Data Security and Spreadsheets – A Recipe for Failure
Mention the words “compliance” or “audit” and most people within earshot will either dive under the table or find a better place to hide. These are two words that can expose what organizations are currently not doing for security, instead of highlighting what is being done, especially for PCI compliance. The annual PCI DSS audit or PCI SAQ submission sends many security professionals down a rabbit hole filled with documentation flurry, policy review, and lengthy meetings. In the meantime, vulnerabilities pile up in the corner with little to no time to be resolved.
Even with the increasing amount of compliance requirements for security and privacy, PCI DSS remains one of the most comprehensive frameworks. Large merchants, service providers, eCommerce stores, and smaller merchants that store credit card numbers are often required to undergo an annual 3rd party audit. These audits produce what is called a RoC or “Report on Compliance”. To compile the RoC, your auditor will go through an exhaustive review of evidence in order to ensure that all the compliance obligations are met: not just now, but over the duration of the reporting period (generally the previous year). If you can’t demonstrate continual compliance, you could end up with gaps reported to the payment brands and they can (and do) penalize for these oversights, even if you haven’t been breached.
With the increasing amount of compliance requirements for security and privacy, PCI compliance is one of the most comprehensive. All Level 1 merchants are required to have a 3rd party audit, which requires an auditor to check for proof that something occurred at a specific point in time. That means that you are left responsible for providing evidence from months ago.
Gone are the days that having a spreadsheet for compliance provides value to your organization, or the auditors. Having a centralized tool for PCI compliance not only allows organizations to have a live, holistic view of their system architecture, but provides live updates, the ability to manage and prioritize tasks, and work collaboratively as a team to achieve year-round compliance.
Here are 5 benefits of using a compliance management tool, rather than a spreadsheet:
Compliance tools can integrate with other tools you’re already using, such as ticketing systems, CMDB’s, scanners, endpoint management tools and threat intelligence feeds. Integrating already used solutions to a comprehensive overview, gives you an idea of what’s not being done and where biggest risks arise (or present themselves) on your network.
2) Spreadsheets don’t always provide proof
When auditors are checking for evidence of compliance, they’re often looking for timestamped signoffs or documentation that something occurred. Using a spreadsheet for things like access control management, asset tracking and other technical items that need to be tracked, could allow things to slip through the crack and be forgotten. Most of the time, spreadsheets don’t show specific approvals or sign offs or that company SLA’s were achieved. Using a centralized tool means there is an audit trail of when events occurred by specific and the ability to easily track down tickets or other documentation.
**3) Spreadsheets are not “live” **
PCI can be used as a baseline for a comprehensive security program, due to the vast amount of controls that could be in-scope, but spreadsheets don’t show live information. Using a compliance tool could provide immediate access to results of network/application scans, remediation efforts, patch deployment success/failures, assets in/out of compliance, etc. which makes it easier to prioritize tasks, assign, and track remediation efforts.
4) Higher Visibility
Compliance tools normally include dashboards and summaries of recent scans, successes/failures, vulnerabilities and ticketing information to name a few. This not only helps the security team to understand what network issues are occurring at a high level but can also help provide specific information to management. Technical leaders can leverage the dashboard visuals and make a case to management for specific budgets, approvals, or technologies by having a way to show an overview of the company landscape. Dashboards would be nearly impossible to update manually, and not comprehensive of the entire environment.
When an area goes in or out of compliance, automation can be used to create tickets, assign to application owners and easily track of the status and SLA’s of important issues. Items on spreadsheets have to be manually addressed or updated by setting up (sometimes unnecessary) meetings. Using automation can remind owners to complete the task, seek specific approval, and make the remediation process more efficient. Spreadsheets are great tool for business, but they have their time and place. The tracking of sensitive data and compliance related areas are not one of them. Compliance management tools are specifically designed to manage the process. They will make life better, easier and more secure and create an easy path to data security and compliance that can be maintained throughout the year.