Well-structured security policies are a necessity for business organizations regardless of size. Without effective policies, there is no governance and no effective security program. In order to be effective, policies need to be supported by effective controls which can be either physical, procedural, or technical.
Participating in a recent due diligence audit with a prospective customer and partner, one item raised from the checklist questioned the use of USB drives and removable media. The outcome serves as an excellent example of how compliance does not equate to security. While the organization had a well worded policy addressing the use of removable USB storage, there existed absolutely no compensating control to enforce the policy. This item, which should have required further review and corrective action resulted in a check-box exercise.
The solution was to have the team order an “approved” USB stick from the corporate IT department for use when needed. By documenting this step and action, the box was checked and all were satisfied. However, the action accomplished nothing other than the check-box exercise. No further follow-up was conducted and working to lock down USB ports or deploy any type of DLP (Data Leakage Prevention) was never considered.
For policies to be effective, controls need to be effective and tested. Compliance, and in this case the organization complied with ISO 27001, is not the same as security. The organization had a policy; check. The organization generated activity to show that the policy could be followed; check. The organization effectively secured removable USB storage and data loss; fail.
The lesson here is that passing an audit, be it PCI, ISO 27001, HITRUST, or any other framework can often create a false sense of security believing “we’ve got that covered.” Think outside the audit box and ask the following questions:
- Does the policy articulate what we are trying to achieve?
- IS the policy reinforced with appropriate controls?
- Are the controls effective at enforcing the policy? (Have the controls been tested?)
Think you “have it covered?” How do you know?