Compliance and Data Security: Do They Ever Meet?
In my years working with technology and security data in the information security industry, I've heard numerous people confuse the word "compliance" with "security". We've all heard the stories in the news about an organization or company that was supposedly compliant with a particular ISO or NIST program imposed on them, only to be breached later on and then have to explain to auditors or examiners how the breach occurred if they were indeed compliant.
Sadly, the breach often occurs because the company trusts that, having put all of these compliance measures in place, it is now secure from all threats. Unfortunately, this is rarely the case. All too often the compliance measures they've implemented don't mesh with the security practices that they have, or don't have, in place.
Wait, aren't Compliance and Data Security the Same Thing?
Dictionaries define compliance as adherence to a given set of rules or requirements, often set by a group or a regulatory body (FDIC, HHS, etc.). So, what is data security? Data security, on the other hand, is the hardening and patching of systems and networks to ensure that there is little or no chance of compromise. While they may both seem like a means to the same end, they in fact address risk in totally different fashions.
A real-world analogy for this difference could be going on a diet and eating what you think are all the right things, as opposed to going to the doctor and having a battery of tests run to determine what your overall health looks like and from there deciding what type of diet you should be on.
Don’t get me wrong, standards like ISO 27001 are very important! And they truly help when it comes to data protection and security. They help an organization set a baseline for where they are with their policies and procedures associated with data security controls such as password length, system access, etc. And while there are audits that can be performed to test your compliance with the ISO standard, which are important, these audits do not test password strength, seek out vulnerabilities on your network, or find SQL injection issues in your web-based applications. Simply put, they are meant to show your level of compliance with the standard so that you are ready should you ever be audited.
Why Compliance Is Important
While I've established that there are definite differences between compliance and data security, compliance still plays a critical role in the success of your overall data security program. With compliance, you establish a robust set of policies and procedures that provide a foundation for all of the other activities that you conduct as part of your data security program. As an example, I mentioned earlier that a compliance program would not test the strength of your passwords. However, if you do test the strength of your passwords and there is no policy that sets the parameters (8 characters minimum, a mix of alpha, numeric, and special characters, etc.), how would you know if the passwords were out of compliance?
What is key with the data protection policies and procedures that you set is that you follow some established standard, whether it be the ISO standards, NIST, or something else akin to either of these standards bodies. Why? Because when you're audited, and you will be audited by someone at some point, you'll have something to stand on by saying that you adopted and implemented policies and procedures derived from a nationally or internationally accepted information security program. If you have undergone a review of your compliance with the standards you adopted, that gives you an even stronger leg to stand on when questions come up during the audit.
Types of Policies in an ISO Compliance Program
- Policy Review Cycle
- Segregation of Duties
- Mobile Device Management
- Screening and Background Checks
- Inventory of Systems
- User Access Enrollment
And many, many others. As you can see, the policies are wide-ranging and cover everything from traditional information security, to HR practices, to general security policy hygiene. However, having a broad policy set is what it takes to become ISO or NIST compliant. A small policy set is sure to get you a number of findings on your review or audit, and that's something no one wants.
Why Data Security Is Important
As I mentioned earlier in the post, compliance is important, but compliance does not necessarily make you secure. You see, they are two different animals when you boil it down to the essentials. When it comes to data security, you need to look at services like the following:
- Vulnerability Assessments
- Penetration Tests
- Social Engineering
- Web Application Testing
- Physical Security Reviews
And many other data security tests that can be performed on your network and computing assets. Let's talk about each of these and how they tie into policies that may come about during your efforts to become ISO or NIST compliant.
Vulnerability Assessments
Vulnerability assessments are the automated scanning of your computer systems and networks with specialized security software that looks for vulnerabilities on these systems that may pose a risk to your security posture.
Potential Associated Policies: System and Network Security, Vulnerability Scanning, etc.
Penetration Testing
Penetration testing is the manual testing of systems and networks to see if a vulnerability detected during a vulnerability scan can actually be exploited and system or admin access gained from this exploitation, thereby violating your data protection controls.
Potential Associated Policies: System and Network Security, Manual Vulnerability Testing
Social Engineering
Much like penetration testing, social engineering is a test; however, it is a test of people. It checks whether your employees can be tricked into giving out sensitive information about the company or its clients, violating your data security controls.
Potential Associated Policies: Physical Security Perimeters, Securing Data Centers, Creating Secure Rooms
Web Application Testing
Web application testing, much like penetration testing, is the focused testing of web applications, looking for issues such as SQL injection, buffer overflows, privilege escalation, or any other issue that would violate your data protection controls.
Potential Associated Policies: Change Management Security, Developer Training, Quality Assurance Testing
Physical Security Reviews
Physical security reviews are a close cousin of social engineering engagements. However, during a physical security review the customer knows when it is happening and what the tester is looking for, namely weak physical security controls that protect sensitive data.
Potential Associated Policies: Physical Security Controls, Clean Desk Policy Controls, Print Job Security
As you can see, compliance and security are closely intertwined and actually support each other to ensure that the enterprise is, and remains, secure.
This Seems Like A Lot of Work, Where Do I Even Start?
This seems silly to say, but you start at the beginning.
You first have to identify all of the data protection controls within your organization and ensure that you have a policy for each of them. This is called a gap analysis. Once your gap analysis is complete, you should be left with a list of policies that you need to write and implement. Not sure what to write for a particular policy? Simply look online; there are plenty of templates for most of what you'd be looking for. However, that doesn't mean it's as easy as just downloading something and putting it in place. No, you'll need to compare the download to your actual practices and adjust it accordingly, so that the policy actually reflects what an auditor would find when testing your controls against the policies you provide them.
Once the policies are written, it's time to write the procedures that support them. Always remember: policies tell you who does something and why, whereas procedures tell you how to do it. When you write the procedures, make sure they tie back directly to the policy they support. Too many times I've seen procedures that stray from the policy, and it makes things very confusing for everyone involved.
Once you have the policies and procedures written, it becomes imperative to have your employees acknowledge them. Why? Because you can't hold an employee, vendor, or partner accountable for something they didn't even know existed. Oh, and it needs to be in writing. A verbal acknowledgment just doesn't work here, as people tend to develop short-term memory loss when they are held accountable for something they got wrong.
How Should I Distribute My Policies and Procedures?
I typically recommend putting policies and procedures in an online format. It makes it easier for employees to search for particular clauses, etc., while they are doing their jobs. It also makes it easier to keep things up to date and to publish those updates to the staff of the company.
But what is most important is getting the policies and procedures out there. So, whether you decide to publish them online, in hardcopy form, or as a searchable PDF, you'll have them out there and everyone will understand what their roles and responsibilities are for their job function.
Compliance and Data Security, A Match Made in Heaven!
Now that we’ve established the importance of both compliance and security, and laid out the ground rules for both, you should have a very strong chance of becoming compliant and secure at the same time!