2020: A year for regulatory compliance?
Cyber security and regulatory compliance are frequent bedfellows. Where compliance standards aren’t specifically driving security adoption, they are shaping wider areas, such as GDPR and privacy, which in turn significantly impact security.
In 2020 we are seeing wider regulatory compliance and audit requirements shaping approaches to risk management more generally. We often find standards are adopted freely, not because they are mandated, but because in the face of outside scrutiny a formal third-party framework provides an accessible yardstick against which to align security policies and controls.
Regulatory Compliance Requirements
🇺🇸 US PCAOB
In the US, the Public Company Accounting Oversight Board (PCAOB) is responsible for setting audit standards. These audit standards apply to all listed organisations and are much broader than cyber security. However, there are requirements that cyber security audits and governance need to comply with, just as financial audits must.
One requirement is that organisations must obtain timely information around the performance of their security controls. If it takes 6 weeks to compile the data and report on the activity, performance or metrics of security controls, it makes it very hard to say you are obtaining timely information.
In cyber security, operating system patches come out routinely and falling victim to an attack can take seconds or minutes. Knowing that 4 weeks ago it took 5 days to deploy a critical patch doesn’t really provide senior executives much of an opportunity to manage risk.
Another area coming under scrutiny is the degree of manual intervention or interference between the audit evidence being identified and the reporting on it. Something that provides its own telemetry is always going to be more objective and reliable than anything that needs a chain of humans to identify, gather, interpret, summarise, analyse and report on it.
🇺🇸 US DoD / CMMC
The Cybersecurity Maturity Model Certification (CMMC) is a US Department of Defense (DoD) initiative. Contractors who handle Controlled Unclassified Information are already required to self-certify compliance with the NIST SP 800-171 standard of cybersecurity best practices. However, with self-certification now being acknowledged as unreliable, CMMC will require contractors to undergo a third-party audit and certification starting in 2020.
This process echoes similar initiatives around the UK’s Defence Cyber Protection Partnership (DCPP), which is based on Cyber Essentials Plus and a separate questionnaire, and the Australian Government’s Essential Eight which underpins the Australian Defence Industry Security Program (DISP) supply chain approach.
With these three standards already closely aligned, it is likely that the most uniform approach with the biggest defence market behind it will predominate over time: the CMMC approach.
🇦🇺 Australian Essential Eight
The Australian Cyber Security Centre (ACSC) “Essential Eight” remains a lynchpin of the Australian government’s approach to cyber security hygiene in the governmental and defence sectors.
A key requirement of the Australian Signals Directorate’s Information Security Manual, the Essential Eight will continue to be adopted and audited to oversee government bodies and their supply chains as 2020 progresses, including, as referenced above, within the DISP programme.
🇬🇧 UK Cyber Essentials
The UK Cyber Essentials scheme provides two levels of assurance, a self-assessment questionnaire-based certification (Cyber Essentials) and a consultant-supported onsite review (Cyber Essentials Plus). This forms a major cyber hygiene baseline for the UK public sector supply chain and has been in use for a while.
Although no changes to the scheme are imminent in 2020, one thing that is emerging is a business need to monitor the effectiveness of security controls on a continuous basis, rather than just “checking” them on an annual audit cycle as part of the annual re-certification process.
At the end of the day, if these security controls are “essential”, then as with the Australian Essential Eight, they should be monitored all the time, not just used as the basis of an annual questionnaire or audit.
🌎 MITRE ATT&CK
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It can be used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cyber security product and service community.
Although it is not a standard, or in any way enforced, at a technical level it provides a useful repository of techniques. The trick is in finding combinations of security controls that can address as many risks as possible, as cost-effectively as possible – such as application whitelisting to control the execution of unauthorised code, hence providing coverage against any attack technique that requires the attacker to install (or dupe a user into installing) an executable.
🇪🇺 EU GDPR Compliance
The EU GDPR regulation on privacy and data protection has been covered in depth and breadth both before and since its adoption. We have blogged about it on several occasions. The emergence of the first fines levied on BA and Marriott has brought the need for good cyber security risk management and hygiene into sharp focus for boards.
The drivers for cyber security in enterprises and supply chains are underpinned by very real financial impacts. Even in the wider public sector, where recent breaches have not yet had time to fully sink in – like the UK new year’s honours list breach – the financial ramifications are very real.
Compliance: The common themes
There seem to be two types of compliance requirements emerging in cyber security.
One is the drive to make comprehensive and all-encompassing standards that span the management, people, process and technological issues at length and aim to leave no security stone unturned. The MITRE ATT&CK framework follows this approach for technical attacks; while management systems standards like ISO and COBIT aim to address the broader non-technical requirements.
The second compliance requirement recognises that a smaller set of basic “cyber hygiene” security controls is both easier for businesses of all sizes to work with and will cover a large proportion of the methods of attack that are used to compromise networks. This is the ethos behind the UK’s Cyber Essentials and Australia’s Essential Eight.
Somewhere in the middle is the US defence department supply chain approach to cyber maturity. This is not a long standard, but it’s not a short one either. What it does epitomise however is the need for cyber security controls to be measured and monitored rather than being self-assessed or self-asserted.
As with the added vulnerability scanning and firewall reviews of Cyber Essentials Plus, CMMC will require an audit of the supply-chain business to which it relates. This prevailing view that cyber security cannot be left to chance and must be “measured” in an objective, repeatable and trustworthy way has now taken root.
The reliability of audit processes, systems and evidence – around cyber or otherwise – has been a focus of bodies like the PCAOB for good reason!