Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Like Keeping a Car Running, Compliance Needs a Program and a Mechanic

Recently I took my car in for a service - that, in itself, isn't earth shattering. But it led me to think more about car servicing. Most manufacturers issue a service booklet with each new car, detailing when a car needs to receive maintenance and what needs to be done to keep the car running well.

If you miss a scheduled service, depending on what was to be done at that appointed time, the consequences may be minimal or severe in the short term, and continue to snowball over time. If you want your vehicle to last, you must follow a program of routine maintenance.

The same is true of any compliance program, whether it be the Payment Card Industry (PCI) Data Security Standard, the forthcoming General Data Protection Regulation or ISO 27001 certification. You must have a program in place to maintain compliance throughout the year so that you don't experience a breakdown.

The impact of ignoring a compliance program and treating it like a point-in-time task can be significant. In some cases, significant fines apply for failure to comply. In comparison to those fines, the cost of a regular maintenance program will likely seem insignificant, to say the least.

You must be following your maintenance guidelines throughout the year to keep the engine running, similarly, there are sequential compliance tasks and missing a task early in the compliance timeline can lead to non-compliance.

This then results in significant pressure to rectify the non-compliant issue, re-assessment for compliance (and associated costs) and trying to avoid subsequent fines. Also, what is often overlooked is that some compliance tasks can take a significant amount of time before they can be rectified due to the requirements of the standard.

For example, PCI compliance requires quarterly vulnerability scanning with four passing scans over the previous 12 months to be assessed (unless this is your first time gaining PCI compliance). There are rules around what is acceptable in the way of results in order to pass, such as no high-risk/critical issues and nothing over a CVSS (Common Vulnerability Scoring System) score of 3.9 being identified. Essentially you need a passing vulnerability scan each quarter to comply.

Here is where an issue can arise. Typically, a quarter is defined as 90 days, so if any of your vulnerability scans fail to qualify for compliance, the clock could start again from your last passing scan. Depending on which quarter's scan failed to comply, that could have devastating consequences to your overall compliance, with impacts starting from up to 90 days onward. If your second quarter scan failed to comply, then the impact could be 180 days and so on, until you have four passing and consecutive quarterly scans to produce for the assessment.

Obviously routine maintenance along the way could have avoided this scenario, and yet it is all too common to have missing or failed scans with organizations who do not have a managed compliance program working in conjunction with a trusted advisor. The result? Compliance breakdown.

So how do you avoid such problems being identified during the assessment? Simply put, your compliance initiatives need to be treated like a program, adhering to project management fundamentals to ensure success.

Using PCI scanning requirements again as an example, different types of scans are required at multiple points throughout a 12-month period. A project plan not only showing when the scans are required but also the lead-up and post scan tasks, such as change management, resource allocation, execution and analysis, remediation, implementation of a compensating control would help ensure success. The rigors around project and program management would help assure risks and issues are called out early and addressed, and everyone will know in advance what is expected of them and when.

Every car needs a mechanic to successfully maintain it, and likewise every compliance program needs a project/program manager to help ensure success, preferably one who has a background in compliance and/or security.

Any compliance program will have multiple aspects to balance, including resource availability, stakeholder management, the identification of documents and reports required for compliance, impact to timelines by events like change freezes, and management of issues and risks, budget management and justification to name but a few. Without a central person responsible for managing these components, a compliance program is often doomed to crash.

If you were to examine why cars break down, you would probably find the lack of routine maintenance as the primary culprit. The same is true of compliance. Often it is treated as a task at some point during the year when a compliance assessment is due, only to find something missing.

If your organization has an ongoing program where compliance is addressed as business as usual, you would have all the documents and reports ready prior to an assessment, reducing not only the strain on your organization, but also the risk of financial and brand impact that could result from non-compliance.

Compliance is program, not a task to tick a box at some point during a year. Adding dedicated project/program management to your compliance initiatives will help lead to a better outcome.

Remember, it is your organization's responsibility to maintain all the compliance controls year-round; the same responsibility you have for your car to be road worthy.

Brian Odian is a managing consultant at Trustwave. 

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More