
You've Been Audited — Is Your PCI DSS, SOX & HIPAA Compliance in Order?

By Eitan Bremler
You're an IT guy, and the auditor is coming tomorrow. Although PCI DSS is different from SOX, which in turn is different from HIPAA, each of these compliance regimes has a common origin and covers a similar set of concerns. Here are a few things you may want to look out for.

Do You Know What Your Network Looks Like?

Here's one of the biggest stumbling blocks for enterprises trying to pass an audit: the network. Passing a network audit means knowing every device that might play host to sensitive data, plus version numbers, serial numbers, and even what rack they're located in. It also means having basic security precautions such as firewalls and network segmentation.

Now, we're not suggesting that most IT administrators don't know about firewalls. Rather, we're saying that many networks are built without the principle of defense-in-depth. Instead of one network that stores and transfers low-sensitivity information, firewalled off from another, more tightly secured network for sensitive data, many enterprises just have one big flat network. Not only is this bad for security, because an attacker who gets in at any point of entry can reach critical data, it also means that your entire network is in scope for the audit.
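To make the scoping point concrete, here is an added example (not code from the original post or from Safe-T) that computes audit scope from an asset inventory and the segment-to-segment flows a firewall permits. It follows the PCI DSS scoping principle that a system is in scope if it holds sensitive data or is connected to a system that does; the hostnames, segment names and flows are constructed sample data, and treating connectivity as undirected is a simplifying assumption.

```python
"""Added example, not from the original post: compute which hosts are in
audit scope from an asset inventory plus the segment-to-segment flows the
firewall allows. PCI DSS scoping treats a system as in scope if it holds
sensitive data or is connected to a system that does, which is why the
flat network described above pulls everything into scope.
All hostnames and segments are constructed sample data."""
from collections import deque

# Constructed inventory: hostname -> (network segment, holds sensitive data)
INVENTORY = {
    "pos-01": ("cde", True),
    "db-cards": ("cde", True),
    "web-01": ("dmz", False),
    "hr-files": ("corp", False),
    "printer-3": ("corp", False),
}


def audit_scope(inventory, allowed_flows):
    """Return the set of in-scope hosts.

    allowed_flows is a set of (src_segment, dst_segment) pairs the firewall
    permits; a segment can always reach itself. Connectivity is treated as
    undirected (a simplification): a segment that can connect into a
    sensitive segment, or that a sensitive segment can send data to, is
    in scope, and scope propagates transitively.
    """
    seg_of = {host: seg for host, (seg, _) in inventory.items()}
    seeds = {seg_of[h] for h, (_, sensitive) in inventory.items() if sensitive}
    adj = {}
    for src, dst in allowed_flows:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    reachable, queue = set(seeds), deque(seeds)
    while queue:  # breadth-first walk over permitted flows
        seg = queue.popleft()
        for nxt in adj.get(seg, ()):
            if nxt not in reachable:
                reachable.add(nxt)
                queue.append(nxt)
    return {host for host, seg in seg_of.items() if seg in reachable}


# Same hosts on one flat segment: with no segmentation, everything is in scope.
FLAT = {host: ("lan", sensitive) for host, (_, sensitive) in INVENTORY.items()}

if __name__ == "__main__":
    print(sorted(audit_scope(FLAT, set())))                  # all five hosts
    print(sorted(audit_scope(INVENTORY, {("dmz", "cde")})))  # cde + dmz hosts
```

Adding a single permitted flow from the corporate segment into the DMZ pulls the HR file server and the printer back into scope, which is exactly the transitive effect an assessor will look for.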

Who Else is Using Your Data?

Both PCI DSS and HIPAA compliance mandate that organizations keep an eye on external users of their network. Who else has access to your sensitive data? This is an area where mistakes are easy to make. For example, you may be required to keep a detailed record of how many vendors are allowed to access your network, how they access it, whether they have access to any of your secure data, and how that access is documented.

This stage is crucial from a security perspective. Many of the world's most damaging security breaches, such as the Target breach, have been accomplished by hacking into third parties with network access to large organizations. Passing an audit, and securing your customers' PII, means making sure that even if sensitive data is outside your network, it's still being kept safe.

How do Your Employees Exchange Data?

Secure communication—secure email especially—is an enormous component of PCI and HIPAA compliance. Failure to send out secure records in an encrypted format equals an instant data breach under HIPAA compliance, even if those records never reach the hands of a criminal. An audit will ask what encryption standard you're using for data at rest, whether all of your devices' hard drives are encrypted (they should be), and how you encrypt data as it is transmitted (via SSL, TLS, VPN, and so on).

Don't Expect to Pass on the First Try

Standards change, your company may switch assessors, and software becomes out of date. The data exchange solution, encryption standard, and firewall that passed an audit last year might not pass in 2016. It is recommended that you regularly perform a controlled self-assessment of your environment, not only in preparation for an audit but also to properly secure your data and ensure you are compliant with regulations and security standards.

When your auditor tells you that you need to upgrade your security in order to become compliant, whether to meet PCI DSS, SOX, HIPAA or any other regulation, consider Safe-T. We're able to provide security products that allow enterprises to pass the major requirements of compliance regimes with flying colors.

SDA provides ways for security administrators to reinforce their data access scenarios in order to enhance firewalls and further segment their networks. In practical terms, it does away with the practice of putting application servers, databases, keys and certificates in the DMZ by migrating them into segmented and secured networks, and it lets you close inbound rules in your firewall.

Safe-T's Software-Defined Access solution provides peace of mind to IT administrators who are worried about providing an audit trail. Admins can deploy settings to automatically capture and store records of every email sent containing PII, to whom it was sent, and where that data travels after being sent. The solution also automatically applies security layers (encryption, authentication, etc.) to outgoing emails, and works on users' desktops, laptops, and mobile devices, effectively preventing them from sending unencrypted sensitive documents.

When the auditor comes knocking, it can be a scary time for IT professionals. It doesn't have to be. For more information about Safe-T, and other ways in which our products can help reinforce your security and compliance efforts, get a free trial today!

Editor's Note: This post was originally published in June 2016 and has been updated for accuracy and comprehensiveness.
