By: Kevin Thomas, Principal Consultant
Contextual Security Solutions | May 24, 2017 @ 14:00
Recently I spoke at a BSides conference and shared with the audience a common scenario that I run into when working with new clients. As a compliance consultant, I spend most of my time assessing companies against regulatory frameworks like the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Experian Independent Third Party Assessment (EI3PA) standard. The first step in any compliance audit that we perform begins with requesting an organization's policies and procedures, as well as their current network diagram(s). We like to get this information before assessing the client's technologies, physical security and people because it usually gives us a solid understanding of their environment and the maturity level of their information security program. With that said, this also ends up being the deficiency or compliance gap that we see more frequently than any other. In most cases the client either hasn't yet developed and documented their policies or procedures, or they haven't updated their documentation in some time. Each of these issues not only affects their compliance status but also negatively impacts their security posture.
For those organizations that haven't yet developed and formally documented their policies and procedures, there are several resources we can point them towards, both free and fee-based. SANS (https://www.sans.org/security-resources/policies) has compiled an excellent set of free baseline policy resources that is constantly being updated by the information security community. For organizations that need templates for specific regulatory frameworks like PCI and HIPAA, PCI Policy Portal (http://pcipolicyportal.com) and the HIPAA Store (http://www.hipaastore.com/) are both inexpensive resources to assist with policy development. This is not an exhaustive list of policy template resources by any stretch of the imagination, and there are plenty of other solid options, both free and fee-based, to choose from.
As for those organizations that have documented policies and procedures but haven't updated them in quite some time, I highly recommend that time be taken to do so. One reason is that many compliance frameworks require it. For instance, requirement 12.1.1 from PCI DSS version 3.2 states that merchants must:
“review security policy at least annually and update the policy when the environment changes”.
The guidance for this particular PCI DSS control notes that “security threats and protection methods evolve rapidly. Without updating security policy to reflect relevant changes, new protection measures to fight against these threats are not addressed.”
Things do change, and a couple of slides that I typically show to illustrate this point are taken from the HIPAA Breaches Affecting 500 or More Individuals page (also known as the HIPAA Wall of Shame, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf). Looking at the results from 2009, out of the first fourteen breaches reported, twelve were a result of theft.
[Figure: OCR Breaches Affecting 500 or More Individuals, results from 2009]
Considering these results, policies and procedures drafted around 2009 probably began to focus heavily on physical controls as well as on encrypting data at rest, both of which could be used as part of a greater defense-in-depth approach to addressing theft.
However, when you fast forward to 2017, most of the reported breaches are tied to a hacking/IT incident.
[Figure: OCR Breaches Affecting 500 or More Individuals, results from 2017]
Granted, these data points are many years apart, but it doesn’t dismiss the fact that it is all too common for me to be handed policies to review that haven’t been updated in five to seven years.
Looking at the carnage that was left by WannaCry(pt) a little over a week ago, I wonder how many organizations, especially those in healthcare, had playbooks within their incident response procedures that addressed ransomware scenarios. I also wonder how many organizations will go back and look at the documentation that governs their information security program. Whether you were affected by WannaCry(pt) or not, there's no better time than now to develop or update your organization's documentation.
So, what should you do? Here are a few pointers:
- Review processes and procedures at least annually and after any significant change to your environment
- Update to reflect and address the evolving threat landscape
- Update to reflect and address the evolving compliance landscape
- Update to reflect and address the evolving legal landscape (e.g. Breach Notification)
- Update to reflect and address changes in the organization
- Document the reviews! (Be sure to date the review and note who participated in it)
Key policies and procedures that are typically out of date include the following:
- Incident Response Procedures
- Disaster Recovery Procedures
- Data Handling Procedures
- Backup Policies
- System Configuration and Hardening Guides
If you have any questions regarding the content of this blog entry, or are simply looking for some guidance on building or updating your information security program, please contact us directly at firstname.lastname@example.org.