We live in a business environment flooded with governance, regulatory, and compliance (GRC) requirements. The alphabet soup of HIPAA, FISMA, DIACAP, NERC CIP, SOC, SOX, NIST, PHI, PCI and GLB are all attempts to avoid or mitigate the risk exposure of people, organizations, information, and systems. One common attribute of these GRC regimes is that they are generally labor- and paper-intensive. Volumes of binders are often generated to document current state, to identify areas of non-conformance, and to capture plans for remediating deficiencies. Millions of dollars and thousands of man-hours are spent producing these tomes, which are generally outdated the minute they are printed. In 2010, the U.S. State Department estimated that it spent $133 million over six years for certification and accreditation (C&A) of 150 of its systems. That's a cost of almost $1M per system just to ensure it complies with a regulatory requirement. ViewTrust Technologies estimates that an automated process can produce 15-20% cost efficiencies by reducing the agency-estimated work effort in the first year, with an added efficiency gain of another 35-40% in the following years. There is money to be saved by automating this process.
In a world of constantly evolving and escalating threats, a static, paper-based approach to compliance management cannot keep pace. The result is that despite these efforts, organizations are still vulnerable to the risks they are trying to avoid. A system deemed compliant through a checklist process can see that compliance evaporate through the failure to apply a patch or update, or through a lack of awareness that a critical security component is out of service. The lack of integration between vulnerability assessments, security event notifications, system configuration reports, emerging threat intelligence, security control monitoring, business impact analysis, corporate policies, and compliance documents inhibits the ability to present a near real-time system assessment. Consequently, although the existence of a threat may be known, the risk that threat presents to the enterprise cannot be adequately addressed, because the full context of its impact is not available to draw accurate and complete conclusions. The SANS Institute found that the U.S. State Department was able to reduce the risk scores of hundreds of thousands of systems by 90% in the first year of implementing an automated security monitoring capability. There are risks to be avoided by automating this process.
A university in Idaho settled a HIPAA Security case for $400,000 in penalties in May 2013 due to allegations of a breach of electronic protected health information (ePHI). The university reported a breach in which the ePHI was left unsecured for at least 10 months because firewall protections on its servers had been disabled. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) concluded that the university failed to assess the likelihood of potential risks occurring and did not have procedures in place for routine, automated review of its information systems. There are financial penalties to be avoided by automating this process.
A Ponemon research report indicates that in 2012 only 46% of American IT professionals surveyed felt that their organization was partially or fully implementing continuous monitoring. These organizations are reaping the benefits of reduced risk, cost savings, and penalty avoidance. What about your organization?
- Gerry Baron, MBA
VP Business Development at Diligent eSecurity International