Updating your data security policy isn't just a smart way to mitigate risk; it's also necessary for compliance. If your policy is severely out of date, your human, technology, and regulatory risks may have skyrocketed.
PCI Requirement 12 states that compliant organizations are required to "maintain a policy that addresses information security for employees and contractors." This requirement's recommendations for data security include:
- Annual review of data security policies
- Review policies whenever your "environment changes"
- Daily security activities
- Employee screening
Reviewing your policy once per year may be enough to squeak by for compliance, but it won't really protect your environment. In this blog, you'll learn why an outdated data security policy can increase your risks and how to identify and fix vulnerabilities.
13 Reasons Outdated Data Security Policies Put You At Risk
1. Security isn't a Routine
PCI 12.2 requires teams to "develop daily operational security procedures that are consistent with PCI DSS requirements." Based on other recommendations within PCI guidelines and best practices, the types of activities you may need to do daily can include:
- Log reviews,
- Updating access credentials for former employees as needed, and
- Applying available patches.
While these procedures certainly don't need to be performed manually, it's important to establish them as a routine by supporting them with policy.
Security shouldn't become a priority only as an afterthought, once you suspect you have suffered a breach. Developing a state of constant vigilance, including daily routines, can help you avoid falling out of PCI compliance.
2. Identity Management is a Chore
A lack of identity management governance can lead to unnecessary data access internally. Unnecessary access can be a security risk, especially when it comes to "super-admin" users who have the ability to cover their trails.
Consistently providing the minimum amount of access necessary is important and can be much simpler if your policies support this goal. In some cases, poor logging procedures can also mean non-compliance.
The only daily activity specifically required by PCI is log review. However, creating policy-based administration to control your identity management is an important security activity.
3. You May Be Suffering from "Shadow IT" Risks
Shadow IT is defined by Gartner as "devices, software, and services outside the ownership or control of IT organizations." This technically includes your bring-your-own-device (BYOD) program, but it can also include really sketchy things like employee-owned thumb drives, personal laptops used on your company network, and more.
Security cannot protect the company from unknown risks, which include your employees' unauthorized endpoints. A better security policy that addresses acceptable use can be a powerful way to reduce shadow IT at your organization.
4. Little Responsibility for Security on Any Level
A culture where security is seen as an IT problem is more than just a policy issue. Executives who view information security as unnecessary can create a culture where employees and leadership are equally apathetic. In order to hit your security objectives, gaining executive support is crucial.
Awareness is an important tool for helping your employees engage in more secure behaviors. However, policy also plays a role. In many cases, security pros will actively need to work with HR departments to include employee security responsibilities in job descriptions, onboarding materials, training, and performance evaluations.
5. A Lack of Constant Threat Assessment
Without constant monitoring and human-readable intelligence, you may not be aware of a breach until weeks after it has occurred. While regulatory requirements for threat assessment can vary, PCI requires vulnerability scanning each time a significant change occurs or on a weekly basis.
Today's criminals are fast. In some cases, they can gain access to your network and steal data in a matter of minutes. Shifting towards policy and technology that support constant vulnerability scanning can enable real-time intelligence.
6. Unsure of Compliance
In many enterprises, there can be thousands of changes to the network on a daily basis. Without the right technology, it can be difficult to determine which utility servers are un-patched or when critical system files are being modified. This leads to compliance risks.
Full, continuous compliance is never easy. However, your policy should support the activities and technology you need to be confident in your compliance 24/7/365.
7. No Formal Vulnerability Management Processes
If patching, risk mitigation, and assessment aren't routine, you'll be stuck in a reactive, fire-fighting mode. When you're too busy fixing gaping holes to improve your strategy, your security program is unlikely to get any better.
Your organization needs a formal vulnerability management policy to support the right routines and automation. An effective policy will address:
- How to assess and rank vulnerabilities,
- Frequency of vulnerability scanning,
- Vulnerability reporting, and
- Risk remediation procedures.
8. Threat Intelligence is Lacking or Not Informing Action
Some organizations lack automated threat intelligence entirely aside from the bare-minimum weekly scans that are required for PCI. At other organizations, the intelligence from existing scanning software may not be human-readable or it can be so "loud," it's difficult to determine which changes require action.
However, even automated threat intelligence you understand isn't always useful. If you're using an agentless file integrity monitoring tool that is polling against a compromised baseline, you may not be getting the full picture. Your policy must support a comprehensive approach to threat intelligence and the use of threat intelligence tools you can trust.
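As an added illustration (not code from the article or from any product it mentions), this Python sketch shows why a file integrity baseline captured after a compromise never alerts on that compromise, and the cross-check against a known-good manifest that a policy should require; the file paths and contents are constructed samples.

```python
import hashlib
from typing import Dict, List

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample "filesystem" (path -> contents); not real system files.
KNOWN_GOOD: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/sbin/sshd": b"\x7fELF original-sshd-bytes",
}
# The same host after sshd has been replaced: the state a late baseline
# would silently accept as "normal".
TAMPERED: Dict[str, bytes] = {**KNOWN_GOOD, "/usr/sbin/sshd": b"\x7fELF backdoored-sshd-bytes"}

def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot the hash of every monitored file; each poll compares against this."""
    return {path: sha256(content) for path, content in files.items()}

def poll(baseline: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """One agentless polling cycle: paths whose hash differs from the baseline,
    plus monitored paths that vanished and new paths that appeared."""
    changed = [p for p, h in baseline.items() if p in files and sha256(files[p]) != h]
    missing = [p for p in baseline if p not in files]
    added = [p for p in files if p not in baseline]
    return sorted(changed + missing + added)

def untrusted_entries(baseline: Dict[str, str], reference: Dict[str, str]) -> List[str]:
    """Cross-check a freshly captured baseline against a reference manifest from a
    known-good source (golden image or vendor-published hashes) before trusting it."""
    return sorted(p for p, h in reference.items() if baseline.get(p) != h)

if __name__ == "__main__":
    good_baseline = build_baseline(KNOWN_GOOD)
    print("trusted baseline sees:", poll(good_baseline, TAMPERED))   # ['/usr/sbin/sshd']
    late_baseline = build_baseline(TAMPERED)
    print("late baseline sees:", poll(late_baseline, TAMPERED))      # [] : the blind spot
    print("manifest check flags:", untrusted_entries(late_baseline, good_baseline))
```

The second poll is the failure mode the paragraph describes: polling is working correctly, yet it reports nothing because the baseline itself already contains the attacker's file.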
9. Unable to Manage Environment Changes
Many PCI requirements, including 12 and 10, require action when there is a significant change in your environment. However, how do you know when changes have occurred?
At some companies with a massive number of endpoints, thousands of changes can occur on a daily basis. This is another area of information security where the right technology is crucial. However, your data security policy also needs to include a precise, compliant definition of environmental change and the appropriate response.
10. No Screening of New Hires
PCI requires the screening of new hires for criminal background and other risk factors to reduce internal threats. In a recent survey of subject matter experts, Digital Guardian cited a failure to understand the risks of insiders as one of the biggest mistakes companies can make.
For more insight, check out Can File Integrity Monitoring Catch Internal Threats?
11. No Screening of Vendors
Vendor error has caused countless high-profile security breaches. While these high-profile breaches rarely involve criminal activity by vendors, poor vendor security can significantly compromise your baseline. If your vendors have access to your data, they should be screened for security and compliance. If you are unsure of the quality of your vendors' security, ensure they have the appropriate safeguards in place and ask for their IT infrastructure audits. One way to do this is by creating a vendor security questionnaire to provide to any potential vendors. Your policy should support a standardized, regular approach to ensuring that your vendors aren't putting your data at risk.
12. Formal Security Awareness is Minimal
In a culture where policy is outdated, and security is viewed as an IT responsibility, your employees may not have sufficient awareness of acceptable use or responsibilities. However, putting actions into policy for formal security awareness may be the first step towards better responsibility.
While individual organizations' needs and requirements can vary, topics you may wish to address in your formal security awareness policy can include:
- Building a security awareness team.
- Steps to define and update employee security responsibilities.
- Development of security training content.
- Periodic review of existing training and roles.
- Metrics to measure employee security awareness.
13. Insufficient Incident Response Plan
If your organization suffers a data breach, will you know within minutes that there are signs your data integrity is compromised? Do you have the ability to act immediately?
Your organization needs the ability to detect issues and restore all critical system files to a previous state if you are faced with malware, ransomware, or any other threats. Any security policy should detail plans and tools for business continuity during a security incident.
To learn more about File Integrity Monitoring, and how to restore all critical systems to a previous state, download the Definitive Guide to File Integrity Monitoring today.
April 4, 2023