“Continuous” Now Part of the Standard of Due Care
This is the third installment in my Drifting Out of Compliance series, taking a closer look at organizational approaches indicative of a point-in-time compliance mentality and the challenges of shifting to a continuous compliance mentality. Although a security first, compliance second approach is best, many organizations still struggle to attain the baseline level of security outlined in compliance requirements.
Thus far, we’ve looked at different approaches to compliance indicative of a point-in-time compliance mentality as well as three myths, or false assumptions, organizations believe which further entrench themselves in this point-in-time compliance mindset. In this discussion I take a look at how increasingly, organizations will be expected to adopt a continuous compliance mentality as part of the ever-rising standard of due care.
Compliance frameworks weigh in
Organizations will be expected to adopt a continuous compliance mentality as part of the ever-rising standard of due care
Many of you are probably already familiar with the “business as usual” language introduced into the PCI DSS with v 3.1, the idea being to incorporate compliancy into everyday business processes as a matter of course. We see this sort of language in other frameworks as well, in a number of different contexts, including risk management, process improvement, continuous monitoring and continuous security improvements. It is clear to me that the concept of “ongoing basis” is not a new one. Other frameworks have been endorsing this continuous approach for some time as well. In fact, NIST has devoted an entire publication to Information Security Continuous Monitoring. Consider the following contexts and framework references:
- Risk Management - NIST 800-37 endorses “near real time risk management,” “ongoing information system authorization” and “continuous monitoring processes” as part of its risk management framework
- Security Controls - NIST 800-53 addresses the need for “ongoing risk-based decisions,” “ongoing effectiveness,” “near real time information” and “continuous monitoring”
- Card Data Security - PCI SSC encourages PCI entities to “monitor effectiveness of security controls on an ongoing basis” and “maintain their PCI DSS environment in between PCI DSS assessments”
- Continuous Monitoring - NIST 800-137 recognizes the need for an “ongoing awareness” to be incorporated as part of an overall Information Security Continuous Monitoring program
- Security Continuous Monitoring – The NIST Cybersecurity framework has devoted a section of its requirements to this concept
- Continuous Reporting - The federal government’s Continuous Diagnostic and Monitoring (CDM) program was started to address the need for reporting on an “ongoing basis”
- Critical Infrastructure Reliability – NIST 800-82 endorses the “continuous monitoring of selected security controls” and the need for “continuous security improvements”
- Risk assessments – the CIS Top 20 speaks to the need to “continuously conduct risk assessments” and to “continuously look for vulnerabilities”
There ... always will be a need for continual compliance
I’m sure there are many more, but you get my point. There has always been and always will be a need for a continual, non-stop security program, and considering compliance requirements represent a baseline level of security, there has always been and always will be a need for continual compliance as well. In this way, compliance activities will become more closely aligned with security programs. Per the PCI SSC:
To ensure security controls continue to be properly implemented, PCI DSS should be implemented into business-as-usual (BAU) activities as part of an entity’s overall security strategy.
The rising “baseline” calls out the need for efficiencies
As the standard of due care increasingly incorporates the concepts of “ongoing awareness,” “continuous monitoring” and “business as usual” the compliance expectations rise as well. The challenge of attaining and sustaining even a baseline level of security, such as that laid out in the PCI DSS requirements, becomes even more daunting. When you pair the fact that 80% of organizations drift out of compliance in between annual assessments with the fact that compliance standards continue to become more demanding, it’s very easy to become overwhelmed by the thought of attaining a continuous state of compliance. However consider a suggestion found in NIST 800-137:
Automated processes, including the use of automated support tools (e.g., vulnerability scanning tools, network scanning devices), can make the process of continuous monitoring more cost-effective, consistent, and efficient.
I couldn’t agree more. Sustainable compliance requires automation and new found efficiencies. It has to. Security personnel are already “doing more with less.” An automated continuous network monitoring solution such as Tenable’s SecurityCenter Continuous View™ discovers, assesses and monitors your network environment on an ongoing basis. This provides the ongoing awareness and insights needed to conduct comprehensive risk-based assessments and to monitor the effectiveness of your organization’s security controls.
Check back next week for the fourth and final installment of this Drifting out of Compliance series.
Related Articles
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
CISA and NSA Release Top 10 Cybersecurity Misconfigurations: How Tenable Can Help
October 19, 2023The NSA and CISA have released a joint cybersecurity advisory discussing the top 10 most common cybersecurity misconfigurations, and outlining ways to mitigate them. Read this blog to learn more and see how Tenable technologies can help discover, prevent and remediate these misconfigurations.
Cybersecurity Snapshot: The Latest on Supply Chain Security – SBOM Distribution, Open Source Flaws and a New Security Framework
April 21, 2023Check out what CISA says about the sharing of software bills of materials. Plus, why you should tread carefully with open source components. Also, the SLSA supply chain security framework is ready. In addition, security worries hold back enterprise IoT adoption. And much more!
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Security Frameworks
- Standards
- Vulnerability Management