Governance, Risk and Compliance

How to Avoid A Compliance Breakdown

Author: Trustwave Managing Consultant Brian Odian

Recently I took my car in for a service - that, in itself, isn't earth shattering. But it led me to think more about car servicing. Most manufacturers issue a service booklet with each new car, detailing when a car needs to receive maintenance and what needs to be done to keep the car running well.

If you miss a scheduled service, depending on what was to be done at that appointed time, the consequences may be minimal or severe in the short term, and continue to snowball over time. If you want your vehicle to last, you must follow a program of routine maintenance.

The same is true of any compliance program, whether it be the Payment Card Industry (PCI) Data Security Standard, the forthcoming General Data Protection Regulation or ISO 27001 certification. You must have a program in place to maintain compliance throughout the year so that you don't experience a breakdown.

The impact of ignoring a compliance program and treating it like a point-in-time task can be significant. In some cases, significant fines apply for failure to comply. In comparison to those fines, the cost of a regular maintenance program will likely seem insignificant, to say the least.

Just as you must follow the maintenance guidelines throughout the year to keep the engine running, compliance consists of sequential tasks, and missing a task early in the compliance timeline can lead to non-compliance.

This then results in significant pressure to rectify the non-compliant issue, a re-assessment for compliance (with its associated costs) and an effort to avoid subsequent fines. What is often overlooked is that some compliance gaps take a significant amount of time to rectify because of the requirements of the standard itself.

For example, PCI compliance requires quarterly vulnerability scanning, with four passing scans over the previous 12 months to be presented at assessment (unless this is your first time gaining PCI compliance). There are rules around what counts as a passing result, such as no high-risk/critical issues and no finding with a CVSS (Common Vulnerability Scoring System) score above 3.9. Essentially, you need a passing vulnerability scan each quarter to comply.

Here is where an issue can arise. Typically, a quarter is defined as 90 days, so if any of your vulnerability scans fails to qualify for compliance, the clock can start again from your last passing scan. Depending on which quarter's scan failed, that can have devastating consequences for your overall compliance, with an impact starting at 90 days and growing from there. If your second quarter scan failed to comply, the impact could be 180 days, and so on, until you have four consecutive passing quarterly scans to produce for the assessment.
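The quarterly-scan arithmetic above, as an added worked example (not Trustwave's tooling): a scan passes only if its highest CVSS score is 3.9 or below, a failed scan resets the streak of passing scans, and the delay before compliance is the number of missing scans times 90 days. The `Scan` type, the sample history and the one-scan-per-quarter catch-up assumption are mine, not the page's.

```python
from dataclasses import dataclass
from datetime import date, timedelta

CVSS_PASS_MAX = 3.9    # page: nothing over a CVSS score of 3.9 may appear in a passing scan
QUARTER_DAYS = 90      # page: a quarter is typically defined as 90 days
SCANS_REQUIRED = 4     # page: four passing scans over the previous 12 months
LOOKBACK_DAYS = 365

@dataclass(frozen=True)
class Scan:
    run_on: date
    max_cvss: float    # highest CVSS base score reported by that scan; 0.0 if nothing was found

def scan_passes(scan: Scan) -> bool:
    """A scan passes only if no finding scores above the 3.9 threshold."""
    return scan.max_cvss <= CVSS_PASS_MAX

def passing_streak(scans: list, assessment: date) -> int:
    """Consecutive passing scans, in date order, within the 12 months before the
    assessment. A failed scan resets the count, mirroring the page's point that
    the clock starts again from the last passing scan."""
    window_start = assessment - timedelta(days=LOOKBACK_DAYS)
    in_window = sorted(
        (s for s in scans if window_start <= s.run_on <= assessment),
        key=lambda s: s.run_on,
    )
    streak = 0
    for s in in_window:
        streak = streak + 1 if scan_passes(s) else 0
    return streak

def days_until_compliant(scans: list, assessment: date) -> int:
    """0 when four consecutive passing quarterly scans already exist; otherwise the
    delay in whole 90-day quarters. Assumption (not stated on the page): one passing
    scan can be produced per quarter going forward."""
    missing = max(0, SCANS_REQUIRED - passing_streak(scans, assessment))
    return missing * QUARTER_DAYS

def sample_history(failed_quarter: int = 0) -> list:
    """Constructed sample: four quarterly scans in 2023; the given quarter (1-4) fails
    on a CVSS 7.5 finding, or all pass when failed_quarter is 0."""
    scans = []
    for q in range(1, SCANS_REQUIRED + 1):
        run_on = date(2023, 1, 15) + timedelta(days=QUARTER_DAYS * (q - 1))
        scans.append(Scan(run_on, 7.5 if q == failed_quarter else 2.1))
    return scans
```

With an assessment on 2024-01-10, a failed first-quarter scan costs 90 days and a failed second-quarter scan 180 days, matching the page's figures.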

Obviously, routine maintenance along the way could have avoided this scenario, yet missing or failed scans are all too common among organizations that do not have a managed compliance program working in conjunction with a trusted advisor. The result? Compliance breakdown.

So how do you avoid such problems being identified during the assessment? Simply put, your compliance initiatives need to be treated like a program, adhering to project management fundamentals to ensure success.

Using PCI scanning requirements again as an example, different types of scans are required at multiple points throughout a 12-month period. A project plan that shows not only when the scans are required but also the lead-up and post-scan tasks (change management, resource allocation, execution and analysis, remediation, and implementation of a compensating control where needed) would help ensure success. The rigor of project and program management helps ensure that risks and issues are called out early and addressed, and that everyone knows in advance what is expected of them and when.

Every car needs a mechanic to successfully maintain it, and likewise every compliance program needs a project/program manager to help ensure success, preferably one who has a background in compliance and/or security.

Any compliance program has multiple aspects to balance, including resource availability, stakeholder management, identification of the documents and reports required for compliance, the impact on timelines of events like change freezes, management of issues and risks, and budget management and justification, to name but a few. Without a central person responsible for managing these components, a compliance program is often doomed to crash.

If you were to examine why cars break down, you would probably find the lack of routine maintenance as the primary culprit. The same is true of compliance. Often it is treated as a task at some point during the year when a compliance assessment is due, only to find something missing.

If your organization has an ongoing program where compliance is addressed as business as usual, you would have all the documents and reports ready prior to an assessment, reducing not only the strain on your organization, but also the risk of financial and brand impact that could result from non-compliance.

Compliance is a program, not a box to tick at some point during the year. Adding dedicated project/program management to your compliance initiatives will help lead to a better outcome.

Remember, it is your organization's responsibility to maintain all the compliance controls year-round, the same responsibility you have to keep your car roadworthy.

Brian Odian is a managing consultant at Trustwave, a Top 100 MSSP.