By John Carbo, Director of Information Security
The SEC's Office of Compliance Inspections and Examinations (OCIE) recently published a risk alert entitled “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features”, which contains three main observations:
- Misconfigured network storage solutions.
- Inadequate oversight of vendor-provided network storage solutions.
- Insufficient data classification policies and procedures.
Our AbacusFLEX and AbacusFLEX-Hybrid platforms are designed to meet or exceed regulatory security requirements by following policies and procedures set forth by NIST, COBIT, ISO, Center for Internet Security and the Cloud Security Alliance.
Here is how Abacus addresses the OCIE Risk Alert’s observations:
Misconfigured Network Storage Solutions
The security of Abacus network storage aligns with our defense in depth strategy:
- External (remote) access to network storage requires Citrix or VPN with a valid credential.
- Duo two-factor authentication is available to prevent compromised credentials from being used to access network storage.
- All Abacus clients have segregated storage containers protected from cross-contamination with Access Control Lists (ACLs).
- Our Abacus SIEM monitors and logs access to network storage. Unauthorized access attempts are centrally logged and alerted on.
- All data at rest is encrypted with AES-256.
- All data in transit is encrypted with TLS (Citrix and VPN).
- We recommend BitLocker full-disk encryption for laptops.
- We test the security configuration of network storage during annual penetration tests.
Abacus also has a Benchmark and Device Hardening program. We follow standards set by the Center for Internet Security (CIS). Tenable Security Center is used to scan the Abacus platform and report on configuration settings compared to the CIS Benchmark. This program validates that our platform has the appropriate security controls configured across our infrastructure assets.
Our Vulnerability and Patch Management program is based on ISO 27001 control A.12.6.1. The program focuses on timely identification of vulnerabilities, an assessment of exposure and the risk impact of exploitation. These metrics determine the criticality of a vulnerability and time to patch.
Inadequate Oversight of Vendor-Provided Network Storage Solutions
Abacus follows an approval procedure before granting any rights or making any changes. Only a client’s authorized approver can request changes to permissions.
Our Abacus Client Portal provides a daily report on network storage permissions. We encourage clients to review the report to ensure accounts are properly configured with least privilege.
We also conduct three penetration tests per year and encourage clients to perform their own cybersecurity risk assessments of our platform.
Insufficient Data Classification Policies and Procedures
Abacus recommends that each of our clients have their own Data Classification Policy. This policy will assist in determining the appropriate least privilege permissions. For reference, the Abacus Data Classification Policy is located in our ISO 27002-aligned Written Information Security Program (WISP), available to clients via our Portal.
We can also provide clients with reports on sensitive data locations according to various data classifications (PII, financial records, GDPR, PHI, PCI, SOX, GLBA, etc.). Sensitive data reports, in conjunction with the file permission reports available in the Abacus Client Portal, can be used to validate least privilege for client accounts.
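As an added example of the validation described above (this is illustrative code written for this post, not Abacus tooling or a Client Portal feature), the script below joins a permission report with a sensitive-data location report and flags the three conditions the OCIE observations are concerned with: broad built-in groups on a client container, accounts from one client appearing on another client's storage (the cross-contamination that the per-client ACLs are meant to prevent), and Full Control granted on classified data. The CSV column names, UNC paths, account names and the convention that a principal's domain prefix names its client are all assumptions made for the example; both reports are constructed sample data.

```python
import csv
import io
from collections import Counter

# Constructed sample of a daily permission report: one access control entry
# (ACE) per row, in the column layout this example assumes. Paths and
# accounts are made up for illustration.
PERMISSION_REPORT = r"""
client,path,principal,rights,inherited
ClientA,\\nas01\ClientA\Finance,ClientA\fin-users,Modify,no
ClientA,\\nas01\ClientA\Finance,ClientA\jdoe,FullControl,no
ClientA,\\nas01\ClientA\Public,Everyone,Read,no
ClientA,\\nas01\ClientA\HR,Authenticated Users,Modify,no
ClientB,\\nas01\ClientB\Trading,ClientA\jdoe,Read,no
ClientB,\\nas01\ClientB\Trading,ClientB\trading-desk,Modify,yes
""".strip()

# Constructed sample of a sensitive-data location report.
SENSITIVE_REPORT = r"""
client,path,classification
ClientA,\\nas01\ClientA\Finance,Financial records
ClientA,\\nas01\ClientA\HR,PII
ClientB,\\nas01\ClientB\Trading,Financial records
""".strip()

# Well-known groups that grant access to every account rather than to a
# named client group. Any ACE for them on a client container defeats
# segregation, so they are flagged regardless of the rights granted.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}


def load_rows(text):
    """Parse a CSV report into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def principal_client(principal):
    """Return the DOMAIN part of a DOMAIN\\account principal, or None for built-in groups.

    Assumption for this example: each client's accounts live in a domain named
    after the client, so the prefix identifies which client an account belongs to.
    """
    return principal.split("\\", 1)[0] if "\\" in principal else None


def audit(permission_csv, sensitive_csv):
    """Return findings as (severity, client, path, principal, reason) tuples."""
    sensitive = {(r["client"], r["path"]): r["classification"]
                 for r in load_rows(sensitive_csv)}
    findings = []
    for r in load_rows(permission_csv):
        client, path, principal, rights = (r["client"], r["path"],
                                           r["principal"], r["rights"])
        classification = sensitive.get((client, path))
        owner = principal_client(principal)
        if principal.lower() in BROAD_PRINCIPALS:
            # A broad group on a classified location is worse than on a public one.
            findings.append(("high" if classification else "medium",
                             client, path, principal,
                             f"broad principal {principal} on "
                             f"{classification or 'unclassified'} data"))
        elif owner is not None and owner != client:
            # An account from one client's domain appears on another client's container.
            findings.append(("high", client, path, principal,
                             f"cross-client access from {owner}"))
        elif rights.lower() == "fullcontrol" and classification:
            # Full Control lets the holder rewrite the ACL itself; on classified data
            # it should be limited to storage administrators, not client accounts.
            findings.append(("high", client, path, principal,
                             f"FullControl on {classification}"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 3, 'medium': 1}."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    results = audit(PERMISSION_REPORT, SENSITIVE_REPORT)
    for sev, client, path, principal, reason in results:
        print(f"[{sev}] {client} {path} {principal}: {reason}")
    print(summarize(results))
```

On the constructed data the audit produces four findings: the Everyone entry on the Public folder (medium, because no classification applies), the Authenticated Users entry on HR (high, PII), jdoe's Full Control on Finance (high) and jdoe's read access on ClientB's Trading container (high, cross-client). Entries for a client's own groups, such as fin-users or trading-desk, produce nothing, which is the point: the report review should surface only what departs from least privilege, so that the client's authorized approver can request the correction.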