It continues to amaze me how many companies still use the 25-plus-year-old process of manual, error-prone assessments. These companies rely on someone with a few pages of questions addressing a handful of security controls or policies, walking around to the different departments to hold meetings and figure out how they stack up against NIST, HIPAA, PCI, FFIEC, ISO or other compliance frameworks. In my 18+ years of experience, this is the area of compliance assessment with the greatest opportunity for improvement in time, accuracy and especially cost.
First and foremost, this handful of security controls or policies barely scratches the surface of complete Information Security (InfoSec) compliance. Secondly, working with the different departments in person creates a huge time and logistics challenge, which causes many assessments to last several months. If companies were to insist on complete and thorough assessments of all security controls and policies, they would be looking at years to complete an assessment. When the assessment is finally concluded with this manual process, the report is highly subject to the interpretation and understanding of the assessment team, compared with what the various departments conveyed in their own unique and highly technical language.
This language barrier continues through the remediation process: the InfoSec team tries to convey the project implementation to the IT team in a language different from its own, and the IT team tries to convey the verification of the project in a language that is technically foreign to the InfoSec team. The main reason these manual approaches continue is financial. The longer the assessments take, the more consulting time and money the consulting companies make. In this scenario, automation is a deterrent to financial progress.
In order to measure compliance accurately, thousands of questions must be asked about hundreds of policies. With the automation and convenience of a cloud-based platform, this can be done in days to weeks instead of months to years. The reports can then be created automatically, with the specific detail of policy description, questions, answers and remediation recommendations for each policy across the entire InfoSec compliance framework.
Stay tuned for more experiences and lessons that will help you keep your risk low and security high.