Attaining and maintaining compliance has never been an easy task for organizations. There is a delicate balance between how to achieve and uphold constantly evolving compliance standards and how much the organization should invest, financially and in dedicated expert resources, on an annual basis.
In order to strike the perfect balance, you must evaluate all of the many factors that influence both ends of the scale. Does the organization:
- Have the internal skills to manage the tools
- Understand the current environment
- Have insight into the future threat landscape & compliance demands
- Know business processes & procedures
- Have time to remediate findings
When investigating the compliance and security needs of an organization, the areas of technical skillsets and time availability are often overlooked. Evaluating and understanding future demands and the future threat landscape can also pose a challenge. Most organizations, however, do have a good pulse on their current environment and a general understanding that process changes are in order.
There must also be a solid understanding of the relationship between compliance and security within Information Security. This is due to the increasingly stringent reporting requirements that several compliance standards, such as PCI DSS, SSAE 18 SOC, ISO 20000-1, and ISO 27001, have in place.
Reporting such as authentication reports for administrative access, failed authentication attempts, vulnerability scan reports, patching status, anti-virus status, and many others falls in both the compliance and the security bucket. With this in mind, it is important to leverage tools that can serve multiple purposes and check multiple audit boxes for your organization. This ensures that resources are being spent as efficiently as possible.
Security and Compliance Tools
While there are many tools available to assist in your journey to top compliance and security, there is no standardized answer for all organizations. This is where understanding your environment comes into the equation. It is not a one-size-fits-all situation. Many factors, such as company size, budget, industry, and IT environment, determine which tools will be best and the specific purposes they serve. For example, if a business with a complex IT environment purchased an anti-virus product, the product alone would not deploy itself across their systems or monitor them. They would need to evaluate separate tools that work hand-in-hand with the anti-virus to fulfill those roles.
Many times, we have witnessed companies purchasing costly systems that are not compatible with one another and that also lack the capability to patch their devices. In these instances, we have had to come in to assist customers that are juggling too many different tools and are stuck in a vicious cycle of manual, time-consuming processes just to maintain them and meet compliance standards.
The toughest pill to swallow is when organizations realize they purchased the wrong tool and still feel compelled to continue using a product that does not meet their needs. When an organization comes to this realization, there is one key question to ask that will determine its new direction: will the current product cost the company more in the long run than replacing the bad investment with a product that does meet the organization’s needs?
The best and worst thing about technology is that it is always improving, evolving, and changing. There may not have been a product to meet a certain need when the decision to purchase the wrong tool was made. That is why it’s critical to stay up-to-date on advancements and improvements at all times.
Understand your IT Environment
Understanding your IT environment is one of the toughest tasks in compliance and security. This is because environments change alongside technology, staff come and go, and businesses can change what products or services they provide.
Inevitably, as companies attempt to remain compliant, new standards, process changes, and audits will arrive that few are prepared for. If compliance and security are not your main job, it is best to get experts involved. Compliance standards and audits are rigorous and must not be taken lightly.
Part of this task is knowing where your data is going and at what times. This is imperative when looking for data leaks or indicators of compromise. For example, if there is a process that transfers large amounts of data every day at the same time, it is good to know about it and monitor it. Then, if this data transfer were to occur at a different time than expected or were sent to an unintended destination, the organization would be notified immediately and have an actionable event to investigate.
It is also good to know which accounts are used for which processes. If you see the account that has been identified for one process performing other functions, it is time to investigate. Documenting this shows that monitoring is occurring and being acted upon for the organization.
Another task is knowing the ingress and egress points on your network. It is critical to monitor the traffic through these points, know the types of devices that communicate through them, and know whom to contact when your monitoring program finds suspicious traffic patterns.
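The baseline-and-deviation monitoring described above, as an added example that is not code from the original post or from LightEdge: a constructed baseline for one documented transfer process is compared against constructed log lines, flagging runs outside the expected window, to an unexpected destination, or by a service account doing something undocumented. The process name, the svc- account prefix, the hostnames and the time window are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed baseline for one documented process; every value is an assumption.
BASELINE = {
    "nightly-export": {
        "account": "svc-export",                 # service accounts use a svc- prefix
        "destination": "backup.example.internal",
        "window": ("01:00", "02:00"),            # expected start time, local
    },
}

# Constructed sample log: timestamp process account destination bytes
SAMPLE_LOG = """\
2024-03-04T01:12:00 nightly-export svc-export backup.example.internal 41000000000
2024-03-05T01:15:00 nightly-export svc-export backup.example.internal 43000000000
2024-03-06T14:02:00 nightly-export svc-export backup.example.internal 42000000000
2024-03-07T01:10:00 nightly-export svc-export files.example.net 42000000000
2024-03-07T09:30:00 interactive-login svc-export workstation-17 0
"""

def parse_line(line):
    ts, process, account, dest, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "process": process,
            "account": account, "dest": dest, "bytes": int(size)}

def check_event(event, baseline=BASELINE):
    """Return the ways this event deviates from the documented baseline (empty if none)."""
    expected = baseline.get(event["process"])
    if expected is None:
        # A service account appearing in a process not documented for it is the
        # "account performing other functions" case that warrants investigation.
        if event["account"].startswith("svc-"):
            return [f"{event['account']} used for undocumented process {event['process']}"]
        return []
    reasons = []
    start, end = (datetime.strptime(t, "%H:%M").time() for t in expected["window"])
    if not start <= event["ts"].time() <= end:
        reasons.append(f"ran at {event['ts'].time()} outside window {expected['window']}")
    if event["dest"] != expected["destination"]:
        reasons.append(f"sent to unexpected destination {event['dest']}")
    if event["account"] != expected["account"]:
        reasons.append(f"run by unexpected account {event['account']}")
    return reasons

def find_deviations(log_text, baseline=BASELINE):
    """Map each deviating log line to its reasons; lines matching the baseline are omitted."""
    checked = {line: check_event(parse_line(line), baseline) for line in log_text.splitlines()}
    return {line: reasons for line, reasons in checked.items() if reasons}
```

Each flagged line is the actionable event the text describes; the two conformant runs produce nothing.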
Know Your Business Processes
Understanding the different business processes that a company has is vital. Typically, during or after a discovery process, a long-forgotten process becomes visible. There are myriad reasons why this happens, from employee turnover to infrequently run procedures or poor documentation, and it happens more often than not. Fortunately, this is not a bad thing. Discovering these processes only improves the overall business and is a good example of compliance and security processes working correctly.
Monitoring business processes is essential not only to meet the organization’s compliance and security goals, but also to ensure that the processes are working as expected. If they are not, that can be an indicator of a compromised system or of a procedure that needs to be changed.
Time to Remediate Findings?
Whether an organization is working on achieving compliance and security standards or maintaining its existing compliance, there will always be items to remediate. If the compliance and security program is not bringing items to remediate to the table, it may be time to evaluate the program’s effectiveness in catching weak spots or areas for improvement.
Time to remediate should be built into the organization’s compliance and security program, whether that is time to perform vulnerability remediation, investigate authentication failures, investigate suspicious connections to and from the organization, or address any other findings. The organization needs to understand that this is a priority for achieving and maintaining compliance.
This factor is commonly overlooked by organizations whose staff are already tasked with full workloads. There are many ways to address this issue: staff augmentation, shifting priorities, hiring staff, leveraging service provider relationships, automation efforts, and much more.
With that being said, there are still 5 critical points that can make or break the compliance and security program.
5 Points that Will Make or Break your Compliance and Security Program
- Software and Hardware Inventory
- Secure Configuration Guidelines
- Regularly Scheduled Patching and Software Updates
- Requirements for User IDs and Passwords
- Regular assessments of Third-Party Vendors and Services
Software and Hardware Inventory
An inventory of software and hardware is crucial, as it is the basis for an enterprise’s vulnerability and patch management program. For an effective program, getting processes in place to keep the inventory up to date is key. Whether the process is manual or automated, you cannot protect the organization if you do not know what assets you are working to protect.
Establish Secure Configuration Guidelines
This can be one of the more complicated items to address, as a secure configuration for one server may not work for another server running the same OS because of the processes each supports. Another item that impacts this is time. If you do not have the budget, systems, tools, and processes in place to do bulk deployments of replacement systems, then a good strategy is to carefully plan and implement the secure OS configuration on new systems and proceed forward from there. The organization then understands that this strategy is being implemented and that older systems will be phased out after a certain date.
The important lesson here is that these configurations need to be reviewed, updated, and replaced when new operating systems and applications are released. In some cases, updates to company best practices need to be made as well.
Today, there are several resources to assist in this area; NIST and the Center for Internet Security are two of them.
Regularly Scheduled Patching and Software Updates
In October 2003, Microsoft introduced “Patch Tuesday,” which began an era in which patching could be made a scheduled process. Not long afterward, other vendors implemented similar programs. With this, organizations could implement cyclical patching processes, keep systems up to date to address newly released exploits, and schedule maintenance windows dedicated to patching.
Requirements for User IDs and Passwords
Passwords have been an item to address for a long time. More and more systems require employees to authenticate with passwords, and many individuals now have some interesting ways to keep their passwords handy for both business and personal needs. Even with all the training, policies, and communication reinforcing the need for strong passwords, “123456” and “password” are still the top two passwords in use, according to Security Magazine.
When considering the password characteristics to enforce for your organization, there are more resources than ever before for best-practice guidelines. However, you still need to consider the workforce and their ability to manage and remember their passwords.
In the realm of user IDs, it is best practice to have clear characteristics separating a user account from a service account from an administrator account, and so on. This assists your compliance and security personnel in their monitoring analytics and in finding suspicious account behavior.
Regular Assessments of Third-Party Vendors and Services
Depending on your company, assessments of business practices may be required. It is best to review vendors and services annually. The depth of the business relationship should determine how deep the review goes. If an enterprise has established VPN tunnels or regular data transfers with a third party, then it should ensure that the third party is meeting a minimum level of compliance and security.
With these points in mind, an enterprise still has one last line of defense to consider: encryption. Encrypt the data, make the encryption strong, and have processes in place to update your organization’s encryption schemes. If encryption keys become compromised, an enterprise will not know it until after the breach. Regularly updating the encryption keys can keep the enterprise’s data secure.
By now, you may have noticed there has been no specific reference to which tools you should be purchasing to help your organization. I have focused mainly on important questions to ask, provided information on the policies and processes required to maintain a compliant and secure environment, and offered other best-practice information to get you thinking about and evaluating your ultimate business goals and requirements. Once you fully understand all of those elements, that information should guide your organization in prioritizing which tools would work best for the company’s unique business needs. It’s crucial to know where you should be going before planning how to get there.
Get the Right Cyber Protection
No matter the level of protection, no system is 100 percent secure from cybercriminals. However, with a solid understanding of the threats you face and the knowledge to combat them, you can improve your compliance and security strategy. Finding a provider that meets the security requirements above will allow you to grow your business without fear of interrupting your mission-critical infrastructure.
Now that you’re aware, it is time to defend your company. LightEdge specializes in high security hosting and compliance for all organizations. Our expertise is especially valuable to those with sensitive data, such as the healthcare and financial industries.
LightEdge is committed to keeping your data safe, secure, and compliant. LightEdge offers a comprehensive product portfolio to ensure complete protection and uninterrupted performance of IT operations and mission-critical systems in the event of a disaster.
Redundancy is built into each of our data center facilities in Kansas City, Omaha, Austin, and Raleigh. Each LightEdge facility strives to deliver more than a traditional data center. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high-speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.
Want to learn more about LightEdge’s safe, secure, and compliant services? Contact one of our technical experts to get started or to schedule your private tour of any of our data center facilities. We have disaster recovery, colocation and business continuity experts standing by to answer any of your questions.
Rob Bennett has served in a variety of leadership positions focusing on Security Operations & Business Continuity since 1993. His roles included a 12-year stint as the Director of IT Operations for a global telecommunications company, implementing video and VOIP communications systems and ITIL-based processes. Rob has also spent 7 years in consulting roles with regulated companies seeking to attain specific compliance certifications.