Why governance and policy can strengthen compliance efforts
A colleague of mine recently made a joke and it made me pause to think. During our discussion on compliance and how internal policy can help organizations comply with external regulation, she said “…like an Amazon suggestion “People who comply with PCI also like the following regulations…”. I smiled because it was funny, but there was also wisdom in what she said. Many of the requirements in compliance regulations seem similar as you go from regulation to regulation – so you see what could be considered as duplication.
Good password policy, control over critical and protected resources, proper account handling-¦ It is seen across multiple, seemingly unrelated compliance regulations. That’s because regulators are trying to ensure simple, effective governance that can also be verified.
For many organizations, focus on a single regulation, sometimes even single requirements in a single regulation, might make it difficult to spot commonalities. As someone who talks to various customers around the world about complying with a variety of generic and specific regulations, I see a lot of the same basic requirements. They all seem to point to the same conclusion: get control of your organization’s environment with good governance.
A structured and controlled organization generally has a much easier time complying with requirements in regulations. The reverse is also true – if you have to comply with the requirements in a regulation, it’s something that can easily lead you to better governance overall for your organization. Here are a few best practices derived from the most common requirements that help lead to good governance.
Controlling your accounts
People in companies and organizations tend to move around; nothing is static for too long. Many employees have different access rights for different roles and responsibilities over time, but it’s rare to see organizations reviewing access control policies and permissions for users that move around. Well-maintained organizations provision people as they start at a company; many of them are even de-provisioning by removing all access that was assigned to an account.
Most have no problem asking for access to resources as they change jobs and roles – so that’s rarely a problem. What’s missing is ensuring access rights to controlled resources are removed or adjusted as job titles and roles change. The proper approach here is to understand what should be controlled, as well as registering changes to access. At that point, you have a manual process that can help identify people who should be removed. Remember, your organization’s controlled resources should be in your control.
Strong passwords are good policy
One of the more common compliance requirements is to ensure that passwords are strong and protected. This usually includes things like age, length and complexity, which is often managed through Group Policy in a Microsoft Windows environment. What’s not so obvious is a history of your organization’s password policy, as well as notation of any exceptions that you make.
Complex, difficult-to-guess passwords are really only a start, especially when there are self-service systems that allow you to reset the password by asking for answers to some common questions, many of which are often discoverable via Facebook, LinkedIn or other social media sources.
If your organization has a system to reset passwords via a self-service system, make sure you advise your users of the dangers of providing simple answers to these questions. One suggestion is respond to questions with answers that don’t fit the question. It’s much harder for someone to socially engineer or guess an answer to a secret question if the answers don’t make sense.
Watch the watcher
Keep an eye on your administrators. The people with the most opportunity to misuse or incorrectly share private data are the people with the most access. Compliance regulations usually require organizations to keep track of administrator activity – especially WHO is an administrator. While it’s likely apparent to most people, keeping a log of administrator activity is key to maintaining a secure environment that complies with external regulations.
One item that tends to get overlooked is service accounts or highly privileged accounts that run applications or services. These accounts have the basic administrative access, plus the added benefit of appearing invisible to most inexperienced or naïve organizations. There are methods that can ensure service accounts are not being used for unintended purposes, alerting you when someone uses one of these highly privileged accounts for a purpose other than the one they are intended.
Assess, access and alert
In today’s world, data sets are so large and complex that it is hard to regulate who has access. When it comes to regulations and avoiding unintentional sharing of private data, you have to set the baseline and record the current access and permissions. To get a handle on your organization’s controlled resources, record where your organization is TODAY! If you don’t understand who has access to resources you are missing a key piece of information; consider asking people to help you justify who has access and eliminate those who do not belong. Once you get control of access to these critical resources, you should set up alerts when that access changes, so you know what’s going on, and can address any mistakes or maleficence at a moment’s notice.
Make it a policy to communicate
There are many good reasons to document and communicate what your organization is doing and how you are maintaining control of its environment. First, everyone in your organization will know that you’re secure and any suspicious activity is being tracked. Second, it is easier to train additional people should the need arise.
Next it makes updating your organization’s environment much easier when there is clear policy and processes in place. Finally, your superiors know you’re doing everything that needs to be done to ensure your organization is safe, secure and compliant with external regulations.
These are only a few best practices among many regulations that place controls over IT in an effort to be as secure and protected as possible. It would be easy for organizations to review compliance regulations and understand where the intention is to codify good policy and protect users and information. And while I’ve viewed this from the regulatory requirement angle, you could easily reverse and say, “Our good security policies make it easier to comply with many external regulations.” It’s up to you to get in control and stay in control of your environment from both a policy and a regulatory standpoint. If there was an Amazon.com item for regulatory compliance it might say, “If you like good policy, you might also enjoy a much better (and more secure) IT environment.”