How Auditors Can Make Compliance Programs More Effective

When conducting an audit of your cybersecurity plans, it is important to reassess risk and evaluate whether established policies and procedures are both effective and actionable. On this point, CSO Online wrote that the updated compliance guidance issued by the Department of Justice “has particular relevance to the cybersecurity practices of organizations when it comes to, for example, data breach and other security-related lawsuits.” Essentially, the document outlines how to assess “whether a particular compliance program works in practice.” Toward that end, the guidance poses three questions that every compliance auditor should be asking as part of the compliance process.

Is the Compliance Program Well Designed?

Having clearly defined plans, policies and procedures that inform the organization on how to detect and protect against internal and external vulnerabilities is the first step in a well-designed compliance program.

But, to use a coronavirus analogy, relying on a document-based review of your cybersecurity plans is like taking a person’s temperature to decide whether they have the virus: it catches only the cases that already show an obvious symptom. Having plans is critical, but what are those plans actually evaluating?

If these reviews are ongoing, they should, in theory, inform whether the program is well designed and includes sound methods of identifying risk. A comprehensive compliance program must do more, though. For example, without penetration testing and a fresh reassessment of risk, a compliance audit won’t reveal new threats.

Each time a potential new threat is introduced, whether through human error, a vulnerability within your own organization, or through a third party, an organization can slip out of compliance. Taking a person’s temperature, or performing a document-based review, doesn’t reveal these blind spots. To truly assess risk, organizations must do more than periodic reviews that only capture a moment in time.

Is the Program Being Applied in Good Faith?

Organizations that are required to perform compliance audits must do so to protect critical systems, sensitive data or even national security, which is why the DOJ asserts that, “A well-designed compliance program should apply risk-based due diligence to its third party relationship.”

Thermal imaging goes beyond measuring a single temperature and gives more insight into people who are asymptomatic, pre-symptomatic or only mildly symptomatic, especially when that data is combined with other contact-tracing intelligence. Applying a compliance program in good faith means having the equivalent of thermal imaging across all of your suppliers and partners, and it also requires additional intelligence to interpret what you see.

If organizations can’t identify their patient zero, there will inevitably be more contagion, because malware is stealthy and not easily identified. Often, adversaries aim to get into an organization and obtain legitimate credentials or access so that their activity appears authorized. When they succeed at this, technology can rarely detect that the activity is malicious unless defenders have insight into both internal and external communications.

Does the Company’s Compliance Program Work?

Evidence of a compromise does not mean that a compliance program is flawed. In fact, surfacing that evidence is what a working program is supposed to do. A well-designed compliance program that works and is applied in good faith requires that organizations have visibility into every node of data across their networks and those of their suppliers and vendors. It should detect threats so that they can be mitigated.

Ultimately, every compliance audit should go beyond filling out documents and performing vulnerability assessments. Organizations need visibility into their own environments as well as those of their partners and suppliers. Knowing which vendor has potentially been compromised allows you to proceed with caution.

But an organization’s internal compliance auditors aren’t the only ones who should have that level of visibility. Evidence-of-compromise data is equally valuable to external compliance auditors who are vetting third parties and assessing whether those companies are cyber compliant.

Copyright 2021 Prevailion, Inc. All rights reserved.