Skip to main content

Five best practices for customizing your compliance program

compliance
(Image credit: Image Credit: Docstockmedia / Shutterstock)

The digital age has forced organizations of all sizes to demonstrate compliance within a variety of regulatory standards. This has been exacerbated by the fact that cyberattacks are mounting, with hackers seeking to exploit weak security controls and outdated operating systems. These gaps in organizational security strategies need to be addressed, and regulatory standards offer a platform for organizations to get a better handle on their security posture. Yet, regardless of whether these are enforced locally, nationally, internationally, or are industry-specific, ensuring compliance takes time and resources, and can be a strain for businesses. 

Not to mention, organizations face an additional obstacle when they have internal compliance standards to conform to. These types of standards require the same level of monitoring as regulatory policies, and need to be adopted across the same varied, dispersed and ever-evolving IT infrastructure.  

Industries such as finance, manufacturing, healthcare, and retail are continually innovating and evolving, and business objectives are constantly changing. And as a result, so are the types of technologies that are available to them. Such dynamism points to many reasons why businesses might ultimately be required to supplement their current compliance program with additional policies down the road, especially as more regulatory standards are developed.  

With all these factors to consider, it’s easy to understand why organizations often end up with an excess of tools applied piecemeal across their environment, rather than a centralized view of their organization’s security posture and policy compliance. More complexity is the last thing they need. Here are a few things to consider when managing compliance for your organization: 

Eliminating complexity

Create a centralized view: Organizations should avoid sinking time and resources into managing and maintaining different vendors for individual compliance requirements. Instead, they should invest in a single tool that can be applied across their entire IT environment that allows them to use a customized combination of internal and external policies. For example, an organization may need to be able to prove continuous compliance with PCI-DSS and ISO27001, in addition to an internally created corporate compliance standard. They should look for a tool that can support each of these policies across a unified console, and one that allows them to make changes or additions in real-time, as needed.  

Employ continuous monitoring: A well-secured organization can pinpoint their exact level of alignment to a regulatory standard at any given time by monitoring their compliance continuously, not periodically. This can be done through security configuration management (SCM) - a security practice that is designed to continuously maintain a compliant system state post-audit rather than a mere snapshot of compliance for a specific moment in time. It’s no longer enough for organizations to know that they were aligned with their compliance mandates under the scrutiny of an auditor, but then let things fall to the wayside. The goal should be understanding their exact compliance level at any point in time—audit or not.  

Not to mention, when new assets are deployed and hardened, the confidence in the functionality of those assets is usually high. But as users and administrators interact with it—as software/operating systems are upgraded and settings are changed—that confidence degrades over time. With SCM, organizations can track these changes, determine if they’ve moved out of compliance and implement steps to return to their secure, baseline state. 

Match policies across your assets: With regard to larger organizations, systems may be more complex and have multiple layers, but it’s still necessary to get actionable information out of these various environments. This includes when a company’s operations are divided by location, system owner, business owner, application and so on. It’s important that organizations have the ability to tag their assets by the logical schema that maps best to them. This will allow organizations to better report on and manage their compliance.  

Double-check your cloud environment: Organizations are quickly shifting their assets to the Cloud to keep up with digital transformation, maintain better backup and recovery of data, and for general scalability. But maintaining compliance in this new environment can be difficult, especially when shared responsibility models with cloud providers are unclear and differ from platform to platform. Working with a trusted provider that meets your compliance needs and understanding where responsibilities lie at the onset of a partnership is key to managing your Cloud environment.  

Find the right tool(s): Organizations should seek out a solution that can grow and adapt with their business and allows them to easily track multiple combinations of security and compliance policies, standards, regulations, and vendor guidelines. Deploying a fully integrated solution that provides visibility into policy compliance, file integrity and remediation management is a surefire way to streamline compliance efforts. That said, many organizations face resourcing challenges, and lack of skilled personnel to monitor compliance solutions. Adopting a managed service hosted by the vendor is a good way to solve this gap and ensure that you have the right skill set for the solution. It also gives the vendor an opportunity to interact with your organization and understand unique compliance requirements. 

Closing comments

At the end of the day, compliance is about more than making sure your organization is operating within a specific set of security standards. Though, that is extremely important. Maintaining compliance also helps your business run more efficiently through transparency, it lessens the likelihood of a data breach and subsequent reputational damage, and it keeps you from paying costly fines. Moreover, as many industries welcome this period of legal reformation, having a strong compliance program will put the organization in a good position to meet future regulatory standards that become mandated. 

While some standards are specific to a particular industry, many have elements and requirements that are similar to one another. So, if the organization is already aligned with commonly followed regulations, then maintaining compliance with new ones won’t be as demanding. Taking the right steps to ensure your environment is in compliance (and stays that way) and can be easily managed is key for achieving operational efficiency.

PJ Norris, Principal Systems Engineer, Tripwire

PJ is a rounded security professional with extensive security experience gained within enterprises organizations across many sectors, most recently within utilities and service provider environments. Having worked in the IT Sector for more than 27 years PJ is proficient in most enterprise technologies including operating systems, networks, storage, applications and databases.