Those who write compliance requirements should hang their heads in shame

Opinion by François Amigorena

François Amigorena, CEO and founder, IS Decisions

Compliance certainly has an image problem. No matter how cyber vendors try to dress it up as an opportunity to improve your security posture, or an opportunity to show customers how responsible you are with their data, most organisations still view it as something they just have to do because someone else says so.

But part of the reason compliance has an image problem is that it's far too complex. Those with the unenviable job of drafting compliance requirements rarely strike the right balance between giving specific, unambiguous advice that businesses understand and keeping the requirements relevant to as wide a pool of organisations as possible. At the moment, many requirements err far too much on the side of broad applicability and far too little on specifics. Not to mention that most compliance requirements are better understood by lawyers than by IT professionals.

Vague and ambiguous requirements

Compliance writing in the US seems to be far more complicated than that in the UK. The healthcare industry in the US, for example, has it particularly bad. HIPAA was deemed so complicated that the HHS decided to publish a 115-page simplified version on its website. But even this version doesn't clarify matters. For example, on page 63, HIPAA states that healthcare organisations “protect against any reasonably anticipated threats or hazards to the security or integrity of such information.” What constitutes “reasonably anticipated”, and what about those attacks that aren't expected? Worse still, we see requirements as vague as “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” (page 64).

US financial services companies also have to put up with poorly written compliance requirements such as the Gramm-Leach-Bliley Act (GLBA). GLBA even states that its requirements are “designed to be flexible” and that “companies should implement safeguards appropriate to their own circumstances”. And when GLBA says “it's wise to…”, as it does when discussing improper closure or theft of customer information, organisations have a get-out clause without even breaking a sweat.

There are loads of other examples of poor writing. The Federal Information Security Modernization Act (FISMA), which hasn't been updated since 2014, is just one big headache to read. Seriously, try it. ISO 27001 has a six-part process, which includes instructions like “define a security policy”, “conduct a risk assessment” and “manage identified risks”. Don't even get me started on the likes of Sarbanes-Oxley (SOX) in the US or the requirements of the Financial Conduct Authority (FCA) in the UK.

My point is that no IT professional wants to wade through all this information, and they wouldn't struggle if all compliance was structured in the way that the Payment Card Industry structures its PCI DSS requirements — with clear requirements, testing procedures and guidance, all in one place, updated regularly to keep up with the pace of change with IT.

Given that most organisations have to comply with multiple sets of requirements at the same time, it makes sense to start by working out what they have in common. The full list of commonalities is far longer than this article can cover, but the following three areas are, I believe, the most important:

1. Knowing your data — inside and out

Since data no longer resides solely within the confines of your office, keeping track of it is becoming a harder challenge, and therefore a more important part of compliance requirements. The last thing you want is customers ringing you up to ask whether the data you store about them really is safe.

2. Having a detailed audit trail of files and folder access

Without knowing what's occurring on your corporate network, you're unlikely ever to be able to prove you're compliant with anything. Virtually all requirements now demand a detailed audit trail of activity that records who is accessing which files and folders, when they're accessing them, what exactly they're doing with them, and more.

3. Ensuring employees have the right access permissions for sensitive data

One of the easiest ways to manage access is to monitor logons effectively. Pretty much all cyber-breaches these days involve a logon at some stage of the process, so if you had a way of detecting that suspicious logon, you could halt attacks much more quickly — and demonstrate compliance.

Technology is critical to monitoring logons (the manual alternative would be a huge drain on resources), and it can alert you to suspicious logons immediately, for example logons from an unusual location or device — even when the user is presenting legitimate login credentials.
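As an added illustration of the kind of check described above (this is example code written for this page, not a product or code from IS Decisions), the following script walks a set of logon events in time order, builds a per-user baseline of the countries and devices each user has previously logged on from, and raises an alert when a logon with valid credentials comes from a country or device the user has never used, or when the source country changes faster than a person could plausibly travel. The log format, the sample lines and the two thresholds are assumptions made for the example.

```python
"""Flag logons that deviate from each user's observed baseline.

Example code added for illustration; the log format below is an assumed,
constructed one (timestamp, user, source country, device name), not real data.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Logon = namedtuple("Logon", "time user country device")

# Constructed sample logon lines (not real data).
SAMPLE_LOG = """\
2024-03-04T08:02:11Z alice GB LAPTOP-A1
2024-03-04T08:05:40Z bob GB DESKTOP-B7
2024-03-04T13:15:02Z alice GB LAPTOP-A1
2024-03-05T08:01:55Z alice GB LAPTOP-A1
2024-03-05T08:10:30Z bob GB DESKTOP-B7
2024-03-05T08:45:00Z alice RU UNKNOWN-9F
2024-03-05T09:00:00Z bob GB DESKTOP-B7
2024-03-06T08:03:12Z bob GB PHONE-B2
"""

# Assumed thresholds: a baseline is only trusted after this many prior logons,
# and a change of country inside this window is treated as implausible travel.
MIN_HISTORY = 2
TRAVEL_WINDOW = timedelta(hours=4)


def parse_logons(text):
    """Parse the assumed whitespace-separated log format into Logon tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, device = line.split()
        events.append(Logon(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country, device))
    return sorted(events, key=lambda e: e.time)


def detect_suspicious_logons(events):
    """Return a list of (logon, reasons) for logons that deviate from the user's history."""
    seen_countries = defaultdict(set)
    seen_devices = defaultdict(set)
    history_count = defaultdict(int)
    last_logon = {}
    alerts = []
    for ev in events:
        reasons = []
        # Only compare against the baseline once enough history exists for this user.
        if history_count[ev.user] >= MIN_HISTORY:
            if ev.country not in seen_countries[ev.user]:
                reasons.append(f"new country {ev.country}")
            if ev.device not in seen_devices[ev.user]:
                reasons.append(f"new device {ev.device}")
        # Implausible travel: a different country too soon after the previous logon.
        prev = last_logon.get(ev.user)
        if prev and prev.country != ev.country and ev.time - prev.time < TRAVEL_WINDOW:
            reasons.append(
                f"country changed {prev.country}->{ev.country} within {ev.time - prev.time}"
            )
        if reasons:
            alerts.append((ev, reasons))
        else:
            # Only unflagged logons extend the baseline, so a suspicious logon
            # cannot quietly make its own country or device "normal".
            seen_countries[ev.user].add(ev.country)
            seen_devices[ev.user].add(ev.device)
        history_count[ev.user] += 1
        last_logon[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for logon, reasons in detect_suspicious_logons(parse_logons(SAMPLE_LOG)):
        print(f"{logon.time:%Y-%m-%d %H:%M} {logon.user}: {'; '.join(reasons)}")
```

On the sample data this flags alice's Russian logon from an unknown device 43 minutes after a logon from Great Britain, and bob's first logon from a new phone. The second alert shows the trade-off such a check involves: a genuinely new device keeps being flagged until someone confirms it as legitimate and adds it to the baseline, which is exactly the review step an audit trail has to capture.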

Before you do anything else, make sure you get the basics right. Most compliance is about common sense and the basics, but lawmakers have a knack for turning that challenge into something seemingly insurmountable. Crack these three points, though, and you're already well on your way to complying with the security sections of most requirements.

Contributed by François Amigorena, CEO and founder, IS Decisions

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.