A Sample Gap Analysis

Addressing Flat Network Architecture

Network segmentation is strongly recommended to achieve defense in depth (the "castle approach"), in which many layers of security controls are placed throughout our information systems. Without adequate network segmentation, every device on the network can communicate with every other device. If one device is compromised, the attacker can reach every other device on that network and attempt to gain further unauthorized access from it.

We can segment our network through several technical means, such as internal network firewalls, routers with access control lists (ACLs), or other technologies that restrict traffic to a specified segment of the network. In addition to deploying firewalls and routers, we must separate Internet-facing servers from internal servers (particularly those that hold sensitive data).

If we do not properly separate our servers, the risk of a compromise spreading is considerably greater. For example, our public web server should not sit on the corporate network. If the web server were compromised, an attacker could move laterally across the corporate network to reach sensitive information such as our customers' personal data, ranging from medical records to payment information. Protecting this data is not only required for compliance with the HIPAA Security Rule and PCI DSS; it is a moral imperative to take the protection of sensitive customer information seriously.

Resolution: Configure firewalls, segment the network with routers and ACLs (at negligible cost in latency), place Internet-facing servers on a dedicated segment (DMZ), and keep virtualized servers on separate, isolated network segments so that if one is compromised the others are not directly reachable. Segmentation limits the blast radius of a compromise; it does not make the remaining segments immune, so each permitted segment-to-segment flow should be restricted to the specific ports and services it needs.
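The following Go program is an added illustration, not part of the original analysis: it computes the "blast radius" of a compromised web server, i.e. every host an attacker can pivot to under a given segmentation policy, and compares the flat network described above with a proposed segmented design. The hosts, segment names and rules are constructed sample data, not a description of any real network.

```go
package main

import (
	"fmt"
	"sort"
)

// Host is a machine and the network segment it is placed in.
type Host struct {
	Name, Segment string
}

// Rule permits any host in segment Src to initiate connections to any host in
// segment Dst. Traffic with no matching rule is denied (default deny).
type Rule struct {
	Src, Dst string
}

// allowed reports whether src may initiate a connection to dst. Hosts inside
// the same segment are never filtered from each other, which is exactly the
// property that makes a flat network dangerous.
func allowed(rules []Rule, src, dst Host) bool {
	if src.Segment == dst.Segment {
		return true
	}
	for _, r := range rules {
		if r.Src == src.Segment && r.Dst == dst.Segment {
			return true
		}
	}
	return false
}

// BlastRadius returns, sorted, the names of every host an attacker who
// controls `start` can reach by pivoting host to host through the policy
// (a breadth-first search over the reachability graph).
func BlastRadius(hosts []Host, rules []Rule, start string) []string {
	byName := make(map[string]Host, len(hosts))
	for _, h := range hosts {
		byName[h.Name] = h
	}
	seen := map[string]bool{start: true}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, h := range hosts {
			if !seen[h.Name] && allowed(rules, byName[cur], h) {
				seen[h.Name] = true
				queue = append(queue, h.Name)
			}
		}
	}
	reached := make([]string, 0, len(seen))
	for name := range seen {
		if name != start {
			reached = append(reached, name)
		}
	}
	sort.Strings(reached)
	return reached
}

// FlatTopology is the current state: every host, including the public web
// server, sits on the single corporate network (constructed sample data).
func FlatTopology() ([]Host, []Rule) {
	hosts := []Host{
		{"web", "corp"}, {"app", "corp"}, {"db", "corp"},
		{"workstation", "corp"}, {"fileserver", "corp"},
	}
	return hosts, nil
}

// SegmentedTopology is the proposed state: the web server moves to a DMZ,
// the application and database tiers get their own segments, and only the
// listed segment-to-segment flows are permitted (constructed sample data).
func SegmentedTopology() ([]Host, []Rule) {
	hosts := []Host{
		{"web", "dmz"}, {"app", "app"}, {"db", "data"},
		{"workstation", "corp"}, {"fileserver", "corp"},
	}
	rules := []Rule{
		{"dmz", "app"},  // web tier calls the application tier
		{"app", "data"}, // application tier queries the database
		{"corp", "dmz"}, // staff can reach the web front end
		{"corp", "app"}, // staff use internal application features
	}
	return hosts, rules
}

func main() {
	fh, fr := FlatTopology()
	fmt.Println("flat:      compromised web server reaches", BlastRadius(fh, fr, "web"))
	sh, sr := SegmentedTopology()
	fmt.Println("segmented: compromised web server reaches", BlastRadius(sh, sr, "web"))
}
```

On the flat network the compromised web server reaches every other host, including staff workstations and the file server. On the segmented design it reaches only the application tier and, through it, the database. That second result is the caveat a reviewer should notice: segmentation bounds the damage, but the data tier is still two hops away, so the DMZ-to-app and app-to-data rules must additionally be limited to the required ports and the application tier hardened in its own right.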

Applicable Governance and Compliance Standards
• PCI DSS requirement 1: Install and maintain a firewall configuration to protect cardholder data.
• HIPAA § 164.312(e)(1): Standard: Transmission security
• NIST 800-53, SC-2: Application partitioning
• NIST 800-53, SC-7: Boundary protection

Data Encryption

Data encryption is one of the core principles of information security, and it is pertinent to the PCI DSS, HIPAA and NIST standards that apply to us. Encryption should be implemented immediately wherever sensitive information is stored (e.g. customer/patient data, sales/billing information, and any non-public internal data).

Storing personally identifiable information, company-sensitive data, or payment information in hashed form is not enough. A hash is a one-way transformation suited to passwords, not to data that must later be read back, and an unsalted hash of a low-entropy value such as a card number or Social Security number can be recovered by enumerating the candidates. It is critical that we implement, at a minimum, AES encryption with a 128-bit key in an authenticated mode (such as AES-GCM), with the keys stored and managed separately from the data they protect. Any sensitive data left unencrypted remains a high-priority risk with potential for serious impact until remediated.

Resolution: Implement AES-128 (or stronger) authenticated encryption as the baseline for all stored sensitive data, together with documented key-management procedures (key generation, storage separate from the data, rotation, and access limited to the processes that need it). Focus first on high-priority, sensitive data (such as company secrets and customer health and payment information), using the PCI DSS requirements for cardholder data and the HIPAA Security Rule as guidance.
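As an added example (not part of the original analysis), the Go program below makes both points of this section concrete. First it recovers a card number from its unsalted SHA-256 hash by enumerating the six unknown middle digits, assuming the issuer prefix and last four digits are known (both are routinely stored or printed in the clear). Then it protects the same value with AES-128-GCM, binding the ciphertext to a record identifier so it cannot be silently moved to another record, and shows that tampering or a mismatched record fails closed. The card number is the industry-standard test value 4111111111111111; the record identifiers are constructed; the key is generated in memory for the demonstration only, where a real deployment would obtain it from a key-management service or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// luhnValid reports whether a digit string passes the Luhn check that card
// numbers satisfy; it shrinks the brute-force space roughly tenfold.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// RecoverHashedPAN shows why an unsalted hash is not a substitute for
// encryption: given SHA-256(PAN), the six-digit issuer prefix (BIN) and the
// last four digits, the six unknown digits fall to at most a million hashes.
func RecoverHashedPAN(hash [32]byte, bin, last4 string) (string, bool) {
	for i := 0; i < 1000000; i++ {
		pan := fmt.Sprintf("%s%06d%s", bin, i, last4)
		if luhnValid(pan) && sha256.Sum256([]byte(pan)) == hash {
			return pan, true
		}
	}
	return "", false
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-128-GCM (authenticated encryption). The
// output is nonce || ciphertext || tag. recordID is bound as associated data
// so a blob stored under one record cannot be replayed under another.
func Encrypt(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt reverses Encrypt and fails closed on any tampering or on a
// recordID that differs from the one used at encryption time.
func Decrypt(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	const pan = "4111111111111111" // industry-standard test card number
	found, _ := RecoverHashedPAN(sha256.Sum256([]byte(pan)), pan[:6], pan[12:])
	fmt.Println("recovered from unsalted hash:", found)

	key := make([]byte, 16) // demo only; production keys come from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := Encrypt(key, "patient-0042", []byte(pan)) // constructed record ID
	pt, err := Decrypt(key, "patient-0042", blob)
	fmt.Println("decrypted:", string(pt), err)
	_, err = Decrypt(key, "patient-0043", blob)
	fmt.Println("blob moved to another record:", err)
}
```

Two operational caveats follow from the code. A random 96-bit GCM nonce must never repeat under the same key, so the number of records encrypted under one key should be kept far below 2^32 and keys rotated accordingly. And because the key is the only thing standing between the attacker and the plaintext, the encryption adds nothing if the key sits beside the data in the same database or backup; key storage and access control are part of the control, not an afterthought.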

Applicable Governance and Compliance Standards
• PCI DSS requirement 3: Protect cardholder data
• HIPAA § 164.312(a)(2)(iv): Encryption and decryption
• NIST 800-53, SC-28: Protection of information at rest

Application Process and Application Security

Part I: Develop a software development life cycle (SDLC) to design, develop and test all software. An effective SDLC is a process with distinct stages for planning, creating, testing, and deploying software. This systematic process will raise the quality and consistency of all software we build and deploy. In addition, it is critical that the application development team include individuals who possess the security expertise and skills required to ensure that the necessary security capabilities are effectively integrated.

Part II: Ensure secure software development practices by making continuous application security a central component of the software development life cycle. Developmental security testing and evaluation should occur at every post-design phase of our SDLC. Thorough security testing and evaluation aims to confirm that all required security controls are implemented properly, are operating as intended, and meet all established security requirements.

Resolution: Implement a systematic Software Development Lifecycle which includes a thorough application security testing and evaluation program.

Applicable Governance and Compliance Standards
• PCI DSS requirement 6: Develop and maintain secure systems and applications
• HIPAA § 164.312: Technical safeguards
• NIST 800-53, SA-3: System development life cycle
• NIST 800-53, SA-11: Developer security testing and evaluation

Proper Access Controls

Establish an access control policy that defines the level of access users have to data in our organization's information systems. The principle of least privilege grants users only the access necessary to accomplish their assigned tasks: personnel should be able to reach only the resources they need to do their jobs. We need to ensure that we do not have too many people with access to too many resources, refine the scope of access each employee has, and review that access periodically so it is revoked when roles change.

Resolution: Implement the principle of least privilege for all end users, backed by periodic access reviews.

Applicable Governance and Compliance Standards
• PCI DSS requirement 8: Identify and authenticate access to system components
• HIPAA § 164.312(a)(1): Standard: Access control
• NIST 800-53, AC-1: Access control policy and procedures
• NIST 800-53, AC-6: Least privilege

Security Training and Awareness Program (moderate risk; ongoing effort)

The objective here is to establish a program that fosters an organization-wide cyber-secure mindset by providing all personnel with training in security awareness upon hire and at least once annually.

We should provide an annual, lab-based cybersecurity training program that all personnel can conveniently complete at their desks. In addition to end-user security awareness training, it is recommended that we run practical security exercises that test our personnel to further raise awareness. An example would be an internal phishing exercise in which a suspicious e-mail is sent to personnel to try to bait them into a compromise.

All employees hold the responsibility to report perceived misconduct, including violations of our organization’s compliance program, policies, Code of Conduct, or applicable state or federal laws. The Chief Compliance Officer and relevant Compliance Committee representatives will follow up on all reports and will conduct a thorough investigation if necessary.

Resolution: Provide convenient training for all personnel on an annual basis. Every employee should be required to complete a "refresher" course each year and is subject to internal security "drills" such as phishing tests or other forms of social engineering (with the aim of educating and empowering, not punishing). Employees who correctly identify phishing e-mails or flag them for further investigation by IT/security should be rewarded for their diligence.

Applicable Governance and Compliance Standards
• PCI DSS requirement 12: Maintain a policy that addresses information security for all personnel
• HIPAA § 164.308(a)(5)(i): Standard: Security awareness and training
• NIST 800-53, AT-1 through AT-4: Security awareness and training (policy and procedures, awareness training, role-based training, training records)
• NIST 800-53, CA-2: Security assessments