The scale, scope and complexity of regulatory compliance rules continue to increase, and for good reason. Compliance mandates exist to hold companies accountable, mitigate risk and protect employees and customers from fraud, unfair practices and, increasingly, malicious cyber activity. Today's threat landscape has pushed compliance mandates to new levels, making compliance harder to achieve and demonstrate. To meet audit and certification requirements, it is important to leverage best-practice frameworks like ITIL and NIST, and to put methodologies in place so that when (not if) your organization is audited, you pass rather than face stiff penalties.
When there is a breach or theft of credit card data, customers lose trust and confidence in the merchant, and the financial institutions involved can be subject to numerous financial liabilities. Small businesses are particularly vulnerable: in 2015 alone, Symantec reported that close to half of cyber-attacks worldwide were against small businesses with fewer than 250 employees. Well-known large-scale breaches include Target, Walmart, Home Depot and JPMorgan Chase. E-commerce sites are also a frequent target.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that must be followed by anyone who stores, processes or transmits cardholder data, to keep that payment information secure. Point-of-sale systems, online shopping carts, and wireless access routers that touch cardholder data are all covered by the standard. A new version (PCI DSS 3.2) was published in 2016 to keep up with new threats, and it is important to make sure that you have made the necessary updates in order to remain compliant.
PCI DSS groups its requirements under the following six control objectives that companies are required to meet:
- Build and maintain a secure network and systems.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
For companies in the healthcare sector, Health Insurance Portability and Accountability Act (HIPAA) standards are in place to secure protected health information (PHI) and to protect a patient's personally identifiable information (PII). In 2015, healthcare was the top target for breaches due to the value of patient data, and as a result, the HHS Office for Civil Rights (OCR) has been conducting random HIPAA compliance audits. The HIPAA Security Rule sets out four general requirements that covered entities and their business associates must meet:
- Ensure the confidentiality, integrity and availability of all electronic PHI that the organization creates, receives, maintains or transmits.
- Protect against reasonably anticipated threats or hazards to the security or integrity of that information.
- Protect against reasonably anticipated uses or disclosures that the Privacy Rule does not permit.
- Ensure compliance by the organization's workforce.
HIPAA implementations include safeguards such as encryption of electronic PHI, strong passwords and multi-factor authentication, and a lapse in a single safeguard can compromise an organization's entire security posture.
Three Critical Compliance Mistakes
While compliance mandates may vary from one industry to another, there are common mistakes that appear across all sectors.
- Mistake 1: Not Thoroughly Evaluating IT Solution Providers
Carefully consider the qualifications of your IT solutions provider, as a breach at their facility can affect your audit and leave you subject to findings of non-compliance and regulatory fines. Validate your third-party IT service provider's certifications and investigate their track record against the compliance standards you are required to meet. Ask questions to understand what policies and procedures your provider has in place to mitigate threats, what their disaster recovery plan is and how they will respond to incidents that affect your data.
- Mistake 2: Neglecting Physical Security
Physical security is often an afterthought, but it is a critical requirement for staying in compliance and preventing unauthorized access to your network. If the facility does not have policies and procedures in place, unauthorized parties can reach your organization's data and carry it out of the building on a laptop or flash drive. Policies should cover who is authorized to access locked server racks, suites and cages, and how much access each person is granted. Is two-factor authentication required for building access? Is there 24/7 monitoring, and are security cameras and alarm systems in place?
- Mistake 3: Not Routinely Monitoring Security and Compliance Processes
Compliance mandates are constantly changing to keep up with the current economic and threat landscape. Getting into compliance is one thing; staying in compliance is another matter entirely. Your service provider must give you the guidelines they follow to continually evaluate their facility, procedures and infrastructure. Many security breaches are due in part to organizations being too lax with administrative rights and privileges, and to human negligence. Ask how often policies are updated, how new threats are responded to and how often employees are evaluated.
Trusting Your IT Service Provider
It is imperative that your IT service provider is a true partner you can trust to maintain your security and meet your compliance requirements. OneNeck IT Solutions leverages best-practice frameworks, like ITIL and NIST, to ensure your compliance needs are met. We use these methodologies to document, train and govern our services effectively, allowing us to address our customers' compliance needs and auditor reviews, giving you the peace of mind you need to ensure you're compliant and secure…