Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Pass the technical audit and secure your environment

713 views

Published on

In the past, audit checks were compartmentalized and IT staff were enforcers. It can’t be that way anymore. Make sure you are using the proper tools to easily pass the technical audit so you can focus on improving your overall security posture. Users need to be educated about the proper use of hardware, software, and understand security. When an auditor comes on site, they aren’t just looking to check a box, they are validating policies and procedures. They will go to users and ask questions like, “are you aware” or “how do you”. Because of the recent breaches, they understand it’s not just IT, but all employees who must understand security policy and procedures. There needs to be companywide education and support for security. As a CISO that’s your primary goal.

Published in: Technology
  • Be the first to comment

Pass the technical audit and secure your environment

  1. 1. Pass the technical audit and secure your environment Protect your data from the pain and cost of data breaches © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  2. 2. Housekeeping » Everyone is on mute, use your GoToMeeting® console to chat or ask questions » Feel free to ask questions throughout the webcast, however all questions will be held until the live Q&A session at the end of the webcast » We are recording this webcast and will send a link to view the archive via email once the on demand is available © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  3. 3. Introductions Meet Today’s Presenter • Rob Johnson, LEM Product Specialist, SolarWinds © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  4. 4. Agenda  Audit Prep - A Corporate Wide Policy  Audit Prep - The Technical Audit  How Can SolarWinds Help  Benefits & Summary © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  5. 5. Important Dates  1st Jan 2014 - PCI DSS v3 became effective  31st Dec 2014 - PCI v2 expires  Great articles on Compliance Preparation  http://searchsecurity.techtarget.com/tip/IT-compliance-planning-How-to-maintain-IT-compliance-documentation  http://searchsecurity.techtarget.com/tip/How-to-use-compliance-automation-to-reduce-compliance-risk  http://searchsecurity.techtarget.com/tip/How-descoping-measures-can-help-reduce-regulatory-compliance-burden © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  6. 6. Why is Compliance Important? Business Disruption - Negligence of security best practices leading to security breach, can incur huge losses in company profits. Loss of Brand Image - Security breaches with trusted retailers, consumer backlash is harsh and can result in tremendous damage to brand and stockholder equity. Polls show that nearly half, i.e. 45% of card holders reluctant to return to regular stores that experienced a recent data breach, this holiday season. - CreditCards.com Fines & Penalties - Violators may also experience severe losses due to assessment of fixed and variable penalties, obligation to pay investigation and forensic costs and liability from defending against lawsuits. © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  7. 7. Audit Prep – A Company Wide Policy  Cross department communication is critical to audit success • Involve all department heads in the entire audit process. • Ensure each department has a clear understanding of their requirements. • Assign a dollar value to audit failure.  Educate your company on security and audit policies and procedures • Everyone is affected by failed audits • Auditors will randomly verify so ensure all employees clearly understand security policies and procedures. • On-going employee education is critical to audit success and a better security posture.  Document EVERYTHING! • Up-to-date Documentation is absolutely critical to audit success. You may be asked for documentation before the auditors even come on site. Everything from access lists, network diagrams and configuration files to business and risk assessment plans may be required. • Policies and procedures should be clear and easy to follow. Ask the question, “If I am unable to respond can anyone follow the written procedures?” © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  8. 8. Audit Prep - The Technical Audit  Perform a self assessment based on previous audit or upcoming audit requirements • Test your IT staff and users on existing policies and procedures. • Research and discover any new requirements  Determine the advanced information that may be required. • Network diagrams, inventory, process diagrams, incident response procedures • Designate and prepare key IT personnel that will communicate with auditors  Scope and De-Scope the network • At a high level, isolates systems that store, process, or transmit sensitive data from those that do not. • Implement network segmentation if possible • Isolate data that falls under compliance to specific systems and control access to those systems • Internal network partitioning can be accomplished using firewalls and routers • The network segments can be easily presented via compliance reports • Reduces the scope of an audit - less effort, documentation, time, resources and money will logically be required to complete the audit process.  Use Purpose Built Tools • Improve availability of mission critical IT infrastructure by reducing downtime due to human errors • Set up real-time alerts for any device configuration change • Introduce accountability and audit ability with role based access control • Improve admin productivity by eliminating manual compliance checks © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  9. 9. Technical Audit Prep - Network Segmentation © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. RETAIL STORE POINT-OF-SALE NETWORK Prevent unauthorized internal or external access to the data stored in the network segment. BACK-OFFICE NETWORK DATACENTER SERVICE PROVIDER ACQUIRING BANK BRANCH NETWORK AUDIT SCOPE Without segmentation the entire network is a scope for audit. Segmentation simplifies maintenance and reduces audit costs.
  10. 10. Technical Audit Prep - Network Security Basics © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. Mitigate fundamental security weaknesses with perimeter network defenses and basic security practices » Use Secure Protocols – SSH/SNMPv3 » Log Access Control Lists (ACL’s) » Review Defaults & Disable Services » Archive Audit Logs and Configs » Separate management services from production to reduce security risk
  11. 11. Technical Audit Prep - Business-as-usual It is important to incorporate these practices in day-to-day IT operations and not a fire drill in view of an imminent certification audit. © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  12. 12. Technical Audit - Use Purpose-built Tools  Using purpose built tools can significantly improve audit preparation by:  Centralizing information – One time information requests, incident response, forensics and reporting are significantly improved when data is aggregated into a single location.  Improving availability of mission critical IT infrastructure and reducing downtime due to human errors  Providing real-time alerts and scheduled audit specific reports  Providing accountability and audit ability access control  Automating incident response through templates and educating staff. © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  13. 13. Technical Demonstration © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  14. 14. Benefits & Summary  Mitigate security weaknesses and compliance through consistency and education  Improve audit preparation efficiency using purpose built tools  Implement, educate and enforce basic network security  Ensure compliance and security become part of the corporate culture © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  15. 15. © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. Questions?
  16. 16. © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. Thank You! The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.

×