Compliance demands are everywhere. In the past, only banks, publicly traded companies, and those in the health care industry needed to worry about compliance. Today, virtually every organization must deal with regulatory pressure in one form or another. Whether it’s government-mandated compliance such as SOX or HIPAA, industry-enforced regulations such as PCI DSS, or self-imposed controls such as ISO 27002, the alphabet soup of applicable regulations is growing, and the burden to satisfy these demands is becoming more and more challenging.
The logical reaction is to seek a line-by-line assessment of compliance (or non-compliance), often involving an auditor digging for a violation. If a violation is found, the organization is left scrambling to find a way to remediate the violation. Compliance doesn’t have to be complex or reactive. Quest Software’s Tim Sedlack and Todd Peterson suggest five simple tactics that – if followed – can dramatically improve an organization’s chances of passing its next compliance audit.
Click through for five ways to accelerate your path to compliance, as identified by Quest Software’s Tim Sedlack and Todd Peterson.
Tactic #1: Remember that de-provisioning is more important than provisioning
While setting up user accounts (provisioning) in a timely and efficient manner is vital for operations and productivity, regulations don’t care. PCI 8.5 and ISO 2002 A.8.3 (as well as similar sections in virtually every other regulation) require immediate and complete revocation of access for terminated employees. This is called de-provisioning and is perhaps the most often overlooked and highly scrutinized area of compliance.
Tactic #2: Do not ignore privileged accounts
Privileged accounts – those that grant system-level access – are THE primary sources of security breaches, and among the first places auditors look for compliance weakness. Because these accounts are all-powerful, absolutely necessary for system operation and management, and are not tied to an individual (i.e., they are most often shared across all administrators who must use them), privileged – or superuser – accounts are the primary target for the malicious activity that regulations seek to address.
Just because they’re privileged doesn’t mean they’re untouchable. Most data breaches we see are caused by insiders who exploit the privileged accounts only available to insiders. One of the most important things you can do to control access to privileged accounts is to eliminate the sharing of administrator passwords and credentials through technologies that enforce a policy-based request, approval, issuance, return, and resetting of administrative passwords.
Tactic #3: Limit access to critical and controlled resources while watching what people do
Obviously, you are not interested in an employee’s personal data contained on the device they’re using for access, so you need to isolate the company’s critical resources from an individual’s personal information. Strong authentication, ongoing audit of activities and a good, well-maintained password policy will help you here. Reviewing access and content often really is key, because you’re still in charge of compliance both today and tomorrow. Whoever needs access today might not need it tomorrow, and, on the flip side, if a user needs access tomorrow but doesn’t have it, that’s also a compliance failure.
Tactic #4: Codify controls where possible
If you can prove to auditors that you have automated controls in place, they don’t have to keep seeking examples to prove that manual processes are working. Make sure you can generate comprehensive reports for best practices and regulatory compliance mandates, and show them examples of both prevention and the positive outcome of intended access controls.
Tactic #5: Run regular reports that make it easy to spot the outliers and exceptions
Look specifically for things like accounts with non-expiring passwords (some may be legitimate), guest access of accounts, and new resources that need to be controlled.