Viridis Security

Are you Secure? Automated Compliance tools aren’t enough.

Want to be secure AND compliant? There is a need for information security and risk expertise even if your Automated Compliance tool says you are compliant, they are only one piece of the puzzle.

[Image: Viridis filling in the puzzle of automated compliance]

The AICPA, which is the controlling body for the SOC 2 standards, in discussing the peer review checklist specifically called out the need for auditors to check that Automated Compliance tools have:

  1. Complete and accurate software and vendor inventory
  2. Necessary Monitoring of controls

This analysis validated what I have experienced. The Automated Compliance tools are only as good as the people who wield them. Without Information Security, Governance, Risk and Compliance experience, you risk being overconfident in your control environment. Common gaps include:

  1. Risk Appetite reflection missing
  2. Asset inventory incomplete
  3. Missing apps in tool integrations
  4. Overuse of “Out of Scope” option
  5. Vendor risk underrepresented
  6. Inherent and residual risk inaccuracies

You cannot prevent a motivated adversary from gaining access to your systems. You can do your best to limit the damage a hacker can do when a breach happens.

Executive Security Posture Questions – Do Automated Compliance tools answer these?

[Image: Viridis delivers sleep-at-night security guidance]
  • Can I sleep at night knowing blame will fall on me if we have a breach?
  • Can I sleep at night knowing my company could recover from a security or operational incident?
  • Am I confident I did enough to prevent data loss?

Automated Compliance tools are a great way to organize and evidence your program, but they don’t dictate what additional security tools you buy, how you implement your controls, or how you measure your defense-in-depth effort. They can’t tell you if all the surrounding work is appropriate for the type of data you handle. They don’t question your vendor ratings or policy changes. Auditors do their best to question your control environment, monitoring, etc., but in the end, especially with SOC 2, they are only checking to make sure you are doing what you said you would do for the listed controls.

Utilizing a vCISO/Managed Security Provider like Viridis Security not only gives you help setting up your assessments and compliance tooling, it gives you

Risk Appetite Reflection Missing

As an organization, how much risk can you stand? How many open items, unfixed issues, gaps in security, etc. can remain outstanding and still allow you to “sleep at night”? This is an important conversation to have before you start your governance/compliance journey.

Crafting an organizational risk appetite statement gives the entire organization a cornerstone for the overall security program. The type and volume of data you store will dictate the level of control and monitoring you need. This then influences your security posture goals and the roadmap for your security program.

Automated Compliance tools will track that you have a statement but they can’t ensure it is right for your organization.

Asset Inventory Incomplete

A good rule of thumb for listing assets from a Cybersecurity perspective is to include anything with an IP address. This includes your dedicated hardware, cloud assets (including virtual machines), laptops, mobile devices and IoT appliances.

Depending on the size of the organization you may be able to organize the items in a spreadsheet, although keeping a spreadsheet up-to-date will become increasingly difficult as your business grows.

Three key inventory questions:

  • Do I know when a new asset connects to my network?
  • What is connected to my network right now?
  • Are all known assets in compliance?

It’s the long list of controls associated with assets that makes this such a critical part of risk management, and you can’t protect or assess risk on assets you don’t know about.

Associated Risk Controls would include: patching, vulnerability management, scanning, authentication, firewall/networking, access control, hardening standards, etc. Your Automated Compliance tools will only know what you tell them. They can’t assess if you have everything covered.
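The three inventory questions above are answered by reconciling what the inventory says exists against what is actually observed on the network. The following is an added example, not Viridis Security's tooling or any compliance vendor's code: the known-asset table, the DHCP-lease style log lines, the log format, and the two compliance checks (endpoint agent present, patched within 30 days) are all constructed assumptions for illustration. It reports devices seen but never inventoried, devices connected on a given day, inventory entries never observed on the network, and per-asset control gaps.

```python
"""Reconcile a known asset inventory against observed network leases.

Added example (not Viridis Security's or any vendor's code). All data below
is constructed; the lease-log format, field names and policy thresholds are
assumptions chosen for illustration.
"""
from datetime import date

# Constructed inventory: the assets the compliance tool has been told about,
# keyed by MAC address.
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": {"name": "web-01", "owner": "platform", "agent": True, "last_patched": "2024-05-02"},
    "aa:bb:cc:00:00:02": {"name": "db-01", "owner": "platform", "agent": True, "last_patched": "2024-02-14"},
    "aa:bb:cc:00:00:03": {"name": "lt-jane", "owner": "finance", "agent": False, "last_patched": "2024-05-10"},
}

# Constructed DHCP-lease style log. Assumed line format: "YYYY-MM-DD mac ip hostname".
LEASE_LOG = """\
2024-05-20 aa:bb:cc:00:00:01 10.0.1.10 web-01
2024-05-20 aa:bb:cc:00:00:03 10.0.2.41 lt-jane
2024-05-20 aa:bb:cc:00:00:09 10.0.2.77 raspberrypi
2024-05-21 aa:bb:cc:00:00:01 10.0.1.10 web-01
2024-05-21 aa:bb:cc:00:00:09 10.0.2.77 raspberrypi
"""

PATCH_WINDOW_DAYS = 30  # assumed policy: patched within 30 days counts as compliant


def parse_leases(log_text):
    """Parse lease lines into dicts; blank or malformed lines are skipped."""
    leases = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, mac, ip, hostname = parts
        leases.append({"date": day, "mac": mac.lower(), "ip": ip, "hostname": hostname})
    return leases


def unknown_assets(leases, known=KNOWN_ASSETS):
    """Q1: devices that appeared on the network but are not in the inventory (shadow IT candidates)."""
    return {lease["mac"] for lease in leases if lease["mac"] not in known}


def connected_on(leases, day):
    """Q2: devices that held a lease on the given day."""
    return {lease["mac"] for lease in leases if lease["date"] == day}


def never_observed(leases, known=KNOWN_ASSETS):
    """Inventory entries with no lease at all: decommissioned, or statically addressed and unmonitored."""
    seen = {lease["mac"] for lease in leases}
    return set(known) - seen


def compliance_findings(today, known=KNOWN_ASSETS, window_days=PATCH_WINDOW_DAYS):
    """Q3: per known asset, list control gaps under the two assumed checks."""
    today = date.fromisoformat(today)
    findings = {}
    for asset in known.values():
        gaps = []
        if not asset["agent"]:
            gaps.append("no endpoint agent")
        age = (today - date.fromisoformat(asset["last_patched"])).days
        if age > window_days:
            gaps.append(f"last patch {age} days ago (limit {window_days})")
        findings[asset["name"]] = gaps
    return findings


def inventory_report(log_text, today):
    """Combine the three answers into one report; the compliance tool only sees what this finds."""
    leases = parse_leases(log_text)
    return {
        "unknown": sorted(unknown_assets(leases)),
        "connected_today": sorted(connected_on(leases, today)),
        "never_observed": sorted(never_observed(leases)),
        "findings": compliance_findings(today),
    }


if __name__ == "__main__":
    for key, value in inventory_report(LEASE_LOG, "2024-05-21").items():
        print(f"{key}: {value}")
```

In practice the lease log would come from the DHCP server, a network access control system or a discovery scan, and the inventory from the compliance tool's asset export; the point is that the unknown and never-observed sets are exactly what the tool cannot report on its own, because it only knows what it has been told.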

[Image: Don't leave shadow IT assets unrecorded]

Missing Apps in Tool Integrations

If you are relying on Automated Compliance Tools to provide a complete picture of your risk profile, then it is important to compile data from all your tools. Your automated compliance vendor does not have an integration for one of your vendors? Make a formal request to add it and, in the interim, use the vendor API to automatically integrate important compliance status information.

When choosing an Automated Compliance vendor it is good practice to compare your list of applications to their list of integrations. The more complicated your environment, the more weight you should give to vendors with an open API that will allow you to bring in compliance data regardless of the source.

Overuse of “Out of Scope” Option

Risk is easy to hide in your reporting if you aren’t careful. Marking controls/assets as “Out of Scope” is a valid practice, but use it with caution. Before excluding an asset, ask:

  • Is the asset on a network segment with in-scope assets?
  • Could in-scope data be stored on the asset in the future?
  • Would the asset pose no risk if left unpatched?
  • Is access to the asset controlled or limited to a subset of employees?

When in doubt I recommend protecting all assets as though they might contain confidential or high risk data. Remember, if a bad actor gets through the front door you don’t want to give them an easy way to leapfrog around the network via uncontrolled assets.

Vendor Risk Underrepresented

Employees today can engage with cloud vendors at will. Free trials/plans or low-cost plans paid for by credit card may expose your organization to “shadow IT” risks. As an example, the Automated Compliance tool Vanta will tell you if a new vendor is discovered in use at your organization. This is extremely helpful for third-party risk management.

[Image: Vendor tracking and assurance is key to a strong security posture]

Assessment of vendor security practices is only required for vendors that have been rated high or critical, based on the type of data they handle/store. If the control process ONLY reviews vendors believed to be high or critical, it is possible that key vendors will be missed in the initial reviews or in subsequent reviews.

It is far preferable to create a vendor onboarding process that documents and risk-rates ALL vendors. This method removes ad hoc decision making at the time of entry and avoids mistakes regarding ratings.

Inherent and Residual Risk Inaccuracies

Determining risk levels can be more art than science. Complicating the process is the natural push and pull between security leadership and IT owners. If high risks must be remediated, the effect of compensating controls can be overestimated so that the asset risk can be listed as Medium. Discussions require that both parties understand the underlying technology and any mitigating controls. Don’t forget your organizational risk appetite statement! It’s important to present an accurate view of risk so that C-level leaders and board members understand the investments (people or tech) that are needed to realize their security goals.

Remember, security is a path of continuous improvement! If your first “grade” is an F that just means you’ll have more points to celebrate on your journey to better security.

At Viridis we strongly believe that accepting or transferring risk are valid options but HIDING risk is not a viable way to run a program.

As a managed service provider, Viridis can help you along your path to compliance and stronger security. Contact Us today to discuss.