Have you engaged a service provider? Does it really comply with regulatory requirements, for example in the area of IT security? Use this tool to check the quality of your service provider.
Measures for information security and data protection are complicated and complex
All companies worldwide are subject to various regulatory requirements. The requirements and the associated obligations arise from various sets of rules and standards. For example, the European General Data Protection Regulation (GDPR) is of central importance for the processing of personal information.
There are also supplementary special regulations, for example for companies in the critical infrastructure (CRITIS), telecommunications, finance and insurance sectors.
This means that companies cannot act as they please when it comes to information security and data protection! They must inform themselves about the numerous regulatory and industry-specific requirements and comply with them; otherwise they may face legal consequences.
IT outsourcing is ultimately always a matter for management
Companies are increasingly taking advantage of outsourcing. Instead of setting up and maintaining IT services internally, these are flexibly purchased from an external IT service provider. This ranges from cloud services to cyber security and support services.
If an IT manager or the company management decides to use special cloud services, for example, the company becomes existentially dependent. This is because it places the availability and further development of the service in the hands of a third party – the IT service provider. It is therefore advisable to outsource only clearly definable functions.
And to further reduce dependence on a service provider, management control over the external partner should remain within the company as far as possible.
After all, if a service fails or even a successful cyber attack occurs, the management is and remains responsible for the damage resulting from the failure!
Why must the IT security quality of a service provider be checked?
If a provider processes personal data, the European GDPR imposes an ongoing monitoring obligation on the management. This means: as the client, companies not only have the right to monitor their processors, but also the obligation!
In order to comply with this obligation, neither the conclusion of a data processing agreement nor a one-time check is sufficient! Rather, an ongoing control obligation is anchored in the GDPR (the so-called processor control). Accordingly, you must check the processor's current data protection level and, if necessary, propose changes to its technical and organizational measures.
How exactly this control obligation is implemented is again up to each individual company. But the results of the checks carried out – the audits – must be verifiably documented!
How can legally compliant audits be performed?
Has the service provider performed all Windows or Linux configurations according to the hardening recommendations? What is the compliance status of the settings? Are the systems being supported configured to the "state of the art"? Such questions can be quickly clarified with the free AuditTAP.
AuditTAP performs an automated audit by checking, depending on the product or system, up to several hundred configuration settings. Among other things, it checks:
- the algorithms and keys used,
- the location of log data,
- the use of TLS 1.2 (or higher),
- the enabled services,
- and whether separate service accounts exist.
You receive the result of the hardening audit as an easy-to-understand HTML file. Misconfigurations and other deficiencies are clearly highlighted from a system hardening perspective.
A service provider check can be easy
We often hear the argument that audit reports are difficult to generate. Therefore, it is supposedly extremely time-consuming to check the work and quality of service providers with regard to information security.
This is not true!
With AuditTAP you can see in a very short time, and without any specialist training, how well your IT systems are hardened and how securely the service provider has configured them. It does not matter whether it is the hardening of a complete Windows server system or the configuration of a single browser.
This video shows you how to install AuditTAP and generate a report with it:
What you should definitely consider when evaluating the audit report
Is there a lot of “red” in your report based on the AuditTAP? Then this indicates that numerous recommended configurations have not been made and, accordingly, your systems tend to be insufficiently hardened.
But the goal of system hardening is not to achieve the highest possible security at any cost! Instead, the highest possible level of security must be achieved without disrupting or even blocking important business processes. In other words, business applications must continue to function without impairment even after hardening.
And: 100 percent conformity to a standard, for example the specifications of CIS, DISA or BSI, is only a theoretical goal. In reality, this goal is usually unattainable, nor does it make much sense. Our advice is to aim for 80 to 85 percent compliance with the specifications. In this way, you achieve a high level of security while balancing risks appropriately.
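To make the two ideas from this page concrete, namely the kinds of settings an automated hardening audit compares against a baseline (algorithms, log location, TLS version, enabled services, service accounts) and the compliance percentage you then judge against the 80 percent target, here is an added example in Python. It is not AuditTAP code, and its check IDs, rule set, sample system and HTML layout are all constructed for illustration; a real audit collects the settings from the host instead of reading them from a dictionary.

```python
"""Hardening-audit sketch: compare collected settings against a baseline,
compute a compliance percentage and render a red/green HTML report.
Added example; the checks and the sample system below are constructed
and are not AuditTAP's own rule set or report format."""
from dataclasses import dataclass
from typing import Any, Callable
import html

# Constructed sample: settings as they might be collected from one host.
SAMPLE_SYSTEM: dict[str, Any] = {
    "tls.min_version": "1.0",                                # too old
    "ssh.ciphers": ["aes256-gcm@openssh.com", "3des-cbc"],   # one weak cipher
    "audit.log_path": "/var/log/audit/audit.log",
    "services.enabled": ["sshd", "cron"],
    "service_accounts": {"webapp": "svc_webapp", "db": "root"},  # db runs as root
}

WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}
CLEARTEXT_SERVICES = {"telnet", "rsh", "rlogin", "ftp"}


@dataclass(frozen=True)
class Check:
    check_id: str
    title: str
    severity: str
    test: Callable[[dict[str, Any]], bool]  # returns True when compliant


def _tls_at_least_12(cfg: dict[str, Any]) -> bool:
    major, minor = (int(p) for p in str(cfg["tls.min_version"]).split("."))
    return (major, minor) >= (1, 2)


# Constructed baseline mirroring the kinds of settings a hardening audit covers.
BASELINE: list[Check] = [
    Check("TLS-01", "Minimum TLS version is 1.2 or higher", "high", _tls_at_least_12),
    Check("CRYPTO-01", "No weak SSH ciphers enabled", "high",
          lambda c: not (set(c["ssh.ciphers"]) & WEAK_CIPHERS)),
    Check("LOG-01", "Audit log is written below /var/log/audit/", "medium",
          lambda c: c["audit.log_path"].startswith("/var/log/audit/")),
    Check("SVC-01", "Legacy cleartext services are disabled", "high",
          lambda c: not (set(c["services.enabled"]) & CLEARTEXT_SERVICES)),
    Check("ACC-01", "Every service runs under a dedicated non-root account", "medium",
          lambda c: all(a != "root" for a in c["service_accounts"].values())),
]


@dataclass(frozen=True)
class Result:
    check_id: str
    title: str
    severity: str
    passed: bool
    note: str = ""


def run_audit(cfg: dict[str, Any], baseline: list[Check] = BASELINE) -> list[Result]:
    """Evaluate every baseline check; unreadable settings count as findings."""
    results: list[Result] = []
    for chk in baseline:
        try:
            ok = bool(chk.test(cfg))
            note = "" if ok else "setting deviates from baseline"
        except (KeyError, ValueError, AttributeError, TypeError) as exc:
            # A setting that cannot be read must not become a silent pass.
            ok, note = False, f"setting could not be evaluated: {exc!r}"
        results.append(Result(chk.check_id, chk.title, chk.severity, ok, note))
    return results


def compliance_percentage(results: list[Result]) -> float:
    if not results:
        return 0.0
    return round(100.0 * sum(r.passed for r in results) / len(results), 1)


def meets_target(results: list[Result], target: float = 80.0) -> bool:
    """Apply the page's advice of aiming for roughly 80 percent compliance."""
    return compliance_percentage(results) >= target


def render_html(results: list[Result]) -> str:
    """Red rows for failed checks, green for passed ones, plus the overall score."""
    rows = []
    for r in results:
        colour = "#c8e6c9" if r.passed else "#ffcdd2"
        rows.append(f'<tr style="background:{colour}"><td>{html.escape(r.check_id)}</td>'
                    f'<td>{html.escape(r.title)}</td><td>{html.escape(r.severity)}</td>'
                    f'<td>{"PASS" if r.passed else "FAIL"}</td><td>{html.escape(r.note)}</td></tr>')
    pct = compliance_percentage(results)
    verdict = "meets" if meets_target(results) else "is below"
    return ("<html><body><h1>Hardening audit</h1>"
            f"<p>Compliance: {pct}% ({verdict} the 80% target)</p>"
            "<table><tr><th>ID</th><th>Check</th><th>Severity</th><th>Result</th><th>Note</th></tr>"
            + "".join(rows) + "</table></body></html>")


if __name__ == "__main__":
    res = run_audit(SAMPLE_SYSTEM)
    with open("audit_report.html", "w", encoding="utf-8") as fh:
        fh.write(render_html(res))
    print(f"{compliance_percentage(res)}% compliant; failed: "
          + ", ".join(r.check_id for r in res if not r.passed))
```

Running it writes `audit_report.html` and reports the constructed host at 40 percent compliance with TLS-01, CRYPTO-01 and ACC-01 failing, which is the "a lot of red" situation described above. Note that a setting the collector could not read is deliberately recorded as a failed check with an explanatory note rather than being skipped, so the percentage never looks better than what was actually verified.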
What happens after the audit?
Do your audited systems not meet the high requirements of system hardening? Then you need to eliminate this deficiency as quickly as possible! For example, with a solution such as Enforce Administrator, with which even complex IT system landscapes with hundreds or even thousands of systems can be hardened automatically and sustainably.
Like the AuditTAP, the Enforce Administrator is a so-called #NoCodeHardening tool. This means that you do not have to write a line of program code for automation.
Do you need help with system hardening?
Do you have questions about AuditTAP? Do you need assistance with (automated) system hardening? Or would you like to integrate system hardening directly into your deployment or installation processes?
Our experts are here for you! Contact us without obligation and we will get back to you as soon as possible.
Images: Freepik, ScetchBubble