Compliance issues are unavoidable, regardless of an organization’s primary market. Remaining compliant requires a high level of auditability and controls, adding complexity to the organization’s internal processes. Governing bodies for regulations such as HIPAA, FISMA, SOX and PCI are becoming more determined to ensure compliance and are levying heavy fines on those who fall short – up to $1 million per resolution. This trend is unlikely to slow down or reverse, so it’s important to be aware of the primary threats that could undermine compliance efforts. The top three such issues are discussed below.
SOX: Assessing Internal Controls
Sarbanes-Oxley (SOX) requires public companies in the U.S. and foreign companies that are listed on U.S. exchanges to assess their internal controls, have that assessment validated by an external auditor and report the assessment to the SEC. Information security professionals need to ensure that their organization complies with requirements in Section 302 and Section 404 of the legislation.
For the financial industry, SOX-404 and internal controls remain the most critical compliance requirements. Compliance challenges in this sector include annual financial and SSAE-16 audit requirements. However, audits of identity management (logical access) controls continue to result in exceptions. Companies struggle to adhere to privileged access controls, lacking visibility into what, when and how administrators access production environments.
PAM’s Causing Problems
Logical access controls and privileged access management (PAM) continue to cause the most audit infractions and are an ongoing source of compliance nightmares. In fact, privileged and. One of the main reasons for this is the fact that more companies are outsourcing tech support, and more companies are employing remote workers. Both of these groups must be granted remote access to an organization’s production environment and highly sensitive information in order to do their jobs. This access also includes machines talking to other machines in an automated fashion.
Managing third-party access is frequently an afterthought within the enterprise in terms of the organization’s overall security strategies and postures. The 2014 U.S. State of Cybercrime Survey revealed some dangerous trends on this topic:
- 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks
- Only 44 percent of enterprises put forth the effort to vet the security of third-party providers and others in their IT supply chain
Organizations can enforce better security and privacy controls through third-party and vendor contract agreements, but these measures do not necessarily exempt the organization from accountability and responsibility in the event of a security breach.
HIPAA HITECH’s Harsh Reality
Organizations may have to comply with PCI, FISMA, SOX, Basel III or other regulations, but none of these are a match for the HIPAA/HITECH tidal wave in terms of severity. The U.S. federal government (Health and Human Services, Office for Civil Rights) is more active than ever in enforcing this law and is levying harsher fines with greater frequency for noncompliance.
Healthcare providers tend to fail most often in certain areas, and that is where auditors are focusing their attention and levying massive fines for noncompliance. Targeted areas include:
- Individual access
- Risk analysis and risk management
- Notice of privacy practices
- Training on policies and procedures
- Device and media controls
- Transmission security
- Content and timeliness of breach notifications
In order to avoid stiff penalties, organizations will need to make sure that any business or market expansion into an area covered by HIPAA is adequately compliant.
No Visibility = No Security
An often-overlooked but essential component of IT infrastructure, SSH is sometimes referred to as the “dark side” of PCI DSS compliance. Many organizations have no visibility into their SSH key environments, or simply assume they are compliant, until an auditor identifies the issue or exception in their reports. SSH keys are a critical component for ensuring adequate and compliant controls for cardholder data environments.
What constitutes “sensitive information” changes and expands when industry business models—and the threat landscape—change. Financial institutions have expanded their business models beyond simply doing payroll, tax, investments etc. They have taken on additional services to expand their markets and revenue potential. These vary from complete HR services to retirement services to medical payment services and much more. Their protected data definitions now go beyond SSN and DOB to also include credit card data and medical data (protected health information). This increases the complexity of their compliance initiatives and the scrutiny of the audits they start to undergo.
In light of the compliance-related risks named above, these best practices can help enterprises improve their SSH environment security – and, therefore, their compliance.
- An audit-ready system
A SOX audit is nothing to mess around with. Your auditors need to be able to see the source of any breach clearly and follow an audit trail. Make sure your organization has a system in place to provide auditors with exactly the information they need when they need it.
- Centralize key management
The IT team has more valuable things to do than manual key management. A centralized SSH key management system not only ameliorates the issues listed above, but it increases your ROI by letting your IT staff tackle more complicated issues.
- Learn to ask the right questions
Understand your environment and its trust relationships by asking: How many SSH keys do we have? Where are they? Which users have which keys? Once you understand your environment, you can take steps to tame it.
- Control the keys
Deploy, rotate and remove keys in a centralized way and control who can add keys to your environment. While most SSH key deployments are straightforward, rotation and removal can be tricky. Sometimes a rotated key can create a new vulnerability. This encourages the tendency to leave a key in place long after its original user has moved on. Automate SSH key rotation.
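The questions above (how many keys, where they are, who holds them, and how restricted they are) can be answered from the authorized_keys files themselves. The following is an added example, not part of the original article: it parses authorized_keys content, computes OpenSSH-style SHA256 fingerprints, and flags keys shared across accounts or carrying no `from=`/`command=`/`restrict` options. The account names and key blobs are constructed sample data.

```python
import base64
import hashlib
import re

# Key types accepted by OpenSSH (subset); anything else is treated as a malformed line.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")
# The options field is optional; quoted option values may contain spaces and commas.
LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]+|"[^"]*")+)\s+)?'
    r'(?P<type>' + "|".join(map(re.escape, KEY_TYPES)) + r')\s+'
    r'(?P<key>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.*))?$')
OPT_NAME_RE = re.compile(r'(?:^|,)([A-Za-z-]+)(?:="[^"]*")?')  # skips commas inside quoted values

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line: option names, key type, fingerprint, comment."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        if m:  # malformed lines are skipped here; in production, log them for review
            entries.append({"options": OPT_NAME_RE.findall(m["opts"] or ""), "type": m["type"],
                            "fingerprint": fingerprint(m["key"]), "comment": m["comment"] or ""})
    return entries

def build_inventory(files: dict) -> dict:
    """files maps account -> authorized_keys text. Answers: how many, where, whose, how restricted."""
    owners, unrestricted, total = {}, [], 0
    for account, text in files.items():
        for e in parse_authorized_keys(text):
            total += 1
            owners.setdefault(e["fingerprint"], set()).add(account)
            if not {"from", "command", "restrict"} & set(e["options"]):  # no source/command limits
                unrestricted.append((account, e["fingerprint"], e["comment"]))
    shared = {fp: sorted(acc) for fp, acc in owners.items() if len(acc) > 1}  # one key, many accounts
    return {"total_keys": total, "unique_keys": len(owners), "shared": shared, "unrestricted": unrestricted}

def _blob(label: str) -> str:  # constructed stand-in for a real base64 public-key blob
    return base64.b64encode(b"constructed-blob:" + label.encode()).decode()

SAMPLE_FILES = {  # constructed: account -> contents of its authorized_keys file
    "alice": f"ssh-ed25519 {_blob('alice')} alice@laptop\n",
    "deploy": (f'from="10.0.0.0/8",command="/usr/bin/backup --full" ssh-ed25519 {_blob("backup")} backup-job\n'
               f"ssh-rsa {_blob('contractor')} contractor@vendor\n"),
    "root": f"# legacy entry\nssh-rsa {_blob('contractor')} contractor@vendor\n",
}

if __name__ == "__main__":
    for name, value in build_inventory(SAMPLE_FILES).items():
        print(f"{name}: {value}")
```

On a real host the same functions would be fed the authorized_keys file of every local account (and any AuthorizedKeysFile paths from sshd_config), so the report covers the whole machine rather than this sample.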
You don’t want to be asking yourself and your organization whether you’re ready for an audit as the auditors are walking through the door. Assess compliance risk now, and weave security and privacy controls into day-to-day processes and procedures to ensure continuous compliance. An audit-ready system of controls will stand you in good stead when that auditor comes knocking – because it’s no longer a question of if you will experience a breach, but when.
About the author
Fouad Khalil has extensive experience in the technology space, with more than 25 years spanning disciplines in software development, IT support, program and project management and, most recently, IT security and compliance management. Key areas of focus include information technology, internal controls over financial reporting, Sarbanes-Oxley, PCI DSS, and HIPAA/HITECH compliance. He is experienced in security training and awareness as part of corporate governance and regulatory compliance. ISACA member and CISA certified.