AWS Vulnerabilities

Amazon Web Services (AWS) dominates the enterprise cloud landscape. Around two-thirds of business cloud users host infrastructure on AWS. That includes many of the biggest companies in the world and small and medium businesses in the tens of thousands. AWS’s popularity makes it a tempting target for cybercriminals: AWS vulnerabilities could let them steal data from thousands of businesses.

Amazon regularly finds and fixes vulnerabilities in the platform’s code and networks. However, many common AWS vulnerabilities originate with users. AWS provides tools to help cloud users secure their data and infrastructure, but it is a complex cloud platform. Inexperienced users often misconfigure cloud resources, creating security vulnerabilities.

This article will help you understand frequently exploited AWS vulnerabilities and how to guard against them. 

AWS Root Account Credential Leaks

The AWS root account controls every aspect of your AWS environment. The root account can add new users, modify user permissions, create and destroy cloud resources, and access all of your data. It’s important to have a root account. Without it, you would not be able to set up your AWS environment in the first place. But if it leaks, that environment has no protection.

You should share the root account’s credentials only with trusted senior employees who need root access. It should not be widely shared within your organization, and it should not be used during the day-to-day operation of your AWS environment. Use the root account to set up IAM users with appropriate permissions, then rely on the new user accounts going forward. To further improve AWS security, activate two-factor authentication on the root account and disable the account’s API access key. 

Exposed AWS Access Keys

AWS access keys are credentials used for programmatic access to AWS APIs. Your code can use access keys to carry out tasks that the associated user has permission to perform. For example, your app might use access keys to deploy EC2 instances or store data in an S3 bucket. 

Misused access keys can create an AWS vulnerability. They are often embedded in code, which is then uploaded to a version control system like GitHub. Bad actors frequently target businesses that upload access keys to public repositories. But it is also dangerous to store keys in private repositories. Just like usernames and passwords, access keys should not be shared widely within your organization. If you put them in a private repository, anyone with access to the repository can see the keys. 

We explored how businesses can better protect their AWS access keys in How to Keep AWS Access Keys and Other Secrets Safe.
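One practical defence against the problem described above is to scan a checkout for AWS credential patterns before code reaches a repository, public or private. The following Python scanner is an added example, not code from the original article or from KirkpatrickPrice. It matches the well-known access key ID prefixes (AKIA for long-term keys, ASIA for temporary credentials) and a 40-character secret sitting next to a variable name that mentions it. The sample "files" are constructed, and the credential values in them are AWS’s own documented placeholder examples, not real keys. Anything it reports should be rotated, not merely deleted from the file, because the value is already in version history.

```python
import re
from dataclasses import dataclass

# Long-term access key IDs start with AKIA, temporary ones with ASIA, each
# followed by 16 upper-case alphanumerics. Boundaries stop partial matches.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-style characters; on its own that pattern is
# too noisy, so require a nearby name such as AWS_SECRET_ACCESS_KEY.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_\-]?access[_\-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass
class Finding:
    path: str
    line: int
    kind: str    # "access_key_id" or "secret_access_key"
    masked: str  # only the first four characters, so the report does not re-leak the value


def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return every credential match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "secret_access_key", mask(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a pre-commit hook would feed in)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample checkout. The key values are AWS's documented example
# credentials (AKIAIOSFODNN7EXAMPLE and its companion secret), not live keys.
SAMPLE_FILES = {
    "app/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app/main.py": (
        "import boto3\n"
        "# Credentials come from the instance role or environment; nothing is embedded.\n"
        "client = boto3.client('s3')\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.masked}")
```

Run as a pre-commit hook, a non-empty result should block the commit. The scanner only recognises static credentials; it says nothing about keys that are already valid but over-privileged, which the IAM section below addresses.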

Sensitive Resources on Public Subnets

Amazon Virtual Private Cloud (VPC) allows businesses to create virtual network environments. VPC gives AWS users control over their network, including network security, routing, resource deployment, and subnets. 

Subnets are one of VPC’s biggest security and availability advantages. Businesses can create logically isolated subnets with traffic screening and access restrictions. For example, they can deploy public subnets connected to an internet gateway and private subnets that are not accessible from the internet. Private subnets can only be accessed by internal resources, making them an excellent option for database servers and other resources that should be hidden from the internet.

When you first provision a VPC, it contains a default public subnet. Unfortunately, many users do not change the original configuration. They deploy servers and databases to the default subnet, exposing them to the internet and creating a dangerous security vulnerability. 

Overly Broad IAM Permissions

AWS Identity and Access Management (IAM) allows businesses to specify user access permissions, groups, and roles. IAM permissions limit the actions these entities can take and the resources they can access. Permissions should be limited to provide only the access an entity needs.

Businesses often fail to set permissions correctly, configuring overly broad permissions or failing to re-assess permissions over time. If credentials leak, an attacker gains more access than they otherwise would have. But even if the credentials don’t leak, internal users may access sensitive resources and cause security and availability issues. 
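The broad permissions the paragraph describes usually show up in a policy document as wildcards: an Allow statement with `"Action": "*"`, a service-wide `"s3:*"`, `"Resource": "*"`, or a `NotAction` (which allows everything except the listed actions). The checker below is an added example, not code from the article or from KirkpatrickPrice; it walks IAM policy JSON and reports those patterns so they can be reviewed during the periodic re-assessment the text calls for. The policy documents are constructed, including the bucket name `example-app-uploads`.

```python
import json


def _as_list(value):
    """IAM accepts a single string where a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[tuple[int, str]]:
    """Return (statement_index, finding_code) pairs for overly broad Allow statements.

    Deny statements are skipped: a wildcard Deny narrows access rather than widening it.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except the ones listed.
            findings.append((idx, "NOTACTION_ALLOW"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, "ACTION_WILDCARD"))
            elif action.endswith(":*"):
                findings.append((idx, "SERVICE_WILDCARD"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "RESOURCE_WILDCARD"))
    return findings


# Constructed policies: the first two are the kind of "just make it work" grant
# the text warns about, the third is scoped to one bucket and two operations.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

SERVICE_WIDE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadWriteUploads", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "ListUploads", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-app-uploads"}
  ]
}""")

if __name__ == "__main__":
    for name, doc in [("broad", BROAD_POLICY), ("service-wide", SERVICE_WIDE_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, audit_policy(doc) or "no findings")
```

The checker is deliberately simple: it does not evaluate conditions or resource-level constraints, so a finding is a prompt for review rather than a verdict. In practice, the documents to feed it come from the IAM API (for example the output of `aws iam get-policy-version`) for every customer-managed policy in the account.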

Public Access to Origin Databases

Origin databases should be hidden from the internet. These databases support your apps and services. They may need to be accessible to web servers and other public-facing resources. But there is rarely a good reason to expose their IP address to external connections. 

An exposed origin database IP allows attackers to exploit other vulnerabilities. For example, an attacker could connect and exfiltrate data if the database’s access permissions are not correctly configured. This type of vulnerability has been the root cause of numerous data leaks.

Permissive Security Group Rules

Security groups are AWS’s virtual firewall. They allow businesses to restrict traffic to and from AWS resources. The user creates a security group and configures inbound and outbound traffic rules. They can then assign the security group to other resources, such as EC2 instances. Security groups are highly flexible, empowering users to create custom firewalls for different scenarios. 

All AWS accounts have a default security group. The default group has permissive rules: it allows inbound traffic on all ports from network interfaces and instances within the same security group. It also allows all outbound traffic. The default group is automatically used for new resources when a custom group is not specified. 

If you don’t adjust the default security group’s rules or create and assign custom groups, instances and other resources are deployed with broad permissions. Many businesses fail to do so. Consequently, instances are often deployed with vulnerable ports that are accessible from the internet. 

We covered AWS security in greater detail in 10 Top Tips For Better AWS Security Today?
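The exposure the section describes is visible in the inbound rules of each security group: a source of 0.0.0.0/0 or ::/0 means the whole internet. The following Python check is an added example, not code from the article or from KirkpatrickPrice. It reads the data structure the `describe-security-groups` API returns (as boto3 presents it) and lists every inbound rule open to the world, flagging ports that are rarely meant to be public. The sample output is constructed, the group IDs are made-up, and the account ID 111122223333 is AWS’s documentation placeholder. The list of sensitive ports is my own and should be adjusted to the environment.

```python
# Ports that are almost never meant to be reachable from the whole internet
# (constructed list; extend it to match your environment).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 27017: "MongoDB"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _sources(perm):
    """Yield every CIDR source on one IpPermissions entry (IPv4 and IPv6)."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _covers_port(perm, port):
    if perm.get("IpProtocol") == "-1":   # "-1" means all protocols and all ports
        return True
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return False                      # for ICMP the From/To fields are type/code
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def _port_label(perm):
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def internet_exposed_rules(describe_output):
    """Return one finding per inbound rule whose source is the whole internet."""
    findings = []
    for group in describe_output["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            open_sources = [c for c in _sources(perm) if c in ANYWHERE]
            if not open_sources:
                continue
            findings.append({
                "group": group["GroupId"],
                "name": group.get("GroupName"),
                "protocol": perm["IpProtocol"],
                "ports": _port_label(perm),
                "sources": open_sources,
                "sensitive": [n for p, n in SENSITIVE_PORTS.items() if _covers_port(perm, p)],
            })
    return findings


# Constructed describe-security-groups output: a web-tier group with HTTPS open
# (expected), SSH open to the world (the finding that matters) and MySQL limited
# to the VPC range, plus a default group that only trusts itself.
SAMPLE_DESCRIBE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "111122223333"}]},
    ]},
]}

if __name__ == "__main__":
    for f in internet_exposed_rules(SAMPLE_DESCRIBE):
        flag = " <- sensitive: " + ", ".join(f["sensitive"]) if f["sensitive"] else ""
        print(f'{f["group"]} ({f["name"]}) {f["protocol"]}/{f["ports"]} from {f["sources"]}{flag}')
```

Note that the default group's self-referencing rule is not reported, which matches the text: it is permissive between members of the group, not towards the internet. A rule that is open to the world on a sensitive port is the one to fix first, by replacing the 0.0.0.0/0 source with a bastion or VPN range, or by removing the rule in favour of a managed access path.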

Server-Side Request Forgery

In 2019, the Capital One credit card company leaked customer details from 100 million accounts, exposing AWS vulnerabilities. The attack was later found to have exploited Server-Side Request Forgery (SSRF). SSRF turns a business’s cloud infrastructure against it.

Imagine a business that stores sensitive information in a database. The database is hosted on a cloud server without an external IP. The attacker can’t connect to it directly. But they may be able to connect to an internet-facing server with permission to access the database. In an SSRF attack, the attacker exploits a vulnerability in the internet-facing server and uses the server to send hostile requests to the target database. 

For that to work, a resource on an external IP must be improperly configured. In the Capital One case, the attackers exploited overly broad Web Application Firewall (WAF) rules—similar to the situation described in the previous section. However, many different configuration errors might open the door to an SSRF attack. 
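The internet-facing server in the scenario above is exploitable when it fetches whatever URL a client hands it. The code below is an added example, not code from the article, from KirkpatrickPrice, or from the Capital One incident. It shows the vulnerable fetch beside a hardened version that only contacts a fixed allowlist of hosts, refuses literal IP addresses and non-HTTPS schemes, and checks that every address the host resolves to is globally routable before connecting. The allowlist entry `api.partner.example` is a constructed placeholder. Only the validation functions run offline; `fetch_safe` needs network access and is shown for completeness.

```python
import ipaddress
import socket
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: the only external hosts this service legitimately calls.
ALLOWED_HOSTS = {"api.partner.example"}


def fetch_unsafe(url: str) -> bytes:
    """Vulnerable form: whatever URL the client supplied is fetched from inside the VPC."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def is_public_ip(address: str) -> bool:
    """True only for globally routable unicast addresses (no private, loopback,
    link-local, reserved or multicast ranges)."""
    ip = ipaddress.ip_address(address)
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str) -> Optional[str]:
    """Return a rejection reason, or None if the URL may be fetched."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return f"scheme {parsed.scheme!r} is not allowed"
    host = parsed.hostname          # strips userinfo and port, so "a@b" resolves to b
    if not host:
        return "missing host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                        # a hostname, as expected
    else:
        return "literal IP addresses are not allowed"
    if host not in ALLOWED_HOSTS:
        return f"host {host!r} is not on the allowlist"
    return None


def fetch_safe(url: str, timeout: float = 5.0) -> bytes:
    """Hardened form: allowlist first, then verify every resolved address is public."""
    reason = check_outbound_url(url)
    if reason:
        raise ValueError(reason)
    host = urlparse(url).hostname
    for *_, sockaddr in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP):
        if not is_public_ip(sockaddr[0]):
            raise ValueError(f"{host} resolves to non-public address {sockaddr[0]}")
    # Caveat: the HTTP client resolves the name again when it connects. In
    # production, pin the checked address at the transport layer or send all
    # outbound requests through an egress proxy that enforces the same policy.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for candidate in ["https://api.partner.example/v1/report",
                      "http://api.partner.example/v1/report",
                      "https://10.0.0.5/",
                      "https://api.partner.example@evil.example/"]:
        print(candidate, "->", check_outbound_url(candidate) or "allowed")
```

The allowlist is the control that does most of the work; the address check is a second layer for the case where an allowed name is pointed somewhere it should not be. Both are configuration on the application side, which is the point of the section: the cloud platform cannot know which outbound requests your server is supposed to make.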

Misconfigured S3 Storage Buckets 

We have left one of the most common AWS vulnerabilities until last. AWS S3 is a popular storage service used by thousands of businesses. S3 stores data in buckets with flexible access permissions. Misconfiguring those permissions may allow malicious third parties to access sensitive data.

A huge number of businesses have been caught out in this way. They deliberately or unintentionally configure S3 buckets for public access. Bad actors scan for misconfigured buckets and exfiltrate the data. Victims of this AWS vulnerability include Twilio, BHIM, Attunity, and dozens more. 
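A bucket becomes public in one of two ways: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Allow statement names `"Principal": "*"`. The account-level and bucket-level Block Public Access settings neutralise both, so a review should look at all three. The function below is an added example, not code from the article or from KirkpatrickPrice; it takes the data returned by the `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` API calls (in the shape boto3 returns them) and reports what would make the bucket public. The two sample buckets are constructed, as is the owner ID.

```python
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _public_principal(principal) -> bool:
    """True for "Principal": "*" or {"AWS": "*"}, the two spellings of "anyone"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def assess_bucket(name, acl, policy_json, public_access_block) -> list:
    """Return human-readable findings that would make the bucket publicly readable or writable."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    if policy_json:   # get_bucket_policy returns the document as a JSON string
        for stmt in _as_list(json.loads(policy_json).get("Statement")):
            # Only unconditional grants are flagged here; a Condition may still be
            # public (for example, restricting by referer) and deserves manual review.
            if (stmt.get("Effect") == "Allow" and _public_principal(stmt.get("Principal"))
                    and "Condition" not in stmt):
                actions = ", ".join(_as_list(stmt.get("Action")))
                findings.append(f"bucket policy allows {actions} to anyone")
    # get_public_access_block raises when nothing is configured; callers pass None
    # in that case, which is treated the same as all four settings being off.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) for k in PAB_SETTINGS):
        findings.append("Block Public Access is not fully enabled")
    return findings


# Constructed samples: one bucket configured the way the breaches in the text
# happened, one locked down.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
EXPOSED_BUCKET = dict(
    name="example-customer-exports",
    acl={"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*"}]}),
    public_access_block={"PublicAccessBlockConfiguration": {k: False for k in PAB_SETTINGS}},
)
HARDENED_BUCKET = dict(
    name="example-customer-exports",
    acl={"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    policy_json=None,
    public_access_block={"PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS}},
)

if __name__ == "__main__":
    for bucket in (EXPOSED_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], assess_bucket(**bucket) or ["no findings"])
```

Turning on all four Block Public Access settings at the account level is the single change that closes this class of exposure for every bucket at once; the ACL and policy findings then show what would become public again if someone later relaxes that setting.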

How KirkpatrickPrice Helps

KirkpatrickPrice is a licensed CPA firm specializing in information security. We provide services to help clients secure their cloud infrastructure and comply with information security and privacy regulations, including:

Contact us today to begin your journey to improved AWS security.

The global information technology industry is worth around $5 trillion. To put that in perspective, the global oil and gas market is worth $5.8 trillion. IT is an enormous industry because every business depends on IT infrastructure. That makes infrastructure security a priority for organizations, from sole proprietorships to multinational corporations and governments.

As a business owner or executive, you are responsible for creating and managing a secure infrastructure platform. But how can you build secure IT infrastructure when your business lacks infrastructure security expertise and experience?

Every business is unique, and there is no one-size-fits-all security solution. However, we can explore five strategies that help companies protect their data while complying with security and privacy regulations.

Why IT Infrastructure Security Is Important

We all understand why IT infrastructure security matters. Leaked private data may have catastrophic legal and financial consequences. Ransomware infections force businesses to choose between losing a valuable asset and handing money to criminals. Cybercrime can take down critical systems, disrupting business operations and damaging reputations.

But few are aware of cybercrime’s true scale, prevalence, and cost.

  • The average cost of a data breach in the U.S. is $8.64 million.
  • The global cost of cybercrime is an estimated $6 trillion and is expected to grow to $10 trillion by 2025.
  • There were 304 million ransomware attacks in 2020, double the previous year.
  • The average ransomware payout grew from less than $10,000 in 2018 to more than $233,000 by the end of 2020.
  • In 2020, 300 million people were impacted by data breaches.

Cybercrime is a risk every business faces. Asking whether criminals will attack your IT infrastructure is the wrong question. Your infrastructure will be attacked; it’s just a matter of time. The real question is what you can do to make sure that the attackers fail.

5 Steps to Outstanding IT Infrastructure Security

The specifics of IT infrastructure security depend on your business’s infrastructure needs and regulatory environment. An SME storing customer relationship management records in the cloud has different security and privacy requirements from a healthcare provider storing private healthcare information or a payment processor who must comply with PCI DSS.

However, the following high-level guidelines will help any business to build a more secure IT infrastructure.

Build on Secure Cloud Platforms

Cloud platforms are a more secure option than colocated or managed servers hosted in a data center. The self-managed non-cloud option may be suitable for companies with infrastructure security expertise and resources. But for the average business, cloud platforms offer a superior balance of control, cost, and security.

Businesses hosting code on infrastructure they own and operate are entirely responsible for securing that infrastructure. That includes the servers, their operating systems and library code, services such as databases and web servers, application code, networks, and more.

In contrast, the cloud vendor takes care of the low-level security details on a cloud platform, including physical security. That doesn’t mean cloud platforms are intrinsically secure. They are not, but they help businesses with limited security resources to achieve better security outcomes than they otherwise could. They provide a solid foundation on which companies can build secure infrastructure.

Building in the cloud doesn’t absolve businesses of security obligations. Cloud security is a shared responsibility. Companies that don’t follow cloud security best practices put their data at risk, which brings us to our next infrastructure security strategy.

Create and Enforce IT Security Policies

IT infrastructure security starts at the top of the org chart. As KirkpatrickPrice Information Security Auditor Shannon Lane points out, “When building a foundation for a culture of compliance, you must start from the top.” The leadership team and senior executives must craft policies and implement organizational structures that support infrastructure security and compliance.

We explored this concept in more detail in How to Design Effective Security Compliance Programs. In essence, businesses who want to improve IT infrastructure security should:

  • Create policies that set minimum security standards for IT infrastructure.
  • Make executives, managers, and team members responsible for implementing those policies.
  • Monitor and audit infrastructure security to ensure that policies are complied with.

The last of these points is particularly important. Without a feedback structure, an organization’s leadership is likely unaware of how security policies are implemented or if they are implemented at all.

Employ Cloud Security Experts to Verify Your Cloud Configurations

As we mentioned in this article’s introduction, cloud platforms like AWS and Microsoft Azure operate a shared responsibility model for security. They provide secure foundations but don’t prevent misconfigurations that may lead to security vulnerabilities.

For example, businesses can store sensitive data securely in AWS S3 buckets if access permissions are correctly configured. However, S3 users often accidentally expose sensitive data with permissive access permissions. We explored several AWS security vulnerabilities caused by human error in Do These 8 Vulnerabilities Affect Your Infrastructure’s AWS Security?

We recommend hiring a third-party cloud expert to verify your cloud configurations. A Remote Cloud Security Assessment reviews AWS, Azure, and Google Cloud configurations to identify potential vulnerabilities and provide actionable guidance to help businesses mitigate cloud infrastructure security risks.

Invest in Security Awareness Training for Employees

A lack of security awareness is often the root cause of cloud security vulnerabilities and data breaches. Managers and employees make mistakes when they are not aware of the risks and how to deploy and configure cloud infrastructure securely.

Security firm Kaspersky Lab recently revealed that most cloud security breaches are a consequence of social engineering, not technology failures. Bad actors use phishing attacks, executive impersonation techniques, and other forms of social engineering to gain access. These attacks target senior executives (whaling) and other employees with access to sensitive data.

Correct cloud security configurations and access controls are of limited help. Bad actors manipulate insiders with legitimate access to bypass security controls. Security awareness training helps employees to understand security risks and comply with security and privacy best practices.

Conduct Regular Cloud Security Audits

A cloud security audit is a comprehensive review of a business’s cloud security controls. Cloud security auditors analyze and report on controls for data, operating systems, networks, and access controls, among other relevant factors. An audit helps businesses to verify that their cloud security policies, configurations, and training are effective.

Audits have two primary benefits:

  • An independent expert verifies cloud infrastructure security and highlights failings that may expose businesses to security and compliance risks.
  • The business can demonstrate to customers and clients that it takes security seriously and complies with recognized industry standards.

Cloud security audits are based on the CIS benchmarks for AWS, Azure, and GCP. Businesses required to comply with other information security frameworks such as PCI DSS, HIPAA, and SOC 2 benefit from audits tailored to those frameworks.

KirkpatrickPrice is a licensed CPA firm that specializes in information security audits for regulatory frameworks and industry standards that include:

To learn more about AWS security, visit our AWS Cybersecurity Services, which offers an extensive library of actionable cloud security guidance.

A Guessing Game

Picture this – Halloween in the ’80s. A classroom full of students at their desks, staring at a large object hidden under a blanket. The guessing game had only just begun. Gasps filled the room as our teacher revealed a gigantic pumpkin. “If you guess how much it weighs, it’s yours!” Our teacher was encouraging a creative lesson on estimation.

The only thing keeping that pumpkin from being carved and glowing on my front porch was my correct estimation of its weight. Some of my peers jotted down their answers without a second thought, and others stared at the ceiling in boredom, but those that were crafty compared with objects that were similar in size. So that is just what I did.

Comparing Vulnerabilities from Past Projects

The process of penetration testing is often the same.

Penetration testers are expected to find the unseen cracks in an organization’s security. Just as the pumpkin from the story had an unknown weight, client environments have undiscovered vulnerabilities. When an organization undergoes a penetration test, they expect the hired tester to discover all their neglected vulnerabilities within the limited amount of time in the engagement. Because of this, penetration testers can often compare tests to those they have done in the past. If they have observed one organization make a mistake, they will see a similar vulnerability hidden in another.

For example, when I examine a web application and find an area for file uploads, I immediately reference past projects where I succeeded in compromising a similar vulnerability. In a recent penetration test, I noticed that the web application contained an area in a note for embedding HTML code. Referencing a previous test, I began writing a new note with HTML tags and JavaScript code to test for Cross-Site Scripting. Sure enough, the application was vulnerable to Stored Cross-Site Scripting.

You Need Experienced Penetration Testers

Experience is what makes penetration testers experts that can make educated comparisons and conduct advanced testing. Without past projects to reference, inexperienced penetration testers are just playing a guessing game. At KirkpatrickPrice, our team has an average of fifteen years in the industry. You can count on our penetration testers to make the most of the time constraints and discover your most vulnerable gaps.

As for the pumpkin contest, I did win. The correct guess was 75.5 pounds, and I put down 75. When my teacher asked how I came to that estimation, I merely answered: “The pumpkin looked about the size of my sister.”

Who knew that I would spend the rest of my life playing a similar game of comparison?

Cloud platforms make it easier for businesses to leverage complex technologies. Instead of buying, configuring, and managing a physical server, you deploy an instance of a server in the cloud. Instead of licensing, installing, and updating enterprise software, you deploy software for the time and purpose that you need through your provider. Cloud platforms provide many technical intricacies through a user interface, but sometimes how and what you should configure securely is not obvious. You may not be responsible for physical servers and networks, but you are responsible for the security configuration and privacy of business and customer data in the cloud.

That’s why it’s vital your company chooses the right cloud security provider or managed cloud security service to support you in your objectives. In this article, we will explore what a cloud security provider is and help you choose the right provider for your business. We’ll also take a look at some of the limitations of cloud security providers and what they can’t do. 

What is a Cloud Security Provider?

Cloud security providers offer services that help businesses to use cloud environments securely. Companies in this space range from managed security service providers (MSSPs) who offer outsourced cloud monitoring and management to SaaS and cloud software vendors with products that help businesses to avoid common cloud security issues. Cloud security software typically leverages platform APIs, adding enhanced security functionality that is not available on the platform itself. 

Among the services a cloud security provider may offer are:

  • Security hardening, including configuration analysis to identify and mitigate vulnerable security and privacy configurations. 
  • Log analysis to identify security events and threats.
  • Exploit prevention through patching or firewall configuration. 
  • Network intrusion and threat detection. 
  • Malware scanning and ransomware protection. 

Cloud security providers typically have expertise in a specific cloud platform, although some offer solutions targeting multiple cloud platforms or hybrid clouds with cloud and on-premises infrastructure. 

Does Your Business Need a Cloud Security Service?

Cloud platforms, including Amazon Web Services (AWS), operate a shared responsibility model for security. The vendor takes care of some aspects of security, leaving others to the customer. Where exactly the line is drawn depends on the service: IaaS leaves more to the user than SaaS, but the user always retains some responsibility. 

For example, AWS provides secure data storage, but if the user uploads unencrypted data to an S3 bucket with misconfigured access permissions, the platform will do nothing to stop them. 

That’s where cloud security providers come in. Cloud security providers help cloud users with their share of the cloud security and privacy burden. They offer services that enable businesses to avoid the type of mistake just described. However, the ultimate responsibility for information security and privacy always rests with your company. If private customer data leaks or your business fails to comply with HIPAA or PCI DSS, you will suffer the consequences, not the cloud security provider. 

5 Questions to Ask Cloud Security Service Providers

Businesses should assess cloud security providers before engaging them, but information asymmetry can make this difficult. You may need help precisely because your organization lacks internal cloud security expertise. But without that expertise, how can you adequately assess the services on offer? A vendor compliance assessment can help, and in the initial stages of vendor research, asking the following questions will give you an idea of a prospective vendor’s capabilities. Ultimately, communication and clear expectations are key.

Is Cloud Security Your Core Competency?

Many MSSPs and cloud outsourcing service providers offer security-related services. However, “cloud security” is a broad area. A service provider may advertise their ability to make your cloud environment more secure. But their security efforts may be limited to deploying an off-the-shelf monitoring solution that will bombard your internal team with alerts. Also, the default services may not be as comprehensive as you need. For example, they may monitor Windows systems but not Linux. 

That may be all you’re looking for, but an expert cloud security provider can go much further. They will employ a technical team with expertise in IT and cloud security. Their technicians will have hands-on experience with real-world cloud environments and understand how to mitigate potential security issues. Just as important, they will understand the regulatory environment your company operates in and how to leverage cloud technologies to maintain compliance. 

Before engaging a cloud security vendor, ask about their experience, qualifications, certifications, and tools. 

What Will You Do to Keep Our Data Secure?

This question elicits information about the vendor’s products and processes. As we said earlier, businesses need to know what cloud vendors mean by “cloud security.” You may want to ask the following questions:

  • Will you assess our cloud environment’s configuration for mistakes that may cause security vulnerabilities?
  • Will you monitor our environment for potential intrusions and malware?
  • When you find a problem, will you help mitigate the risk, and what form will that help take?
  • Do your services include asset discovery, threat intelligence, and behavioral monitoring?
  • How do you document actions taken and assigned tasks? 

If possible, you should have a clear idea of your cloud security issues before beginning the vendor selection process. If you know what you are trying to achieve, you can ask focused questions about how the vendor can help you meet those objectives. Businesses lacking internal cloud security expertise should consider hiring an independent third party to assess cloud security risks and develop a mitigation plan. 

Does Your Infrastructure Comply with Information Security Standards?

Consider the following scenario. A company contracts with a cloud security provider to reduce risk and ensure sensitive data storage and processing complies with information security and privacy standards. The company gives the provider access to its cloud environment. Later, the provider’s network is hacked, and bad actors gain access to the data the company hired the vendor to protect. 

This is not an unusual outcome, so it’s essential to verify prospective cloud security vendors follow best practices for their own infrastructure and software. Third-party security audits are helpful here. Ask prospective vendors to demonstrate they are compliant with relevant industry standards, such as SOC 2 and ISO 27001. Also, be sure to inspect their penetration testing results.

Do You Understand the Security and Privacy Concerns of My Industry?

Ensure that cloud security vendors understand your industry’s legal and regulatory requirements. The specifics vary, and a vendor focused on general cloud security concerns may not have the experience or expertise to help you comply with HIPAA, PCI DSS, FISMA, and other standards. 

Do You Offer Security Awareness Training?

Cloud security concerns more than just technology. Many data breaches result from human error and inadequate awareness of security risks. Security awareness training tailored to your company’s security and compliance needs can reduce security risk while improving compliance. 

The Limitations of Cloud Security Providers

A cloud security provider or managed security service provider can reduce security risks, but they can’t objectively verify that your cloud environment is secure or compliant. The optimal approach combines cloud security best practices with cloud security assessments and audits by a qualified independent auditor with cloud and information security expertise. 

KirkpatrickPrice is a licensed CPA firm specializing in information security compliance. Contact a cloud security expert to learn how we can help your business improve cloud security and comply with relevant regulations and industry standards.

Security compliance is a primary concern for data-driven, technology-empowered businesses. On the one hand, they face internal and external security threats ranging from ransomware and phishing attacks to malicious insiders and human error. On the other hand, regulatory frameworks such as HIPAA and the GDPR impose stringent security and privacy standards with legal and financial penalties for non-compliance. 

A security compliance program helps a business to own its compliance risks. However, there are numerous challenges along the path to a security compliance program that supports long-term compliance goals. This article explores security compliance programs and suggests strategies to help businesses manage security compliance risks.

What Is a Security Compliance Management Program?

A security compliance program is the policies, procedures, and processes an organization creates to maintain security standards, typically based on regulatory frameworks such as HIPAA or recognized industry standards such as SOC 2. 

Security compliance programs also encompass the mechanisms by which the organization reviews and assesses information management practices. Without ongoing monitoring and auditing, it’s impossible to verify the organization is complying with its own policies.

Perhaps most important, security compliance programs are people-focused; they aim to create a management framework with resources and incentives that encourage employees to follow security best practices. 

An organization without a security compliance program may follow security best practices in an ad-hoc manner, but then again, they may not. Information security and privacy concerns are often deprioritized relative to other business goals. A security management program supported by an organization’s leadership helps align business practices with security compliance objectives. 

A security compliance management program enables organizations to:

  • Comply with regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standards (PCI DSS), among many others. 
  • Protect data assets and reduce the legal, financial, and reputational risk of regulatory compliance failures. 
  • Design policies and implement processes that allow executives to exercise control over the organization’s security posture.
  • Monitor and verify security compliance.

Those interested in building a security compliance program may find it instructive to read the U.S. Department of Justice Criminal Division’s Evaluation of Corporate Compliance Programs. Although broader in scope than information security, it explains the factors that prosecutors look for when evaluating compliance. These include the presence of risk assessments and risk management processes, well-designed and comprehensive policies, risk-based training, properly scoped investigations by qualified personnel, internal and external audits, and more.

The Components of Effective Security Compliance Management 

A security compliance management plan is tailored to the business’s needs and the environment in which it operates, but effective security compliance programs are built on the following components. 

Security Compliance Policies

Policies are the key documents in a security compliance management program. Security compliance policies describe the minimum security standards with which the organization intends to comply. Policies should be informed by a variety of factors, including:

  • The organization’s business objectives,
  • The regulatory environment in which the business operates, and
  • The specific risks the organization faces. 

Policies are long-lasting, high-level documents, but they are not permanent. A company must be prepared to evolve policies in response to changes in the organization, its operating environment, and the technology on which it relies. 

Structures to Implement Security Compliance Policies

Policies are only useful insofar as they are implemented, but this is often the biggest challenge. Security compliance impacts almost all aspects of modern business: data is a key asset, and information technology is ubiquitous. 

There are two possible approaches. The first is to “bolt” security compliance onto existing business processes. However, as Gartner’s research makes clear, this is unsustainable and unscalable. It makes security a potential hindrance to normal operations, creating the risk that compliance processes are bypassed as managers and employees prioritize efficiency. 

The second approach is to make security compliance an integral part of business processes. As workflows are designed, compliance is “baked in,” informing organizational structures, processes, relationships with business partners, and technology choices. 

Learn more about building compliant business processes in Auditor Insights: Compliance from the Start.

Whichever approach is chosen, security compliance management requires leadership and clear communication with stakeholders throughout the organization. A typical security compliance management structure includes:

  • A leader with authority to sponsor security compliance projects. This may be an executive or a security compliance steering team with executive support. 
  • Participation from relevant stakeholders within the organization. This might include stakeholders from IT, information security, sales, finance, and other business units. The IT department plays a critical role in security compliance. Still, other stakeholders should also be involved to reduce the risk of security compliance procedures failing to align with broader business objectives. 
  • A compliance manager or managers with information security expertise. The compliance manager is responsible for overseeing compliance projects that integrate security compliance throughout the business. For example, the compliance manager may work with IT to implement encryption policies for sensitive data. The compliance manager also gathers evidence to assess compliance efforts’ effectiveness and inform future policy and process changes. 

Additionally, it is usually necessary to offer information security training. Any employee who has access to potentially sensitive data should receive security awareness training that prepares them to comply with information security policies. 

Security Compliance Evaluation and Auditing

Compliance monitoring and internal audits are essential. Security compliance is a continuous process of implementation and evaluation. Policies evolve as regulatory standards change, and procedures and outcomes must be re-evaluated to ensure they meet security compliance objectives. Internal monitoring and evaluation should be augmented by external audits conducted by experienced auditors with information security expertise.

Implementing a Security Compliance Management Program for Your Business

There is no universally applicable template for building a compliance management program. Every company is different, and so are its compliance requirements. However, most businesses benefit from a plan which follows these steps. 

  • Conduct a risk assessment to establish which risks the company faces, including compliance risks. 
  • Develop policies and standards to mitigate those risks. 
  • Appoint a compliance leader to oversee implementation and communication with stakeholders. 
  • Implement processes, procedures, and tools that support compliance policies. 
  • Train and educate employees to understand your compliance objectives and the role they play in achieving them. 
  • Monitor compliance and conduct internal and external audits to measure how effective your compliance efforts are. 
  • Act to correct risks and compliance failings identified by monitoring and audits. 

As we mentioned earlier, security compliance management is an ongoing process. The steps outlined above should be thought of as a cycle rather than a linear process that will be complete at a point in the future. 

To learn more about how audits can help your business achieve its security compliance objectives, visit KirkpatrickPrice’s Compliance Audit Services or contact a security and compliance expert today.