Now more than ever, technology and compliance teams need to work together to protect the integrity of their organizations. Sensitive information is stored and transferred in digital form and associated regulations are becoming increasingly strict and complex. While compliance is responsible for identifying the regulations which pertain to information security, technology teams must identify and implement the strongest solutions to adhere to those regulations.
Active Directory is a key application for maintaining compliance because it acts as a window into an organization’s IT activities and policies – it must be protected in order to maintain corporate integrity and compliance. Any company that deals with sensitive customer data, such as financial or health records, must ensure the security of their Active Directory environment and perform regular audits to scan for information security risks. When not actively monitored, stale user accounts and loose controls around administrative access all pose threats to Active Directory security and put organizations at risk of non-compliance.
Information Security Compliance
Regulations, such as SOX and HIPAA, were created to protect consumers and shareholders, mandating that organizations audit Active Directory for suspicious behavior, protect digital records from misuse and secure private customer information. While the specific regulation may vary by industry, the general rule is the same: establish procedures and controls that secure your firm’s sensitive information. With so many laws to abide by, it’s hard to know which regulations apply to your company, so we’ve decrypted the regulation acronyms to make compliance a little easier to follow.
SOX: S is for Shareholder – The Sarbanes-Oxley Act (SOX) mandates that any publicly-held company establish procedures to protect financial records from destruction, loss and misuse in order to protect the company’s shareholders and decrease the possibility of corporate fraud. SOX also mandates that that the company audits and reports on these controls.
PCI: P is for Payments – The Payment Card Industry Data Security Standard (PCI DSS) regulation states that any company that accepts card payments, through storing, processing and transmitting cardholder data, must host this data securely using a PCI-compliant hosting provider. In order to be PCI-compliant, you must monitor all access to network resources, regularly test security systems and maintain an information security policy.
GLBA: GL is for Gives Loans – The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, controls how financial institutions handle private customer information. GLBA’s Safeguards Rule mandates that all financial institutions create, execute and maintain safeguards to protect customer information. Under the Safeguards Rule, financial institutions must identify operational risks to customer data, implement an information security program and regularly audit the safeguards program.
HIPAA: H is for Health – HIPAA, the Health Insurance Portability and Accountability Act, was initially created to protect health care coverage for people who lose or change their jobs and has now evolved into a set of standards for securing patient data. HIPAA dictates that any company that deals with protected health information (PHI) implements and adheres to physical, network, and process security measures. Electronically transmitted PHI, or e-PHI, is protected under HIPAA’s Security Rule and organizations must secure this information by identifying and protecting against threats.
FISMA: F is for Federal Government – The Federal Information Security Management Act (FISMA) was established by the Department of Homeland Security in order to protect government information, operations and assets from all threats, natural or man-made. It also states that government agencies must implement tools to audit their information security programs, test security procedures and perform periodic risk assessments.
Active Directory Auditing and Compliance
Regardless of industry, regulations like these require organizations to monitor their IT environment in order to detect and remediate potential threats. The Semperis Active Directory State Manager (ADSM) helps organizations maintain compliance through real-time auditing and reporting on potential gaps, including:
- Auditing Active Directory changes – Government audits require organizations to know what changes are being made and who is making them.
- Identifying inactive enabled accounts – Stale and unused accounts pose a risk to Active Directory security because these accounts can be exploited and used as breach vectors.
- Tracking sensitive and privileged user accounts – Tracking modifications to sensitive and privileged user accounts allows you to ensure that your company is adhering to the information security policies implemented as part of information security regulations.
Most of these information security regulations were created in the aftermath of the financial crisis and corporate scandals that took place at the turn of the century. As cyberattacks grow in frequency and scale, and in light of the major breaches in the last year, organizations have become more sensitive to cybersecurity issues. New regulations are being set forth to ensure that enterprises are putting cybersecurity measures into place to protect sensitive data from data breaches. To get ahead of the curve, it’s essential to start actively auditing Active Directory and protect against and remediate threats.