COMPLIANCE WHITE PAPER

REDUCING THE COST OF COMPLIANCE
THE TOP THREE EFFECTIVE STRATEGIES





IT SECURITY AND COMPLIANCE AUTOMATION SOLUTIONS

TOP THREE STRATEGIES TO REDUCE THE COSTS OF COMPLIANCE

Without a doubt, almost every organization that works with sensitive data such as credit cardholder data, personally identifiable information, or intellectual property faces compliance with at least one mandate, and typically many more. The intent of these mandates—whether industry standard, government regulation or internal security policy—is to protect sensitive or business-critical data and the IT infrastructure. Unfortunately, many organizations take a checkbox approach to compliance validation, installing required controls without ensuring that they actually protect systems and data. By finding the shortest, least expensive path to compliance, organizations have missed the point, which is to effectively utilize compliance investments to improve security.

Many visionary chief information security officers and IT security professionals have pushed for proactive investment in information security, with compliance resulting as a natural byproduct of those investments. This approach would not only meet compliance requirements, but would also reduce the consequences and high costs of non-compliance. Yet until recently, they’ve had no data to back them up.

The Ponemon Institute’s 2011 True Cost of Compliance [1] study provides critical evidence that investments made on compliance today—especially if they improve security—can likely save much more in the long run by reducing the costs and consequences associated with non-compliance. And while it’s impossible to completely avoid these costs, it is possible to significantly reduce them. The question is what an organization can do to reduce these costs.

This paper explains how organizations can use Tripwire IT security and compliance automation solutions to lower their overall cost of compliance. The paper does this by focusing on actions the study suggests would lower the cost of compliance and demonstrating how Tripwire solutions support these.

HIGHLIGHTS OF THE 2011 TRUE COST OF COMPLIANCE STUDY
» The costs of non-compliance can be more expensive than investing in compliance.
» More frequent audits can reduce the overall cost of compliance.
» More effective security reduces the cost of non-compliance.
» The bigger the gap between compliance and non-compliance costs, the greater the data breach size.

COMPLIANCE TERMINOLOGY
Cost of compliance: Costs associated with proactively addressing compliance. Examples include software or hardware purchased for compliance, audit preparation time, employee compliance training.
Cost of non-compliance: Costs associated with experiencing a breach or failing an audit—typically reactive costs. Examples include fines, legal fees, business disruption, tarnished brand image, and others.
Overall cost of compliance: The cost of compliance added to the cost of non-compliance.
Direct costs: Costs for which a direct cash outlay was made—typically for a given project or output. Examples include a software purchase for a compliance project or engaging a compliance consultant for compliance needs.
Indirect costs: Costs that cannot be directly attributed to a project or output, and often referred to as “overhead.” For example, employee time spent producing compliance reports.
Opportunity costs: Business options lost because resources were spent elsewhere or circumstances negated the option. For example, if a business suffers a security breach, customers may choose to do business elsewhere.

STRATEGY #1
REDUCE THE GAP BETWEEN TIME OF COMPROMISE TO DISCOVERY

Most organizations tend to focus on fines and penalties when they consider the costs of non-compliance. The True Cost of Compliance study determined that the bulk of non-compliance costs actually come from indirect and opportunity costs, such as lost employee productivity, disrupted services, customer churn or a major outage. In fact, business disruption accounted for more than twice the costs of non-compliance compared to fines and penalties and other similar costs. Clearly, the longer a compromise goes undetected, the more time these relatively larger non-compliance costs have to accumulate. Yet the recent Verizon 2011 Data Breach Investigations Report [2] noted that in 78 percent of the breaches reviewed, it took from weeks to years to discover a compromise after it occurred.

Organizations must reduce the time between compromise and discovery to contain the damage and rein in non-compliance costs. To do that, they need solutions that help them manage and control change and give them visibility to specifically what changed and who made the change.

Tripwire® Enterprise does this with file integrity monitoring (FIM) that continuously monitors for change—and captures what changed, who made the change, if a change was expected or acceptable, and if it introduces risk or non-compliance. It also analyzes change in real time against criteria such as compliance policy and approved change tickets.

Best of all, Tripwire Enterprise integrates with Tripwire Log Center® as part of the Tripwire VIA™ platform, so IT can see changes within the context of security events. Now the user can determine what security events and suspicious changes might be connected to a security breach or attempt because they occurred around the same time on a server, device or other IT asset. For example, with Tripwire VIA solutions, a user can get an alert that unauthorized access has been detected and a subsequent change led to a security hole—certainly a situation IT would want to investigate. With this high level of visibility to suspicious activity, IT can reduce the time of compromise to discovery from weeks, months or even years to just days or even hours.

In addition, Tripwire Log Center captures a complete activity log for each monitored IT asset and stores it in a highly searchable format. This means the user can quickly get even more detail about the activities that surrounded suspicious activity. And in the event of a security breach, this provides useful forensic data to help identify the root cause of a change to decrease the mean time to repair (MTTR).

STRATEGY #2
USE AUTOMATION TO SUPPORT MORE FREQUENT AUDITS

The Ponemon Cost of Compliance study suggests that those organizations that conduct more frequent internal audits tend to have a lower overall cost of compliance. Perhaps this is because organizations that conduct more internal audits approach compliance proactively. It also may be that these organizations have a strong culture of security, so employees require less training and enforcement to ensure adherence to compliance and security processes and policies. In addition, these organizations may experience cost savings that result from continuous compliance because they’re already in an audit-ready state, no matter how many compliance mandates they face.

This finding might surprise many organizations. Most believe that the constant work of preparing for, undergoing, and addressing findings of audits takes more resources than they have available. This belief is especially strong when, like most organizations today, an organization faces multiple compliance mandates. Many organizations are also saddled with serious budget concerns. A survey of compliance professionals completed by Complinet at the end of 2008 showed that 56 percent of those surveyed believed their budgets for the following year would be cut or remain flat. [3] As a result, organizations frequently aim for the bare minimum, attempting to pass only mandatory audits, falling out of compliance between audits, and paying the costs associated with the consequences of non-compliance.

The reality is that preparing for and reacting to findings of external audits can be costly when not done in a cost-effective, proactive manner. The Cost of Compliance 2011 Survey published by Thomson Reuters backs this up—more than one-third of compliance teams surveyed indicated that they spent more than an entire work day each week trying to keep up with constantly changing regulations. [4] And that doesn’t include the time spent creating or modifying compliance-related reports for upper management. Tripwire VIA solutions ease the burden associated with audits by automating traditionally manual tasks.

Tripwire also helps organizations more efficiently prepare for multiple compliance audits. Tripwire’s experts constantly update the compliance policies to reflect changes in standards and regulations, so organizations know they are assessing their compliance against the latest requirements. In addition, because Tripwire Enterprise’s automated file integrity monitoring alerts IT to changes that cause non-compliance, organizations can immediately fix issues—even using automated remediation if they want. Such swift repair of non-compliant configurations helps organizations avoid non-compliance costs such as disruptions of service or fines and penalties. Because Tripwire Enterprise and Tripwire Log Center automatically populate dashboards with security and compliance status information and produce audit-ready reports, preparing for multiple audits becomes much easier.
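As an added illustration of the change-detection pipeline that Strategy #1 and Strategy #2 describe (example code written for this page, not Tripwire's own), the following Python module builds a known-good baseline of file hashes, diffs a later snapshot against it, reconciles each change with approved change tickets, correlates unapproved changes with security events on the same host inside a time window, and records how long each change went undetected, producing the kind of triage record an audit-ready report would be built from. Every host, path, account, ticket and log event in demo() is constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class FileState:
    content: bytes        # file contents as scanned
    changed_at: datetime  # modification time recorded by the monitored system
    actor: str            # account that made the change (from the system's audit data)

@dataclass
class Change:
    host: str
    path: str
    kind: str             # "added", "modified" or "removed"
    at: datetime
    actor: str

@dataclass
class Ticket:             # an approved change ticket: who may change what, where and when
    ticket_id: str
    host: str
    path_prefix: str
    start: datetime
    end: datetime

@dataclass
class SecurityEvent:      # one log-derived event from the same asset (constructed)
    host: str
    at: datetime
    message: str

def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def build_baseline(files: dict) -> dict:
    """Known-good snapshot: path -> content hash."""
    return {p: fingerprint(s.content) for p, s in files.items()}

def detect_changes(host: str, baseline: dict, current: dict, scan_time: datetime) -> list:
    """Diff the current snapshot against the baseline; one Change per changed path."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:   # a removed file leaves no mtime behind; use the scan time
            changes.append(Change(host, path, "removed", scan_time, "unknown"))
        elif path not in baseline:
            s = current[path]
            changes.append(Change(host, path, "added", s.changed_at, s.actor))
        elif fingerprint(current[path].content) != baseline[path]:
            s = current[path]
            changes.append(Change(host, path, "modified", s.changed_at, s.actor))
    return changes

def matching_ticket(change: Change, tickets: list) -> Optional[str]:
    """Id of an approved ticket covering this host, path and time window, if any."""
    for t in tickets:
        if (t.host == change.host and change.path.startswith(t.path_prefix)
                and t.start <= change.at <= t.end):
            return t.ticket_id
    return None

def nearby_events(change: Change, events: list, window=timedelta(minutes=30)) -> list:
    """Security events on the same asset within +/- window of the change."""
    return [e for e in events if e.host == change.host and abs(e.at - change.at) <= window]

def triage(changes: list, tickets: list, events: list, detected_at: datetime) -> list:
    """Classify each change and record how long it went undetected."""
    findings = []
    for c in changes:
        ticket, related = matching_ticket(c, tickets), nearby_events(c, events)
        # approved: covered by a ticket; investigate: unauthorized and adjacent to
        # security events; unauthorized: policy violation with no sign of an incident
        status = "approved" if ticket else "investigate" if related else "unauthorized"
        findings.append({
            "path": c.path, "kind": c.kind, "actor": c.actor, "status": status,
            "ticket": ticket, "events": [e.message for e in related],
            "hours_undetected": round((detected_at - c.at).total_seconds() / 3600, 1),
        })
    return findings

def demo() -> list:
    """Constructed sample: one host, three changes, one ticket, two log events."""
    host, t0 = "web01", datetime(2011, 5, 2, 0, 0)
    at = lambda h, m: t0 + timedelta(hours=h, minutes=m)
    known_good = {
        "/etc/ssh/sshd_config": FileState(b"PermitRootLogin no\n", t0, "root"),
        "/etc/motd": FileState(b"Welcome\n", t0, "root"),
        "/var/www/index.html": FileState(b"<h1>Shop</h1>", t0, "deploy"),
    }
    current = dict(known_good)
    current["/etc/ssh/sshd_config"] = FileState(b"PermitRootLogin no\nMaxAuthTries 3\n", at(2, 14), "svc_deploy")
    current["/etc/motd"] = FileState(b"Welcome!\n", at(10, 5), "root")
    current["/var/www/uploads/cache.php"] = FileState(b"<?php\n", at(3, 41), "www-data")
    tickets = [Ticket("CHG-1042", host, "/etc/ssh/", at(2, 0), at(3, 0))]
    events = [SecurityEvent(host, at(3, 35), "57 failed logins to /admin from one source"),
              SecurityEvent(host, at(3, 40), "POST to /uploads accepted non-image content")]
    scan = at(24, 0)  # the daily scan is what detects the changes in this sample
    return triage(detect_changes(host, build_baseline(known_good), current, scan), tickets, events, scan)
```

In the sample, the sshd_config edit is covered by its ticket and needs no attention, the motd edit is a policy violation to fix, and the new file under the web root is flagged for investigation because it was created by the web server account minutes after suspicious log events on the same host.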




STRATEGY #3
BUILD A MORE EFFECTIVE SECURITY STRATEGY

TRIPWIRE HELPS ORGANIZATIONS MEET THE SES OBJECTIVES THAT REDUCE NON-COMPLIANCE COSTS MOST
SES objectives most highly related to non-compliance:
» Monitor and strictly enforce security policies
» Conduct audits or assessments on an ongoing basis
» Ensure minimal downtime or disruptions to systems resulting from security issues
» Secure endpoints to the network

One of the significant findings of the True Cost of Compliance study was that organizations with a better security posture had significantly lower non-compliance costs. In fact, those in the group with the best security posture spent approximately 4.5 times less on non-compliance costs than those in the group with the worst security posture. Intuitively, this makes sense: more secure systems mean fewer disrupted services and increased employee productivity, along with lower legal fees and other non-compliance costs. Yet surprisingly, organizations continue investing in compliance solely to meet compliance requirements—the checkbox approach to compliance.

The True Cost of Compliance study used a measure of security effectiveness called the Security Effectiveness Score (SES) to assess each organization’s security posture. The score was calculated according to how well an organization met a total of 25 “reasonable security objectives” [5]—for example, did the organization know where its sensitive or confidential information was physically located and did they limit physical access to devices containing such information.

Tripwire IT security and compliance automation solutions help with more than half of these objectives. In fact, Tripwire solutions helped with five of the 10 objectives most strongly associated with a good security posture. These five objectives are:

Monitor and strictly enforce security policies. Tripwire Enterprise’s file integrity monitoring and compliance policy management capabilities combine to monitor the IT infrastructure for change that impacts security (and compliance). Automated alerts ensure that changes that may have weakened the organization’s security posture can be quickly investigated and fixed.

Conduct audits or assessments on an ongoing basis. This objective indicates whether or not an organization has instituted a proactive approach to compliance by ensuring continuous compliance and being prepared at any time to prove it. Tripwire Enterprise automatically detects changes that cause non-compliance to configurations and provides automated remediation to quickly return these configurations to a compliant state. In addition, it maintains a record of all changes, along with automated reports and dashboards that prove compliance at any given time.

Ensure minimal downtime or disruptions to systems resulting from security issues. With Tripwire VIA solutions, organizations not only immediately detect suspicious changes with Tripwire Enterprise, they can also correlate those changes with security events captured by Tripwire Log Center. By seeing what security events occurred before and after a suspicious change, IT can more easily identify and fix changes that could lead to disruptions.

Prevent or curtail viruses, malware and spyware infections. A virus, malware or spyware application has to be installed to create an issue. Such an installation typically requires unauthorized access and results in one or multiple system changes. Tripwire VIA solutions detect changes and security events that indicate unauthorized access and detect changes such as the actual installation and any subsequent changes the application makes. This combination of detecting—and correlating—both events and changes provides a level of protection not possible with signature-based tools such as anti-virus.

Secure endpoints to the network. For many organizations—especially those in the hospitality and retail industry—the weakest point is out at the edge of the network. For retailers, this is the credit card-processing device at a store or an on-site server; for the hospitality industry, it’s the hotel check-in kiosk or front desk system. Tripwire VIA solutions protect these endpoint devices just the way they protect the devices, systems, applications and data that reside within the corporate data center, by detecting changes that introduce risk or non-compliance and helping organizations quickly fix them to avoid or reduce the impact of a security breach.

The takeaway here is that when making compliance investments, these investments must improve the organization’s security posture. This is where investing for checkbox compliance alone is clearly a losing proposition.




DON’T JUST SPEND ON COMPLIANCE. SPEND ON IT WISELY, FOR SECURITY

In this paper, we’ve examined three recommendations organizations can apply to reduce their overall cost of compliance based on findings from The True Cost of Compliance study. These recommendations include better managing and controlling change throughout the IT infrastructure, using automation to conduct audits more regularly and building a stronger IT security posture.

We’ve also discussed how Tripwire IT security and compliance automation solutions support these recommendations.

Tripwire Enterprise helps organizations detect all change and prioritize those that need immediate attention because they threaten compliance or security. By integrating Tripwire Enterprise with Tripwire Log Center, users can review complex sequences of changes and security events to add critical context to detected changes. This means organizations can even more clearly identify an attack or the start of an attack.

Tripwire VIA solutions also help ease the work and lower the cost of maintaining and proving compliance, through automated compliance policy assessment, audit report generation and dashboards, and remediation of non-compliant configurations. Automation allows organizations to efficiently and cost-effectively conduct multiple audits, which has been shown to lower their costs of non-compliance.

Finally, Tripwire VIA solutions not only help organizations meet compliance with multiple compliance mandates, they also greatly improve the organization’s security posture. With Tripwire solutions, organizations can lower the costs associated with non-compliance consequences by avoiding security breaches or by quickly detecting a breach before significant damage occurs.

One way or another, organizations will spend on compliance. The question is what approach to compliance spending they will take. They can spend the bulk of their compliance investments reactively on non-compliance costs in response to a breach or audit finding. Or they can take a proactive approach to compliance, investing in people, processes and technologies that offer continuous compliance and improved security. With this approach, they will likely spend less on compliance overall, primarily by reducing their non-compliance costs. The Tripwire VIA suite of IT security and compliance automation solutions supports this approach, making it far easier, and ultimately more affordable, for organizations to build a strong security posture through proactive compliance investment.

“Achieving critical and complex goals related to compliance requires holistic and integrated security solutions that seamlessly address every area of the organization that compliance impacts.”
— THE TRUE COST OF COMPLIANCE, PONEMON INSTITUTE

REFERENCES
[1] The True Cost of Compliance: A Benchmark Study of Multinational Organizations, by the Ponemon Institute, January 2011.
[2] 2011 Data Breach Investigations Report, by Verizon RISK, the U.S. Secret Service and the Dutch High Tech Crime Unit. Released April 2011.
[3] Costs of Non-compliance: However Much Compliance Costs, Non-compliance Costs More, by Susannah Hammond and Stacey English, May 2009.
[4] Cost of Compliance Survey 2011, by Susannah Hammond and Stacey English, 2011.
[5] The True Cost of Compliance: A Benchmark Study of Multinational Organizations, by the Ponemon Institute, January 2011. Appendix 3, page 30.




Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the integrated compliance and security software platform, delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.

LEARN MORE AT WWW.TRIPWIRE.COM AND TRIPWIREINC ON TWITTER.

©2011 Tripwire, Inc. Tripwire, Log Center, and VIA are registered trademarks and/or trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.
WPRCC1n 201105

Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Reducing the Cost of Compliance: The Top 3 Effective Strategies

COMPLIANCE WHITE PAPER

REDUCING THE COST OF COMPLIANCE
THE TOP THREE EFFECTIVE STRATEGIES

IT SECURITY AND COMPLIANCE AUTOMATION SOLUTIONS
TOP THREE STRATEGIES TO REDUCE THE COSTS OF COMPLIANCE

HIGHLIGHTS OF THE 2011 TRUE COST OF COMPLIANCE STUDY
» The costs of non-compliance can be more expensive than investing in compliance.
» More frequent audits can reduce the overall cost of compliance.
» More effective security reduces the cost of non-compliance.
» The bigger the gap between compliance and non-compliance costs, the greater the data breach size.

Without a doubt, almost every organization that works with sensitive data such as credit cardholder data, personally identifiable information, or intellectual property faces compliance with at least one mandate, and typically many more. The intent of these mandates—whether industry standard, government regulation or internal security policy—is to protect sensitive or business-critical data and the IT infrastructure. Unfortunately, many organizations take a checkbox approach to compliance validation, installing required controls without ensuring that they actually protect systems and data. By finding the shortest, least expensive path to compliance, organizations have missed the point, which is to effectively utilize compliance investments to improve security.

Many visionary chief information security officers and IT security professionals have pushed for proactive investment in information security, with compliance resulting as a natural byproduct of those investments. This approach would not only meet compliance requirements, but would also reduce the consequences and high costs of non-compliance. Yet until recently, they've had no data to back them up.

The Ponemon Institute's 2011 True Cost of Compliance study [1] provides critical evidence that investments made on compliance today—especially if they improve security—can likely save much more in the long run by reducing the costs and consequences associated with non-compliance. And while it's impossible to completely avoid these costs, it is possible to significantly reduce them. The question is what an organization can do to reduce these costs.

This paper explains how organizations can use Tripwire IT security and compliance automation solutions to lower their overall cost of compliance. The paper does this by focusing on actions the study suggests would lower the cost of compliance and demonstrating how Tripwire solutions support these.

STRATEGY #1: REDUCE THE GAP BETWEEN TIME OF COMPROMISE TO DISCOVERY

Most organizations tend to focus on fines and penalties when they consider the costs of non-compliance. The True Cost of Compliance study determined that the bulk of non-compliance costs actually come from indirect and opportunity costs, such as lost employee productivity, disrupted services, customer churn or a major outage. In fact, business disruption accounted for more than twice the costs of non-compliance compared to fines and penalties and other similar costs. Clearly, the longer a compromise goes undetected, the more time these relatively larger non-compliance costs have to accumulate. Yet the recent Verizon 2011 Data Breach Investigations Report [2] noted that in 78 percent of the breaches reviewed, it took from weeks to years to discover a compromise after it occurred.

Organizations must reduce the time between compromise and discovery to contain the damage and rein in non-compliance costs. To do that, they need solutions that help them manage and control change and give them visibility to specifically what changed and who made the change.

Tripwire® Enterprise does this with file integrity monitoring (FIM) that continuously monitors for change—and captures what changed, who made the change, if a change was expected or acceptable, and if it introduces risk or non-compliance. It also analyzes change in real time against criteria such as compliance policy and approved change tickets.

Best of all, Tripwire Enterprise integrates with Tripwire Log Center® as part of the Tripwire VIA™ platform, so IT can see changes within the context of security events. Now the user can determine what security events and suspicious changes might be connected to a security breach or attempt because they occurred around the same time on a server, device or other IT asset. For example, with Tripwire VIA solutions, a user can get an alert that unauthorized access has been detected and a subsequent change led to a security hole—certainly a situation IT would want to investigate. With this high level of visibility to suspicious activity, IT can reduce the time from compromise to discovery from weeks, months or even years to just days or even hours.

In addition, Tripwire Log Center captures a complete activity log for each monitored IT asset and stores it in a highly searchable format. This means the user can quickly get even more detail about the activities that surrounded suspicious activity. And in the event of a security breach, this provides useful forensic data to help identify the root cause of a change to decrease the mean time to repair (MTTR).

2 Reducing the Cost of Compliance

COMPLIANCE TERMINOLOGY
Cost of compliance: Costs associated with proactively addressing compliance. Examples include software or hardware purchased for compliance, audit preparation time, employee compliance training.
Cost of non-compliance: Costs associated with experiencing a breach or failing an audit—typically reactive costs. Examples include fines, legal fees, business disruption, tarnished brand image, and others.
Overall cost of compliance: The cost of compliance added to the cost of non-compliance.
Direct costs: Costs for which a direct cash outlay was made—typically for a given project or output. Examples include a software purchase for a compliance project or engaging a compliance consultant for compliance needs.
Indirect costs: Costs that cannot be directly attributed to a project or output, and often referred to as "overhead." For example, employee time spent producing compliance reports.
Opportunity costs: Business options lost because resources were spent elsewhere or circumstances negated the option. For example, if a business suffers a security breach, customers may choose to do business elsewhere.

STRATEGY #2: USE AUTOMATION TO SUPPORT MORE FREQUENT AUDITS

The Ponemon Cost of Compliance study suggests that those organizations that conduct more frequent internal audits tend to have a lower overall cost of compliance. Perhaps this is because organizations that conduct more internal audits approach compliance proactively. It also may be that these organizations have a strong culture of security, so employees require less training and enforcement to ensure adherence to compliance and security processes and policies. In addition, these organizations may experience cost savings that result from continuous compliance because they're already in an audit-ready state, no matter how many compliance mandates they face.

This finding might surprise many organizations. Most believe that the constant work of preparing for, undergoing, and addressing findings of audits takes more resources than they have available. This belief is especially strong when, like most organizations today, an organization faces multiple compliance mandates. Many organizations are also saddled with serious budget concerns. A survey of compliance professionals completed by Complinet at the end of 2008 showed that 56 percent of those surveyed believed their budgets for the following year would be cut or remain flat [3]. As a result, organizations frequently aim for the bare minimum, attempting to pass only mandatory audits, falling out of compliance between audits, and paying the costs associated with the consequences of non-compliance.

The reality is that preparing for and reacting to findings of external audits can be costly when not done in a cost-effective, proactive manner. The Cost of Compliance 2011 Survey published by Thomson Reuters backs this up—more than one-third of compliance teams surveyed indicated that they spent more than an entire work day each week trying to keep up with constantly changing regulations [4]. And that doesn't include the time spent creating or modifying compliance-related reports for upper management. Tripwire VIA solutions ease the burden associated with audits by automating traditionally manual tasks.

Tripwire also helps organizations more efficiently prepare for multiple compliance audits. Tripwire's experts constantly update the compliance policies to reflect changes in standards and regulations, so organizations know they are assessing their compliance against the latest requirements. In addition, because Tripwire Enterprise's automated file integrity monitoring alerts IT to changes that cause non-compliance, organizations can immediately fix issues—even using automated remediation if they want. Such swift repair of non-compliant configurations helps organizations avoid non-compliance costs such as disruptions of service or fines and penalties. Because Tripwire Enterprise and Tripwire Log Center automatically populate dashboards with security and compliance status information and produce audit-ready reports, preparing for multiple audits becomes much easier.
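The workflow behind Strategy #1 and Strategy #2, as an added example that is not Tripwire's code: a baseline of file hashes, detection of added, removed and modified files, reconciliation of each change against approved change tickets and against security events logged on the same asset around the same time, and a compliance policy check on the changed file. The directory contents, the ticket, the policy rule and the log event are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    path: str          # relative path the ticket authorises changes to
    start: datetime    # approved change window
    end: datetime


# Constructed compliance policy: each monitored path must still contain this text.
POLICY = {"etc/sshd_config": "PermitRootLogin no"}


def snapshot(root: Path) -> dict[str, str]:
    """Baseline: SHA-256 of every regular file under root, keyed by relative path."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff(before: dict[str, str], after: dict[str, str]) -> list[tuple[str, str]]:
    """List (kind, path) for every added, removed or modified file."""
    changes = [("added", p) for p in sorted(set(after) - set(before))]
    changes += [("removed", p) for p in sorted(set(before) - set(after))]
    changes += [("modified", p) for p in sorted(before) if p in after and before[p] != after[p]]
    return changes


def classify(path: str, when: datetime, tickets: list[ChangeTicket],
             events: list[tuple[datetime, str]], window: timedelta = timedelta(minutes=30)):
    """Expected change (ticket), change near a security event (suspicious), or neither."""
    for t in tickets:
        if t.path == path and t.start <= when <= t.end:
            return "approved", t.ticket_id
    nearby = [msg for ts, msg in events if abs(ts - when) <= window]
    if nearby:
        return "suspicious", "; ".join(nearby)
    return "unapproved", None


def policy_violation(root: Path, path: str) -> bool:
    """True if the file, as it is now, violates the policy rule for that path."""
    required = POLICY.get(path)
    if required is None:
        return False
    f = root / path
    return not (f.is_file() and required in f.read_text())


def reconcile(root: Path, baseline: dict[str, str], detected_at: dict[str, datetime],
              tickets: list[ChangeTicket], events: list[tuple[datetime, str]]) -> list[dict]:
    """Detect changes against the baseline and return one reconciled record per change."""
    report = []
    for kind, path in diff(baseline, snapshot(root)):
        status, detail = classify(path, detected_at[path], tickets, events)
        report.append({"path": path, "kind": kind, "status": status,
                       "detail": detail, "non_compliant": policy_violation(root, path)})
    return report


def demo() -> list[dict]:
    """Constructed scenario: one approved deploy, one suspicious config change, one unexplained file."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    (root / "etc/sshd_config").write_text("Port 22\nPermitRootLogin no\n")
    (root / "bin/app").write_bytes(b"v1")
    baseline = snapshot(root)

    t0 = datetime(2011, 5, 2, 9, 0)
    tickets = [ChangeTicket("CHG-1042", "bin/app", t0, t0 + timedelta(hours=2))]
    # Constructed security event from the same asset's log.
    events = [(t0 + timedelta(hours=5), "repeated failed logins then root login from new address")]

    (root / "bin/app").write_bytes(b"v2")                                    # inside the ticket window
    (root / "etc/sshd_config").write_text("Port 22\nPermitRootLogin yes\n")  # weakens the policy
    (root / "bin/dropper").write_bytes(b"\x00")                               # no ticket, no nearby event
    detected_at = {"bin/app": t0 + timedelta(minutes=10),
                   "etc/sshd_config": t0 + timedelta(hours=5, minutes=3),
                   "bin/dropper": t0 + timedelta(days=1)}
    return reconcile(root, baseline, detected_at, tickets, events)


if __name__ == "__main__":
    for record in demo():
        print(record)
```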
STRATEGY #3: BUILD A MORE EFFECTIVE SECURITY STRATEGY

TRIPWIRE HELPS ORGANIZATIONS MEET THE SES OBJECTIVES THAT REDUCE NON-COMPLIANCE COSTS MOST
SES objectives most highly related to non-compliance:
» Monitor and strictly enforce security policies
» Conduct audits or assessments on an ongoing basis
» Ensure minimal downtime or disruptions to systems resulting from security issues
» Secure endpoints to the network

One of the significant findings of the True Cost of Compliance study was that organizations with a better security posture had significantly lower non-compliance costs. In fact, those in the group with the best security posture spent approximately 4.5 times less on non-compliance costs than those in the group with the worst security posture. Intuitively, this makes sense: more secure systems mean fewer disrupted services and increased employee productivity, along with lower legal fees and other non-compliance costs. Yet surprisingly, organizations continue investing in compliance solely to meet compliance requirements—the checkbox approach to compliance.

The True Cost of Compliance study used a measure of security effectiveness called the Security Effectiveness Score (SES) to assess each organization's security posture. The score was calculated according to how well an organization met a total of 25 "reasonable security objectives" [5]—for example, did the organization know where its sensitive or confidential information was physically located and did they limit physical access to devices containing such information.

Tripwire IT security and compliance automation solutions help with more than half of these objectives. In fact, Tripwire solutions helped with five of the 10 objectives most strongly associated with a good security posture. These five objectives are:

Monitor and strictly enforce security policies. Tripwire Enterprise's file integrity monitoring and compliance policy management capabilities combine to monitor the IT infrastructure for change that impacts security (and compliance). Automated alerts ensure that changes that may have weakened the organization's security posture can be quickly investigated and fixed.

Conduct audits or assessments on an ongoing basis. This objective indicates whether or not an organization has instituted a proactive approach to compliance by ensuring continuous compliance and being prepared at any time to prove it. Tripwire Enterprise automatically detects changes that cause non-compliance to configurations and provides automated remediation to quickly return these configurations to a compliant state. In addition, it maintains a record of all changes, along with automated reports and dashboards that prove compliance at any given time.

Ensure minimal downtime or disruptions to systems resulting from security issues. With Tripwire VIA solutions, organizations not only immediately detect suspicious changes with Tripwire Enterprise, they can also correlate those changes with security events captured by Tripwire Log Center. By seeing what security events occurred before and after a suspicious change, IT can more easily identify and fix changes that could lead to disruptions.

Prevent or curtail viruses, malware and spyware infections. A virus, malware or spyware application has to be installed to create an issue. Such an installation typically requires unauthorized access and results in one or multiple system changes. Tripwire VIA solutions detect changes and security events that indicate unauthorized access and detect changes such as the actual installation and any subsequent changes the application makes. This combination of detecting—and correlating—both events and changes provides a level of protection not possible with signature-based tools such as anti-virus.

Secure endpoints to the network. For many organizations—especially those in the hospitality and retail industry—the weakest point is out at the edge of the network. For retailers, this is the credit card-processing device at a store or an on-site server; for the hospitality industry, it's the hotel check-in kiosk or front desk system. Tripwire VIA solutions protect these endpoint devices just the way they protect the devices, systems, applications and data that reside within the corporate data center, by detecting changes that introduce risk or non-compliance and helping organizations quickly fix them to avoid or reduce the impact of a security breach.

The takeaway here is that when making compliance investments, these investments must improve the organization's security posture. This is where investing for checkbox compliance alone is clearly a losing proposition.
DON'T JUST SPEND ON COMPLIANCE. SPEND ON IT WISELY, FOR SECURITY

"Achieving critical and complex goals related to compliance requires holistic and integrated security solutions that seamlessly address every area of the organization that compliance impacts."
— THE TRUE COST OF COMPLIANCE, PONEMON INSTITUTE

In this paper, we've examined three recommendations organizations can apply to reduce their overall cost of compliance based on findings from The True Cost of Compliance study. These recommendations include better managing and controlling change throughout the IT infrastructure, using automation to conduct audits more regularly, and building a stronger IT security posture.

We've also discussed how Tripwire IT security and compliance automation solutions support these recommendations.

Tripwire Enterprise helps organizations detect all change and prioritize those that need immediate attention because they threaten compliance or security. By integrating Tripwire Enterprise with Tripwire Log Center, users can review complex sequences of changes and security events to add critical context to detected changes. This means organizations can even more clearly identify an attack or the start of an attack.

Tripwire VIA solutions also help ease the work and lower the cost of maintaining and proving compliance, through automated compliance policy assessment, audit report generation and dashboards, and remediation of non-compliant configurations. Automation allows organizations to efficiently and cost-effectively conduct multiple audits, which has been shown to lower their costs of non-compliance.

Finally, Tripwire VIA solutions not only help organizations meet compliance with multiple compliance mandates, they also greatly improve the organization's security posture. With Tripwire solutions, organizations can lower the costs associated with non-compliance consequences by avoiding security breaches or by quickly detecting a breach before significant damage occurs.

One way or another, organizations will spend on compliance. The question is what approach to compliance spending they will take. They can spend the bulk of their compliance investments reactively on non-compliance costs in response to a breach or audit finding. Or they can take a proactive approach to compliance, investing in people, processes and technologies that offer continuous compliance and improved security. With this approach, they will likely spend less on compliance overall, primarily by reducing their non-compliance costs. The Tripwire VIA suite of IT security and compliance automation solutions supports this approach, making it far easier, and ultimately more affordable, for organizations to build a strong security posture through proactive compliance investment.

REFERENCES
1. The True Cost of Compliance: A Benchmark Study of Multinational Organizations, by the Ponemon Institute, January 2011.
2. 2011 Data Breach Investigations Report, by Verizon RISK, the U.S. Secret Service and the Dutch High Tech Crime Unit. Released April 2011.
3. Costs of Non-compliance: However Much Compliance Costs, Non-compliance Costs More, by Susannah Hammond and Stacey English, May 2009.
4. Cost of Compliance Survey 2011, by Susannah Hammond and Stacey English, 2011.
5. The True Cost of Compliance: A Benchmark Study of Multinational Organizations, by the Ponemon Institute, January 2011. Appendix 3, page 30.
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the integrated compliance and security software platform, delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.

LEARN MORE AT WWW.TRIPWIRE.COM AND TRIPWIREINC ON TWITTER.

©2011 Tripwire, Inc. Tripwire, Log Center, and VIA are registered trademarks and/or trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPRCC1n 201105