Changes to the way the Australian federal government defines critical infrastructure under the Cyber Security Act (CSA) mean that financial services (FSI) and other industries are subject to greater compliance requirements than ever before.
But not only is achieving compliance difficult, remaining in compliance can feel practically impossible without an ‘always-on’ system. While most companies have a variety of tools to support their compliance needs, it’s all too common that these tools are only ever dusted off prior to — or worse, during — an audit. If an organisation’s compliance lags between audits, these gaps produce unexpected risk.
Unfortunately, at many of the organisations we talk to, the managers and directors in charge of compliance aren’t necessarily specialists on the subject — and they’re juggling compliance as an added burden on top of their regular day-to-day responsibilities.
If you’ve been told you need to meet compliance standards, but don’t understand what they are or how to choose the right ones, Codify’s Pyramid of Implementation model (and our Managed Azure service) can help.
ISO: The Top of the Pyramid
The first question you need to answer when it comes to compliance is which specific programs or rule sets are relevant to your organisation. From ISO to NIST, you’ve probably seen plenty of names thrown around. So how do you know which model (or models) apply?
Starting at the top of the pyramid is ISO. It’s well-known and, as you’ll see, it effectively flows into all of the other standards, frameworks, and rule sets you may need to comply with.
‘ISO’ stands for the International Organization for Standardization and is used colloquially to refer to all of the standards produced by the organisation. One that you may already be familiar with is ISO 27001 on Information Security Management (which Codify is currently pursuing).
ISO 27001, which we think of as ‘entry-level ISO’, with more than 100 requirements (or ‘controls’). For each of these controls, organisations need to be able to show three things:
- Documentation that defines the organizational posture for each requirement.
- Documentation regarding the technical implementation of each requirement.
- An audit history for each requirement, including how and where information is stored so that it can be interrogated in the future.
Generally speaking, ISO isn’t something you can just pick up and implement yourself. You might be able to do the documentation on your own, but you’d have to infer a lot of things around the technology. Similarly, with the audits piece, ISO is very standards-based. It doesn’t tell you how to do something; it just tells you what you need to do.
How ISO Ties to Additional Frameworks
Jumping to the bottom of the Pyramid of Implementation, you’ll see programs like the benchmarks from the Center for Internet Security (CIS). These rule sets are more practical in nature, in that they’ll tell you exactly what you need to do to become compliant with their policies, down to specific PowerShell commands and configurations. NIST is another example you may be familiar with, though there are hundreds of others out there as well.
What ties ISO and the bottom tier of rule sets together are the questions of industry and what your organisation needs to achieve through compliance.
For instance, in the financial services sector, you have APRA and policy number CPG 235 on managing data risk. You also have vendor-based compliance standards like CSP from global payments processor SWIFT, which actually goes to the point of defining a set of rules for compliance.
You may also be beholden to the Australian Corporations Act, the Privacy Act, and other laws that are enforced through the ATO and ASIC. The updated Australian Critical Infrastructure Act, which is forcing many Australian organizations to meet specific levels of cyber security, may also need to be on your compliance radar, depending on your organisation’s specific activities.
Once you understand which of these programs are relevant to your organisation, you can make a plan for achieving and sustaining compliance using the Pyramid of Implementation.
Why the Pyramid of Implementation Matters
As you explore different compliance programs, standards, frameworks, and rule sets, you’ll notice a recurring theme: nearly all of them draw from ISO. In fact, in the case of CPG 235, APRA has gone as far as effectively rewriting ISO to create its own standard.
Why rewrite ISO? Because bodies like APRA need to legislate it. They can’t legislate ISO itself, but they can rewrite it, and then legislate that. That’s why it’s so important that you understand not just the specific standards you may be held accountable to, but the relationships that exist between individual programs as well.
As an example, imagine that your organisation is working towards ISO, but then decides to pursue NIST instead. It’s easy to see the merits of both paths, but if you don’t recognise the way these programs and standards work together, you risk wasting time, money, and effort by pursuing implementation in the wrong order.
In this case, ISO is a standard, and NIST is a rule set; arguably, both have to go together. That’s why you need to start as high up on the pyramid as is relevant for your organisations. If you start low, you may still need to go higher up later on. However, by starting as high up the pyramid as is necessary, you reduce your workload and costs by avoiding duplicate effort.
For most businesses, that means starting with ISO. If, for example, you need to comply with APRA, and you’re going to be processing payments through SWIFT, everything ultimately arises from ISO anyways — so why not start there? Once you’ve achieved ISO, you can add a rule set to build compliance if needed (or you can write your own, though the time required to do so isn’t worth it for most companies).
The Issue with Standard Compliance Audits
The way many organisations handle compliance with these types of programs is to spend oodles of money once a year to have one of the ‘Big Four’ auditing firms come in and basically say, ‘We’ve reviewed your system, you’re still compliant, here’s your gold star.’
But what happens behind the scenes is that, after the firm identifies compliance issues, the IT team (or business teams, or whoever else is involved) scrambles to remediate them, and then puts compliance on the back burner until the next audit.
But systems don’t stay stable. If you think about the average on-prem architecture, companies are regularly making changes to bring different pieces together. And even if they have something like a NIST template to follow, it’s going to be very specific to their environment and deployments at a single point in time.
The result of these changes is that, even if their dashboard is green for the week they’re doing the audit, it’s going to slowly decay and degrade as normal life gets in the way, causing the organisation to fall out of compliance.
How Does Microsoft Azure Fit In?
If you’re thinking that resources like Azure Security Center or Azure Advisor mitigate the degradation of compliance, you’re partially right. Out of the box, in Azure, you can go in and turn on these systems so that you’ll receive weekly emails notifying you when elements are out of compliance.
But the challenge is that neither of these systems tell you what the next steps are when issues arise. In that way, they fall into the same trap as annual audits — giving you a sense that your compliance has been handled, without actually ensuring that it’s maintained on an ongoing basis.
That’s one of the reasons we’ve built our Managed Azure offering to include an automation platform that automatically notifies us when exceptions occur, based on policies we’ve set.
For example, if, for compliance purposes, you can’t have resources deployed that aren’t Australian, Managed Azure sends an immediate notification if someone in your organisation goes and deploys a resource outside of Australia. From there, we can engage the user to understand what happened and what steps need to be taken.
With systems like these in place, you can be confident that you’ve got the latest version of the CIS benchmark continually enforced in your environment — not just during your annual audit period.
Whether your organisation would benefit from this type of ‘always on’ compliance, or whether you’re in need of guidance around the ideal order of compliance program implementation, the team at Codify is standing by to help. Talk to our expert Microsoft Azure specialists today for more information.