Corporate Compliance Insights

The Secret Reason You’re About to Fail Your IT Audit

by Markku Rossi
January 7, 2019
in Featured, Internal Audit

Turning a Key Vulnerability into a Victory

No matter what an organization’s major market is, it is probably subject to regulatory compliance requirements, such as PCI, SOX, FISMA and HIPAA. Failing to comply with any of these requirements could result in a failed audit, which can incur hefty penalties. This article by Markku Rossi of SSH.COM shares one little-known reason why organizations are vulnerable to failing a compliance audit.

No matter your organization’s major market or sector, whether you are in the Fortune 5000 or want to be, you are subject to regulatory compliance requirements such as PCI, SOX, FISMA, GDPR, HIPAA or similar. Failing to comply with the relevant requirements could result in a failed audit, which can incur hefty penalties or loss of business continuity.

Many compliance risk factors are hidden in the plumbing of your organization’s IT infrastructure. This article reveals one little-known reason why your organization is vulnerable to failing a compliance audit, as well as best practices for ensuring you’re prepared the next time you need to demonstrate compliance.

The Secret Key to Compliance

Secure Shell (SSH) is an unseen workhorse in IT infrastructure. The SSH protocol enables secure encrypted remote access and file transfer. SSH keys are the ubiquitous method used to grant access to critical systems and data for humans and machines. SSH keys grease the wheels of finance and industry. However, SSH keys are the domain of sysadmins and app developers, part of the mundane daily work of maintaining databases and editing code.

Many organizations have no visibility into the use of SSH and their SSH key environments, just assuming compliance until an auditor identifies the issue or exception in their reports. How SSH servers/clients and SSH keys are managed is critical for ensuring adequate governance in all corporate IT environments, and it’s an acute issue for cardholder data environments, for business-critical automated data transfers and in enterprise DevOps and application development.

Key Steps to Avoiding a Failed Audit

Ensure you have a holistic and integrated strategy for Secure Shell governance and managing SSH keys. This is essential to avoid failing an audit and incurring fines.

Ask the Right Questions

Here are the critical questions to ask to ensure you don’t fail an audit due to mismanaged SSH keys.

Is Secure Shell deployed within my networks, for example in the cardholder data environment, in application development or in other critical systems?

Rest assured it is. Some experts would say that it is impossible to implement secure networked environments without leveraging the Secure Shell protocol.

Which systems have Secure Shell enabled?

Secure Shell is typically enabled on all systems.

How is Secure Shell used in my networks?

Secure Shell is used for any of the following: system administrator access, application administrator access, developer access, device admin access, automated processes, file transfers, remote desktop access, backup and restore, system failover, VPN access and contractor/partner access.

What is our process for tracking SSH keys?

Any person or process in possession of a private SSH user key has access to accounts with the corresponding public key. Tracking and controlling configuration and distribution of these keys is a basic and critical security requirement.

How often are SSH keys rotated, and what is the process for rotating keys?

A policy should be in place and enforced for regular key rotation. Treat keys as you would user accounts.

What restrictions are in place to prevent authorized users from using Secure Shell access for an unauthorized purpose?

This applies to both interactive users and automated processes using Secure Shell. Keys should be created, managed and monitored using a central unified console. Only grant least privileged access – enough for users to do their job and nothing more. SSH servers should be hardened. Keys should be configured with quantum-ready encryption.

What monitoring is in place to record encrypted SSH connections and activities performed during encrypted sessions?

Privileged activities, such as those conducted by systems and applications administrators, third parties and subcontractors, should be monitored, logged and reviewed with full audit trail according to defined security policies and procedures.

What mechanisms or controls are in place to prevent SSH-based access between production and non-production environments?

SSH keys used by developers and testers must not enable access from your development servers to production. Remnant non-production access may lead to audit infractions, vulnerabilities and breaches.
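As an added example (not code from the article or from SSH.COM), the following Python audit of an OpenSSH authorized_keys file turns the tracking, restriction and hardening questions above into checks: it inventories each key by SHA256 fingerprint and owner comment, flags keys with no from= source restriction or no forwarding restriction, and flags RSA keys below an assumed 2048-bit policy minimum. The sample file and its key blobs are constructed inside the block from fixed bytes; the policy thresholds and option names checked are assumptions, not the article's.

```python
import base64, hashlib
def split_options(field):  # split on commas, but not on commas inside double quotes
    opts, cur, quoted = [], "", False
    for ch in field:
        quoted ^= ch == '"'
        if ch == "," and not quoted: opts.append(cur); cur = ""
        else: cur += ch
    return opts + [cur]

def parse_line(line):  # -> (options, key_type, blob, comment) or None for blank/# lines
    line = line.strip()
    if not line or line[0] == "#": return None
    opts, quoted, i = [], False, 0
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):  # options field precedes the key;
        while i < len(line) and (quoted or not line[i].isspace()):  # it ends at first
            quoted ^= line[i] == '"'; i += 1                          # unquoted space
        opts, line = split_options(line[:i]), line[i:].strip()
    parts = line.split(None, 2)
    return opts, parts[0], base64.b64decode(parts[1]), parts[2] if len(parts) > 2 else ""

def rsa_bits(blob):  # modulus size from an ssh-rsa wire blob: string type, mpint e, mpint n
    pos, fields = 0, []
    for _ in range(3):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + n]); pos += 4 + n
    return int.from_bytes(fields[2], "big").bit_length()

def fingerprint(blob):  # OpenSSH-style SHA256 fingerprint: the inventory key for a holder
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit(text, min_rsa_bits=2048):  # fingerprint -> (owner comment, policy findings)
    findings = {}
    for opts, ktype, blob, comment in filter(None, map(parse_line, text.splitlines())):
        names, issues = {o.split("=", 1)[0] for o in opts}, []
        if not comment: issues.append("no owner comment: key cannot be attributed")
        if "from" not in names: issues.append("no from= source restriction")
        if not names & {"restrict", "no-port-forwarding"}: issues.append("port forwarding allowed")
        if ktype == "ssh-rsa" and rsa_bits(blob) < min_rsa_bits:
            issues.append(f"RSA modulus under {min_rsa_bits} bits")
        findings[fingerprint(blob)] = (comment, issues)
    return findings
# Constructed sample: wire-format blobs built here from fixed bytes, not real credentials.
def _s(b): return len(b).to_bytes(4, "big") + b
def _mpint(n): return _s(n.to_bytes(n.bit_length() // 8 + 1, "big"))
ED_A, ED_B = (base64.b64encode(_s(b"ssh-ed25519") + _s(bytes([f]) * 32)).decode() for f in (0, 1))
RSA_1024 = base64.b64encode(_s(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1)).decode()
SAMPLE = f"""# constructed authorized_keys on a production host
restrict,from="10.1.0.0/16" ssh-ed25519 {ED_A} alice@corp
ssh-rsa {RSA_1024} backup-job
command="/opt/backup.sh daily,weekly" ssh-ed25519 {ED_B}
"""
```

Running `audit(SAMPLE)` reports the restricted, attributed alice@corp key as clean, the backup-job key as unrestricted and under-sized, and the forced-command key as unattributable because it carries no owner comment.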

Looking Ahead

Risk managers and internal auditors have to pick and choose their battles and decide when to take a proactive or reactive stance. When assessing compliance risk from weak Secure Shell governance, you want to know, “Am I ready if and when an auditor comes knocking at my door?”

From the outside, unfortunately, it is not a question of if you will experience a breach – it’s a question of when.

By taking control of Secure Shell governance and implementing integrated SSH key management controls, internal risk managers and auditors can help the organization with a basket of easy wins. You mitigate the risk from external attacks and insider data theft, minimize human errors with critical systems secured by SSH, expedite future breach investigations, stop compliance failure and deliver on your reporting requirements.

Now that you know the secret, you can turn this into a key victory.


Markku Rossi

Markku Rossi is CTO of SSH.COM. Markku brings close to 25 years of software engineering and architecture experience to the company, is responsible for R&D and directs the company’s technology strategy. Markku has extensive knowledge and experience with SSH Communications Security products, having served the company from 1998 through 2005 as a Chief Engineer and a major contributor to the SSH software architecture. Prior to rejoining the company in 2015, he co-founded several companies, such as Codento and ShopAdvisor, and served as CTO at Navicore and as Chief Architect at Nokia. He has a Master of Science degree in Computer Science from Aalto University.

© 2022 Corporate Compliance Insights