Post by account_disabled on Mar 5, 2024 5:53:37 GMT
Many security practitioners have been frustrated by bad compliance audits, where an auditor wants something that is impossible, or nonsensical, or simply not worth implementing. Or when they accept a security control like the keypad above when it clearly does nothing to prevent anyone from accessing what that keypad was intended to protect. At Asana, we’ve rejected the false tradeoff between security and compliance. We deeply believe that Asana’s security is significantly improved through our compliance initiatives.

Compliance improves security outcomes

Here’s a simple example: you have a vulnerability management program, and you’ve told your customers that you will fix all high severity vulnerabilities within one week. The reason you’ve done this is that high severity security vulnerabilities are important and you want to get them fixed in a timely manner.
You and your team implemented this and then went on to other work. A few years go by. Are you still triaging and fixing all of your vulnerabilities on time? What about that one time your vulnerability management solution broke for two weeks and no one noticed? Or that time the remediation task was assigned to someone who was on a long vacation and no one followed up? A good compliance program will find instances of control failures like these, and then help recommend improvements. This continuous feedback loop is essential for incremental improvements to a security program. No one would say that well designed controls aren’t crucial for your security program’s success. But many people would say that compliance isn’t crucial.
But how do you know if your controls are functioning correctly if you don’t audit them? The answer is: you don’t.

How to avoid checkbox compliance

What about all those compliance controls that don’t actually improve your security posture, like FIPS certified cryptography, or PCI ASV scans, or disabling Bluetooth? The key is to focus on the spirit, rather than the letter, of the control. For example, you have a compliance control that’s asking you to audit user access quarterly. What is this control trying to make you do? It’s trying to make sure that only appropriate users have access, and it’s given you a method, one among many, that could work. Instead of implementing that, what if you implemented SCIM to automate the provisioning and deprovisioning of access to that system? Then another control can audit the effectiveness of onboarding and offboarding at your identity provider instead. Another possibility could be to reduce the frequency of your manual audits, saving time. This becomes more difficult when you do have controls that are overly specific.