Creating a compliance program on a budget

Along with death and taxes, security compliance programs are becoming one of the unavoidable facts of life for many of us. That means someone has to create a compliance program so you can monitor and put appropriate controls in place around information security.

The trouble is, while many people see such a program as important, they don’t want to commit too many, if any, resources to a program. Ashley Deuble of Caterpillar was faced with this challenge. He told the audience at AusCERT 2015 about how he created a compliance program on a tight budget.

“A tight budget really means you’ve got nothing, start using Excel.” The first question you need to answer, according to Deuble, is why you think you need a compliance or assessment program.

“Our companies spend lots and lots of money creating wonderful policies, standards, guidelines, technical controls and all this wonderful stuff to protect our data, protect what’s nearest and dearest to us. At the end of that we don’t even know if our businesses are actually reading these policies or reading these security documents.”

This is the driver for putting a compliance program in place as those documents put operational and regulatory obligations on the business. Putting an ongoing program in place also means there’s ongoing assessment so the business better understands its posture over time.

Deuble’s process was not complex but it resulted in far better visibility of the challenges around compliance. By placing a monitoring and reporting structure around security compliance, he was able to document obligations, assign them to appropriate stakeholders and get them to take responsibility.

One of the challenges all compliance regimes need to address is partial compliance. If compliance with a particular obligation depends on several criteria, is compliance only achieved when all of the criteria are met, or is there some “sliding scale” of compliance?

Ultimately, Deuble chose to implement a binary scale. However, he emphasised the importance of maintaining complete documentation. For example, if a particular compliance control required an item to be subject to automated checking but the item was instead checked manually on a regular basis, it was important to record both the non-compliance and the manual checking that was being done, along with evidence of that checking.

There are several different options for assessment. Deuble suggested that on-site reviews by security staff, remote interviews, on-site personnel working on behalf of security staff and employee self-surveys were all reasonable approaches, depending on the control being monitored.


It was also important to assign the risks in bite-sized chunks. If too many different issues are wrapped into a single risk, it may be hard to get someone to take ownership of it.
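The binary scale with mandatory documentation, and the one-owner-per-risk rule from the paragraph above, can be captured in a small tracker. The following is an added example, not code from Deuble’s talk or the article; the CSV register format, column names and sample rows are all assumptions constructed for the example (a register like this could be exported from the spreadsheet the talk suggests starting with).

```python
import csv
import io
from collections import defaultdict

# Constructed sample register (not real data). Columns:
#   obligation            - identifier of the obligation being assessed
#   owner                 - the single stakeholder who owns this risk
#   criteria              - semicolon-separated "name=met|unmet" pairs
#   compensating_control  - what is being done instead, if a criterion is unmet
#   evidence              - reference to evidence of the checking (ticket, log, ...)
REGISTER_CSV = """obligation,owner,criteria,compensating_control,evidence
OBL-1,Server team,patch-cadence=met;automated-check=unmet,Patches verified by hand each Monday,ticket-4411
OBL-2,App team,code-review=met;sast-scan=met,,pipeline-log-2015-05
OBL-3,Network team,firewall-review=unmet;change-approval=unmet,,
"""


def parse_criteria(field):
    """Turn 'a=met;b=unmet' into {'a': True, 'b': False}."""
    result = {}
    for item in field.split(";"):
        name, _, state = item.partition("=")
        result[name.strip()] = state.strip().lower() == "met"
    return result


def assess(row):
    """Apply the binary scale: an obligation is compliant only if every criterion is met.

    A non-compliant obligation still counts as properly documented when it records
    both the compensating (e.g. manual) control and evidence that it is performed.
    """
    criteria = parse_criteria(row["criteria"])
    compliant = all(criteria.values())
    record = {
        "obligation": row["obligation"].strip(),
        "owner": row["owner"].strip(),
        "compliant": compliant,
        "unmet": sorted(name for name, met in criteria.items() if not met),
        "compensating_control": row["compensating_control"].strip(),
        "evidence": row["evidence"].strip(),
    }
    record["documented"] = compliant or bool(
        record["compensating_control"] and record["evidence"]
    )
    return record


def load_register(text):
    """Parse the CSV register and assess every row."""
    return [assess(row) for row in csv.DictReader(io.StringIO(text))]


def summarise_by_owner(records):
    """Per-owner totals, so each gap can be handed to exactly one stakeholder."""
    summary = defaultdict(lambda: {"total": 0, "compliant": 0, "undocumented_gaps": []})
    for rec in records:
        entry = summary[rec["owner"]]
        entry["total"] += 1
        if rec["compliant"]:
            entry["compliant"] += 1
        elif not rec["documented"]:
            entry["undocumented_gaps"].append(rec["obligation"])
    return dict(summary)


def executive_summary(records):
    """One-line figures of the kind an executive summary section would carry."""
    total = len(records)
    compliant = sum(1 for r in records if r["compliant"])
    undocumented = sum(1 for r in records if not r["documented"])
    return {"total": total, "compliant": compliant, "undocumented": undocumented}


if __name__ == "__main__":
    recs = load_register(REGISTER_CSV)
    print(executive_summary(recs))
    for owner, entry in summarise_by_owner(recs).items():
        print(owner, entry)
```

With the constructed rows, OBL-1 is non-compliant but documented (a manual check with a ticket reference), OBL-2 is compliant, and OBL-3 is flagged as an undocumented gap for the Network team to take ownership of.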

When reporting to the business and senior management on the results of the compliance assessment, Deuble recommends using formats that are already familiar to the business rather than creating something completely new. By including an executive summary, an issues overview, detailed issues, recommendations and document control, it’s possible to address the needs of most of the business without confronting them with something unfamiliar.

Deuble also emphasised the importance of reviewing reports thoroughly before distributing them. That means reading them and putting them out for peer review before wide distribution. It’s also critical to get explicit management approval for any reports that are sent to clients.

All compliance reporting data should be encrypted both at rest and in transit. That covers not only the reports and any data used to produce them on site, but also having appropriate encryption procedures in place for data received from external partners and clients. This data should be stored in a single, secure repository.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Anthony Caruana
