Are You Prepared for the Top Three Compliance Issues?

Featured article by Fouad Khalil, director of compliance, SSH Communications Security

No matter what an enterprise’s major market is, it is probably subject to regulatory compliance requirements, such as PCI, SOX, FISMA and HIPAA. PCI requirements in particular demand a high level of auditability and controls. What’s more, regulatory agencies are cracking down with stiff penalties. For example, the Department of Health and Human Services’ Office for Civil Rights has levied penalties in its six resolution agreements for 2015 totaling about $6 million.

This trend is unlikely to slow down or reverse, so it’s important to be aware of the primary threats that could undermine compliance efforts. The top three such issues are discussed below.

Privileged Access Management

Privileged access management (PAM) will continue to be a compliance nightmare. In fact, privileged and logical access controls continue to cause the most audit infractions. One of the main reasons for this is the fact that more companies are outsourcing tech support, and more companies are employing remote workers. Both of these groups must be granted remote access to an organization’s production environment and highly sensitive information in order to do their jobs. This access also includes machines talking to other machines in an automated fashion.

Though third-party access is necessary within the enterprise, managing this access often comes as an afterthought in the organization’s overall security strategies and postures. The 2014 U.S. State of Cybercrime Survey revealed some dangerous trends on this topic:

– 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks

– Only 44 percent of enterprises put forth the effort to vet the security of third-party providers and others in their IT supply chain

Third-party and vendor contract agreements may help companies enforce better security and privacy controls, but these actions may not exclude organizations from accountability and responsibility as it relates to a security breach.

HIPAA HITECH

HIPAA/HITECH can be described as Sarbanes-Oxley (SOX-404) on steroids.Organizations may have to comply with PCI, FISMA, SOX, BASEL III or other regulations, but none of these are a match for the HIPAA/HITECH tidal wave in terms of severity. The U.S. federal government (Health and Human Services, Office for Civil rights) is more active than ever in enforcing this law and is levying harsher fines with greater frequency for noncompliance.

Auditors are concentrating their firepower on the areas that healthcare providers have failed at most often in the past and are levying massive fines for noncompliance. Targeted areas include:

* Risk analysis and risk management

* Content and timeliness of breach notifications

* Notice of privacy practices

* Individual access

* Training to policies and procedures

* Device and media controls

* Transmission security

Organizations will need to be cautious about ensuring that any business or market expansion into an area covered by HIPAA is adequately compliant to avoid being hit with heavy fines.

Achieving Continuous Compliance

Sarbanes-Oxley (SOX) requires public companies in the U.S. as well as foreign companies listed on U.S. exchanges to assess their internal controls, have that assessment validated by an external auditor and report the assessment to the SEC. Information security professionals need to ensure that their organization complies with requirement in Section 302 and Section 404 of the legislation.

Sarbanes-Oxley (SOX-404) and internal controls remain the most critical on the financial industry compliance horizon. Financial industry compliance challenges include Annual Financial and SSAE-16 audit requirements. However, audits of identity management (logical access) controls continue to result in exceptions. Companies struggle with adherence to privileged access controls – lack of visibility into what, when and how administrators access production environments.

SSH is one of those unseen workhorses in IT infrastructures, or also referred to as the “dark side” of PCI DSS compliance. Many organizations have no visibility into or assume compliance with their SSH key environments until an auditor identifies the issue or exception in their reports. SSH keys are a critical component for ensuring adequate and compliant controls for cardholder data environments.

Changing industry business models changes the threat landscape and expands the definition of sensitive information. Financial institutions have expanded their business models beyond simply doing payroll, tax, investments etc. They have taken on additional services to expand their markets and revenue potential. These vary from complete HR services to retirement services to medical payment services and much more. Their protected data definitions now go beyond SSN and DOB to also include credit card data and medical data (protected health information). This increases the complexity of their compliance initiatives and the scrutiny of the audits they start to undergo.

Based on the risks identified above, the following best practices can help enterprises improve their SSH environment security – and, therefore, their compliance.

1. Move away from manual key management

With manual key management, your company’s best IT minds are stuck performing repetitive, manual work. A centralized SSH key management system not only ameliorates the issues listed above, it increases your ROI by letting your IT staff tackle more complicated issues.

2. Understand your environment / trust relationships

How many SSH keys do you have? Where are they? Which users have which keys? Once you understand your environment, you can take steps to tame it.

3. Control SSH key deployment

Control who can add keys to your environment, and deploy, remove and rotate keys in a centralized way. While most SSH key deployments are straightforward, rotation and removal can be tricky. Sometimes a rotated key can create a new vulnerability. This encourages the tendency to leave a key in place long after its original user has moved on. Automate SSH key rotation.

4. Real-time auditing capabilities

No company wants to wind up on the wrong side of a SOX audit. Your auditors need to be able to view the source of any breach clearly and perform an audit trail. Make sure your organization has a system in place to provide auditors with exactly the information they need, when they need it.

Ensuring Compliance

When assessing compliance risk, an important first question is, “Am I ready if and when an auditor comes knocking at my door?” Organizations should integrate security and privacy controls into day-to-day processes and procedures to ensure continuous compliance. It is not if you will experience a breach – it is simply a question of when. Well-defined and integrated security controls will help expedite breach investigations and ensure compliance with reporting requirements.

About the author

Fouad Khalil has extensive experience in the technology space with more than 25 years spanning disciplines in software development, IT support, program and project management and most recently IT security and compliance management. Key areas of focus include: information technology, internal controls over financial reporting, Sarbanes-Oxley, PCI DSS, and HIPAA/HITECH compliance. Experienced in security training and awareness as part of corporate governance and regulatory compliance. ISACA member & CISA Certified