Whether you call it a review, audit, or evaluation, any time you conduct a serious assessment of the state of your network and data security, along with your related policies and procedures, it’s a good and valuable process.
For the State of Ohio Critical Security Controls Compliance, we like the description given by Michelle Burk, CIO/Deputy Director of DoDD:
“It’s an evaluation of security and privacy safeguards of your systems and organization to demonstrate and document ongoing compliance.”
This 3-part series addresses all 15 sections with ideas and best practices to assist your organization.
Before proceeding, it’s crucial to point out that there is no magic spell or single switch to throw when it comes to securing your network and data. The best plan involves many different layered solutions working together effectively in order to properly secure your information technology environment.
Done in-house, network security is expensive: it takes a great deal of time, current knowledge, and wide-ranging experience to implement and manage properly across an entire organization and its infrastructure.
Most importantly, while this state-requested review may be a one-time or initial assessment, protecting your network and data is an ongoing and evolving process that requires you to be proactive and constantly vigilant. Reliable information technology security is paramount and requires a comprehensive solution.
Here are some ideas and best practices for all developmental disabilities-related organizations.
- Inventory and Control of Hardware Assets
- Install a management agent on all hardware.
- A Remote Monitoring and Management (RMM) solution will give you better control, management, and support of your devices, even if they’re not on your LAN.
- Mobile devices also need a management agent, which is often referred to as a Mobile Device Management (MDM) solution.
- Prevent unauthorized hardware from connecting to your internal network.
- Use WPA2-Enterprise (802.1X with per-user credentials or certificates) on your Wi-Fi instead of a Pre-Shared Key, so a departing employee’s access can be revoked without changing a key that every device shares.
- Disable unused switch ports to prevent unauthorized wired connections to your network.
- Restrict the number of MAC addresses allowed on a switch port (port security). A MAC address is easy to spoof, so treat this as a tripwire against casual plug-ins; 802.1X on wired ports is the stronger control.
- Inventory and Control of Software Assets
- The management agent installed on your hardware should be able to report what software is installed.
- Users should not be able to install software. Users should NEVER have admin rights to their computers.
- Some older software claims it must be run as an admin, but in most cases it will work without admin rights once the specific file and registry locations it writes to are given the needed permissions (Process Monitor shows which accesses are being denied).
- Use application allow-listing so only authorized software can run. Software Restriction Policies still work but are deprecated on current Windows; AppLocker or Windows Defender Application Control are the supported successors.
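The inventory and allow-listing steps above, as an added PowerShell example (this is not code from the GO Concepts post). It assumes it runs elevated on a reference Windows 10/11 build, and the C:\SecAudit output paths and the test file path are placeholders:

```powershell
# Added example (not code from the GO Concepts post): inventory installed software from the
# registry Uninstall keys, then build an AppLocker allow-list in audit-only mode from the
# directories that hold approved programs. Assumptions: run elevated on a reference Windows
# 10/11 build; the C:\SecAudit output paths and the test file path are placeholders.

function Get-InstalledSoftware {
    # Covers native and 32-bit-on-64-bit installs; entries without a DisplayName are hidden components.
    # (Avoid Win32_Product: querying it triggers a consistency check and repair of every MSI package.)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName, DisplayVersion -Unique
}

# One CSV per machine; diff them against the reference build to find software nobody approved.
New-Item -ItemType Directory -Path 'C:\SecAudit' -Force | Out-Null
Get-InstalledSoftware | Export-Csv -Path "C:\SecAudit\$env:COMPUTERNAME-software.csv" -NoTypeInformation

# Rules derived from what is actually installed on the reference build. Publisher rules keep
# working across version upgrades of signed binaries; hash rules cover the unsigned remainder.
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Ship it in AuditOnly first: event ID 8003 in the AppLocker "EXE and DLL" log records what WOULD
# have been blocked, which is how you find the line-of-business tool nobody told IT about.
# Before switching to Enabled, add the default rules that allow C:\Windows and C:\Program Files,
# or the operating system's own binaries will be blocked.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path 'C:\SecAudit\AppLocker-audit.xml' -Value $xml

# Dry-run a binary against the policy, then apply locally (-Ldap targets a GPO instead).
# The Application Identity service (AppIDSvc) must be running for AppLocker to evaluate anything.
Test-AppLockerPolicy -XmlPolicy 'C:\SecAudit\AppLocker-audit.xml' -Path 'C:\Users\Public\Downloads\setup.exe' -User Everyone
Set-AppLockerPolicy -XmlPolicy 'C:\SecAudit\AppLocker-audit.xml'
```

Run the inventory across your fleet through the RMM tool and diff each CSV against the reference build; anything not on the reference list is either a candidate for an allow-list rule or something to remove.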
- Continuous Vulnerability Management
- External Vulnerability Scans
- Only secure encrypted protocols should be made accessible to the Internet.
- Use Qualys SSL Labs (ssllabs.com) as a free assessment of the TLS configuration of your public-facing servers.
- Internal IT Assessment Scan Tool
- Locates all devices on the network.
- Compare to the inventory from your management system to identify unauthorized devices.
- Controlled Use of Administrative Privileges
- Do not give administrative rights to end users.
- A secondary account should be created for users with administrative access so the account they use for internet browsing, email access, etc., doesn’t have administrative access.
- Use group policies to control members of the local admin group.
- Implement a system to manage the local administrator accounts, such as Microsoft’s Local Administrator Password Solution (LAPS). Each computer gets a different administrator password that rotates automatically and is stored in Active Directory, so a password recovered from one machine cannot be reused on the next.
- Monitor privileged Active Directory groups like “Domain Admins” for any changes. Deny interactive logon for service accounts.
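The checks in this section, as an added PowerShell example (not code from the GO Concepts post): who is actually in Domain Admins, who holds local admin on workstations, and who changed privileged group membership recently. It assumes a domain-joined admin workstation with the ActiveDirectory RSAT module and WinRM reachable on the targets; the approved lists, computer names and domain controller name are placeholders:

```powershell
# Added example (not code from the GO Concepts post): audit who holds administrative rights
# and surface recent changes to privileged groups. Assumptions: ActiveDirectory RSAT module;
# WinRM open to the workstations; Remote Event Log Management allowed on the DC; the approved
# lists, computer names and DC name below are placeholders.
Import-Module ActiveDirectory

$ApprovedDomainAdmins = @('da-jdoe', 'da-breakglass')                     # placeholder sAMAccountNames
$ApprovedLocalAdmins  = @('CORP\Domain Admins', 'CORP\WorkstationAdmins') # placeholder group names
$Workstations         = @('WS-001', 'WS-002')                             # placeholder computer names

function Get-DomainAdminDrift {
    # -Recursive expands nested groups, so a user hidden two groups deep still shows up
    $current = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        Unexpected = @($current | Where-Object { $_ -notin $ApprovedDomainAdmins })
        Missing    = @($ApprovedDomainAdmins | Where-Object { $_ -notin $current })
    }
}

function Get-LocalAdminDrift {
    param([string[]]$ComputerName)
    # The built-in Administrator (RID 500) is expected (LAPS manages its password); anything else
    # that is not an approved group is an end user or a leftover from a tech's troubleshooting.
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.SID.Value -notlike 'S-1-5-21-*-500' } |
            Select-Object @{n = 'Computer'; e = { $env:COMPUTERNAME }}, Name, ObjectClass
    } | Where-Object { $_.Name -notin $ApprovedLocalAdmins }
}

function Get-PrivilegedGroupChanges {
    param([string]$DomainController, [int]$Days = 7)
    # 4728/4729 = member added to / removed from a security-enabled global group (Domain Admins);
    # 4756/4757 = the same for universal groups (Enterprise Admins). Property layout for all four:
    # [0] member, [2] group name, [6] the account that made the change.
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4729, 4756, 4757; StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Id,
        @{n = 'Group';  e = { $_.Properties[2].Value }},
        @{n = 'Member'; e = { $_.Properties[0].Value }},
        @{n = 'Actor';  e = { $_.Properties[6].Value }}
}

Get-DomainAdminDrift
Get-LocalAdminDrift -ComputerName $Workstations | Format-Table -AutoSize
Get-PrivilegedGroupChanges -DomainController 'DC01' | Format-Table -AutoSize
```

Schedule the first two as a daily task that e-mails only when Unexpected is non-empty; the third belongs in whatever your RMM or log collector alerts on, because a new Domain Admin at 2 a.m. should page someone.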
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- All computers should be re-imaged before deployment. By using an Operating System Deployment (OSD) solution, you can automate this process to save time and ensure that every computer has the same initial configuration.
- For Windows computers, all operating system settings should be controlled with Group Policies instead of making individual changes to each computer. This ensures a consistent configuration across your computers and saves you time from having to individually touch each computer to make changes.
- Your RMM tool should be configured to verify that devices are correctly configured and “compliant” with your secure configurations.
- All devices should report to a central Patch Management server to control which patches are installed, when they are installed, and identify devices missing patches.
- Your MDM tool should enforce that devices are used in a way that meets your organization’s policies. Enforcing a passcode, data encryption, controlling which apps can be installed, and other settings of the operating system should be controlled with your MDM tool.
- Maintenance, Monitoring, and Analysis of Audit Logs
- Use NTP to synchronize the time on all your servers and network devices. Without matching clocks, log entries from different systems cannot be correlated during an investigation.
- The NTP Pool Project (pool.ntp.org) is a free service with over 500 NTP servers in its US zone alone.
- Set external NTP servers on the domain controller that holds the PDC emulator role, plus on network equipment, Network Video Recorders (NVR), and access control systems. Domain-joined workstations and servers need no NTP configuration: they sync from the domain controller that authenticates them, and every other domain controller syncs from the PDC emulator.
- Use group policy to increase the size of the Security event log. This is the log that stores logon history, failed logon attempts, and account lockout events, information that is vital when responding to a security incident.
- We recommend it be at least 1 GB (1048576 KB). A larger local log only buys time, and an attacker with admin rights can clear it (event ID 1102), so forward Security logs to a central collector as well.
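The two settings above, as an added PowerShell example (not code from the GO Concepts post). It assumes an elevated session with the ActiveDirectory module, WinRM access to the PDC emulator, and outbound UDP 123 permitted from it; the NTP Pool host names are the US zone and can be replaced with your own sources:

```powershell
# Added example (not code from the GO Concepts post): point the PDC emulator at external NTP
# servers and raise the Security log to 1 GB, then verify both. Assumptions: elevated session,
# ActiveDirectory module, WinRM to the PDC emulator, outbound UDP 123 allowed from it.

# 1. Only the PDC emulator should sync from outside; every other DC and every domain member
#    follows the domain hierarchy on its own.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

Invoke-Command -ComputerName $pdc -ScriptBlock {
    # ",0x8" = client mode (send requests, never accept symmetric-active packets);
    # /reliable:yes advertises this DC as a good time source to the rest of the domain
    w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
    Restart-Service -Name w32time
    w32tm /resync
    w32tm /query /source   # expect a pool host name, not "Local CMOS Clock" or "Free-running System Clock"
}

# From any domain member: how far this machine's clock is from the PDC emulator (offset column, seconds)
w32tm /stripchart /computer:$pdc /samples:3 /dataonly

# 2. Security log size. Through Group Policy: Computer Configuration > Policies > Administrative
#    Templates > Windows Components > Event Log Service > Security > "Specify the maximum log
#    file size (KB)" = 1048576. The same value applied directly to one machine:
wevtutil sl Security /ms:1073741824

# Verify what is in effect (a GPO-delivered value lands in the policy key and overrides the local one)
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, RecordCount, LogMode
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' -Name MaxSize -ErrorAction SilentlyContinue
```

Run the stripchart line from a workstation in each site: an offset of more than a few seconds means that site's authenticating DC is not following the hierarchy, which is the usual cause of "the logs don't line up" during an investigation.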
- Email and Web Browser Protections
- Use an RMM solution that supports third-party patching, so Google Chrome and Firefox are up to date, and you can identify any computers that need to be updated.
- Use group policy to manage which Outlook add-ins can be used and prevent unauthorized add-ins from running.
- Content filters are an important layer of security for organizations of any size, not just for security reasons but also for employee productivity. End users should not be able to bypass the content filter by changing proxy settings, viewing cached copies of pages, or switching to HTTPS; the filter must see or block HTTPS traffic as well.
- Phishing and fraudulent emails are among the biggest security threats organizations face today. SPF, DKIM, and DMARC are three DNS-published technologies that work together to stop anyone from spoofing the “from” address to make a message look as if it was sent from your domain.
- SPF (Sender Policy Framework) is a DNS record listing the mail servers authorized to send as your domain.
- DKIM (DomainKeys Identified Mail) signs outgoing mail with a private key; the matching public key is published in DNS under a selector, so a receiver can verify the message came from your mail system and was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do with a message that fails both SPF and DKIM alignment (monitor only, quarantine as spam, or reject) and delivers reports on who is sending as your domain. Start with p=none to collect reports, then move to quarantine and finally reject.
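Having the three records is not the same as having them configured to stop spoofing. The added PowerShell example below (not code from the GO Concepts post) lints SPF, DMARC and DKIM records for the settings that quietly leave spoofing possible. The records in $samples are constructed for example.com; the DKIM sample uses placeholder key bytes of the length a 1024-bit key would have. For a live check, feed in the TXT strings from Resolve-DnsName as shown in the comments:

```powershell
# Added example (not code from the GO Concepts post): lint SPF, DMARC and DKIM records for weak
# settings. $samples below are constructed; for live records use Resolve-DnsName, e.g.
#   SPF   (Resolve-DnsName example.com -Type TXT).Strings -join ''              (the one starting v=spf1)
#   DMARC (Resolve-DnsName _dmarc.example.com -Type TXT).Strings -join ''
#   DKIM  (Resolve-DnsName selector1._domainkey.example.com -Type TXT).Strings -join ''

function Test-SpfRecord([string]$Record) {
    $findings = @()
    if ($Record -notmatch '^v=spf1\b') { return @('not an SPF record') }
    if ($Record -match '[+?]all\b')    { $findings += '+all/?all: every sender passes SPF' }
    if ($Record -match '~all\b')       { $findings += '~all (softfail): most receivers only mark, never reject' }
    if ($Record -notmatch '\s[-~+?]?all\s*$' -and $Record -notmatch 'redirect=') { $findings += 'no "all" term: unlisted senders get a neutral result' }
    # Each of these terms costs the receiver a DNS lookup; past 10 the record is a permerror (RFC 7208)
    $terms   = ($Record -split '\s+') | Select-Object -Skip 1
    $lookups = @($terms | Where-Object { ($_ -replace '^[-~+?]', '') -match '^(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)' }).Count
    if ($lookups -gt 10) { $findings += "$lookups lookup terms, limit is 10: receivers will permerror" }
    $findings
}

function Test-DmarcRecord([string]$Record) {
    $findings = @()
    if ($Record -notmatch '^v=DMARC1\b') { return @('not a DMARC record') }
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $p = $tags['p']
    if ($p -eq 'none')                           { $findings += 'p=none: monitor only, spoofed mail is still delivered' }
    elseif ($p -notin @('quarantine', 'reject')) { $findings += 'p= missing or invalid: receivers ignore the whole record' }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings += "pct=$($tags['pct']): policy applied to only part of failing mail" }
    if ($tags['sp'] -eq 'none') { $findings += 'sp=none: subdomains can still be spoofed' }
    if (-not $tags['rua'])      { $findings += 'no rua=: you will never see who is sending as your domain' }
    $findings
}

function Test-DkimRecord([string]$Record) {
    $findings = @()
    if ($Record -notmatch '(^|;\s*)(v=DKIM1|p=)') { return @('not a DKIM record') }
    if ($Record -match 'p=\s*(;|$)')              { return @('p= is empty: key revoked, every signature fails') }
    if ($Record -match 'p=([A-Za-z0-9+/=]+)') {
        $der = [Convert]::FromBase64String($Matches[1])
        # Approximate RSA modulus size from the DER length (34 bytes of ASN.1 overhead at 1024 bits, a few more above)
        $bits = [math]::Round(($der.Length - 34) * 8 / 256) * 256
        if ($bits -lt 2048) { $findings += "key is about $bits bits; 2048 is the current minimum" }
    }
    if ($Record -match '\bt=y\b') { $findings += 't=y: testing mode, verifiers may ignore failures' }
    $findings
}

function Test-MailAuthRecord([string]$Record) {
    switch -Regex ($Record) {
        '^v=spf1'   { return Test-SpfRecord $Record }
        '^v=DMARC1' { return Test-DmarcRecord $Record }
        default     { return Test-DkimRecord $Record }
    }
}

# Constructed samples for example.com; the DKIM key is placeholder bytes of 1024-bit length
$samples = [ordered]@{
    'weak SPF'   = 'v=spf1 include:spf.protection.outlook.com include:_spf.google.com a mx ptr ~all'
    'good SPF'   = 'v=spf1 include:spf.protection.outlook.com -all'
    'weak DMARC' = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
    'good DMARC' = 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com'
    'weak DKIM'  = 'v=DKIM1; k=rsa; p=' + ('A' * 216)
}
foreach ($name in $samples.Keys) {
    $result = Test-MailAuthRecord $samples[$name]
    '{0,-10} {1}' -f $name, $(if ($result) { $result -join '; ' } else { 'OK' })
}
```

The ptr mechanism in the weak SPF sample is flagged only indirectly (it counts toward the lookup limit); RFC 7208 discourages it outright, so remove it when you see it. Re-run the lint after every mail-platform change, because adding a new SaaS sender with an include: is the usual way a record quietly crosses the 10-lookup limit.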
- Malware Defenses
- Use an Antivirus that is integrated into RMM to ensure it is up to date and IT staff is immediately alerted of any threats detected.
- Enable DNS debug logging on your domain controllers (or whichever servers run DNS). These logs are valuable when locating the source of malware on your network, because they show which internal host looked up a malicious domain and when. Set a maximum file size so the log cannot fill the system drive.
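Enabling the log is the easy half; the value is in answering “which machine asked for that name?” quickly. The added PowerShell example below (not code from the GO Concepts post) turns on debug logging with the DnsServer module and then parses the log for the clients that queried a suspicious domain. The log path and the name pattern are placeholders, and the lines in $sampleLog are constructed to match the debug log’s line format so the parser can be run offline:

```powershell
# Added example (not code from the GO Concepts post): enable DNS debug logging on a DC that
# runs DNS, then parse the log for the internal hosts that looked up a suspicious name.
# Assumptions: DnsServer module on the DC; C:\DNSLogs\dns.log and the name pattern are
# placeholders; $sampleLog is constructed to match the real line format.

# --- Run on the DC: log client queries and our answers to a capped file (500 MB, then rolls over) ---
Set-DnsServerDiagnostics -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
    -UdpPackets $true -TcpPackets $true -QuestionTransactions $true `
    -EnableLoggingToFile $true -LogFilePath 'C:\DNSLogs\dns.log' -MaxMBFileSize 500
Get-DnsServerDiagnostics | Select-Object Queries, Answers, EnableLoggingToFile, LogFilePath, MaxMBFileSize

# --- Parsing ---
# Fields: date time threadId PACKET packetId proto Snd/Rcv remoteIp xid [R] opcode [flags] qtype qname
$lineRegex = '^(?<date>\S+ \S+ \S+) \S+ PACKET\s+\S+ (?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<ip>\S+)\s+(?<xid>\S+)\s+(?<resp>R )?(?<op>\S+) \[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'

function ConvertFrom-DnsLabel([string]$Label) {
    # "(6)update(10)badexample(3)net(0)" -> "update.badexample.net"
    ($Label -replace '\(\d+\)', '.').Trim('.')
}

function Get-DnsClientsForName {
    param([string[]]$LogLine, [string]$NamePattern)
    foreach ($line in $LogLine) {
        # A query from a client is a received packet without the R (response) marker
        if ($line -match $lineRegex -and $Matches.dir -eq 'Rcv' -and -not $Matches['resp']) {
            $name = ConvertFrom-DnsLabel $Matches.qname
            if ($name -like $NamePattern) {
                [pscustomobject]@{ Time = $Matches.date; Client = $Matches.ip; Type = $Matches.qtype; Name = $name }
            }
        }
    }
}

# Constructed sample: three clients, one benign lookup, one response line that must be ignored
$sampleLog = @(
    '3/14/2024 9:02:11 AM 0A3C PACKET  000001E2D5F3A8B0 UDP Rcv 10.10.20.55     4f2a   Q [0001   D   NOERROR] A      (6)update(10)badexample(3)net(0)',
    '3/14/2024 9:02:11 AM 0A3C PACKET  000001E2D5F3A8B0 UDP Snd 10.10.20.55     4f2a R Q [8081   DR  NOERROR] A      (6)update(10)badexample(3)net(0)',
    '3/14/2024 9:02:40 AM 0A3C PACKET  000001E2D5F3B120 UDP Rcv 10.10.20.71     91c0   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    '3/14/2024 9:07:58 AM 1F10 PACKET  000001E2D5F40C00 UDP Rcv 10.10.20.55     4f2b   Q [0001   D   NOERROR] A      (3)cdn(10)badexample(3)net(0)',
    '3/14/2024 9:08:03 AM 1F10 PACKET  000001E2D5F41A70 TCP Rcv 10.10.30.12     7e01   Q [0001   D   NOERROR] TXT    (6)update(10)badexample(3)net(0)'
)

# Which hosts talked to the suspicious domain and how often; the busiest one is the first to isolate
Get-DnsClientsForName -LogLine $sampleLog -NamePattern '*.badexample.net' |
    Group-Object Client | Sort-Object Count -Descending | Select-Object Count, Name
# Against the real file: Get-DnsClientsForName -LogLine (Get-Content 'C:\DNSLogs\dns.log') -NamePattern '*.badexample.net'
```

On the sample, 10.10.20.55 shows two lookups and 10.10.30.12 one; the TXT query from the second host is the kind of detail worth noting, since TXT lookups against an odd domain are a common command-and-control channel. Debug logging is verbose on a busy DC, so keep the size cap and turn it off again once the investigation is over.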
- Limitation and Control of Network Ports, Protocols, and Services
- Regularly conduct External Vulnerability Scans. The information security landscape is always changing and new threats are detected daily, so even if no changes are made to your network, new vulnerabilities are constantly being disclosed that your network may be susceptible to. It is typically best to work with an independent third party to conduct an unbiased vulnerability scan.
- Enforce and manage the Windows firewall with group policies. Client-side software firewalls provide an extra layer of protection and control on your network. Third-party solutions are also available, but the firewall included with Windows 10, with its settings enforced centrally by group policy, is a good solution at no additional cost.
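What “enforce the Windows firewall” should mean in practice, as an added PowerShell example (not code from the GO Concepts post): the weak profile state often found in the field beside the corrected one, plus an inbound rule scoped to a management subnet. It assumes an elevated session; the management subnet and the WinRM port are placeholders. The equivalent Group Policy location is Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security:

```powershell
# Added example (not code from the GO Concepts post): Windows Defender Firewall profile hardening.
# Assumptions: elevated session; 10.10.250.0/24 is a placeholder management subnet; 5985 (WinRM)
# stands in for whatever port your RMM agent listens on.

# Weak state: a profile switched off "because something didn't work", or inbound default Allow,
# which turns every listening service on the workstation into attack surface. Look first.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowLocalFirewallRules

# Corrected: all three profiles on, inbound blocked by default, blocked traffic logged. When this is
# pushed by GPO, AllowLocalFirewallRules=False makes the policy ignore rules created on the machine,
# so an installer or a local admin cannot punch a hole that policy never granted.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# Inbound access for remote management only from the management subnet, and only on the Domain
# profile: the same laptop on a hotel network exposes nothing.
New-NetFirewallRule -DisplayName 'Remote management (WinRM) from management subnet' `
    -Group 'Managed by IT' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985 `
    -RemoteAddress '10.10.250.0/24' -Profile Domain

# Verify the scope actually applied
Get-NetFirewallRule -DisplayName 'Remote management*' | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The blocked-traffic log is worth collecting: a workstation that suddenly logs inbound connection attempts from another workstation on 445 or 3389 is showing you lateral movement.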
- Data Recovery Capabilities (note: this is a broad and complex topic that warrants its own blog post, so this is merely a condensed list of the most critical items to consider.)
- Find the right backup solution for your environment.
- If your servers are virtual machines (VM), use a hypervisor-level backup solution, which takes a snapshot of each VM to back up. A full VM backup gives you more robust and reliable recovery options.
- If you’re using physical servers, use a backup solution that can perform a “bare metal restore,” which allows you to recover the data directly on to new hardware without having to install the operating system or programs.
- Follow the 3-2-1 Backup rule
- 3 Different copies of the data.
- 2 Different forms of media.
- 1 Copy stored offsite.
- An example of a basic setup that meets these criteria would be a server that backs up to a USB drive and then replicates the backup to cloud storage.
- Use encryption on your backups; both while the data is in transit and while it is at rest.
- Create a backup plan and retention policy that meets the needs of your organization.
- Identify critical data that needs backed up and include it in your plan.
- Backup data should be retained to meet the regulatory requirements of your organization.
- Consider adding an air-gapped backup to your backup plan. An air-gapped backup is stored offsite and is not connected to the network. This is a countermeasure to protect against a situation where someone gains access to your backup system and deletes or encrypts all your backup data.
- Document your disaster recovery plan and test yearly.
- Have confidence that your backups work by regularly testing them.
- Data Protection
- Block file sharing and cloud storage services – You should be using a firewall that gives you the ability to block unauthorized file sharing services like Dropbox, Box, or OneDrive. Only authorized file-sharing services should be allowed.
- Disk Encryption – laptops, desktops, mobile devices, and servers should all have disk encryption enabled and enforced by policy. Even if ePHI is not explicitly saved on the device and it is just used to access ePHI, the device should still be encrypted.
- Removable Media Controls – On Windows, group policy can be used to restrict the use of USB drives and other removable media. Remote access solutions should not allow redirecting local drives into the remote session.
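The three controls above, checked on a workstation, as an added PowerShell example (not code from the GO Concepts post). It assumes Windows 10/11 with the BitLocker module in an elevated session; the registry values it reads are the ones the named Group Policy settings write, so a machine that passes here has the policy applied, not just an admin who clicked the right box once:

```powershell
# Added example (not code from the GO Concepts post): verify disk encryption, removable-media
# restrictions and RDP drive redirection against the data-protection items above.
# Assumptions: Windows 10/11, BitLocker module, elevated session.

function Test-DataProtectionBaseline {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Disk encryption: every fixed volume fully encrypted with protection on, and a recovery
    #    password protector present so the key can be escrowed (AD or Intune) rather than lost
    $fixed = (Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }).DriveLetter |
        ForEach-Object { "${_}:" }
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.MountPoint -in $fixed }) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            $findings.Add("$($vol.MountPoint): $($vol.VolumeStatus), protection $($vol.ProtectionStatus)")
        } elseif ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
            $findings.Add("$($vol.MountPoint): no recovery password protector, key cannot be escrowed")
        }
    }

    # 2. Removable media: either "All Removable Storage classes: Deny all access" (Deny_All) or the
    #    narrower "Removable Disks: Deny write access", written under the removable-disk class GUID
    $rsd       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll   = (Get-ItemProperty -Path $rsd -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $denyWrite = (Get-ItemProperty -Path "$rsd\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    if ($denyAll -ne 1 -and $denyWrite -ne 1) {
        $findings.Add('removable storage: no policy denies USB drive access or writes')
    }

    # 3. Remote Desktop: "Do not allow drive redirection" (fDisableCdm) keeps local drives out of RDP sessions
    $ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $noDrives = (Get-ItemProperty -Path $ts -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    if ($noDrives -ne 1) { $findings.Add('RDP: local drive redirection not disabled by policy') }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

Test-DataProtectionBaseline | Format-List
```

Run it through the RMM tool as a compliance check rather than by hand; a laptop that reports EncryptionInProgress for weeks is a device that was imaged and never finished, and it is exactly the one that gets left in a car.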
- Controlled Access Based on the Need to Know
- VLAN Segmentation – VLANs (Virtual LANs) are a feature of all business-grade network switches that lets you logically segment your network. A VLAN only separates traffic at layer 2; the control comes from the firewall or router ACLs at the boundary between VLANs, which should default to deny and allow only the specific flows each network needs. The number of VLANs will depend on your environment, but here is an example of how a network might be segmented:
- Office LAN (wired computer connections)
- Office WLAN (wireless computer connections)
- Office Voice (Network for VOIP Phones)
- Office Mobile (Network for managed mobile devices)
- Security (IP Cameras, door controllers, etc. Limited access from other networks)
- Management (management interfaces of network equipment and UPS, no communication with other networks)
- Public (Used by guests and non-staff. Only communicates out to the internet, no communication with other networks)
- Principle of Least Privilege – Each employee should have just enough permission to perform their job duties. Roles and permissions on each system should be granularly defined so employees aren’t given too much access. There should be a process for removing access when an employee leaves and all permissions should be reviewed at least annually.
- Account Monitoring and Control
- Automated Provisioning and Decommissioning of Accounts – Automated user account creation not only saves your IT staff time but removes the possibility of human error in the creation process. One example would be to have a portal that allows your HR department to maintain the list of active employees, and from that portal employee accounts will automatically be created or disabled when they are added or removed. Another example would be to use a PowerShell script to create new users in Active Directory, instead of setting them up manually. Creating users with automated scripts ensures a consistent setup.
- Regularly Audit Active Accounts – Keep your Active Directory tidy and secure by disabling user accounts that have been inactive for 30 days. Give computer accounts a longer window, since a laptop whose owner is on extended leave can easily exceed 30 days, and disable rather than delete so an account can be restored if the owner returns. PowerShell can make this task simple, and with many examples available online, you don’t need to be a PowerShell expert to implement it.
- Lock Workstations after Inactivity – Employees should be trained to lock their computer whenever they leave their work area. As a technical safeguard, enable the Group Policy that locks the computer automatically after a period of inactivity (the “Interactive logon: Machine inactivity limit” security option, or a password-protected screen saver). While a lower timeout provides better security, we’ve found that 15 minutes secures the computer within a reasonable amount of time without disrupting a user working on it.
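The provisioning and auditing items above, as one added PowerShell example (not code from the GO Concepts post): reconcile Active Directory against an HR list of active employees, then disable accounts nobody has used. It assumes the ActiveDirectory RSAT module; the HR export is a constructed CSV here (in practice, the file the HR portal writes), and the OU path, UPN suffix and group name are placeholders. Everything is written to run with -WhatIf first:

```powershell
# Added example (not code from the GO Concepts post): create accounts for new hires, disable
# accounts for people HR no longer lists, and disable accounts that have gone unused.
# Assumptions: ActiveDirectory module; $HrCsv is a constructed stand-in for the HR export;
# OU, UPN suffix and group name are placeholders. Run with -WhatIf before running for real.
Import-Module ActiveDirectory

$HrCsv = @'
EmployeeId,GivenName,Surname,SamAccountName,Title,Department
1001,Jane,Doe,jdoe,Service Coordinator,SSA
1002,Raj,Patel,rpatel,Business Manager,Finance
'@ | ConvertFrom-Csv

$UserOu     = 'OU=Staff,DC=corp,DC=example'   # placeholder
$UpnSuffix  = 'corp.example'                  # placeholder
$StaffGroup = 'All Staff'                     # placeholder

function New-RandomPassword([int]$Length = 20) {
    # One-time password from the OS CSPRNG; the user must change it at first logon.
    # (Indexing by byte modulo alphabet length has a slight bias; fine for a throwaway value.)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Sync-StaffAccounts {
    param([object[]]$Hr, [switch]$WhatIf)
    $hrUsers = $Hr.SamAccountName

    # 1. Create anyone HR lists who has no account: consistent attributes every time, no manual typing
    foreach ($row in $Hr) {
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'")) {
            $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            New-ADUser -SamAccountName $row.SamAccountName -Name "$($row.GivenName) $($row.Surname)" `
                -GivenName $row.GivenName -Surname $row.Surname -Title $row.Title -Department $row.Department `
                -EmployeeID $row.EmployeeId -UserPrincipalName "$($row.SamAccountName)@$UpnSuffix" -Path $UserOu `
                -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true -WhatIf:$WhatIf
            Add-ADGroupMember -Identity $StaffGroup -Members $row.SamAccountName -WhatIf:$WhatIf
        }
    }

    # 2. Disable (never delete) enabled staff accounts HR no longer lists; the SID, mailbox and
    #    file ownership survive, and the description records why
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserOu |
        Where-Object { $_.SamAccountName -notin $hrUsers } |
        ForEach-Object {
            Set-ADUser $_ -Description "Disabled $(Get-Date -Format yyyy-MM-dd): not on HR active list" -WhatIf:$WhatIf
            Disable-ADAccount $_ -WhatIf:$WhatIf
        }
}

function Disable-InactiveAccounts {
    param([int]$UserDays = 30, [int]$ComputerDays = 90, [switch]$WhatIf)
    # Search-ADAccount reads lastLogonTimestamp, which is only rewritten when the stored value is
    # more than about 14 days old, so the real last logon may be up to 14 days more recent than
    # it reports. Computers get a longer window because laptops on leave look inactive.
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($UserDays)) -UsersOnly |
        Where-Object { $_.Enabled } | Disable-ADAccount -WhatIf:$WhatIf
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($ComputerDays)) -ComputersOnly |
        Where-Object { $_.Enabled } | Disable-ADAccount -WhatIf:$WhatIf
}

Sync-StaffAccounts -Hr $HrCsv -WhatIf
Disable-InactiveAccounts -WhatIf
```

Scope the reconciliation to the staff OU deliberately: service accounts and shared mailboxes live elsewhere and are never on an HR list, and a script that disables them on its first real run is how automation gets switched off for good.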
- Implement a Security Awareness and Training Program
- Ongoing Security Awareness Training – Industry breach reports consistently find that a large majority of data breaches involve employee error. A good security awareness platform can transform your weakest link into your strongest defense.
- Simulated Phishing Attacks – It only takes one employee to fall for a phishing scam. Regularly testing your employee’s ability to spot phishing emails will improve their awareness for this type of threat, which is now commonplace.
- Dark Web Breach Assessments (DWBA) search known breach dumps for your organization’s domains and employee credentials, identifying hidden risks to employees and your organization (reused passwords that have already been exposed).
- Incident Response and Management
- Document Incident Response Procedures – For the fastest and most effective incident response, it is critical to have fully documented procedures that detail all roles and responsibilities. Keep them in a secure, central location that is ensured to be accessible in the event of an incident, including one that takes your network or file server down. Equally vital is reviewing these procedures regularly, ensuring they are current and accurate, and informing affected employees of changes when they occur.
- Train Employees – Every employee needs to know how to act if there is a security breach or other HIPAA-related incident. Reviewing the policy and having employees sign off in acknowledgment should be part of your onboarding process and ongoing employee training.
- Test Preparedness, Practice Response – Conduct periodic incident simulations to test employee decision making and response. Regularly practice scenarios where employees encounter a security incident and ensure their response meets your documented procedure.
GO Concepts has been providing managed information technology services for Ohio County Boards of Developmental Disabilities since 2013 and consulting to numerous other governmental subdivisions since 1997.
You can reach us at:
(513) 934-2800 OPTION 3