Compliance or Checkboxes?
Compliance.
It does not matter which one: SOC 2, HIPAA, PCI, or NIST. There have been many times when I have been told that the boxes need to get checked.
Compliance makes money - it helps finalize deals. It means very little if the processes and practices are not in place all of the time to back it up.
I have completed many audits and am consistently able to get resources to meet compliance goals. This is not the same story for security. Security does not make money; it costs money.
This sucks. I keep saying compliance is not security. If an organization is implementing and maintaining security, compliance is already there. There is NO need to do compliance pushes; there is a need to do security pushes.
Implement a framework and ensure that all the controls have processes and practice those processes. Security. Have a third-party auditor do a check. Compliance.
How many organizations ramp up for their annual audits? There is absolutely no need for this type of circus. Build the security habits like you build any other habit. Repeat and repeat. When I started working in IT, there were many passwords written down on sticky notes, or often no passwords at all (I do not consider “password” a password). Today, there are complex requirements for passwords and it is uncommon not to have passwords on a device. Are there still passwords on sticky notes? Yes. I find them every single time. Most are digital now.
I was recently asked if we could implement a new framework, and I replied with a question: what resources would be made available? The answer was a timeline with no mention of resources. I took this to mean I would not have any resources. I replied that the requested timeline was not feasible for implementing and maintaining the framework. The response - we need the piece of paper to make a sale. Ugh. Straight up ugh. I wholly believe that security is what organizations need to make sales, and that staying secure in today’s environment is an almost impossible task. However, using compliance to assure security is not the right way.
I am not sure who looks at the piece of audit paper and decides whether an environment is secure. I know that my environment goes through many levels of security throughout the month, week, and day. Patching, zero-days, and new attack vectors are constantly being reviewed. Compensating controls bring up their own challenges and risks. I asked if I needed to speak to the client and I was told there was no need because we had a third-party audit. We get that audit once per year. I would ask to speak to the security professional to see how they respond to incidents and ongoing threats.
Why is this? It does not matter what a third-party auditor finds once a year. It matters how their security team can deal with issues and incidents. How fast can they protect the environment, and what is the decision-making process? Being compliant is good. How the team can protect the environment is more important.
I often do security reviews and am told the organization has never had a security incident. I find that statement funny. Are you not looking or are you withholding? I am not sure what is worse.