Policy compliance: one size does not fit all

Leading state and federal officials attend a ribbon-cutting event at the National Cybersecurity Center of Excellence a few years ago at the National Institute of Standards and Technology in Rockville, Md. Today’s columnist, Josh Grove of TalaTek, focuses on security compliance and talks about how many compliance efforts revolve around the NIST Cyberse...

How do we get our brains around the arcane topic of policy compliance? Security pros define compliance as adhering to established rules and regulations, codes of conduct, laws, or organizational standards of conduct. For the cybersecurity industry, this means following guidelines established to protect the security and privacy of an organization’s information systems. Policy compliance, an essential element of cybersecurity, cannot function as a one-size-fits-all proposition. Organizations should tailor it to their own policy, their regulatory frameworks, and the configuration and devices they actually run.

Think of policy compliance as an important component of an organization’s integrated risk and vulnerability assessment program. It consists of regularly checking network, application, desktop, and server settings against a specific organizational policy or benchmark. It helps organizations find areas of misconfiguration and misalignment from established benchmarks so they can configure systems exactly in accordance with the chosen organizational policy—for example, checking the number of allowed log-in attempts before locking a user’s account.

Because policy compliance scans are often specific to an organization, IT managers should customize and tailor them to meet their organization’s unique requirements.

Configure each policy according to a system’s baseline. A baseline specifies the minimum level of security required, and every system in the organization must meet that minimum. To find out which systems do and which do not, evaluate them regularly. The results of a policy compliance scan show, for each target system, the percentage of checks that pass, that receive warnings, and that fail. This helps companies identify which areas to configure properly and which to fix first. Once the policy has been customized to the baseline, the scan results show only the systems that genuinely deviate from it, rather than systems that merely differ from the scanner’s defaults.

Here are five takeaways about customized policy compliance:

1. Tailor policy compliance scans to the organization and its requirements.

Most organizations will find it necessary to modify the checks within a compliance policy to match their desired configuration, which can be a daunting task. Review the organization’s policy, evaluate each failing check to see whether it fails because the system is misconfigured or because the check looks for a setting the organization never required, and confirm that the tailored policy still satisfies the organization’s regulatory requirements.

2. Configure each policy to a system's baseline.

When organizations first perform policy compliance scans with commercial scanners, they run into a big challenge: the checks in the default policy are generally not aligned with the organization’s own policy. As a result, the checks may look for the wrong configuration, reporting failures on systems that actually meet the organization’s requirements and passes on systems that do not. To prevent this, the organization should customize the policy to fit its baseline configuration.

3. Not all risks, missions, organizations, and agencies require the same level of protection.

Compliance requirements offer room for customization. This lets agencies and organizations select the controls most appropriate to meet their goals and/or industry standards. 

4. Many commercial policy compliance scanners do not automatically perform checks or may not perform them correctly out of the box.

Policy compliance plays an important role in securing an organization’s IT systems, but a scanner’s default policy is a starting point, not a result. Organizations should customize their policy compliance checks, however much modification it takes to match their benchmarks and to verify that their systems meet the minimum security baselines. Without this critical step, enterprises leave themselves open to additional and unnecessary risk.

5. Modify default policies based on organizational requirements and/or risk management frameworks.

A risk management framework addresses risk at the organization level, the mission/business process level, and the information system level. Many public, private and nonprofit organizations follow NIST guidance as a baseline for privacy and security. Other sources of requirements include HIPAA, ISO standards, and DISA STIGs. Policy compliance offers a way to verify that controls are properly implemented, based on the framework the organization has chosen.
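The baseline paragraph above and takeaways 1, 2 and 5 describe one procedure: start from a scanner’s default policy, tailor the checks to the organization’s own baseline, scan each target system, and read the pass/warn/fail percentages. The following is an added example of that procedure in Python; it is not code from the column or from any commercial scanner. The check IDs, setting names, thresholds, the tailoring overrides and the two target-system configurations are all constructed for illustration.

```python
"""Miniature policy-compliance scanner (added example; not code from the column
or from any commercial scanner). Check IDs, setting names, thresholds and the
target-system configurations below are all constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Any, Dict, List

SEVERITIES = ("fail", "warn")


@dataclass(frozen=True)
class Check:
    id: str          # hypothetical check identifier
    setting: str     # configuration key the check inspects
    expected: Any    # value the baseline requires
    op: str          # "eq": must equal; "max": must be <= expected; "min": must be >= expected
    severity: str = "fail"   # result recorded when the check does not match

    def __post_init__(self) -> None:
        if self.op not in ("eq", "max", "min") or self.severity not in SEVERITIES:
            raise ValueError(f"bad check definition: {self.id}")

    def passes(self, value: Any) -> bool:
        if value is None:            # setting absent from the system: never a pass
            return False
        if self.op == "eq":
            return value == self.expected
        if self.op == "max":
            return value <= self.expected
        return value >= self.expected


# Default policy as a hypothetical scanner might ship it (constructed values).
DEFAULT_POLICY: List[Check] = [
    Check("ACCT-LOCKOUT", "login_attempts_before_lockout", 3, "max"),
    Check("PWD-MINLEN", "password_min_length", 14, "min"),
    Check("SSH-ROOT", "ssh_permit_root_login", False, "eq"),
    Check("AUDIT-LOG", "audit_logging_enabled", True, "eq"),
    Check("IDLE-TIMEOUT", "session_timeout_minutes", 15, "max", severity="warn"),
]

# Organization's tailoring (constructed): its written policy allows five login
# attempts before lockout, and it treats the idle timeout as a hard requirement.
ORG_OVERRIDES: Dict[str, Dict[str, Any]] = {
    "ACCT-LOCKOUT": {"expected": 5},
    "IDLE-TIMEOUT": {"severity": "fail"},
}

# Constructed target-system configurations (what a real scanner would collect).
SYSTEMS: Dict[str, Dict[str, Any]] = {
    "web01": {"login_attempts_before_lockout": 5, "password_min_length": 14,
              "ssh_permit_root_login": False, "audit_logging_enabled": True,
              "session_timeout_minutes": 30},
    "db01": {"login_attempts_before_lockout": 3, "password_min_length": 8,
             "ssh_permit_root_login": True, "audit_logging_enabled": True,
             "session_timeout_minutes": 10},
}


def tailor(policy: List[Check], overrides: Dict[str, Dict[str, Any]]) -> List[Check]:
    """Apply organization-specific expected values/severities to a default policy.
    Overrides naming a check that does not exist are rejected, so a typo in the
    tailoring file cannot silently leave the scanner's default check in place."""
    unknown = set(overrides) - {c.id for c in policy}
    if unknown:
        raise KeyError(f"overrides reference unknown checks: {sorted(unknown)}")
    return [replace(c, **overrides.get(c.id, {})) for c in policy]


def scan(system: Dict[str, Any], policy: List[Check]) -> Dict[str, str]:
    """Evaluate one system against a policy: check id -> 'pass', 'warn' or 'fail'."""
    return {c.id: ("pass" if c.passes(system.get(c.setting)) else c.severity)
            for c in policy}


def summarize(results: Dict[str, str]) -> Dict[str, float]:
    """Percentage of checks in each state, as scanners typically report them."""
    total = len(results)
    return {state: round(100.0 * sum(r == state for r in results.values()) / total, 1)
            for state in ("pass", "warn", "fail")}


def remediation_order(results: Dict[str, str]) -> List[str]:
    """Check IDs needing attention, hard failures before warnings."""
    return ([c for c in results if results[c] == "fail"]
            + [c for c in results if results[c] == "warn"])


if __name__ == "__main__":
    tailored = tailor(DEFAULT_POLICY, ORG_OVERRIDES)
    for name, cfg in SYSTEMS.items():
        for label, policy in (("default", DEFAULT_POLICY), ("tailored", tailored)):
            res = scan(cfg, policy)
            print(name, label, summarize(res), "fix first:", remediation_order(res))
```

Running it shows the effect takeaway 2 warns about: under the default policy, web01 fails ACCT-LOCKOUT because the scanner expects three attempts while the organization’s own policy allows five; after tailoring, that false failure disappears and the idle-timeout finding is promoted from a warning to a failure because the organization treats it as mandatory. db01 fails the same checks under both policies, which is the real misconfiguration to fix first. A setting that is missing from a system altogether is recorded as a failure rather than a pass, since a check that cannot observe the value has no evidence of compliance.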

Most businesses rely on information systems as the foundation of their work. Policy compliance offers a direct path to solidifying that foundation, in turn delivering more consistent, dependable and secure systems that lead to competitive advantage.

Josh Grove, CTO, TalaTek
