As a relatively new CIO with responsibility for information security, I remember agonizing about making sure we could pass the latest compliance test. The whole process was fraught with inefficiencies, with different teams responding with evidence for similar control objectives associated with different control standards. It was death by a thousand controls. It didn’t matter which standard – PCI, HIPAA, SOC2 or ISO – all that mattered was putting a check in the box and not having to worry about it for another year. Many other CIOs in my circle of confidants were struggling with the same thing and, more alarming, many of us realized that our “attestations” were actually “aspirations.”
In order to convert the “aspirations” into “attestations,” we focused on programs of security hygiene, which allowed us to feel a bit better about our responses, but all this foolishness was doing little to make us more secure.
Over the years, a more effective model for addressing both information security and compliance standards has emerged. That is, instead of starting with compliance, END with it.
The model starts with analyzing company-specific threats and ends with an environment where the company is more compliant and is able to confidently attest that it:
- Is focused on what high-value assets may be threatened.
- Has established processes to monitor and respond to threats and advisories.
- Has established a security hygiene framework to measure and demonstrate maturity and act upon it.
- Is more compliant with established standards.
At Veracode, we use a simple model to identify what assets and business processes would be most impacted by an inside or outside threat:
- The data we have that, if in the hands of those who don't have our interests in mind, could hurt us.
- The business processes that, if impacted in a negative way by those who don't have our interests in mind, could hurt us.
Then we use common Security Risk Assessment Processes to gauge the business impact and likelihood, and develop mitigating controls to protect each specific high-value asset.
Responding to Threats and Advisories
We are also mindful of current threats and advisories. For example, recent Verizon Data Breach Investigations Reports cite phishing, malware on endpoints and compromised credentials as the top three threats. This informs our focus on programs for employees, changes to and additions of processes, and deployment of technologies to respond to each.
The next step is to generally assess controls based on common frameworks to gauge maturity of our program against industry standards. In our case, we use a combination of the NIST Special Publication 800-53 and Cloud Security Alliance Cloud Security Control Frameworks. These assessments yield dashboards to communicate to our executive team and board where we are doing well and where the gaps are. The reality is that security hygiene is an ongoing process, and the dashboards ensure that the gaps aren’t in areas that would risk our high-value assets or increase our vulnerability to current threats and advisories.
Compliance End Game
Finally, our experience shows that by taking this approach, we are able to make solid attestations when responding to compliance standards, audits and customer questionnaires. More importantly, where there are gaps (and there always will be some), we can demonstrate that, while we’re working to address them, our customers’ assets and our own are not at risk.
Has your application security program moved beyond checking boxes for auditors?
Find out how our customers are working to create comprehensive application security programs in our new guide, From Ad Hoc to Advanced Application Security: Your Path to a Mature AppSec Program.