CYBERSECURE CANADA Part IV… An In-Depth Look at Security Controls 10 to 13
In this newsletter I will conclude the in-depth look into this new Business Certification by covering Security Controls 10 through 13. The next newsletter will have some of my final thoughts and analysis of the Certification as a whole.
10. Secure Cloud and outsourced IT Services
This Certification is aimed at smaller organizations, where an IT department may be undersized, or entirely non-existent. This can mean that an external Provider is contracted for certain IT Services to help supplement an existing IT staff. It could also mean that an external Supplier acts as the entire IT department for the company. In any situation where outside IT may have access to (or store) your sensitive information, you need to take the proper precautions.
When it comes to Cloud Services, you can’t just take them at face value. It’s important to evaluate them properly. Part of that is to make sure they are fulfilling their contractual obligations for the service they provide:
1) Organizations should require that their Cloud Service Providers share an SSAE 16 SOC 3 Report.
An SSAE 16 SOC 3 Report is a fancy name for a report that an external Auditor performs on a service, in order to verify that the service has met its contractual obligations for a certain time period (generally 6 months). If you google around, you will find that many Cloud Services (Office 365, for example) already publish SSAE 16 SOC 3 reports on a regular basis.
2) Evaluate your comfort level with how outsourced IT Suppliers handle and access sensitive info.
As an organization, you need to be aware of exactly what information your outsourced IT has access to and ask yourself if you are comfortable with this or not. If you are not comfortable with the access level the outsourced IT has, then it should be reduced.
3) Evaluate your comfort level with the legal jurisdictions where outsourced Providers store or use your sensitive information.
Don’t blindly give away the keys to the kingdom. Sit down and evaluate how important this information is and if you should be providing an outsourced IT department access to it in the first place. Make sure to look at the potential impact and any possible legal ramifications.
4) Ensure that IT infrastructure and users communicate securely with all Cloud Services & Apps.
Never use plaintext protocols over the Internet to access important information or resources. Make sure that whatever methods are used to access Cloud Services are encrypted.
5) Ensure that Administrative accounts for Cloud Services use Two-Factor Authentication and differ from internal Admin accounts.
Not every Cloud Service supports the use of Two-Factor Authentication. Many do and simply don’t promote it. This should be a consideration when choosing Cloud Service providers. Also, when these services are configured, make sure not to duplicate Administrative users who already exist internally in your network.
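Item 4 above (secure communication with every Cloud Service) is easy to state and easy to let slip, because one legacy connection string is all it takes. The following Python script is an added example, not part of the original newsletter or of the CyberSecure Canada material: it audits a constructed inventory of service URLs for plaintext protocols and shows the TLS client settings an in-house script should use when it calls a cloud API. The scheme lists, the inventory and the service names are all assumptions for this example.

```python
import ssl
from urllib.parse import urlsplit

# URL schemes grouped by whether application data travels encrypted.
# These sets are an assumption for this example; extend them to match the
# protocols your own suppliers actually use.
PLAINTEXT_SCHEMES = {"http", "ftp", "telnet", "imap", "pop3", "smtp", "ldap"}
ENCRYPTED_SCHEMES = {"https", "ftps", "sftp", "ssh", "imaps", "pop3s", "smtps", "ldaps"}


def classify_endpoint(url: str) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for one service URL.

    A STARTTLS upgrade is not visible in the URL, so a bare imap:// or smtp://
    entry is reported as plaintext until someone confirms the upgrade is
    enforced; assuming it is safe by default is the wrong way round.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme in ENCRYPTED_SCHEMES:
        return "encrypted"
    if scheme in PLAINTEXT_SCHEMES:
        return "plaintext"
    return "unknown"


def audit_endpoints(inventory: dict) -> list:
    """Return (name, url, verdict) for every entry not known to be encrypted."""
    findings = []
    for name, url in inventory.items():
        verdict = classify_endpoint(url)
        if verdict != "encrypted":
            findings.append((name, url, verdict))
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """TLS client settings for in-house scripts that call cloud APIs:
    certificate and hostname verification stay on, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx


# Constructed inventory of the services a small office might rely on
# (hypothetical names and hosts).
SERVICE_INVENTORY = {
    "payroll-portal": "https://payroll.example.com/login",
    "file-sync": "sftp://files.example.com/",
    "legacy-mail": "imap://mail.example.com:143",
    "backup-upload": "ftp://backup.example.com/",
    "msp-remote-tool": "custom://support.example.com",
}

if __name__ == "__main__":
    for name, url, verdict in audit_endpoints(SERVICE_INVENTORY):
        print(f"{verdict:9} {name}: {url}")
    print("client TLS floor:", hardened_client_context().minimum_version.name)
```

Anything the audit reports as "unknown" deserves the same scrutiny as a plaintext entry: a vendor's proprietary agent may well encrypt its traffic, but the burden is on the supplier to show that it does.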
11. Secure Websites
This doesn’t mean that every external website your organization operates needs to use HTTPS. The intent is that any website on the Internet that contains sensitive information (an Outlook web login for users’ email, for example) needs to be properly secured. For starters, this means that any website containing sensitive information should only be accessible over HTTPS. It also means the software itself should conform to certain guidelines, specifically the OWASP ASVS guidelines.
OWASP stands for the “Open Web Application Security Project.” It is an organization that comes up with processes, procedures and tests designed to help keep organizations and products secure. ASVS stands for Application Security Verification Standard: a method for testing software to help make sure it has been properly examined for bugs.
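The HTTPS requirement is not only "does the padlock show up"; the plain-HTTP address must not serve the sensitive page either, and the browser should be told to stay on HTTPS. As an added example (not from the newsletter, from CyberSecure Canada or from OWASP), the Python below runs a few such checks over constructed captures of HTTP responses. The thresholds (HSTS max-age of at least six months, Secure and HttpOnly on every cookie) are assumptions for this example, not a statement of the ASVS requirements themselves.

```python
from urllib.parse import urlsplit


def _cookie_attributes(set_cookie: str) -> set:
    """Lower-case attribute names from one Set-Cookie value
    ('sid=abc; Path=/; Secure; HttpOnly' -> {'path', 'secure', 'httponly'})."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def _hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security header; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def check_response(url: str, status: int, headers: dict, cookies=()) -> list:
    """Findings for one captured response. Header names are lower-case.

    Assumed rules: a plain-HTTP request to a sensitive site must redirect to
    HTTPS rather than serve content; an HTTPS response must carry HSTS with a
    max-age of at least six months; every cookie it sets must be Secure and
    HttpOnly.
    """
    findings = []
    if urlsplit(url).scheme.lower() == "http":
        location = headers.get("location", "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("served over plain HTTP instead of redirecting to HTTPS")
        return findings

    if _hsts_max_age(headers.get("strict-transport-security", "")) < 180 * 24 * 3600:
        findings.append("Strict-Transport-Security missing or max-age under six months")

    for raw in cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = _cookie_attributes(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks the HttpOnly attribute")
    return findings


# Constructed captures (url, status, headers, set-cookie values), shaped like
# what an HTTP client library hands back. Hosts are hypothetical.
SAMPLES = [
    ("http://webmail.example.com/owa/", 301,
     {"location": "https://webmail.example.com/owa/"}, []),
    ("https://webmail.example.com/owa/", 200,
     {"strict-transport-security": "max-age=31536000; includeSubDomains"},
     ["session=abc123; Path=/; Secure; HttpOnly"]),
    ("https://intranet.example.com/", 200,
     {"content-type": "text/html"},
     ["sid=xyz; Path=/"]),
]


def audit(samples) -> dict:
    """Map each sampled URL to its list of findings."""
    return {url: check_response(url, status, headers, cookies)
            for url, status, headers, cookies in samples}


if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        print(url, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Passing these checks is a floor, not an ASVS verification; the standard covers input handling, session management and much more that a header inspection cannot see.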
12. Use Access Control and Authentication
Many outfits are already doing this. What it means is that users should be created and handled using the idea of “least privilege” (a topic I covered in a previous newsletter). Any user account should only have permission to perform the actions it is intended for. Administrative users should only be used when they are required to perform activities that need administrative privilege (reading emails and creating Word documents don’t require an Admin user).
To help ensure clear accountability, user accounts should be issued to individuals, and shared accounts should be avoided whenever possible. There should be a clear process in place to revoke user accounts that are no longer required, such as when an employee leaves the organization.
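A periodic account review is where Control 12 (individual accounts, revocation when people leave) and item 5 of Control 10 (cloud admin accounts with two-factor authentication, separate from internal admin accounts) meet in practice. The Python below is an added example, not the newsletter's or the Certification's own procedure: it runs both sets of checks over a constructed export of accounts. The field names, the 90-day dormancy threshold and the sample people are assumptions for this example.

```python
from datetime import date

DORMANT_DAYS = 90  # assumed threshold for "no longer required"

# Constructed account export, as a small shop might pull it from its directory
# and from a cloud admin console. People and usernames are hypothetical.
ACCOUNTS = [
    {"system": "internal", "user": "achan",      "owner": "Alice Chan", "admin": False, "mfa": False, "active_employee": True,  "last_login": date(2024, 5, 20)},
    {"system": "internal", "user": "achan-adm",  "owner": "Alice Chan", "admin": True,  "mfa": True,  "active_employee": True,  "last_login": date(2024, 5, 18)},
    {"system": "internal", "user": "reception",  "owner": None,         "admin": False, "mfa": False, "active_employee": True,  "last_login": date(2024, 5, 21)},
    {"system": "internal", "user": "bsingh",     "owner": "Bob Singh",  "admin": False, "mfa": False, "active_employee": False, "last_login": date(2024, 2, 1)},
    {"system": "cloud",    "user": "achan-adm",  "owner": "Alice Chan", "admin": True,  "mfa": False, "active_employee": True,  "last_login": date(2024, 5, 19)},
    {"system": "cloud",    "user": "cloudadmin", "owner": "Dana Ruiz",  "admin": True,  "mfa": True,  "active_employee": True,  "last_login": date(2024, 1, 3)},
]


def review_accounts(accounts, today: date) -> list:
    """Return (account, category, reason) findings for one review run."""
    findings = []
    internal_admins = {a["user"] for a in accounts
                       if a["system"] == "internal" and a["admin"]}
    for a in accounts:
        ident = f'{a["system"]}:{a["user"]}'
        # Control 12: revoke accounts whose owner has left.
        if not a["active_employee"]:
            findings.append((ident, "revoke", "owner is no longer with the organization"))
        # Control 12: every account belongs to one person.
        if a["owner"] is None:
            findings.append((ident, "shared", "no individual owner; accountability is lost"))
        # Control 12: an unused account is a candidate for removal.
        if (today - a["last_login"]).days > DORMANT_DAYS:
            findings.append((ident, "dormant", f"unused for more than {DORMANT_DAYS} days"))
        # Control 10, item 5: cloud admins use 2FA and are distinct from internal admins.
        if a["system"] == "cloud" and a["admin"]:
            if not a["mfa"]:
                findings.append((ident, "no-mfa", "cloud admin without two-factor authentication"))
            if a["user"] in internal_admins:
                findings.append((ident, "reused-admin", "cloud admin reuses an internal admin account name"))
    return findings


def count_by_category(findings) -> dict:
    """Summarize a findings list as {category: count} for the review report."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for ident, category, reason in review_accounts(ACCOUNTS, date(2024, 6, 1)):
        print(f"{category:13} {ident:22} {reason}")
```

The "dormant" rule only surfaces candidates; whether an account is really no longer required is a decision for the account's manager, which is why the script reports rather than disables.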
13. Secure Portable Media
Portable Media (hard drives, USB sticks, etc.) are convenient, but they can also be used to very easily remove large amounts of data from an organization. This is also a topic that I have touched on in previous newsletters. An organization needs to recognize this risk, and appropriate policies, procedures and tracking should be put in place to minimize the risks associated with Portable Media.
Mandate the sole use of organization-owned secure Portable Media. This would need a Policy to ensure that employees agree with and are aware of the rule. Make sure that strong asset controls for these devices are in place. Don’t treat USB drives like they are simply disposable and top up the “Bucket o’ USB sticks” periodically. Track their use, distribution and return to the pool.
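"Track their use, distribution and return to the pool" is a register, not a bucket. The Python below is an added example, not the newsletter's own tooling, of what such a register needs to answer: who holds each device, which loans are overdue, which devices are due for replacement, and, going one step beyond the text, which device serials seen on endpoints are not organization-owned at all. The loan period, service life, asset IDs and serials are assumptions for this example.

```python
from datetime import date, timedelta


class MediaRegister:
    """Register of organization-owned portable media. Loan period and service
    life are assumed values for this example."""

    LOAN_DAYS = 14
    SERVICE_LIFE_DAYS = 3 * 365

    def __init__(self):
        self.devices = {}  # asset_id -> record
        self.log = []      # (date, asset_id, event, person)

    def enroll(self, asset_id, serial, purchased, encrypted=True):
        self.devices[asset_id] = {"serial": serial, "purchased": purchased,
                                  "encrypted": encrypted, "holder": None, "due": None}

    def check_out(self, asset_id, person, on):
        d = self.devices[asset_id]
        if d["holder"] is not None:
            raise ValueError(f"{asset_id} is already out with {d['holder']}")
        if not d["encrypted"]:
            raise ValueError(f"{asset_id} is not encrypted and may not be issued")
        d["holder"], d["due"] = person, on + timedelta(days=self.LOAN_DAYS)
        self.log.append((on, asset_id, "out", person))

    def check_in(self, asset_id, on):
        d = self.devices[asset_id]
        self.log.append((on, asset_id, "in", d["holder"]))
        d["holder"], d["due"] = None, None

    def report(self, today, serials_seen=()):
        """Overdue loans, devices past service life, and serials observed on
        endpoints that are not in the register (personal or unknown media)."""
        overdue = [aid for aid, d in self.devices.items()
                   if d["due"] is not None and d["due"] < today]
        retire = [aid for aid, d in self.devices.items()
                  if (today - d["purchased"]).days > self.SERVICE_LIFE_DAYS]
        known = {d["serial"] for d in self.devices.values()}
        unregistered = sorted(set(serials_seen) - known)
        return {"overdue": overdue, "retire": retire, "unregistered": unregistered}


def demo(today=date(2024, 6, 1)) -> dict:
    """Constructed walk-through: three devices, two loans, one unknown serial."""
    reg = MediaRegister()
    reg.enroll("USB-001", "SN-A1", date(2023, 1, 10))
    reg.enroll("USB-002", "SN-B2", date(2020, 3, 5))
    reg.enroll("USB-003", "SN-C3", date(2024, 2, 1), encrypted=False)
    reg.check_out("USB-001", "Alice Chan", date(2024, 5, 1))
    reg.check_out("USB-002", "Bob Singh", date(2024, 5, 25))
    reg.check_in("USB-002", date(2024, 5, 28))
    # Constructed list of serials an endpoint agent logged being plugged in.
    seen = ["SN-A1", "SN-B2", "SN-ZZ9"]
    return reg.report(today, seen)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key:12} {items}")
```

The "unregistered" list is where the policy gets teeth: a serial that is not in the register is, by definition, not organization-owned media, and endpoint controls that only allow registered serials turn the policy from a rule employees agree to into one the machine enforces.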
Since portable drives will be used to transfer organizational data, they should all be encrypted. There are multiple ways this can be easily accomplished, that I will not cover here.
Make sure there is a process in place for sanitizing and disposing of Portable Media. Again, don’t treat them like they are simply dispensable. Devices like USB sticks have a lifespan that is measured in read/write operations. Simply put, the more they’re used, the faster they break. By comparison, hard drives have a lifespan that is rated in hours of operation, so the amount of usage they get has little to no impact on their lifespan. Have a process in place to periodically replace old media and properly dispose of the old ones, even if they aren’t “broken.” Proper disposal is important: you can’t tell exactly what data has been stored on a USB stick over time, so it may be safe to simply throw away or it may not. It’s not worth the risk.
Yes, it’s a little long, but that covers all 13 security controls.
In the next newsletter, I’ll do a little wrap-up of the whole saga and go over a couple of items that popped up along the way, which may have inspired some queries.
If you have any questions about CYBERSECURE CANADA Certification, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-man.