Reports such as the Ponemon Institute’s The True Cost of Compliance indicate that proactive investments in compliance can help organizations reduce their consequential costs of non-compliance. But not all compliance investments yield this benefit. Learn what investments and strategies reduce the cost of compliance, and how Tripwire IT security and compliance automation solutions help effectively utilize compliance investments to improve security and protect sensitive data.
Reducing the Cost of Compliance: The Top 3 Effective Strategies
COMPLIANCE WHITE PAPER
REDUCING THE COST OF COMPLIANCE: THE TOP THREE EFFECTIVE STRATEGIES
IT SECURITY AND COMPLIANCE AUTOMATION SOLUTIONS
TOP THREE STRATEGIES TO REDUCE THE COSTS OF COMPLIANCE

HIGHLIGHTS OF THE 2011 TRUE COST OF COMPLIANCE STUDY
» The costs of non-compliance can be more expensive than investing in compliance.
» More frequent audits can reduce the overall cost of compliance.
» More effective security reduces the cost of non-compliance.
» The bigger the gap between compliance and non-compliance costs, the greater the data breach size.

COMPLIANCE TERMINOLOGY
Cost of compliance: Costs associated with proactively addressing compliance. Examples include software or hardware purchased for compliance, audit preparation time, employee compliance training.
Cost of non-compliance: Costs associated with experiencing a breach or failing an audit—typically reactive costs. Examples include fines, legal fees, business disruption, tarnished brand image, and others.
Overall cost of compliance: The cost of compliance added to the cost of non-compliance.
Direct costs: Costs for which a direct cash outlay was made—typically for a given project or output. Examples include a software purchase for a compliance project or engaging a compliance consultant for compliance needs.
Indirect costs: Costs that cannot be directly attributed to a project or output, and often referred to as “overhead.” For example, employee time spent producing compliance reports.
Opportunity costs: Business options lost because resources were spent elsewhere or circumstances negated the option. For example, if a business suffers a security breach, customers may choose to do business elsewhere.

Without a doubt, almost every organization that works with sensitive data such as credit cardholder data, personally identifiable information, or intellectual property faces compliance with at least one mandate, and typically many more. The intent of these mandates—whether industry standard, government regulation or internal security policy—is to protect sensitive or business-critical data and the IT infrastructure. Unfortunately, many organizations take a checkbox approach to compliance validation, installing required controls without ensuring that they actually protect systems and data. By finding the shortest, least expensive path to compliance, organizations have missed the point, which is to effectively utilize compliance investments to improve security.

Many visionary chief information security officers and IT security professionals have pushed for proactive investment in information security, with compliance resulting as a natural byproduct of those investments. This approach would not only meet compliance requirements, but would also reduce the consequences and high costs of non-compliance. Yet until recently, they’ve had no data to back them up.

The Ponemon Institute’s 2011 True Cost of Compliance¹ study provides critical evidence that investments made on compliance today—especially if they improve security—can likely save much more in the long run by reducing the costs and consequences associated with non-compliance. And while it’s impossible to completely avoid these costs, it is possible to significantly reduce them. The question is: what can an organization do to reduce these costs?

This paper explains how organizations can use Tripwire IT security and compliance automation solutions to lower their overall cost of compliance. The paper does this by focusing on actions the study suggests would lower the cost of compliance and demonstrating how Tripwire solutions support these.

STRATEGY #1
REDUCE THE GAP BETWEEN TIME OF COMPROMISE TO DISCOVERY

Most organizations tend to focus on fines and penalties when they consider the costs of non-compliance. The True Cost of Compliance study determined that the bulk of non-compliance costs actually come from indirect and opportunity costs, such as lost employee productivity, disrupted services, customer churn or a major outage. In fact, business disruption accounted for more than twice the costs of non-compliance compared to fines and penalties and other similar costs. Clearly, the longer a compromise goes undetected, the more time these relatively larger non-compliance costs have to accumulate. Yet the recent Verizon 2011 Data Breach Investigations Report² noted that in 78 percent of the breaches reviewed, it took from weeks to years to discover a compromise after it occurred.

Organizations must reduce the time between compromise and discovery to contain the damage and rein in non-compliance costs. To do that, they need solutions that help them manage and control change and give them visibility to specifically what changed and who made the change.

Tripwire® Enterprise does this with file integrity monitoring (FIM) that continuously monitors for change—and captures what changed, who made the change, if a change was expected or acceptable, and if it introduces risk or non-compliance. It also analyzes change in real time against criteria such as compliance policy and approved change tickets.

Best of all, Tripwire Enterprise integrates with Tripwire Log Center® as part of the Tripwire VIA™ platform, so IT can see changes within the context of security events. Now the user can determine what security events and suspicious changes might be connected to a security breach or attempt because they occurred around the same time on a server, device or other IT asset. For example, with Tripwire VIA solutions, a user can get an alert that unauthorized access has been detected and a subsequent change led to a security hole—certainly a situation IT would want to investigate. With this high level of visibility to suspicious activity, IT can reduce the time of compromise to discovery from weeks, months or even years to just days or even hours.
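The workflow Strategy #1 describes (detect a change by comparing against a baseline, check whether an approved change ticket covers it, and correlate unapproved changes with security events logged around the same time) is illustrated below as an added example; it is not Tripwire code, and the snapshots, tickets, event records and the 15-minute correlation window are constructed assumptions.

```python
"""Added illustration (not Tripwire code) of the detect / reconcile /
correlate loop described under Strategy #1."""
from __future__ import annotations
import hashlib
from datetime import datetime, timedelta

# Constructed baseline and current snapshots: path -> file content bytes.
BASELINE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0::/root:/bin/bash\n",
    "/opt/app/app.conf": b"log_level=info\n",
}
CURRENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0::/root:/bin/bash\n",
    "/opt/app/app.conf": b"log_level=debug\n",
}
# Constructed approved change tickets: (path, window start, window end).
TICKETS = [
    ("/opt/app/app.conf", datetime(2011, 5, 3, 21, 0), datetime(2011, 5, 3, 23, 0)),
]
# Constructed timestamps a monitoring agent would record for each change.
CHANGE_TIMES = {
    "/etc/ssh/sshd_config": datetime(2011, 5, 3, 22, 15),
    "/opt/app/app.conf": datetime(2011, 5, 3, 22, 5),
}
# Constructed security events from the same asset's logs: (time, source, message).
SECURITY_EVENTS = [
    (datetime(2011, 5, 3, 22, 9), "ssh", "Failed password for root from 203.0.113.7"),
    (datetime(2011, 5, 3, 22, 11), "ssh", "Accepted password for root from 203.0.113.7"),
    (datetime(2011, 5, 3, 9, 0), "cron", "job backup finished"),
]

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def detect_changes(baseline: dict, current: dict) -> list[str]:
    """Hash-compare two snapshots; report modified, added and removed paths."""
    paths = set(baseline) | set(current)
    return sorted(p for p in paths
                  if digest(baseline.get(p, b"")) != digest(current.get(p, b"")))

def is_approved(path: str, when: datetime, tickets: list) -> bool:
    """A change is expected if a ticket names the path and its window covers the time."""
    return any(p == path and start <= when <= end for p, start, end in tickets)

def correlate(when: datetime, events: list, window=timedelta(minutes=15)) -> list:
    """Security events within +/- window of the change time (assumed window)."""
    return [e for e in events if abs(e[0] - when) <= window]

def triage(baseline, current, change_times, tickets, events) -> dict:
    """Return {path: (approved, correlated_events)}; unapproved changes that
    coincide with security events are the ones to investigate first."""
    report = {}
    for path in detect_changes(baseline, current):
        when = change_times[path]
        approved = is_approved(path, when, tickets)
        report[path] = (approved, [] if approved else correlate(when, events))
    return report
```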
In addition, Tripwire Log Center captures a complete activity log for each monitored IT asset and stores it in a highly searchable format. This means the user can quickly get even more detail about the activities that surrounded suspicious activity. And in the event of a security breach, this provides useful forensic data to help identify the root cause of a change to decrease the mean time to repair (MTTR).

STRATEGY #2
USE AUTOMATION TO SUPPORT MORE FREQUENT AUDITS

The Ponemon Cost of Compliance study suggests that those organizations that conduct more frequent internal audits tend to have a lower overall cost of compliance. Perhaps this is because organizations that conduct more internal audits approach compliance proactively. It also may be that these organizations have a strong culture of security, so employees require less training and enforcement to ensure adherence to compliance and security processes and policies. In addition, these organizations may experience cost savings that result from continuous compliance because they’re already in an audit-ready state, no matter how many compliance mandates they face.

This finding might surprise many organizations. Most believe that the constant work of preparing for, undergoing, and addressing findings of audits takes more resources than they have available. This belief is especially strong when, like most organizations today, an organization faces multiple compliance mandates. Many organizations are also saddled with serious budget concerns. A survey of compliance professionals completed by Complinet at the end of 2008 showed that 56 percent of those surveyed believed their budgets for the following year would be cut or remain flat.³ As a result, organizations frequently aim for the bare minimum, attempting to pass only mandatory audits, falling out of compliance between audits, and paying the costs associated with the consequences of non-compliance.

The reality is that preparing for and reacting to findings of external audits can be costly when not done in a cost-effective, proactive manner. The Cost of Compliance 2011 Survey published by Thomson Reuters backs this up—more than one-third of compliance teams surveyed indicated that they spent more than an entire work day each week trying to keep up with constantly changing regulations.⁴ And that doesn’t include the time spent creating or modifying compliance-related reports for upper management. Tripwire VIA solutions ease the burden associated with audits by automating traditionally manual tasks.

Tripwire also helps organizations more efficiently prepare for multiple compliance audits. Tripwire’s experts constantly update the compliance policies to reflect changes in standards and regulations, so organizations know they are assessing their compliance against the latest requirements. In addition, because Tripwire Enterprise’s automated file integrity monitoring alerts IT to changes that cause non-compliance, organizations can immediately fix issues—even using automated remediation if they want. Such swift repair of non-compliant configurations helps organizations avoid non-compliance costs such as disruptions of service or fines and penalties. Because Tripwire Enterprise and Tripwire Log Center automatically populate dashboards with security and compliance status information and produce audit-ready reports, preparing for multiple audits becomes much easier.
STRATEGY #3
BUILD A MORE EFFECTIVE SECURITY STRATEGY

TRIPWIRE HELPS ORGANIZATIONS MEET THE SES OBJECTIVES THAT REDUCE NON-COMPLIANCE COSTS MOST
SES objectives most highly related to non-compliance (Does Tripwire help?):
» Monitor and strictly enforce security policies
» Conduct audits or assessments on an ongoing basis
» Ensure minimal downtime or disruptions to systems resulting from security issues
» Secure endpoints to the network

One of the significant findings of the True Cost of Compliance study was that organizations with a better security posture had significantly lower non-compliance costs. In fact, those in the group with the best security posture spent approximately 4.5 times less on non-compliance costs than those in the group with the worst security posture. Intuitively, this makes sense: more secure systems mean fewer disrupted services and increased employee productivity, along with lower legal fees and other non-compliance costs. Yet surprisingly, organizations continue investing in compliance solely to meet compliance requirements—the checkbox approach to compliance.

The True Cost of Compliance study used a measure of security effectiveness called the Security Effectiveness Score (SES) to assess each organization’s security posture. The score was calculated according to how well an organization met a total of 25 “reasonable security objectives”⁵—for example, did the organization know where its sensitive or confidential information was physically located and did they limit physical access to devices containing such information.

Tripwire IT security and compliance automation solutions help with more than half of these objectives. In fact, Tripwire solutions helped with five of the 10 objectives most strongly associated with a good security posture. These five objectives are:

Monitor and strictly enforce security policies. Tripwire Enterprise’s file integrity monitoring and compliance policy management capabilities combine to monitor the IT infrastructure for change that impacts security (and compliance). Automated alerts ensure that changes that may have weakened the organization’s security posture can be quickly investigated and fixed.

Conduct audits or assessments on an ongoing basis. This objective indicates whether or not an organization has instituted a proactive approach to compliance by ensuring continuous compliance and being prepared at any time to prove it. Tripwire Enterprise automatically detects changes that cause non-compliance to configurations and provides automated remediation to quickly return these configurations to a compliant state. In addition, it maintains a record of all changes, along with automated reports and dashboards that prove compliance at any given time.

Ensure minimal downtime or disruptions to systems resulting from security issues. With Tripwire VIA solutions, organizations not only immediately detect suspicious changes with Tripwire Enterprise, they can also correlate those changes with security events captured by Tripwire Log Center. By seeing what security events occurred before and after a suspicious change, IT can more easily identify and fix changes that could lead to disruptions.

Prevent or curtail viruses, malware and spyware infections. A virus, malware or spyware application has to be installed to create an issue. Such an installation typically requires unauthorized access and results in one or multiple system changes. Tripwire VIA solutions detect changes and security events that indicate unauthorized access and detect changes such as the actual installation and any subsequent changes the application makes. This combination of detecting—and correlating—both events and changes provides a level of protection not possible with signature-based tools such as anti-virus.

Secure endpoints to the network. For many organizations—especially those in the hospitality and retail industry—the weakest point is out at the edge of the network. For retailers, this is the credit card-processing device at a store or an on-site server; for the hospitality industry, it’s the hotel check-in kiosk or front desk system. Tripwire VIA solutions protect these endpoint devices just the way they protect the devices, systems, applications and data that reside within the corporate data center, by detecting changes that introduce risk or non-compliance and helping organizations quickly fix them to avoid or reduce the impact of a security breach.

The takeaway here is that when making compliance investments, these investments must improve the organization’s security posture. This is where investing for checkbox compliance alone is clearly a losing proposition.
DON’T JUST SPEND ON COMPLIANCE. SPEND ON IT WISELY, FOR SECURITY

“Achieving critical and complex goals related to compliance requires holistic and integrated security solutions that seamlessly address every area of the organization that compliance impacts.”
— The True Cost of Compliance, Ponemon Institute

In this paper, we’ve examined three recommendations organizations can apply to reduce their overall cost of compliance based on findings from The True Cost of Compliance study. These recommendations include better managing and controlling change throughout the IT infrastructure, using automation to conduct audits more regularly, and building a stronger IT security posture.

We’ve also discussed how Tripwire IT security and compliance automation solutions support these recommendations.

Tripwire Enterprise helps organizations detect all change and prioritize those that need immediate attention because they threaten compliance or security. By integrating Tripwire Enterprise with Tripwire Log Center, users can review complex sequences of changes and security events to add critical context to detected changes. This means organizations can even more clearly identify an attack or the start of an attack.

Tripwire VIA solutions also help ease the work and lower the cost of maintaining and proving compliance, through automated compliance policy assessment, audit report generation and dashboards, and remediation of non-compliant configurations. Automation allows organizations to efficiently and cost-effectively conduct multiple audits, which has been shown to lower their costs of non-compliance.

Finally, Tripwire VIA solutions not only help organizations meet compliance with multiple compliance mandates, they also greatly improve the organization’s security posture. With Tripwire solutions, organizations can lower the costs associated with non-compliance consequences by avoiding security breaches or by quickly detecting a breach before significant damage occurs.

One way or another, organizations will spend on compliance. The question is what approach to compliance spending they will take. They can spend the bulk of their compliance investments reactively on non-compliance costs in response to a breach or audit finding. Or they can take a proactive approach to compliance, investing in people, processes and technologies that offer continuous compliance and improved security. With this approach, they will likely spend less on compliance overall, primarily by reducing their non-compliance costs. The Tripwire VIA suite of IT security and compliance automation solutions supports this approach, making it far easier, and ultimately more affordable, for organizations to build a strong security posture through proactive compliance investment.

REFERENCES
1 The True Cost of Compliance: A Benchmark Study of Multinational Organizations, by the Ponemon Institute, January 2011.
2 2011 Data Breach Investigations Report, by Verizon RISK, the U.S. Secret Service and the Dutch High Tech Crime Unit. Released April 2011.
3 Costs of Non-compliance: However Much Compliance Costs, Non-compliance Costs More, by Susannah Hammond and Stacey English, May 2009.
4 Cost of Compliance Survey 2011, by Susannah Hammond and Stacey English, 2011.
5 The True Cost of Compliance: A Benchmark Study of Multinational Organizations, by the Ponemon Institute, January 2011. Appendix 3, page 30.