
What's the Point of Compliance? Making Paperwork Useful

BSides DC · 2018 · 43:16 · 178 views · Published 2018-11 · Watch on YouTube
Speaker: Rachael Lininger
Category: Policy
Topic: GRC
Style: Talk
About this talk
Compliance frameworks serve a real purpose: they document your security decisions and verify you're executing on them. This talk explores governance, risk, and compliance fundamentals, outlines U.S. compliance requirements, and presents a minimalist GRC structure that actually improves security rather than creating busywork. The speaker demonstrates how to build effective policies, manage assets, assess risk pragmatically, and communicate constructively with auditors.
Original YouTube description
Compliance isn't security, but that doesn't mean it's useless. Compliance is about choosing your security strategy and then making sure you did what you meant to do – and that it's working. It's a way to keep yourself honest, and be able to show others that you're doing what you say you are. How do you know for sure that you've patched all your systems unless you check? How do you know that legacy protocol is ok unless you wrote it down? In this presentation, I'll cover what governance, risk, and compliance are and what they're for. I'll discuss the different compliance requirements for U.S. organizations, outline a minimalist compliance structure, and show you how to make that structure work for you – and how to talk to auditors and assessors about it. By law and by contract, security teams have to generate a lot of paperwork showing that people's information and systems are protected. The goal is paperwork that isn't just busywork – that actually helps your program fulfill your primary objectives, saves time, and helps you improve your strategies. Your security can be better for doing all this compliancy stuff, and this talk will show you how.
Rachael Lininger (Free Agent): Information security analyst, risk consultant, Cthulhu cultist. Lawful good. Opinions belong to her autocorrect, not her employer. @0xdaeda1a
Transcript [en]

BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success. Everybody, my name is Rachael Lininger and I'm here to talk to you about the exciting topic of compliance. Are you okay? Alright. Here's why you should listen to me. Actually, I don't know why, but I'm kind of a risk enthusiast. I have been in information security for 15 years, most of it in GRC for some reason. I have all the stupid certifications that you want. I'm currently between jobs, but I am moving to DC in a month to start work here, and if you have any questions or want to yell at me about my talk, there's

my contact information; it will come up again at the end. So what are we going to do? First we're gonna talk about GRC: we're going to introduce it and talk about some principles. Then I'm going to give you a quick background of the exciting US landscape of compliance. I'll talk you through a minimalist GRC program that really does work and doesn't hurt nearly as bad, and I'm also gonna do a little brief explainer on talking to assessors, 'cause they're really not that scary, only a little bit scary. So, GRC stands for governance, risk and compliance. Why are we doing it? Why? Here is your existential scream. Who here loves audits? Assessments? Keep your hands up. Oh, two of

you who had your hands up. Checklists? Findings? Corrective action plans? Policy exceptions? Vendor questionnaires? Nobody's hand is still up. If you get paid for any of these, it doesn't count. What about knowing that the latest logo vuln was patched? Who likes that? Knowing for sure which boxes weren't patched and why? Yeah, I see some people liking this stuff. Payroll asks you first before they send a million dollars to the CEO in Romania. The latest issue with your vendor is covered in your contract, and so they can't tell you to go pound sand, and that's kind of fun. You have a budget to fix things. Who likes that? Yeah. You don't get any of that without GRC. Sorry. GRC

stands for governance. Governance is all the... oh great, that's doing... there's a bug. Governance is all the standards, policies, processes, exceptions. That's writing down your decisions about what you're going to do about security and what you're doing now. Preferably you do this once and write it down, rather than having people figure it out again every single time; that does not make for a very consistent environment. Risk: risk is the probable frequency and probable magnitude of future loss. That's from FAIR; I'll talk a little bit more about that later. But what risk management really is, it's strategizing: what's actually important, what you need to do, and what you can skip because it's not that important. Compliance is checking your

work to make sure it got done. It's keeping yourself honest. Why don't we like being held accountable for stuff? We really don't. But then there's what GRC is most places: pain, useless stupid busywork that doesn't lead to any changes, doesn't lead to improvements, doesn't actually hold anyone accountable, and doesn't actually work. But wait, it's even worse than this, or better than this depending on your point of view. Somehow we all got the idea that pain is considered a feature of GRC. Anyone who tries to tell you something different can't sell you anything. This is part of our fault as practitioners. When I was a consultant we kept trying to sell simplicity and doing things

right the first time and making it work, and people weren't buying. They wanted the 400-pound gorilla for their, you know, tiny startup or whatever. Okay, but GRC, it can be simple. It does not have to be this way. You know, it's gonna be fun... cleaning your room is not always fun, but at the end of it you get a clean room, and that's kind of nice. It shouldn't be a stupid waste of time. So there's three more principles that I want to talk about that are important for this; they're important for understanding what we're going to do in the rest of the talk. First of all, what's the purpose of regulations? It's correcting

externalities. Is everyone here familiar with externalities? Externalities are a concept in economics. It's the idea that sometimes someone does something and someone else pays for it. I pollute the river; you people downstream, that's your problem, I don't care. It could also be like everyone somehow deciding that our multi-factor authentication was going to go to SMS, de facto making the telecoms the registration authority for all identities. That was a real smart idea, that one. The basic role for regulation, and this isn't always true, it doesn't always happen, but it's not just there to trample the flowers and stifle all innovation; it's making it so that the big guys can't hurt the little guys whenever they want just because they can.

That's sort of what regulation is for. That's not actually that bad an idea; that's not terrible. What's the point of security controls in contracts? It's so that you have recourse when things go wrong. That's kind of cool. And finally, my favorite: what is the point of a metric? Metrics are measuring things in order to do something. If you can't measure it... I mean, if you can't do anything about it, don't measure it; it's a waste of time. If you don't want to admit you can't do anything about it, everyone who's ever bought a pen test and didn't fix the findings, if you don't want to admit that, that's a different problem. You should be working on that instead of trying to get

more information that you're not going to use. To deal with this, you may want to come to my next talk on inner peace through security nihilism. So here's a little philosophical digression, but it's important. What is a measurement? One of my favorite infosec books is Douglas Hubbard's How to Measure Anything, and How to Measure Anything in Cybersecurity Risk. He's talking to an audience that way, okay, yeah, you have to say cyber, sorry, but it's a great book. Measurement is a quantitatively expressed reduction of uncertainty based on one or more observations. Reducing uncertainty a little bit doesn't cost much, and you can reduce uncertainty a lot for that first step; if you want to reduce uncertainty more, it

starts costing a lot more. Are you going to use that? Is that worthwhile? Are you getting your return on investment for those measurements? Maybe not. If you're not, don't do them. Honestly, I think one of the biggest reasons infosec people burn out all the time, and we talk about that, is we're spending all this time gathering information that we do nothing about and we know is useless. I mean, who likes that part? Everybody likes that part, right? Yeah, no. I'm not saying you shouldn't measure important stuff; I'm saying you should only measure important stuff. If you're not going to do anything about it, then that measurement wasn't that important anyway, now was it? Don't do it. There are

organizations that are really mature and they can measure everything and they kind of do stuff about it, and it's really neat, but you only get to that place if you start off being honest with yourself about where you are now. So this has been the most important part of my talk. If you're bored, or if you, like, know what to do now or whatever, like, feel free to go; it's all downhill from here, because now we get to the exciting whirlwind tour of the US landscape. This is gonna be quick; it's just gonna be a high-level sketch. I'm not gonna go into a lot of detail, but it helps to know sort of what's out there and what it's

for. So, in the US you've got data security regulations. Most states have something; they're all a little bit different. Some of the bigger municipalities have something, that's exciting too. Depends on where you are, where you do business. Privacy is mostly other countries: PIPEDA in Canada, GDPR. If you've got business overseas, that's when you really need to know about privacy. But it's coming. To be perfectly honest, I don't think it's going to do much good here when it does; I think that ship sailed in the 1930s. Anyone know what happened in the 1930s about privacy? Yes, we got the Social Security Administration. We had a lot of rules

about what governments could do with those IDs, because we didn't want government tracking, but almost no rules about what corporations could do with them. That is from Simson Garfinkel's Database Nation, which is quite an old book, but it really helps with the history of what on earth we were on when we did all this, basically. So next we're going to talk about HIPAA and HITECH. That's for healthcare companies, health insurance companies and any of their suppliers, so if your customers are healthcare entities you probably need to know about HIPAA. That's HIPAA, not HIPPA as in hippo. One thing to know is that you don't get HIPAA certified. If someone talks about getting

HIPAA certified, or especially about you paying them lots of money for them to help you get HIPAA certified, they are wrong, they're confused, and they are quite possibly very incompetent. There is no HIPAA certification. There is: you have a breach and the OCR comes and talks to you and sees if you're compliant. That's how you know you're HIPAA compliant: you have a breach and OCR says so. Well, it sucks if you weren't compliant; OCR says so. That's... don't get audited by OCR. FERPA: regulations for student records. GLBA and FFIEC: regulations for financial institutions and insurance companies, so health insurance companies get lots of regs. Oh, and I meant to say, some people

got budget with Sarbanes-Oxley. I'm sure you all have heard of it. It's not directly an information security regulation; it's about knowing your financial controls work, and so that touches on information security but kind of isn't really, but that's where that came from. FISMA and FedRAMP: I'm sure nobody here has anything to do with either of these. FISMA is regulations for the US government and how they do security. FedRAMP: they decided that hey, maybe we should look into this cloud thing, you know, when it came out a couple years ago. So speedy. Now onto the voluntary stuff, and by voluntary I really mean "voluntary." Payment Card Industry Data Security Standard. It's not a regulation; it kind of acts like one because it's a contract,

and if you want to process or have anything to do with credit cards, you need to do it. PCI is kind of not a normal contract. Really what it is is risk transfer from the payment card industry to you, personally, and you can't get out of it; you're stuck with it if you want credit cards. It's been around about fifteen years. It is freaking amazing. I wish I knew how they did that; I don't think anyone will be able to do it again. SOC 1 and 2, Type 1 and 2: these are fun and very confusing. They're what happens when accountants decide they need to deal with security. SOC stands for System and Organization Controls.

Since it is very confusing, here's a SOC Magic Quadrant. SOC 1: the rules are all for your internal financial controls, and you can pick whatever you want for your security controls; there's nothing specific that you have to do. SOC 2: you use the Trust Services Criteria, which is the AICPA's security controls. Type 1: what you say in it, and the accountant comes and writes a report that says you said you did it. Type 2: the accountant actually sort of reviews what you did over a six-month period and whether or not you actually did it. You've probably also heard of SOC 3; that's just your customer-facing letter. So that makes an awful lot of sense. Not.

But that's how it breaks down. They're really picky about their Roman numerals; don't ask me why. Except... I shouldn't do that. HITRUST, here let me fix up... HITRUST is my favorite. HITRUST is a full-employment program for consultants. You see it mostly in the healthcare vertical, but it's not just healthcare. HITRUST is a superset of every single regulation, PCI, contract, whatever that you're subject to, based on where you are, how many hospital beds you have, how many credit card transactions you process, et cetera, et cetera, et cetera. It's the closest thing I know of to a punishment regime in this space. It's not really regulation;

it's a certification. Clients I've had who've done it have had upwards of a thousand artifacts of compliance proving they were following all of the controls they needed to follow. It's kind of like they took what people imagine GRC is supposed to be and they made it real. Catch-22 was a warning, not an instruction manual. And finally there's the contracts you have signed with your suppliers and your customers. The sky is the limit here. Check what your salespeople are doing. Sure, you can get nine nines, that'll happen. Sure, we'll indemnify you a hundred percent, that'll happen too. It's up to you what you do here. I do recommend kind of keeping

track of it; that's usually a good idea. I don't know, might bite you if you don't. Now we're going to talk about frameworks, and there's five that sort of matter that I see most often. Frameworks are just a scaffolding. They make it a lot easier to do your work. They tell you, okay, here are controls to think about, here's what to do, but they don't actually do any of it for you; they don't say you have to do this, that and the other. NIST 800-53: you all are familiar with this. It is not a reg; that's FISMA, which I'm sure most people here know but some people don't. It's very complicated, it's very comprehensive, and one of the fun

features is that it requires impact ratings, where you go through each system and say, is this a low, a medium, or a high impact system? You're almost certainly medium. So you are... you're medium. On the other hand, doing that work to show it is kind of a pain in the butt. Trust Services Criteria, that's again, that's what the AICPA did; it's what accountants do when information security doesn't step up. It's aligned with the COSO framework, internal financial controls. COSO is the Committee of Sponsoring Organizations of the Treadway Committee... okay, Treadway Commission, and like, they're accountants, okay. COBIT is another accounting framework; it's also related to COSO. It stands for Control Objectives for Information and Related

Technologies. I guess the R is silent. The main difference between COBIT and TSC is that COBIT is kind of... its scope, COBIT kind of covers everything; TSC just covers what COSO doesn't directly cover. Those are the big differences there. We've got the CIS Critical Security Controls, also known as the SANS Top 20. Who knew that they were the same thing? I actually didn't for a long time; I was so confused. Yeah, I was terribly, terribly confused for a while, but they are actually the same thing. Center for Internet Security makes the Critical Security Controls; SANS does a lot of training on them. That's what's going on with that. The prioritized list of controls is great;

the benchmarks are soul-destroying. They should be easy. It would be great if organizations could easily identify unauthorized devices on their network within an hour. How many of you work for a place that can do that reliably? Yeah. It's a constant, it's... I like them, I like referencing them, I don't want to use them, because the benchmarks make me cry. And finally we've got the ISO 27000 series. These are actually my favorite, so, like, ignore everything I say about them because I like them. But they're pretty comprehensive, they're pretty flexible. I could have talked about them before, because you can get certified in them, but certifications can be very narrowly scoped and may not mean much. But ISO is

very handy, and most people recognize that; that's another good thing. So that's the exciting background, and now we're going to talk about how to do a minimalist compliance program that actually works. You need to know what you're doing, you need to know why you're doing it, you need to be able to show your work, and that's kind of the part we hate most, is showing your work, but it does kind of need to have a bit of the cleaning-your-room part to this. And you need to make sure you're actually getting results. What you don't want to do is make these binders full of auditor bait that are just sitting on a desk being ignored.

That doesn't help anybody. So what do you need? You need written policies and procedures. We need to agree on what we're doing and what we're going to do. Policies can and should be very short and clear, but most of them aren't. Most of them are really long, they're written in legalese, and they kind of conflict with themselves, and at best they're just not very clear. That's a problem. There's more than one way to do a lot of things that you need to do, and people who know what they're doing can pick different ways. You need to write down which way your organization is going with, so people can be consistent. So I have totally stolen

this from my friends at Smooth Sailing Consulting, but it's really great. Policy: simple statement, the dog will be clean. Standard: we're gonna wash the dog every week. Well, the kids will wash the dog; you have to say who. The kids are gonna wash the dog every week in the backyard in the kiddie pool with the dog shampoo. The procedure is: first step, you got to catch the dog. The procedure needs to be enough to be able to comply with this, and, you know, you probably want to add a procedure for when the dog runs into local fauna like the skunk. So next we've got asset management. I almost put this first, because you can't really do

much without it. It's not traditionally an infosec thing. Why can't we keep track of our stuff? I mean really, just why? This is probably why the accountants got so mad at us that they made TSC and COBIT and HITRUST and SOC 1 and 2 and all the rest of this. They kind of have a point. But accountants are really good at tracking assets, so it is a good idea to ask them for help. But unfortunately, I did say you had to go first with the policy, because you do need a policy on what assets you're going to track. If you say asset inventory, what do people think of first? They think of your physical

devices. Is that enough? No. You might want stuff like, oh, what domain names you own, the TLS certificates that you need to keep refreshed, you know, the places where all your data is in the cloud, because it would be kind of bad to forget about that S3 bucket with all your data. I mean, no, that's never happened, right?

Risk management. Risk management's about what's important and what isn't. Currently the way we do it is overcomplicated, based on kind of bad assumptions, and it doesn't really work so great. It's a big topic, so I'm gonna refer you to my last BSides talk on the minimum viable risk management program. I wrote a white paper; it's about a dozen pages. I tried really hard not to put it in the passive-aggressive tense. There's also a YouTube talk, if you think you can stand listening to me talk for an hour. How many times have you filled out 20 or 100 questions about an asset in order to do a risk assessment, and has that done you any good? Mostly

this is just a waste of time. There are better ways to do it. The process I wrote about, it works. It fits with NIST 800-30, and it actually passed a HITRUST audit. Seriously, the only thing the auditors asked for was they wanted us to put the words confidentiality, integrity and availability in the policy. Okay, we'll do that, no problem. They thought the process was fine, and it was dead simple. So you don't have to use that; you can find some other way to do risk management. Just find something simple, so that you actually do the risk management instead of spending all your time on gathering information that you don't use, like I said before. Vendor management. So if your

vendor goes out of business, what are they doing with your data? Selling it in bankruptcy? Who has your data? Who do you rely on for payroll? What are your dependencies for uptime? Who's running their lousy ad code on your servers? I have no idea, you know. If your vendor fails to deliver, can you do anything about it? Would you even notice? That's what vendor management's all about. If you're sending out vendor security questionnaires, use a standard like Google's VSAQ or SIG Lite, or even just a shorter version of each if you know you're not going to do some questions. Everybody wants to put their own custom questions in, and, you know, what

happens? The salesperson answers, and you have to go to the security folks there for clarification. You have to get people in a meeting, and it's really, really hard. But you were going to have to do that anyway, because the salespeople answered. Just use a standard form, get the standard answer that they've already vetted and done, and then ask your questions from there. It does not actually save time to ask the custom stuff up front. If you are receiving vendor questionnaires, ask them if they'll take the standard form that you've already done. Doesn't... they won't always do it. If you're trying to deal with a really, really big company, you know, they might

tell you to pound sand, no, you're answering our questions. But a lot of times they'll say, oh, you have that? Okay, whatever. It can happen. We have a tendency to try to outsource everything; that's sort of the thing now, we outsource all of it. But we can't outsource the risk, you know; we still have to deal with that risk. And finally, you need some kind of office system. You need something for ticketing, you need stuff for version control, you need stuff for document management. Jira, GitHub, Office 365, done. Or use whatever you prefer, I don't care; it doesn't actually matter that much. You do not need a GRC tool unless you are so big that, you know,

you're not here at this talk, you're, you know, in a giant, giant, giant organization. You don't need the GRC tool. They're expensive, they're complicated, they're also full-employment programs for professional services. As Winston Churchill said, Excel is the worst GRC tool except for all the others that have been tried from time to time. And is this really all? Yeah, pretty much. So you're gonna need some kind of vulnerability management program. Okay, that's risk and asset management: you know, you need a policy, you need to know where your assets are and how they get amended, who can do it, and you need to know which ones are worth patching. Before you add anything other

than stuff on my list, even if all the cool kids have it, check to see: can you do anything about it? Is it worth doing, and will you get the results you want? You know, you can scan for vulnerabilities all day; if you never patch anything, what has that got you? It's got you a very annoyed security engineer, that's what it's got you. And so last we're going to talk about the aliens. These are the assessors. I've been an assessor. It's a process, and it helps to know what the process is. They're going to have a list of things they have to check. It will be more or less obvious that they are running through a list. It can be annoying, whatever. You

know, sometimes they just want to talk; sometimes they need to ask you for evidence, like, they want screenshots or ticket numbers or whatever. So it helps to assume that the assessor is as well-meaning and competent as anyone else you work with. Have you ever found that assuming someone you don't know yet that you work with is a... is helpful? It's kind of fun, but not actually helpful. Most auditors are going to understand compensating controls. Not everyone does; I've had colleagues in the field who don't, but most of them will get it. Remember, the point of regulation is so that the people with power are not squishing the people without, and it can be a very

localized kind of power. You may not think you have power, but you're still able to drop that pollutant in the river or whatever; that's a power. As long as you have a way to not do that, they're frequently going to be okay with it, even if it isn't on their, you know, list of how they expect you not to do that. One really important thing to understand for us: findings just aren't that big a deal, usually. They're just information. Management will often flip out, a lot of people will flip out, but it's just information. Okay, so this doesn't work; how do we fix it? There's one big exception. Well, two big exceptions.

One of them is if you were just completely ignoring the regulation, or lying; that will not go well for you. The other exception is PCI. If you're breached, you obviously weren't compliant. There's not much you can do about that. Target couldn't do anything about that. Do you think you can, you know, outweigh Target on this kind of thing? No. You're just kind of stuck with it. It's not a reg, it's not a normal kind of contract, it is a risk transfer, and you are accepting the risk. Have a nice life. If you assume that the assessor is hostile, there's a pretty good chance they'll get hostile back. When I do the assessments, the first five

minutes, or sometimes the first 15 minutes, were spent assuring people: no, I'm not trying to get you fired. It can actually be good; you can talk people down, but that can actually get pretty difficult sometimes, and if someone is just terrified of you or pissed off at you, it might come back. It helps not to be that upset in the first place. If you treat the assessors like they're stupid, that's not going to go well either. I'm sure everybody here enjoys being treated as if they were a... and that brings out the best in you at all times, right?

All those big HIPAA fines that you hear about, they included some degree of willful disregard. They were really ignoring stuff, you know; this wasn't the regulators were mean, they were really ignoring stuff. You know, if you straight-up ignore the reg, if you lie to the auditor, it is not going to go well for you. But most of the time a good-faith effort is really enough, and I can't emphasize that more. Good faith really does do it. Even with HITRUST, a good-faith effort is enough; they're just gonna ask you for another hundred artifacts of compliance, but the good faith was enough. Your mission, should you choose to accept it, is to make your compliance program not stupid. Burn all

those binders full of auditor bait. Make sure the stuff you're doing actually matters, make sure you know why you're doing it and that it's actually doing some good. We have far more control than we realize, and every make-work stupid task we do is time that we're not spending doing something that matters. So instead of not doing the compliance stuff, or ignoring the compliance stuff, maybe the compliance stuff matters. It's really hard to work in a dirty room. Okay, so here we go. Questions? Yeah? "Do you have any advice for selling a program like this to engineers?" The question is, do you have any advice for selling the program to engineers, because the biggest pushback is from the

technical side. That was kind of the purpose of this talk. Uh-huh. You know, point out the Dread Pirate Roberts thing. You know, we choose, in a lot of cases we choose the pain. You know, the concept of a full-employment program for compliance: on the one hand we kind of hate it, but on the other hand we like our jobs, and so we want to make sure nobody else can do them, and making things simple makes that hard. The best way that I can think of is to talk about all the stuff they can be doing that's better than running their little self-imposed pain treadmill. That's the best answer I have. I mean, it's been

something I've been working on. You know, I know a bunch of consultants who want to sell simplicity and can't. They're like, you want to pay me money to do this the hard way? Okay. I'd rather do it the easy way, you can pay a lot less. No, no, you want to give me more money? Huh. It's kind of hard to expect them to turn it down. Yeah? "Can I email you for your presentation so I can catch the part that I missed, or should I just go watch the video?" Um, I believe that the video is going to be posted. You missed all the exciting stuff at the beginning with me not having the right dongle and then not

being miked. So there is a video, and it will be posted. Now I... I restarted. All right, any other questions? So, okay. So I refer people to my other paper, and I kind of hate doing that, because I like talks to be self-contained, but doing an entire risk management program, it does take a whole hour. I don't know anyone else who can do it in under an hour, but it does take a whole hour. What I recommend is a combination of binary risk assessment, that's a binary... and everything is in the white paper. That's the ten question... ten questions, you know: is the asset on the outside? Does it have a vulnerability? Is the

vulnerability always there? Sometimes? Not? You know, you answer them yes/no and you figure out a risk rating, and then that gives you not a whole lot of information. What I like about it is it doesn't have the fake rigor that the hundred-question things do, because you do a lot of work so it feels like you're getting a lot of information, right? Yeah. Now, if that is not enough, then I recommend moving to FAIR, which is Factor Analysis of Information Risk, which is for my money the best way to assess information security risk out there. It is quantitative, but it doesn't have to be. It is super cool. It's from Jack Jones. You're shaking

your head at me. The white paper is about building that expertise through binary, and then when you need more information, and only when you need more information, doing FAIR. So it's actually doable, and it has worked. Yeah? Yes, I would have to ask about that, what we did with FAIR. Well, there's a couple clients we've used it with. One of them, I think it's more that we built the program for them and they're going to use FAIR someday; they're still working on it. Another one, we actually did FAIR analysis for them. I know that they used that analysis; I don't know if they're continuing to use it going forward. I did provide a bunch of suggested, here's how

you do some other ones. You know, there's a lot of stuff out there on FAIR. If you look at RiskLens, that's the company that does the tool for FAIR, which is not necessary but pretty cool, they have, like, client testimonials and stuff like that, and B of A apparently will talk to anybody at the drop of a hat. Yeah?

[Music] Pretty much. But here's the thing: this was, like, more honest than 90% of the answers you will get from any consultant, and it costs a lot less. One of the problems with information security, especially risk management, and I talked about this in the white paper a lot, is we spend an awful lot of money getting not very useful information. Spend a lot less money and deal with the fact that you have less information, because, you know, you have as much information as you could actually use anyway. This is why my next talk is going to be inner peace through security nihilism. I've been making this joke enough, I'm going to have to do it now, aren't I? But a lot

of things with the cloud, you can kind of tell that someone's on the ball. It's like with food safety: you don't go to a restaurant and say everything here with the food safety is on point and perfect except for the rats running around. No, if they have rats they have everything else, and you can use that information to get a much better idea of what's going on than by listening to the salespeople. A lot of the bigger cloud providers are now doing stuff like signing BAAs, providing not just SOC 3s but SOC 2 information and similar stuff like that. You know, I hate to say it, but if someone's actually

gone to the trouble of getting a SOC 2, they're probably better than someone else. And I'm not super in love with SOC 2 either, but some of this is the only game in town. I'm not sure that that's the answer you wanted, but it's the limit I have. I don't know that it's right, but yeah. "Concrete examples of what matters, what doesn't, what can be dropped?" It's very context dependent. A lot of it is: our organization consistently refuses to do this, so let's stop pretending that we're doing it. And again, if you don't want to admit that you're not doing it, then you need to deal with that

problem. Frequently the very detailed risk assessments get you a lot more information about risk, but you're not using it anyway, so why do it? That's something I really recommend dropping a lot of the time. You know, vulnerability scans: if you're doing them constantly but things aren't changing that fast, maybe you don't need to do them that often. Is that helpful?

Right, and sometimes the risk that you're dealing with is auditor risk. So, like, just know that this is why we're doing this; we're not pretending to do it because we're going to do the patching, this is why we're doing it. But I think that they're waving frantically for time, so I think we're done. If anybody has questions, come up and yell at me. All right, thank you.
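The talk's core loop (write the standard down once, keep an asset inventory that goes beyond physical boxes, record every deviation as a policy exception, then check your work) is shown below as an added example. This is editor-written code, not the speaker's or Smooth Sailing Consulting's, and it is not the white paper's risk process. The patch SLA, the expiry window, the asset names, the dates and the exception register are all constructed; the point is the reconciliation: a server that misses the standard is either out of policy, covered by a live exception with a reason and a compensating control, or sitting on an exception that has lapsed, and a server nobody has measured is reported as unknown rather than silently counted as fine.

```python
# Added example (editor's, not the speaker's code). Constructed inventory and standard.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_SLA_DAYS = 30     # standard, written down once: servers patched within 30 days (constructed)
EXPIRY_WARN_DAYS = 21   # standard: domains and certificates renewed 21 days out (constructed)


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                            # a named person or team, never just "IT"
    kind: str                             # "server", "domain", "tls_cert", "s3_bucket"
    last_patched: Optional[date] = None   # servers only; None means nobody knows
    expires: Optional[date] = None        # domains and certificates


@dataclass(frozen=True)
class PolicyException:
    asset: str
    reason: str                  # why the standard cannot be met here
    compensating_control: str    # what is done instead
    approved_by: str
    expires: date                # exceptions get re-reviewed; none are permanent


def check_inventory(assets: List[Asset], exceptions: List[PolicyException],
                    today: date) -> Dict[str, List[str]]:
    """Reconcile the inventory against the written standard and return findings by category."""
    live = {e.asset: e for e in exceptions if e.expires >= today}
    lapsed = {e.asset: e for e in exceptions if e.expires < today}
    known = {a.name for a in assets}
    report: Dict[str, List[str]] = {
        "compliant": [], "out_of_policy": [], "excepted": [], "lapsed_exception": [],
        "unknown": [], "expiring_soon": [], "no_check": [],
        # an exception for an asset nobody tracks is a bookkeeping failure in itself
        "orphan_exceptions": sorted((set(live) | set(lapsed)) - known),
    }
    for a in assets:
        if a.kind == "server":
            if a.last_patched is None:
                report["unknown"].append(a.name)        # unmeasured is not compliant
            elif (today - a.last_patched).days <= PATCH_SLA_DAYS:
                report["compliant"].append(a.name)
            elif a.name in live:
                report["excepted"].append(a.name)       # documented, reviewed deviation
            elif a.name in lapsed:
                report["lapsed_exception"].append(a.name)
            else:
                report["out_of_policy"].append(a.name)
        elif a.expires is not None:
            if (a.expires - today).days <= EXPIRY_WARN_DAYS:
                report["expiring_soon"].append(a.name)
            else:
                report["compliant"].append(a.name)
        else:
            report["no_check"].append(a.name)           # tracked, but no standard applies yet
    return report


# Constructed sample data: a small inventory and its exception register.
TODAY = date(2018, 11, 15)

ASSETS = [
    Asset("web-01", "platform-team", "server", last_patched=TODAY - timedelta(days=12)),
    Asset("db-01", "platform-team", "server", last_patched=TODAY - timedelta(days=45)),
    Asset("legacy-hl7-gw", "integrations", "server", last_patched=TODAY - timedelta(days=300)),
    Asset("old-print-srv", "facilities", "server", last_patched=TODAY - timedelta(days=120)),
    Asset("mystery-box", "unassigned", "server"),
    Asset("example.com", "marketing", "domain", expires=date(2019, 6, 1)),
    Asset("api.example.com cert", "platform-team", "tls_cert", expires=TODAY + timedelta(days=10)),
    Asset("customer-exports", "data-team", "s3_bucket"),
]

EXCEPTIONS = [
    PolicyException("legacy-hl7-gw", "vendor appliance, patched only on vendor release",
                    "isolated VLAN, no internet egress", "ciso", expires=date(2019, 3, 31)),
    PolicyException("old-print-srv", "driver breaks on the current kernel",
                    "host firewall, decommission scheduled", "it-manager", expires=date(2018, 9, 30)),
]


def run_example() -> Dict[str, List[str]]:
    """Run the check over the constructed data; the result is what an assessor would ask to see."""
    return check_inventory(ASSETS, EXCEPTIONS, TODAY)


if __name__ == "__main__":
    for finding, names in run_example().items():
        print(f"{finding:18} {', '.join(names) or '-'}")
```

On the constructed data the check puts db-01 out of policy, accepts legacy-hl7-gw under its live exception, flags old-print-srv because its exception expired, and lists mystery-box as unknown; the S3 bucket is inventoried but has no applicable check, which is the honest answer when no standard has been written for it yet. The output is the evidence the talk says assessors ask for, produced from the same records the team works from rather than from a binder assembled for the audit.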