How to keep your CISO happy with IT during security audits

Learn how to meet endpoint security compliance with Jamf and partners. Generate data that an auditor wants to see, and an audit that your CIO can be proud of.

October 4, 2024 by Haddayr Copley-Woods

JNUC Nashville: How to keep your CISO happy with IT during security audits

Audits are a necessary and useful tool for businesses, especially for those in compliance-heavy industries such as healthcare. But they can also be a big headache. Not only are audits and audit preparation quite visible and very important, but they also have multiple and sometimes complex requirements.

Todd Clark, Get Well’s Manager of IT Operations, discussed how his company has managed IT security compliance management with Jamf Pro during his JNUC 2024 presentation.

Get Well is a digital healthcare company serving more than 10 million patients annually at over a thousand hospitals and clinical partner sites. To call this a heavily regulated organization is an understatement.

Clark outlined what is expected in common security audits. He also explained how Get Well used Jamf Pro and Jamf Compliance Editor combined with Drata and Ploy integrations to generate data an auditor needs. This is not only helpful, but it also shows auditors and the CISO how seriously IT takes security and compliance at Get Well.

Navigating auditor expectations

An issue that Clark sees regularly is that macOS-based organizations often can’t offer a 1:1 match to auditor requirements, because those requirements are far more often written for traditional Windows or Linux enterprise environments.

Clark, with the help of Jamf, proved that his team met auditor expectations and needs even without such a 1:1 match with requirements that assume a different platform. They achieved this by using customizable points within Jamf Pro such as extension attributes and data-gathering with scripts and config profiles. They combined these with integrations.

Three main types of security certifications

These three are the most sought-after certifications, and nearly all security compliance audits request the controls they cover. When Clark faces multiple competing controls, he aims for the strictest one, since meeting it should also cover what other auditors need. Get Well has achieved all three of the following certifications.

HITRUST

The Health Information Trust Alliance is a comprehensive framework addressing security, privacy, and regulatory challenges facing healthcare organizations. It seeks to standardize risk management and PHI privacy requirements.

SOC 2

Service Organization Control 2 is an auditing procedure ensuring that providers securely manage data and protect client privacy. It is particularly relevant for tech and cloud computing organizations.

FedRAMP

The Federal Risk and Authorization Management Program provides a standardized approach to security assessments, authorization, and continuous monitoring for cloud products and services used by the US federal government.

Tools and integrations

To ensure that Get Well meets the standards of these security audits, they employ the following tools.

Drata

This security compliance automation platform helps organizations streamline the process of achieving and maintaining various compliance standards by:

  • Continually monitoring security controls
  • Offering real-time insights to ensure ongoing compliance
  • Offering true set-it-and-forget-it automation
  • Integrating seamlessly with Jamf Pro

Ploy

Ploy is a SaaS management platform designed to automate identity management, streamline access control and enhance security compliance across an organization. Get Well uses several Ploy features for audit prep:

  • Custom alerts for suspicious user sign-ups
  • Usage surveys to ensure efficient software license use
  • Ploy AI Security Analyst for information on outside websites
  • Secure off-boarding

The macOS security compliance project and Jamf Compliance Editor

The macOS Security Compliance Project (mSCP) provides a programmatic approach to generating security guidance. The project can be used to:

  • Generate customized documentation
  • Use logging and remediation scripts
  • Define configuration profiles
  • Create audit checklists

Jamf Compliance Editor uses the same compliance tooling as the macOS Security Compliance Project but gives IT a graphical interface rather than only the command line. This can simplify creating benchmarks and compliance configurations.

Jamf Pro

Jamf Pro pulls all of this together by automating distribution, naming config profiles, and more. Clark walked attendees through a demonstration of how to get the needed data into Jamf Pro, including scripts, policy design and more.

After everything is set up, Mac admins run the check once a day, scoped either to all devices or to a specific test group, followed by an inventory update. From these results, IT can generate reports for auditors.

Drata + Jamf makes it simple

Employing Drata and Jamf together simplifies collecting data points.

Mac admins integrate Drata with Jamf Pro in the Connections section. Drata also provides a page that walks IT through the process step-by-step, including the needed scripts.

After following the instructions, IT can easily provide the exact data auditors want and make it available from every device. Then, Apple Admins can create Smart Groups that monitor these extension attributes for easy reporting.
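As an added illustration (not code from the session, from Jamf or from Drata), here is how an extension attribute could turn the daily mSCP check results into a Jamf inventory value that a Smart Group can key on. It assumes the mSCP audit plist layout (one dictionary per rule id with a boolean `finding`, plus `exempt` when an exemption is recorded), that the extension attribute is of type string, and that a Python 3 runtime is available to the Jamf script; the sample plist is constructed inline.

```python
import plistlib

# Constructed sample of an mSCP audit plist (assumed layout: one dict per rule
# id with a boolean "finding"; "exempt"/"exempt_reason" present when exempted).
SAMPLE_AUDIT_PLIST = plistlib.dumps({
    "os_firewall_enable": {"finding": False},
    "os_gatekeeper_enable": {"finding": True},
    "os_sip_enable": {"finding": False},
    "system_settings_screensaver_timeout_enforce": {
        "finding": True, "exempt": True, "exempt_reason": "kiosk display"},
    "os_ssh_server_disable": {"finding": True},
})


def summarize_audit(plist_bytes: bytes) -> dict:
    """Split rules into passed / failed / exempt from a loaded audit plist."""
    audit = plistlib.loads(plist_bytes)
    failed, exempt, passed = [], [], []
    for rule_id, entry in sorted(audit.items()):
        if entry.get("exempt", False):
            exempt.append(rule_id)      # exempt rules are not counted as failures
        elif entry.get("finding", False):
            failed.append(rule_id)      # finding == True means the rule is NOT met
        else:
            passed.append(rule_id)
    return {"failed": failed, "exempt": exempt, "passed": passed}


def ea_result(summary: dict) -> str:
    """Render the Jamf extension attribute payload. The count comes first so a
    Smart Group criterion such as 'does not start with 0 failed' can flag hosts."""
    body = f"{len(summary['failed'])} failed"
    if summary["failed"]:
        body += ": " + ", ".join(summary["failed"])
    if summary["exempt"]:
        body += f" ({len(summary['exempt'])} exempt)"
    return f"<result>{body}</result>"


if __name__ == "__main__":
    # On a managed Mac this would read /Library/Preferences/org.<baseline>.audit.plist
    # (assumed mSCP path); here the constructed sample stands in for that file.
    print(ea_result(summarize_audit(SAMPLE_AUDIT_PLIST)))
```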

With the proper preparation and tools, audit preps can feel like showcasing your security compliance rather than a dreaded chore.

Visit the Jamf blog for JNUC updates, session recaps and more!