How can the high requirements of an information security certification be met, especially when preventive measures like system hardening are a must-have? This is how ESRB mastered that with our powerful hardening tool.
The Entertainment Software Rating Board (ESRB) is the non-profit, self-regulatory body for the video game industry that assigns age and content ratings to video games and apps to help consumers, especially parents, make informed choices about which are appropriate for their family.
The initial position
In order to secure critical systems and infrastructure, it is necessary to increase the level of security. Therefore, ESRB introduced an Information Security Management System (ISMS), which had to be certified. For this, the well-known SOC 2 standard was chosen.
In order to increase information security and meet the corresponding requirements in the technical environment, ESRB decided, among other things, to professionalize its system hardening.
The goal was to comprehensively secure the Windows-based workstation and server infrastructure with an industry-proven, centrally manageable system hardening. In addition, it should be possible to continuously monitor the secure configurations to detect anomalies.
Timing was another requirement: due to the SOC2 certification process, the schedule was very tight.
What does a SOC2 certification cover?
SOC2 (System and Organization Controls) is a compliance standard for service organizations developed by the American Institute of Certified Public Accountants (AICPA). It specifies how organizations should manage their confidential and sensitive data.
The standard is based on the following TSC (Trust Services Criteria):
- Integrity of processing
A SOC2 report is tailored to individual needs. That means anyone can develop controls that follow one or more trust principles.
Internal reports provide regulators, business partners, and suppliers with important information about how a company or organization manages its data.
ESRB decided to use a modern hardening tool and avoid manually configuring hundreds of settings. Enforce Administrator provides exactly what the organization needs.
Thanks to the #NoCodeHardening technology, ESRB is able to perform system hardening in a convenient way. The hardening is based on various established standards – for example, CIS recommendations and the Microsoft Security Baselines.
All this is possible without accepting the disadvantages of GPOs and without writing a line of script code. This is because hardening settings are configured centrally via Enforce Administrator's intuitive web interface. Distribution and rollout are then handled by the security configuration management tool.
In addition, Enforce Administrator ensures “self-healing systems”. Deviations are automatically detected, corrected and made transparent via an intuitive reporting system.
The FB Pro team supported the ESRB in a phased implementation of Enforce Administrator into the existing infrastructure landscape. In the first step, we provided test systems with a basic hardening configuration, then tested business-relevant applications and services.
After approval, a pilot rollout was done, followed by the area rollout. During all phases, the FB Pro experts worked closely with ESRB’s IT professionals.
ESRB’s IT systems are now permanently configured as required by external recommendations and internal company guidelines. This sustainably increases the level of information security at ESRB.
In addition, IT managers at ESRB now have the ability to quickly and easily produce regulatory evidence for the implementation of the technical measure “system hardening”.
Andrew S. Baker, external information security consultant contracted by ESRB, states the following:
“System hardening helps to protect IT systems effectively – and that to common and proven standards. Especially with increasing information security requirements and upcoming SOC2 certification, Enforce Administrator is a very powerful tool to achieve business-relevant compliance goals.”
FB Pro GmbH provides its customers with information security, data protection and compliance at the highest level. For this, our team relies on solutions such as the Enforce Administrator, which we implement for our customers.
In addition, we are also happy to provide support for our customers as part of our “managed service”. Are you interested in such solutions? Contact us without any obligation!
Image by Freepik & ESRB