Policy Driven Controls Assessment – Bridging the gap between letter and spirit
Information security policies outline the guiding principles for an organization's outlook towards security and privacy, and hold it accountable to its shareholders and consumers. Policies impact both technology and human decisions. There is always an effort to align technology solutions with policies. The real challenge is being able to enforce policies and flag violations over data that comes out of various tools, teams and functional areas.
CISOs, CIOs and executive leadership are concerned about emerging threats amid the changing landscape; however, a common theme that has come out of various conversations is the need for a consistent, policy-driven approach towards enforcement of established organizational policies. The company board and the audit committee are the primary recipients and interested parties for policy-driven enforcement; it is the only way the board can validate that business and consumer data security interests are adequately safeguarded.
Four Pillars for Board / Executive Reporting
Looking at information security policies, the following four pillars contribute towards executive / board level reporting:
We often see organizations go into a huddle and scramble before an audit or an important executive review. This is mainly because the glue that should maintain the equilibrium between policies and technical controls is too rigid and fails to fill the constantly shifting gaps.
ThreatWatch Policy Orchestration (TPO)
ThreatWatch's policy orchestration framework has taken steps in shaping the industry outlook toward addressing this challenge. The framework is geared to handle this via a few core principles:
- Policy Definition Language (PDL): The framework provides a mechanism to translate the intent and purpose of a given policy by formalizing a policy definition language that can be understood and interpreted by technology solutions. In today's world there is a major shift towards purpose-driven data gathering and processing, and policy enforcement has to fit into that mould as well.
- Policy Association (PA): The orchestration framework allows expressing a policy that can be applied to different organizational systems and assets, creating a uniform baseline for enforcement. This gives the ability to attach policies dynamically to the infrastructure layers without human interaction, driven purely by very granular rule-sets.
- Policy Templates (PT): The glue that holds policies and technical controls together needs to constantly adapt to ensure policies remain relevant and evaluation outcomes are handled as intended. The orchestration framework takes a template-driven approach that can be extended and adapted to categories and sub-categories of assets.
- Policy Automation (PA): It's not enough to have policies that are applicable, relevant and actionable; there must also be intelligent automation that ensures policy checks happen without human intervention, 24×7. The framework takes a "smart" outlook towards automation by understanding how an external stimulus can influence change and which policies need to be re-evaluated for enforcement and compliance. This is very different from a task scheduled to run at a given cadence, which is how automation has been looked at over the years.
- Policy Evaluation Engine (PEE): PEE is a core component of the ThreatWatch policy framework, responsible for policy evaluation and for triggering user-defined actions. Consumers of the policy framework will not have to deal with PEE directly; they interact with it via policies that leverage policy templates (PT).
Below are a few scenarios and categories where such policies can be applicable. All of these policy types are currently supported by the ThreatWatch Policy Framework and have canned templates ready for use.
CI / CD: A pre-check-in sanity check for code-level vulnerabilities is a very common use case for CI / CD policy enforcement. Developers can automate this using twigs and set threshold values to prevent vulnerable code from being pushed into mainline. Another common example, especially for organizations relying heavily on open source software or those that release open source software, is ensuring license compliance is tracked closely so that downstream code does not get tainted with "strong copyleft" licenses.
Asset and Service Inventory: The ephemeral nature of assets, whether cloud, container or on-prem virtualized environments, throws up a fast-moving inventory of systems and services. Detection tools often hold on to obsolete data that doesn't reflect the ground truth, resulting in skewed decisions. Old asset vulnerability and configuration information that is no longer relevant can be purged via an inventory management policy that comes bundled with the policy framework. Similarly, patching compliance for assets is an important metric from a policy standpoint.
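To make the policy-as-code idea concrete, here is an added example (not ThreatWatch's PDL, PEE or twigs, and not code from the original post) of a small policy evaluation loop covering the three mechanics discussed above: a vulnerability threshold that gates CI, a deny-list for strong copyleft licenses, a stale-inventory purge rule, and event-driven selection of which policies to re-evaluate when an asset attribute changes. The policy schema, rule names, asset fields and all sample data are constructed assumptions for the illustration.

```python
"""Toy policy engine: declarative policies evaluated over scan/inventory data.

Added illustration only. The policy format, rule names, asset fields and the
sample assets below are constructed assumptions, not any vendor's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample data standing in for scanner / inventory tool output.
ASSETS = [
    {"id": "web-01", "type": "container", "tags": ["pci"],
     "last_seen": NOW - timedelta(days=1),
     "vulns": [{"id": "VULN-A", "severity": "critical"},
               {"id": "VULN-B", "severity": "high"}],
     "licenses": ["MIT", "Apache-2.0"]},
    {"id": "batch-07", "type": "vm", "tags": [],
     "last_seen": NOW - timedelta(days=45),
     "vulns": [{"id": "VULN-C", "severity": "medium"}],
     "licenses": ["GPL-3.0-only"]},
    {"id": "api-02", "type": "container", "tags": ["pci"],
     "last_seen": NOW - timedelta(days=2),
     "vulns": [], "licenses": ["BSD-3-Clause"]},
]

# Declarative policies: "select" attaches the policy to assets dynamically
# (re-tagging an asset re-scopes it), "rule" names the check, the rest are
# thresholds, and "action" is what the consumer does with a violation.
POLICIES = [
    {"name": "pci-critical-vulns", "select": {"tags": ["pci"]},
     "rule": "max_vulns", "severity": "critical", "max": 0, "action": "block"},
    {"name": "no-strong-copyleft", "select": {},
     "rule": "deny_licenses",
     "deny": ["GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"],
     "action": "block"},
    {"name": "stale-inventory", "select": {},
     "rule": "max_age_days", "max": 30, "action": "purge"},
]

# Which asset attribute each rule reads; used for event-driven re-evaluation.
RULE_INPUTS = {"max_vulns": "vulns", "deny_licenses": "licenses",
               "max_age_days": "last_seen"}


@dataclass
class Finding:
    policy: str
    asset: str
    action: str
    detail: str


def matches(selector: dict, asset: dict) -> bool:
    """Asset matches when every selector key is satisfied (tags as a subset)."""
    for key, wanted in selector.items():
        if key == "tags":
            if not set(wanted) <= set(asset["tags"]):
                return False
        elif asset.get(key) != wanted:
            return False
    return True


def evaluate(policy: dict, asset: dict, now: datetime = NOW) -> Finding | None:
    """Apply one policy to one asset; return a Finding on violation."""
    rule = policy["rule"]
    if rule == "max_vulns":
        n = sum(1 for v in asset["vulns"] if v["severity"] == policy["severity"])
        if n > policy["max"]:
            return Finding(policy["name"], asset["id"], policy["action"],
                           f"{n} {policy['severity']} vulns > {policy['max']}")
    elif rule == "deny_licenses":
        hit = sorted(set(asset["licenses"]) & set(policy["deny"]))
        if hit:
            return Finding(policy["name"], asset["id"], policy["action"],
                           "denied licenses: " + ", ".join(hit))
    elif rule == "max_age_days":
        age = (now - asset["last_seen"]).days
        if age > policy["max"]:
            return Finding(policy["name"], asset["id"], policy["action"],
                           f"last seen {age} days ago")
    else:
        raise ValueError(f"unknown rule {rule!r}")  # fail closed on typos
    return None


def run(policies=POLICIES, assets=ASSETS, now: datetime = NOW) -> list[Finding]:
    """Evaluate every policy against every asset it is attached to."""
    return [f for p in policies for a in assets
            if matches(p["select"], a) and (f := evaluate(p, a, now))]


def gate(findings: list[Finding]) -> bool:
    """CI gate: passes only when no finding carries a 'block' action."""
    return not any(f.action == "block" for f in findings)


def policies_for_event(changed: set[str], policies=POLICIES) -> list[str]:
    """Event-driven automation: re-evaluate only policies whose selector or
    rule input touches an attribute that just changed, not the whole set."""
    return [p["name"] for p in policies
            if changed & (set(p["select"]) | {RULE_INPUTS[p["rule"]]})]


if __name__ == "__main__":
    findings = run()
    for f in findings:
        print(f"[{f.action}] {f.policy}: {f.asset} ({f.detail})")
    print("CI gate:", "PASS" if gate(findings) else "FAIL")
    print("re-evaluate on vuln change:", policies_for_event({"vulns"}))
```

Running it yields three findings: web-01 blocked by the PCI critical-vulnerability threshold, batch-07 blocked for its GPL-3.0-only dependency, and batch-07 flagged for purge because it has not been seen in 45 days. The `policies_for_event` function is the part that distinguishes stimulus-driven automation from a fixed-cadence job: a change to an asset's vulnerability list re-triggers only the vulnerability policy, while re-tagging an asset re-triggers the policies whose selectors depend on tags.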
Regulatory Compliance: There are several examples where policy-driven continuous checks can have significant advantages for industry regulatory compliance. Two such examples are SOX and PCI-DSS. Instead of purely relying on periodic scanning for PCI, ThreatWatch continuous vulnerability checks combined with policy enforcement can bring significant operational effectiveness, where the time to address a PCI-sensitive finding doesn't have to wait for the results of the next scheduled scan. Going a step further, dynamic policy application helps keep track of the changing scope of PCI environments without the need to manually update configuration such as IP subnet information.
SOX is another example where data integrity is a major factor for demonstrating continued compliance.
Periodic Reporting: Understanding periodic trends in the effectiveness of controls based on pre-defined criteria becomes an important element in decision making. Policies that initiate these reports remove not only the human element involved in generating them but also the risk of data tampering.
ThreatWatch Policy Orchestration (TPO) helps ensure that an organization's security posture is in line with expectations by flagging any violations / deviations.
If you would like to learn more, reach us at email@example.com