When it comes to application security monitoring, there are three major mistakes that companies make: not knowing what they’re on the hook for, an inability to catch mistakes, and insufficient or nonexistent follow-through. There are a number of things that go into each of these mistakes, so let’s break it down.
Compliance tends to come from legal departments. Infosec plays a part in compliance and can be a bridge, and privacy departments, which are typically led by lawyers, are involved as well. What happens is these three departments come together, determine which compliance guidelines the company should be incorporating, and write an OISP. If your company needs to be HIPAA, PCI or GDPR compliant, your OISP will include language for that. The problem isn’t knowing where the business needs to be compliant; it’s ensuring that the information is disseminated throughout the company.
The first mistake companies make is that, outside of a small group, they are not aware of what they’re actually on the hook for. That information is not disseminated through the company, at least not in a digestible way. For example, if a company needs to be HIPAA or GDPR compliant, the executives in the company might know that they’re on the hook for 4% of their annual gross revenue as a fine. However, the developers on the front lines of the business have no clue that not having a way to thoroughly delete all of a user’s info on demand is risking millions or billions of dollars. So step one is ensuring that people outside of the executive pool and the directly compliance-related departments understand what’s on the line if compliance lapses, so that they actually help maintain it.
The second mistake is failing to understand that you have to catch ignorance because you can never totally prevent it. Lack of knowledge about compliance is a problem, so even if you’re educating your employees, you still have to catch their mistakes. Businesses are compliant on the day they’re audited, and they’re compliant on the day they start, but if there’s no monitoring in between those dates, then they aren’t catching the accidental and well-intentioned mistakes of their employees. Not catching these mistakes can result in hefty fines on the business.
The third mistake happens when companies actually do educate their employees and disseminate information, but there’s no active follow-through. Yearly auditing is not enough. People can prepare for an audit and be compliant on that specific day, but monitoring needs to happen more frequently to ensure that compliance is happening day in and day out. And monitoring needs to be active. If an employee does something wrong and doesn’t realize it for six months, or worse, tries to fix it on their own and causes further problems, the business is still on the hook for everything that has happened, and in some cases fines have accrued for as long as the issue has gone uncorrected. So monitoring can’t be passive until it’s audit season.
These mistakes are costly to companies, and if a company isn’t properly prepared to handle the fines thrown at them, it could very well put them out of business. So, ensure that information is disseminated throughout the business, actively monitor employees to ensure compliance is maintained, and systematically follow up to make sure you’re still compliant between audits. Taking these steps goes a long way toward keeping your business compliant.