The Evidence You Need: Compliance Made Easier

Compliance with industry regulations can be complicated. One way to make things easier is to know in advance what types of evidence will be acceptable with your standards body. This article offers an overview of some typical requirement areas and what you might put aside for future proof.

Compliance Needs and Proper Evidence

Whether you're a financial institution, payment industry player, healthcare organization, or utility or energy sector business, there are some commonalities when it comes to the proof you might provide for compliance reporting. Here are some of the main areas to consider.

Consistent Vulnerability Testing

There are different levels of risk assessment and vulnerability scanning, but no matter your industry, you'll likely need to prove that you are testing on a regular basis to identify potential threats. Thorough, proactive testing can help your organization prioritize protection of organizational assets (i.e. hardware, systems, data, and applications) based on data classification and business value.

A comprehensive cybersecurity posture holistically considers all of the system, object, network, virtual machine, and application controls. Your team needs to not only manage and monitor perimeter defense tools such as border routers and firewalls, but also keep systems configurations (for servers, desktops, routers, etc.) up to industry standards.

At the same time, you'll typically need to demonstrate a deep understanding of what is interacting with what and that every computer system component or process is only configured to connect with other components it must necessarily access. Segmentation testing should demonstrate that connections attempted from out-of-scope networks and systems are denied.

What counts?

• The security plan document, which includes groupings of critical cyber assets, cyber system identifications, and impact categorizations.
• Electronic or physical dated records of review via vulnerability scanning or the more in-depth penetration testing
• Written or electronic proof of procedures in place for coordination and communication between entities working to ensure system, network, application reliability and operability

Delineation of Roles and Responsibilities

Your business needs to demonstrate who is in charge of what, and often needs to inform industry standard keepers of any change within a pre-established time frame.

Your organization should have established in advance who is in charge of monitoring threats and vulnerabilities, who will be using new threat information to proactively enhance internal risk management and controls, and who will be pressed into action if a threat is identified and remediation is needed.

At the same time, you would want to use this organizational chart to limit employee access to systems and confidential data based on their job responsibilities minimizing user profile privileges based on job necessity.

What counts?

• An organizational chart identifying senior managers in charge of cybersecurity and their responsibilities.

Employee Training

An annual information security training for your employees should include incident response, emerging issues, and current threats (i.e. phishing, spear phishing, social engineering, mobile security, etc.). You'll need to speak to employees on an ongoing basis about password protection and accessing information remotely.

What counts?

• Presentations, instructor notes, handouts or other materials from the training
• Written company-wide communications regarding password protocols, malware awareness or risk reduction initiatives.

Policies and Procedures to Safeguard PII

By PII we mean Personally-Identifying Information. Anyone who has this data can guess that their industry watchdogs are going to want proof that this is properly secured. You should have a plan in place that identifies any reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and how your organization is set up to detect, prevent, protect, and respond to any such threats.

What counts?

• Indicators that encryption and termination on the intermediate system are utilized for all interactive remote access sessions
• Screen captures or written documentation of multi-factor authentication requirements
• Evidence that action is taken, prior to the disposal of cyber assets, to prevent the unauthorized retrieval of data.

Physical Security Protocols

Controlling physical access is essential too.

For compliance, you will likely need to prove not only that you have a monitoring system in place, but that you also effectively manage employee access on an ongoing basis. This can mean having a process established to remove an individual's unescorted physical access, interactive remote access, and access to designated storage locations within 24 hours of a termination action or their transfer to a new role or responsibility with different privileges attached.

What counts?

• Documentation of methods to control physical access (this might include physical logs, security camera video, or computerized access logs)
• Proof of processes used to confirm identity of personnel with access to cyber systems and their associated assets
• Certification of alarm systems being up-to-date
• Identification of the alerts or alarms used to identify unauthorized access through a physical access or physical access control point (and to whom these go)
• Records of criminal history record check and risk assessments done for contractors or service vendors.

Remediation Actions

Incident handling protocols need to be clearly established to remain compliant, yes, but also because this will expedite your organization's ability to respond efficiently and effectively. Processes should be established to identify, classify, and respond to cyber security incidents. Conditions for activation of a recovery plan ought also to be defined.

What counts?

• Logs of successful login attempts, failed access and login attempts, and malicious code detection
• Written proof of process established to review or sample logged events to identify undetected cyber security incidents
• Proof of processes in place for testing, installing, and update of signature and patterns
• Documents related to reportable cyber security incidents (such as security logs, police reports, emails, forensic analysis results, restoration records, and post-incident review notes)
• Evidence of one or more process for the backup and storage of information required to recover.

Being proactive and filing away the types of evidence we've identified here can be a time-saver down the road.

Meanwhile, although this blog has focused specifically on the types of documentation you want to save, record, and store to make it easier to comply with industry regulations, RedTeam Security industry experts are always available to help your business exceed industry standards. We can do the necessary penetration testing to identify threats, cybersecurity weaknesses, or potential issues with your network, system, or applications. Let RedTeam Security experts amp up your prevention and protection activities starting with a free consultation today.

Click To Schedule Your Free Consultation‍