A common challenge that all organizations face — whether federal agencies, the Defense Industrial Base (DIB), private organizations, or commercial entities — is regulatory and policy compliance.
While the federal government has adopted NIST Special Publication 800-53 as its regulatory standard for IT security controls, the commercial sector is required to abide by various regulations and guidelines such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and Control Objectives for Information and Related Technology (COBIT), just to name a few. Additionally, all organizations have internal policy compliance requirements such as audits, business continuity, and disaster recovery.
Cybersecurity professionals across all industries are tasked with continuously evaluating and monitoring their information systems against the required set of security controls provided by these regulations.
While automated penetration testing tools and vulnerability scanners have come a long way in recent years, they are unable to automate a significant portion of security controls. The evaluation of non-technical controls, or rather those controls that are policy- and management-based, requires human involvement. It is estimated that less than twenty-five percent of security controls can be automated. The reality that most security controls must be periodically and continuously evaluated in a manual fashion creates many problems for cybersecurity professionals across industries.
The first problem presented by this manual procedure is the inability to identify a point of contact that is responsible for implementing each security control. Additionally, it is impractical to identify who is responsible for enforcing the security policy. Such a problem leaves questions such as, “Who performed what action and under whose direction?” unanswered. This lack of accountability creates a problem for the organization as a whole when security vulnerabilities are exposed. Lack of an adequate trail of events can lead to poor compliance and increased exposure to security risk.
Another problem with manually implementing and enforcing human-dependent security controls is the logistical hurdle that must be overcome when conveying the prescribed implementation and collecting the results. Security controls are often communicated by a series of emails and phone calls to the point of contact responsible for implementation. In addition to phone and email, the security controls enforcer may be required to conduct a site visit to verify that the control is in place. Not only is there a lack of an audit trail in these situations, there is also an increased cost to the organization in terms of time and effort.
Finally, many security controls require more than a simple pass/fail response. Each control must be evaluated with the understanding that certain responses may require additional evaluation criteria.
Telos Corporation is developing a solution to automate this manual compliance process. Scheduled for release within the next couple of weeks, Xacta Compliance Campaign Manager (Xacta CCM) will simplify the data-gathering process into a web-based solution. Xacta CCM leverages the Open Checklist Interactive Language (OCIL) to assist in the creation and distribution of compliance-based questionnaires for manual security checks, government and commercial standards, and crosswalk controls from different frameworks as well.
Through Xacta CCM it will be possible to easily identify those responsible for implementing and enforcing controls. Additionally, Xacta CCM will enable organizations to schedule periodic evaluations and automate ongoing authorization of manual security controls. Xacta CCM is the latest component of the Xacta IA Manager suite for security risk management, providing a key element for simplifying and streamlining the compliance management process.