Friday, June 14, 2013

Compliance - The Dark Side

[Specific to Information Security]

Before touching the main point, let me give you an idea about what exactly compliance is.

In simple words, compliance is nothing but a set of standard rules that are accepted all over the world. Entities in a particular industry have to comply with certain standards to gain licences and customer trust, in order to operate and generate cash flow.

For example, suppose you are an eCommerce entrepreneur who deals heavily with online money by using a third-party payment solution that is PCI DSS compliant. If you want, and have sufficient capability, to operate online transactions on your own, then you have to comply with the PCI DSS standard and get your facility certified, and you are ready to do business on your own!

Sounds simple, right? But this isn't simple at all!

Roughly, I would say there are a few steps:
  1. Identify your business vertical.
  2. Find out the different compliance standards which may be mandated or may help you win customers. (Some of your customers may explicitly ask you to comply with certain standards, like ISO 9001 for Quality or ISO 27001 for Information Security, before dealing with you.)
  3. Identify the scope for which you would like to go ahead and get certified. (The scope can be a department within the company or the whole company.)
  4. Hire a consultant, get the standard implemented, and get it certified by a Certifying Authority!

Let's talk specifically about Information Security related compliance standards like ISO 27001, PCI DSS etc.

Ideally, once an organization gets itself certified for the first time, it has to follow the guidelines/processes that are defined, and then it has to undergo recertification after a stipulated time period, say every 2 years. This ensures that the organization complies with industry best practices, i.e. the standards.

But what exactly happens?

Case 1: XYZ, a software development firm, contacts ABC, an information security consulting firm, and asks them to help in getting ISO 27001 certified. ABC deploys its resources on XYZ's premises and makes sure all the processes are as per the required standard. Once implementation is done, a Lead Auditor visits the firm, XYZ, audits the processes with respect to the ISO 27001 standard, and eventually XYZ earns ISO 27001 certification. Barely a month later, they start operating the way they used to prior to earning the ISO 27001 certification, as if they had never heard of ISO 27001 compliance.
Meanwhile, they keep winning customers by showing that they comply with ISO 27001 and are certified too!
Just before the certification is about to expire, they contact ABC and ask them to help with recertification. The IT manager asks every department head to make sure everybody is following all the policies, and again, for a while, the process documents start getting followed.

So why this *fuss* about compliance? Organizations today worry about compliance and not security, but they forget that merely getting a certificate for your organization doesn't guarantee you security, unless your people, your employees, actually follow the processes religiously.

Hardening the servers and updating log books just before an audit can fool the auditor, but not the hackers. Today's hackers are sophisticated; they do proper reconnaissance before attacking your organization's assets. They know your weak links: your people. It might be easy for you to harden the servers, but it's a pain when it comes to hardening the people.

So how do you tackle this situation? A surprise audit, maybe yes! This should be done by the Certifying Bodies (CBs) who give out the certification to organizations. Once an organization is certified, after some period the CBs should do a surprise audit to check if the organization is following the standard that is set! I have heard from experts that audits are never a surprise. But in my opinion there has to be a separate term called 'Surprise Audit', which should be carried out by the CBs in order to maintain a certain discipline.

In my opinion the flow should be:
Compliance Implementation (Day 0 to Day 30) --> Internal Audit (Day 31) --> Patching of NCs (Day 32 to Day 36) --> Final Audit (Day 40) --> Surprise Audit (~ Day 110)

Post security audit, the CBs should issue NCs (non-conformities) to the organization along with a warning. The organization should patch the NCs and produce the report to the CB. On any further NCs, the organization's certificate should be revoked by the CB.

Though this will also not guarantee 100% security, it'll at least ensure things are more hardened than they were earlier. This will help the overall security ecosystem.

*** IMPORTANT NOTE: THESE ARE MY PERSONAL VIEWS, THIS HAS NOTHING TO DO WITH ANY PARTICULAR ORGANIZATION THAT I WAS/AM ASSOCIATED WITH ***
