Continuous Compliance…Moving Beyond a Checklist Mentality
Author(s): Jeffrey Johnson, Posted on May 14th, 2015
Often, people incorrectly view governance and compliance as a static checklist of activities that, once completed, signify that an organization has guaranteed its present and future security. A better view is that compliance is the set of activities that continuously evaluate an organization’s ability to protect the confidentiality, integrity, availability, and privacy of the information it stores, processes, and transmits.
In order to do this, an organization must follow a rigorous and standards-based approach to attest to the effectiveness of its people, processes, and technologies, while still understanding the dynamic and ever-evolving threat landscape. An organization must always consider the complementary tenets of defense in depth (layers of security, and redundant controls at each layer) and defense in breadth (from the central core to external interfaces, partners, and extranets) with the underpinning philosophy of continuous, predictive, and evolutionary improvements.
As mentioned previously, compliance is a continuous set of activities. This usually begins with a Certification and Accreditation (C&A) (or synonymously Assessment and Authorization (A&A)) that is a static point-in-time analysis of a system’s security and risk postures against a set of standards, guidelines, regulations, laws, and directives. The effect of the A&A is to allow an organization to “get its house in order” by validating that its processes, security measures, and documentation meet a standard of uniformity.
In order to continue complying with Enterprise Security Frameworks (ESFs) (or synonymously Risk Management Frameworks (RMFs)) and maintain an Authority to Operate (ATO), an organization must also show that it conducts ongoing Security Test and Evaluation (ST&E)/continuous monitoring activities beyond the A&A itself. These include:
- Continuous monitoring using tools such as eEye Retina, AppDetective, WebInspect, etc.
- An Information Assurance Vulnerability Management Program (IAVM Program)
- Ongoing risk assessments structured in accordance with vulnerabilities as identified in the Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), National Vulnerability Database (NVD), and by other organizations such as the United States Computer Emergency Readiness Team (US-CERT)
- Use of System Readiness Review (SRR) or Security Content Automation Protocol (SCAP) compatible checklists
- Examination of the effectiveness of the in-place processes and controls and, when necessary, replacement or augmentation of ineffective controls with additional countermeasures
Often, an organization is governed by a particular RMF, such as Federal Civilian agencies that must follow the Federal Information Security Management Act (FISMA) or the Federal Risk and Authorization Management Program (FedRAMP). Federal Defense agencies once followed the DoD Information Assurance Certification and Accreditation Process (DIACAP) but are migrating to a National Institute of Standards and Technology (NIST) based set of processes, guidelines, and directives. Critical infrastructure facilities, as described in Homeland Security Presidential Directive (HSPD) 7, may choose an RMF defined through the North American Electric Reliability Corporation (NERC). International corporations may base their RMF on the International Organization for Standardization/International Electrotechnical Commission standard ISO/IEC 27001. Payment entities and card holders use another RMF, the Payment Card Industry Data Security Standard (PCI-DSS).
The point of this article is not to give an exhaustive listing of every RMF – there are a large number – but rather to show that there are sets of standard and recognized RMFs frequently overlapping within organizational boundaries. Often, an organization will have to comply with multiple RMFs – e.g. an agency might fall under FISMA, but store PCI-DSS or Health Insurance Portability and Accountability Act (HIPAA) data, thereby having to comply with several RMFs. When following multiple RMFs, it is helpful to automate the crosswalk and prioritization of security controls using a tool such as the Unified Compliance Framework. Tools such as these facilitate prioritizing controls (e.g. prioritize controls related to criminal liability over those having civil liability), as well as creating concise spreadsheets documenting how meeting one particular control in RMF A also meets corresponding controls in RMFs B, C, and D.
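The crosswalk and prioritization described above can be sketched as follows. This is an added example, not the Unified Compliance Framework's data or format: it assumes a model in which each framework citation maps to one shared "common control", and every framework name, citation ID, control name and liability label is a constructed placeholder.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: framework names, citation IDs and common-control
# names are placeholders, not entries from any real control catalogue.
CITATIONS = [
    # (framework, citation, common control, liability if unmet)
    ("RMF-A", "A-1.1", "unique-user-ids", "civil"),
    ("RMF-B", "B-7", "unique-user-ids", "criminal"),
    ("RMF-C", "C-3.2", "unique-user-ids", "civil"),
    ("RMF-A", "A-4.5", "audit-log-retention", "civil"),
    ("RMF-D", "D-12", "audit-log-retention", "civil"),
    ("RMF-B", "B-9", "media-sanitization", "none"),
]
LIABILITY_RANK = {"criminal": 0, "civil": 1, "none": 2}


def build_crosswalk(citations):
    """Group citations by common control and order rows by worst liability."""
    rows = defaultdict(lambda: {"liability": "none", "cites": defaultdict(list)})
    for framework, citation, control, liability in citations:
        row = rows[control]
        row["cites"][framework].append(citation)
        # A control inherits the most severe liability of any citation on it.
        if LIABILITY_RANK[liability] < LIABILITY_RANK[row["liability"]]:
            row["liability"] = liability
    # Criminal before civil; within a tier, controls covering more frameworks first.
    return sorted(
        rows.items(),
        key=lambda kv: (LIABILITY_RANK[kv[1]["liability"]], -len(kv[1]["cites"]), kv[0]),
    )


def to_csv(crosswalk, frameworks):
    """Render one row per common control, one column per in-scope framework."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["common_control", "liability", *frameworks])
    for control, row in crosswalk:
        cells = ("; ".join(row["cites"].get(f, [])) for f in frameworks)
        writer.writerow([control, row["liability"], *cells])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_crosswalk(CITATIONS), ["RMF-A", "RMF-B", "RMF-C", "RMF-D"]))
```

An empty cell in the output means that framework has no citation for the control, so implementing it earns no credit there.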
What all these frameworks have in common is the objective of providing a uniform proof point that attests to an organization meeting the underlying requirements and goals of the corresponding RMF. Thus, when an organization states its data centers are certified FISMA Moderate, then it has met the A&A and continuous activities required by FISMA Moderate, nothing more or less.
The problem is that threats evolve more rapidly than governing agencies can respond through issuance of guidelines, regulations, and directives. We see this in the explosion of zero-day exploits; the lag between application vulnerabilities being detected and patches being released; the sophistication of attacks evolving from lone hackers to state-sponsored agencies engaging in cyber warfare; and the complexity of administering a secure enterprise infrastructure. It is unrealistic to assume that standards and guidelines, oftentimes published years ago, can on their own provide anything more than a baseline of best practices against low to medium threshold attacks.
A potential solution is to reduce the attack surface, using technologies such as Unisys Stealth. By cryptographically isolating and bounding the organizational infrastructure, you simultaneously protect against unauthorized infiltration (e.g. network-based attacks) and exfiltration (e.g. malicious employee activity). This enables an organization to enforce, through multi-domain containers, concepts such as separation of duties, least privilege, and restricted views. Combining a technology such as Stealth with ongoing stress tests of the environment (through audits, penetration testing, etc.) and dynamic, proactive continuous monitoring provides the most effective risk management (i.e. risk control) program.