
Resistance is Futile; You Must Comply

No threat actor ever avoided attacking your system because you marked a control as compliant.

Yet organizations today are spending ever increasing resources to remain compliant with a myriad of frameworks, including the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), International Standards Organization (ISO) frameworks, such as ISO 27001, and ISACA’s Control Objectives for Information and Related Technologies (COBIT) framework, not to mention domain-specific requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) Act and Payment Card Industry Data Security Standard (PCI-DSS).

Kenneth Olsen, the co-founder of Digital Equipment Corporation, was quoted as saying, “The nicest thing about standards is that there are so many of them to choose from.” Each standard looks at risk from its unique perspective and compliance can be arduous.

So how can we make it worth our while?

Complying with standards gives an organization a solid starting point for becoming more resilient. Standards provide a structured way to account for the operational risks an organization must mitigate. Operational risks are those that degrade the organization’s operational resilience, which according to the Software Engineering Institute’s CERT Resilience Management Model (CERT-RMM), is “the organization’s ability to adapt to risk that affects its core operational capacities.”

But how does an organization use compliance to support operational resilience?

First, start with a risk management process that is ongoing and woven into the way the organization makes its decisions (e.g., SEI’s Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process). Most compliance frameworks are not intended to be merely checklists of things to do, but rather risk-based best practices. For instance, the NIST RMF assumes that the organization is evaluating:

  • What systems are being protected and how they support mission-essential business processes.
  • Intelligence on threat actors who may target those systems, and their intentions (if they are human), their capabilities, and their prevailing attack patterns. (And don’t forget non-human threats, such as weather, or unintentional threats, such as busy people or poor design.)
  • The vulnerabilities present on these systems.
  • Organizational resources.

When an organization selects its baseline of controls, NIST does not expect the organization to blindly accept controls listed in the baseline, but to tailor them to the organizational risk assessment. Controls and control enhancements should be tailored (i.e., altered, replaced with compensating controls, or added in) based upon this risk assessment.

Next, focus on the processes that will support and implement these controls. Simply because the system is compliant one day does not mean it will be the next if the underlying process is not effective. According to CERT-RMM, processes must be planned in a practicable way, resourced, trained, coordinated with stakeholders, measured for effectiveness, and supported by management. Process maturity does not mean perfect documentation, nor does it mean dogmatic adherence to that documentation. The process should mirror and enable how people do business on a day-to-day basis. Compliance becomes the natural result of mature processes.

Finally, compliance with one standard should readily translate to compliance with another. Many governance, risk-management and compliance (GRC) tools provide a listing of the controls in the different standards. Look for a tool that maps similar controls to one another, so that the results of one assessment, appraisal or audit can quickly be re-expressed against a different standard. If the GRC tool does not do this mapping, many standards bodies publish how their standards map to those of other bodies; otherwise, the mapping may have to be done in-house. Either way, some upfront mapping work ensures more agile responsiveness when moving from standard to standard.

The goal should be a symbiotic relationship between how the organization manages operational risk, how people actually work day-to-day, and what compliance reports show during the next assessment, appraisal, or audit.

Lunarline offers a full spectrum of compliance and risk management services that can improve your organization’s resilience. To learn more, contact us at 571-481-9300 or send us a message

About Doug Gray

Doug Gray is Lunarline's Senior Cyber Architect. Prior to coming to Lunarline, Doug was a member of the Cyber Risk Management Team at the Software Engineering Institute, Carnegie Mellon University. An expert in risk and resilience management, Doug is a former Army senior officer with 24 years of organizational leadership experience, and 13 years in IT and cybersecurity leadership. At SEI, Doug developed the Intelligence Preparation for Operational Resilience (IPOR) framework to enable cybersecurity leaders to develop situational awareness. In 2012, Doug led the U.S. Army Command and Control Support Agency to earn recognition as runner-up for the National Security Agency’s prestigious Rowlett Award, which recognizes outstanding organizational excellence in the field of information systems security. Doug and his wife of two decades, Daria, are avid Red Sox and Patriots fans, but we love them anyway.