CISOs struggling to prep for security audits

Calendars for security and compliance audits are largely unchanged despite COVID-19, yet the pandemic is straining teams as they work remotely, according to Shujinko.


Moreover, CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes.

Furthermore, the results show that migration to the cloud is dramatically increasing the scope and complexity of audit preparation, obsoleting old methods and approaches.

“This survey clearly shows that CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them,” said Scott Schwan, Shujinko CEO.

“Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility. More than two-thirds of CISOs are looking for something better.”

CISOs preparing for more than three audits

Despite changes in the economic climate due to COVID-19, CISOs are still tasked with preparing for more than three upcoming compliance audits across multiple security frameworks (e.g., PCI, SOC 2, NIST-CSF, ISO 27001, etc.).

Most common audits are for HITRUST, HIPAA and PCI DSS

51% of CISOs surveyed indicated they are preparing for a HITRUST audit in the next six to twelve months, 45% are preparing for HIPAA, 43% for PCI DSS, 41% for CCPA and 36% for an internal audit. In addition, 77% of companies preparing for SOC-2 audits were software companies.

CISOs are worried about doing more with less

COVID-19 has amplified CISOs’ concerns about doing more with less (both people and budget) with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources and ensuring that evidence is complete round out their top five CISO concerns.

CISOs desperately want more automation

72% of security executives say they want to improve the automation of their audit preparation process, and automation was cited as the number one element most CISOs would change if they could. Team communication and collaboration rounded out the top three most desired improvements.


Two-thirds of CISOs dislike their current tool set

The survey found that CISOs are currently using a mix of home-grown scripts, spreadsheets, ticketing systems, shared documents, SharePoint and e-mail to prepare for audits. No CISOs reported having a security audit preparation tool that they are completely satisfied with.

CISOs have poor visibility into the audit process

No CISOs rated visibility into key audit preparation steps a complete success and only one rated it a 4 out of 5 – suggesting poor executive line-of-sight into hitting audit deadlines.

Audit processes don’t fit a cloud development model

Only 1 percent of CISOs said that their audit preparation process completely aligns with the speed and agility that is needed for rapid cloud application development and frequent iteration.

How AI can alleviate data lifecycle risks and challenges

The volume of business data worldwide is growing at an astounding pace, with some estimates showing the figure doubling every year. Over time, every company generates and accumulates a massive trove of data, files and content – some inconsequential and some highly sensitive and confidential in nature.

Throughout the data lifecycle there are a variety of risks and considerations to manage. The more data you create, the more you must find a way to track, store and protect against theft, leaks, noncompliance and more.

Faced with massive data growth, most organizations can no longer rely on manual processes for managing these risks. Many have instead adopted a vast web of tracking, endpoint detection, encryption, access control and data policy tools to maintain security, privacy and compliance. But deploying and managing so many disparate solutions creates a tremendous amount of complexity and friction for IT and security teams as well as end users. The problem with this approach is that it comes up short in terms of the level of integration and intelligence needed to manage enterprise files and content at scale.

Let’s explore several of the most common data lifecycle challenges and risks businesses are facing today and how to overcome them:

Maintaining security – As companies continue to build up an ocean of sensitive files and content, the risk of data breaches grows exponentially. Smart data governance means applying security at the points where the risk is greatest. In just about every case, this means ensuring the integrity both of company data and content and of every user with access to it. Every layer of enterprise file sharing, collaboration and storage must be protected by controls such as automated user behavior monitoring to deter insider threats and compromised accounts, multi-factor authentication, secure storage in certified data centers, and end-to-end encryption, as well as signature-based and zero-day malware detection.

Classification and compliance – Gone are the days when organizations could require users to label, categorize or tag company files and content, or task IT to manage and manually enforce data policies. Not only is manual data classification and management impractical, it’s far too risky. You might house millions of files that are accessible by thousands of users – there’s simply too much, spread out too broadly. Moreover, regulations like GDPR, CCPA and HIPAA add further complexity to the mix, with intricate (and sometimes conflicting) requirements. The definition of PII (personally identifiable information) under GDPR alone encompasses potentially hundreds of pieces of information, and one mistake could result in hefty financial penalties.

Incorrect categorization can lead to a variety of issues including data theft and regulatory penalties. Fortunately, machines can do in seconds – and often with better accuracy – what it might take years for a human to do. AI and ML technologies are helping companies quickly scan files across data repositories to identify sensitive information such as credit card numbers, addresses, dates of birth, social security numbers, and health-related data, and to apply automatic classifications. They can also track files across popular data sources such as OneDrive, Windows File Server, SharePoint, Amazon S3, Google Cloud, GSuite, Box, Microsoft Azure Blob, and generic CIFS/SMB repositories to better visualize and control your data.
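The scanning-and-labelling step described above, reduced to its core: detectors for a few sensitive data types run over each document, and the strongest detector hit decides the classification label. This is an added illustration, not code from the article or from any vendor's product; the sample documents, the detector patterns, the label names and the ranking are all constructed here. Real classifiers add many more detectors and usually a trained model on top, but the shape (detect, validate, rank, label) is the same. The card detector pairs a loose digit-run pattern with a Luhn checksum so that order numbers and other digit runs do not produce false positives.

```python
import re
from dataclasses import dataclass

# Constructed sample documents standing in for files pulled from a repository
# (a file share, an S3 bucket, a SharePoint library). None of these are real records.
SAMPLE_FILES = {
    "invoice_2020-03.txt": "Bill to: Jane Roe, 12 Main St. Card 4111 1111 1111 1111 exp 04/23.",
    "intake_form.txt": "Patient DOB 1984-07-19, SSN 123-45-6789, diagnosis: seasonal allergies.",
    "lunch_menu.txt": "Tuesday: tomato soup, grilled cheese, apple.",
    "order_log.txt": "Reference number 1234 5678 9012 3456 is an order id, not a card.",
}

# Candidate patterns (assumed, minimal). The card pattern is deliberately loose
# and relies on the Luhn check below to discard digit runs that merely look like cards.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*:?\s*(\d{4}-\d{2}-\d{2})\b", re.IGNORECASE)
HEALTH_RE = re.compile(r"\b(?:patient|diagnosis|prescription)\b", re.IGNORECASE)

# Which label each detector implies, and how labels rank (higher wins).
LABEL_FOR = {"credit_card": "restricted", "ssn": "restricted",
             "health_data": "restricted", "date_of_birth": "confidential"}
RANK = {"public": 0, "confidential": 1, "restricted": 2}


@dataclass(frozen=True)
class Finding:
    kind: str     # detector that fired
    masked: str   # redacted form that is safe to put in a report


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Run every detector over one document and return the findings, never the raw values."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("date_of_birth", m.group(1)[:4] + "-**-**"))
    if HEALTH_RE.search(text):
        findings.append(Finding("health_data", "<clinical context keyword>"))
    return findings


def classify(findings) -> str:
    """Highest-ranked label implied by any finding; 'public' when nothing fired."""
    labels = [LABEL_FOR[f.kind] for f in findings]
    return max(labels, key=RANK.get, default="public")


def classify_repository(files: dict) -> dict:
    """Label every document in a {name: text} mapping."""
    report = {}
    for name, text in files.items():
        findings = scan_text(text)
        report[name] = {"label": classify(findings), "findings": [f.kind for f in findings]}
    return report


if __name__ == "__main__":
    for name, entry in classify_repository(SAMPLE_FILES).items():
        print(f"{name:22s} {entry['label']:12s} {entry['findings']}")
```

Findings carry only masked values, so the classification report itself does not become another copy of the sensitive data it was built to find.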

Retention – As data storage costs have plummeted over the past 10 years, many organizations have fallen into the trap of simply “keeping everything” because it’s (deceptively) cheap to do so. This approach carries many security and regulatory risks, as well as potential costs. Our research shows that exposure of just a single terabyte of data could cost you $129,324; now think about how many terabytes of data your organization stores today. The longer you retain sensitive files, the greater the opportunity for them to be compromised or stolen.

Certain types of data must be stored for a specific period of time in order to adhere to various customer contracts and regulatory criteria. For example, HIPAA regulations require organizations to retain documentation for six years from the date of its creation. GDPR is less specific, stating that data shall be kept for no longer than is necessary for the purposes for which it is being processed.

Keeping data any longer than absolutely necessary is not only risky, but those “affordable” costs can add up quickly. AI-enabled governance can track these set retention periods and minimize risk by automatically securing or eliminating any old or redundant files that are no longer required (or allowed). With streamlined data retention processes, you can decrease storage costs, reduce security and noncompliance exposure and optimize data processing performance.
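The retention logic the three paragraphs above describe, as an added example rather than anything from the article: each record class carries a minimum period during which deletion is not permitted and, for purpose-limited data, a maximum after which deletion is required. The planner then sorts an inventory into files that must be held, files that are eligible for deletion (and so are pure exposure), files that must be purged, and files nobody has classified yet. Only the HIPAA figure (six years from creation) comes from the text; the policy table, labels, inventory and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    keep_at_least_years: int            # deleting before this point is not allowed
    keep_at_most_years: Optional[int]   # deleting after this point is required (None = no cap)


# Constructed policy table (assumption). The HIPAA documentation period is the
# six years stated in the text; the other entries are placeholder values.
POLICY = {
    "hipaa_documentation": RetentionRule(6, None),
    "marketing_consent": RetentionRule(0, 2),
    "internal_scratch": RetentionRule(0, 1),
}

# Constructed inventory, as a classification scan might hand it over.
INVENTORY = [
    {"path": "/records/patient_1234.pdf", "label": "hipaa_documentation", "created": date(2016, 3, 1)},
    {"path": "/records/patient_5678.pdf", "label": "hipaa_documentation", "created": date(2012, 5, 1)},
    {"path": "/crm/consent_export.csv", "label": "marketing_consent", "created": date(2017, 1, 15)},
    {"path": "/tmp/scratch_notes.txt", "label": "internal_scratch", "created": date(2019, 6, 30)},
    {"path": "/shared/unknown.bin", "label": "unclassified", "created": date(2018, 1, 1)},
]


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to the 28th in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(item: dict, today: date):
    """Return (action, relevant_date) for one inventory item."""
    rule = POLICY.get(item["label"])
    if rule is None:
        return "review", None                   # no rule: a human has to decide
    hold_until = add_years(item["created"], rule.keep_at_least_years)
    if today < hold_until:
        return "hold", hold_until               # still inside the mandatory period
    if rule.keep_at_most_years is not None:
        purge_by = add_years(item["created"], rule.keep_at_most_years)
        if today >= purge_by:
            return "delete", purge_by           # past the allowed maximum: must go
        return "eligible", purge_by             # may be deleted now; must be by purge_by
    return "eligible", hold_until               # mandatory period over, no cap: pure exposure


def plan_retention(inventory: list, today: date) -> dict:
    return {item["path"]: evaluate(item, today) for item in inventory}


def summarize(plan: dict) -> dict:
    counts = {}
    for action, _ in plan.values():
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    plan = plan_retention(INVENTORY, date(2020, 7, 1))
    for path, (action, when) in plan.items():
        print(f"{action:9s} {path}  ({when})")
    print(summarize(plan))
```

The "eligible" bucket is the interesting one for the argument in the text: those files are past every obligation to keep them, so every day they remain is cost and breach exposure with no compliance benefit.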

Ongoing monitoring and management – Strong governance gets easier with good data hygiene practices over the long term, but with so many files to manage across a variety of different repositories and storage platforms, it can be challenging to track risks and suspicious activities at all times. Defining dedicated policies for which data types can be stored in which locations, which users can access them, and the parties with which they may be shared will help you focus your attention on further minimizing risk. AI can multiply these efforts by eliminating manual monitoring processes, providing better visibility into how data is being used, and alerting when sensitive content might have been shared externally or with unapproved users. This makes it far easier to identify and respond to threats and risky behavior, enabling you to take immediate action on compromised accounts, move or delete sensitive content that is being shared too broadly or stored in unauthorized locations, and so on.
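A concrete form of the policy-plus-alerting described above, added here as an illustration and not taken from the article or any product: a policy says where each data class may be stored and which external domains it may be shared with, and a checker runs that policy over a stream of audit events and raises an alert for every violation. The policy, the internal domain, the event format and the six sample events are all constructed; real governance tools export richer events, but the check is the same lookup.

```python
import json

INTERNAL_DOMAIN = "corp.example"   # assumed: recipients here are internal users

# Constructed policy (assumption). None means "no restriction" for that dimension.
POLICY = {
    "restricted":   {"locations": {"records-vault", "sharepoint-hr"},
                     "external_domains": set()},                # never leaves the company
    "confidential": {"locations": {"records-vault", "sharepoint-hr", "onedrive"},
                     "external_domains": {"partner.example"}},  # one approved partner
    "public":       {"locations": None, "external_domains": None},
}

# Constructed audit events, one JSON object per line, as a governance tool might export.
EVENTS = """\
{"ts":"2020-07-01T09:02:11Z","actor":"alice@corp.example","event":"share","file":"/hr/payroll_q2.xlsx","label":"restricted","target":"bob@corp.example"}
{"ts":"2020-07-01T09:05:40Z","actor":"alice@corp.example","event":"share","file":"/hr/payroll_q2.xlsx","label":"restricted","target":"mallory@gmail.example"}
{"ts":"2020-07-01T09:10:02Z","actor":"carol@corp.example","event":"store","file":"/contracts/msa.pdf","label":"confidential","target":"onedrive"}
{"ts":"2020-07-01T09:12:55Z","actor":"carol@corp.example","event":"store","file":"/hr/benefits_scan.pdf","label":"restricted","target":"onedrive"}
{"ts":"2020-07-01T09:15:17Z","actor":"dave@corp.example","event":"share","file":"/contracts/msa.pdf","label":"confidential","target":"legal@partner.example"}
{"ts":"2020-07-01T09:20:00Z","actor":"dave@corp.example","event":"share","file":"/marketing/brochure.pdf","label":"public","target":"press@news.example"}
"""


def check_event(ev: dict):
    """Return a violation description for one event, or None if the event is within policy."""
    rule = POLICY[ev["label"]]
    if ev["event"] == "store":
        allowed = rule["locations"]
        if allowed is not None and ev["target"] not in allowed:
            return f"{ev['label']} file {ev['file']} stored in unauthorized location {ev['target']}"
    elif ev["event"] == "share":
        domain = ev["target"].rsplit("@", 1)[-1].lower()
        allowed = rule["external_domains"]
        if domain != INTERNAL_DOMAIN and allowed is not None and domain not in allowed:
            return f"{ev['label']} file {ev['file']} shared externally with {ev['target']}"
    return None


def alerts_for(log_text: str) -> list:
    """Parse a JSON-lines audit export and return one alert dict per violation."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        problem = check_event(ev)
        if problem:
            alerts.append({"ts": ev["ts"], "actor": ev["actor"], "problem": problem})
    return alerts


def alerts_by_actor(alerts: list) -> dict:
    """Count violations per user, a simple signal for a compromised or careless account."""
    counts = {}
    for a in alerts:
        counts[a["actor"]] = counts.get(a["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    found = alerts_for(EVENTS)
    for a in found:
        print(f"{a['ts']} {a['actor']}: {a['problem']}")
    print(alerts_by_actor(found))
```

The two events that fire are exactly the cases the text names: restricted content shared with an unapproved external address, and restricted content stored in a location the policy does not allow for that class. The confidential share to the approved partner and the public share pass without noise, which is what keeps an alert stream actionable.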

The key to data lifecycle management

The sheer volume of data, files and content businesses are now generating and managing creates massive amounts of complexity and risk. You have to know what assets exist, where they’re stored, which specific users have access to them, when they’re being shared, what files can be deleted, which need to be stored in accordance with regulatory requirements, and so on. Falling short in any one of these areas can lead to major operational, financial and reputational consequences.

Fortunately, recent advances in AI and ML are enabling companies to streamline data governance to find and secure sensitive data at its source, sense and respond to potentially malicious behaviors, maintain compliance and adapt to changing regulatory criteria, and more. As manual processes and piecemeal point solutions fall short, AI-enabled data governance will continue to dramatically reduce complexity both for users and administrators, and deliver a level of visibility and control that business needs in today’s data-centric world.

Healthcare to become a key player in the IT security market

Industry professionals are keen to see how this trend develops through 2025. Healthcare systems are largely built to communicate with vendors and patients outside the secure network, and that communication is considered a vital part of the system.

Security breaches and cyber-attacks against such systems can be executed with relative ease. The global market trend is changing with the passage of time, and the healthcare system is integrating IT security products, services, end-user analysis, delivery modes and applications. Healthcare systems hold critical patient data, and a compromise means huge losses for the sector.

IT security and healthcare

Healthcare CISOs have joined hands to promote IT security as an integral part of the healthcare system. The union will make sure that advanced IT security measures are adopted and implemented to prevent breaches and to minimize data loss when an incident does occur.

The healthcare system in the USA relies heavily on services provided by vendors, and this reliance can lead to a breach, as has happened in the past. Vendor security has been made the center point of the conference, and IT professionals from the healthcare system will collaborate directly with the authorities in case of a vendor breach.

4 Things You Need to Know About HIPAA Certification

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect employee health insurance and to establish regulations for health information in electronic medical records. If you are employed in the health or insurance industry, you have likely heard of HIPAA because it affects you directly. Even if you are not employed in the health or insurance industry, HIPAA affects everyone who accesses or needs access to health care, and it is important to understand in order to protect your personal privacy and rights. Any identifiable personal health information (PHI) is addressed and protected by HIPAA.

The part of HIPAA that affects most of the population directly is the regulations on the privacy of health information. The Administrative Simplification provisions are the part of HIPAA that address health information security and privacy. When healthcare workers are given HIPAA training, this is the area they typically focus on most of the time because they come in direct contact with patient information on a daily basis. As a citizen, here are some things you should know about HIPAA and how it affects your health information:

• HIPAA gives the power and decision of privacy completely to the patient. With the HIPAA regulations in place, patients can decide who has access to their medical records and for what purpose. If you have visited a health professional in the last few years, they often have you sign a disclaimer giving the doctor and staff access to your medical records for the purpose of treating you. Pay attention to any forms given to you about your information, because some will address using your information for marketing purposes. It is your right under HIPAA to decide whether or not you want your information released and used for marketing purposes.

• Under HIPAA regulations, healthcare providers are required to provide you with your medical records upon request. Having a copy of your medical records can be useful for switching doctors, safety reasons, and for personal information and peace of mind. If any healthcare provider denies you access to your medical records you can take legal action.

• The only time a healthcare provider or insurance company can access your PHI without express written consent is for use in treatment and payment. Any use of your PHI outside of that scope requires written consent from the patient. Once you have given your written consent for a certain use of your PHI, that entity no longer needs to notify you each time they use your PHI in the agreed-upon fashion.

• Healthcare providers, insurers, and any other entities with access to your records are required by HIPAA to inform you of any use of your PHI. If you become aware of any of your PHI or medical records being used without notification or consent, you can take legal action.

To keep yourself protected, it is important to know all you can about HIPAA and your rights concerning your PHI. If you find yourself with questions, ask your healthcare provider directly how they plan to use your PHI and medical records.

For more information, please visit our HIPAA Certification website at https://www.hipaaexams.com/hipaa-certification.asp