How Regulatory Compliance Affects Security Configuration Management


Information technology managers today face many challenges due to industry standards like the Payment Card Industry Data Security Standard (PCI DSS), and regulations that are federally mandated, such as:

      • Sarbanes-Oxley (SOX)
      • Gramm-Leach-Bliley
      • Health Insurance Portability and Accountability Act (HIPAA)
      • National Security Agency (NSA) and Defense Information Systems Agency (DISA) security best practices
[Image: Improperly configured hardware can cause organizations to run afoul of federal regulations.]

Yet even without industry or federal requirements, organizations have a fundamental requirement to protect proprietary data through their access controls. Companies that are subject to HIPAA or SOX may face internal and/or external auditor reviews, some of which are conducted annually, and failing an external audit can be costly. Security configuration management is one of the keys to staying within regulations and protecting proprietary data.

Regulatory Compliance Goals

Regulatory compliance requires that businesses demonstrate they are in compliance through documentation of policies and procedures, and that they have this documentation ready for review if requested. Proper security configuration management and data encryption are part of regulatory compliance. Achieving regulatory compliance requires continued effort and monitoring, yet an organization can quickly fall out of compliance should it accidentally lose its carefully constructed configurations. Trying to recover years of firewall policy can be a nightmare, but fortunately there are solutions like BackBox that can prevent these disasters by securely, regularly, and accurately backing up configurations on a range of devices from routers to switches to filters.

Compliance Is an Ongoing Practice

Companies that are subject to industry or government regulations understand the importance of regular, ongoing validation of network configurations against the standards set by regulatory mandates and best practices. When a network is accidentally configured incorrectly, the results can include:

      • Network outages
      • Degradation of performance
      • Heightened security risk
      • Breach of regulatory mandates

Any organization subject to industry or governmental regulations should have network configuration backups that allow them to recover quickly when a configuration change causes problems.

Example: HIPAA Compliance

Companies that deal with healthcare data in the US are subject to HIPAA security regulations, which apply to:

      • Routers
      • VPN
      • Firewalls
      • Windows-based mail and web servers
      • Modems
      • Wireless access points

These devices have to be tested regularly to prevent intrusion and regulatory violations, and to remain in compliance. In addition, other network devices like switches and hubs are also critical to network security, and should be part of regular compliance monitoring under HIPAA too.

What Auditors Look For

Auditors have a long list of items they check when performing an audit for compliance with regulations, but the following list gives you a general idea of what auditors look for.

      • Documented systems access controls, user account management practices, and change control practices
      • Documented, enforced separation of responsibilities for users and business application accounts
      • Documented operations and operator controls, policies, and procedures
      • Documented practices and procedures for validated solutions when problems arise
      • Documented processes for solution defect management and revalidation against specifications and regulations
[Image: Proper network configuration backups can help your organization should it be audited.]

Auditors also consider network security vulnerabilities that have to do with connectivity at the hardware and software levels. Network security includes security of routers, hubs, firewalls, switches, and their associated software components. All known and applicable security vulnerability fixes should be applied as part of ongoing system maintenance.

“Undoing” Errors Quickly

When a configuration change results in a new risk or security hole, being able to “undo” the configuration change quickly can make the difference between remaining in regulatory compliance and falling out of compliance. With BackBox, network components are all backed up automatically and regularly, so reverting to a stable configuration can be done quickly, without the need to re-implement configurations manually. The amount of time that can be saved is significant, and time is money.

No single security measure provides total security in today’s regulatory environment. Security processes and procedures have to be developed, implemented, and enforced. Security system hardware enforces security rules through its various configurations. Once system components are installed properly, and routers, firewalls, VPNs, switches, and other components are configured properly, they should be backed up regularly. That way, when a configuration change results in an unexpected security vulnerability, the configuration can be changed back before a security breach can occur. BackBox is in the business of helping organizations maintain robust security and compliance with any applicable industry or government regulations.

Photo Credits: scottchan / freedigitalphotos.net; Stuart Miles / freedigitalphotos.net

The post How Regulatory Compliance Affects Security Configuration Management appeared first on BACKBOX BLOG.
