[Figure: Difference between compliance and non-compliance cost (average annual cost, $ millions)]

            Compliance cost   Non-compliance cost
FY2011      $3.53             $9.37
FY2017      $5.47             $14.82

securelink.com © SecureLink, Inc.

Third-Party Remote Access Compliance Guide

Understanding compliance is a nuanced and difficult undertaking. Almost every industry operates under guidelines that govern compliance, and most of them are complex, winding rubrics with rules about everything from physical document disposal to remote network access. Making sense of it all and finding a solution for each requirement can be tough, which is why conversations around compliance are so complex and multifaceted that it can be hard to orient yourself. Yet maintaining compliance is critical to the network and financial health of an organization.

This guide focuses the conversation on remote access. Whether your industry is beholden to HIPAA, CJIS, PCI DSS, or any other standard, there are specific remote access compliance guidelines you must follow.

Within this document we explain the key remote access requirements and terms. We have also included interactive checklists for HIPAA, CJIS, and PCI DSS, plus a general security checklist.

Vendor remote access is one of the most critical network security vectors for IT and security teams to address. Use the following information and checklists to help you evaluate your current connection methods or potential solutions for the future.


The cost of non-compliance is more than two-and-a-half times that of being compliant.1

$14.82 million is the average per-year cost of non-compliance.1

1 The True Cost of Compliance with Data Protection Regulations, Globalscape. http://dynamic.globalscape.com/files/Whitepaper-The-True-Cost-of-Compliance-with-Data-Protection-Regulations.pdf

Compliance is essential to network security


Unique login credentials

Login credentials are one of the easier basics of remote access to understand. We all have usernames and passwords and can picture what it means to have an “account” or “sign-in.” Where compliance guidelines go beyond everyday practice is in requiring that each user be uniquely identified, so that any action can be attributed to a specific person.

Requiring and assigning unique logins also reduces user security vulnerabilities such as shared credentials and unauthorized permissions. When accounts and authentication are linked to an individual, users can no longer share logins. This design ties access permissions to authorized users rather than to communal logins that cannot be tracked or controlled, which is a common source of data breaches.

If a third-party vendor needs remote access, assign each authorized user a unique login tied to their individual email address or work ID. This process can be managed through a credential vault application (credential management is often a sub-feature of remote access software).

Summary

• Requirement: Each user must be uniquely identified.

• Solution: A credential vault that assigns each user a unique login tied to their individual email address or employee ID.

Termination protocols

Termination protocols tie in closely with the unique login requirement. The standards require the ability to revoke network access immediately when an employee or vendor technician ceases employment. Protocols must be established to identify and deactivate a user's credentials the moment that individual no longer has a business need for access, and to disconnect any session that is already open.

Summary

• Requirement: Administrators must be able to quickly revoke access or deactivate login credentials.

• Solution: Alert administrators on each connection, and deploy tooling that can terminate a live session on demand, since deactivating credentials alone does not end sessions that are already open.

Unique logins reduce user security vulnerabilities like shared credentials and unauthorized permissions


Access control

Access controls should give authorized users only the information they need to perform essential job functions. Access control paradigms vary with the industry guideline in question, but access to information should always be limited to role-appropriate needs.

Access control is often maintained through complex Active Directory permissions or real-time monitoring. These methods satisfy compliance standards, but there are solutions designed to reduce the overhead and micromanagement. Once unique logins are established, permissions can be tied to an individual's login, including application-level permissions and limited access windows, which provide security without burdensome oversight and constant maintenance.

Summary

• Requirement: Users should only have access to what they need.

• Solution: Enable least-privilege access controls.

Audit and monitoring

There is no single method of audit; each industry sets its own standard, and the audit requirements can vary with a vendor's or an organization's role. For that reason it is best to employ a complete strategy for recording all remote access events and transactional support instances.

Access monitoring solutions are essential because they capture the who, when, and why of every remote access instance in your audit trail. A robust monitoring solution also has measurable benefits beyond the audit trail: in the unfortunate event of a data breach, the damage can often be contained, or even averted, if the point of origin can be identified and addressed quickly.

Comprehensive auditing not only protects your enterprise in a compliance review; it serves as a failsafe for your vendor interactions, supports data integrity, and acts as an early warning indicator for your network systems.

Summary

• Requirement: Log all remote access interactions for auditing and monitoring purposes.

• Solution: Consult the specific audit and monitoring requirements of the standards that apply to you (links for the most common ones follow):

• HIPAA | CJIS | PCI DSS

Zero trust or least privileged access models are best.


Multi-factor authentication (MFA)

If you must allow remote access, require your vendors to use multi-factor authentication so that each login event is protected.

Multi-factor authentication is a credential system that goes beyond a simple password. It requires two or more pieces of evidence that only the user in question can provide, such as a code generated on or sent to a secondary device, a hardware token, or another distinct factor.

Multi-factor authentication reduces the hazard of shared logins, since a password alone no longer grants access, and it adds protection against weak passwords, brute-force attempts, phishing attacks, and other methods that exploit the weakness inherent in single-factor sign-ons. One caveat: one-time codes delivered by SMS, email, or push can still be relayed through a real-time phishing proxy, so where the option exists, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys.

Summary

• Requirement: Multi-factor authentication must be implemented for remote access users.

• Solution: Implement a software solution that allows for additional authentication (e.g. a mobile authenticator application).
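The “code on a secondary device” factor mentioned above is usually a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP). The following is an added example, not code from the SecureLink guide or any authenticator product, showing both the code generation and the two server-side details a careless verifier omits: tolerating a small clock skew, and accepting each time step only once so that a captured code cannot be replayed. The key is the published RFC 6238 test-vector key, not a real secret; the skew of one step and the per-user state dictionary are assumptions for the example.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector key (not a real secret)
STEP = 30    # seconds per time step
DIGITS = 6   # code length shown to the user


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (what the device shows)."""
    return hotp(key, unix_time // step)


class TotpVerifier:
    """Server side: accept a code once, within +/- skew steps of the server clock."""

    def __init__(self, key: bytes, skew: int = 1, step: int = STEP):
        self.key, self.skew, self.step = key, skew, step
        self.last_accepted = {}  # user -> highest counter already used (assumed in-memory state)

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(max(now - self.skew, 0), now + self.skew + 1):
            if counter <= self.last_accepted.get(user, -1):
                continue  # this step (or an earlier one) was already consumed: reject replay
            # Constant-time comparison so a wrong code does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_accepted[user] = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(SECRET)
    code = totp(SECRET, 59)                      # "287082", the RFC 6238 vector for T=59
    print(code, verifier.verify("acme-jdoe", code, 59))    # True: fresh code
    print(code, verifier.verify("acme-jdoe", code, 70))    # False: same code replayed
```

The generation side reproduces the RFC 6238 SHA-1 test vectors (truncated to six digits), so the arithmetic can be checked against the standard. On the verification side, the replay check is the point: a code phished or shoulder-surfed from a vendor technician is useless once they have used it themselves, and the skew window should stay at one or two steps, since every extra step widens the brute-force target.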


76% of organizations experienced phishing attacks in 2017.2

2 Wombat 2018 State of the Phish. https://www.wombatsecurity.com/state-of-the-phish


Everyone benefits from compliant third-party remote access.

YOUR COMPLIANCE CHECKLISTS FOR HIPAA AND HITECH, PCI DSS, CJIS, AND GENERAL SECURITY COMPLIANCE

Use these interactive checklists on the following pages to make sure your network is protected and you’re in compliance with the appropriate federal regulations.


HIPAA and HITECH Compliance Checklist

Everyone benefits from HIPAA compliance.

Because of the rules implemented in HIPAA and the further business associate (BA) requirements found within the HITECH Act, it benefits both covered entities and BAs to regularly check their systems to ensure compliance.

This interactive checklist represents a few essential components necessary to ensure your network setup is HIPAA compliant and that ePHI is protected. This checklist is composed of tasks your organization should have in place to aid you with your HIPAA compliance goals.

Improve compliance and mitigate liability

• Facilitate an access control audit

• Identify where activity audit controls are needed

• Catalog entry points and users

• Identify remediation points

Access control / unique user identification / automatic logoff

• Multi-factor authentication

• Unique username/password combination for all logins

• Restricted access as to time, scope, function, and file

• System- or user-level access rights

• Unilateral ability to terminate sessions at any time

• Automatic logoff after 10 minutes of inactivity (the HIPAA automatic logoff specification does not fix a period; 10 minutes is this guide's recommendation)

Audit controls

• Detailed logs of each support connection session

• Complete historical reporting

Data integrity

• Strict control of remote access to limit support-related data corruption

• Detailed audit to identify changes and enable corrections

Transmission security

• Customer-configurable encryption

• AES in 128-, 192-, and 256-bit modes

• Triple DES (legacy compatibility only: NIST SP 800-131A deprecates Triple DES, so prefer AES)


PCI DSS Compliance Checklist

PCI DSS compliance is critical.

The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of technical and operational requirements designed to protect payment cardholder data against data theft and unauthorized access.

This interactive checklist is designed to help enterprises and their vendors comply with current PCI DSS requirements.

Access control / unique user identification / automatic logoff

• Ensure passwords are not vendor-supplied defaults

• Restrict access based on need-to-know

• Insist on unique user access credentials for system and network components

Audit controls

• Track and monitor all access to network resources and cardholder data

• Capture detailed audit logs of each session involving cardholder data

• Implement an audit trail system for all internal and third-party e-commerce environments

Data protection and integrity

• Maintain a firewall configuration to protect cardholder data

• Install and monitor anti-malware and anti-virus protections

Transmission security

• Disable SSL and early TLS (1.0) in favor of TLS 1.1 or later (TLS 1.2 or later strongly recommended)

• Encrypt transmissions of cardholder data over all open or public networks

PCI DSS third-party remote access recommendations

• Ensure third-party web hosting providers have hardened, secure systems

• All vendor/partner transaction processing hardware and software must be PCI DSS compliant

• Implement bi-annual audits with partners and third-party vendors to ensure compliance with PCI DSS

• Providers should perform quarterly adherence reviews of security policies and systems (e.g. ensuring active security alerts and daily audit logs are functional)


CJIS Compliance Checklist

CJIS compliance is critical.

The Criminal Justice Information Services (CJIS) Security Policy contains specific IT requirements. We have provided a checklist of rules from the CJIS compliance guidelines focusing on remote access, audit trails, and password requirements.

Auditing and user accountability

• Allow privileged users to easily see who has access to passwords, and when and how they are being used.

• Generate detailed audit reports based on user access, permissions, and passwords.

Access controls

• Allow password restriction based on a user's role (job duties or administrative level).

• Establish a centralized password management system so that a user's access and permissions can be changed or restricted quickly should they leave their role.

Identification and authentication

• Lock access after repeated failed login attempts, and automatically notify administrators of such an event.

• Require re-authentication after a set period of inactivity.

• Allow administrators to create a password policy that meets CJIS complexity requirements (at least eight characters, expiry within 90 days, etc.).

• Require multi-factor authentication (MFA).

CJIS third-party remote access recommendations

• Implement a software access solution featuring a “credential vault” or other form of password management.

• Maintain a detailed audit log. The audit should record the who, what, when, and why of remote access.

• Require multi-factor authentication (MFA) for all remote access.

• Discontinue using solutions like VPN, remote desktop, or WebEx as a method of vendor remote access.


General Security Checklist

Compliance is critical.

For highly regulated industries and government entities, adherence to compliance guidelines is essential, and the challenges for government agencies, enterprise organizations, and the technology vendors that support them are ever present.

This interactive checklist is designed to assist enterprises, agencies, and vendors with an initial security audit in order to better adhere to industry compliance regulations.

Third-party evaluation

• Identify and categorize third-party vendor and partner access needs

• Perform access assessments for each vendor and partner

Access control / unique user identification / automatic logoff

• No vendor-supplied security parameters or default passwords

• Implement least-privilege access

• Insist on unique user access credentials

Audit controls

• Track and monitor all access to network resources and critical data

• Capture detailed audit logs of each support session

Data protection and integrity

• Encrypt transmissions over all open or public networks

• Install and maintain a firewall configuration to protect data

• Develop secure application and system implementations

• Protect all systems against malware and regularly monitor anti-virus protections

• Restrict physical access

Recommendations

• Identify problem areas or gaps in security policies

• Construct a remediation readiness, or action, plan

• Ensure vendor adherence to enterprise policies

• Revisit partner and/or third-party security processes


About SecureLink

SecureLink is the leader in managing secure third-party remote access and remote support for both highly regulated enterprise organizations and technology vendors. More than 30,000 organizations across multiple industries including healthcare, financial services, legal, gaming, and retail rely on SecureLink's secure, purpose-built platform. SecureLink is headquartered in Austin, Texas.

securelink.com - 888.897.4498 - [email protected]