Compliance and Privacy (Part 2)

This is a continuation from my previous post. I had left off with organizing and remediating critical vulnerabilities. Now I will go over some more, specific examples related to compliance and privacy.

Expel Local Administrator Rights from Employee Devices

If any employee has local administrator rights on their device, they can be deceived into downloading applications from malicious websites or opening malicious email attachments. Enforce corporate policies utilizing an enterprise app store. An enterprise app store guarantees that administration is set up to install only authorized applications and, unlicensed and black-listed applications from employee devices are removed.

Deploy New Software that is Free from Known Vulnerabilities

The risks of releasing new apps into the environment is higher with the increase of the total number, frequency, and complexity of applications. Organizations should determine whether apps require further mitigation, or they are approved for release.

Uninstall Software that is at End-of-Life(EOL)

Identify software that is EOL and upgrade to a supported version or uninstall it entirely from the device, because the software seller will no longer be fixing security issues or making security updates.

Software Management

A major issue for IT organizations is staying up to date with software updates and fixing existing software when vulnerabilities are detected.

IT Compliance Potholes and Ways to Address Them

Previously, most compliance initiatives were driven by national legislations like HIPAA and SOX and are established in security concerns around hardware and software. So, what are the most significant compliance-related issues that organizations confront today?

  • GDPR:

    GDPR is the latest compliance and data privacy regulation to influence IT security, which requires that every organization subject to the regulation must maintain a record of data-handling activities.

  • IoT:

    To ensure that IoT systems in the enterprise are compliant with security regulations, penetration testing should be scheduled frequently or annually depending upon the changes in an IoT architecture. An alternative approach is to limit the access of IoT devices to sensitive data and credentials by sandboxing them into a separate area of the network.

I hope this blog gave you some insight on compliance and privacy with some real-world examples. Stay tuned for more, new and interesting topics.