Security & Compliance
Those two words typically intimidate most internal IT teams, MSPs, and even MSSPs, for the simple reason that striking a balance between the two is labor intensive. Unfortunately, no single appliance or software package will produce a totally secure environment, and meeting compliance requires a great deal of dedication and documentation.
I liken security and compliance to a dedicated orchestra: the amount of work and practice it takes to make the music we appreciate is staggering.
To continue the simile, let's meet the instruments, the IT stack:
A. Endpoint protection (AV) that is intelligent and robust enough to ward off both the known and the unusual
B. An RMM platform that lets the team remotely monitor the IT environment and all its devices in a detailed and granular fashion: inventorying, reporting device issues and failures, providing quick but secure remote access, and more
C. An IT ticketing system
D. An automated patch management system covering Microsoft and all major third-party software
E. A vulnerability scanner
F. A DR/backup system that allows months of onsite retention plus a secure offsite location that receives nightly backups, with a strong offsite retention policy and immutable copies
G. A routing/firewall system with a high level of security features (IPS, IDS, TDR, XDR, and the rest of the acronyms)
H. A SIEM (enough said)
I. A security awareness platform with phishing simulations and security training videos
J. A perimeter defense application system
We are never locked in to any vendor or tool; we keep the stack fluid, built from solid working products backed by high-end support. We evaluate new products every month, either to replace a tool with a superior one or to add capabilities to the stack.
However, a musician is only as good as their instrument, which is why good instruments are typically expensive, and a solid IT stack costs a decent shiny penny. Many will argue that free tools are available, but for compliance purposes FREE typically means lackluster support, few or no updates, and security flaws, with no ability to pass a vendor management review.
On to the musicians:
If a musician is only as good as their instrument, then our musicians here at Pioneer-360 are set up for success. Our instruments are state of the art, but the musicians must be able to play them well to create a symphony. Our musicians are highly trained, highly skilled, and able to perform.
Let’s meet the musicians:
Our NOC, the Network Operations Center, is the heart and the start of this process; it handles all the day-to-day noise within our organization. The NOC confirms daily that all patches have been applied to the systems in its care: AV, Microsoft, and third-party patches. Much of this is automated, but a patch can get stuck on a few systems, and when it does the NOC team gets it completed ASAP, because within any infrastructure one weak link can take down the entire network. They then move on to backups, confirming that jobs completed and checking for issues (and issues do arise daily), then correcting the problem so the backup completes successfully. Backups are your final fallback, so you have to make sure the DR process is doing its job. Our NOC also verifies backups by restoring them to separate servers a few times a year to confirm that data and processes will be available in a disaster. This is time consuming not only for IT but also for the managers within the organization who must confirm that the restored data and software are operationally good to go.
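As an added example (not Pioneer-360's tooling, and not from the original post), here is how the NOC's daily patch and backup verification described above can be turned into an exception list, so that every stuck patch, missed backup, or overdue restore test becomes one ticket per device. The record layout, field names, thresholds, and sample devices are assumptions constructed for the example; a real RMM or backup product exports something similar via CSV, JSON, or an API.

```python
"""Daily NOC exception report: stuck patches and failed/stale backups.

Added example. Record formats, field names, thresholds and sample data
below are assumptions; map them onto whatever your RMM and backup
product actually export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are assumptions; tune them to your patch window and backup schedule.
PATCH_GRACE_DAYS = 3         # a patch still "pending" this long after release is stuck
BACKUP_MAX_AGE_DAYS = 1      # nightly backups: a last success older than a day is a miss
RESTORE_TEST_MAX_DAYS = 120  # "a few times a year": roughly every four months


@dataclass(frozen=True)
class PatchStatus:
    device: str
    patch: str        # hypothetical patch label as the RMM reports it
    source: str       # "microsoft", "third-party", or "av"
    state: str        # "installed", "pending", or "failed"
    released: date


@dataclass(frozen=True)
class BackupStatus:
    device: str
    last_success: Optional[date]
    last_result: str  # "success", "failed", or "warning"
    last_restore_test: Optional[date]


def patch_exceptions(rows, today):
    """Return (device, patch, reason) for every patch that needs a human."""
    out = []
    for r in rows:
        age = (today - r.released).days
        if r.state == "failed":
            out.append((r.device, r.patch, "failed"))
        elif r.state == "pending" and age > PATCH_GRACE_DAYS:
            out.append((r.device, r.patch, f"pending {age}d"))
    return out


def backup_exceptions(rows, today):
    """Return (device, reason) for failed jobs, stale backups and overdue restore tests."""
    out = []
    for r in rows:
        if r.last_result != "success":
            out.append((r.device, f"last job {r.last_result}"))
        if r.last_success is None or (today - r.last_success).days > BACKUP_MAX_AGE_DAYS:
            out.append((r.device, "no successful backup within window"))
        if r.last_restore_test is None or (today - r.last_restore_test).days > RESTORE_TEST_MAX_DAYS:
            out.append((r.device, "restore test overdue"))
    return out


def nightly_report(patches, backups, today):
    """Group all exceptions by device so each device becomes a single ticket."""
    by_device = {}
    for dev, patch, why in patch_exceptions(patches, today):
        by_device.setdefault(dev, []).append(f"patch {patch}: {why}")
    for dev, why in backup_exceptions(backups, today):
        by_device.setdefault(dev, []).append(f"backup: {why}")
    return by_device


# Constructed sample data (hypothetical device names and patch labels).
TODAY = date(2024, 3, 15)
SAMPLE_PATCHES = [
    PatchStatus("FS01", "os-cumulative-2024-03", "microsoft", "installed", date(2024, 3, 12)),
    PatchStatus("WS-22", "os-cumulative-2024-03", "microsoft", "pending", date(2024, 3, 12)),  # 3 days: in grace
    PatchStatus("WS-07", "os-cumulative-2024-03", "microsoft", "pending", date(2024, 3, 5)),   # 10 days: stuck
    PatchStatus("WS-07", "pdf-reader-2024-03", "third-party", "failed", date(2024, 3, 1)),
]
SAMPLE_BACKUPS = [
    BackupStatus("FS01", date(2024, 3, 15), "success", date(2024, 1, 20)),   # healthy
    BackupStatus("SQL01", date(2024, 3, 13), "failed", date(2023, 9, 1)),    # failed, stale, restore overdue
]

if __name__ == "__main__":
    for device, reasons in nightly_report(SAMPLE_PATCHES, SAMPLE_BACKUPS, TODAY).items():
        print(device)
        for reason in reasons:
            print("  -", reason)
```

The point of grouping by device rather than by finding is that the ticket matches how the NOC works the queue: one technician opens one box and clears everything on it. A pending patch inside the grace window (WS-22) is deliberately not reported, so the list only contains items that automation has already had its chance at.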
Moving on to the SOC, the Security Operations Center: this team is responsible for plowing through the security data from the SIEM, routers, and other defensive logging devices and applications on a daily basis to make sure unusual events are prodded and probed. This team's daily inquisitiveness is of the utmost importance; they are hunting apparitions and snipers who are constantly looking for targets. Our SOC team is the "gatekeeper of the network."
VRT, our Vulnerability and Remediation Team, scans every device that touches the network, and most software, monthly for vulnerabilities that patching missed: a security update or BIOS/firmware update for PCs, servers, switches, routers, APs, DVRs, and IoT devices, or a device that is reaching or past end of life or simply needs updating. This team's duty is to find the chinks in the armor and either fix them or recommend a solution.
GRC team (Governance, Risk, and Compliance) – this is the team that reviews changes to network devices, new software, policies, and so on. A technician can no longer just flip through device or software settings to resolve an issue quickly; instead they must follow the carefully laid out steps that GRC has read and approved. No longer can employees download an app or a piece of software without review and approval. GRC can be slow and cumbersome, but it is necessary to safeguard the network's security and it is a mandate for compliance.
SAT, our Security Awareness Team, is the inside mole that trains our employees and our clients on what to look for in phishing emails, bogus websites, cell phone scams, and the like. This threat vector is growing exponentially, and having someone lead the charge is critical. Our SAT team sends out simulated phishing emails to see whether any employees will bite, and when they do, the SAT team sends them a video on what they didn't spot in the email. Did you know you should never plug your phone into one of those FREE charging stations you see at trade shows or airports?
The Sheet Music is Compliance – Plans & Policies make up Compliance
Policies are the road map and instructions for all these repetitive steps, and they are documented in detail so our teams can practice. Our team documents its findings, non-findings, changes, and glitches in detail in the ticketing system every day. Those tickets are then compiled into meaningful reports, logs, and device reports to hand to shareholders and auditors when they come knocking.
We didn't truly appreciate the level of detail compliance documentation demands until we went down the road of completing our SOC 2 Type 2 audit. It opened our eyes to our internal functioning and how we do things across the board for our clients. Not only our IT security but also our HR and accounting came under the microscope, exposing our flaws and weaknesses for all to see.
To quote Warren Buffett: "Only when the tide goes out do you discover who's been swimming naked." The tide is compliance, and it exposes everyone.
Documenting our plans was an eye-opening process; our Business Continuity Plan (BCP) was an amazing workshop in itself for Pioneer-360. As an example, so many organizations were grossly unprepared for the pandemic, and as a result millions of jobs were lost. A BCP would have helped companies migrate more smoothly to working from home and adjust to such an unusual environment that much quicker. Another example is a ransomware attack: a BCP for ransomware would spell out how and what your organization would do to recover from the event and how long you could expect to be down. Cyber Crime Magazine stated that "In fact, 60 percent of small companies go out of business within six months of falling victim to a data breach or cyber-attack. This can come down to the simple fact of being unprepared for this event."
Doing IT security and meeting compliance is a daunting task, and one we excel at here at Pioneer-360. We have grown our financial services (banking IT) practice over the last few years as our experience in IT security and compliance has grown. With our SOC 2 Type 2 report under our belts, our state-of-the-art instruments, and our highly skilled musicians, we can help any compliance-focused organization exceed its IT needs.
If you Google "What should a compliance plan include?", you will find:
Elements of an effective compliance program
· Establish and adopt written policies, procedures, and standards of conduct.
· Create program oversight.
· Provide staff training and education.
· Establish two-way communication at all levels.
· Implement a monitoring and auditing system.
· Enforce consistent discipline.
Author: Joe McCartney, President/CEO