Foundations for Information Security Strategy: SAS 70 and SSAE 16 (Part 2)
In the first article of this series on information security within your facility, we shared some background on why and how people steal names, addresses, social security numbers and credit card information, as well as the increasing regulation of personal information. This has led to heightened awareness and use of the SAS 70 audit (now SSAE 16). When your business handles sensitive client information as part of a process such as printing or mailing (which is what makes your business a service organization), the audit provides assurance over that process and proves to customers and other third parties that sound and secure business processes are used to protect that confidential information. We also discussed a number of key areas where exposure exists.
In this article, the second of a three-part series, we discuss corrective actions that can be taken to mitigate the common exposure areas identified there.
Strong Policies and Procedures
Policies and procedures provide the foundation for entity-level controls. They demonstrate management’s commitment to a secure environment. They define acceptable behavior for employees and provide accountability for violations of acceptable behavior. Periodic training is essential to ensure that policy objectives are understood throughout the organization.
Defined User Access Permissions
User permissions define the areas within the system that users are allowed to operate. Permissions should be defined for the network, business applications, and databases. The concept of least privilege should be used. Least privilege dictates that system users should have access to everything they need for their job functions but nothing that they do not need. The more granularity that is applied, the more secure the system will be. This sounds simple, but it can be a complex process; defining access by role and using role templates is an effective way to administer it.
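The role-template approach above, as an added example that is not from the article: each user's actual grants at the network, application and database layers are compared with the template for their role, and anything held beyond the template is reported as a least-privilege violation (role names and permission strings are constructed).

```python
# Added example (not from the article): checking users' actual grants
# against role templates to find least-privilege violations. Role names
# and permission strings are constructed for illustration.

# A role template lists what a job function needs, per layer (network,
# business application, database), as the section recommends.
ROLE_TEMPLATES = {
    "mail_operator": {"network": {"vpn"},
                      "application": {"mailrun.view", "mailrun.submit"},
                      "database": {"jobs.read"}},
    "db_admin": {"network": {"vpn", "dbnet"},
                 "application": set(),
                 "database": {"jobs.read", "jobs.write", "schema.alter"}},
}
LAYERS = ("network", "application", "database")

def audit_user(role, grants):
    """Return (excess, missing) grants relative to the role template.

    Excess grants violate least privilege; missing grants mean the user
    cannot do the job and will tend to accumulate ad-hoc access instead.
    """
    template = ROLE_TEMPLATES[role]
    excess, missing = {}, {}
    for layer in LAYERS:
        held = set(grants.get(layer, set()))
        needed = template.get(layer, set())
        if held - needed:
            excess[layer] = sorted(held - needed)
        if needed - held:
            missing[layer] = sorted(needed - held)
    return excess, missing

# Constructed sample: an operator who accumulated DBA rights over time,
# and a DBA whose templated grant was never provisioned.
SAMPLE_USERS = {
    "alice": ("mail_operator", {"network": {"vpn", "dbnet"},
                                "application": {"mailrun.view", "mailrun.submit"},
                                "database": {"jobs.read", "schema.alter"}}),
    "bob": ("db_admin", {"network": {"vpn", "dbnet"},
                         "database": {"jobs.read", "jobs.write"}}),
}

def audit_all(users=SAMPLE_USERS):
    """Map each user name to its (excess, missing) audit result."""
    return {name: audit_user(role, grants) for name, (role, grants) in users.items()}
```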
Hardened Internal Systems
By default, most operating systems and application systems are shipped and installed in a very insecure manner. Specifically, if you install a system and make no changes to the default settings, the system will likely have numerous security flaws and will be vulnerable to attack. This condition is known as “default open.” The process of taking the system from a default open condition to a more secure condition is called “hardening.” There are four categories to be considered for hardening:
- Authentication. Default passwords in systems are typically weak and in some cases missing entirely. All default passwords, especially those with super user (administrator) privileges, need to be changed immediately upon install.
- Event Logging. By default, event logging is weak and in many cases turned off entirely. Key event logs need to be assessed and turned on as appropriate.
- Default System Settings. By default systems settings can be very insecure. This can be a highly technical process to identify and remediate, often very system-specific. The Center for Internet Security (CIS) is a terrific resource for this issue. CIS provides system specific hardening checklists and, in some cases, even provides software tools to scan your systems for weak settings. CIS can be found at www.cisecurity.org.
- Security Patches. Security patches are provided by software vendors to correct security flaws inherent in the systems. By default no patches are installed. IT staff will need to download and install patches before the systems are put into production.
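The first three categories as a checklist evaluation, added here as an example that is not from the article or from CIS: a constructed snapshot of a freshly installed server is compared with a constructed hardened baseline, and every default-open condition is reported under its category (the fourth category, patches, is covered by the patch-compliance example later in this article).

```python
# Added example (not from the article): evaluating a system snapshot
# against the first three hardening categories above. The snapshot
# layout and baseline values are constructed, not from any CIS benchmark.
# Constructed snapshot of a freshly installed server ("default open").
SNAPSHOT = {
    "accounts": [
        {"name": "admin", "superuser": True, "password_set": True, "default_password": True},
        {"name": "guest", "superuser": False, "password_set": False, "default_password": False},
    ],
    "logging": {"auth": False, "system": True, "application": False},
    "settings": {"telnet_enabled": True, "anonymous_ftp": True,
                 "ssh_root_login": True, "password_min_length": 4},
}

# Constructed hardened baseline: each setting maps to (predicate, wanted).
REQUIRED_LOGS = ("auth", "system", "application")
SETTINGS_BASELINE = {
    "telnet_enabled": (lambda v: v is False, "False"),
    "anonymous_ftp": (lambda v: v is False, "False"),
    "ssh_root_login": (lambda v: v is False, "False"),
    "password_min_length": (lambda v: v is not None and v >= 12, ">= 12"),
}

def check_authentication(accounts):
    """Default or missing passwords; superuser accounts are rated high."""
    findings = []
    for a in accounts:
        if a["default_password"] or not a["password_set"]:
            severity = "high" if a["superuser"] else "medium"
            findings.append((severity, f"account {a['name']}: default or missing password"))
    return findings

def check_logging(logging):
    """Key event logs that are turned off."""
    return [("medium", f"log {k} disabled") for k in REQUIRED_LOGS if not logging.get(k)]

def check_settings(settings):
    """Settings that differ from the hardened baseline (absent counts as failing)."""
    findings = []
    for key, (ok, wanted) in SETTINGS_BASELINE.items():
        value = settings.get(key)
        if not ok(value):
            findings.append(("medium", f"setting {key}={value!r}, expected {wanted}"))
    return findings

def harden_report(snapshot=SNAPSHOT):
    """Findings grouped by category; all lists empty means hardened."""
    return {"authentication": check_authentication(snapshot["accounts"]),
            "event_logging": check_logging(snapshot["logging"]),
            "default_settings": check_settings(snapshot["settings"])}
```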
Data Encryption Strategy
Management should devise a data-driven encryption strategy. The first step is identifying high-risk data and tracking it as it passes through systems and business processes. Encryption then should be applied to such data whenever it passes through public infrastructure (such as the Internet) or leaves the data network on removable media such as a laptop or PDA.
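The two steps described above, identifying high-risk data and tracking it through the process, as an added example that is not from the article: a constructed print-and-mail workflow is modelled as hops between process steps, each hop carrying a set of fields over a channel type, and every hop where high-risk data crosses public infrastructure or leaves on removable media in the clear is flagged (field names, step names and channel types are constructed).

```python
# Added example (not from the article): tracing high-risk data through a
# constructed print-and-mail workflow and flagging every hop where it
# crosses public infrastructure or leaves on removable media unencrypted.

# Data elements the article names as theft targets are classed high-risk.
HIGH_RISK = {"name", "address", "ssn", "credit_card"}

# Channel types on which the article's rule requires encryption.
ENCRYPT_ON = {"internet", "removable_media", "laptop", "pda"}

# Constructed workflow: each hop moves a set of fields over one channel.
WORKFLOW = [
    {"from": "client", "to": "sftp_gateway", "channel": "internet",
     "fields": {"name", "address", "ssn"}, "encrypted": True},
    {"from": "sftp_gateway", "to": "composition", "channel": "internal_lan",
     "fields": {"name", "address", "ssn"}, "encrypted": False},
    {"from": "composition", "to": "print_server", "channel": "internal_lan",
     "fields": {"name", "address", "ssn"}, "encrypted": False},
    {"from": "print_server", "to": "offsite_backup", "channel": "removable_media",
     "fields": {"name", "address", "ssn"}, "encrypted": False},
    {"from": "composition", "to": "sales_laptop", "channel": "laptop",
     "fields": {"job_id", "page_count"}, "encrypted": False},
]

def trace(field, workflow=WORKFLOW):
    """Every hop a single data element travels over, in process order."""
    return [f"{h['from']}->{h['to']}" for h in workflow if field in h["fields"]]

def encryption_gaps(workflow=WORKFLOW, high_risk=HIGH_RISK):
    """Hops carrying high-risk data on a channel that requires encryption
    but sent in the clear; each gap lists the exposed fields."""
    gaps = []
    for h in workflow:
        exposed = h["fields"] & high_risk
        if exposed and h["channel"] in ENCRYPT_ON and not h["encrypted"]:
            gaps.append((h["from"], h["to"], h["channel"], sorted(exposed)))
    return gaps

def coverage(workflow=WORKFLOW, high_risk=HIGH_RISK):
    """Fraction of risky hops (high-risk data on a risky channel) encrypted."""
    risky = [h for h in workflow
             if h["fields"] & high_risk and h["channel"] in ENCRYPT_ON]
    return sum(h["encrypted"] for h in risky) / len(risky) if risky else 1.0
```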
Vulnerability Management Strategy
In the section on hardening we referred to patches that are provided by software vendors to correct security flaws in the systems they provide. A sound security strategy should include a structured process to ensure that these patches are downloaded, tested, and installed on an ongoing basis. This should include all systems: operating systems, application systems, and databases.
Perimeter Security Layers
The goal of perimeter security is to ensure that outside entry points, such as the Internet gateway, wireless access points, remote access systems, etc., are secured from unauthorized access. This is a largely technical process. Firewalls, proxy servers, intrusion detection systems (IDS), and other technologies are typically deployed based on risk analysis. The key is to monitor the performance of these systems to ensure they operate as intended on an ongoing basis.
Event logging at the network, server, workstation, application and database level is a key element to the security strategy. As mentioned in the hardening section, these logs are often turned off by default and need to be properly configured to operate correctly.
Incident Response Plan
An information security plan is designed for risk mitigation. Risk elimination is not possible or feasible. A well-defined incident response plan is key to ensuring that threats are identified on a timely basis, responded to correctly, and any loss or damage remediated properly.
Testing and Monitoring
Periodic testing and monitoring are key to ensuring that the controls put in place to mitigate risk are operating as intended and that security objectives are being met on an ongoing basis. For example, a periodic scan of servers using the proper tools can identify any missing security patches, including patches that did not install correctly.
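The patch check described here, and the structured download-test-install process from the Vulnerability Management Strategy section, as an added example that is not from the article: constructed scan results for three hosts are compared with a baseline of tested, approved patches and their deadlines, so that patches never attempted and patches that did not install correctly both surface, with overdue ones flagged (patch ids, host names and dates are constructed).

```python
# Added example (not from the article): comparing each server's reported
# patch state against the tested-and-approved baseline to find patches
# that are missing or did not install correctly. All ids, hosts and
# dates are constructed for illustration.
from datetime import date

# Patches that have passed the download-and-test steps of the process,
# with the date by which each must be installed in production.
BASELINE = {
    "PATCH-0001": {"severity": "critical", "deadline": date(2011, 9, 1)},
    "PATCH-0002": {"severity": "important", "deadline": date(2011, 9, 15)},
    "PATCH-0003": {"severity": "moderate", "deadline": date(2011, 10, 30)},
}

# What a periodic scan reported per host. A patch absent from the host's
# list was never attempted; "failed" and "pending_reboot" are installs
# that did not complete correctly.
SCAN = {
    "web01": {"PATCH-0001": "installed", "PATCH-0002": "installed", "PATCH-0003": "installed"},
    "db01": {"PATCH-0001": "installed", "PATCH-0002": "failed"},
    "app02": {"PATCH-0001": "pending_reboot", "PATCH-0003": "installed"},
}

def host_issues(statuses, baseline, today):
    """Baseline patches not fully installed on one host, flagged if overdue."""
    issues = []
    for patch, meta in baseline.items():
        status = statuses.get(patch, "missing")
        if status != "installed":
            issues.append({"patch": patch, "status": status,
                           "severity": meta["severity"],
                           "overdue": today > meta["deadline"]})
    return issues

def compliance_report(scan=SCAN, baseline=BASELINE, today=date(2011, 9, 28)):
    """Map each host to its list of outstanding patches."""
    return {host: host_issues(st, baseline, today) for host, st in scan.items()}

def summarize(report):
    """Count hosts as compliant, behind (outstanding, not yet due) or overdue."""
    counts = {"compliant": 0, "behind": 0, "overdue": 0}
    for issues in report.values():
        if not issues:
            counts["compliant"] += 1
        elif any(i["overdue"] for i in issues):
            counts["overdue"] += 1
        else:
            counts["behind"] += 1
    return counts
```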
By working through these areas within your business, you can mitigate some of the exposure and increase the security in your plant. Once you are comfortable that your business has good controls in place, the next step will be to go through an SAS 70 or SSAE 16 audit to certify your process and provide evidence to your customers. In the third and final article of this series, we will walk through the background and mechanics of completing that certification.
Mark Eich, CPA, CISA, is Principal in Charge of Information Security Services at Larson, Allen, Weishair & Co., LLP. Mark has significant experience with both IT auditing and SAS 70 audits and has been retained by ACA to enhance the PPMS methodology to include physical and data security. He can be reached at firstname.lastname@example.org.
Published on Wednesday, September 28, 2011 (updated 09/28/2011)