Both security and compliance are about establishing (and implementing) standards that ensure an environment where company assets and data are accessed and used properly. So if you were asked, “Do you think security and compliance really coexist?” you’d most likely think it a dumb question and say, “Of course.”
But what if we challenge that notion a bit -- not so much to explore if they can coexist, but whether they do.
Security is about access -- whether you can get to systems and data. Compliance is about behavior -- what you do with it once you get there. So to truly see security and compliance coexist, you need a way to tie the two together to get a full picture of what kind of access is available and who utilized that access.
For the purposes of this article, let’s focus on the access each IT person has and the work being done within critical systems to establish and maintain a secure environment. But let’s do so from the perspective of a compliance audit. Here there is a distinct secret to bridging the gap between security and compliance and some critical changes every organization should audit.
It’s not until an actual audit that it becomes evident that security and compliance are not aligned. Why? Because of one simple issue -- documentation. During an audit, security pros are asked for proof that security has been maintained in a known state -- where a security pro is aware of the state of security at any given point in time. Without knowing who was given access, it’s pretty tough to tell whether the folks with access behaved themselves. And access can change quickly -- someone can have access to a resource today and have it removed tomorrow.
Take the reasonable auditor question of, “Who has been a member of the Domain Admins group within the last year?” (You can, of course, insert your own administrative group if you’re not using Active Directory.) It’s a reasonable question -- the auditor simply wants to know who has had access to make critical changes to security, affecting access to sensitive data. It’s at this point that the security pro realizes they haven’t documented every change made to this group and have no reasonable way to come up with an answer to the question, thus failing at least that part of the audit.
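To make that auditor question concrete, here is an added example (not from the original article) that replays the membership-change events a domain controller records for a global group such as Domain Admins (event ID 4728 for a member added, 4729 for a member removed) and answers “who held membership at any point in the window?” The event records are constructed sample data in the shape of those log fields; the group and account names are made up, and the function and field names are this example’s own.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample records shaped like Security log events
# 4728 (member added to a security-enabled global group) and 4729 (removed).
SAMPLE_EVENTS = [
    {"time": "2023-02-01T09:12:00", "id": 4728, "group": "Domain Admins",
     "member": "CORP\\alice", "actor": "CORP\\admin1"},
    {"time": "2023-03-15T14:03:00", "id": 4728, "group": "Domain Admins",
     "member": "CORP\\bob", "actor": "CORP\\admin1"},
    {"time": "2023-04-01T08:30:00", "id": 4729, "group": "Domain Admins",
     "member": "CORP\\bob", "actor": "CORP\\admin2"},
    # Removal with no recorded addition: the add predates log retention.
    {"time": "2023-05-10T17:45:00", "id": 4729, "group": "Domain Admins",
     "member": "CORP\\carol", "actor": "CORP\\admin2"},
    {"time": "2023-06-01T10:00:00", "id": 4728, "group": "Helpdesk Admins",
     "member": "CORP\\dave", "actor": "CORP\\admin1"},
]

def membership_intervals(events, group):
    """Replay add/remove events for one group into per-member
    (added, removed) intervals; None marks a bound the log never saw."""
    intervals = defaultdict(list)
    open_since = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["group"] != group:
            continue
        t = datetime.fromisoformat(ev["time"])
        m = ev["member"]
        if ev["id"] == 4728 and m not in open_since:
            open_since[m] = t
        elif ev["id"] == 4729:
            intervals[m].append((open_since.pop(m, None), t))
    for m, t in open_since.items():          # still members at end of log
        intervals[m].append((t, None))
    return dict(intervals)

def members_during(events, group, start, end):
    """Answer the auditor's question for [start, end]: returns
    (members who held membership at any point in the window,
     members whose addition was never logged, i.e. a documentation gap)."""
    ws, we = datetime.fromisoformat(start), datetime.fromisoformat(end)
    members, undocumented = set(), set()
    for m, ivs in membership_intervals(events, group).items():
        for added, removed in ivs:
            if (added is None or added <= we) and (removed is None or removed > ws):
                members.add(m)
                if added is None:
                    undocumented.add(m)
    return sorted(members), sorted(undocumented)

if __name__ == "__main__":
    print(members_during(SAMPLE_EVENTS, "Domain Admins", "2023-03-01", "2024-03-01"))
```

The second list is the part an auditor will press on: a removal with no matching addition means the membership history is incomplete, which is exactly the documentation gap the article describes.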
So the secret is simply documentation. As long as the configuration of, and every change to, security is documented, security aligns with compliance. Now the hard part: how do you document every change? Without third-party solutions it’s not an easy task, but in principle it is as simple as documenting security changes -- and that does mean every change.
What Changes Should I Be Watching?
Every change? That’s a daunting task, and no IT or security pro really has the time. So let’s break everything down into something a little more manageable and look at the changes that will help in meeting compliance objectives.