Co-written by Margot
The goal of these few lines is to share some simple thoughts on how to handle IT Security practices and to compare two approaches: the Compliance and the Risk approaches.
For many years, IT security has mostly been handled through compliance checklists based on market IT security standards (e.g. ISO 27002, COBIT, NIST), specific IT general controls (ITGC), domain-specific best practices or regulations (e.g. Sarbanes-Oxley, PCI-DSS), and internal security policies (derived from the previous ones).
Today, with the threat landscape evolving, companies' IT security exposure increasing and budgets tightly managed, this multi-checklist approach is no longer appropriate, for two practical reasons:
- Cost: it is too expensive to implement across the company's entire scope
- Efficiency: it is inefficient at covering new threats across the whole IT scope
However, although the Compliance approach is understandable for companies under regulatory pressure, it gives no information on the risks and thus does not help prevent negative impacts caused by IT security vulnerabilities (organizational, functional or technical). Indeed, not implementing a control is much more than an "un-ticked box"; it can be a potential risk for the company!
In order to increase security efficiency and better protect companies, a Risk Based Approach (RBA) must be adopted. The RBA is systematically mentioned within companies but rarely implemented efficiently. The Risk Based Approach can be implemented throughout the business (not only in IT). For example, it has been used for almost 10 years by the intergovernmental organization Financial Action Task Force (FATF) on Money Laundering (http://www.fatf-gafi.org/media/fatf/documents/reports/High%20Level%20Principles%20and%20Procedures.pdf).
This Risk Based Approach can of course be combined with the Compliance Based Approach, as we see more and more organizations with strong links between their Risk Management, Compliance and Security teams.
At Beijaflore, we think that the right way to approach IT Security is to take the best of these two approaches (Compliance and Risk):
- Build a prioritized list of measures (organizational, functional and technical) to be implemented, based on the criticality of the risk they cover. This list should be handled at group level and shared with the entities;
- Implement these security measures on defined scopes of the company, based on its businesses, its critical data and its IT risks. These scopes are to be defined within each entity;
- The prioritized list of security measures is to be regularly updated based on technology evolution and concrete vulnerabilities detected through audits, vulnerability scans, penetration testing, etc.
The results of the offensive teams (e.g. pen tests) must be inputs for the defense (the security measures).
Indeed, too many companies perform a large number of audits, and therefore spend a large budget, only to realize afterwards that 80% of detected vulnerabilities are exactly the same from one year to another or from one entity to another. An adapted and updated vulnerability register would have enabled:
- The companies to correct already known vulnerabilities and
- The pen test team to go deeper in its analysis and find new vulnerabilities rather than always exploiting the same ones.
What about you? What is your experience of compliance checklists vs. the risk approach?
Don’t hesitate to comment and contact us!