fleet/articles/stay-on-course-with-your-security-compliance-goals.md
Mike Thomas 759850ed21
Update stay-on-course-with-your-security-compliance-goals.md (#6794)
Updated category from guides to security.

Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
2022-07-21 05:45:34 -05:00

# Stay on course with your security compliance goals
![Security compliance goals](../website/assets/images/articles/security-compliance-goals-cover-800x450@2x.jpg)

Pursuing security compliance is a long journey. It isn't so much taking a road trip as it is setting sail on the open ocean. Regulatory changes can knock you off course. Learning new technology can take the wind out of your sails. And no matter how hard you try, you can never reach the horizon.

Are you feeling a little seasick? Don't worry. There are ways to navigate the waters of security compliance and still enjoy smooth sailing.

We've explored how to [get and stay compliant](https://fleetdm.com/use-cases/get-and-stay-compliant-across-your-devices-with-fleet) before. In this article, we'll walk through the steps you can take to measure progress toward compliance — and how Fleet can make this task more manageable.

## Set your goals

One of the reasons compliance is so complicated is that there isn't a single set of rules. You have to determine what compliance means for your organization.

Are you creating internal processes and controls to stay secure? Is there a law or regulation you must comply with to do business? Which industry standards should you meet if you truly want to compete?

Answering questions like these is the first step to becoming compliant. After all, you can't measure progress until you know where you're going.

## Be realistic

Achieving the highest level of compliance for your industry is an admirable goal. But pursuing compliance perfection could tie up daily business operations.

For instance, if your organization has 30 employees who use MacBooks, it might be possible to make sure they all have the latest version of macOS installed. That goal gets more challenging to achieve as those MacBooks multiply to the hundreds or even thousands. In that case, you should focus first on the MacBooks that access critical systems. Then you can make sure most MacBooks across your organization are up to date within 30 days of a patch being released.

With scale comes complexity — especially for large companies. Different teams need different tools to get the job done. Databases must balance security with accessibility. Updating legacy platforms, when possible at all, could disrupt availability.

Holding so many people, teams, and departments to the highest security standards takes a lot of work. And, at the end of the day, you might just be getting in the way.

Be sure to set goals based on the resources you have available — and try not to let perfection stand in the way of progress.

## Limit the scope

While your industry probably has compliance standards, these recommendations may not apply to your entire organization.

Let's look at the [Payment Card Industry Data Security Standard](https://www.pcisecuritystandards.org/), or PCI DSS. This is a set of standards that aims to protect credit card data against theft and fraud. This is pretty important if your organization plans to accept card payments. But how many of your teams are in a position to collect payments — or even interact with customers?

There may be controls that apply to your entire company, like using multi-factor authentication. Security requirements like these make a real difference and should be implemented even if you have no compliance requirement, but this isn't always the case. Some guidelines either don't make sense for your business, or they don't do much to actually improve security. Knowing which compliance standards apply to which teams and systems will help lighten the load across your organization, especially around audit season.

## Partner with technical experts

Ultimately, your Chief Information Security Officer, Head of Security, or Chief Compliance Officer is responsible for ensuring compliance, depending on the structure of your organization. While security and compliance teams are often responsible for tracking compliance, they don't usually implement the controls on every platform. How could this scale?

Your company could hire more security specialists. Some organizations have thousands on staff, but we know this isn't always a realistic option. The good news is that you don't necessarily need more security and compliance people — just more people with security skills.

IT professionals and system administrators are in the perfect position to help you measure and improve compliance progress. They have the skills to keep your company's devices secure. Applying those skills in time can be difficult. Make it easy for technical experts to see the compliance status of each system.

Now your technical experts have more visibility. What should they do with it? If you explain the reasons behind compliance requirements, they can look for security issues proactively — and prevent concerns from becoming problems.

## Fleet makes tracking compliance easy

A little insight goes a long way. The right tools will take you even further. Fleet lets you create [policies](https://fleetdm.com/securing/what-are-fleet-policies) that ask questions about your devices — questions you can customize to meet your compliance goals. You can group these custom queries with [teams](https://fleetdm.com/docs/using-fleet/teams), eliminating unnecessary processes and lowering the level of effort for your organization.
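As an added example (not code from this article or from Fleet's own repository), here is what a policy scoped to one team looks like as a `fleetctl` policy spec, using the "keep MacBooks up to date" goal from earlier in the article. The policy name, the team name `Workstations`, and the minimum version 12.4 are assumptions chosen for the example; the osquery `os_version` table and its integer `major` and `minor` columns are real. A Fleet policy passes on a host when its query returns at least one row, so the query is written to return a row only on compliant hosts:

```yaml
# Added example, not from the original article or from Fleet.
# Apply with: fleetctl apply -f macos-min-version-policy.yml
apiVersion: v1
kind: policy
spec:
  name: macOS is at or above the minimum approved version   # assumed name
  platform: darwin                                           # macOS hosts only
  team: Workstations                                         # assumed team; omit for a global policy
  description: >-
    Passes when macOS is at least 12.4 (assumed minimum for this example).
    Comparing the integer major/minor columns avoids string-comparison
    mistakes such as '12.10' sorting before '12.4'.
  query: >-
    SELECT 1 FROM os_version
    WHERE major > 12 OR (major = 12 AND minor >= 4);
  resolution: >-
    Open System Settings > General > Software Update and install the
    available macOS update.
```

Because the spec carries a `team` field, the same query can be applied with a different minimum version or a different resolution text for each team, which is the scoping the article describes; hosts that fail the policy are the ones that surface in Fleet's policy automations.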
If a device doesn't comply with one of your policies, [Fleet can automatically create tickets in external systems](https://fleetdm.com/docs/using-fleet/automations#policy-automations) — so employees can fix the problem right away.

Fleet also lets you [assign users different levels of access](https://fleetdm.com/docs/using-fleet/permissions): Observer, Maintainer, and Admin. So your CISO can create policies and assign them to different teams — preparing technical experts to run queries for up-to-the-minute data on devices. Though that might not be necessary: Fleet policies automatically refresh every hour.

Fleet policies, teams, and permissions empower employees at every level of your organization to share the responsibility of measuring compliance. With more hands on deck, going after your goals will be a breeze.

<meta name="category" value="security">
<meta name="authorFullName" value="Chris McGillicuddy">
<meta name="authorGitHubUsername" value="chris-mcgillicuddy">
<meta name="publishedOn" value="2022-07-18">
<meta name="articleTitle" value="Stay on course with your security compliance goals">
<meta name="articleImageUrl" value="../website/assets/images/articles/security-compliance-goals-cover-800x450@2x.jpg">