Does there have to be tension between security and compliance? They’re certainly not the same, as I note in my previous blog, Security vs. Compliance: What’s the Difference?
It’s never been fun to have to show your work, and nobody wants to be a nag, so how can the groups come together to create something stronger than the individual parts? Here are a few ways to create that winning alliance.
COMMUNICATE
When compliance teams communicate well, everyone wins. The following are important things a compliance team can communicate to be more successful with integrating into security.
The Requirements – It may seem obvious, yet it's not uncommon to have a gap analysis, only to find out that the dev team didn’t know the requirements up front. The sooner security and development teams understand what is required, the sooner they can find ways to meet those requirements. Building compliance in from the beginning makes audits easier, and that needs to be part of any control design and implementation.
The Details – When communicating requirements, the responsible people must understand what an auditor looks for. It’s not enough to say, “have a firewall.” Is layer 3 sufficient, or do we need layer 7? How is the firewall defined? Does it have to be an appliance or can other approaches like security groups work? Communicating the requirements in a specific, detailed way allows security teams to be compliant in a way that fits their current workflow and technology choices.
The Evidence – The teams that provide the evidence need to know what will satisfy the auditor. Will the auditor be looking for reports, screenshots, or policy documents? An auditor will want to see a variety of different things, and knowing what these are ensures that nothing is missed come audit time. Developing the processes and artifacts early and often will save a lot of scrambling when an auditor is onsite.
The Frequency – Many controls and requirements are frequency-bound. Does something have to happen annually or monthly? Perhaps the control is continuous, so how can you show that? Knowing how often something needs to happen allows security teams to plan ahead and schedule those tasks. This is especially important when a missed task will be an audit finding because you can’t go back and make it up. A good practice is to perform frequency-bound tasks twice as often as required to avoid missing a control due to unforeseen circumstances like illness.
DOCUMENT
Documentation can be tedious and time-consuming, yet it is required for a successful audit. Documentation is both an internal reference and evidence an auditor will ask for.
Here are key documents for a winning alliance:
The Controls – Generate a list of all the controls the enterprise has agreed to follow. These should have an ID, name and description, and may also include frequency, environment, compliance, regulatory framework reference, and any other information the teams find useful. This is the standard list of things the compliance team says are required and the security team says they do. Auditors also like to see these since they make an easy reference for them when performing audit work. You may develop your own set of controls, use something like NIST 800-53, or some combination of the two. Regardless of how you generate your controls, ensure everything in your compliance frameworks is included.
The Evidence – In communication, it’s critical everyone understands and agrees on what is considered acceptable evidence. For documentation, the focus is on the artifacts themselves. It is not enough to do the work; you should get credit for it! Meeting notes, access and rule reviews, reports and emails can be evidence. Develop a plan to create receipts for all your good work, and be sure to have a known place to keep them. You don’t want to do all that paperwork and then be unable to find it when someone asks to see it. Even better, find ways to automate and store your evidence without thinking about it. The easier it is, the more successful you will be.
The Calendar – Frequency has been communicated, so it’s useful to create a shared calendar to track the frequency-bound events, the audit schedule, and any time off for the teams. A visual representation of what is required, when it is required, and who is available makes coordinating all the security and compliance tasks easier.
AUTOMATE
The biggest win of the winning alliance is automation. Much compliance is about producing the evidence and documenting the security team's great work. Security benefits from turning manual processes and controls into automated tasks; compliance can use that automation as evidence.
The three areas of automation that will produce the greatest benefit are:
Workflows – Workflows are the easiest place to start. How many workflows still require manual steps or hand-offs? Look for opportunities to build documentation into each step, and triggers that kick off the next one. For instance, source control repository tools in a DevOps pipeline make it easy to show code reviews and pull request approvals.
Reports – If you are going in and generating reports manually, there is always a risk of failure, particularly in frequency-bound controls. It’s easy to forget or miss a reporting window. Generating and distributing reports in an automated fashion ensures they go out on time, ideally to a group of people responsible for analysis and action. Look for APIs and other ways to automate reporting functions.
Documentation – I mentioned building documentation into standard workflows, and this is a great way to build security and compliance into day-to-day work. Like reports, there are opportunities to automate documentation. Asset and software lists can be generated based on triggers in the environment and then reviewed for authorization. The same can be done for users in access reviews. Collaboration tools also offer opportunities for automation. ChatOps can be a great way to create documentation based on processes you already have in place by triggering them in a tool already in common use.
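As an added example (not code from the original post or from any product it mentions), the script below ties together three of the points above: the controls list from DOCUMENT (ID, name, description, frequency, owner, framework reference and the agreed evidence location), the "twice as often as required" practice from COMMUNICATE, and an automatically generated status report from AUTOMATE. The control and evidence records, the dates, the owners and the framework mapping are all constructed for illustration; a real register would be loaded from the team's own source of truth.

```python
"""Control register with frequency tracking and an automated status report.

Added example. The data model (Control, Evidence), the sample controls and the
framework mapping below are assumptions made for illustration, not a standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    description: str
    frequency_days: int   # required interval: 7 weekly, 30 monthly, 90 quarterly, 365 annual
    owner: str
    framework_ref: str    # reference into the framework the control maps to
    evidence_path: str    # the agreed, known place where receipts for this control are kept

@dataclass(frozen=True)
class Evidence:
    control_id: str
    produced_on: date
    artifact: str         # report name, exported review, ticket id, etc.

SAFETY_FACTOR = 2  # perform frequency-bound tasks twice as often as required

def internal_interval_days(control: Control) -> int:
    """Internal cadence: the required interval divided by the safety factor (at least 1 day)."""
    return max(1, control.frequency_days // SAFETY_FACTOR)

def latest_evidence(control: Control, evidence: Iterable[Evidence]) -> Optional[Evidence]:
    matching = [e for e in evidence if e.control_id == control.control_id]
    return max(matching, key=lambda e: e.produced_on) if matching else None

def control_status(control: Control, evidence: Iterable[Evidence], today: date) -> Dict[str, object]:
    """Classify one control: NO_EVIDENCE, FINDING (required window missed), AT_RISK, or OK."""
    last = latest_evidence(control, evidence)
    row: Dict[str, object] = {
        "control_id": control.control_id, "owner": control.owner,
        "evidence_path": control.evidence_path, "last_evidence": None,
        "internal_due": None, "audit_due": None, "status": "NO_EVIDENCE",
    }
    if last is None:
        return row
    audit_due = last.produced_on + timedelta(days=control.frequency_days)
    internal_due = last.produced_on + timedelta(days=internal_interval_days(control))
    if today > audit_due:
        status = "FINDING"      # required window missed; this cannot be made up retroactively
    elif today > internal_due:
        status = "AT_RISK"      # internal cadence missed, but still inside the required window
    else:
        status = "OK"
    row.update(last_evidence=last.produced_on, internal_due=internal_due,
               audit_due=audit_due, status=status)
    return row

SEVERITY = {"FINDING": 0, "NO_EVIDENCE": 1, "AT_RISK": 2, "OK": 3}

def build_report(controls: Iterable[Control], evidence: Iterable[Evidence], today: date) -> List[Dict[str, object]]:
    """Worst status first, so the people responsible for action see findings at the top."""
    evidence = list(evidence)
    rows = [control_status(c, evidence, today) for c in controls]
    return sorted(rows, key=lambda r: (SEVERITY[str(r["status"])], str(r["control_id"])))

def format_report(rows: Iterable[Dict[str, object]]) -> str:
    return "\n".join(
        f"{r['status']:<12} {r['control_id']:<12} owner={r['owner']:<9} "
        f"last={r['last_evidence']} audit_due={r['audit_due']} evidence={r['evidence_path']}"
        for r in rows
    )

# Constructed sample register and evidence (illustrative mapping to NIST 800-53 control IDs).
CONTROLS = [
    Control("AC-REV-01", "Quarterly access review", "Review user accounts and privileges",
            90, "IAM", "NIST 800-53 AC-2", "evidence/access-reviews/"),
    Control("FW-RULE-02", "Monthly firewall rule review", "Review rulebase changes and exceptions",
            30, "NetSec", "NIST 800-53 SC-7", "evidence/firewall-reviews/"),
    Control("VULN-SCAN-03", "Weekly vulnerability scan report", "Scan report distributed to owners",
            7, "VulnMgmt", "NIST 800-53 RA-5", "evidence/vuln-scans/"),
    Control("BCP-TEST-04", "Annual continuity exercise", "Tabletop exercise with recorded minutes",
            365, "BCP", "NIST 800-53 CP-4", "evidence/bcp-exercises/"),
]
EVIDENCE = [
    Evidence("AC-REV-01", date(2024, 1, 15), "access-review-2024Q1.xlsx"),
    Evidence("FW-RULE-02", date(2024, 3, 1), "fw-review-2024-03.pdf"),
    Evidence("VULN-SCAN-03", date(2024, 3, 31), "scan-2024-03-31.html"),
]
TODAY = date(2024, 4, 2)  # constructed "run date" so the output is reproducible

if __name__ == "__main__":
    print(format_report(build_report(CONTROLS, EVIDENCE, TODAY)))
```

Run on a schedule (or on the trigger that stores new evidence), this produces the same report every time and can be mailed to the owners listed in the register; the FINDING state exists precisely because a missed window cannot be repaired after the fact, while AT_RISK is the early warning that the internal cadence gives you.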
The winning alliance occurs when a security team has implemented effective controls to protect information assets and a compliance team validates that they are in place and operating as expected. This alliance ensures that security controls don’t atrophy and that required documentation is in place come audit time.