The compliance world loves acronyms: COBIT, GLBA, GDPR, HIPAA, HITRUST, ISO-27002, ITIL, MASS 201, NERC-FERC, NIST, PCI, SOX...the list goes on and on.
Each of these acronyms represents a compliance organization or government regulation that impacts the cybersecurity space in some way. Regardless of which industry you’re in, it’s likely that your organization and your IT practices are required to meet compliance standards or benchmarks under several of these governing bodies and rules.
If you don’t have a clear picture of how your organization needs to operate to comply with relevant regulations, your organizational risk starts ballooning. The list of compliance requirements can quickly become overwhelming, but the best approach is to start your compliance efforts by establishing some key benchmarks that are easily trackable and readily accessible.
Before we dive into some typical cybersecurity compliance benchmarks that you can leverage to control your risk, let’s first review some background on cybersecurity compliance standards.
What are cybersecurity compliance standards?
The digital economy is here, and regardless of whether your organization conducts business, provides healthcare, or educates students, that means that some or all of your interactions are online. As we all know, online activity presents sizable risks – particularly when it comes to cybercrime.
Tasked with protecting the myriad of online environments from malicious cyber criminals and state-sponsored actors, industry organizations and government agencies created compliance standards with the end goal of reducing cybersecurity threats.
Different industries are regulated in different ways, and by different entities. Here’s a look at some typical regulatory bodies by industry type:
- The financial industry has extensive cybersecurity requirements set by a number of federal and state regulators including the Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Securities and Exchange Commission (SEC).
- The best-known standard for cybersecurity compliance in the healthcare sector is the Health Insurance Portability and Accountability Act, better known as “HIPAA,” which is managed by the U.S. Department of Health and Human Services (HHS).
- Within the energy industry, utility companies are regulated by the Federal Energy Regulatory Commission (FERC), with standards created by a nonprofit authority known as the North American Electric Reliability Corporation (NERC).
- There are no federal regulations for the retail industry, but there are relevant requirements from PCI DSS, the Payment Card Industry Security Council’s Data Security Standard for processing transactions.
- There are numerous federal and state regulations in the public education sector, such as the Family Educational Rights and Privacy Act (FERPA), managed by the United States Department of Education.
Your specific industry may have a number of compliance standards and regulations. Think of these as the rules to a game. But games also need to have a score to determine who wins and who loses, which is where benchmarks come in.
What are compliance benchmarks?
Compliance benchmarks are essentially the scorecard that determines if you are “winning” the “game” of compliance. Whether you refer to these scores as benchmarks, metrics, or key performance indicators (KPIs), their purpose is to help you determine if you are keeping within the boundaries of pertinent policies, standards, or regulations, and to ensure you maintain ongoing compliance.
Measuring against benchmarks is a vital step in being able to protect your IT infrastructure against cybercrime and other headaches. With benchmarks in place, you essentially have an “early warning system” to detect issues and help your organization move quickly to implement controls to prevent regulatory action, bad publicity, or customer or employee dissatisfaction.
What does a compliance benchmark look like? Here are a few that are commonly used by SecOps and ITOps teams:
- Vulnerability Readiness - How many devices on your network have fully patched software and are current with all operating system updates? An automated tool that can scan and inventory all devices with installed software can make this a quick, regular process. This is a vital benchmark that should be as close to 100% as possible.
- Unidentified Endpoints - Bring Your Own Device (BYOD) policies are now common, yet many connected devices are not secure. How many are on your network? Identifying and counting the number and location of BYOD devices can be a huge step towards protecting your enterprise because it gives you a better picture of what you need to protect.
- Mean Time to Detect (MTTD) - How long does it take your organization to become aware of a potential security issue? MTTD is calculated as the time between the start of an incident or interruption to systems and the moment the incident is detected, typically reported in aggregate. MTTD is not always easy to calculate as it can be difficult to know exactly when an incident started, but even an estimate can help provide insights to make better business decisions and process improvements.
- Mean Time to Recovery (MTTR) - A very common metric that measures the time it takes to recover from a system failure. MTTR is calculated as the period from the start of an incident to the moment a system returns to production, including the time needed to notify technicians, diagnose the issues, fix the issues, and set up, test, and start the asset back into production, and is typically reported across the enterprise. Your goal should be to make your MTTR as short as possible; as you track your recovery times your team will be able to identify trends and ideas for improvement.
- Days to Patch - How long does it take your team to patch critical vulnerabilities? Remember that cyber criminals weaponize vulnerabilities in an average of 7 days, and most organizations need an average of 205 days to remediate vulnerabilities. Automating your patching can bring your patch time down to hours vs. days.
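The benchmarks above, computed from raw records. This is an added example, not Automox code: the record fields, host names, vulnerability names and dates are constructed for illustration. Incidents with an unknown start time are excluded from MTTD and MTTR and counted separately, and outstanding patches are aged up to the report date so they are not hidden from the result.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data, not real incidents, hosts or vulnerabilities.
INCIDENTS = [  # "started" is None when the true start of the incident is unknown
    {"started": "2024-03-01T08:00", "detected": "2024-03-01T12:00", "restored": "2024-03-02T08:00"},
    {"started": "2024-03-10T00:00", "detected": "2024-03-10T02:00", "restored": "2024-03-10T12:00"},
    {"started": None, "detected": "2024-03-15T09:00", "restored": "2024-03-15T18:00"},
]
DEVICES = [
    {"host": "ws-01", "software_patched": True, "os_current": True},
    {"host": "ws-02", "software_patched": True, "os_current": False},
    {"host": "srv-01", "software_patched": True, "os_current": True},
    {"host": "srv-02", "software_patched": False, "os_current": True},
]
PATCHES = [  # "applied" is None while a critical patch is still outstanding
    {"vuln": "VULN-A", "published": "2024-03-01", "applied": "2024-03-04"},
    {"vuln": "VULN-B", "published": "2024-03-05", "applied": "2024-03-16"},
    {"vuln": "VULN-C", "published": "2024-03-20", "applied": None},
]
WEAPONIZE_DAYS = 7  # average time to weaponization quoted in the article

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def incident_metrics(incidents):
    """Return (MTTD hours, MTTR hours, incidents excluded for unknown start)."""
    known = [i for i in incidents if i["started"]]
    mttd = mean(_hours(i["started"], i["detected"]) for i in known)
    mttr = mean(_hours(i["started"], i["restored"]) for i in known)
    return mttd, mttr, len(incidents) - len(known)

def vulnerability_readiness(devices):
    """Percentage of devices with fully patched software and a current OS."""
    ready = sum(d["software_patched"] and d["os_current"] for d in devices)
    return 100 * ready / len(devices)

def days_to_patch(patches, as_of):
    """Mean days to patch (applied patches) and items slower than WEAPONIZE_DAYS."""
    closed, slow = [], []
    for p in patches:
        end = p["applied"] or as_of  # outstanding items age up to the report date
        age = _hours(p["published"], end) / 24
        if p["applied"]:
            closed.append(age)
        if age > WEAPONIZE_DAYS:
            slow.append(p["vuln"])
    return mean(closed), slow
print(incident_metrics(INCIDENTS), vulnerability_readiness(DEVICES), days_to_patch(PATCHES, "2024-03-31"))
```

The excluded-incident count matters as much as the averages: a low MTTD built on a small share of incidents with known start times is an estimate, not a measurement.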
A good resource for getting started: CIS benchmarks
No discussion around compliance benchmarks is complete without mentioning the work of the Center for Internet Security. CIS®, as it is commonly known, is an independent, nonprofit organization whose mission is to safeguard public and private organizations against cyber threats.
CIS publishes the CIS Benchmarks™, a list of over 100 configuration guidelines, developed through the collaboration of IT security professionals from around the world.
The CIS Benchmarks lay out best practices for securely configuring potential targets. They have established best practices for:
- Operating systems
- Server software
- Cloud providers
- Mobile devices
- Network devices
- Desktop software
- Multi-function print devices
CIS Benchmarks are free to download and are a convenient way to measure your environment with best practices developed by industry experts.
In addition to the CIS Benchmarks, you’ll almost certainly need to develop your own specific benchmarks that fit your unique IT environments and organizational needs. If your team is using the Automox platform, you can automate almost any action to help improve your benchmark scores and better align to cybersecurity compliance standards.
How to Meet Compliance Benchmarks with Automox Worklets™
Setting compliance benchmarks and meeting compliance requirements is definitely challenging, especially if you’re strapped for resources or managing your enterprise environment manually. You can leverage Automox Worklets to automate compliance tasks - here’s how.
What’s an Automox Worklet?
Think of Automox Worklets as a “unit of work” that can automate virtually any custom task or scriptable action on one or many devices, regardless of location or domain. Whether you are deploying or patching software, or enforcing configuration policies, Automox Worklets can automate the task across Windows, macOS, or Linux systems to get things done faster, and to support and enforce compliance standards.
Here are several Automox Worklets you can implement today that were built to keep your environment safe, help you effectively meet your compliance standards, and measure your progress against benchmarks.
Enforce Password Complexity and Rotation
Ensuring password parameters are implemented effectively across users can help decrease the probability of an attacker gaining access through password-guessing techniques. This can help you achieve compliance with National Institute of Standards and Technology (NIST) guidelines.
Disable File Sharing
File sharing can present an additional attack vector for bad actors. Disabling this feature reduces the attack surface and risk of unauthorized access to stored files, as may be required under HIPAA compliance regulations.
Disable Remote Management
Remote management should only be enabled when a directory is in place to manage the accounts with access. Otherwise, a system could accept connections from untrusted hosts. This is a best practice that can help prevent an attack similar to what happened to the City of Oldsmar in Florida earlier this year.
Enforce BitLocker Encryption
Ensuring that data is encrypted on local drives can add a layer of security by making sure threat actors do not have the means to access your critical data, as may be needed to ensure compliance under General Data Protection Regulation (GDPR) and other regulations.
Disable Remote Login
Disabling remote login mitigates the risk of an unauthorized individual gaining access to the system through Secure Shell (SSH) as advised by the US Cybersecurity and Infrastructure Security Agency (CISA) and other government entities.
Disable Bluetooth
Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control of data, and voice channels as well as unauthorized device control and data access. Automox Worklets can help you align to NIST recommended guidelines for Bluetooth.
Disable USB
USB ports can be useful for data transfer needs, but can also present the opportunity for an attacker or insider threat to exfiltrate data for malicious purposes. Automox Worklets can help you align to NIST best practices for USB drives.
Kill Open Process
This Worklet disables specific processes that should not be running and may pose a potential threat to data integrity and system security. This is another best practice that transcends many security standards and regulations.
Automox Worklets are created by experienced IT professionals, and are imagined, built, and shared in the Automox Community. You can request and develop customized, automated compliance benchmark solutions for your specific business needs. All published Automox Worklets are tested and verified by Automox experts before publication.