How Auditors Can Make Compliance Programs More Effective

9 July 2020

When conducting an audit of your cybersecurity plans, it’s important to reassess risk and evaluate whether established policies and procedures are both effective and actionable. To aid in cyber compliance, CSO Online said the updated compliance guidelines issued by the Department of Justice “[have] particular relevance to the cybersecurity practices of organizations when it comes to, for example, data breach and other security-related lawsuits.” Essentially, the document outlines how to assess “whether a particular compliance program works in practice.” Toward that end, the guidelines pose three questions that every compliance auditor should be asking as part of the compliance process.

Is the Compliance Program Well Designed?

Having clearly defined plans, policies and procedures that inform the organization on how to detect and protect against internal and external vulnerabilities is the first step in a well-designed compliance program.

But, to use a coronavirus analogy, taking a person’s temperature to determine whether they have the coronavirus is tantamount to doing only a document-based review of your cybersecurity plans. Having plans is critical, but what are those plans actually evaluating?

If these reviews are ongoing, they should, theoretically, inform whether the program is well designed and inclusive of the best methods of identifying risk. A comprehensive compliance program must do more, though. For example, without additional penetration testing and reassessment of risk, a compliance audit won’t reveal new threats.

Each time a potential new threat is introduced, whether through human error, a vulnerability within your own organization, or through a third party, an organization can slip out of compliance. Taking a person’s temperature, or performing a document-based review, doesn’t reveal these blind spots. To truly assess risk, organizations must do more than periodic reviews that only assess a moment in time.

Is the Program Being Applied in Good Faith?

Organizations that are required to perform compliance audits must do so to protect critical systems, sensitive data or even national security, which is why the DOJ asserts that “a well-designed compliance program should apply risk-based due diligence to its third party relationships.”

Thermal imaging goes beyond measuring a temperature and gives more insight into those who are asymptomatic or pre-symptomatic, or who suffer only mild symptoms, especially when that data is compiled together with other contact tracing intelligence. Applying a compliance program in good faith means having the ability to do the equivalent of thermal imaging across all of your suppliers and partners, but it also requires additional intelligence.

If organizations can’t identify their patient zero, there will inevitably be more contagion, because malware is stealthy and not easily identified. Often, adversaries are looking to get into an organization and obtain authorized access so that they appear legitimate. When they succeed at this, technology can rarely detect that the activity is malicious unless defenders have insight into internal and external communications.

Does the Company’s Compliance Program Work?

Evidence of a compromise does not mean that a compliance program is flawed. In fact, it’s quite the opposite. A well-designed compliance program that works and is applied in good faith requires that organizations have visibility into every node of data across their networks and those of their suppliers and vendors. It should detect threats so that they can be mitigated.

Ultimately, every compliance audit should go beyond filling out documents and performing vulnerability assessments. Organizations need visibility into their own environments as well as those of their partners and suppliers. Knowing which vendor has potentially been compromised allows you to proceed with caution.

But an organization’s internal compliance auditors aren’t the only ones who should have that level of visibility. Evidence-of-compromise data is equally valuable to external compliance auditors who are vetting third parties and assessing whether those companies are cyber compliant.
