What is the goal of a Security and Compliance Program?

In our digital era of persistent cyber threats it has become necessary for every organization to consider security deliberately. By deploying an effective security and compliance program, you can protect your clients (and their data), identify issues within your IT infrastructure, mitigate your risk, and lay a foundation on which to grow defensive operations.

Most organizations have blind spots in their security fundamentals that need to be addressed. Even a cursory assessment of an organization's security posture reveals basic security flaws and operational shortcomings that must be fixed before it can become compliant with the regulations that apply to it.

Developing a security and compliance plan as well as fostering an organization-wide cyber-secure mindset will greatly help improve security posture.

As the landscape of business changes, it is important to familiarize ourselves with the new environments we operate in and the risks inherent in them. Without a Security and Compliance Plan we are essentially operating in the wild west, completely exposed.

In short, the primary objectives of establishing a security and compliance framework are to (i) manage and mitigate overall cyber-related risk, (ii) establish applicable governance controls, (iii) prioritize and resource enterprise-wide cybersecurity programs, (iv) safeguard sensitive information, and (v) establish a cyber-secure culture within your organization.

Network Segmentation

Network segmentation is strongly recommended to achieve defense in depth (the Castle Approach), where many layers of security controls are placed throughout your information systems. Without adequate segmentation the network is flat: every device can communicate with every other device. If one device is compromised, the attacker can reach every other host on that network and use it as a stepping stone to further unauthorized access (lateral movement).

Segmenting networks can be accomplished through physical or logical means: configuring internal network firewalls, using routers with access control lists, or employing other technologies that restrict traffic between defined segments of a network. Whatever the mechanism, the rule set between segments should default to deny and open only the specific ports a flow actually needs.

In addition to installing firewalls and routers, it is necessary to place Internet-facing servers in their own segment, separated from internal servers (particularly those which hold sensitive data), so that a compromised public-facing host does not get direct access to the internal network.
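The following program is an added example, not code from the article: it models the inter-segment access list a firewall or router ACL would enforce for the three-tier layout just described (an Internet-facing segment, a user LAN, and a data tier holding sensitive systems). The zone names, the 10.10/10.20/10.30 address ranges, the port numbers and the type names `Zone`, `Rule` and `Policy` are all assumptions chosen for illustration. Rules are matched first-hit and anything unmatched, including traffic from an address that belongs to no known segment, falls through to a default deny.

```go
package main

import (
	"fmt"
	"net"
)

// Zone is a named network segment, e.g. the Internet-facing tier, the user LAN
// or the data tier. (Names and ranges below are constructed for this example.)
type Zone struct {
	Name string
	CIDR *net.IPNet
}

// Rule is one entry in the inter-segment access list: traffic from zone Src to
// zone Dst on Port is permitted only if Allow is true. Port 0 matches any port.
type Rule struct {
	Src, Dst string
	Port     int
	Allow    bool
}

// Policy is an ordered rule list with an implicit default deny at the end.
type Policy struct {
	Zones []Zone
	Rules []Rule
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// zoneOf returns the name of the zone containing ip, or "" if no zone does.
func (p Policy) zoneOf(ip net.IP) string {
	for _, z := range p.Zones {
		if z.CIDR.Contains(ip) {
			return z.Name
		}
	}
	return ""
}

// Permits decides whether a flow from src to dst:port is allowed. Unparseable
// addresses, addresses outside every zone, and flows matching no rule are denied.
func (p Policy) Permits(src, dst string, port int) bool {
	srcIP, dstIP := net.ParseIP(src), net.ParseIP(dst)
	if srcIP == nil || dstIP == nil {
		return false
	}
	sz, dz := p.zoneOf(srcIP), p.zoneOf(dstIP)
	if sz == "" || dz == "" {
		return false
	}
	for _, r := range p.Rules { // first match wins
		if r.Src == sz && r.Dst == dz && (r.Port == 0 || r.Port == port) {
			return r.Allow
		}
	}
	return false // default deny
}

// ExamplePolicy is a constructed three-tier policy: the web tier may reach the
// database port only, users may reach the web tier over HTTPS, and nothing else.
func ExamplePolicy() Policy {
	return Policy{
		Zones: []Zone{
			{"dmz", mustCIDR("10.10.0.0/24")},  // Internet-facing web servers
			{"lan", mustCIDR("10.20.0.0/16")},  // user workstations
			{"data", mustCIDR("10.30.0.0/24")}, // databases holding sensitive data
		},
		Rules: []Rule{
			{"dmz", "data", 5432, true}, // web tier -> database port only
			{"lan", "dmz", 443, true},   // users -> internal web apps over HTTPS
			{"lan", "data", 0, false},   // workstations never reach the database directly
		},
	}
}

func main() {
	p := ExamplePolicy()
	fmt.Println(p.Permits("10.10.0.5", "10.30.0.10", 5432)) // true: allowed database port
	fmt.Println(p.Permits("10.10.0.5", "10.30.0.10", 22))   // false: SSH from web tier not opened
	fmt.Println(p.Permits("10.20.1.7", "10.30.0.10", 5432)) // false: workstation to data tier
	fmt.Println(p.Permits("10.30.0.10", "10.20.1.7", 445))  // false: no rule, default deny
}
```

The design point is that the data tier is reachable on exactly one port from exactly one segment; a compromised web server gets no SSH, SMB or other path inward, and a compromised workstation gets no path to the database at all.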

Data Encryption

Data encryption is one of the core principles of information security, and it is required by PCI DSS, HIPAA and the NIST security standards. Encryption at rest should be implemented without delay wherever sensitive information is stored (e.g. customer/patient data, sales/billing information, and any non-public internal data).

Storing personally identifiable information, company-sensitive data, or payment information in hashed form is not enough. A hash is a one-way function: it is the right tool for verifying a password, but it cannot give the data back when the business needs it, and for low-entropy values such as card numbers or dates of birth the hash can simply be brute-forced. Data that must be read back needs reversible encryption: at a minimum 128-bit AES, in an authenticated mode, with the keys stored and managed separately from the data they protect. An organization that handles payment card data should use the PCI DSS data storage requirements as its standard for storing and encrypting client payment information.
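As an added example (not code from the article), the program below shows the distinction the paragraph draws: a SHA-256 hash of a card number cannot be reversed, while AES-128-GCM encryption can be, and the GCM tag detects any tampering with the stored ciphertext. It uses only the Go standard library. The record identifier bound as associated data, the function names `Hash`, `Seal` and `Open`, and the sample card number are assumptions for illustration; the key is generated in memory here, whereas a real deployment would fetch it from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Hash is what "storing in hashed form" means: a SHA-256 digest. It cannot be
// reversed to recover the value, and a 16-digit card number has so little
// entropy that an attacker can brute-force it from the digest.
func Hash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Seal encrypts plaintext with AES-GCM under a 16-byte (AES-128) or 32-byte
// (AES-256) key. recordID is bound as associated data so a ciphertext copied
// into another record fails to decrypt. Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext, recordID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open reverses Seal. It fails if the nonce, ciphertext, tag or associated
// data were modified, so a tampered or misfiled record is never accepted.
func Open(key, sealed, recordID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

func main() {
	key := make([]byte, 16) // AES-128; in production obtain from a KMS/HSM, never hard-code
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := []byte("4111111111111111") // constructed test card number
	record := []byte("customer-42")   // assumed record identifier used as AAD

	fmt.Println("hash (irreversible):", Hash(pan))

	sealed, err := Seal(key, pan, record)
	if err != nil {
		panic(err)
	}
	back, err := Open(key, sealed, record)
	fmt.Printf("decrypted: %s, err: %v\n", back, err)

	sealed[len(sealed)-1] ^= 1 // flip one bit of the authentication tag
	_, err = Open(key, sealed, record)
	fmt.Println("after tampering:", err)
}
```

Note that the authenticated mode is what turns "encrypted" into "protected": with plain AES-CBC and no MAC, the tamper case above would decrypt to garbage silently instead of being rejected.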

Any sensitive data left unencrypted remains a high-priority risk with the potential for serious impact until it is remediated.

Proper Access Controls

Establishing an access control policy that defines the level of access users have to data in an organization's information systems is critical. Under the principle of least privilege, users are granted only the access necessary to accomplish their assigned tasks: personnel get access to the resources they need to do their job, and nothing more.

Where many people hold access to many resources, each employee's access should be reviewed and reduced to what their role actually requires, and reviewed again whenever the role changes.

Security Training and Awareness Programs

The objective here is to establish a program that fosters an organization-wide cyber-secure mindset by providing all personnel with training in security awareness upon hire and at least once annually.

It is recommended to provide an annual lab-based cybersecurity training program that all personnel can conveniently complete at their desks.

In addition to an end-user security awareness training program, running practical security exercises that test your personnel has proven very effective in raising awareness and confidence. An example would be an internal phishing exercise in which a suspicious e-mail is sent to personnel to try to bait them into a simulated compromise.

Combine yearly refresher courses with internal security drills such as phishing tests or other simulated social engineering attempts (the aim being to educate and empower, not to punish). It may be a good idea to reward employees who correctly identify phishing e-mails and report them through the proper channel.

Policies and procedures for regular device patching, internal vulnerability scanning, and network traffic monitoring

Focus on remediating the vulnerabilities that scans find, starting with those classified as high-risk, and track each one until it is verified fixed by a rescan.

In addition to regular vulnerability scans, devices should be patched at least monthly. Security-relevant software updates and firmware updates should be applied as promptly and as frequently as operations allow without interruption.

Ensure up-to-date antivirus scanners are running on all applicable devices; deploy SIEM software to collect logs and provide real-time analysis of security alerts generated across your networks; and identify high-impact vulnerabilities and remediate them accordingly.

Create a plan to ensure that patches are applied safely (tested or staged before broad rollout, with a way to roll back). Determine which devices and systems support automated patching and enable it, and follow a monthly schedule that ensures security patches are applied promptly.

Upgrade unsupported legacy hardware / software

Devices throughout your IT architecture should be assessed to ensure that all systems are currently supported by their vendors.

Unsupported components (e.g. devices for which the vendor no longer provides critical security patches) are an easy target for attackers, because their known vulnerabilities will never be fixed. Prioritize the higher-risk components whose replacement also brings networking or operational benefits (e.g. gaining bandwidth with new switches/routers, or installing new logical security devices such as firewalls), and handle mission-critical systems that lack newer alternatives separately: until they can be replaced, isolate them in their own network segment and monitor them closely.