
Compliance: Just a Check Box or a Strategic Tool to Reduce Risk?

The damage to organizations that experience a data breach extends far beyond monetary fines or penalties: their brand may never recover.

Newer regulations such as GDPR, PCI and NIST 800-171 require companies to take a more holistic approach to security compliance. Meeting compliance requirements is only half the challenge, however. Organizations also need newer and faster ways to measure and prove their compliance with the mandated requirements. Large global organizations in regulated industries must often comply with a cornucopia of regulations and mandates, each with its own reporting requirements. Collecting the data needed to measure and prove compliance on an ongoing basis can be especially challenging in these environments, considering how granular the reporting requirements can get. Even medium-sized organizations that do not need to meet as many regulations as large companies can find the data collection and reporting tasks very cumbersome.

Using manual processes, custom scripts, or spreadsheets to collect and manage the data needed to measure compliance was never a good idea and is even less so now. The sheer scope of the reporting challenge requires tools that automate data collection and compliance measurement. You need a way to continuously bring measurement data from across your enterprise to a central location, so you can monitor how your security controls are working and resolve problems expeditiously. Web-based dashboards and visualization capabilities are critical to measuring risk and checking compliance status across your organization.

Periodic snapshots of your compliance status are also no longer enough. Your organization needs to be able to show compliance with mandated requirements on an ongoing and continuous basis across your digital infrastructure. That means having complete visibility over your data assets and consistently monitoring the controls you have at the application, database, server, network, endpoint, and cloud tiers to manage risk to the data. You need to identify new risks to your infrastructure and quickly address gaps in coverage that might result from the use of new technologies, such as IoT. By having a process and technology that covers your entire digital infrastructure and the associated security controls, you gain full visibility into what needs to be addressed to reduce the security and mandate risks of your enterprise.

Once you have the required compliance data, you need the ability to prioritize and fix the issues identified. Fixes can vary from identifying and applying a patch, to changing processes, training users, or changing a configuration. Before you execute, the biggest challenge is often knowing where to start and how to prioritize. Wouldn't it be nice to be able to view all the elements at risk, prioritized by relevance to your business and the impact they could have? This can then serve as a starting point for remediation activities and give comprehensive visibility into why certain things need to be addressed first. Building automation into the remediation process is key, because when it is left to manual steps, things can take an unacceptable amount of time and are prone to error.

There are at least two options available:

  • Automate your patch process, or
  • Put in place a mitigating control that prevents the particular weakness from being exploited. Either option is then repeated as you get closer and closer to the goal of compliance and of reducing the overall risk within your organization.

Symantec Control Compliance Suite 12.0

The new release of Symantec Control Compliance Suite 12.0 is designed to help demonstrate compliance and to help reduce the overall risk to the enterprise. It supports automated security compliance assessments for over 100 major regulations and mandates, including GDPR, NIST, HIPAA, PCI and many more, right out of the box. The agent-based and agentless scanning capabilities can perform 57,000 patch checks and over 15,000 configuration checks across 75 platforms, so you can quickly identify vulnerabilities and security gaps in your infrastructure. Control Compliance Suite lets you use the results of a single assessment to report against multiple regulations, eliminating the need to conduct separate security assessments for individual mandates. Audit-ready reports and dashboards provide visibility across both technical and procedural controls, so you have a holistic understanding of how effectively you are managing IT risk. Most importantly, it has deep integrations with multiple offerings in the Symantec portfolio to enable closed-loop remediation and risk reduction.

The new release of CCS v12.0 addresses the following areas of a compliance program:

  • Deploy and upgrade within hours to ensure quick time to value
  • New UI with guided flows and 30% reduction in clicks
  • An architecture with self-healing agents for operational resilience
  • Easy access to automated reports and dashboards
  • Integrations with products like Symantec Data Loss Prevention (relevant for GDPR), IT Management Suite (automated closed-loop remediation), and Data Center Security (enables virtual patching) to accelerate remediation, reduce risks, and enable Symantec to be your Cyber Defense Platform.

For more information on Control Compliance Suite, please visit the CCS home page.

About the Author

Vishal Gupta

VP Engineering & Site Manager
