When we first began to offer HighGear in the cloud, we also owned a data center operator, and managed services provider called Swift Systems. That team had built a robust set of compliance policies and controls originally based on the NIST 800-53 standards, with extra elements added across time to address additional standards and protocols such as DIACAP, PCI, and HIPAA. To verify that those extensive operational and security controls were properly implemented, an outside auditor conducted annual SSAE-16 Type II audits.
Technical teams and compliance experts must do a lot of work to define their policies and implement procedures to enforce those policies. But they often overlook the effort required to track activity and prove compliance, which makes the auditor’s visit one of the most dreaded and painful experiences of the year. To avoid this pain, Swift Systems had to build a process management system that would track their IT work with less overhead, making it easier to prove compliance at audit time. Naturally, they turned to HighGear.
At the end of the first audit, the auditor reported “Our examination team was very impressed by the deployment of Swift’s customer hardware and infrastructure in relation to their managed services, and particularly the functionality and reporting capabilities of the HighGear application. We felt that the attestation process was aided and simplified by the user-friendly nature of the system.” Swift Systems’ data center manager said “HighGear helped Swift Systems data center pass the SSAE-16 audit with flying colors. The fact that HighGear was the system of record was fundamental in allowing the auditor to easily identify and examine all change control requests for the past 12 months. I was able to pull that information up easily in a search, export it into a PDF quickly, and pass it off to the auditors. I can’t even imagine how companies that don’t have HighGear get through this process.”
Here are some examples of policies that Swift Systems implemented and how they tracked compliance.
Reliable on-site and off-site backups are vital to ensure that customer data will not be lost in case of a server failure or natural disaster. Just as important is a reliable and fast system for restoring those backups when you need them. Disaster recovery experts commonly say that “if you haven’t tested your restore process, you don’t really have backups.”
To ensure that backups were reliable and available, Swift Systems had automated backup scripts, email notifications about failures, and a monthly process to manually test the restore system. The restore test work was automatically assigned to an engineer each month by way of a HighGear recurring task. After they reviewed the backup logs and finished their restore tests they would record the evidence of their results in the task and close it.
During the audit process, the auditor would pick several random dates and request proof that the restore tests succeeded on those dates. Swift Systems easily opened the HighGear tasks that contained the restore tests and showed the results of the tests, to include a non-repudiated audit-trail showing the automatic assignment, the timely completion of the work (and by whom it was completed), and if called for the review and sign-off steps as well.
Electronic and physical access control
Because the data center contained sensitive data for HighGear and many other customers, Swift Systems had strict rules about which people were allowed access to the facility and the procedures for escorting authorized visitors.
Electronic access control was also vital, to ensure that attackers could not access the data center network or its management servers. Each administrator had a dedicated account on the management domain, and network devices like routers and switches had long, complex passwords that were stored in an access-controlled and encrypted password manager.
Each month a HighGear task instructed the Facility Security Officer to review the sign-in sheets and video recordings to ensure that they matched and that no unauthorized people had entered the facility. Another task required them to review the audit logs for the management domain and key infrastructure devices.
Because the results of each review task were required to be captured and recorded before the task was closed, it was easy for the auditor to review a complete report of all the review activities and zoom in to specific details as needed. Many companies find that this process requires hours of digging through paper or disparate electronic resources and files to prove compliance, or that they don’t have the records needed to prove compliance at all. Using HighGear, Swift Systems was able to easily prove compliance with their review policies in minutes.
It is impossible to keep a production data center stable and secure if multiple people are making changes without coordination. A change management process is essential to ensure that various changes don’t conflict with each other or introduce systemic problems. But if it takes too long to approve changes, the team’s productivity will suffer.
To ensure thorough change control without unnecessary productivity loss, Swift Systems also used HighGear. Whenever a change was needed, an engineer would plan and document it properly, and then create a formal change request task in HighGear. A simple workflow would send the change request to the proper reviewers (configured to follow automated rules according to responsibility domains) and wait for the appropriate systems owners to approve the change, or request clarifications. If a request went unanswered, HighGear would send reminders to everyone before escalating it to the Facility Security Officer. Once the review process was complete and approvals were granted, the workflow would create an Engineering Work Order task and assign it to the original engineer. They could then complete the approved work, record their notes, and close the work order.
This simple workflow quickly routed and processed a high volume of changes every year, while keeping everyone aware of the status of requests and helping the team maintain high productivity. Some changes were flagged as risky or incomplete, and the iterative discussion and review process made them significantly safer when finally approved.
When the auditor asked for a report of changes made, there was no need to hunt through email archives or old documents. The team simply ran their change control report which listed every change with its requestor, description, and change date. The auditor selected a random sample for more analysis and was impressed by the level of detail recorded in each change. They were even able to use the HighGear audit trail to see which person approved each change, and how long they took to review it!
Even with the most careful change control and system engineering, undetected security issues can make a system vulnerable. A key tool for catching unknown issues is an automated vulnerability scan. Swift Systems had a quarterly HighGear process that assigned an engineer to run an enterprise-grade security scanner on all the servers in the data center. They then reviewed the results and created work orders to address any issues that were identified. Finally, they saved the scan reports, and any evidence needed to prove resolution, into the HighGear task itself and closed it.
Auditing these quarterly scans was easy, because they contained all the information about which servers had been scanned, who performed the scan, and the results of the scan and any remediation work completed.
Security incident reporting
Whether by good policy and practice, or extraordinary luck, Swift Systems never experienced any security incidents during the time we operated that company, nor while we remained their client after the sale. But even if you never need it, it is critical to have a clear process for reporting security incidents. Several email addresses were setup as receptacles for internal and external security, vulnerability, or abuse reports. These were routed through a triage and reporting process that assured that security and vulnerability reports were quickly routed to the right individuals or roles, and that abuse reports were routed to the team or role that “owned” the system the report was related to. While there were not any security reports that turned out to be real issues, being able to show an auditor that any possible issues had been tracked and triaged made getting through audits much faster. Numerous valid Abuse reports did come in, such as customers who were sending out spam, or customer owned BGP equipment that was incorrectly configured and sending bad data to other routers on the Internet, and likewise these reports flowed through that system generating traceable action reports and audit-ready records.
If you would like to explore how HighGear could help your team track work in a way that exceeds the needs of compliance and audit requirements of various types, please contact firstname.lastname@example.org.