
Zero-Trust Policies Can Keep Your Business Secure


The modern cyberthreat landscape is nothing to be trifled with, so it makes sense that as threats grow more powerful, the solutions used to address them grow with them. One practice designed to match how serious cyberthreats have become is zero-trust IT. Let’s discuss these policies and how you might put them in place.

What is Zero-Trust?

Zero-trust is an approach in which an organization’s default action is to scrutinize every detail of an individual’s access to its IT infrastructure, from the hardware and software to the network connection. To gain access, users must authenticate themselves in a trustworthy and secure manner.

This might seem like a lot of work, and that’s because it is. A zero-trust policy is something that may take some time to implement, but it’s proven to decrease the number of security risks a company experiences over time. All aspects of access must be considered for zero-trust to remain effective.

Zero Trust is Surprisingly Simple to Deploy

When adopting zero-trust, you need to take the following steps:

Determine Your Goals for Your Zero-Trust Processes

NIST, the National Institute of Standards and Technology, has identified two goals behind zero-trust: prevent unauthorized access to a business’s data and resources, and control access at the most granular level possible. In other words, prevent unauthorized access and make access as transparent and stringent as possible.

Determine Your Most Important Data

To best protect your business, consider the data that’s most important for your operations and how you want to control access. This will be critical for ensuring your zero-trust strategy can be pulled off.

Determine How Prepared You Are for Zero-Trust

Similarly, you will want to ensure that your network is prepared to handle the authentication required of zero-trust policies. Does it have the safeguards needed to ensure it remains secure? What about your endpoints, or the employees accessing them? Are their accounts secured, and are they following best practices? Consider all of these to make sure your policies are implemented correctly.

Determine What You Need to Do to Improve

If you know what you need to improve, there is a greater chance that you will use that knowledge to act. A general rule to follow for zero-trust IT policies is that nothing and no one should be trusted without first being authenticated, coupled with real-time monitoring.

Determine Monitoring Practices

Your real-time monitoring practices should continue even after initial implementation and well into the future so that you can always catch and mitigate potential threats.
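As an added example (not code from the original post), here is a minimal policy decision point in Python that applies the rule above: every request is denied unless authentication, MFA, session freshness, device posture and role entitlement all check out, being on the corporate network counts for nothing by itself, and every decision is logged so that monitoring can act on it. The sensitivity tiers, field names and thresholds are assumptions made for the illustration.

```python
"""Zero-trust policy decision point, added here as an illustration (not code
from the original post). Field names, sensitivity tiers and thresholds are
assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed sensitivity tiers; the stricter the tier, the more assurance an
# access request must carry before it is allowed.
TIER_REQUIREMENTS: Dict[str, dict] = {
    "public":     {"mfa": False, "managed_device": False, "max_session_min": 720},
    "internal":   {"mfa": True,  "managed_device": False, "max_session_min": 480},
    "restricted": {"mfa": True,  "managed_device": True,  "max_session_min": 60},
}

@dataclass
class AccessRequest:
    user: str
    authenticated: bool          # identity proven for this session
    mfa_verified: bool           # second factor completed
    session_age_min: int         # minutes since the last authentication
    device_managed: bool         # enrolled in the organization's device management
    device_compliant: bool       # posture check passed (patched, encrypted, etc.)
    on_corporate_network: bool   # recorded for monitoring; never grants trust
    resource: str
    resource_tier: str
    user_roles: List[str] = field(default_factory=list)
    entitled_roles: List[str] = field(default_factory=list)

# Every decision, allowed or denied, is appended here so that monitoring can
# watch for patterns (repeated denials, stale sessions, non-compliant devices).
AUDIT_LOG: List[dict] = []

def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Default deny: run every check, collect failures, allow only if none."""
    reasons: List[str] = []
    rules = TIER_REQUIREMENTS.get(req.resource_tier)
    if rules is None:
        reasons.append(f"unknown resource tier '{req.resource_tier}'")
        rules = TIER_REQUIREMENTS["restricted"]   # fail closed: treat as strictest
    if not req.authenticated:
        reasons.append("identity not authenticated")
    if rules["mfa"] and not req.mfa_verified:
        reasons.append("MFA required for this tier")
    if req.session_age_min > rules["max_session_min"]:
        reasons.append("session too old for this tier; re-authenticate")
    if rules["managed_device"] and not req.device_managed:
        reasons.append("managed device required for this tier")
    if not req.device_compliant:
        reasons.append("device failed posture check")
    if not set(req.user_roles) & set(req.entitled_roles):
        reasons.append("user holds no role entitled to this resource")
    allowed = not reasons
    AUDIT_LOG.append({
        "user": req.user, "resource": req.resource, "tier": req.resource_tier,
        "on_corporate_network": req.on_corporate_network,
        "allowed": allowed, "reasons": list(reasons),
    })
    return allowed, reasons

def denials_by_user() -> Dict[str, int]:
    """Simple monitoring view: how many denials each user has accumulated."""
    counts: Dict[str, int] = {}
    for entry in AUDIT_LOG:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts

# Constructed sample requests for the example.
SAMPLES = [
    # Inside the office, but no MFA and an unmanaged laptop: location buys nothing.
    AccessRequest("alice", True, False, 10, False, True, True,
                  "payroll-db", "restricted", ["finance"], ["finance"]),
    # Remote, MFA done, managed and compliant device, entitled role: allowed.
    AccessRequest("alice", True, True, 30, True, True, False,
                  "payroll-db", "restricted", ["finance"], ["finance"]),
    # Same as above but the session is 90 minutes old: re-authentication required.
    AccessRequest("alice", True, True, 90, True, True, False,
                  "payroll-db", "restricted", ["finance"], ["finance"]),
    # Internal-tier wiki from a compliant personal device with MFA: allowed.
    AccessRequest("bob", True, True, 120, False, True, False,
                  "wiki", "internal", ["staff"], ["staff", "finance"]),
]

def run_samples() -> List[Tuple[bool, List[str]]]:
    return [evaluate(r) for r in SAMPLES]

if __name__ == "__main__":
    for req, (allowed, reasons) in zip(SAMPLES, run_samples()):
        print(f"{req.user} -> {req.resource}: {'ALLOW' if allowed else 'DENY'} {reasons}")
    print("denials by user:", denials_by_user())
```

The first sample is the one that matters most: the user is on the corporate network, which a perimeter model would have treated as sufficient, yet the request is denied because the tier demands MFA and a managed device. The audit log is what turns the policy into the ongoing monitoring the last step calls for.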

Ultimately, a zero-trust policy is one of the best ways to approach network security for your business and its resources. To learn more about how we can help to facilitate the implementation of this type of policy, be sure to contact us at 810.230.9455.


PCI Compliance 101


Does your business accept credit cards? Of course it does. Regardless of your industry, your customers now use payment cards for a large portion of their retail transactions, both online and in-store. To protect consumers, the credit card companies established a compliance standard. Today we will look at this standard.

Introducing PCI DSS

With so many people using credit, debit, and prepaid gift cards to pay for goods and services, the economic ramifications of digital payment fraud, data loss, and the other side effects of continued reliance on these payment methods led the companies that issue these cards to band together and create what is now known as the PCI Security Standards Council. Since its inception in 2006, the PCI Security Standards Council has overseen the establishment and coordination of the PCI DSS, or Payment Card Industry Data Security Standard. Let’s take a look at how PCI compliance works.

Taking a Look at PCI 

PCI DSS was established in 2006 by credit card companies as a way to regulate business use of personal payment card information. That means all businesses. If your business processes or stores payment card information as a means of accepting digital payment, you need to maintain your PCI compliance. PCI DSS demands that businesses satisfactorily take the following steps:

  1. Change passwords from the system defaults
  2. Install and maintain network security tools (antivirus, firewalls, etc.) that protect card data
  3. Encrypt the transmission of card data across public networks
  4. Restrict access to card and cardholder data to a “need to know” basis
  5. Assign a unique user ID to every user with server or database access
  6. Protect both physical and digital access to card and cardholder data
  7. Monitor and maintain system security
  8. Test system security regularly
  9. Create written policies and procedures that address the importance of securing cardholder data
  10. Train your staff on best practices for accepting payment cards
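As an added example (not the original post’s code, and not an official PCI tool), the Python script below checks a constructed system inventory against three of the items above: vendor-default passwords (item 1), card data crossing a public network without encryption (item 3), and shared accounts where individual user IDs are required (item 5). The inventory format, the default-password list and the TLS 1.2 baseline are assumptions made for the illustration.

```python
"""Pre-assessment checker for three of the PCI DSS items listed above
(default passwords, encrypted transmission over public networks, individual
user IDs). Added as an illustration; it is not the original post's code and
not an official PCI tool. The inventory format, the default-password list and
the TLS 1.2 baseline are assumptions made for the example."""
from typing import Dict, List, Tuple

# Constructed list of vendor-default credentials to refuse (illustrative only).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "1234", ""}

# Assumed baseline: anything older than TLS 1.2 is treated as not encrypted
# for the purpose of item 3.
MIN_TLS = (1, 2)

Finding = Tuple[int, str, str]   # (item number from the list above, system, detail)

def is_default_password(password: str) -> bool:
    """Item 1: refuse credentials that match a known vendor default."""
    return password.strip().lower() in KNOWN_DEFAULT_PASSWORDS

def tls_version_tuple(version: str) -> Tuple[int, ...]:
    """Turn "1.2" into (1, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def transmission_is_protected(system: dict) -> bool:
    """Item 3: card data crossing a public network must use strong TLS."""
    if not system.get("tls_enabled", False):
        return False
    return tls_version_tuple(system.get("tls_min_version", "1.0")) >= MIN_TLS

def audit(inventory: Dict[str, dict]) -> List[Finding]:
    """Return every finding, sorted by item number and then system name."""
    findings: List[Finding] = []
    for name, system in inventory.items():
        # Item 1: vendor defaults must be changed before the system goes live.
        if is_default_password(system.get("admin_password", "")):
            findings.append((1, name, "administrative password is a vendor default"))
        # Item 3: only applies where card data actually crosses a public network.
        if system.get("sends_card_data_over_public_network") and not transmission_is_protected(system):
            findings.append((3, name, "card data leaves over a public network without strong TLS"))
        # Item 5: every person with access must have their own user ID.
        for account, props in system.get("accounts", {}).items():
            if not props.get("individual", False):
                findings.append((5, name, f"account '{account}' is shared; assign individual user IDs"))
    return sorted(findings)

# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = {
    "pos-terminal-01": {
        "admin_password": "admin",
        "tls_enabled": True, "tls_min_version": "1.2",
        "sends_card_data_over_public_network": True,
        "accounts": {"alice": {"individual": True}, "bob": {"individual": True}},
    },
    "payment-gateway-proxy": {
        "admin_password": "correct-horse-battery-staple",
        "tls_enabled": False,
        "sends_card_data_over_public_network": True,
        "accounts": {"ops": {"individual": False}},
    },
    "cardholder-db": {
        "admin_password": "9f!Qv2#LmZ8w",
        "tls_enabled": True, "tls_min_version": "1.0",
        "sends_card_data_over_public_network": False,   # internal only, so item 3 does not fire
        "accounts": {"dba": {"individual": True}, "app-svc": {"individual": True},
                     "ops": {"individual": False}},
    },
}

if __name__ == "__main__":
    for item, system, detail in audit(SAMPLE_INVENTORY):
        print(f"item {item:2d}  {system:<22} {detail}")
```

A check like this is only a first pass before a Self-Assessment Questionnaire or a QSA engagement: it finds the obvious misses in an inventory you already maintain, it does not replace the assessor’s review or the quarterly scan.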

While many businesses already do these things in the normal course of doing business, if you currently don’t and you still allow for the use of payment cards, your business could have a problem on its hands. 

Business Size and Compliance 

Once you understand what you need to do to be PCI compliant, you then need to comply with the standards of your business’ merchant status. They are defined as follows:

  • Merchant Level #1 – A business that processes over six million payment card transactions per year.
  • Merchant Level #2 – A business that processes between one million and six million payment card transactions per year.
  • Merchant Level #3 – A business that processes between 20,000 and one million e-commerce payment card transactions per year.
  • Merchant Level #4 – A business that processes fewer than 20,000 e-commerce payment card transactions, and fewer than one million overall payment card transactions, per year.

Since a business with more transactions has more opportunities for a payment card compliance failure, it is required to do more to prove compliance than a smaller business is. Here are the expectations for businesses in each merchant level:

Merchant Level #1

Doing massive business online and otherwise brings with it more responsibility. To maintain PCI compliance, Level 1 merchants need to:

  • Perform a yearly Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
  • Allow an Approved Scanning Vendor (ASV) to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #2

As transaction volume decreases, the standards become less stringent. Level 2 merchants need to:

  • Perform a yearly Self-Assessment Questionnaire (SAQ)
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #3

Many medium-sized businesses will fall under this level and need to:

  • Perform an SAQ
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #4

The majority of small businesses fall into level #4 status and, like levels two and three, need to:

  • Perform an SAQ
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Businesses that are non-compliant will face fines, extra scrutiny, or risk having the privilege of accepting payment cards officially revoked. If you have questions about the particulars of PCI DSS compliance, call the knowledgeable professionals at NuTech Services today at 810.230.9455.


The Truth About Compliance and Cybersecurity


To the average person there are some definite blurred lines between IT security and IT compliance. In fact, these lines are so blurry to most people that they would consider them the same thing. They aren’t. How is it possible to create a fully compliant, completely secure computing environment? You start by understanding how to make both possible.

IT Security

Let’s start with IT security because it’s undeniably important if you want to maintain not just IT regulatory compliance, but business on your own terms. IT security, like the act of complying with regulations, is an act of risk mitigation. In the case of IT security, the risks are many and complex. You have the risk of operational issues like downtime. You have the risk of system corruption from hackers and other outside entities who are trying to break through (or in) and get access to your assets. There is also internal risk to physical systems, central computing infrastructure, and every endpoint on the network.  

In IT security, the amount of risk often dictates what kind of action is necessary, since waiting to react to problems after they occur isn’t a viable option. Thus, when protecting your network from threats, you will likely have to be far more comprehensive in your attention to detail than you would be under even the strictest compliance standards.

IT Compliance

Compliance is also about minimizing risk, but staying compliant is more about following set-in-stone rules than it is about keeping systems secure. Most of the regulations handed down by a government entity, third-party security framework, or customer contract have very specific requirements. This gives network administrators a punch list of tasks that must happen to keep their organization’s IT compliant with its various mandates.

As far as digital asset security is concerned, many regulations are written to ensure that risky behavior is not introduced, while others are very specific about which data needs to be protected and which systems need protection. In fact, some regulations barely touch the IT infrastructure, only dictating that the business purchase regulation-compliant hardware.

Where Your Company Stands

Compliance standards typically depend on which vertical market your business does business in, or more specifically, how it uses sensitive information in the course of doing business. That doesn’t speak to your organization’s complete IT security strategy. In order to keep all of your digital (and physical) assets secure, there needs to be a dedicated plan to do it. After all, today the user is the most common breach point. 

With that in mind, a business operating under the watchful eye of a regulatory body needs to understand that it can be compliant and still be at risk. Aside from meeting all the compliance standards set forth by your industry’s regulatory mandates, you need to put together a cybersecurity strategy that prioritizes the ongoing training of your endpoint operators.

At NuTech Services, our technicians are experts in modern compliance standards and cybersecurity. Our team can work to simultaneously build an IT infrastructure, the policies to govern that infrastructure, and the endpoint monitoring and protection solution that will keep your business secure from threats, while also being compliant to any mandated regulations your business is under. Call us today at 810.230.9455 to learn more.