It is becoming more and more clear to me that multiple industries are making this compliance and security matter much harder than it needs to be. With so many regulations, it can be easy to latch on to a checklist that promises a shortcut to compliance, but be wary, as most checklist systems are just that: a shortcut! And few provide a real, complete risk analysis solution.
You Cannot Check-list Your Way To Good Security
Everyone has his or her preferred security “checklist” (ISO, PCI, HITRUST, SOC 2, CSF, etc.). Why, oh why are there so many so-called “frameworks”? Everyone just argues over which one you need to use. It’s so confusing, and such a waste of time. And, you just cannot check-list your way to good security!
As a service provider to the healthcare industry we have seen dozens of home-brewed questionnaires that must be filled out, in addition to the requested 3rd party certifications (ISO, PCI, HITRUST, SOC 2, etc.). The latest is related to HITRUST (see HITRUST or High Risk? The Health Information Trust Alliance’s Common Security Framework).
Whether it be an independent organization or an in-house security team, they all imply that if you can get the boxes checked then you are “secure”. Which is nonsense; they don’t take into account that every environment is different, the sensitive information assets and threats are changing all the time, and the vulnerabilities may be unique to an organization. They don’t even ask about those! Controls, designed to prevent threats from exploiting vulnerabilities, may be in place, but may not be effective.
The only sane way to “become secure” is to start with a bona fide risk assessment (a.k.a., risk analysis, in HIPAA parlance). I know the industry trend is to profess they “manage risk”, but it’s amazing how quickly they turn right back to the “checklists” because a risk assessment takes too much “hard thinking.” If you’ve ever completed a true risk assessment, you know what I mean. The easier way is to use someone’s “certified” checklist of controls, with no assessment of the threats and vulnerabilities (risks), and then pat yourself on the back and call it risk management.
Risk Analysis Checklist Change
Some of those big checklist providers, such as the PCI DSS and SOC 2, are starting to “get it” because amongst all their “security controls” they want to see checked off, they are now asking for a bona fide or “formal” risk assessment to be completed. Most everyone references the NIST information security management process and, specifically, NIST SP 800-30 Guide for Conducting Risk Assessments. But it’s still a passive item in the list, as I don’t think most people know how to do a true Risk Analysis, and the references to all of the accepted Risk Analysis approaches are overwhelming and confusing to most IT professionals.
I’d vote we throw all control-based certifications out the window and require everyone to do a bona fide risk assessment based on NIST SP 800-30 Guide for Conducting Risk Assessments and then share the results with their customers/partners, along with their risk response plan. Of course it would have to be done by a 3rd party to be objective, but that’s fine, hire a 3rd party to do it right and have them teach you how to do it on your own in the future. But wouldn’t it be better to pass judgment on the security of a partner company by seeing their risk assessment and risk response plan, rather than how much of a checklist they were able to check-off?
How Do We Fix “Checklist” Frustration?
It’s a cultural problem, so big I don’t know if it can really be fixed–not with groups the size of ISO, AICPA and PCI. And HITRUST? Somehow they convinced the biggest health carriers in the country to use their “checklist” …probably because it’s too hard for the health carriers to get their downstream service providers to do a risk assessment, or maybe their customers don’t really know what a bona fide risk assessment is… or maybe they’re just tired and want to find the easiest way to feel they made “best efforts” to ensure their vendors are secure—I sure hope the vendors don’t think they are.
I know I’m probably preaching to the choir; too bad more people don’t hear the singing!