Commentary: Quis Custodiet Ipsos Custodes?
Toronto, ON, June 2003
I don’t envy many of you. Meeting, or even understanding, the technical requirements needed to comply with the newest government laws for security and privacy is a real challenge for many organizations. These organizations dwell in a world of regulations and laws affecting the way they do business. In the wake of accounting and corporate scandals, there are newly mandated government and industry regulations forcing many organizations to follow strict security guidelines. Industry-related laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Bank Secrecy Act (BSA) and the various money-laundering laws spring to mind. But U.S. legislation such as the Sarbanes-Oxley Act and the Patriot Act affects a lot more organizations. Companies know that they must comply with these new or existing laws, but exactly what they need to do is not always clear to them. And perhaps their business is so complex that they might not even identify all the laws affecting them.
For those not familiar with the Sarbanes-Oxley Act of 2002, a little explanation is in order. The Sarbanes-Oxley Act requires companies to make disclosures in their annual reports regarding internal controls, ethics codes and the makeup of their audit committees. When your CEO and CFO sign off on your firm’s quarterly and annual reports, they are stating that the organization’s financial systems have the appropriate controls and security to assure the reliability of the resulting financial statements. Their hands must tremble when they sign off! Sarbanes-Oxley has spawned a cottage industry of software vendors developing compliance software. For instance, there’s CARDdecisions’ CARDmap SOX 302/404 Edition (http://www.carddecisions.com/), Documentum’s Corporate Governance and Compliance Solution (http://www.documentum.com), HandySoft Corp.’s BizFlow Solution for Sarbanes-Oxley (http://www.handysoft.com), Logical Apps Inc.’s AppsRules and AppsFlow (http://www.logicalapps.com), and Paisley Consulting’s Focus (http://focus.paisleyconsulting.com/).
Other regulations require senior management to attest to something similar. Tracking all these laws and regulations is a full-time job, to say the least. I know, because along with an associate I developed a corporate governance system for an insurance company to try this very thing! So how do you do it?
First, you need to develop the infrastructure. Security policies and baseline security standards buttress the security of your information and your organization. Your policies and standards must directly reflect the needs of your organization and meet applicable laws and regulations. To be most effective, security policies must be fully auditable and flexible enough to respond to the ever-changing events involved in continually safeguarding enterprise-wide resources.
You need security policies that are comprehensive in their coverage of security issues. These policies should contain control requirements, including some very complex ones. That said, having a security policy document in itself is not enough. To be effective, your organization must carry out the policy and track compliance with it. And as I like to point out, this is often easier said than done!
Achieving compliance with these policies is a far from trivial task, even for the most security conscious of organizations. The best starting point in the compliance process is often an assessment of the current position, followed by identification of what changes you need for compliance. From there, you must undertake planning and control implementation.
Historically, compliance with security policy and standards has been abysmal. To help us mere mortals, several software vendors have developed products to track policies and compliance. Most software available today barely scratches the surface when it comes to helping customers wrap their arms (and heads) around these problems, but at least they are a departure point.
Of course, there are the old stand-bys from companies like BindView (http://www.bindview.com/), Computer Associates (http://www.ca.com), ISS (http://www.iss.net), NetIQ (http://www.netiq.com/) and Symantec (http://www.symantec.com). Even Microsoft (http://www.microsoft.com) has joined the fray with the introduction of Microsoft Baseline Security Analyzer (MBSA), Security Templates and the Security Configuration and Analysis Tool. Generally, these products assess vulnerabilities, but they also allow you to document your policy and then review compliance with that policy.
BindView Corp., however, launched a new twist on the genre with Compliance Center (part of its Policy Compliance solutions suite), software that synthesizes the data collected across the sundry networks and systems and measures compliance with rules set by the company or with external benchmarks established by industry and regulatory bodies. Compliance Center can provide continuous feedback on systems that comply with risk management guidelines while quickly identifying those that do not. It can measure compliance against industry standards such as the Center for Internet Security (CIS) Benchmarks. The CIS Benchmarks reflect the consensus of recognized industry experts from the National Security Agency (NSA), Defense Information Systems Agency (DISA), General Services Administration (GSA), National Institute of Standards and Technology (NIST) and the SANS Institute on how to provide a practical level of due care without significantly affecting performance. Choosing to implement the CIS “gold standards” reduces administrative costs by alleviating the need for IT and security staffs to create their own effective configuration standards. Finally, Compliance Center also provides solutions for auditing and documenting compliance with regulations such as HIPAA, Sarbanes-Oxley and the Gramm-Leach-Bliley Act (GLBA), among others.
The most effective method to achieve policy compliance is to use a software package to semi-automate the process. Another product, the COBRA Policy Compliance Analyst (http://www.securitypolicy.co.uk/riskanalysis/cobprods.htm#PCA), guides you through the entire compliance exercise. Section by section, through a series of online questions, COBRA takes you through your own security policy (a provided component helps you enter your policy into the system) or, alternatively, through a pre-packaged policy or standard such as BS7799. ESTec Systems (http://www.estec.com) flips this model around. Its Policy Analyst allows you to enter organization-specific activity and information. Using this input, it creates recommended security policies based upon the latest industry, national and international standards. Policy Analyst will also recommend changes to the organization’s security operations where necessary to bring the network of computers into compliance with the recommended policies.
Another way to look at this problem is offered by the Corporate Risk Management Suite (CRMSuite) from Alex Woda & Associates (http://www.awa.ca). Using customized questionnaires, your organization can manage and report compliance with documented standards. CRMSuite comes with a database of regulatory guidelines and industry best practices for information systems security, as well as government regulations for financial institutions. It is easy to add new regulations as needed. CRMSuite also helps you to meet another requirement—providing appropriate audit-ready documentation—by helping to electronically publish corporate policies, standards and procedures on the Internet or the organization’s intranet web site.
Another category of software that helps with compliance review is patch management. Companies offering patch management solutions include Altiris (http://www.altiris.com/), Configuresoft (http://www.configuresoft.com), Ecora (http://www.ecora.com/ecora/), New Boundary Technologies (http://www.lanovation.com/) and Shavlik (http://www.shavlik.com/), to name a few. Configuresoft Inc. offers Enterprise Configuration Manager (ECM). ECM can capture configuration variables on every server and workstation in your organization, compare them to policy and roll back server and workstation configurations to preset standards when someone inadvertently changes them.
Most organizations have lots of data, so much so that it’s almost impossible to cull pertinent information about who is doing what. So organizations are looking for policy compliance software that provides easy-to-comprehend information: something that looks like the dashboard of a car. After the software gathers and sorts the data, it displays the most critical information on one or two screens in a format that any manager can comprehend. When something flashes red, management can dig a little deeper. Many financial and management accountants are aware of the Balanced Scorecard (http://www.balancedscorecard.org/) method. For those of you who aren’t, the balanced scorecard is a management system that enables organizations to clarify their vision and strategy and translate them into action. The methodology provides feedback on both internal business processes and external outcomes in order to continuously improve strategic performance and results. You focus on several key factors and report on them using something that looks like a car’s gauge. This is useful information that someone can act upon.
Managing compliance with security policies and security baselines is far from trivial. Assessing compliance levels for information systems, and then deriving and implementing plans to become compliant, can be a very intensive and extensive process. However, with the correct approach, you can minimize your effort.
After looking at these products, I am struck by one thought. Juvenal, in his Satires, posed the vexing question, “Who will guard the guards themselves?” Someday we may get to the point where systems can assess themselves against a policy, but who will review the compliance software itself? I remember when one vendor of very popular vulnerability assessment software reported on a finding in one version of its product but not in the next. When asked why, they claimed they had changed the way they collected the data—in one version they used UDP and in the other they used ICMP. The same vendor’s tool collected other data and put it into the database. Unfortunately, the reporting software did not extract the information and display it. I found these slips very disconcerting, even more so when I think that organizations are placing reliance on third-party software to do compliance checking and patch management. Oh well, I guess it provides plausible denial. I am not suggesting that these products don’t have merit. Alas, they are but a tool and part of a larger process. As an auditor, you will need to shift your emphasis from compliance audits to reviewing the larger process and the efficacy of the compliance software itself.