Ensuring Regulatory Compliance Through Vulnerability Management Programs
The rapid increase in fraud and business interruption caused by cyber attacks is behind the growing focus on security—particularly personal data protection—by regulators. The introduction of the GDPR in Europe in 2018, and local and national developments in the United States, have been an eye-opener for organizations that previously considered data protection important but a relatively low priority.
The impact on organizations from non-compliance can be significant. Regulators have the power to levy penalties—the UK’s Information Commissioner’s Office fined Marriott £99m and British Airways £183m in 2019, and Fresenius Medical Care attracted a fine of $3.5m for breach of HIPAA regulations in 2018—and reputational damage can last years.
In this article, we consider some of the most important regulations and the role of a threat and vulnerability management (TVM) program in ensuring compliance and helping to avoid those eye-watering fines.
What the Regulations Ask For
Security requirements in GDPR, HIPAA, and PCI DSS focus on personal data protection.
The GDPR integrity and confidentiality principle—also known as the security principle—requires “appropriate technical and organizational measures to ensure a level of security appropriate to the risk [and] a process for regularly testing, assessing and evaluating their effectiveness.”
Like GDPR, the HIPAA security rule has high-level rather than specific requirements—one covering risk analysis (“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI.”), the other covering risk management (“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”).
PCI DSS is more specific and for that reason worth quoting in full:
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
Beyond data protection, most industry sectors have their own security regulations, with financial services given particular scrutiny.
The EU Financial Supervisory Authority, CSSF, requires banks and investment firms to implement a process for the early identification of new vulnerabilities, a patch management process to fix them, and the internal audit function to review the effectiveness of both; the NYDFS Cybersecurity Regulation requires bi-annual vulnerability assessments; and SOX was recently updated to address cyber risk and requires executive officers to certify—among other things—the effectiveness of vulnerability detection and remediation.
How a TVM Program Helps Ensure Regulatory Compliance
As can be seen, requirements are outlined rather than defined in detail: Regulators describe the outcome they want and the rationale for wanting it (the what and why), leaving the how to individual organizations and putting the onus on them to work out a compliance approach that’s appropriate for their operating characteristics.
Given the importance that all regulations place on threat and vulnerability management, a TVM program has a critical role to play in compliance efforts. Program scope will vary by organization (The PCI Security council recommends three basic steps.), but elements common to all are: maintaining an asset inventory, conducting regular threat assessments, and remediating problems quickly.
Regulations don’t mandate an asset inventory but they are a key element of a TVM program: It’s unlikely an organization will satisfy the regulator that all assets are secured if they can’t provide an up-to-date list of what they are, and they certainly won’t be able to manage the risks to the organization.
Each asset the organization is dependent on to function should be categorized according to criteria such as their importance to the organization or the likely impact if security is breached. This categorization will help inform decisions on how risks are to be managed and where to apply resources—a good threat and vulnerability management platform will use categorization to automatically prioritize and assign remediation tasks.
Recording data assets should be a standard process, but—to ensure regulatory compliance—all personal data needs to be recorded in detail, and in such a way that it can be easily extracted for an auditor. Expect to record information such as the nature of the data (e.g., customer account records), the purpose of use, personal information (name, address, IP address, etc.), data owner, volume, access permissions, storage location, and lifespan.
Similarly, personal data processing assets—hardware, software, and network—need to be recorded in the inventory. Again, this needs to be considered from a data protection perspective: What devices are being used to process what data; what software is used on those devices and what dependencies does it have on other software or hardware components; who is accessing data and from where, data encryption details, and so on.
Given the frequency of changes to personal data assets, automated discovery tools are the only way to ensure inventory is complete and current, especially for large organizations. Once complete, the inventory baseline should be recorded, and any additions should be made using change control.
Since regulators recommend keeping only personal data needed for meeting current processing requirements (i.e., don’t keep historical information unless there’s a good reason), a by-product of a comprehensive inventory is that data which is no longer required can be identified for secure removal.
To ensure severe threats are addressed early and resources used effectively, vulnerabilities need to be prioritized for patching. Tools like CVSS are useful, but risk scores don’t take into account the characteristics of individual organizations—the same vulnerability could impact different environments in different ways—so risk assessment should be tailored.
The assessment should identify all vulnerabilities, with a focus on those affecting critical assets, since they will be the priority for remediation activity. PCI DSS identifies critical assets as being those that store, process, or transmit cardholder data, and vulnerabilities that pose an imminent threat to those assets would be an obvious priority, for example.
Threat intelligence sources, such as public threat databases or vendor advisories, are a valuable input to the risk assessment process, although some care needs to be taken since they tend to focus on possible exploitability rather than active exploitation. They can also quickly become out of date. Again, automation speeds everything up.
Effective vulnerability remediation resolves threats before they cause any harm. The UK ICO has warned that failing to patch vulnerabilities, such as Meltdown and Spectre, could result in heavy fines, while the Office of Civil Rights also reminded healthcare organizations of the importance of patch management for HIPAA compliance.
Patch management is challenging for larger organizations, where rigorous multi-system testing is required yet test platforms are often oversubscribed; or for 24×7 organizations, such as banks or online retailers, where scheduling system downtime is always a problem. The PCI-DSS 30-day patch rule (see above) adds to their woes. Anecdotally, PCI will compromise, provided high-priority vulnerabilities are remediated within 30 days and there’s a clear plan of action for the rest while mitigating their risk in the interim.
Patches aren’t always the best answer. A workaround or configuration change might be enough or at least provide temporary relief until full patching is possible.
After remediation, a rescan is needed. The asset inventory should also be updated and re-baselined to reflect the changes and a root cause analysis performed as well as lessons learned factored back into the TVM program.
Continuous Vulnerability Monitoring
While remediation fixes current problems, threats and vulnerabilities have a continuous lifecycle and must be managed accordingly. Better lifecycle management helps organizations meet compliance and audit requirements by keeping track of how vulnerabilities are remediated throughout the entire process from detection to remediation, and by demonstrating how the process is being performed and applied against compliance requirements.
Frequent scanning should be used to identify new vulnerabilities. PCI DSS requires quarterly scans, but for most organizations that won’t be enough and, in any case, automated scanning tools make it easy to schedule and run scans regularly. Scanning should be as continuous as possible in order to detect vulnerabilities and breaches as fast as possible and give time for the organization to react. As an additional integrity check, it’s good practice for the scan process to be managed by someone independent of the security team.
To ensure threats and vulnerabilities are addressed according to their priority, service level agreements (SLAs) can be defined according to conditions, such as the severity of vulnerabilities, or specific assets (a vulnerability found on an asset with a PCI tag needs to be fixed within five days, for example). Further, the responsiveness of individuals and teams can also be managed using granular SLAs. For example, if a vulnerability is assigned to the Operations Team, which is given four days to remediate, failing to meet the SLA could mean the technical implementation takes longer than expected or there is some other underlying issue—information which can be used for process or team improvement.
Reporting—covering the asset register, changes made and change control process used, scan dates and results, patches applied, when and why, and details of rescans to validate effective application—helps make sure lifecycle management is operating optimally and will highlight any problems or inefficiencies throughout.
Regulations don’t stand still. The EU will review the effectiveness of GDPR in early 2020 and change its scope if necessary. OCR, the HIPAA regulator, is stepping up its enforcement activities; and in the United States, there are regional and national changes in the law in the pipeline. This increased regulatory focus will heighten the importance of TVM.
An IT team that’s overwhelmed by vulnerabilities and unable to pinpoint priorities for immediate remediation risks data breaches and, hence, non-compliance—something that can be avoided with a comprehensive TVM program.