Updating your data security policy isn't just a smart way to mitigate risks—it's necessary for compliance. If your policy is severely out-of-date, your human, technology, and regulatory risks may have skyrocketed.

PCI Requirement 12 states that compliant organizations are required to "maintain a policy that addresses information security for employees and contractors." This requirement's recommendations for data security include:

  • Annual review of data security policies
  • Review policies whenever your environment changes
  • Security awareness training
  • Employee screening

Annually reviewing your policy may be enough to squeak by for compliance, but it won't protect your environment. In this blog, you'll learn why an outdated data security policy can increase your risks and how to identify and fix vulnerabilities.

13 Reasons Outdated Data Security Policies Put You At Risk

1. Security isn't a Routine

PCI 12.2 requires teams to "develop daily operational security procedures that are consistent with PCI DSS requirements." Based on other recommendations within PCI guidelines and best practices, the types of activities you may need to do daily can include:

  • Logging reviews
  • Updating access credentials for former employees as needed
  • Applying available patches

While these procedures certainly don't need to be performed manually, it's important to establish them as a routine by backing them with policy.

Security shouldn't become a priority only when you suspect you have suffered a breach, nor be an afterthought the rest of the time. Maintaining constant vigilance, including daily routines, can help you avoid falling out of PCI compliance.

2. Identity Management is a Chore

A lack of identity management governance can lead to unnecessary data access, which is a security risk, especially for "super-admin" users who can cover their tracks.

It is essential to grant only the minimum access necessary, and enforcing that is much simpler when your policies support the objective. In some cases, inadequate logging procedures can also mean non-compliance.

The only daily activity specifically required by PCI is log review. However, creating a policy-based administration to control your identity management is an important security activity.

3. Possibly Suffering from "Shadow IT" Risks

Gartner defines Shadow IT as "devices, software, and services outside the ownership or control of IT organizations." This technically includes your bring-your-own-device (BYOD) program, but it can also include sketchy things like employee-owned thumb drives, personal laptops used on your company network, and more.

Security cannot protect the company from unknown risks, including your employees' unauthorized endpoints. However, a better security policy that addresses acceptable use can be a powerful way to reduce shadow IT at your organization.

4. Little Responsibility for Security on Any Level

A culture where security is "an IT problem" is more than a policy issue. Executives who view information security as unnecessary can create a culture where employees and leadership are equally apathetic. Gaining executive support is crucial to hitting your security objectives.

Awareness is important for helping your employees engage in more secure behaviors. However, policy also plays a role. Security pros must often actively work with HR departments to include employee security responsibilities in job descriptions, onboarding materials, training, and performance evaluations.

5. A Lack of Constant Threat Assessment

Without constant monitoring and human-readable intelligence, you may not be aware of a breach until weeks after it has occurred. While regulatory requirements for threat assessment can vary, PCI requires vulnerability scanning each time a significant change occurs or weekly.

Today's criminals are fast. In some cases, they can gain access to your network and steal data in minutes. Shifting towards policy and technology that support constant vulnerability scanning can enable real-time intelligence.

6. Unsure of Compliance

In many enterprises, the network can undergo thousands of changes daily. Without the right technology, it can be difficult to determine which utility servers are unpatched or when critical system files are being modified, leading to compliance risks.

Complete, continuous compliance is never easy. However, your policy should support the activities and technology you need to be confident in your compliance 24/7/365.

7. No Formal Vulnerability Management Processes

If patching, risk mitigation, and assessment aren't routine, you'll be stuck in reactive, fire-fighting mode. Your security program is unlikely to improve when you're too busy fixing gaping holes.

Your organization needs a formal vulnerability management policy to support the right routines and automation. An effective policy will address:

  • How to assess and rank vulnerabilities
  • Frequency of vulnerability scanning
  • Vulnerability reporting
  • Risk remediation procedures

8. Threat Intelligence is Lacking or Not Informing Action

Some organizations lack automated threat intelligence entirely, aside from the bare minimum weekly scans that are required for PCI. At other organizations, the intelligence from existing scanning software may not be human-readable, or it can be so "loud" that it's difficult to determine which changes require action.

However, even automated threat intelligence you understand isn't always useful. If you're using an agentless file integrity monitoring tool that polls against a compromised baseline, you may not be getting the full picture. Your policy must support a comprehensive approach to threat intelligence and use trustworthy threat intelligence tools.
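To make the "compromised baseline" point concrete, here is a small added illustration (example code written for this post, not Cimcor's or CimTrak's code) of a hash-based integrity check: a baseline snapshotted from the host after a file was already altered reports nothing, while a baseline built from known-good content flags the change. The file paths and contents are constructed for the example.

```python
"""Illustration (not the product's code): a file-integrity baseline is only as
trustworthy as the moment it was captured.  A poller comparing against a
baseline recorded after an attacker changed a file reports "no change";
a baseline pinned to known-good hashes from a trusted source still flags it.
All paths, contents and hashes below are constructed for the example."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Snapshot whatever is on 'disk' right now, as a polling agent would."""
    return {path: sha256(content) for path, content in files.items()}


def poll(baseline: dict, files: dict) -> list:
    """Paths whose current hash differs from the baseline, plus any path the
    baseline knows about that has since disappeared."""
    changed = [p for p, c in files.items() if baseline.get(p) != sha256(c)]
    missing = [p for p in baseline if p not in files]
    return sorted(changed + missing)


# Constructed 'disk': a hardened sshd config and a legitimate cron job.
CLEAN = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
# The same disk after one file was weakened BEFORE the FIM tool was deployed.
TAMPERED = {**CLEAN, "/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}

# Known-good hashes obtained from a trusted source (e.g. the config repo or
# package manifest), not read back from the possibly-compromised host.
TRUSTED_BASELINE = build_baseline(CLEAN)


def late_baseline_misses_tampering() -> list:
    """Baseline captured after the change: polling sees nothing wrong."""
    return poll(build_baseline(TAMPERED), TAMPERED)


def trusted_baseline_catches_tampering() -> list:
    """Baseline anchored to known-good content: the altered file is reported."""
    return poll(TRUSTED_BASELINE, TAMPERED)
```

The practical lesson is procedural: re-baseline only after the host has been verified against a trusted reference, and treat a "clean" poll result from a self-captured baseline as evidence of stability, not of integrity.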

9. Unable to Manage Environment Changes

Many PCI requirements, including 12 and 10, require action when there is a significant change in your environment. However, how do you know when changes have occurred?

At some companies with a massive number of endpoints, thousands of changes can occur daily. This is another area of information security where the right technology is crucial. However, your data security policy also needs to include a precise, compliant definition of an environment change and the appropriate response to it.

10. No Screening of New Hires

To reduce internal threats, PCI requires the screening of new hires for criminal background and other risk factors. With 76% of breaches involving the human element, failure to understand the risks of insiders is one of the biggest mistakes companies can make.

For more insight, check out Can File Integrity Monitoring Catch Internal Threats?

11. No Screening of Vendors

Vendor error has caused countless high-profile security breaches. While these breaches rarely involve criminal activity by the vendors themselves, poor vendor security can significantly compromise your baseline. If your vendors have access to your data, they should be screened for security and compliance. If you are unsure of the quality of your vendors' security, ensure they have the appropriate safeguards in place and ask for their IT infrastructure audits. One way to do this is by creating a vendor security questionnaire to provide to any potential vendors. Your policy should support a standardized, regular approach to ensuring that your vendors aren't putting your data at risk.

12. Formal Security Awareness is Minimal

In a culture where policy is outdated and security is viewed as an IT responsibility, your employees may not have sufficient awareness of acceptable use or responsibilities. However, putting actions into policy for formal security awareness may be the first step towards better responsibility.

While individual organizations' needs and requirements vary, topics you may wish to address in your formal security awareness policy include:

  • Building a security awareness team
  • Steps to define and update employee security responsibilities
  • Development of security training content
  • Periodic review of existing training and roles
  • Metrics to measure employee security awareness

13. Insufficient Incident Response Plan

Can your organization detect and respond to a data breach within minutes? Without a reliable incident response plan, you risk prolonged exposure to security threats and increased damage to your systems.

Your organization needs both detection capabilities and recovery procedures to handle threats like malware and ransomware effectively. A comprehensive security policy should include detailed plans for:

  • Detecting security incidents quickly
  • Responding to breaches immediately
  • Restoring critical system files to their previous secure state
  • Maintaining business continuity during security events

To learn more about File Integrity Monitoring and how to restore all critical systems to their previous state, download the Definitive Guide to File Integrity Monitoring today.


Post by Lauren Yacono
February 20, 2025
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.