Ask the Expert: InfoSec Requirements for Health Insurance Providers, Part 3
David Pearson, Co-Founder and CTO of Iceberg Networks sat down with us to answer more of the top questions about the concerns he’s hearing from insurance providers surrounding security configuration management. The following is an edited transcript of the conversation.
What are the benefits for an insurance company migrating from their current processes to a new program for continuous monitoring and continuous compliance?
The primary benefit is one of cost savings and there’s a security assurance business case as well. If you look at the whole problem at hand, assuming that you’re doing the configuration properly, just providing the assurance that you’re doing it, you need to go through and check all of these settings. If I take a single web server, the DISA stake for Apache for example, has approximately 400 configuration settings. That’s 400 settings on one server, so if you’re a large organization, multiply that by thousands of servers potentially, you could be looking at millions of configuration checks that need to be performed in order to be able to report on this. For those millions of checks, if you don’t have any form of automation, you’re going to have to have people, such as system admins, logging in to the system and checking each and every one of those settings. It’s a huge laborious task.
Most organizations implement some sort form of automation. A lot of the configuration checks themselves can be performed by vulnerability scan tools; they have the ability to check that all of the settings are configured correctly. But, one of the challenges is that they can’t do all of the checks. If you look at these millions of checks that someone needs to perform, they may still end up with hundreds of thousands of them that the system can’t in fact automate. So, it requires people to actually go in and perform those checks. One of the big problems is just knowing “what do I need to get the people to do?”
A good way to do this is some sort of a system that is able to keep track of all of the checks, not just the automated, not just the manual checks, but the combination of the two. As the organization evolves how the checks are done, it can be on a very routine basis, it can give its employees the right manual checks to perform. If we look at the whole audit and reporting cycle, this is normally done on a quarterly or semi-annual basis. It tends to cause a spike in workload around those reporting cycles where you might have to take a few or a few dozen people and divert their efforts from their normal day-to-day jobs to perform this audit and reporting cycle. It can be very disruptive to an organization to have to divert those people, go collect the information, compile the reporting package to deliver to CMS (the overseeing agency) and then go back to your regular day-to-day job. There’s a work effort requirement as well as a work disruption that occurs. A lot of good benefits come out of putting automation in place, it allows you to smooth the work out over a longer period of time. It also allows you to be efficient and only do the manual work that you need to do. You can’t eliminate it completely, but you can minimize it.