Taking the Necessary Steps to Maintain Compliance
Chris Schwartzbauer, VP Worldwide Field Operations, Shavlik Technologies, explains more about business within the fields of Oil & Gas
An organisation that cannot prove adherence to security policy is not likely to pass an IT system audit, whether the audit validates internal controls or regulatory compliance. Proving adherence to policy requires a consistent means of measuring the condition or state of any given machine on the network, a task that more often than not demands a significant commitment of time and resources before a scheduled audit. Once that state is achieved, opportunities immediately arise for the newly adopted security posture to drift out of compliance: users download software, malware creeps in, and configurations are changed without approval.
In addition, standards change, regulations are updated and new regulations are released, so preparing for the next audit is an arduous task. In some cases, such as the payment card industry's PCI DSS standard, quarterly audits are required. Clearly, companies need to be audit ready at any given time, if only to manage the costs of the audits themselves.
Being audit ready means proving adherence to security policy, and the result can only be an improvement to the company's risk posture.
Maintaining compliance requires an enterprise-wide approach that starts with establishing a defined and approved security configuration baseline: the approved "desired state" of every system in the IT infrastructure. This typically includes control over services, account management, registry settings and much more. Each type of system should have a pre-defined and approved security baseline, including domain controllers, file servers, print servers, application servers and clients.
The baseline provides a compliance benchmark and a point of reference for determining the effectiveness of new security policies. It should be set against a recognised framework or standard of best practice, such as those defined by COBIT, ITIL or ISO, while accounting for the specific regulatory requirements that apply.
The security baseline also helps identify solid, repeatable processes that are ripe for automation, driving down costs and improving readiness. Most vulnerability assessment solutions available today only allow companies to assess and audit for gaps in security and compliance; they do not provide the remediation needed to close those gaps, which forfeits much of the efficiency gained by establishing a baseline in the first place. To simplify and automate the entire security and compliance management cycle, the chosen automation solution should continually and automatically establish a known secure state, assess for gaps against that state, and close the gaps.
It is also all too common for vulnerabilities to be managed on a regular, commonly quarterly, basis through an IT administrator physically visiting machines to manually update configurations, apply patches and the like. Between visits, security posture drift leaves the company exposed to risk or, worse, unaware of a breach that is already present until the next regular visit, unless an attack is launched before then. A more proactive and consistent approach is required: scan for and detect security posture drift, then remediate it by automatically returning systems to their baseline configuration, deploying patches across the organisation, and removing unapproved software as soon as it is detected. Reports then prove adherence to policy with a comprehensive overview of the software and configuration on all PCs, including mobile devices, and servers that connect to the network.
While ensuring the organisation is ready for audit at any time, companies can also carry out a continuous assessment of enterprise security status. With information from disparate processes gathered into an integrated system, network risks become obvious, policies are put to the test, and the security configuration baseline is adjusted as appropriate.
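The baseline-then-drift cycle described above (define the desired state, assess each host against it, close the gaps, re-assess) can be shown in a small script. The following is an added illustration, not Shavlik product code: the baseline for a file-server role, the host snapshot for "fs01", the patch identifiers (labelled placeholders) and the category names are all constructed for the example, and a real deployment would collect the snapshot from an agent or scanner and drive host changes from each remediation branch.

```python
"""Baseline drift check: compare a host's recorded state against its approved
baseline, list every gap, return the host to the baseline, and re-check.
Added illustration, not Shavlik code. All data below is constructed."""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    category: str  # service | account | setting | software | patch
    item: str
    expected: str
    actual: str


# Approved "desired state" for the file-server role (constructed values).
# Patch identifiers are placeholders, not real update numbers.
BASELINE_FILE_SERVER = {
    "services": {"Spooler": "disabled", "LanmanServer": "running", "Telnet": "disabled"},
    "local_admins": {"Administrator", "svc_backup"},
    "settings": {"PasswordComplexity": "1", "MinimumPasswordLength": "12", "SMBv1": "0"},
    "approved_software": {"Antivirus 4.2", "Backup Agent 7.1"},
    "required_patches": {"KB-PLACEHOLDER-001", "KB-PLACEHOLDER-002"},
}

# State reported from host fs01 (constructed): the print spooler was re-enabled,
# a user was added to local Administrators, the password length policy was
# weakened, an unapproved package appeared and one required patch is missing.
SNAPSHOT_FS01 = {
    "host": "fs01",
    "services": {"Spooler": "running", "LanmanServer": "running", "Telnet": "disabled"},
    "local_admins": {"Administrator", "svc_backup", "jsmith"},
    "settings": {"PasswordComplexity": "1", "MinimumPasswordLength": "8", "SMBv1": "0"},
    "installed_software": {"Antivirus 4.2", "Backup Agent 7.1", "BitTorrent Client 3.0"},
    "installed_patches": {"KB-PLACEHOLDER-001"},
}


def detect_drift(baseline, snapshot):
    """Return every deviation from the baseline, sorted for stable reporting."""
    host = snapshot["host"]
    findings = []
    # Services must be in the state the baseline prescribes.
    for svc, expected in baseline["services"].items():
        actual = snapshot["services"].get(svc, "missing")
        if actual != expected:
            findings.append(Finding(host, "service", svc, expected, actual))
    # Any local administrator not in the baseline is unapproved.
    for acct in snapshot["local_admins"] - baseline["local_admins"]:
        findings.append(Finding(host, "account", acct, "not in Administrators", "in Administrators"))
    # Security settings (policy / registry values) must match exactly.
    for key, expected in baseline["settings"].items():
        actual = snapshot["settings"].get(key, "missing")
        if actual != expected:
            findings.append(Finding(host, "setting", key, expected, actual))
    # Installed software outside the approved list is drift.
    for pkg in snapshot["installed_software"] - baseline["approved_software"]:
        findings.append(Finding(host, "software", pkg, "not installed", "installed"))
    # Required patches that are absent are drift.
    for patch in baseline["required_patches"] - snapshot["installed_patches"]:
        findings.append(Finding(host, "patch", patch, "installed", "missing"))
    return sorted(findings, key=lambda f: (f.category, f.item))


def is_compliant(findings):
    return not findings


def apply_remediation(snapshot, findings):
    """Return a copy of the snapshot with every finding corrected. In a real
    deployment each branch would trigger the matching host action instead."""
    fixed = copy.deepcopy(snapshot)
    for f in findings:
        if f.category == "service":
            fixed["services"][f.item] = f.expected
        elif f.category == "account":
            fixed["local_admins"].discard(f.item)
        elif f.category == "setting":
            fixed["settings"][f.item] = f.expected
        elif f.category == "software":
            fixed["installed_software"].discard(f.item)
        elif f.category == "patch":
            fixed["installed_patches"].add(f.item)
    return fixed


def compliance_report(baseline, snapshot):
    """One line per gap, suitable as audit evidence; first line is the verdict."""
    findings = detect_drift(baseline, snapshot)
    status = "COMPLIANT" if is_compliant(findings) else f"{len(findings)} gap(s)"
    lines = [f"{snapshot['host']}: {status}"]
    for f in findings:
        lines.append(f"  [{f.category}] {f.item}: expected {f.expected}, found {f.actual}")
    return lines


if __name__ == "__main__":
    print("\n".join(compliance_report(BASELINE_FILE_SERVER, SNAPSHOT_FS01)))
    gaps = detect_drift(BASELINE_FILE_SERVER, SNAPSHOT_FS01)
    restored = apply_remediation(SNAPSHOT_FS01, gaps)
    print("\n".join(compliance_report(BASELINE_FILE_SERVER, restored)))
```

The point of structuring it this way is that assessment and remediation share the same baseline object: the same data that decides whether a host is compliant also tells the remediation step what to restore, so a re-run of `detect_drift` after remediation is the audit evidence that the gap is closed rather than merely reported.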
Shavlik Technologies LLC is exhibiting at Infosecurity Europe 2008.