Why governance and policy can strengthen compliance efforts
by Tim Sedlack - Product manager at Dell Software - Friday, 31 January 2014.
A colleague of mine recently made a joke that made me pause and think. During a discussion on compliance and how internal policy can help organizations comply with external regulation, she said "...like an Amazon suggestion: 'People who comply with PCI also like the following regulations...'". I smiled because it was funny, but there was also wisdom in what she said. Many of the requirements in compliance regulations look similar as you go from regulation to regulation, to the point where they could be considered duplicates.

Good password policy, control over critical and protected resources, proper account handling... these appear across multiple, seemingly unrelated compliance regulations. That's because regulators are trying to ensure simple, effective governance that can also be verified.

For many organizations, focusing on a single regulation, sometimes even on a single requirement within a single regulation, makes it difficult to spot the commonalities. As someone who talks to customers around the world about complying with a variety of generic and specific regulations, I see a lot of the same basic requirements. They all point to the same conclusion: get control of your organization's environment with good governance.

A structured and controlled organization generally has a much easier time complying with the requirements in regulations. The reverse is also true: if you have to comply with the requirements in a regulation, doing so can easily lead your organization to better governance overall. Here are a few best practices, derived from the most common requirements, that help lead to good governance.

Controlling your accounts

People in companies and organizations tend to move around; nothing is static for long. Many employees accumulate different access rights for different roles and responsibilities over time, but it is rare to see organizations review access control policies and permissions for users who move around. Well-maintained organizations provision people as they start at a company; many even de-provision, removing all access assigned to an account when the person leaves.

Most people have no problem asking for access to resources as they change jobs and roles, so that is rarely the problem. What's missing is ensuring that access rights to controlled resources are removed or adjusted as job titles and roles change. The proper approach is to define what should be controlled and to record every change to roles and to access. With that in place you have a process, even a manual one, that can identify people whose access should be removed. Remember, your organization's controlled resources should be in your control.
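The review described above can be reduced to a simple comparison: replay the role-change log to find each person's current role, look up what that role is expected to hold, and flag anything held beyond that (or held by someone who has left, or by an account with no HR record at all). The script below is an added example, not code from the original article or from Dell Software. The role catalogue, the role-change log, the current entitlement list and the exception register are constructed sample data, and the entitlement names (`db:prod-admin`, `erp:ap-approve` and so on) are hypothetical; in practice these would be pulled from HR and from the directory or IAM system.

```python
"""Entitlement review: flag access that a user's current role no longer justifies.

Added example, not code from the original article. All data below is constructed
sample data with hypothetical role and entitlement names.
"""

# What each role is expected to hold: the catalogue of "what should be controlled".
ROLE_ENTITLEMENTS = {
    "helpdesk":  {"ad:reset-password", "ticketing:agent"},
    "dba":       {"db:prod-admin", "db:backup-restore"},
    "developer": {"git:commit", "db:dev-readwrite"},
    "finance":   {"erp:ap-approve", "erp:reports"},
}

# Role-change log from HR: (user, old_role, new_role, ISO date). None = no role.
ROLE_CHANGES = [
    ("alice", None, "helpdesk", "2012-01-09"),
    ("alice", "helpdesk", "dba", "2013-06-03"),
    ("bob", None, "developer", "2011-03-14"),
    ("carol", None, "finance", "2010-08-02"),
    ("carol", "finance", None, "2013-11-30"),   # carol left the company
]

# Entitlements actually held today, as exported from the directory.
CURRENT_ENTITLEMENTS = {
    "alice": {"ad:reset-password", "ticketing:agent",   # left over from helpdesk
              "db:prod-admin", "db:backup-restore"},
    "bob":   {"git:commit"},                            # never got the dev database
    "carol": {"erp:ap-approve"},                        # leaver, still provisioned
    "dave":  {"db:prod-admin"},                         # no HR record at all
}

# Documented exceptions: (user, entitlement) pairs deliberately kept outside the
# role model. Anything not written down here is treated as excess access.
EXCEPTIONS = frozenset({("alice", "ticketing:agent")})


def current_roles(changes):
    """Replay the role-change log in date order. Returns {user: role_or_None}."""
    roles = {}
    for user, _old, new, _date in sorted(changes, key=lambda c: c[3]):
        roles[user] = new
    return roles


def review(role_entitlements, changes, current, exceptions=frozenset()):
    """Compare held entitlements against the current role for every account.

    Returns {user: {"status", "role", "excess", "missing"}} where status is
    "active" (has a role), "leaver" (last role change set role to None) or
    "orphaned" (account exists but HR has no record of the person).
    """
    roles = current_roles(changes)
    findings = {}
    for user in sorted(set(current) | set(roles)):
        held = set(current.get(user, ()))
        if user not in roles:
            status, role = "orphaned", None
        elif roles[user] is None:
            status, role = "leaver", None
        else:
            status, role = "active", roles[user]
        expected = set(role_entitlements.get(role, ())) if role else set()
        excess = {e for e in held - expected if (user, e) not in exceptions}
        findings[user] = {"status": status, "role": role,
                          "excess": excess, "missing": expected - held}
    return findings


def main():
    for user, f in review(ROLE_ENTITLEMENTS, ROLE_CHANGES,
                          CURRENT_ENTITLEMENTS, EXCEPTIONS).items():
        print(f"{user:6} {f['status']:8} role={f['role']}")
        for e in sorted(f["excess"]):
            print(f"       REMOVE  {e}")
        for e in sorted(f["missing"]):
            print(f"       MISSING {e}")


if __name__ == "__main__":
    main()
```

Run as-is, the report tells the reviewer to remove alice's leftover password-reset right (her ticketing access survives because it is a recorded exception), to de-provision carol entirely, to investigate dave's orphaned account, and that bob was never given the database access his role calls for. The exception register matters as much as the catalogue: without it, every legitimate deviation becomes noise and the review is quietly abandoned.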

Strong passwords are good policy

One of the more common compliance requirements is to ensure that passwords are strong and protected. This usually covers things like maximum age, minimum length and complexity, which in a Microsoft Windows environment are typically managed through Group Policy. What is less obvious is that you should also keep a history of your organization's password policy, along with a record of any exceptions you grant.

Complex, difficult-to-guess passwords are only a start, especially when self-service systems allow a password reset by answering a few common questions, many of which can be discovered via Facebook, LinkedIn or other social media.

If your organization has a self-service password reset system, make sure you advise users of the danger of giving simple, truthful answers to these questions. One suggestion is to respond with answers that don't fit the question; it is much harder for someone to socially engineer or guess the answer to a secret question when the answer doesn't make sense. Such answers are effectively secondary passwords and should be stored with the same care, for example in a password manager.
