October 2017: Does your organization need to comply with regulatory standards, either by law or voluntarily? Then you know compliance standards tell you what to do but not HOW to do it — they leave the details up to you. When it comes to figuring out the details, running the necessary tools, and documenting everything, IT has major roles to play. Here’s how IT can help keep your compliance ducks in a row:
1. Partner in creating the policies and procedures
IT needs to be at the table when your organization creates the policies and procedures it will follow to be compliant. IT can advise on how to effectively design a reasonable, doable control that meets each standard, and advise on the best tools for the job. Without IT’s participation on the front end, your organization runs the risk of IT not being able to deliver on its own policies and procedures. Which puts you out of compliance.
If your organization creates a policy, for example, that requires patches to be applied within 24-48 hours after their release, it’s likely your IT team can’t pull that off. While patching as soon as possible is the goal, applying a patch requires a scheduled outage window for the network to be available and enough time for the patch to be tested to make sure it doesn’t create any unintended problems in your IT environment. Both of these things take time, which makes the 24-48 hour window not very doable.
Policies and procedures need to reflect what IT can realistically deliver. So, IT should be involved from the beginning. It’s a good idea for your compliance advisor (who is usually from the same firm that does your voluntary audits and has a ton of experience) to participate in planning as well.
2. Implement the necessary tools and controls
Your policies and procedures will define a lot of different IT tools — firewalls, encryption packages, multifactor authentication tools, and others. These tools will need to be added (or subscribed) to your IT environment, which is clearly IT’s role. Your policies and procedures also define a lot of controls that have nothing to do with tools directly. They’re all about the way things are done.
For example, let’s say an IT tech is on his way to the break room and Sally stops him in the hall to ask about a computer problem. He sits down at her desk, logs into her computer, and fixes the problem. Then, he keeps going to the break room. This is natural and Sally is happy.
However, there’s no record of Sally’s request or how the IT tech delivered the resolution. While it may seem like no big deal to jump on her computer to fix a little problem, if he logged into her computer with administrative credentials or logged into the server from her computer, he may have violated a procedure. Or if someone in another department happened to click on a piece of ransomware at the same time and it started encrypting files, it can appear as though there was an unauthorized login from Sally’s computer that may have been part of the problem. The IT tech should’ve asked Sally to open a ticket or entered a ticket for her before he started working on her computer.
Or ,let’s say Sally gets fired. You have an HR policy that states your company is going to disable an employee’s access to the network within 30 minutes of being terminated. But if the IT tech doesn’t document the ticket or if HR asked IT to do it without having first documented it in a ticket, it will look like Sally still has access to the network because there’s no evidence — a log, ticket, checklist, or other document — that she has been locked out. And without documentation, you can’t prove it to an auditor.
3. Document your compliance
Keeping records that prove your policies and procedures are being followed can take more time than not keeping records — of course. And while IT departments tend to do things in a secure way because they know what they’re doing, they also tend to have a reputation for not naturally gravitating toward a documentation process. However, it is IT’s role to document everything because being compliant isn’t just about being secure. Being compliant is about being able to prove you’re adhering to your own policies and procedures.
The level to which your IT team documents each action can determine your compliance and your ability to solve problems within your IT environment when they happen.
And they will happen — no IT environment is forever flawless. Being compliant and documenting everything doesn’t mean you won’t ever have a security event, but it will minimize the impact of an event because you are compliant.. It can also help you win new business.
Leapfrog helps clients design policies and procedures that meet regulatory compliance, both voluntary or required, and operate our clients’ IT environments in ways that are easily evidenced — we log everything! For example, we require multifactor authentication for all remote access, record all inbound calls, document all privileged logins, and follow dozens of other processes that ensure proving compliance is as simple as running a report. Not every client needs this level of documentation, but for those who may only need it occasionally, it’s reassuring to know it’s there. If you’d like to discuss how Leapfrog can help your organization with compliance issues or preparing for an audit, please give us a call.
If you liked this post, don’t forget to subscribe to FrogTalk, our monthly newsletter.