Gearing Towards Your Next Audit – Understanding the Difference Between Best Practice Frameworks and Regulatory Compliance Standards

Security configuration management (SCM) can help organizations do much more than just harden their attack surfaces against intrusions. This fundamental control also has the ability to make your audits flow more smoothly. Indeed, it allows organizations to pull reports from any point in time and demonstrate how their configuration changes and alignments help to support their compliance efforts.

SCM doesn’t help organizations with just one type of audit, either. As an example, it can support them in an in-house audit where staff members evaluate the organization’s configuration against a set of internal controls and best practice frameworks. It can also give them all they need to meet an externally conducted audit involving regulatory compliance standards.

To understand how, it’s important that organizations understand the difference between a best practice framework of security controls and a set of regulatory compliance standards.

Best Practice Frameworks

Organizations can use best practice frameworks to create, enhance and maintain an effective digital security program. These frameworks all recommend that organizations implement SCM. But they do not enforce this implementation via a formal audit, per se.

There are three best practice frameworks in particular that stand out for wide recognition within the security industry: the Center for Internet Security’s Top 20 Critical Security Controls (“the CIS Controls”), the National Institute of Standards and Technology’s various publications (“NIST”) and the MITRE ATT&CK Cybersecurity Framework (“MITRE ATT&CK”).

The CIS Controls

Considered the gold standard for organizations that are looking to secure their systems, the CIS Controls consist of a prioritized list of 20 security fundamentals. SCM appears in the top 5 CIS Controls, known as the “Basic CIS Controls,” as Control 5: “Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers.” It comes after Control 1: “Inventory and Control of Hardware Assets,” Control 2: “Inventory and Control of Software Assets,” Control 3: “Continuous Vulnerability Management” and Control 4: “Controlled Use of Administrative Privileges.”

NIST

NIST has published several frameworks that align with the Federal Information Security Modernization Act (FISMA) for the purpose of helping organizations protect U.S. federal information systems. Many of those publications contain guidance on the importance of maintaining secure configurations. For instance, NIST Special Publication (SP) 800-53, entitled “Security and Privacy Controls for Federal Information Systems and Organizations,” recommends that organizations adopt automated tools for managing their assets’ configurations. Similarly, NIST SP 800-128 provides additional guidance on how organizations can manage their information systems’ configurations with security in mind. NIST’s publications don’t apply only to federal information systems, either. Private-sector organizations can also use its recommendations to optimize their SCM efforts.

MITRE ATT&CK

A discussion of security best practice frameworks wouldn’t be complete without a word about the MITRE ATT&CK Framework. This framework catalogs the tactics and techniques that adversaries use to establish a foothold in an organization’s network and to capitalize on that unauthorized access. In doing so, the ATT&CK Framework differs from the CIS Controls in that it takes the perspective of the attacker rather than that of the defending organization. This viewpoint helps organizations learn which threat behaviors they should work to deter using tested security controls. For instance, by implementing SCM, they can help to prevent malicious actors from conducting privilege escalation, credential access and lateral movement.

Regulatory Compliance Standards

Regulatory compliance standards aren’t the same as best practice frameworks. The former require that organizations abide by certain principles because of the industry in which they operate and/or the business requirements that they must fulfill. SCM features as an element in many of those standards, which carry hefty fines for non-compliance.

PCI DSS

The purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to reduce the occurrence of digital fraud and data breaches involving users’ payment card details. It does this by specifying the ways in which organizations store cardholders’ data. The Standard also helps limit card issuers’ and banks’ liability in the event that they suffer a breach. In particular, PCI DSS calls on in-scope organizations to use File Integrity Monitoring (FIM) capabilities along with SCM solutions to protect against common attack vectors and to watch for configuration drift among their digital assets.

HIPAA

Created in 1996 and managed by the U.S. Department of Health and Human Services (HHS), the Health Insurance Portability and Accountability Act (HIPAA) requires that organizations ensure the confidentiality, integrity and availability of protected health information. Organizations subject to HIPAA can use SCM tools to monitor their systems for unauthorized changes. They can also use those solutions to gain a snapshot of their HIPAA compliance at any given time and to generate a report when it comes time for an audit.

NERC

The North American Electric Reliability Corporation (NERC) created a series of regulatory standards designed to help organizations reduce the risks associated with power grid infrastructure. In particular, organizations that are responsible for Bulk Electric Systems (BES) must comply with NERC’s Critical Infrastructure Protection (CIP) standards if they wish to avoid hefty fines for non-compliance. Among those standards is CIP-010, “Configuration Change Management and Vulnerability Assessments,” which requires organizations to protect their BES digital systems against unauthorized changes using controls such as SCM.

SOX

Last but not least, all publicly held organizations must comply with the Sarbanes-Oxley Act (SOX) by incorporating internal controls into their financial reporting processes for the purpose of reducing corporate fraud. SOX guidance recommends that organizations follow the Control Objectives for Information and Related Technologies (COBIT) framework to comply with this standard. This framework includes process DS9, “Manage the Configuration,” which applies to organizations managing the configurations of their hardware and software via solutions such as security configuration management.

Just the Beginning

SCM can help organizations maintain compliance with best practice frameworks and regulatory compliance standards such as those discussed above. The benefits of SCM aren’t limited to organizations’ compliance efforts, however. This control can also aid organizations in their security efforts.

To learn more about the benefits of SCM, download Tripwire’s latest eBook “Mastering Configuration Management Across the Modern Enterprise: An Explorer’s Guide to SCM.”

FURTHER READING ON SCM:
  1. SCM: Understanding Its Place in Your Organization’s Digital Security Strategy
  2. 4 Areas of Your IT Infrastructure that SCM Can Help to Secure
  3. SCM in Practice: How to Strengthen Your Organization’s Security Processes