The Importance of Configuration Standards for Regulatory Compliance
Developing and implementing strong configuration standards for regulatory compliance is an important aspect of an organization’s cybersecurity strategy. Privacy regulations commonly require configuration standards. Therefore, knowing how to create strong ones is an important part of achieving and maintaining regulatory compliance for frameworks such as HIPAA/HITECH, PCI DSS, and NIST.
What Are Regulatory Compliance Configuration Standards?
All technology comes with a default configuration and, in many cases, this default configuration is insecure. This is not a fault of the technology producer; rather, it is a deliberate choice to make the technology easy to set up, leaving the user to apply the changes that secure it once it is operational.
Common issues include default passwords, out-of-date software with missing updates, and superfluous programs and services. All of these increase the attack surface of the system and, depending on where and how the software is deployed, may put an organization out of compliance with applicable regulations.
Configuration standards describe how each system should be configured before deployment in a secure environment.
The specifics of the configuration requirements can vary based upon the technology’s purpose, type, and where it is deployed within the enterprise. For example, a system deployed inside the protected zone of an organization maintaining PCI DSS compliance may have to be configured in a very different way from a similar system deployed in a less secure segment of the company network without access to the protected data.
Designing, implementing, enforcing, and updating these configuration standards is vital to an organization’s cybersecurity posture and regulatory compliance.
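The zone-dependent requirements described above can be expressed as a machine-checkable baseline. The following Python script is an added illustration, not code from the original article or from any of the standards bodies it names: it defines two hypothetical per-zone standards (a "cardholder" protected zone and a "general" segment), then compares a constructed host inventory against them, flagging vendor default passwords, services the zone does not permit, and systems patched outside the zone's window. Hostnames, service sets, patch windows and the zone names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostConfig:
    """Snapshot of one system's settings (hypothetical fields for this example)."""
    hostname: str
    zone: str                    # network segment: "cardholder" (protected) or "general"
    services: frozenset          # running network services
    default_credentials: dict    # account name -> True if still at the vendor default
    days_since_last_patch: int


# Hypothetical per-zone configuration standards. The protected zone permits fewer
# services and a shorter patch window than the general segment (values are constructed).
BASELINES = {
    "general": {
        "allowed_services": frozenset({"sshd", "ntpd", "rsyslog", "httpd"}),
        "max_patch_age_days": 90,
    },
    "cardholder": {
        "allowed_services": frozenset({"sshd", "ntpd", "rsyslog"}),
        "max_patch_age_days": 30,
    },
}


def check_host(host, baselines=BASELINES):
    """Compare a host against the standard for its zone.

    Returns a list of finding strings; an empty list means the host meets its baseline.
    """
    if host.zone not in baselines:
        raise ValueError(f"{host.hostname}: no configuration standard for zone {host.zone!r}")
    baseline = baselines[host.zone]
    findings = []

    # Vendor default credentials are never acceptable, whatever the zone.
    for account, is_default in sorted(host.default_credentials.items()):
        if is_default:
            findings.append(f"{host.hostname}: account {account!r} still uses the vendor default password")

    # Superfluous services: anything running that the zone's standard does not permit.
    for service in sorted(host.services - baseline["allowed_services"]):
        findings.append(f"{host.hostname}: service {service!r} is not permitted in zone {host.zone!r}")

    # Out-of-date systems: patch age beyond the zone's window.
    if host.days_since_last_patch > baseline["max_patch_age_days"]:
        findings.append(
            f"{host.hostname}: last patched {host.days_since_last_patch} days ago, "
            f"limit for zone {host.zone!r} is {baseline['max_patch_age_days']} days"
        )
    return findings


def check_fleet(hosts, baselines=BASELINES):
    """Return {hostname: findings} for every host that deviates from its baseline."""
    report = {}
    for host in hosts:
        findings = check_host(host, baselines)
        if findings:
            report[host.hostname] = findings
    return report


# Constructed sample inventory: the same service set is acceptable on the general-segment
# web server but not on the database host inside the protected zone.
SAMPLE_HOSTS = [
    HostConfig("web01", "general", frozenset({"sshd", "ntpd", "rsyslog", "httpd"}),
               {"admin": False}, 45),
    HostConfig("db01", "cardholder", frozenset({"sshd", "ntpd", "rsyslog", "httpd"}),
               {"admin": True, "dbbackup": False}, 45),
    HostConfig("jump01", "general", frozenset({"sshd", "telnetd"}),
               {"root": False}, 120),
]

if __name__ == "__main__":
    for hostname, findings in check_fleet(SAMPLE_HOSTS).items():
        for finding in findings:
            print(finding)
```

Running the script reports nothing for web01, three findings for db01 (default admin password, httpd not permitted in the protected zone, patch age over the 30-day limit) and two for jump01. Keeping the baselines as data rather than hard-coded logic is what lets the same checker serve different zones and be updated as a published standard is revised.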
Regulatory Configuration Standard Requirements
Most data protection regulations, laws, and compliance/security frameworks have requirements for how sensitive data is to be protected. Configuration standards are an important aspect of an organization’s data protection strategy.
PCI DSS Compliance
Requirement 2.2 of the PCI DSS standards states that organizations should “develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.” This means that PCI DSS compliance requires developing and implementing security standards based on cybersecurity best practices.
HIPAA Compliance
The purpose of the Health Insurance Portability and Accountability Act (HIPAA) is to protect the personal information of patients collected as part of providing healthcare services. HIPAA lays out requirements for technical safeguards of sensitive information. Part of this includes developing configuration standards to ensure that machines storing, processing, or transmitting protected health information (PHI) are appropriately hardened and secured against attack.
NIST Compliance
The purpose of the NIST (National Institute of Standards and Technology) compliance and security frameworks is to provide guidance on the minimum level of protection needed for various levels of sensitive data. These range from commercial data standards like the Cybersecurity Framework (CSF) to federal and state government standards like Special Publication 800-171 or 800-53. Additionally, NIST provides supporting standards, like FIPS (Federal Information Processing Standards), that approve certain types of technology such as encryption and that are relied upon by other regulatory standards such as HIPAA, PCI DSS, ISO, FERPA, and HITRUST.
Developing Compliant Configuration Standards
Data protection regulations like PCI DSS require that organizations develop and implement configuration standards based upon cybersecurity best practices. However, they acknowledge the fact that organizations are unlikely to have access to world-class experts in all systems that they use to advise them on the specifics of securing each type of system in use in the organization.
Many organizations have developed configuration standards that can be used as a baseline to adopt and build upon to meet the specific requirements of their organization, industry, and regulatory responsibilities. Requirement 2.2 of PCI DSS requires the use of configuration standards that address all known security vulnerabilities and recommends a few sources of sample standards including:
- Center for Internet Security (CIS)
- International Organization for Standardization (ISO)
- SysAdmin, Audit, Network, and Security (SANS) Institute
- National Institute of Standards and Technology (NIST)
The configuration standards developed and published by these entities are designed to address all known issues at the time of publication. However, they may require updates, additions, or tailoring to an organization’s specific infrastructure and regulatory responsibilities.
The published standards are a strong baseline for regulatory compliance, but, if your organization needs to meet specific requirements, it may be a good idea to call in outside expertise. Sword & Shield has teams of experts in the major regulatory standards (NIST, HIPAA, PCI DSS, ISO, etc.) and experience in designing, implementing, and maintaining security strategies at the enterprise level.
If you have questions about regulatory requirements or the effectiveness of your current security strategy, reach out for a consultation.