Engineers don’t have time to translate their workloads into “audit speak”. Auditors can’t provide value in cloud-based engineering domains.

Engineering Interruptus
Organizations today spend upwards of $2 million to accomplish critical compliance milestones such as FedRAMP, and spend, at a minimum, hundreds of thousands of dollars annually just to stay in compliance with existing mandates for PCI DSS 3.2, ISO 27001, SOX, the NIST Cybersecurity Framework (CSF), HIPAA or the HITRUST Common Security Framework, and Trust Services Principles or SOC 2 assurance. All of today's regulatory and compliance frameworks include substantial coverage of information security management systems (ISMS). In addition, the lack of an externally validated security architecture or compliance program is increasingly viewed as unethical and even criminal.
With all this compliance, one might ask, “Where are companies wasting the most time? What are the greatest hidden costs? Which activities associated to audit bring the greatest actual security value?”

Unfortunately, the compliance areas that waste the most time (auditor-to-engineer conversation), carry the highest hidden cost (business disruption), and could have delivered the most value but likely didn't (resilient configuration) are one and the same.

Effective, secure host and instance baseline configuration is still on the NSA's top ten list of most important IT initiatives, and unfortunately it is also the most wildly misrepresented control domain when preparing for and conducting an audit. Any web search for "exploits older than one year" returns a remarkable body of research concluding the same thing: most of the vulnerabilities exploited today have existed on systems for more than a year, and in many cases for more than three years. Returning to the NSA's recommendations, a large number of the simple initiatives needed to become cyber secure are established at the moment an asset is released. Seven of the ten can be categorized as asset monitoring, meaning they could be handled as part of configuration management and policy.

  1. Control Administrative Privileges
  2. Limiting Workstation-to-Workstation Communication
  3. Antivirus File Reputation Services
  4. Anti-Exploitation
  5. Host Intrusion Prevention (HIPS) Systems
  6. Secure Baseline Configuration
  7. Web Domain Name System (DNS) Reputation
  8. Take Advantage of Software Improvements
  9. Segregated Networks and Functions
  10. Application Whitelisting
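The point above is that several of these initiatives (administrative privileges, secure baseline configuration, keeping software current) can be enforced as configuration-management checks rather than rediscovered in an audit conversation. The following is an added example, not code from the original article or from the NSA, showing how a baseline-drift check might look: it parses a constructed sshd_config, compares the effective settings, the local admin group and installed-package ages against a baseline policy, and labels each finding with the initiative it falls under. The baseline keys, thresholds, hostnames and package dates are all assumptions constructed for the example.

```python
"""Baseline-drift check covering three of the ten initiatives (illustrative)."""
from dataclasses import dataclass
from datetime import date

# Constructed baseline policy for this example; the keys and thresholds are
# assumptions, not a published benchmark.
BASELINE = {
    "sshd": {"permitrootlogin": "no", "passwordauthentication": "no"},
    "admin_group_members": {"ops-admin"},
    "max_patch_age_days": 30,
}


@dataclass
class HostSnapshot:
    hostname: str
    sshd: dict            # lower-cased sshd keyword -> effective value
    admin_members: set    # members of the local administrators group
    package_dates: dict   # package name -> release date of the installed version


@dataclass(frozen=True)
class Finding:
    control: str   # which of the ten initiatives the drift falls under
    detail: str


def parse_sshd_config(text: str) -> dict:
    """Return the effective sshd settings from an sshd_config body.

    sshd uses the first value it finds for a keyword and ignores later
    duplicates, so only the first occurrence is kept. Keywords are
    case-insensitive and are stored lower-cased; '#' lines are comments.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def check_host(snap: HostSnapshot, baseline: dict, today: date) -> list:
    """Compare one host snapshot against the baseline and list every drift."""
    findings = []
    # Secure Baseline Configuration: each required sshd setting must match.
    for key, expected in baseline["sshd"].items():
        actual = snap.sshd.get(key)
        if actual != expected:
            findings.append(Finding("Secure Baseline Configuration",
                                    f"{key}={actual!r}, expected {expected!r}"))
    # Control Administrative Privileges: no admin members outside the baseline.
    for member in sorted(snap.admin_members - baseline["admin_group_members"]):
        findings.append(Finding("Control Administrative Privileges",
                                f"unexpected admin member {member}"))
    # Take Advantage of Software Improvements: flag stale installed versions.
    for pkg, released in snap.package_dates.items():
        age = (today - released).days
        if age > baseline["max_patch_age_days"]:
            findings.append(Finding("Take Advantage of Software Improvements",
                                    f"{pkg} version is {age} days old"))
    return findings


# Constructed sample sshd_config; the second PermitRootLogin line is ignored
# by sshd, so the effective (and flagged) value is "yes".
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""


def run_example() -> list:
    """Build a constructed snapshot and evaluate it as of a fixed date."""
    snap = HostSnapshot(
        hostname="web-01",                      # assumed hostname
        sshd=parse_sshd_config(SAMPLE_SSHD_CONFIG),
        admin_members={"ops-admin", "jdoe"},    # jdoe is not in the baseline
        package_dates={"openssl": date(2023, 1, 1),   # 165 days old: stale
                       "nginx": date(2023, 6, 1)},    # 14 days old: fine
    )
    return check_host(snap, BASELINE, today=date(2023, 6, 15))


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.control}] {f.detail}")
```

Run against a real fleet, the snapshot would be produced by the configuration-management agent at release time, which is the author's point: the evidence an auditor asks for already exists as a policy check, and drift is caught before it ages into the multi-year-old exposure the research above describes.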