Monitoring compliance with internal security policies

Internal checks

In addition to external audits, organisations should plan regular internal security policy compliance checks.

Examples include reviewing the register of people who are allowed to open a secure cabinet, or checking that former staff no longer have access to the network. Non-compliances should be reported, their business impact assessed, and corrective action taken.

Local security managers and department heads are responsible for enforcing compliance, but they may need to share that responsibility with technical experts such as the IT department. The IT department should also independently report on policy matters, such as the number of failed login attempts per user and the number of locked user accounts. These are useful metrics for judging how well the organisation is performing against the security policy. Where policy is not being followed, the SWG (Security Working Group) will need to enforce sanctions where necessary.
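The two internal checks just described, the leaver review and the IT-reported login metrics, are the kind of thing that should be scripted rather than done by hand once a quarter. The following is an added example, not code from the course or its authors: it reconciles a constructed HR leavers list against a constructed directory export (do ex-staff still have enabled accounts?) and derives failed-logins-per-user and locked-account counts from constructed auth log lines. The log format, field names, usernames and dates are all assumptions made for the illustration.

```python
"""Added example, not part of the original course text: a small internal
compliance check. It reconciles a constructed HR leavers list against a
constructed directory export and derives the two IT-reported metrics
(failed logins per user, locked accounts) from constructed auth log lines.
The log format, field names and sample data are assumptions."""
import re
from collections import Counter
from datetime import date

# Date the check is run (assumed).
AS_OF = date(2024, 6, 1)

# Constructed HR leavers register: username and last working day.
LEAVERS = [
    {"user": "jsmith", "left": date(2024, 3, 31)},
    {"user": "apatel", "left": date(2024, 5, 15)},
]

# Constructed directory export: which accounts are still enabled.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True},    # leaver, still enabled: finding
    {"user": "apatel", "enabled": False},   # leaver, correctly disabled
    {"user": "mlee", "enabled": True},
    {"user": "svc-backup", "enabled": True},
]

# Constructed authentication log; the syslog-like format is an assumption.
AUTH_LOG = """\
2024-06-01T08:01:12Z auth: user=mlee result=FAIL reason=bad_password
2024-06-01T08:01:20Z auth: user=mlee result=FAIL reason=bad_password
2024-06-01T08:01:31Z auth: user=mlee result=SUCCESS
2024-06-01T09:14:02Z auth: user=jsmith result=FAIL reason=bad_password
2024-06-01T09:14:10Z auth: user=jsmith result=FAIL reason=bad_password
2024-06-01T09:14:18Z auth: user=jsmith result=FAIL reason=bad_password
2024-06-01T09:14:19Z auth: user=jsmith result=LOCKED reason=too_many_failures
2024-06-01T10:00:00Z auth: user=svc-backup result=SUCCESS
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) result=(?P<result>[A-Z]+)"
    r"(?: reason=(?P<reason>\S+))?$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; unparseable lines are counted, not silently dropped."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return events, unparsed


def leavers_with_enabled_accounts(leavers, accounts, as_of=AS_OF):
    """Leavers whose last day has passed but whose account is still enabled."""
    enabled = {a["user"] for a in accounts if a["enabled"]}
    return sorted(l["user"] for l in leavers if l["left"] < as_of and l["user"] in enabled)


def failed_logins_per_user(events):
    """Metric: number of failed login attempts per user."""
    return Counter(e["user"] for e in events if e["result"] == "FAIL")


def locked_accounts(events):
    """Metric: accounts the auth system locked within this log window."""
    return sorted({e["user"] for e in events if e["result"] == "LOCKED"})


def compliance_report(as_of=AS_OF):
    """Combine the leaver review and the IT metrics into findings for the SWG."""
    events, unparsed = parse_auth_log(AUTH_LOG)
    stale = leavers_with_enabled_accounts(LEAVERS, ACCOUNTS, as_of)
    attempts_by_leaver = Counter(e["user"] for e in events if e["user"] in stale)
    findings = [f"leaver '{u}' still has an enabled account" for u in stale]
    # A leaver who is still generating auth events is a stronger signal than
    # an enabled-but-idle account, so it is reported separately.
    findings += [
        f"leaver '{u}' generated {n} authentication events after leaving"
        for u, n in sorted(attempts_by_leaver.items())
    ]
    return {
        "stale_accounts": stale,
        "failed_logins": dict(failed_logins_per_user(events)),
        "locked_accounts": locked_accounts(events),
        "unparsed_lines": unparsed,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in compliance_report().items():
        print(f"{key}: {value}")
```

The report deliberately counts lines it could not parse: a check that quietly skips malformed log lines can report "no findings" simply because the log format changed, which is exactly the kind of false assurance the next paragraph warns against.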

Having seen how important it is for an organisation to examine its procedures regularly, it's also important to recognise the importance of certifying compliance to external obligations. 

[Figure: circle diagram of the Deming cycle, a continuous quality improvement model made up of four stages in sequence: Plan, Do, Check, Act.]

Figure 1: The Deming cycle

External compliance regimes 

There are several external compliance regimes an organisation may need to follow. Their sources include government legislation, the export controls of the countries it trades with, shareholders, customers, industry regulators and external auditing agencies.

Many organisations must adhere to external compliance requirements. These include laws such as the Data Protection Act in the UK, which affects any organisation that processes personal information. Organisations have to know the full range of compliance requirements they must meet, and working that out usually starts with understanding who they are accountable to.

Private companies are accountable to the governments of countries in which they operate. They are also accountable to their shareholders, customers, and any regulatory bodies in their industry. 

An organisation will need to satisfy all the requirements placed on it by these external stakeholders and should appoint someone to manage external compliance, ensuring that enough evidence is generated to satisfy the relevant regulatory bodies. In some cases the external agency itself conducts the audit; in others the organisation is required to self-certify through its information security team.

An organisation that already has an internal information security policy is more likely to meet the requirements of regulatory bodies, so some organisations adopt an industry standard such as ISO 27001 (and its associated controls). If this is implemented effectively, many of the obligations of the Data Protection Act should already be met. However, you should never simply assume compliance because another standard has been followed: map each external obligation to the specific control and evidence that satisfies it, and confirm that nothing is left uncovered.

The ISO 27001 model provides an approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS) within an organisation. It is based on the Plan-Do-Check-Act approach to continuous improvement. Again, this is an iterative process: the results of one cycle become the baseline for the next (see Figure 1).

Also worth noting is the Wassenaar Arrangement, an export control regime under which 42 participating states coordinate controls on conventional arms and on dual-use goods and technologies, a category that includes cryptographic products. An organisation that exports such products, including software that contains encryption, may therefore need an export licence.

Third-party compliance 

Organisations often overlook third-party compliance when, in fact, a significant share of the vulnerabilities in information systems result from non-compliant third parties. Third parties can include customers, cleaners, internet service providers, hosting providers and sub-contractors. Any of these can affect the organisation's compliance status, typically because they have physical or logical access to confidential information or to the organisation's computer systems. They should be bound by the same rules as the organisation's own staff, which means signing an NDA and accepting penalties for breaches of security.

The best way to ensure compliance in the supply chain is to insist that the third party has the same level of compliance as the organisation. So, if the organisation has implemented ISO 27001 and has been audited to prove compliance, its suppliers should hold the same certification. This cannot be taken for granted and should be verified properly: check that the certificate is current and was issued by an accredited certification body, and that its stated scope actually covers the service the supplier provides to you, since an ISO 27001 certificate applies only to the scope written on it.

That is the end of this Course. Before moving on, it's worth reflecting on the role of policy as a mission statement for IA. Policy plays a key role in building a strong culture which is compliant and protected. In the next Course, you’ll learn more about implementing the policy, processes and procedures you’ve encountered in this path. 

What's next?

You've now been introduced to the Information Security Framework; in the next Course, you're going to look at how to put the Information Assurance programme into practice.


About the Author
Learning Paths