Top 10 Tips to Avoid the Regulatory Auditor's Wrath

By James Lyne, Director of Technology Strategy, Sophos

As security practitioners, we know there’s no 100% in security. Sooner or later an incident will occur, and when it does, you want to make sure you have the right procedures, policies and controls to avoid regulatory or audit scrutiny.

Appropriately, it is not illegal to lose data (regulators, too, understand there is no 100%), but it is illegal to not take appropriate measures to protect it; you need to demonstrate you’re managing the risk responsibly. The seventh data protection principle states that you need to take “appropriate technical and organizational measures” to protect the data. Naturally, these measures will vary depending on the sensitivity of the data, the nature of your business, your available resources and so on, but here are some key items you should cover to avoid the Regulatory Auditor's wrath in 2011:

1. Full-disk encryption
Most data losses occur due to someone simply losing a device—in a taxi or train, or during the classic Friday night in the pub. In the event that you lose a device, you may be called upon to show that sensitive data did not reside on the device. And figuring out where sensitive data resides, and proving it, is an expensive and difficult exercise. Full-disk encryption finishes the conversation. Auditors understand full-disk encryption. If it isn’t deployed, that’s a serious warning sign to them; if it is deployed, that’s often going to be the end of the conversation.

Make sure you have reports that show when devices were encrypted and regular device check-ins to show that a device was encrypted when lost. Most enterprises have now deployed this control, and those that haven’t yet should make it a high priority.

2. Removable-device encryption
Right after full-disk encryption, you need to deal with those pesky USB keys and mass-storage devices. Lots of enterprises are caught here: They invest in a technology, but users just work around it since it doesn’t allow partners or other business users to easily share data. An inflexible policy, and technology is doomed to be less secure. Prepare yourself for the auditors with reporting that shows you’re actually using removable-device encryption in your business.

3. The right policy “system”
Part of taking appropriate technical and organizational measures is documenting how your data “should” be protected. As noted earlier, we’ve accepted there’s no guarantee against loss—but without the right documentation of your procedures, you are likely to be hung out to dry by an auditor. If you document your practices so you can show what should have happened but failed to achieve 100%, you have a fighting chance. Policy documentation is also the Auditor's first point of review, rather than detailed review of technical controls and processes in your business. I should also note that having a huge stack of paper (lots of conflicting or badly structured policies) will not get you far. Get this in order, and you’ll avoid a more painful discussion.

4. Acceptable-use policy
Educating your users is not only an important part of an effective policy system, but also a cost-effective way to prevent incidents. In particular, make sure your acceptable-use policy is up to date for the latest devices and practices in your business—do you cover new mobile devices such as iOS/Android, working from home and data sharing with third parties?

5. Modern antivirus
Modern malicious code is designed to steal data (indeed, just the kind of data that will get you in trouble), and we see 95,000 new pieces of malware every day. Make sure you’re using modern technology, not traditional and legacy antivirus. Check for simple-to-deploy runtime behavior capabilities Host Intrusion Prevention System (HIPS) and cloud-lookup technology. Buying the technology and keeping it on the shelf because it’s too difficult or expensive to deploy is not an effective defense.

6. DLP
DLP was a massive buzzword in 2010 and it describes a huge array of technologies and processes (one could argue that antivirus is DLP, as it helps avoid data loss), but this isn’t a reason to ignore it. Avoid overambitious, complex projects that require you to go and discover all your business data and manage insanely complex policies that stipulate which users can handle each piece of data in which way — this is going to take years to implement. Focus on DLP controls that simply detect personally identifiable information (PII), financial documents and key IP in appropriate volumes, and challenge the user when such data is moved to webmail clients, cloud storage or unencrypted media. Don’t put IT in the line of fire by explicitly blocking applications; instead, offer users a choice. This lets you to get something done while you execute a more comprehensive project. This will reduce your DLP implementation time from 200 work days to 2, and help you show auditors that you take your data handling seriously.

7. Strong password policy
Password brute forcing by cybercriminals or even the casual user is a very established attack vector. Weak passwords can circumvent most of your security controls and permissions, so make sure you cover this area as a high priority. Create a policy that introduces sufficient complexity, but not so much as to force users to write their passwords down on sticky notes. Visit for tips for your password policy and materials to help educate your users.

8. Incident handling process
I have seen it time and time again: Enterprises define an incident handling process, but then don’t practice it until it is too late. People run around shouting about the incident, evidence gets compromised, press or customers find out and legal reviews are handled inappropriately. All of that can happen before an incident is even understood—you may not have even lost data! Create an incident handling process and multidisciplinary team (involving not just IT, but also legal teams and PR) and make sure the process is understood and practiced before the review.

9. Mobile protection
Mobile devices are continuing to be populated with a mass of sensitive information, rather than a collection of telephone numbers and vCards. As this shift occurs, both auditors and cybercriminals are going to pay these devices more attention. This area of security is likely to move quickly and be highly populated with overhyped solutions. Stick to the basics and make sure you have a good view of the assets used in your environment and that basic compliance measures (password security, screen locking, encryption, patch status and the ability to purge data when lost) are in place. Get these basics under control as a top priority and monitor the situation closely.

10. Controls that work with the roaming user
Many security controls are deployed at the network layer and work ineffectively when end users are roaming out of the office. Make sure that controls, such as web security, work when users connect in coffee shops then route directly to services. To avoid embarrassing losses, engineer your patching, filtering and reporting processes to work whether your users are in or out of the office.

It’s hard to choose a top 10, but these items are certainly areas you want to consider to avoid the attention of the regulatory auditor's wrath in 2011.