
Automated vs Manual Security Controls - Comparison of 2 Organizations | Week 2

Have you ever been working on a routine task at work, like running reports or queries, when suddenly you think to yourself, “I used to have to do this manually”? I was talking to an ex-coworker a few weeks back, and he brought up this point as we were talking about his new job at a healthcare analytics startup.

In healthcare, an IT department needs to be able to prove that any computer with access to PHI and the internal network is fully encrypted and can be tracked for compliance. In my friend’s case at his new startup, this involves physically allocating computers. Each PC needs to be encrypted and the encryption verified. Users need to be assigned to machines, and logs of encryption and change of possession need to be kept for auditing and HIPAA compliance. For the startup, this is a manual process of typing PC serial numbers into a shared Excel sheet of verified whole disk encryption, along with whom each PC belongs to and when they picked it up from the secured IT lab. All this information is manually entered into spreadsheets on a network drive, which is incredibly labor intensive.

Just a few short months before that, my friend was working with me at a larger healthcare IT organization. All the same regulations applied, but the control process was automated, making it faster and much less of a burden on the IT department. We use a remote management tool called Dell KACE that reports and logs statuses and changes to PCs over the network. Instead of manually checking and logging encryption statuses for each build, KACE reports back to us when encryption was completed, along with all relevant serial numbers and ownership of the PC. If any PC that is assigned to a user and in production does not have whole disk encryption, KACE actively checks and reports back to us so we can remedy the issue. It’s an automated hands-off control that is HIPAA compliant and makes life much easier for auditors and the IT department. Given this example alone, it’s no wonder over 57% of “CISOs, CIOs, CTOs, architects, engineers, and analysts across the finance, healthcare, public sector, federal industries surveyed cited lack of automation was a pressing concern for their organization, making it the top priority.” (Help Net Security, August, 2019).
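The control described above, reduced to its logic as an added example (not code from this post or from Dell KACE): it audits an inventory export for assigned production PCs that lack verified whole disk encryption or a change-of-possession record. The CSV columns, the sample rows, and the rule that pickup must not precede verification are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export; column names are assumptions, not a KACE schema.
SAMPLE_INVENTORY = """serial,assigned_user,status,encryption_state,encryption_verified_on,picked_up_on
SN-0001,asmith,production,encrypted,2019-08-01,2019-08-02
SN-0002,bjones,production,in_progress,,2019-08-05
SN-0003,,lab,not_encrypted,,
SN-0004,cnguyen,production,encrypted,2019-08-10,2019-08-09
SN-0005,dlee,production,encrypted,2019-08-12,
"""

def audit_inventory(csv_text):
    """Return (serial, finding) tuples for records that break the control."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = row["serial"]
        assigned = bool(row["assigned_user"].strip())
        in_production = row["status"] == "production"
        verified_on = row["encryption_verified_on"].strip()
        picked_up_on = row["picked_up_on"].strip()

        # The control covers PCs that are assigned to a user and in production;
        # unassigned machines still in the lab are out of scope.
        if not (assigned and in_production):
            continue
        if row["encryption_state"] != "encrypted":
            findings.append((serial, "in production without whole disk encryption"))
        elif not verified_on:
            findings.append((serial, "encrypted but no verification date logged"))
        if not picked_up_on:
            findings.append((serial, "no change-of-possession record"))
        # ISO 8601 dates compare correctly as plain strings.
        if verified_on and picked_up_on and picked_up_on < verified_on:
            findings.append((serial, "left the lab before encryption was verified"))
    return findings

if __name__ == "__main__":
    for serial, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{serial}: {finding}")
```

Run on a schedule against a fresh export, the same checks replace the manual spreadsheet review and leave a dated list of exceptions for auditors.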

References: 
Help Net Security. (2019). Automation, visibility remain biggest issues for cybersecurity teams. Retrieved From:  
