If you are old enough to remember George Carlin’s comedy sketch on the 7 words you can’t say on TV, then you are probably scratching your head at how far we have come on what is considered a dirty word and what is now commonly accepted. If you are a CISO then there are probably a few other words you would like to add to that list with “compliance” being at the top.
Compliance Is A Necessity
It seems that every industry has some level of compliance requirement and these requirements usually have some component of IT security as well. Some of the most common include:
- System and Organization Controls (SOC)
Security Boulevard reports that “The SOCs are a set of compliance standards that were developed by the American Institute of CPAs (AICPA), a member network of more than 430,000 CPAs around the world. SOC audits are designed to examine the policies, procedures, and internal controls of an organization. Testing and reporting on these controls are important because they impact the security, privacy, and confidentiality of an entity’s sensitive data. Every audit is conducted in accordance with the AICPA audit guide and Attestation Standards Section 101 (more commonly known as AT Section 101).”
- Payment Card Industry Data Security Standard (PCI DSS)
PCIcomplianceguide.org explains that PCI DSS “is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.”
- Gramm-Leach-Bliley Act (GLBA)
Insurance companies, banks, financial institutions, securities firms, and organizations that provide financial products and services to consumers, such as lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; and collecting consumer debts are all subject to GLBA.
- Health Insurance Portability and Accountability Act (HIPAA)
HHS.gov reports that “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.”
- Federal Information Security Management Act (FISMA)
According to Wikipedia, “The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”
Every one of these compliance regulations requires some level of assurance that your IT infrastructure can satisfy a base level of protection against outside threats, and that is where security assessments come into play.
Compliance Requires Security Assessment
Not all security assessments are created equal. Ultimately you will need to target a specific area for maximum impact in order to satisfy specific compliance reporting requirements. The six areas of focus, and the considerations each should include, are:
- Applications: Securing software for web, client, and server applications requires modeling systems like an attacker would and pinpointing areas of weakness that can be exploited. You will need to provide secure code reviews and web application penetration testing to identify security bugs and flaws while helping development teams rapidly remediate any discovered issues.
- Internet of Things (IoT): The Internet of Things (IoT) presents its own unique set of security challenges and requires a broad skill set for assessing. You should aim to secure your IoT devices and corresponding infrastructure through source code reviews, dynamic software and hardware testing, forensic analysis, and reverse engineering.
- Networks: Your on-premises, cloud, and hybrid network environments are under continuous attack. So, your network security assessments should explore the digital footprint of the organization and rigorously test your organization’s defenses and their ability to withstand attacks.
- Mobile: Your mobile assessments should explore how an application can expose security and privacy concerns for users and determine how to prevent these issues from happening. You will need a partner that specializes in iOS and Android security and focuses on discovering how security controls can be circumvented in order to breach client-side and server-side defenses.
- Cloud: In order to successfully maintain secure cloud software infrastructures, as well as guide teams into the cloud securely, you will need a partner that has deep expertise with AWS, Azure, and GCP and with supporting multi-cloud deployments.
- Cloud Native: Building systems the Cloud Native way offers security opportunities as well as new challenges. You should perform security testing and help protect Kubernetes, Docker, and the microservices that power your software.
In order to satisfy compliance requirements, your security assessments should go beyond just identifying security defects. You should expect help with meaningfully triaging and fixing the vulnerabilities discovered during testing. When selecting a vendor, look to see if they provide exceptional remediation advice that is specific, actionable, and aimed at reducing the engineering overhead typically associated with mitigating security issues in each area of assessment.
Satisfying compliance regulations requires understanding that risk mitigation extends beyond periodic assessments, training, and code remediation. You should identify partners that have the capabilities to assist your team in implementing strategies, technology, and policies that align with your organization and its development methodologies.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guide organizations to build best practices with high ROI into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT through services, software solutions and R&D unique to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.
Call us when you are ready for security assessments to test the vulnerability of your applications, Internet of Things (IoT), networks, mobile and cloud, or better yet, schedule a consultation today or download our new eBook titled “Demystifying DevSecOps” to get started yourself.