
Security compliance 101 with Intruder and Secureframe

James Harrison, Senior Content Writer

Every business these days has to "do compliance" or "check the security compliance box". But what does it actually mean? How can vulnerability management help make it easy? And how do you get started?

In our latest webinar, Intruder CEO Chris Wallis and Marc Rubbinaccio, CISSP, CISA (Compliance Expert at Secureframe), offered their top tips on achieving compliance and showed how easy it can be with the right tools. Here’s a recap in case you missed it...

What is security compliance?

Security compliance means all the measures you must take to adhere to established security standards or frameworks such as SOC 2, ISO 27001 and Cyber Essentials. It includes the policies, procedures, and best practices needed to safeguard sensitive information from unauthorized access and misuse; exactly what is required varies between frameworks.

Compliance has always been important for certain organizations, but in 2023 it’s more important than ever, with the number of vulnerabilities and breaches on the rise. Organizations need to be proactive to safeguard their sensitive data and to prove it to customers, shareholders and regulators.

How to get started with security compliance

Marc explains that it’s up to you as an organization to determine what data you consider sensitive and therefore in need of protection. Then you need to determine the scope of your efforts by considering:

  • how you ingest this data
  • how you process it
  • where the data is transmitted in your environment and your network
  • where you store it and for how long

“A great way to begin understanding your scope is by creating a network diagram and a data flow diagram so that you have a way to visualize exactly how that sensitive data is ingested all the way through its lifecycle throughout your environment,” Marc adds.

The scope of some frameworks goes beyond data, however, to the digital and physical infrastructure, the resources that affect this data, and the personnel handling it. This may seem overwhelming, but there are a number of controls you can put in place that will help your security compliance efforts. Marc categorized these into two groups: technical controls and operational controls.

Of the technical controls, vulnerability management is one of the most important, and it should include:

  • Infrastructure testing (both external and internal vulnerability scanning)
  • Application scanning
  • Penetration testing

Also on Marc’s list of key technical controls are:

  • Encryption of sensitive data
  • Logging and monitoring of security events, such as changes to your production infrastructure
  • Secure configuration of resources and devices

As for operational controls, the stages at which personnel are hired, managed and let go matter. “Performing background checks and reference checks is important, and new hires must also go through security awareness training,” says Marc.

Every access change, whether for a new starter or a termination, must be tracked, along with any software or infrastructure changes. An auditor will check!

In fact, every aspect of your security control environment should have related policies and procedures. Even the tools you’re using and the personnel responsible for them should be documented in the vulnerability management policy.

Why is vulnerability management important for security compliance?

“Vulnerability management is simply finding the weaknesses that hackers exploit to get into your systems, and fixing them before the hackers get to them,” explains Chris. “All the compliance frameworks understand that vulnerability management is vital to keeping your company secure because last year alone, 25,000 vulnerabilities were discovered - that's nearly 70 every single day.”

Different compliance frameworks give different guidelines on how frequently scans should be run. For example, PCI DSS expects organizations to run an external scan once a quarter. However, hackers are moving so quickly that, from Intruder’s perspective, a scan should be run at least every 30 days. “If anything, you want to be doing it more often than that to give your teams time to fix these things,” Chris says.

He adds, “You don't want this to be something that you wait until an audit comes along to pick up. You want to bake it into your process so that you are audit ready. A bit like you wouldn't go a whole year without brushing your teeth and then turn up at the dentist and expect everything to be okay.” With up to 70 vulnerabilities a day, it can really add up if left unaddressed, so it’s better to take care of issues as soon as they arise.

Can automation streamline your security compliance journey?

The more of the security compliance journey you can automate, the easier it will all become, and fortunately there is a wealth of powerful tools available to make vulnerability management effective and straightforward.

Scanning is a key part of the process, and Intruder can help you find your vulnerabilities quickly and easily. You can run scans daily, weekly or monthly, and Intruder also runs emerging threat scans, which kick off automatically every time a new vulnerability is discovered.

Chris adds, “Not every single vulnerability is critical or needs to be fixed, and so the compliance frameworks state you need only fix the ‘criticals’ or the ‘highs’. This means you also need a way of prioritizing your vulnerabilities.”

Intruder can do this too, prioritizing things which are exposed to the internet but shouldn't be, to help you understand where your biggest risks lie so you can spend your time where it matters most.  
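To make the two points above concrete, here is a small Python script, added to this recap and not code from the webinar, Intruder or Secureframe, that does what a vulnerability management policy typically has to evidence: it flags assets whose last external scan falls outside a framework's window (the quarterly PCI DSS window and the 30-day cadence mentioned above), and it keeps only the critical and high findings, ranking internet-exposed assets first. The asset and finding records, field names and sample data are constructed for the example and are not any product's API.

```python
"""Added example: scan-cadence check and finding prioritisation.

Assumptions (not from the post or any product):
  - Asset and Finding field names are invented for this example.
  - The sample assets and findings below are constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Scan windows. PCI DSS's quarterly external scan is stated in the post;
# the 30-day cadence is Intruder's recommendation quoted there.
SCAN_WINDOWS = {
    "pci_dss_external": timedelta(days=90),
    "recommended": timedelta(days=30),
}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# The frameworks, as quoted, require fixing the criticals and highs.
MUST_FIX = {"critical", "high"}


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool
    last_external_scan: date


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: str  # one of SEVERITY_RANK
    cvss: float


def overdue_scans(assets, today, window_name="recommended"):
    """Names of assets whose last external scan is older than the chosen window."""
    window = SCAN_WINDOWS[window_name]
    return sorted(a.name for a in assets if today - a.last_external_scan > window)


def prioritise(findings, assets):
    """Keep must-fix severities; internet-exposed assets first, then severity, then CVSS."""
    exposure = {a.name: a.internet_exposed for a in assets}
    keep = [f for f in findings if f.severity in MUST_FIX]
    # Python sorts False before True, so 'not exposed' puts exposed assets first.
    return sorted(
        keep,
        key=lambda f: (not exposure.get(f.asset, False), -SEVERITY_RANK[f.severity], -f.cvss),
    )


# Constructed sample data for a review dated 2023-06-15.
TODAY = date(2023, 6, 15)
ASSETS = [
    Asset("web-01", internet_exposed=True, last_external_scan=date(2023, 5, 1)),   # 45 days ago
    Asset("db-01", internet_exposed=False, last_external_scan=date(2023, 2, 1)),   # 134 days ago
    Asset("vpn-01", internet_exposed=True, last_external_scan=date(2023, 6, 10)),  # 5 days ago
]
FINDINGS = [
    Finding("db-01", "Unpatched database service", "critical", 9.8),
    Finding("web-01", "Outdated TLS configuration", "high", 7.5),
    Finding("web-01", "Verbose server banner", "low", 3.1),
    Finding("vpn-01", "Unpatched VPN appliance", "critical", 9.8),
    Finding("db-01", "Weak cipher suite enabled", "medium", 5.3),
]


if __name__ == "__main__":
    for window in SCAN_WINDOWS:
        print(f"Overdue under {window}: {overdue_scans(ASSETS, TODAY, window)}")
    print("Fix first:")
    for f in prioritise(FINDINGS, ASSETS):
        print(f"  [{f.severity}] {f.asset}: {f.title}")
```

On the sample data, db-01 is overdue under both windows and web-01 only under the 30-day cadence, while the "fix first" list puts the exposed VPN appliance ahead of the exposed web server's high finding and the internal database last, and drops the low and medium findings that the frameworks do not require you to fix.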

There are also platforms that can help ensure you are audit ready. For example, Secureframe turns compliance from a complicated hurdle into a routine task by providing everything you need to prepare for an audit or set up security controls. You can even invite your people to Secureframe for the security awareness training built into the platform, or assign certain policies to certain staff so they can acknowledge and accept the policies they're responsible for.
