
Why Your Cybersecurity Program shouldn’t be the result of your Compliance Program


by Jade Brown

Compliance is an aspect of information security that affects organizations large and small across a variety of sectors. Many organizations reach their information security compliance goals by fulfilling the objectives already established and adopted by a control framework. Control frameworks, including frameworks that are widely recognized such as those created by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), provide a starting point for organizations to define security practices that are essential to implement based on the current security landscape and recommended guidelines, itemize the practices that are missing in their organization, and work towards identifying corrective actions they may take to enforce best practices and better their security posture.

Behaviors & Compliance

While some organizations establish a cybersecurity compliance program in order to meet the requirements necessary to pursue contracts with federal entities or to maintain their business operations, others do so voluntarily and at their own pace. In the Governance, Risk, and Compliance (GRC) space, there are several behaviors or attitudes that can undermine the development of a comprehensive and robust compliance program. These behaviors include practicing a checklist-focused compliance approach, relying on automated compliance packages, failing to adopt a framework prior to undergoing an assessment, and accepting one framework as the sole model for security practices, such that only its basic requirements are ever adopted.

Taking a checklist approach to cybersecurity compliance and using a control framework merely as a means to an end is one misstep that can hinder an organization’s compliance program. A checklist approach to information security and compliance does not lend itself to dynamic growth.

Establishing a Functional Compliance Program

It is common for the following scenario to take place: An organization must complete a security assessment. The organization’s manager or CEO may ask: “Should we reach out to a third-party assessor or do this ourselves? Okay, now that I think of it, we could accomplish this by ourselves. We only need to do a NIST (800-171) assessment. There are plenty of checklists we can build and refer to…”.

Incorporating checklists to aid in completing an assessment may be beneficial for summarizing key expectations and missing objectives; however, such aids should not be the only reference point, nor treated as the be-all and end-all for reaching compliance. Many organizations compound this issue further by shopping for an all-in-one compliance solution, which may be costly, less than optimal, and still cannot be relied on by itself to get the organization through a compliance assessment.

Establishing a functional compliance program is an investment and it requires consistent, grounded, and strategic efforts that are built upon processes that can produce reliable outcomes. Rather than taking the approach of viewing a compliance program as a shopping list, organizations must view such a program as a combination of items: an instructional field manual on compliance objectives, a stringent education program that establishes the functions of specific organizational practices across business functions, and an affidavit which attests to the organization’s adherence to security standards.

The use of automated control templates, such as those provided with AWS resources, has also extended the problem of organizations applying checklists alone to reach compliance. Projects that assess compliance and noncompliance must be accompanied by more data than a simple true-or-false query. Moreover, “compliance configuration checker packages” rely heavily on identifying basic settings and technologies, and these toolsets often cannot evaluate the information security and organizational processes, such as written policies and procedures, which must accompany any technical configuration. This leaves an organization that relies on such automated configuration checklists in a position where it will likely fail to develop a true compliance program: one that includes the documentation, decision making, testing, and risk/mitigation elements that should inform all practices carried out by the organization, its staff and parties acting on its behalf, and any controlled technologies.

While the checklist-dependency issue is rife in GRC, another type of assessment issue occurs when an organization attempts to complete an assessment from scratch without having previously adopted a framework. When asked how it uses a framework to build a security plan, the organization that responds with “No, we don’t have a framework” is at a great disadvantage compared to the one that says, “We have incorporated the practices from NIST 800-53 to configure our current environment and establish our security plan”.

The organization that has already adopted NIST 800-53 has the opportunity to take actions that are already in progress to establish security and resiliency while managing federal information systems, and to validate them in a manner that translates to another framework, such as the Cybersecurity Maturity Model Certification (CMMC) framework. The function of the CMMC framework is to enforce practices that protect the confidentiality of Controlled Unclassified Information (CUI), and the framework is derived from the NIST 800-171 standards.

Assessment Choices

Attempting a self-assessment for an organization that has not adopted a framework in advance is often a shot in the dark; it typically involves the organization’s CISO trying to fit actions that are not yet understood and/or realized into a security plan, a compliance narrative that is underdeveloped at best and imaginary at worst. Moreover, organizations that take on a self-assessment without a prior security assessment plan or a control framework, and that rely on checklists, risk misinterpreting practices and standards. This results in the organization sacrificing more time and resources than it may be able to offset. An organization can remedy this issue by ensuring that staff members receive education on control and assessment frameworks. Then, the organization can take steps to incorporate the appropriate framework into its operations and build a security program before seeking out an assessment.

In cases where information security and compliance education and/or organizational resources are limited, the organization must recognize its challenges and be willing to reach out to a third party for assistance in completing an accurate assessment. Organizations that do not recognize that they need further support, do not reach out to a third party for an assessment, and instead place a high level of confidence in their own assessment process when their knowledge base is greatly limited position themselves in a Schrödinger’s cat type of dilemma. Situations often play out where an organization’s compliance status is both passing and failing until a specialist outside the organization is engaged and delivers results indicating that the organization was failing the assessment from the very start.

Appointing a third party to serve as the organization’s Assessment Specialist or Auditor is advantageous to ensure there are no surprises and the assessment is conducted based on sound guidance. Undergoing an independent assessment or audit may also ensure that elements of confirmation bias do not skew the assessment results. However, knowledge of compliance requirements and specifications should not be limited to the outside assessing party. At least one individual internal to the organization (if not two as it’s critical to have appropriate support) should have a similar body of knowledge and that role may include those with the skills and qualifications essential for a Compliance Officer or Program Director. Having an internal staff member with this area of expertise is necessary so that the organization may make confident statements and predictions to direct its resources and compliance actions going forward. The organization should also ensure that staff members collaborate, document, and communicate their compliance efforts and changes that may impact their objectives on an ongoing basis.

Understanding Framework Context

Far too many organizations that adopt a framework or set of standards do so without understanding its context, and may take elements of the control objectives too literally, claiming the reference or framework in use is the de facto model. Such an organization may take in all guidelines without room for exception and without considering security practices that fall outside the framework but would enhance the security of organizational assets and data.

Take the NIST 800-171 standards, for instance. It is common for organizations to read the assessment objectives at a surface level and cast aside superior practices. When addressing a password policy, an organization may decide to enforce one with an emphasis on password length alone rather than on length combined with the incorporation of special characters and different character types. When examining the Awareness and Training domain, many organizations choose to create a training platform that quizzes users on business risks and other content and provides an abridged overview of best practices for clicking on links or attachments. However, some of these organizations will refuse to incorporate regular practical phishing campaigns into their Awareness and Training program. The organization may offer a counterargument along the lines of: “NIST 800-171 does not require actual phishing exercises, so we’ve added everything that’s needed”.

In Review

When an organization sets out on its compliance journey, establishing the bare minimum of what is required or “adequate enough” should not be the outcome of its compliance program. The program must be holistic, adaptable, and amended across time so improvements can be made that surpass common organizational security requirements where feasible.

The cybersecurity staff at Vestige are experts at cybersecurity compliance across multiple frameworks. CONTACT US if you have any questions or needs for your organization.

By Jade Brown, BA, C|EH, GCTI
Cybersecurity Analyst
Vestige Digital Investigations