One of the top questions I hear as an IT professional is “Are we X compliant?” HIPAA, FINRA, SEC, etc – insert your favorite regulatory framework at the X.
Everyone, of course, wants to hear “Yes” – but the truth is complicated. A more realistic but still positive answer is, “We’re constantly working on it” – which is the right attitude to have. Compliance is, in general, a process and not a firm deliverable. No matter how much work goes into an organization’s compliance preparedness, there will ALWAYS be something out-of-compliance which an auditor can sniff out somewhere.
The key is to minimize the outliers as much as possible. We want these to be small things, not big things – so it’s important to put the right investment into the big things, which will allow us to focus on improving the small things.
While the major compliance standards address different industries with varying objectives, many of the major compliance items overlap from framework to framework. Below are three compliance items I’ve seen again and again on different questionnaires from across varying industries and frameworks. Regardless of which compliance standards you adhere to, I guarantee that proper investment in the below tips will increase your readiness in every case:
1) Encrypt your mobile / remote computers.
Unencrypted hard disks in computers are readable by anyone. If a thief snags one of your company laptops, they might not be able to log into it – but they can rip out the hard drive, plug it into their own PC, and use sophisticated but freely-available cracking tools to get at the data therein.
An encrypted drive, however, cannot be read by another computer either – without the decryption key, that computer has no idea what to do with the encrypted contents. While encryption is not 100% uncrackable – nothing ever is – a drive with business-grade encryption like BitLocker is going to be so hard to crack that nobody outside of a well-funded state actor will ever realistically be able to break it.
I usually see this question positioned toward mobile computers (and sometimes phones), but I don’t doubt that certain frameworks may insist on encrypting ALL computers belonging to the company. Either way, encryption is the solution – all that remains is the question of scale.
2) Multifactor Authentication (MFA) for e-mail / cloud / remote access.
I have written about MFA time and again. Studies from Microsoft have shown that a simple MFA policy can prevent 99.9% of all hacking attempts, and no business should go without it any longer. I always make it very clear to my clients: “You are not secure until you have this.”
MFA should be leveraged to protect any external access to sensitive/privileged information, systems, or applications – some of the prime examples being e-mail, VPN/remote access servers, and cloud applications like Dropbox or Office 365. Implementing MFA is not always free – you may need to invest in licensing or special application pieces in order to use MFA to protect your particular systems and workflows; in which case, make the investment and don’t pinch pennies.
I don’t think I’ve ever seen a compliance audit that did NOT ask about MFA on sensitive access, so I consider this a given. Expect to need it and don’t delay.
3) Restrict USB Devices.
Another common question is something like, “Are all non-approved USB devices blocked from use?” The real concern here is USB storage – flash drives, external HDDs, etc – and the risk of a user exfiltrating sensitive data from the company on digital storage in violation of privacy or secrecy standards (whether accidental or purposeful).
I spent 6 years in the military – the Department of Defense bans ALL unapproved USB devices from being plugged into DoD computers, bar none and at all times. I witnessed a few occasions where some airhead plugged their iPhone into a PC to get a quick charge and was hit with a nasty message along with an instant computer lockdown; they take this compliance measure with absolute seriousness.
There are a huge number of ways to do this and no single easy solution – it’s highly dependent on the internal IT infrastructure of the firm and how your users operate. The solutions range from comprehensive software that can control and audit all aspects of the environment, to the ad hoc and minimalist – such as using Group Policy to block USB devices on machines. I would strongly encourage the former over the latter where feasible, as you retain far more control and can actually PROVE your compliance when audited – an inevitable question from every auditor is “Show me the records.” You can find a rundown on comprehensive DLP solutions here.
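As an added example (not code from the original post), here is a read-only PowerShell readiness check covering items 1 and 3: it reports BitLocker state for each fixed volume and whether USB mass storage is blocked, then writes a timestamped CSV you can hand to an auditor as a record. It assumes a Windows 10/11 host with the BitLocker PowerShell module installed and an elevated session; the evidence folder path and the function names are my own choices.

```powershell
# Added example, not from the original post. Read-only compliance readiness check.
# Assumptions: Windows 10/11, BitLocker PowerShell module present, elevated session.

function Get-BitLockerReadiness {
    # PASS only when protection is on AND the volume is fully encrypted;
    # an encryption still in progress or a suspended protector is a FAIL.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $ok     = ($_.ProtectionStatus -eq 'On') -and ($_.VolumeStatus -eq 'FullyEncrypted')
            $result = if ($ok) { 'PASS' } else { 'FAIL' }
            [pscustomobject]@{
                Check  = "BitLocker $($_.MountPoint)"
                Result = $result
                Detail = "Protection=$($_.ProtectionStatus); Volume=$($_.VolumeStatus); Method=$($_.EncryptionMethod)"
            }
        }
}

function Get-UsbStorageReadiness {
    # Two common Group Policy enforcement points; either one blocks USB mass storage:
    #  - USBSTOR driver service disabled (Start = 4)
    #  - "All Removable Storage classes: Deny all access" policy (Deny_All = 1)
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                            -Name Start -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                            -Name Deny_All -ErrorAction SilentlyContinue
    $blocked = ($svc.Start -eq 4) -or ($pol.Deny_All -eq 1)
    $result  = if ($blocked) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Check  = 'USB mass storage blocked'
        Result = $result
        Detail = "USBSTOR Start=$($svc.Start); RemovableStorageDevices Deny_All=$($pol.Deny_All)"
    }
}

function Invoke-ReadinessCheck {
    # Evidence folder is an assumed location; point it at a central share if you prefer.
    param([string]$EvidencePath = "$env:ProgramData\ComplianceEvidence")
    New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $results = @(Get-BitLockerReadiness) + @(Get-UsbStorageReadiness) |
        Select-Object @{n='Host';e={$env:COMPUTERNAME}}, @{n='CheckedAt';e={$stamp}}, Check, Result, Detail
    $results | Export-Csv -Path (Join-Path $EvidencePath "$env:COMPUTERNAME-$stamp.csv") -NoTypeInformation
    $results | Format-Table -AutoSize
}

Invoke-ReadinessCheck
```

Run it on a schedule across the fleet and the accumulated CSVs become the “records” an auditor asks for; any FAIL row is a machine that still needs attention.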
If you focus some time and investment on addressing these three compliance items, then I guarantee you’ll have already come a long way within all of the major compliance frameworks. Figure out what works best for the business and make a move!