Compliance: I don't know of a single security professional -- especially a Chief Information Security Officer (CISO) -- who doesn't deal with this issue daily, or even hourly. If it isn't Payment Card Industry Data Security Standard (PCI DSS) requirements, then it could be HIPAA, Graham-Leach-Bliley, Sarbanes Oxley or one of many other privacy and security mandates a company faces. Not only is it essential to protect an organization's data, but also to ensure that the compliance mandates are fulfilled.
So, how can a CISO properly manage compliance efforts? What are the key management processes, priorities and mindsets a CISO must have to ensure an information security group is enabling organizational compliance? There are several, but I'd like to focus on four that may help you in your pursuit of success.
Your mantra: Protect the data
First, remember that your role as the CISO is to be the corporate conscience for information security. Regardless of specific compliance requirements, your primary job is to protect the corporate data and, in turn, protect employees, patients, vendors, customers and your shareholders.
If you look at any number of key compliance guidelines -- including the PCI DSS, HIPAA or NERC requirements -- the overarching themes are protecting systems, data and preventing data loss. Essentially, the fundamentals of most compliance rules aim to maintain "CIA": confidentiality, integrity and availability of data and systems.
Know the requirements to manage compliance
Secondly, know the requirements of the regulations you must comply with. Read them, study them and perform audits and assessments against them. Stay up to date on interpretations, rulings and news regarding these mandates. For instance, subscribe to selected newsgroups on PCI DSS, HIPAA or NERC, or set up a Google Alert for news items on credit card security, or whatever is most pertinent to your industry. By knowing the requirements and staying current with the industry conversations about these topics, you will be able to think more clearly about consequences of decisions that could affect your company's compliance posture.
You can also learn the requirements by using industry assessment checklists for guidance in change management or architecture reviews. Be sure that changes to systems -- even those not directly related to the compliance topic at hand -- do not expose data or systems to potential compromise.
Training and awareness
As a CISO, I firmly believed the first line of defense for any company is the individual employee. Ensure employees and contractors realize that their actions -- or inactions -- can result in breaches or non-compliant situations. So, how do you communicate this?
The first step is to look at the business' processes and deduce those places in the data flows and system operations where failure to fulfill certain requirements can result in non-compliance. Using this information, spend some time training and orienting the key players on their responsibilities to protect the information.
For example, with PCI DSS, one of the potential weak areas is the handling of credit card data at the point-of-sale counter. It would be appropriate (and even required per PCI DSS) to spend some time with the customer-facing employees -- or at least develop some computer-based training or employee awareness brochures -- to explain the proper and improper ways to handle credit cards, such as never copying down the credit card number.
Other examples in this space could be orienting the development staff on the importance of Web application testing and data validation, or training all laptop users on proper security of their machines when traveling.
In other words, train and orient all employees constantly about why certain actions must be taken and what the consequences are to the company's reputation and to employees if data is not appropriately protected.
Understand the root cause
When or if an incident occurs that could put the organization's compliance in question, it's necessary to spend the time and energy to understand the root cause of the event. Don't just gloss over the symptoms; really understand what happened and why. Then, take the time to develop remediation actions that will solve the problem and prevent it from occurring in the future. Be sure and track these remediations to completion.
This approach will also help with regulators and compliance overseers. By staying on top of your issues and events, you'll demonstrate that you don't want mistakes to happen and that you're willing to put in the time and effort to prevent repeat problems. If it comes to fines or penalties, regulators are much more likely to be lenient if you are continually straightforward with them.
As a CISO, I often told my fellow security professionals that our most important job is putting constant pressure on the organization to be compliant, secure and focused on protecting the data. Unfortunately, it may not be easy, and some days it is challenging, but you need to keep the pressure on to sustain and improve your enterprise security posture.
About the author:
Ernest N. Hayden (Ernie), CISSP, CEH, is the founder and owner of 443 Consulting, LLC, an enterprise focused on providing quality thought leadership in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, and research. Most recently, Ernie was Information Security Strategic Advisor in the Compliance Office at Seattle City Light. In this role he was the primary leader of utility-wide efforts focused on complying with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.
This was first published in May 2010