Encrypted Backups: What They Are and How to Use Them

Today’s cyber landscape is riddled with advancing threats. From simple phishing attacks to intricate DoS attacks, businesses must ensure that the data they collect, use, store, and transmit is properly and thoroughly secured. After all, the data that companies hold is one of their greatest assets, so being aware of the consequences associated with losing that data is essential. For this reason, we believe that it’s imperative that organizations encrypt their backups. So, what are encrypted backups? What do you need to know about how to encrypt backups? Let’s discuss.

What is an Encrypted Backup?

To put it simply, an encrypted backup is an extra security measure that is used by entities to protect their data in the event that it is stolen, misplaced, or compromised in some way. Oftentimes, however, businesses confuse encryption with hashing. Let’s be clear: they are not the same.

Hashing vs. Encryption

The main difference between hashing and encryption is that a hash is not reversible. You cannot take a hash value and derive the original source. In fact, a hash acts somewhat like a fingerprint, and it is subject to known attacks (e.g., collisions or rainbow tables). On the other hand, encryption is reversible. You can take the ciphertext and derive the original source if the decryption keys are known.

How to Encrypt Backups

There are various ways to create encrypted backups. If you’re stuck on determining how to encrypt backups, you can start by determining which method is best for your organization by considering factors such as types of data stored, environment types (cloud, hybrid, physical), personnel and technical experience, industry, applicable framework requirements, and more. The most common types of encryption are symmetric and asymmetric.

Common Types of Encryption

  • Symmetric Encryption: Symmetric-key algorithms use the same cryptographic key for both encryption of plaintext and decryption of ciphertext.
  • Asymmetric Encryption: Asymmetric encryption is a form of encryption where keys come in pairs. Frequently, but not necessarily, the keys are interchangeable, in the sense that if Key A encrypts a message, then Key B can decrypt it, and vice versa. With asymmetric encryption, the private and public keys together make up the key pair, and both are required to encrypt and decrypt the data.
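
The difference between a one-way hash and reversible symmetric encryption, applied to a constructed backup file. This is an added example, not code from the original article; it assumes the OpenSSL command-line tool (1.1.1 or later), and the function names, file names, and file contents are hypothetical.

```shell
#!/bin/sh
# Added example: hashing vs. symmetric encryption applied to a backup file.
# Assumes OpenSSL 1.1.1+ on PATH; all file names and contents are constructed.

# Hashing is one-way: the digest identifies the file but cannot be turned
# back into its contents.
fingerprint() {                       # fingerprint <file>
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Symmetric encryption is reversible: the same passphrase file encrypts and
# decrypts. PBKDF2 stretches the passphrase into the AES-256 key.
encrypt_backup() {                    # encrypt_backup <plain> <cipher> <passfile>
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

decrypt_backup() {                    # decrypt_backup <cipher> <plain> <passfile>
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Restore test: decrypt and confirm the result matches the fingerprint that
# was recorded before encryption. Returns 0 only on an exact match.
verify_restore() {                    # verify_restore <cipher> <passfile> <expected-sha256>
    tmp=$(mktemp) || return 1
    if decrypt_backup "$1" "$tmp" "$2" 2>/dev/null &&
       [ "$(fingerprint "$tmp")" = "$3" ]; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

demo() {
    umask 077                         # key and backup files readable by owner only
    dir=$(mktemp -d) || return 1
    printf 'id,name\n1,constructed sample record\n' > "$dir/backup.csv"
    openssl rand -base64 32 > "$dir/backup.key"

    before=$(fingerprint "$dir/backup.csv")
    encrypt_backup "$dir/backup.csv" "$dir/backup.csv.enc" "$dir/backup.key"

    echo "plaintext sha256 : $before"
    echo "ciphertext sha256: $(fingerprint "$dir/backup.csv.enc")"
    if verify_restore "$dir/backup.csv.enc" "$dir/backup.key" "$before"; then
        echo "restore check    : OK"
    else
        echo "restore check    : FAILED"
    fi
    rm -rf "$dir"
}

demo
```

The recorded fingerprint only proves that a restore produced the original bytes; the passphrase file is what makes the backup recoverable, so it has to be stored separately from the encrypted copy.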

Framework and Legal Requirements for Encryption

While this list is not exhaustive, some of the most common framework and legal requirements for encryption include the following:

  • PCI DSS: Requirement 3.4 says, “Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), strong cryptography with associated key-management processes and procedures.”
  • HIPAA: According to the HIPAA Security Rule technical safeguards, 45 CFR § 164.312(a)(2)(iv) includes an addressable requirement that covered entities and their business associates, “Implement a mechanism to encrypt and decrypt electronic protected health information.” While this requirement is nebulous, you can learn more about the requirements here.
  • GDPR: Article 32(1)(a) states, “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data.”

Benefits of Encrypted Backups

It’s no secret that data is a highly sought-after asset, and malicious hackers and organizations will stop at nothing to get their hands on your organization’s data. However, internal threats are equally important to consider. But, if you’re proactive and implement robust encryption practices to protect your backups and data, you can reap many rewards. For example, in IBM’s 2019 Cost of a Data Breach Report it’s explained that “extensive use of encryption, data loss prevention, threat intelligence sharing and integrating security in the software development process (DevSecOps) were all associated with lower-than-average data breach costs. Among these, encryption had the greatest impact, reducing breach costs by an average of $360,000.” Aside from lowering the potential cost of a data breach, encrypted backups can protect your organization’s assets, position your organization as trustworthy and reliable, and provide your customers with the peace of mind they deserve.

Still questioning what an encrypted backup is? Need more information on how to encrypt backups? Contact us to talk to one of our Information Security Specialists today, and let KirkpatrickPrice be your expert partner as you navigate how to ensure the security of your data through encrypted backups.

What is a Secure Software Development Life Cycle

Have you ever worked on a project without a clear direction or guidelines? It can be stressful and pointlessly chaotic. Without structure and task lists, what could have been a basic project turns into a mess of miscommunication. The same principle applies to software development management.

In an age when software development is a core function of most organizations, specific and detailed processes need to be in place to ensure information systems are well developed. What is a secure software development life cycle (SDLC)? What should you include in your SDLC? Let’s talk through these software development life cycle basics.

What is a Software Development Life Cycle (SDLC)?

A software development life cycle (SDLC) is a framework that helps define tasks and work phases that are used by system engineers and developers to plan, design, build, test, and deliver information systems.

Why is software development management important to your organization?

It’s about maintaining a secure environment that supports your business needs. It’s made up of policies, procedures, and standards that guide your organization’s secure software development processes.

What Are Some Secure Software Development Models?

There are many software development models that can be implemented in your organization. These methodologies include:

  • Waterfall
  • Agile
  • Lean Software Development
  • DevOps
  • Iterative Development
  • Spiral Development
  • V-Model Development

Waterfall

The waterfall is a sequential linear approach to development. A development project passes through clearly defined phases, each of which produces a deliverable that passes into the next phase. Phases include requirements, analysis, design, coding, testing, and operations. 

Agile

Agile development is an iterative and incremental approach to development. In contrast to the waterfall method, the process is broken into short sprints that combine aspects of all development phases. After each sprint, the stakeholders assess progress and set goals for the next. 

Lean Software Development

Lean Software Development attempts to reduce waste by eliminating activities that don’t provide direct value to the customer, including repeated work, ineffective communication, and some management activity.

DevOps

DevOps combines the roles of software development and IT operations with the goal of accelerating the software development lifecycle. It is closely related to both agile and iterative development and is facilitated by cloud technologies and continuous integration and deployment software.

Iterative Development

Iterative Development uses short, repeated cycles to move from a minimal software solution to a complete product. Agile is an iterative development process.

Spiral Development

Spiral Development combines elements of iterative software development and the Waterfall model, focusing on risk reduction.

V-Model Development

V-Model Development is a modification of the Waterfall method that adds testing to each phase of the software development lifecycle.

SDLC Best Practices: The 5 Phases of a Secure Software Development Life Cycle

For whichever software development methodology your organization implements, you’ll find a common structure between the various models. These five phases of a software development life cycle can be identified in each methodology:

  1. Planning – Start your secure software development by mapping out a timeline, requirements, and any preliminary details necessary.
  2. Analysis – The organization defines objectives, project goals, and the functions and operations of the application.
  3. Design – Detailed screen layouts, business rules, process diagrams, pseudocode, and other documentation are laid out. Development begins and secure code is written.
  4. Implementation – Testing and integration bring all the pieces together in an environment that checks for errors, bugs, vulnerabilities, gaps, and interoperability.
  5. Maintenance – Once your software is developed, maintaining updates, performance evaluations, and making any changes to the initial software are key maintenance procedures.

How Will Software Development Management Make You More Secure?

The process of developing and building secure software can help your development team understand common security pitfalls to avoid. In the complex world of software development, it’s easy to miss issues in your code when you aren’t implementing a detailed plan of action.

By using the right tools to aid in secure software development, you can cut down on costs, increase efficiency, and implement continuous testing to reduce risk. If information security is your priority, you need to ensure your software development life cycle is up to standards. To learn more about security testing and third-party penetration testing, contact KirkpatrickPrice today. Let’s make sure your security practices are working for you, not against you.

How Your Org Chart Can Reflect a Culture of Cybersecurity at Work

The Need for a Culture of Cybersecurity at Work

According to IBM Security’s 2019 Cost of a Data Breach report, “The average total cost of a data breach in the U.S. has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130 percent increase over 14 years.” What does this mean for organizations looking to prevent data breaches and security incidents? It means that in order for organizations to adequately prepare to deal with today’s cyber risks, avoid costly fines and penalties for non-compliance, and give clients the peace of mind they deserve, their corporate structure should reinforce a culture of compliance – one that is strongly embedded into the organization, clearly visible in the company’s org chart, and focused on cybersecurity.

Cybersecurity is a Company-Wide Effort

Establishing a culture of cybersecurity at work is no longer just a best practice – it’s absolutely necessary. But for many organizations, initiatives that emphasize both cybersecurity and compliance haven’t been a major focal point for departments outside of IT. Because IT has traditionally been the sole bearer of cybersecurity and compliance initiatives, cybersecurity and compliance best practices are only seen as a small component of the business strategy instead of being a strategic initiative in itself. For them to become a strategic initiative, a culture of cybersecurity should be embedded into every aspect of your organization – even in your org chart. While it will depend on factors like your organization’s size, industry, budget, or personnel experience, there are typically three ways to emphasize cybersecurity through your org chart: top-down, bottom-up, and network. Whichever way you structure it, there need to be clear lines of communication between personnel vertically and horizontally.

3 Ways an Org Chart Reinforces Cybersecurity

Top-Down Org Chart

Perhaps the most common org chart is the top-down structure; it starts with the Board of Directors and ends with entry- or low-level employees. In order to emphasize a culture of cybersecurity at work in this org chart model, the Board of Directors needs to set the tone for compliance initiatives. This means that in the company’s business strategy, cybersecurity and compliance will be strategic initiatives and not merely a responsibility that IT reports on. A basic rendering of a top-down org chart might look something like this:

[Figure: Top-Down Org Chart]

Bottom-Up Org Chart

Opposite to the top-down org chart model, bottom-up org charts are less common but empower lower-level employees to take part in the culture of cybersecurity at work. In these models, low-level employees often feel like they have a greater role in creating and maintaining a culture that focuses on cybersecurity and compliance because they understand that their day-to-day tasks play a key role in the company’s overall business strategy. This org chart also opens up more lines of communication between upper management and lower-level employees, as employees are likely to feel more empowered to identify and report on issues when they know that their bosses will listen to their concerns and take corrective actions when necessary. A bottom-up org chart typically looks like an inverted pyramid, like the following:

Network Org Chart

More and more businesses are relying on third parties to supply information security services for their organization, especially those companies that don’t have the time, budget, or personnel resources to meet their growing cybersecurity needs. But when major components of the business are outsourced, maintaining a culture of cybersecurity and compliance becomes more difficult. By developing a network org chart, businesses can clearly see where they’ve outsourced components of the business, where they’re located, and who is responsible for overseeing those vendors and their compliance efforts – all while showing where in-house departments are, who oversees them, and what tasks they’re responsible for. A network org chart might look something like this:

 

Regardless of the org chart model your business uses, ensuring that every employee knows who they need to be communicating with is essential, especially in regard to a culture of cybersecurity at work. If you’re looking to revise your company’s org chart, let’s chat so you can find out how KirkpatrickPrice can help!

How to Build an IT Asset Management Plan

How can you best manage your data and assets at a time when information security threats are everywhere? What is asset management and where do you start with it? Let’s start with a basic definition. Asset management is properly defining and categorizing an organization’s assets. A well-developed asset management plan can help you make strategic moves to increase your organizational security. With any plan for IT asset management in place, you should have established processes for receiving and transferring assets, migrating virtual systems, detecting and responding to incidents, continuous monitoring, and applying patches and updates to address vulnerabilities.

How Can You Benefit from an IT Asset Management Plan?

NIST Special Publication 1800-5 on IT asset management explains the benefits of a thorough asset management plan in six parts:

  1. Proper asset management increases the ability for your organization to respond to security alerts quickly as the location, configuration, and owner of various devices can be accessed quickly.
  2. Your organization can turn its focus to the most valuable assets and therefore increase cybersecurity resilience.
  3. When you conduct an audit, auditors will have detailed information about your systems because of well-managed assets.
  4. It helps to better define your budget as you can determine which software licenses are actually utilized and which you pay for, but do not use.
  5. Your employees will be able to use your asset management plan to know what is installed and any alerts or errors that might come up, so that you can minimize help desk response times.
  6. With a well-developed IT asset management structure, any patching that needs to be done on your software can be done correctly, reducing the attack surface of devices.

These benefits arise from a well-developed asset management plan that follows guidelines set up by publications such as NIST. When you face the difficulty of IT asset management, you might find yourself looking for guidance on how to responsibly track the status and configurations of your assets. That’s why we, at KirkpatrickPrice, have developed an outline of an asset management plan to get you started.

 

 

Risk-Based Approach to an Asset Management Plan

While your customized asset management plan will be tailored to your organization’s security needs, this tool can be helpful in giving you a path towards security compliance. Organizing and maintaining an asset inventory works as a foundation for a thorough information security program. You can organize your asset inventory in many different ways: individually, systematically, or through portfolios. Every organization will define their assets according to their needs, but it is recommended that the selection process be based upon risk. At what risk level is each asset? By classifying and analyzing assets according to what critical risk stage they’re in, you can help measure the effectiveness of your security strategies.

If you’re serious about implementing information security practices, you need to be mindful of the importance of proper asset management. Don’t let undetected vulnerabilities and mismanaged risks be the problems that plague your information security plan. Instead, use asset management tools and perform regular penetration testing to protect your valuable assets. Contact KirkpatrickPrice today to learn how we can help you achieve your information security goals!

15 Must-Have Information Security Policies

What Information Security Policies Do You Need?

Why do you need information security policies? What role do policies play in your organization’s security structure? You’re probably familiar with basic policies such as a Disaster Recovery Policy, Data Backup Policy, or Risk Assessment Policy, but there are other must-have information security policies that you should be implementing. The point of having extensive policies in place is to provide clarity for your employees, direction for proper security procedures, and proof that you’re doing your due diligence to protect your organization against security threats. We’ve gathered a list of 15 must-have information security policies that you can check your own list of policies against to ensure you’re on the path towards security:

  1. Acceptable Encryption and Key Management Policy
  2. Acceptable Use Policy
  3. Clean Desk Policy
  4. Data Breach Response Policy
  5. Disaster Recovery Plan Policy
  6. Personnel Security Policy
  7. Data Backup Policy
  8. User Identification, Authentication, and Authorization Policy
  9. Incident Response Policy
  10. End User Encryption Key Protection Policy
  11. Risk Assessment Standards and Procedures
  12. Remote Access Policy
  13. Secure Systems Management Policy
  14. Monitoring and Logging Policy
  15. Change Management Policy

Information Security Policies Are Not the Finish Line

Now that you know 15 must-have information security policies, you should also know that policies are not the finish line. You also need to implement procedures and standards to give your employees tangible direction on how to follow information security policies – plus, developing procedures and standards is required for compliance with information security frameworks. It’s also not enough to just have written policies and procedures. You need to make sure every employee in your organization has a chance to read, understand, and acknowledge your policies. That’s why it’s important to develop an Employee Handbook and require each employee to sign a Policy Acknowledgement. These steps help to ensure those 15 must-have information security policies are implemented well and further your information security goals.

How KirkpatrickPrice Can Help You Develop an Information Security Policy

When you engage in a gap analysis with KirkpatrickPrice, the auditor assigned to work with your organization determines if there are any gaps in your information security structure. Many times, we find organizations are missing policies that give structure to their information security plan. After completing a gap analysis, you can elect to have one of KirkpatrickPrice’s Professional Writers develop customized policies to help you meet your specific compliance requirements. Writing or adding to your information security policies based on your gap analysis results will aid in your remediation efforts.

If you’re looking to develop strong policies and procedures or have further questions about how you can partner with KirkpatrickPrice to meet your compliance goals, contact us so we can help you develop standards that fit your organization.

 

 
