Auditing and Compliance with Metadata
Many companies need to adhere to at least one regulatory compliance standard for the data that they keep. Identifying the data and systems within the scope of the compliance standard is vital to enforce compliance standards and satisfy auditing requirements.
Correct application of metadata policies and procedures can significantly increase a company’s ability to meet regulatory compliance standards. Metadata can be in the form of naming standards, attributes, or tags. Metadata can be applied directly to an object or at a higher level.
Configuration managers frequently use metadata to group like servers together, influencing the configuration applied including security policy settings. Grouping servers that require specific configurations together ensures that compliance standards are met and provides a mechanism to report on configurations applied.
Auditing processes are used to demonstrate that a company has implemented controls and processes required by the relevant body. An audit typically focuses on how controls are applied and how the controls are managed and monitored after application.
E-mails from defence departments often include a security classification tag in the subject line, such as [Unclassified] or [Sensitive]. Security systems such as Data Loss Prevention (DLP) systems apply rules based on security classification. These rules may determine who can receive an e-mail based on the security tag applied.
The subject line of the e-mail is metadata about the e-mail that is used by the DLP system to identify and apply rules to meet the department’s obligations under the national secrets act.
Document sharing platforms are often used to enforce that document attributes are applied to a new document before it can be shared. In the e-mail example above, the DLP system would enforce rules based on the security classification of attached documents.
Document sensitivity level classifications determine many behaviours beyond just e-mails, such as where the document is physically stored or monitoring policies for access and change.
An end user may only be able to access a classification from a specific network on a specific device, and the document cannot be stored locally. Other classifications may require the use of a VPN connection and the local device has full disk encryption enabled.
Auditing such an implementation would require demonstration of the configured rules, matching policies and processes to negate countermeasures for incorrect classification.
A company must meet be PCI certified before credit card vendors allow them to handle credit card information. The PCI standard classifies an environment that contains cardholder data as Cardholder Data Environments (CDE). Companies which are subject to PCI regulations are required to meet configuration and auditing requirements for each CDE.
Attaching metadata data to identify the cardholder helps to prevent CDE scope creep by identifying where cardholder data exists and paths of transmission. Knowing where the data exists improves the ability to report on system configuration, monitoring, and security controls. Disk encryption s automatically enforced on any system identified within the CDE. Encryption of tables, rows, or columns identified as holding cardholder data within a database.
The use of metadata to enforce regulatory policies reduces the risk of failing a compliance report and drastically reduces the complexity of testing and reporting on the methods used to meet these policies.
Audits can be a stressful time for many companies, especially for those who do not perform regular audits on themselves. They will need to reallocate staff from other tasks, recruiting more contractors, and begin the frantic search for missing documentation.
A well planned and executed metadata strategy allows companies to gather a significant portion of the required information quickly and validate how well policies are met.
Compliance reporting simplicity transforms auditing into a standard operational task, with the potential to automate flag and remediation of breaches if they occur. This results in a reduction of stress endured during an audit and the chance of failing.
Using metadata for compliance and auditing depends on the accuracy of the metadata referenced. It is essential that policies and processes are in place to manage the full metadata lifecycle to ensure that standards are met, and reduction of blind spots are met, and blind spots are reduced.