Security Audit and Compliance
SHANKAR TALUKDAR | January 28, 2022
Today's technology landscape is an ever-changing mix of complex network infrastructure, security controls and advanced tooling, yet no organization can guarantee that a cyber-attack or breach will be averted. Attackers have access to sophisticated and constantly evolving attack techniques, and point-in-time controls cannot keep up with them on their own. A sustainable way to counter them is continuous monitoring, and a compliance program is one form of continuous monitoring: adherence to an agreed benchmark or compliance level is measured and enforced on a continual basis.
A compliance program is essential for ensuring the confidentiality, integrity and availability of data; these three properties form the backbone of any information security system. It also improves the operational efficiency of organizations in sectors such as education, healthcare and financial services. A well-run program equips personnel with the resources they need to have confidence in their compliance efforts, allowing them to concentrate on running the organization.
The following paragraphs describe the approach that should be used to build a robust compliance program.
Defining the scope of the compliance program is the first and most important step. The following processes may be included in the scope for an enterprise:
Vulnerability and Patch Management
Asset and Configuration Management
Logging and Monitoring
Physical and Environmental Security
Governance (Policies & Procedures & Awareness)
End Point Security
Incident and Problem Management
Capacity and Availability
Once the scope is identified, the design of the program can proceed. A benchmark is defined for measuring the compliance level of each process in scope. For example, for end point security the percentage of security patches deployed on servers and workstations must meet the benchmark percentage previously identified and agreed upon.
Next, data is collected for each process at a given point in time to establish the current posture. The data is provided by the various tech teams and can take the form of reports, logs or raw exports from the tools in use.
The collected data is then reviewed and analyzed against the benchmark to identify gaps. This is the most crucial step, since a gap missed here can lead to a security breach. For example, if the analysis of vulnerability management shows that remediation for a quarter has fallen short of the benchmark percentage, the unremediated vulnerabilities leave servers and systems exposed, and effort must be made to remediate those findings within the stipulated time.
Solutions and a roadmap to close the gaps within a specified period should then be recommended. The roadmap for a compliance program usually spans a number of years, and it must be agreed with the various tech teams, who will own the remediation work.
Finally, the compliance level of each process is measured against its benchmark and expressed as a compliance score at a given point in time. The scores can be presented in a dashboard of graphs and charts that depicts the current security posture of the organization.
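The scoring and gap-analysis steps above can be made concrete in code. The following is an added example, not code from the original article: it scores two in-scope processes (vulnerability remediation against a per-severity SLA, and patch deployment coverage) from constructed evidence records and reports every process whose score falls below its agreed benchmark. The process names, benchmark percentages, SLA windows, hostnames and sample records are all assumptions chosen for illustration.

```python
"""Compliance scoring and gap analysis.

Added example, not code from the original article. Process names, benchmark
percentages, SLA windows and the evidence records below are constructed
assumptions that illustrate the method: collect evidence per process, score
it against an agreed benchmark, and report the gaps.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed benchmarks agreed with the tech teams (minimum percent compliant).
BENCHMARKS: Dict[str, float] = {
    "Vulnerability and Patch Management": 95.0,
    "End Point Security": 98.0,
}

# Assumed remediation SLA per severity, in days from discovery.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90}

# Reporting date for this snapshot (assumed).
AS_OF = date(2022, 1, 28)


@dataclass
class Vuln:
    host: str
    severity: str
    found: date
    fixed: Optional[date]  # None means the finding is still open


@dataclass
class Patch:
    host: str
    patch_id: str
    deployed: bool


# Constructed evidence, shaped like a parsed scanner export.
SAMPLE_VULNS: List[Vuln] = [
    Vuln("web-01", "critical", date(2022, 1, 1), date(2022, 1, 5)),  # fixed in 4 days: ok
    Vuln("db-01", "high", date(2021, 12, 1), date(2022, 1, 15)),     # fixed in 45 days: late
    Vuln("app-02", "medium", date(2021, 12, 20), None),              # open 39 days: within SLA
    Vuln("web-02", "critical", date(2022, 1, 10), None),             # open 18 days: overdue
]

# Constructed evidence: one patch record per workstation, 7 of 8 deployed.
SAMPLE_PATCHES: List[Patch] = [
    Patch(host, "KB-EXAMPLE-1", deployed)
    for host, deployed in [("ws-01", True), ("ws-02", True), ("ws-03", True),
                           ("ws-04", False), ("ws-05", True), ("ws-06", True),
                           ("ws-07", True), ("ws-08", True)]
]


def remediated_within_sla(v: Vuln, as_of: date) -> bool:
    """Compliant if fixed inside the SLA window, or still open but not yet past it.

    Open findings that are not yet due are not penalized; fixes that landed after
    the deadline still count as non-compliant, so a 'fixed eventually' figure
    cannot hide missed deadlines.
    """
    window = SLA_DAYS[v.severity]
    end = v.fixed if v.fixed is not None else as_of
    return (end - v.found).days <= window


def percent(ok: int, total: int) -> float:
    """Score as a percentage; an empty evidence set is treated as fully compliant."""
    return 100.0 if total == 0 else round(100.0 * ok / total, 1)


def vuln_score(vulns: List[Vuln], as_of: date) -> float:
    return percent(sum(remediated_within_sla(v, as_of) for v in vulns), len(vulns))


def patch_score(patches: List[Patch]) -> float:
    return percent(sum(p.deployed for p in patches), len(patches))


def compliance_scores() -> Dict[str, float]:
    """One score per in-scope process for the reporting snapshot."""
    return {
        "Vulnerability and Patch Management": vuln_score(SAMPLE_VULNS, AS_OF),
        "End Point Security": patch_score(SAMPLE_PATCHES),
    }


def gap_report(scores: Dict[str, float]) -> Dict[str, Tuple[float, float, float]]:
    """Processes below benchmark -> (score, benchmark, shortfall in points)."""
    return {
        name: (score, BENCHMARKS[name], round(BENCHMARKS[name] - score, 1))
        for name, score in scores.items()
        if score < BENCHMARKS[name]
    }


if __name__ == "__main__":
    for name, (score, bench, gap) in gap_report(compliance_scores()).items():
        print(f"{name}: {score}% vs benchmark {bench}% (gap {gap} points)")
```

The design choice worth noting is in `remediated_within_sla`: scoring on "fixed within the stipulated time" rather than "fixed at all" is what turns a raw remediation count into a compliance measurement, because a late fix still represents a period of exposure the benchmark was meant to prevent. The `gap_report` output is the input to the roadmap step; in practice the dashboard would plot these scores over successive snapshots.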
These components provide the foundation for setting up a compliance program in a highly regulated firm. Together they help detect and prevent inappropriate conduct and encourage adherence to the organization's legal and ethical responsibilities.
Why should Organizations have a Compliance Program?
Building a compliance program is neither simple nor inexpensive. Because compliance departments do not generate revenue, it is tempting to treat compliance as a pure cost center. This is a mistake: a compliance failure can do severe damage to a business or, in the worst case, destroy it, as famously happened to Enron Corporation. A compliance program offers the following advantages:
A compliance program demonstrates the organization's commitment to ethical behavior
It minimizes the likelihood of violations, establishes a means for detecting violations sooner rather than later, and establishes a procedure for swiftly and efficiently responding to violations
It will minimize the risk of severe consequences in the event of a violation
An effective compliance program reduces compliance risk and business drag in day-to-day operations
The importance and complexity of compliance programs have increased in recent years, as has the number of organizations adopting them. Compliance has become a critical concern for employees, investors, regulators and everyone else involved in operating, protecting and evaluating a company.