3 Key Areas for Security Controls
Sep 27, 2019
Today, companies must have networks that are simultaneously secure and porous to engage business partners and embed services in client organizations.
The question is, how can technology leaders secure information flow without restricting work, and what controls are needed to dampen the threats that are inevitable in today’s connected world?
The first step in building controls is to understand the source of threats. Research into how security failures happen shows that the overwhelming source of the issues is humans. Access then becomes a key issue: security protocols should be built to allow access only to verified sources.
A survey by ALM determined the top three threats for cybersecurity are:
- Employee Mistakes
- Third-Party Mistakes
Knowing this, the basis of security controls will have to do with who can access the system and how they are able to gain permission for actions.
3 Key Areas for Security Controls
Encryption is a security measure that is mentioned often and is growing in importance and complexity. Typically, encryption refers to a key locking a particular set of data.
Now for maximum security, it’s important to have multiple levels of encryption with different access points. More keys mean more protection and less vulnerability for the information in your system.
The approach to encryption goes deeper than a one-size-fits-all model. This multiple-level way of thinking should also lead you to dig deeper into understanding the importance partners and vendors place on encryption of their own data.
Best Practice Guidelines
Since humans present the biggest potential for problems, it’s not good enough to create strong security measures from your technology department. You need to educate your team on best practices.
A 2017 Verizon report found that 81% of hacking-related breaches were from stolen and reused passwords. By implementing the following guidelines, you can prevent avoidable human errors:
Hardware security module: Encryption is great, but it only works if there is no access to the keys. A hardware security module (HSM) is basically a vault, a combination of both software and hardware, that stores your keys in a safe way. The HSM minimizes the ability of individuals who shouldn't be touching those keys to access them, but still allows the keys to be available when they need to be used for encrypting services.
Virus, malware, ransomware protection: Part of best practices is ensuring all systems are up to date with the latest protections against potential threats. NetDocuments provides these updates on a complimentary basis to all of its customers through its compliance-as-a-service model.
Multi-level user authentication: Make sure your users have to verify who they are when accessing the system. This helps ensure the right people access the right data and prevents easy access for hackers.
Regular testing: Security is a process, not a destination. Part of your best practices will be ongoing testing and evaluation for threats. Don’t work through a one-time audit and sit back and relax. Build in testing to your ongoing process. Otherwise, you will be waiting for problems and only reacting after something has gone wrong.
Separation of duties: Another best practice is making sure there is accountability at every level. Don’t ever let one person have access without another person who is able to see what’s been going on. Separating duties means you keep people in check and have visibility on each person who accesses information.
Compliance Certifications and Attestations
A simple way of thinking about security controls is to use standards to guide your efforts.
There are broadly applicable industry standards provided by ISO that can be used to ensure a minimum level of control has been established. These standards give a general level of confidence, knowing you’ve been through a specified checklist.
Other examples of certifications are provided by the US government, like the FedRAMP audit. These audits are not all-encompassing and do not guarantee you are free from a threat. However, they provide a helpful guideline that lets you be confident in the practices of your team, and they point out vulnerabilities along the way.
As an example, NetDocuments undergoes annual Type 2 SOC 2 audits for security and availability and annual ISO 27001 certification audits. The scope of the ISO 27001 certification includes all of the data centers used by NetDocuments. The SOC audit includes key service providers engaged by NetDocuments.
In addition to these annual audits, NetDocuments actively reviews applicable industry security requirements as well as local, state, and national security regulations to determine appropriate compliance efforts. NetDocuments regularly modifies and expands its security controls to maintain the highest levels of security for customer data around the world by complying with appropriate standards and regulations.
When you use NetDocuments as your DMS, you inherit these security levels, knowing you are meeting the important regulations.
What to do now
Security is an ongoing process and needs to be proactive rather than reactive. As a business, you can’t afford to have data compromised, so security controls are imperative.
To start, review this post, then put your firm through some of the standardized audits to ensure you are up to the baseline level. This should give you a gauge of where you stand.
Once you’ve passed the certifications, implement the best practice guidelines listed in this post to give direction to your team and confidence in your security.
To go deeper into these strategies, check out this webinar on Information Security in an Insecure World.