
In 2022, businesses are reliant on IT infrastructure. Whether it’s on-premises, cloud, or outsourced infrastructure, IT supports day-to-day business operations, customer interactions, human resource management, communications, sales and marketing, financial management, web and mobile services, and more. Unexpected downtime in these areas can severely impact operations and cost thousands of dollars every minute. Has your business planned for how to deal with these kinds of disruptions?

To prepare for such disruptions, your organization needs a documented Disaster Recovery Plan (DRP). A DRP is a documented policy detailing an organization’s planned response to unexpected events that disrupt IT infrastructure and operations. DRPs document the actions, processes, and systems used to re-establish service availability while maintaining security and compliance. Organizations create DRPs to reduce downtime and the potential for financial loss in the face of catastrophic disruption. DRPs also play a key compliance role: many information security regulations and standards require businesses to plan for disaster recovery. 

This article explores disaster recovery plans, the part DRPs play in business continuity planning, and the relationship between disaster recovery planning and compliance. 

What is a Disaster Recovery Plan?

Because businesses depend on IT infrastructure, they are threatened by potential disasters ranging from cybercrime attacks and human error to power outages and tornadoes. A disaster recovery plan is a hedge against risk. Businesses consider potential risk scenarios and implement plans and policies to limit their impact. 

There are obvious financial and operational incentives for creating and maintaining disaster recovery plans. The Uptime Institute’s Outage Analysis for 2022 found that over 60% of IT outages result in losses exceeding $100,000. One in five organizations reported a serious or severe outage in the last three years, and 80% of data center operators reported outages of similar severity. If your business relies on IT infrastructure, it makes sense to plan for disruption. 

Disaster recovery planning aims to provide documented processes employees can follow when the worst happens. Employees should know their roles and responsibilities, the processes they are expected to follow, and how the business plans to overcome IT availability challenges. DRPs also outline technological solutions to downtime, including implementation and maintenance procedures to ensure backups and redundancies work when needed. 

At the policy level, a business may have a single document detailing its disaster recovery policies: its goals for disaster recovery. However, all but the smallest businesses should have multiple disaster recovery plans covering various business operations. For example, a business might have independent disaster recovery plans covering:

  • Data center infrastructure
  • Communication systems
  • Cloud and virtualized infrastructure
  • Network disruptions
  • Cyberattacks and data theft

Although there may be some overlap, each of these scenarios requires a unique response and, therefore, a unique disaster recovery plan. 

Disaster Recovery vs. Business Continuity: What’s the Difference?

Disaster recovery and business continuity are related but distinct responses to risk. Disaster recovery planning is limited to IT infrastructure and resources. It concerns preparations for IT outages and downtime, temporary measures to maintain availability when infrastructure is disrupted, and how the organization plans to recover IT operations to their original state. 

Business continuity planning is broader in scope than disaster recovery planning. It concerns all policies and procedures related to a company’s continued operation during a disruptive event. For example, business continuity plans might include responses to supply chain disruption, pandemics, financial fraud, property theft, the outbreak of war, and so on. 

Disaster recovery planning is typically considered a subset of business continuity planning concerning IT infrastructure. Forward-thinking businesses make business continuity plans for realistic threat and risk scenarios. Plans that focus on IT infrastructure and service availability are called disaster recovery plans. 

Disaster Recovery Planning and Compliance

Many IT and information security regulations and standards mandate disaster recovery planning. There are two main compliance concerns relevant to disaster recovery:

  1. Regulations and standards may require organizations to demonstrate they have implemented effective disaster recovery planning.
  2. Disaster recovery processes and the associated IT infrastructure must comply with information security, privacy, and confidentiality compliance requirements. 

Let’s explore the specific requirements of the different security regulations and standards: 

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires organizations that store electronic protected health information (ePHI) to implement a contingency plan that includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan, together with addressable specifications for testing and revising those plans. Organizations must be able to recover the critical IT systems that store and process ePHI after a disruptive incident. As you might expect, all redundant and failover infrastructure implemented as part of a disaster recovery plan must also be HIPAA-compliant: a backup copy of ePHI is still ePHI. 

SOC 2

A SOC 2 audit verifies that a business meets the common criteria of the AICPA Trust Services Criteria (formerly the Trust Services Principles), which make up the security category. Businesses may also be audited against the additional categories of availability, confidentiality, processing integrity, and privacy. The availability criteria address disaster recovery planning and testing. 

Key criteria include A1.2 and A1.3. The former requires organizations to develop, implement, operate, and maintain data backup processes and recovery infrastructure. The latter requires organizations to test recovery plan procedures that support system recovery.  

ISO 27001

ISO 27001 Annex A.17 (in the 2013 edition of the standard) focuses on infrastructure redundancy and information security continuity. A.17.2.1 concerns the availability of information processing facilities, with requirements for redundant infrastructure and testing. A.17.1.1 to A.17.1.3 concern information security continuity: an organization’s ability to plan, implement, and then verify and review how information security is maintained during disruptive events. Together they require compliant organizations to plan, implement, and evaluate information security continuity policies and processes. 

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) does not mandate a standalone disaster recovery plan, but several of its requirements shape how you plan for disasters. Requirement 12.10 concerns creating and implementing an incident response plan for security breaches, and 12.10.1 requires that plan to include business recovery and continuity procedures and data backup processes. Requirement 9.5.1 addresses storing media backups in a secure, preferably off-site, location and reviewing that location’s security at least annually. As with other standards, any disaster recovery infrastructure that stores, processes, or transmits cardholder data is in scope and must itself be compliant. 

What Should Be Included in a Disaster Recovery Plan?

Disaster recovery plans should be uniquely tailored to each organization and its IT infrastructure. There is no simple disaster recovery plan template that applies to every organization. In fact, your disaster recovery plan should not be the same in a year as it is today; it must evolve as your business and its infrastructure evolve. 

However, all disaster recovery planning processes should include the following components:

  • Recovery time objectives (RTO): How quickly must each service be restored to an acceptable level after an incident? 
  • Recovery point objectives (RPO): How much data loss, measured as the time between the last usable backup and the incident, is acceptable? An RPO of one hour means backups or replication must run at least hourly.
  • IT inventory: A complete and up-to-date inventory of the IT infrastructure and cloud services your business relies on, with the RTO and RPO of each. 
  • Risk assessment: A thorough assessment of realistic risks and their potential impact. 
  • Personnel responsibilities: Who is responsible for executing each part of the plan. Roles and responsibilities must be clearly documented, and the people named must be trained and reachable when the plan is invoked.
  • Disaster recovery and restoration processes: A detailed breakdown of the actions to be taken and the resources required to achieve the business’s RTOs and RPOs, including how the plan itself is tested. 

Validate Your Disaster Recovery Compliance with KirkpatrickPrice

As we’ve discussed, many information security regulations and standards touch on disaster recovery planning. Is your organization certain its disaster recovery plans and systems are secure and compliant? A KirkpatrickPrice compliance audit can assure you that your plans are sufficient and effective for your specific business needs. As a licensed CPA firm, KirkpatrickPrice’s experienced information security experts carry out a wide range of compliance audits.

To learn more, contact a KirkpatrickPrice information security specialist today.

Amazon Web Services (AWS) is the most widely used cloud platform. It offers hundreds of networking, storage, compute, and managed cloud services, each of which helps organizations to build robust and reliable IT infrastructure without the need to manage data centers and physical hardware. 

However, AWS’s richness and complexity can be challenging to configure and administer to maximize security, privacy, and compliance. This is a particular problem for organizations lacking cloud security expertise. They can deploy cloud infrastructure and services, but struggle to secure them. 

AWS CIS Benchmarks provide guidance and recommendations that help organizations to take a systematic, targeted, and effective approach to securing cloud infrastructure. Because CIS Benchmark recommendations map to information security and privacy regulations and standards, they also help organizations to achieve compliance. 

What are AWS CIS Benchmarks?

AWS CIS Benchmarks are platform-specific security recommendations published by the Center for Internet Security and developed by CIS members in a consensus-driven process. CIS membership comprises major cloud providers such as Amazon and Microsoft, as well as corporations, government agencies, and educational institutions. 

AWS CIS Benchmarks provide a secure configuration baseline agreed on by security experts from around the industry. AWS is complex and, as we’ve written before, most cloud security incidents and data leaks result from misconfiguration. As the cliché goes, cloud users don’t know what they don’t know; the AWS CIS Benchmarks provide the knowledge organizations need in a comprehensive and actionable format.

The CIS publishes Benchmarks focused on many technologies and platforms, including cloud providers Microsoft Azure and Google Cloud Platform. This article focuses on Benchmarks targeting AWS and its services. We discussed CIS Benchmarks more generally in What Are CIS Benchmarks?

How Are AWS CIS Benchmarks Structured?

AWS Benchmark documents comprise a series of prescriptive configuration recommendations designed to optimize security and defend against common attacks. Each recommendation follows a format that includes:

  • A concise title.
  • An assessment status indicating whether conformance with the recommendation can be checked automatically (Automated) or requires manual review (Manual).
  • A detailed description of the configuration setting and its recommended value.
  • A rationale explaining the reason for the recommendation and its importance.
  • An audit procedure detailing how to determine if a system complies with the recommendation.
  • A remediation procedure to bring the system into compliance.

CIS publishes several benchmarks relevant to AWS, but organizations typically start with CIS Amazon Web Services Foundations Benchmark. The AWS Foundations Benchmark is ideal for configuring an AWS environment with a strong security baseline. It provides recommendations for AWS services used by the majority of organizations, including:

  • AWS Identity and Access Management (IAM)
  • AWS Config
  • AWS CloudTrail
  • AWS Simple Notification Service (SNS)
  • AWS Simple Storage Service (S3)
  • Elastic Compute Cloud (EC2)
  • Relational Database Service (RDS)
  • AWS VPC

The Foundations Benchmark provides recommendations that fall into two profiles: Level 1 and Level 2. Level 1 details basic security recommendations that are straightforward to implement with limited impact on the service’s usefulness. Level 2 extends Level 1 with recommendations suited to environments with more stringent security requirements, such as those storing sensitive data. 

In addition to the Foundations Benchmark, CIS publishes Benchmarks that cover other AWS services and use scenarios. These include:

  • CIS AWS End User Compute Services Benchmark: Covers AWS services that include WorkSpaces, WorkDocs, and AppStream, among others.
  • CIS Amazon Web Services Three-tier Web Architecture Benchmark: Extends the Foundations Benchmark with recommendations for web architectures hosted on VPCs.
  • CIS Amazon Linux 2 Benchmark: Provides recommendations for securely configuring the Amazon Linux 2 distribution.
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark: Provides recommendations for securing EKS.

8 AWS CIS Standards You Should Know

The CIS Amazon Web Services Foundations Benchmark is a substantial document with dozens of recommendations. To give you some idea of the type of recommendations, we’d like to highlight and briefly explain eight of the most important for organizations working to secure their AWS environment. 

1. Eliminate use of the ‘root’ user for administrative and daily tasks

The AWS account root user has unrestricted access to every service and resource in the account, and its permissions cannot be limited by IAM policies. It can add and remove users, deploy any infrastructure, and view any data. The root user is needed for a handful of account-level tasks (initial setup and a few billing and support settings), but it poses a significant security risk and should not be used for day-to-day management. Create IAM users or roles for administrators, enable MFA on the root user, do not create access keys for it, and never share its credentials. 

2. Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

Multi-factor authentication means that a leaked, phished, or reused password alone is not enough to sign in; an attacker also needs the second factor. AWS supports virtual authenticator apps, FIDO security keys, and hardware TOTP tokens for IAM users. Enforce it for every IAM user that has a console password, and verify conformance with the IAM credential report, which lists the mfa_active flag for each user. 

3. Ensure all S3 buckets employ encryption-at-rest

Data stored in Amazon S3 buckets should be encrypted at rest so that sensitive data stays unreadable if the underlying storage or a backup copy is ever exposed. Bear in mind what server-side encryption does and does not defend against: S3 decrypts objects transparently for any principal whose IAM or bucket policy allows s3:GetObject, so encryption complements access controls rather than replacing them. Using a customer-managed KMS key (SSE-KMS) adds a second gate, because the caller must also be permitted to use the key, and each decryption is recorded in CloudTrail. 

The CIS Amazon Web Services Foundations Benchmark also recommends enabling encryption for Elastic Block Storage (EBS), Relational Database Service (RDS), and Elastic File System (EFS). 

4. Ensure that S3 Buckets are configured with ‘Block public access’

S3 buckets can be configured to allow access to anyone without requiring authentication. Although this is occasionally useful when serving data to the public, accidentally or negligently configuring public availability is a major cause of data leaks. Ensure that all S3 buckets block public access unless you are confident public access is safe and necessary. 

5. Ensure CloudTrail is enabled in all regions

AWS CloudTrail records the API calls made in an account (which principal called which API, from where, and when) and delivers the logs to an S3 bucket. Administrators use the logs to monitor AWS usage for unexpected patterns, identify possible attacks, and build an audit trail for compliance audits. A trail created in a single region records only that region’s activity, so the usual way to satisfy this recommendation is one multi-region trail that is actively logging and captures both read and write management events. Enabling CloudTrail is essential to gaining transparency into how your AWS environment is used and by whom. 
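As an added example (not code from the original article or from CIS), the following Python script applies the audit logic of this recommendation, and of the related Level 2 recommendation that CloudTrail log file validation be enabled, to the JSON returned by `aws cloudtrail describe-trails`, `get-trail-status`, and `get-event-selectors`. The trail records are constructed sample data, merged here into one dict per trail for convenience; the field names are the real CloudTrail API fields, but the merging and the function names are this example’s own.

```python
"""Offline check of two CIS AWS Foundations CloudTrail recommendations.

Input is the JSON from `describe-trails`, `get-trail-status` and
`get-event-selectors`, merged into one dict per trail. Only the classic
event selectors are modelled; a trail that uses advanced event selectors
would need an extra branch (an assumption made for this example).
"""
import json

# Constructed sample data, not output from a real account.
SAMPLE_TRAILS = [
    {
        "Name": "legacy-us-east-1",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": True,
        "Status": {"IsLogging": True},
        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    },
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": False,
        "Status": {"IsLogging": True},
        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    },
    {
        "Name": "paused-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "Status": {"IsLogging": False},
        "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}],
    },
]


def records_all_management_events(trail):
    """A trail only counts as 'enabled in all regions' if it is multi-region,
    is currently logging, and captures both read and write management events."""
    if not trail.get("IsMultiRegionTrail"):
        return False
    if not trail.get("Status", {}).get("IsLogging"):
        return False
    return any(
        sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All"
        for sel in trail.get("EventSelectors", [])
    )


def evaluate_cloudtrail(trails):
    """Return a finding summary for the two CloudTrail recommendations."""
    qualifying = [t["Name"] for t in trails if records_all_management_events(t)]
    # Log file validation (Level 2) is judged per trail: without it, the
    # digest files that prove the delivered logs were not altered are never
    # written, so every trail is checked, not just the qualifying one.
    no_validation = [t["Name"] for t in trails if not t.get("LogFileValidationEnabled")]
    return {
        "all_regions_covered": bool(qualifying),
        "qualifying_trails": qualifying,
        "trails_without_log_validation": no_validation,
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_cloudtrail(SAMPLE_TRAILS), indent=2))
```

On the sample data the account passes the Level 1 check because of org-trail, while the same trail fails the Level 2 check; the paused multi-region trail does not count at all, which is the detail the audit step in the Benchmark is designed to catch.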

6. Ensure CloudTrail trails are integrated with CloudWatch Logs

CloudWatch is a monitoring service that uses data, including CloudTrail logs, to provide analysis and actionable insights into your AWS infrastructure. Integrating CloudTrail with CloudWatch Logs allows users to detect unusual behavior, analyze and visualize data, and create alarms for anomalous events. The Benchmark builds on this integration with a series of recommendations for log metric filters and alarms, covering events such as unauthorized API calls, console sign-ins without MFA, and use of the root user. 

7. Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Network Access Control Lists provide a stateless firewall that filters traffic entering and leaving each subnet in a VPC. Blocking unrestricted access to remote administration ports such as SSH (TCP 22) and RDP (TCP 3389) stops the whole internet from probing those services for weak credentials or unpatched vulnerabilities; administrative access should instead be limited to known source ranges or a bastion host. Check the IPv6 any-address ::/0 as well as 0.0.0.0/0, since a rule for either exposes the port to everyone. 

The AWS Benchmarks include a similar recommendation for Security Groups, AWS’s stateful instance-level firewall: “Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports.”

8. Ensure the default security group of every VPC restricts all traffic

When AWS users launch an EC2 instance in a Virtual Private Cloud without specifying a security group, it is associated with the VPC’s default security group. That group’s initial configuration allows all outbound traffic and allows inbound traffic from any instance that is also in the default group, so two instances that accidentally land in it can reach each other on every port. The Benchmark recommends removing every inbound and outbound rule from the default security group so that it permits nothing, and attaching purpose-built security groups to instances instead. 

Verify Your AWS Environment Conforms To CIS AWS Benchmarks

KirkpatrickPrice’s cloud security audits will help your organization to understand the security and compliance status of its AWS environment. Our cloud audit framework is based on the CIS Benchmarks, and experienced AWS Certified Cloud Practitioners carry out all audits. Contact a cloud security specialist to learn more.

Audits are essential for businesses that need to demonstrate compliance with regulatory frameworks and standards, but they are often time-consuming and disruptive. Businesses must ensure relevant controls are implemented and gather evidence to demonstrate implementation to auditors. Evidence gathering is among the most time-consuming and error-prone aspects of auditing, but it is, fortunately, an aspect that can be automated to some degree. 

AWS Audit Manager is an evidence collection automation tool for the Amazon Web Services cloud platform. In this article, we’ll explore how AWS Audit Manager can streamline your audit process. We’ll also consider what it can’t do and why you should consider using a CPA-backed audit management solution like the KirkpatrickPrice Online Audit Manager.

What is an Audit Manager?

Audit management aims to organize, simplify, and streamline the auditing process. Traditionally, an audit manager was a professional who facilitated audits within a company. Today, the term is increasingly used for software services that perform some of the same roles. 

Audit manager software helps businesses to gather and organize audit evidence. It also tracks the evidence-gathering process so stakeholders can monitor progress and prioritize audit-related work. The software is typically aware of the processes and procedures a business must implement to comply with various regulatory requirements and therefore provides a framework that guides evidence gathering. 

Once the evidence has been gathered, it can then be supplied to the CPA firm carrying out the audit. It is worth noting that CPA-operated audit managers like the KirkpatrickPrice Online Audit Manager allow auditees to communicate directly with their auditor. They can ask the auditor questions and receive advice and guidance. The auditor can review materials as they are gathered. A platform-specific audit management tool like AWS Audit Manager lacks this facility. However, it can be useful as one platform-specific stage of an end-to-end evidence-gathering process. 

How Does AWS Audit Manager Streamline Compliance Audits?

AWS Audit Manager is a cloud service that automates the collection of compliance evidence. The business tells Audit Manager which controls are in scope, where a control is a “rule” from a regulatory framework or standard. Audit Manager then pulls relevant data from other AWS services, including AWS Security Hub, AWS Config, and AWS CloudTrail. That data is recorded as evidence of the control’s implementation and presented in an auditor-friendly format. 

Continuous Compliance

Continuous compliance is one of the most significant advantages of automated evidence gathering. When evidence gathering is manual, it tends to be carried out periodically. Evidence is gathered for “the big audit,” and because that’s an expensive process, it isn’t repeated until the next audit period rolls around. 

Automated evidence gathering helps businesses to maintain continuous compliance. Evidence gathering becomes a much lower effort, so keeping audit evidence up-to-date makes sense. Because the evidence is always fresh, it’s possible to maintain continuous compliance, and there’s much less evidence gathering overhead when a new audit is required. 

Automatic Evidence Collection

After initial configuration, which we’ll discuss in the next section, AWS Audit Manager is almost entirely automated. It supports several automated data sources with varying data collection frequencies:

  • AWS CloudTrail is used to track user activity. Data is collected continuously. 
  • AWS Config provides snapshots of resource security. Data is collected when triggered by an AWS Config rule.
  • AWS Security Hub provides snapshots from security checks. Data is collected per Security Hub check schedules. 
  • AWS API calls collect resource configuration data snapshots from AWS resources daily, weekly, or monthly.

Simplified Audit Workflows

Evidence gathering can be complex and challenging to manage. It’s easy to make mistakes that extend the length and increase the cost of audits. Automatic data collection lifts a significant burden from auditees. The software completes most of the evidence gathering without human intervention, which is possible because AWS Audit Manager is deeply integrated into the AWS platform. 

The tradeoff is that it can only gather evidence from AWS, and you must find another solution for on-premises infrastructure or resources hosted on other cloud platforms. That’s where a platform-agnostic audit management solution like the KirkpatrickPrice Online Audit Manager shines: it can be used to gather and manage evidence from all of your business’s infrastructure, including the evidence generated by AWS Audit Manager. 

Audit Evidence Access Controls

Audit evidence is confidential, and access must be controlled and managed. As you might expect, AWS Audit Manager works with AWS Identity and Access Management (IAM), a solution businesses with AWS-based infrastructure use already. Audit Manager can segregate individual assessments to ensure they are accessed only by authorized individuals and groups. 

AWS Audit Manager Frameworks Explained

Thus far, we’ve said little about how users select which evidence is to be gathered. That’s the role of Audit Manager frameworks. Frameworks structure and automate assessments, the Audit Manager function that gathers evidence relevant to an audit. 

Each framework provides groups of audit controls and mappings to AWS resources and data. These mappings are particularly useful: without them, it requires considerable expertise to link the controls in regulatory standards to resources and configurations on real-world infrastructure platforms.

AWS provides pre-built frameworks for a range of compliance standards, including:

  • ISO/IEC 27001:2013 Annex A
  • PCI DSS V3.2.1
  • SOC 2
  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark
  • General Data Protection Regulation (GDPR)
  • FedRAMP Moderate Baseline
  • Health Insurance Portability and Accountability Act (HIPAA)

In addition to pre-built frameworks, users can build custom frameworks. These allow businesses to deploy AWS Audit Manager assessments for which no pre-built option exists. They can also create assessments and gather evidence to meet other business needs, including internal audits. 

The Limitations of Audit Managers and Audit Automation

AWS Audit Manager is a valuable tool for businesses with AWS-hosted infrastructure and services. It performs well within the limited scope of its capabilities. But it is not a complete audit automation solution. Most importantly, no audit automation tool can complete an audit, assess compliance, and deliver a reputable audit report. For many regulatory standards, only a licensed CPA firm with information security expertise can do so. Amazon’s documentation makes this clear: 

“AWS Audit Manager assists in collecting evidence that’s relevant for verifying compliance with specific compliance standards and regulations. However, it doesn’t assess your compliance itself.”

Other limitations include:

  • Evidence-gathering is limited to AWS and the data sources the platform supports.
  • A lack of direct contact with auditors.
  • Limited project management capabilities.

AWS Audit Manager can be used in conjunction with a CPA-supported audit management tool that helps users to overcome these limitations. KirkpatrickPrice’s Online Audit Manager is used to gather evidence and streamline audits for many infrastructure platforms.  In addition to being an evidence-gathering tool, it is also a powerful communication, accountability, and project management platform that provides direct access to your auditor. Contact a senior audit specialist to learn more. 

CIS Benchmarks are collections of recommendations and best practices for securely configuring servers, networks, software, and other IT systems. Developed by the Center for Internet Security, the benchmarks provide guidance businesses can use to implement secure systems, assess their current level of security, and achieve regulatory compliance. 

Given the number and complexity of IT services and systems, it is challenging for businesses to develop policies and implement procedures that maintain adequate security. CIS Benchmarks provide comprehensive best practices for various platforms and technologies, including cloud platforms like AWS and Microsoft Azure.

In this article, we take a closer look at CIS Benchmarks and how businesses can use them to improve cybersecurity and compliance with information security regulations and standards. 

What is the Center for Internet Security?

The Center for Internet Security (CIS) is a non-profit organization that aims to make the internet safe by devising and promoting security best practices. It publishes the CIS Controls and CIS Benchmarks, which are developed in a crowd-sourced consensus-driven process by a membership that includes corporations, government agencies, and other institutions.

What Are CIS Benchmarks?

The CIS Benchmarks are recommendations for securing IT systems. They provide the information businesses need to verify they are following best practices and instructions for best practice implementation.

To look more closely at one of the dozens of CIS Benchmarks, the CIS Amazon Web Services Foundations Benchmark is a 250-page document covering security benchmarks for a wide range of AWS services, including identity and access management, storage, logging, monitoring, and networking. 

Each section provides best practices for commonly used services. For example, the storage section provides guidance for S3, EC2, RDS, and EFS. Each best practice includes a rationale, instructions for verifying the best practice is implemented, and remediation instructions explaining how to secure the service.

The benchmarks are a valuable resource for businesses that need to assess and improve their security posture. That’s why we use the CIS Benchmarks for cloud services—including AWS, Azure, and GCP—as the foundation of our cloud security audits.

CIS Controls vs. CIS Benchmarks

As part of its mission to promote internet security, the CIS publishes the CIS Controls, a compendium of 18 critical security best practices that businesses should follow to defend against known cyberattacks. The controls address many best practices, including for inventory control, data protection, access management, malware, network monitoring, penetration testing, and more. Like the CIS Benchmarks, the CIS Controls are free, and they can be downloaded by any business looking to implement secure systems. 

CIS Controls and CIS Benchmarks differ in specificity. Whereas the CIS Controls offer broad, high-level best practices for a wide range of systems, the CIS Benchmarks offer actionable best practices for specific platforms and technologies, including cloud platforms, operating systems, network-connected devices, and applications. Many CIS Benchmarks refer to the relevant CIS Controls so users can track their progress towards compliance. 

Which Information Security Areas Are Covered By CIS Standards?

CIS Benchmarks cover a wide array of services, platforms, and software, including, among others:

  • Desktop operating systems: Microsoft Windows and macOS.
  • Server operating systems: Debian, Ubuntu, CentOS, RHEL.
  • Server software: Microsoft IIS, Microsoft Windows Server, Nginx, Apache.
  • Virtualization and Cloud Software: VMware, Kubernetes, Docker.
  • Cloud platforms: AWS, Microsoft Azure, Google Cloud Platform, Alibaba Cloud.
  • Desktop software: Microsoft Office, Google Chrome, Safari, Zoom.

What Are CIS Benchmark Levels?

CIS associates each benchmark recommendation with a profile level: Level 1, Level 2, or STIG. The profiles indicate the security level achieved by implementing a recommendation. 

Level 1 recommendations are basic security practices essential to creating a secure IT environment. Level 2 recommendations are high-security recommendations for systems hosting sensitive data or other high-security scenarios. Level 2 recommendations may be more difficult to implement, and they may disrupt a business’s operations. 

For example, the CIS Amazon Web Services Foundations Benchmark contains the following two recommendations, applicable to Level 1 and Level 2, respectively. 

  • Level 1: Ensure CloudTrail is enabled in all regions
  • Level 2: Ensure CloudTrail log file validation is enabled

The STIG profile is intended to help businesses to comply with the Security Technical Implementation Guide, a baseline security standard created by the Defense Information Systems Agency (DISA). The STIG profile includes CIS Level 1 and Level 2 recommendations, as well as additional recommendations required for STIG compliance. 

What are CIS Hardened Images?

CIS Hardened Images are virtual machine (VM) images with configurations that conform to the CIS Benchmarks. A VM image is a snapshot of a computer storage device containing the operating system and key library and utility software. They can be run directly by virtualization software and cloud platforms or copied to a physical server. 

CIS Hardened Images enable businesses to deploy servers and other devices with secure configurations out-of-the-box. Installing a secure VM image is a faster and more reliable way to achieve benchmark compliance than installing an operating system and software and then manually configuring it.

CIS publishes hardened images for most major server operating systems, including Microsoft Windows Server, Amazon Linux, Debian, Ubuntu, CentOS, Oracle Linux, and Red Hat Enterprise Linux. It also publishes images for applications such as Nginx and PostgreSQL. 

Major cloud platforms, including AWS, Microsoft Azure, Google Cloud Platform, and Oracle Cloud, offer CIS Hardened Images in their marketplaces, allowing users to deploy the images directly to virtual servers running on the platform. 

CIS Benchmarks and Regulatory Compliance

Regulatory frameworks and standards impose security and privacy obligations on businesses, but they do not provide concrete guidance for achieving compliance. It’s challenging for businesses to bridge the gap between regulations and real-world implementations on particular platforms. 

CIS Benchmarks are designed to align with major information security regulatory frameworks and standards. In CIS’s language, the recommendations “map” to regulations and standards. Implementing CIS benchmark recommendations can therefore help businesses to comply with aspects of standards and frameworks that include:

  • PCI DSS
  • HIPAA
  • NIST
  • FISMA
  • GDPR
  • ISO 27001

One example of how this works is PCI DSS Requirement 2.2, which requires organizations that process credit card data to “develop configuration standards for all system components…consistent with industry-accepted hardening standards.” CIS Benchmarks qualify as an industry-accepted standard. In fact, they are mentioned in the Requirement as an accepted standard alongside hardening standards from the SANS Institute and the National Institute of Standards and Technology (NIST).

Verify Your IT Environment Is Secure and Compliant

CIS Benchmarks make it easier for businesses to secure IT systems and comply with information security standards and regulations. However, compliance should be verified by an independent third party. 

KirkpatrickPrice helps organizations assess, verify, enhance, and demonstrate their security with compliance audits, pen testing, security awareness training, and more. Our comprehensive audit capabilities include:

To learn more, contact a KirkpatrickPrice information security specialist today.

Business managers and IT professionals are inclined to attribute employee-caused security failures to malice, ignorance, or laziness. After all, the business has security policies and procedures. Employees know about them or, at the very least, have signed a declaration affirming they know about them. The IT team has implemented secure systems. 

And yet, employees often circumvent these systems and ignore information security policies, exposing the business to cybersecurity attacks and regulatory risk. Malice and incompetence seem the most parsimonious explanation. But the real reasons are more complex.

Why Do Employees Fail to Comply with Security Policies?

A recent study from the Harvard Business Review revealed that few security policy breaches result from conscious malice, even when the breach itself is deliberate. The study, “Why Employees Violate Cybersecurity Policies,” attributes the majority of employee security protocol breaches to four causes:

  • To better accomplish tasks for their job.
  • To access information or functionality they need to do their job.
  • To help other employees to do their work.
  • Because stress drives them to increase productivity at the expense of security.

In short, employees typically fail to comply with security policies for reasons of productivity and altruism, not malice or ignorance. That doesn’t make failure to comply any more acceptable or mitigate the regulatory risk, but understanding it may help businesses build processes that are both secure and efficient. 

The 6 Common Employee Security and Compliance Failures

Understanding why employees fail to comply is helpful, but businesses also need to know how employees typically breach security policies. Let’s explore six of the most common ways employees fail to follow security best practices. 

1. Configuration Errors

Configuration errors expose software and services to increased security risk. For example, it is a configuration error to grant public access to an AWS S3 bucket that stores sensitive information.

The OWASP Top Ten lists misconfiguration as one of the most prevalent web application security vulnerabilities, with almost 90% of web apps exhibiting configuration errors. Misconfiguration is also a significant source of cloud security breaches. The National Security Agency (NSA) says misconfiguration is the most common cloud security vulnerability.

Other common examples of misconfiguration include:

  • Deploying publicly accessible databases with inadequate authentication
  • Using default usernames and passwords
  • Configuring firewalls with overly permissive rules
  • Failing to limit access to sensitive data and resources
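As an added example of detecting the S3 misconfiguration named above (not the article's own code and not an AWS tool), the following check flags bucket policy statements that grant access to any principal; both policies are constructed samples, and the bucket name and VPC endpoint id are placeholders.

```python
# Added example: flag an S3 bucket policy that grants public access. A
# statement is treated as public when its Effect is Allow, its Principal is
# "*" (or {"AWS": "*"}) and it carries no Condition. Treating any Condition as
# narrowing is a conservative simplification: AWS's own public-access
# definition only honours specific condition keys, so refine before relying on it.
import json

def _principal_is_everyone(principal):
    """True for the anonymous-principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_statements(policy_json):
    """Return the Sids (or positional labels) of statements open to anyone."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if (st.get("Effect") == "Allow"
                and _principal_is_everyone(st.get("Principal"))
                and not st.get("Condition")):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample: world-readable objects (the misconfiguration).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample: same grant, but limited to one VPC endpoint (placeholder id).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}],
})

if __name__ == "__main__":
    print("public:", public_statements(PUBLIC_POLICY))        # ['PublicRead']
    print("restricted:", public_statements(RESTRICTED_POLICY))  # []
```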

2. Falling for Social Engineering Attacks

Social engineering attacks manipulate employees into acting in ways that are contrary to security policies. Phishing attacks are the most common type. In a phishing attack, the attacker sends an email or instant message containing a malicious link to many different employees. The link might lead to a fake login form or a malware-infected site. 

The attacker wants to harvest login credentials or infect a trusted device. Once they can access one device, they can use it to island hop to others, circumvent security controls, and gather sensitive information.

Every organization is at risk of phishing, but it’s far from the only social engineering attack. Others include:

  • Spear phishing: a refined phishing variant that focuses on specific employees within an organization, using knowledge of the individual to craft a convincing deception. High-level executives and technical employees with wide-ranging access to IT systems are frequent spear phishing targets.
  • Smishing: attacks that use SMS to manipulate employees via spoofed phone numbers
  • Executive impersonation attacks: the attacker contacts an employee while pretending to be a high-level executive, often to ask the employee to send money to an account under the attacker’s control. Employees rarely have the confidence to challenge executive requests.

3. Exposing Log-In Credentials

The simplest way to compromise business IT systems is with stolen login credentials and API keys. If an attacker can authenticate, they can bypass security controls and take advantage of the employee’s trusted status. The paradigmatic log-in exposure is a username and password stuck to an employee’s monitor, but that’s not the only way attackers obtain credentials. 

  • Sharing credentials: Employees often share authentication credentials with other employees, including those who may not have the same authorization level.
  • Re-using credentials: Using the same usernames and passwords on business systems and other online services increases the risk that they will be exposed.
  • Uploading credentials to version control systems: Employees may choose to upload credentials and keys to version control instead of using secure secret management services.
  • Phishing attacks: As mentioned above, attackers use phishing attacks to harvest authentication credentials.

4. Circumventing Secure Systems

Security and IT professionals implement and monitor secure systems they expect employees to use. But there is often a trade-off between security and productivity, and employees may seek a more convenient option if it allows them to work more efficiently. 

This phenomenon is one of the key drivers of shadow IT, in which employees, teams, and even whole business units use non-approved devices, software, and IT and cloud services because they are “better” than the services officially approved by the company. Of course, employees and security professionals often define “better” very differently, especially when sensitive data is stored and processed on unvetted third-party services. 

5. Poor Data Storage and Transport Practices

A nightmare scenario for IT security professionals: an employee accesses sensitive data and transfers it unencrypted to a portable drive. They want to work on the data at home but lose the bag containing the drive on their commute. Without training, employees are unlikely to understand the need for encryption and the consequences of removing data from secure storage. 

Alternative risk scenarios include employees who:

  • Email sensitive data to third parties or themselves
  • Share authentication credentials with unauthorized third parties
  • Upload data to insecure cloud services for easier access

In our examples, the employee may be acting from positive motives. But deliberate data theft by departing employees is also a huge issue—one reason removing access from employees who quit or are let go is so important. 

6. Failure to Secure Remote Working Environments

Employees who work remotely present risks that don’t arise when the business controls the working environment. These risks are exacerbated when employees use their personal devices and preferred software to complete tasks. 

Risks include:

  • Unsecured WiFi networks and routers
  • Use of devices that may have been compromised
  • Reduced security awareness and diligence
  • Reduced monitoring and oversight

To learn more about how businesses can reduce remote work risks, visit KirkpatrickPrice’s Remote Access Security Testing resources. 

Risk Management: Reducing Employee Compliance Failures

We’ve seen why employees ignore security policies and how that can increase risk. But what can businesses do to manage that risk? Combatting this type of insider threat may be challenging, but we have identified several approaches that help employees act securely and responsibly.

  • Promote a positive security culture. Ensure security policies are transparent and easy to understand. Encourage employees to report potential security issues and incentivize them to conform to policies.
  • Penetration testing. Pen testing can help to identify potential weaknesses, including those caused by employees.
  • Security awareness training. Ensure all employees understand essential security policies and why the company expects them to be followed.
  • Information security audits. Regular audits help businesses to identify and mitigate inadequate policies, processes, and behaviors.

Connect with an Expert

If you want to talk to an information security and compliance expert about reducing employee risk and combating insider threats, contact KirkpatrickPrice today.