So much has been written on security versus compliance and on continual compliance that discussing it can feel like beating a dead horse. That being said, it is a dead horse that needs to be beaten, because we continually come across organizations in a mad dash to get into compliance just before the date on which they need to prove it. What makes this worse is that while many compliance audits cover a point in time, being compliant means maintaining compliance all the time. Having all of your documentation and systems ready when the auditor shows up may get you a passing audit, but if that does not reflect the true state of the organization on an ongoing basis and over the prior period, then you really are not, and were not, compliant (semantics aside). Since organizations are rarely, if ever, found out of compliance for exceeding security requirements, a gap in compliance almost always means security was allowed to slide during that period as well.
Audit and assessment processes are a topic for another time, but the essential point here is that maintaining continual compliance will not only keep you more secure (I understand that there may be exceptions to this, but that is also a topic for another time), it will make life much easier for everyone when audit time comes around. There are many ways to maintain continual compliance, but all of them require that someone or some group "own" compliance. Organizations should perform spot checks or internal audits throughout the year to confirm that compliance is being maintained. In some organizations, internal audit can fill some or all of this role; in smaller organizations, it may fall to the security or IT function. Keeping track of your organization's compliance status throughout the year prevents surprises at audit time and spares everyone the all-too-common "let's work 20 hours a day, seven days a week to get ready for the audit" mad dash.
If a standard requires that you perform some type of scanning quarterly, for example, you do not want to discover at audit time that those scans never happened. If a standard requires document review, review the documents at a set interval that falls well before the audit date; trying to get rushed or emergency management sign-off on a policy while an audit date is fast approaching is rarely fun. And do not forget documentation: record that spot checks and internal audits occurred, noting what was reviewed, against which standard, and by whom. Make use of ticketing systems and anything else that makes the process easier to track and to evidence later.
If you have any questions about how to maintain compliance throughout the year and not just at audit time, and how to make sure you are always “audit ready,” we are always happy to have a discussion.
This article was written by Alex Hamerstone (@Infosecdoc) of TrustedSec.