Compliance is no longer a monthly, or even weekly, task -- it’s something that needs constant evaluation and adjustment. Sources change and applicability of control over data should be under consistent review -- that’s the age of continuous compliance we live in today. One requirement of continuous compliance is ongoing, effective and intelligent communication. There are some ways to help improve communication and ensure your compliance and security teams get the best, most relevant and timely information to keep you secure and compliant -- and remain that way.
Connect the Dots in Data Usage
Traditional lines of administration and control are still the norm at larger, more established organizations -- and that’s OK. Lines of administration and control were drawn long ago, and processes held that administrators maintained control over their areas of expertise.
What we have to recognize is that information held within these silos can be valuable to other areas of the organization, and by preventing an exchange of intelligence, we can hinder security and compliance. It’s easy enough to describe and recognize -- but doing something about it can challenge both political and other boundaries.
One way that can help you overcome some of these limitations is to make sure the groups that traditionally don’t share information (Security, HR, IT Operations, etc.) define their roles for the organization and give examples of what they do with data. Look for data similarities or lines that cross -- and ensure that all of the other parts of the organization understand your goals and purposes for gathering data.
Normalize Event Data
Another step that can really improve the situation is to normalize your event data. In today’s line-of-business apps, cloud solutions, internal tools and management frameworks, data that should be similar -- or the same -- can look very different depending on how developers choose to expose the data to end users (usually in the form of logs or events).
It often takes some application expertise to translate events into something meaningful before the data can be determined to be useful or not. Look for applications that can normalize the data for you -- that don’t need application expertise to understand what the application developers are trying to tell you.
Sharing Data Securely
Finally, you also can look for opportunities to share data without providing access to the collecting application or infrastructure, and without providing knowledge about how it was collected. An example of where this can be really helpful would be where account information is shared with the helpdesk and security. Account creation and provisioning, permission changes, failed login attempts, account lockout, etc. are all really useful for these teams in their efforts to assist end users or investigate security holes or data breaches. Look for ways to securely, simply and easily share live event data with teams that can make the most use of the data, allowing them to group, sort and filter to best serve their needs and the needs of their clients.
It doesn't have to stop with the helpdesk and security -- internal auditors, IT management and others can make good use of the data, as well. A word of caution, though, particularly when it comes to external parties (like external auditors), you should always avoid “over sharing.” By providing more data than auditors specifically ask for it allows them to dig deeper on unrelated data, and spend more time investigating and looking for data breaches or misuse. It may sound obvious, but be judicious about how much you share with those outside your organization, and you can save yourself a lot of headaches in the future.
So, remember, the data you collect (and I’m mainly referring to governance, risk and compliance data here) can have value beyond its primary purpose -- when it’s normalized and shared with an audience that knows what to do with it. It can make you more secure, and assist in the normal day-to-day flow of business in the organization. We just have to share appropriately, understand who can use the data and for what purpose.