How I advise my clients on compliance & securityAlex Fields
Information Security is becoming more and more important in today’s world. Here in the North America (including Canada and the US), we have several laws that require us to meet certain compliance requirements as it relates to Information Security for various industries. Other nations, such as those belonging to the European Union, face these challenges as well. However you feel about government regulation, it still pays to take steps toward ensuring that your networks are secure and your users are well-protected.
Compliance does not necessarily equal security, and neither is the reverse true. But I find that the following items are useful toward achieving better results in both categories.
How to prepare for any compliance assessment, initiative or audit
Note that laws like HIPAA, HITECH, PCI and others in the United States, or the European Union’s Directive on Data Protection or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), all have many things in common. Generally speaking, none of them recommend specific technologies or vendors, but they do call out some guidelines and ask businesses to meet a certain “minimum standard” with whatever technologies they ultimately implement.
In general, how I advise my clients on these topics is always the same, regardless of which laws or compliance standards we’re dealing with. If you do the following things, then you’ll be several steps ahead of where most small to mid-sized businesses find themselves, and you’ll be in a good position with your auditor. Not to mention, you should be doing these things anyway.
First thing is first, you want to get your “ducks in a row” as regards documentation. This is also a good idea in general because going through the exercise will help to extend your visibility and uncover potential issues. Any auditor is going to ask a number of questions about your IT environment and security practices, so I recommend having at least the following prepared in advance:
- Data access policy – how data access is requested, granted and terminated
- Acceptable Use Policy – usually a 1-page Word Doc or pdf that end users must sign, which lays down some rules for determining the acceptable / non-acceptable uses of technology resources in the business
- Data access list – can usually be done in Excel with a username & description field, and a few others as needed:
- Who has access to special or sensitive data sets (personally identifiable, financial, health, HR, etc.)
- Who explicitly does not have special access
- Who has privileged / administrator access
- Any accounts that are “generic” or “service” accounts and their purpose / access
- Network resource list – simple Excel spreadsheet or Word document describing network locations & services, highlighting sensitive data sets
- Backup & recovery procedures – description of what is backed up & how, on what schedule, including retention, as well as the procedures to be followed in the event of:
- Accidental deletion
- Malicious deletion or Malware / infection
- Hardware or production environment failure or unavailability
- Total loss / disaster event
- Network Diagram – usually created in Visio, and details internal network resources as well as WAN connections
Strengthen the Perimeter
Do you have a good firewall that is under warranty–not a consumer brand that came from a retail store, but something that comes in a big brown box, from a reseller? If not, make sure you get one, and don’t forgo the security subscriptions. You need these. In particular, be sure that IPS and Antivirus is enabled, and consider implementing web content filtering, and some more advanced threat protections as well, if they are available. Pro tip: take screenshots of these protection settings as documentation (stored securely) that you can quickly share with an auditor, if needed.
DMZ / Network segmentation
Another item that can help tremendously is properly segmenting different types of network traffic from one another. For example, that web-facing server might not be best located on the same subnet / VLAN as all your other internal data / services and workstations, etc. There is another type of traffic I recommend segmenting, and that is any credit card transactions / processing.
How to secure credit card processing (e.g. for PCI compliance)
How we handle credit cards is like this: Create a completely separate network interface on your firewall device, that has no communication with the internal network (this is your “DMZ” for credit card handling). Make sure that the only devices allowed to process credit card requests (usually via a third party service) are attached to this network. Furthermore, block access to your third party processing service from the primary / internal network. Now only those devices on that special DMZ network can successfully authorize / process credit card requests.
Note: This network must also be completely separate from any other networks, such as web-facing DMZ’s, or “Guest” Wi-Fi networks.
One of the most common requirements we see in any area where sensitive data is stored & transmitted, is encryption. In some industries, such as the financial industry (FINRA in the US), it is very important that the most sensitive information sets remain encrypted both in transit, and at rest. To accomplish this, we think about four major encryption categories: Wi-Fi, remote network access (e.g. over the Internet), email and physical devices.
At the time of this writing, WPA2-AES is probably the most common Wi-Fi security protocol used in the small to mid-sized business. As long as you’re sure that the older, deprecated WEP and WPA-TKIP are disabled, and you’re sticking to WPA2-AES, then you should be covered. However, it is also a very good practice to change the Wi-Fi keys regularly, especially if you have a lot of turnover in your organization. Last, if you provide guest Wi-Fi access, then make sure it is segmented into a separate VLAN, which does not have communication to your internal network.
One of the most common ways of securing communications over the public Internet is implementing a VPN (Virtual Private Network). This is easy to accomplish using Windows Server or (preferably) your firewall vendor (I use and recommend WatchGuard SSL VPN). You should also set up any internal system that is web-facing, such as Remote Desktop, Email, etc. with a third-party SSL certificate. If you have done this correctly, no port other than 443 should be opened on the firewall from the public Internet coming into one of your servers, and that system will have a valid SSL certificate that presents no warnings or pop-ups to end users.
For email systems in particular, you will want to be sure and implement message encryption so that encrypted messages can be retrieved via a secure web page. This is fairly easy to do in Office 365, but it does require the right licensing (Azure Information Protection, which is included with E3, or it can be purchased separately).
Physical / Device
As for “at rest” data, we are typically talking about device encryption, or full disk encryption technologies (e.g. BitLocker). This should be implemented across all devices where corporate data is stored–servers, backup sets, USB drives, workstations, mobile phones (mobile device encryption can be enforced with Mobile Device Management)–the whole works. It may sound like a lot, but it really isn’t too difficult.
If you have automatic updates enabled, be sure you can show that this is actually effective, through some kind of reporting or management tool. This goes for your operating systems as well as antivirus software, and anything else you manage across the endpoints in your environment. For a free tool that you can run against your Windows environment to see how you’re doing, check out Microsoft’s Baseline Security Analyzer.
True up the Directory
You know that documentation I mentioned above? Wouldn’t it be nice if the picture you’ve painted there matched the reality? Make sure it does. Check out AD Info to get a current export of your user accounts, and some other helpful reports out of Active Directory. Then disable users & computer accounts that are old/stale or irrelevant, remove access where it is not needed, and so on.
I recommend making a “Deny” group for each type of sensitive data set in your domain. For example, “Deny-HR data” and “Deny-Health data”–that way you can add everyone who does not explicitly have special access and grant these groups the deny permission on all relevant network locations. This removes question marks quickly.
Don’t be lazy here, like too many of us in the SMB. What does a good password policy look like? For starters:
- Set the minimum length a little higher, like 11 characters
- Require complex character sets (not just alpha-numeric)
- Accounts are automatically locked with multiple invalid login attempts, etc.
- Screens are automatically locked after a few minutes of inactivity, with password protection
Take it further with 2-factor authentication; enable it everywhere the option is available (available in 365).
End User Training
Every organization has at least one user who will click on anything. We may never be able to eliminate all these people, but that doesn’t mean we can’t try. In fact, we must. End user behaviors are still the weakest link in any network. Build a human firewall by encouraging skepticism in your ranks, and raising end-user awareness to phishing, malvertisements and the like.
If you read through this list and didn’t find anything you could be or should be doing differently, then congratulations, you are probably in the top 5% of businesses I’ve ever worked with. Most small to mid-sized organizations still have a long ways to go on this list, and I write these posts in the hopes that I can influence others to raise the bar, and respond to the ever-escalating threats. The compliance piece is really secondary–we should be doing these things anyway, and taking care of them in advance of an audit (not waiting for it to come down on us). So does completing every recommendation here make you bulletproof? Of course not. But you have to start somewhere. So start here.