Best Practices for Achieving Compliance through Security (COSEC)

By Carl Milloshewski, TierPoint Security and Compliance Manager

Taking a Layered Approach

Many companies try to meet compliance standards through an auditing, checklist model. These companies or their consultants go through the published requirements for a particular compliance framework, dotting their I’s and crossing their T’s, and from an auditing standpoint they become compliant with that framework, having spent time, money and resources on compliance but not necessarily on security. When these companies’ businesses grow and expand into new markets, they are forced to adhere to additional compliance and regulatory standards, which costs still more time, money and resources. As new markets are entered and business models change, these companies can fall into a never-ending, expensive game of whack-a-mole.

With the COSEC best practices layered approach, companies escape the whack-a-mole trap and can cover many, if not all, applicable compliance and regulatory frameworks. Valuable time, money and resources are spent once, rather than repeatedly in a costly cycle. Here are the key COSEC layers to consider:

COSEC Layers

  • Layer 1: Software assurance
  • Layer 2: Block attacks against your network
  • Layer 3: Block attacks against your hosts
  • Layer 4: Patching and vulnerability remediation
  • Layer 5: Safely support your users
  • Layer 6: Use tools to maximize security effectiveness

One control TierPoint has initiated company-wide is Security Awareness Training, an essential front-line defense that falls under Layer 6. TierPoint believes that, armed with the right knowledge and the opportunity to practice new skills, TierPoint’s staff will be its own best security defense. TierPoint’s Security Awareness Training covers privacy principles for Social Security numbers and credit card numbers, as well as phishing attacks, malware, malicious websites, social engineering and HIPAA requirements.

TierPoint implemented this training as a security best practice, but this one best practice is cited in multiple compliance and regulatory frameworks, including:

  • ISO/IEC 27001 & 27002 §8.2.2
  • PCI DSS §12.6
  • FISMA §3544(b)(4)(A)-(B)
  • Gramm-Leach-Bliley Act (GLBA) §6801(b)(1)-(3)
  • HIPAA §164.308(a)(5)(i)

This is just one example of using security best practices to become compliant.