Tuesday, September 16, 2008

Compliance, innovation and security

In this first in-depth topic I will try to cover the impact compliance can have on security and innovation.

Many companies store customer data such as names, email addresses, postal addresses and phone numbers. That is not all: companies that sell or provide online services may also store purchase and payment information such as credit card or bank details.

The whole process of obtaining, retrieving and storing this data is a potential risk and needs to conform to a standard defined by a compliance body. Well-known examples are the Sarbanes-Oxley Act (SOX), PCI DSS and the ISO standards (ISO 27001 for information security management).

It's obvious that compliance affects many employees, procedures and systems. Therefore it's important to know what is in scope and what is not. In my experience it is useful to put all Internet-facing systems in scope: treating every Internet-facing system the way the compliance standard prescribes is a good security practice, and it removes any discussion with the auditor about where the boundary lies.
Internet-facing systems include mail, VoIP services, websites and remote access, even if only some of them strictly need to be compliant.

You don't want to be in the middle of a migration when the auditor is looking over your shoulder, so upgrades to new versions and the introduction of new services should be planned between audit visits. At least, that is what I suggest.

It might be worth upgrading to a new version or introducing new systems before the auditor comes, provided your schedule leaves time for planning, deploying, testing and updating the documentation required for compliance.

Upgrades (Microsoft products) that provide better security and that auditors generally appreciate are:
  • Exchange servers upgraded to Exchange Server 2007
  • Introducing Office Communicator 2007 and services
  • Windows XP to Windows Vista
  • Forefront Client Security

Exchange servers upgraded to Exchange Server 2007

  1. Removes ad-hoc relaying on your external SMTP server: the Edge Transport role takes over Internet-facing SMTP, and relaying is only allowed where a receive connector explicitly grants it.
  2. Adds built-in anti-spam agents (connection, sender, recipient and content filtering).
  3. Adds an advanced antivirus layer through Forefront Security for Exchange Server.
  4. Improves overall security through the separation of server roles (Mailbox, Client Access, Hub Transport, Edge Transport, Unified Messaging) and the rewritten services and structure.
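Before the auditor arrives it is worth proving point 1 rather than assuming it. The script below is an added example, not code from the original post or from Microsoft: it asks the server to accept mail from one foreign domain to another and reports whether RCPT TO was accepted, which is exactly what an open relay does. The host names and addresses are constructed, and the small stand-in SMTP server exists only so the check can be demonstrated offline; against your real edge server you would call check_open_relay("mail.example.com", 25).

```python
"""Open-relay check for an Internet-facing SMTP server (added example).

Talks plain SMTP and asks the server to carry mail from one foreign
domain to another. A correctly configured edge server refuses at RCPT TO
with a 5xx reply; an open relay answers 250. Host names and addresses
are constructed for illustration.
"""
import smtplib
import socketserver
import threading


def check_open_relay(host, port, mail_from="probe@example.org",
                     rcpt_to="victim@example.net", timeout=10):
    """Return True if the server accepts relaying, False if it refuses.

    Both envelope addresses are foreign to the server, so a 250 to
    RCPT TO means it will relay arbitrary mail for anyone.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return False  # even the envelope sender was rejected
        code, _ = smtp.rcpt(rcpt_to)
        try:
            smtp.rset()  # never hand over a message body
        except smtplib.SMTPException:
            pass
        return code == 250


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal stand-in SMTP server so the check can be demonstrated
    offline; the open_relay flag decides how RCPT TO is answered."""

    def handle(self):
        self.wfile.write(b"220 edge.example.com ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line.split(b" ", 1)[0].strip().upper()
            if verb in (b"EHLO", b"HELO"):
                self.wfile.write(b"250 edge.example.com\r\n")
            elif verb == b"MAIL":
                self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif verb == b"RCPT":
                if self.server.open_relay:
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:  # the reply a locked-down Exchange server gives
                    self.wfile.write(b"550 5.7.1 Unable to relay\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"250 2.0.0 OK\r\n")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    """Listens on 127.0.0.1 on an ephemeral port in a daemon thread."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), _FakeSMTPHandler)
        self.open_relay = open_relay
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]


def demo():
    """Probe a refusing and an accepting stand-in server; returns
    (result_for_locked_down_server, result_for_open_relay)."""
    results = []
    for open_relay in (False, True):
        server = FakeSMTPServer(open_relay)
        try:
            results.append(check_open_relay("127.0.0.1", server.port))
        finally:
            server.shutdown()
            server.server_close()
    return tuple(results)


if __name__ == "__main__":
    locked_down, open_relay = demo()
    print("locked-down edge server relays:", locked_down)
    print("misconfigured server relays:   ", open_relay)
```

Run the check from an outside address, not from inside your own network: relay permission on an Exchange receive connector can depend on the source IP range, so an internal probe can pass while the Internet-facing side still relays.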

Introducing Office Communicator 2007 and services

  1. Secure VoIP services (SIP signalling over TLS, media encrypted with SRTP)
  2. Encrypted instant messaging (no need for MSN, Skype or other consumer clients)
  3. Improved secure communication, inside infrastructure you control and can audit

There is also a drawback: it adds more externally connected, Internet-facing IP addresses and services (the edge servers needed for external access), and every one of them lands in the audit scope.

Windows XP to Windows Vista

With the right hardware investment Vista provides a faster, better and more secure desktop environment. In particular the dreaded UAC is a genuinely good security feature against scripts, viruses and trojans: programs run with standard user rights by default and must prompt before they get administrative rights. It is a mitigation rather than a hard security boundary, so keep users on standard accounts and keep antivirus in place alongside it.

Forefront Client Security with WSUS and MOM

This gives you central control over the computers in your network:

  1. Security state assessment and alert reporting (collected through the MOM-based management server)
  2. Enforced real-time antivirus and anti-spyware scanning with daily definition updates
  3. WSUS for scheduled, enforced, centrally managed updates and definition distribution
  4. AD Group Policy Objects for controlling Forefront-protected computers

As you can see, it can be a good thing to upgrade or introduce new services even when you need to be compliant and are audited. But always take great care in planning and deploying, and run a security scan (port and vulnerability scan) against every computer connected to the Internet before the auditor does.

Thank you for reading. Let me know if this works for you.
