“Continuous” Now Part of the Standard of Due Care

This is the third installment in my Drifting Out of Compliance series, taking a closer look at organizational approaches indicative of a point-in-time compliance mentality and the challenges of shifting to a continuous compliance mentality. Although a security first, compliance second approach is best, many organizations still struggle to attain the baseline level of security outlined in compliance requirements.

Thus far, we’ve looked at different approaches to compliance indicative of a point-in-time compliance mentality as well as three myths, or false assumptions, organizations believe which further entrench themselves in this point-in-time compliance mindset. In this discussion I take a look at how increasingly, organizations will be expected to adopt a continuous compliance mentality as part of the ever-rising standard of due care.

Compliance frameworks weigh in

Organizations will be expected to adopt a continuous compliance mentality as part of the ever-rising standard of due care

Many of you are probably already familiar with the “business as usual” language introduced into the PCI DSS with v 3.1, the idea being to incorporate compliancy into everyday business processes as a matter of course. We see this sort of language in other frameworks as well, in a number of different contexts, including risk management, process improvement, continuous monitoring and continuous security improvements. It is clear to me that the concept of “ongoing basis” is not a new one. Other frameworks have been endorsing this continuous approach for some time as well. In fact, NIST has devoted an entire publication to Information Security Continuous Monitoring. Consider the following contexts and framework references:

• Risk Management - NIST 800-37 endorses “near real time risk management,” “ongoing information system authorization” and “continuous monitoring processes” as part of its risk management framework
• Security Controls - NIST 800-53 addresses the need for “ongoing risk-based decisions,” “ongoing effectiveness,” “near real time information” and “continuous monitoring”
• Card Data Security - PCI SSC encourages PCI entities to “monitor effectiveness of security controls on an ongoing basis” and “maintain their PCI DSS environment in between PCI DSS assessments”
• Continuous Monitoring - NIST 800-137 recognizes the need for an “ongoing awareness” to be incorporated as part of an overall Information Security Continuous Monitoring program
• Security Continuous Monitoring – The NIST Cybersecurity framework has devoted a section of its requirements to this concept
• Continuous Reporting - The federal government’s Continuous Diagnostic and Monitoring (CDM) program was started to address the need for reporting on an “ongoing basis”
• Critical Infrastructure Reliability – NIST 800-82 endorses the “continuous monitoring of selected security controls” and the need for “continuous security improvements”
• Risk assessments – the CIS Top 20 speaks to the need to “continuously conduct risk assessments” and to “continuously look for vulnerabilities”

There ... always will be a need for continual compliance

I’m sure there are many more, but you get my point. There has always been and always will be a need for a continual, non-stop security program, and considering compliance requirements represent a baseline level of security, there has always been and always will be a need for continual compliance as well. In this way, compliance activities will become more closely aligned with security programs. Per the PCI SSC:

To ensure security controls continue to be properly implemented, PCI DSS should be implemented into business-as-usual (BAU) activities as part of an entity’s overall security strategy.

The rising “baseline” calls out the need for efficiencies

As the standard of due care increasingly incorporates the concepts of “ongoing awareness,” “continuous monitoring” and “business as usual” the compliance expectations rise as well. The challenge of attaining and sustaining even a baseline level of security, such as that laid out in the PCI DSS requirements, becomes even more daunting. When you pair the fact that 80% of organizations drift out of compliance in between annual assessments with the fact that compliance standards continue to become more demanding, it’s very easy to become overwhelmed by the thought of attaining a continuous state of compliance. However consider a suggestion found in NIST 800-137:

Automated processes, including the use of automated support tools (e.g., vulnerability scanning tools, network scanning devices), can make the process of continuous monitoring more cost-effective, consistent, and efficient.

I couldn’t agree more. Sustainable compliance requires automation and new found efficiencies. It has to. Security personnel are already “doing more with less.” An automated continuous network monitoring solution such as Tenable’s SecurityCenter Continuous View™ discovers, assesses and monitors your network environment on an ongoing basis. This provides the ongoing awareness and insights needed to conduct comprehensive risk-based assessments and to monitor the effectiveness of your organization’s security controls.

Check back next week for the fourth and final installment of this Drifting out of Compliance series.