White Paper. Regulatory Compliance and the IBM Mainframe: Key Requirements


Reg Harbeck, Global Mainframe Solution Manager
Sumner Blount, Director of Security Solutions
February 2007

Table of Contents

The Rise of Compliance as a Business Imperative
The Role of Frameworks in Mainframe Regulatory Compliance
Key Controls for Mainframe Compliance
    Controlling Access to Business Data and Functions
    Orphaned Accounts
    Excessive Entitlements
    Control over Superuser Privileges
    Separation/Segregation of Duties
    Security Event Auditing
    Proper Data Classification
    Software Configuration Detection and Correction
    Encryption of Offsite Information
Key Technologies for Mainframe Compliance
Conclusion
The CA Solution for Mainframe Compliance
Key Compliance Requirements and CA Solutions

The Rise of Compliance as a Business Imperative

Recent corporate financial scandals and increased concerns over the privacy of user information are factors that have led to a rise in governmental laws and industry regulations around financial reporting, security and data privacy. These factors create compliance pressures that place heavy burdens on internal IT groups. Failure to secure sensitive information can result in irreparable damage to the corporate reputation, and failure to achieve compliance has financial consequences as well.

While governmental regulations cover a wide range of target areas, regulations that impact IT generally fall into one of three major categories:

Governance. These regulations deal with issues related to the transparency and accuracy of financial records, the retention of records within the corporation, and requirements for disaster recovery and business continuity. Most notably with SOX, this type of regulation was heavily driven by corporate scandals and financial fraud cases.

Privacy. These regulations are often specific to a single vertical market, and dictate how a user's personal information must be handled by the corporation. There are regulations that specify what type of personal information may be kept, how that information may be handled (including who, if anyone, it may be given to), and what actions are required in the event of a breach of established privacy restrictions.

Security. These regulations are intended to protect a corporation's critical infrastructure, and specify how users will be identified, how their access to sensitive resources must be controlled, and how that access may be tracked and audited.

Figure 1 illustrates these three primary areas of compliance, and highlights some of the major regulations in each area. Note that some regulations fall into multiple categories.

While there are a large number and wide variety of regulations, each has unique requirements for compliance, many of which cannot be met merely through technology and/or procedural changes. However, one element common to all regulations is the need for strong and effective controls over various enterprise business processes. A control is a set of procedures or steps that can be used to ensure the successful operation of a business practice or transaction. These controls ensure, for example, that private customer data is not accessed by unauthorized people, that platforms and systems are protected from breach, and that all data and applications are protected from inappropriate access. Internal controls can be weak, strong, or anywhere in between. It is the job of compliance auditors to ensure and attest that these controls are effective enough to meet the requirements of the regulation.

Figure 1. Classification of Regulations.

The Role of Frameworks in Mainframe Regulatory Compliance

Generally, a governmental regulation does not specify what technology is required in order to meet its requirements. In fact, many regulations do not even specify any details of an effective internal control. Therefore, administrators and compliance officers are left to determine what methods they will use to meet the often vague requirements within each regulation.

In the area of overall corporate governance, the internal control framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has become widely adopted. Although COSO contains requirements for a range of areas of governance, there is little in the COSO framework regarding specific IT controls. Given this, management should either look to industry best practices, which are often subjective, or look to another controls-oriented framework from an authoritative source.

To solve this problem, many companies have begun to look to the Control Objectives for Information and related Technology (COBIT) framework published by the IT Governance Institute, which is affiliated with the Information Systems Audit and Control Association (ISACA). COBIT contains a broad set of IT control objectives that provide statements of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. Among these IT controls are many that are directly related to security management processes and systems. Other IT frameworks exist (for example, ITIL, SAS 70, ISO 17799, and others), and their use depends on whether they can help establish (to the auditors) a strong case for successful compliance.

Let's look at COBIT in more detail, since it has emerged as a widely adopted framework for IT controls. The COBIT control objectives are organized into four areas:

Planning and Organization
Acquisition and Implementation
Delivery and Support
Monitoring

One of the key activities within the Delivery and Support area of COBIT is an activity entitled Ensure Systems Security. The purpose of this activity is to provide controls that safeguard information against unauthorized use, disclosure or modification, damage or loss, through logical access controls that ensure access to systems, data and programs is restricted to authorized users. Within Ensure Systems Security there is a group of discrete control objectives that COBIT has identified, including:

Manage Security Measures
Identification, Authentication and Access
Security of Online Access to Data
User Account Management
Management Review of User Accounts
User Control of User Accounts
Security Surveillance
Data Classification
Central Identification and Access Rights Management
Violation and Security Activity Reports
Incident Handling
Re-accreditation
Counterpart Trust
Transaction Authorization
Non-repudiation
Trusted Path
Protection of Security Functions
Cryptographic Key Management
Malicious Software Protection, Detection and Correction
Firewall Architectures and Connections with Public Networks
Protection of Electronic Value

A detailed discussion of these controls is beyond the scope of this paper. The next section, however, discusses some of the key issues involved in implementing some of these controls on mainframe platforms.

Key Controls for Mainframe Compliance

By now, most organizations have recognized their responsibilities within regulations (such as Sarbanes-Oxley, HIPAA, and others) and have introduced some level of processes and procedures to comply with them. However, one area that often does not get adequate attention in many environments is the mainframe environment. Despite past predictions by some of the demise of the mainframe, it remains, and will continue to be, a critical computing platform for many enterprises. The mainframe is here to stay, and therefore it is a requirement to include mainframes when planning a broad IT compliance strategy.

The COBIT controls described earlier can be instrumental in supporting compliance with most of the major regulations that organizations are facing today, such as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley, among others. On the mainframe, there are some specific controls that are essential yet often overlooked. These controls are focused on the following mainframe security issues:

Controlling Access to Business Data and Functions
Orphaned Accounts
Excessive Entitlements
Control over Superuser Privileges
Separation/Segregation of Duties
Security Event Auditing
Proper Data Classification
Software Configuration Detection and Correction
Encryption of Offsite Information

Let's look at each of these areas in more depth.

Controlling Access to Business Data and Functions

Controlling access to critical IT resources (files, applications, databases, etc.) on the mainframe is an absolute requirement for regulatory compliance. Not only must unauthorized individuals be prevented completely from accessing these resources, but even authorized users must be able to perform only those operations and actions for which they have been explicitly approved. In many cases, these authorizations need to include external factors such as the day of the week, time of day, the user's organizational unit or role, and the like. Some accesses, for example, might be allowed during work hours but need to be prevented during off-hours.

In addition, a key element of regulatory compliance is policy-based controls. In other words, a security administrator should not have to understand the underlying technical details of a system in order to set up a permission that responds to a simple requirement in all cases. Therefore, it is essential to externalize security outside of applications, so that it can be enforced centrally based on a set of security policies defined for the complete IT environment. These security policies are generally based on a set of user roles defined for the entire user population. It is also important for an organization to be able to determine, at any point in time, the existing user roles that it has defined, and the access rights assigned to each such role. And auditors will want those roles to be consistent, well-defined, and to have as little overlap as feasible. An organization with well-defined roles and access requirements will be much better aligned with regulatory requirements than one in which everyone has their own individual set of access rights, built up whenever they encounter a new need, but rarely removed when the need no longer exists.

Orphaned Accounts

Mainframes have become a victim of their own reliability and security in regard to orphaned accounts. A mainframe running in a production environment may have been implemented thirty-plus years ago. During that time frame, thousands, sometimes even millions, of employees and customers have been provisioned to the mainframe. Often, those accounts are not removed, and orphaned accounts accumulate. Orphaned accounts also occur when a user simply stops using an account for any reason; the account remains valid even though it is not being actively accessed. Until regulatory controls were established that focus on the need to maintain these accounts and to have controls in place to manage, report on, and enforce compliance for them, they often went almost unchecked by many organizations. Any unused account represents a security, and therefore compliance, risk.

Some organizations use manual processes for the provisioning and de-provisioning of mainframe accounts. This process is error-prone, and does not provide a well-documented method for ensuring proper entitlements. Others developed applications internally to help manage these accounts. The underlying problem still existed, though to a lesser degree. These solutions typically don't or can't address the problem of ensuring that all existing accounts have proper owners.

Figure 2 illustrates this important problem. The line represents entitlements granted to (and removed from) a typical user over their lifecycle. It illustrates that entitlements are often not removed until the user actually leaves the organization. And, when this happens, some accounts are often missed and not removed appropriately. This creates the problem of orphaned accounts, represented by the bottom right corner of the graphic.

Figure 2. User Entitlement Compliance Issues.

Beyond user accounts, utility accounts (accounts used for testing or background tasks) often exist from previous projects. Default accounts, while less common on the mainframe than on other platforms, can also be overlooked and not deleted or disabled, opening up the opportunity for an unauthorized individual to access information inappropriately. The problem is compounded when applications attempt to enforce their own security policies, rather than externalizing security to a centralized service. This causes these types of accounts to increase in number, and the management of them becomes much more difficult. The security of these applications should be externalized, taking advantage of the security software package running on the mainframe. Examples of such accounts include:

UNIX (USS) and Linux native security accounts, defined to the OS and not to external security
DB2 accounts, if DB2 is not fully externally secured
Internal application controls not externalized

Excessive Entitlements

Figure 2 also illustrates another common problem that can impact your compliance efforts. Similar to the problem of obsolete accounts, people also tend to accrue access rights over the course of their identity lifecycle, but generally do not ask to have them removed when no longer needed. As a result, most users accumulate unneeded access rights, so that the line representing their access entitlements is monotonically increasing over time. This hampers compliance because critical IT resources can often be accessed by users who have no valid business need to do so. In fact, a common back door to many computer systems and applications is to go to a person who has retained old access but is in a new role that has no official need of that access. This violates the integrity of a system in a way that is almost certain to contradict corporate guidelines. It would also render a system out of compliance with respect to many regulatory mandates today.

Control over Superuser Privileges

One of the most exploited and costly vulnerabilities on many systems is the superuser account (Root in UNIX and Linux, including on the mainframe). Superusers can generally do whatever they want to, without restriction and often without adequate audit and tracking. Because of the unlimited power of this account, no file, device or command is off-limits. Even the auditing services on the system are not immune from this account, and the integrity of system audit logs is therefore vulnerable to inadvertent or malicious actions. This issue is amplified when superuser access is not role-based, and a common password and user ID is shared among administrators and developers. This creates a serious accountability problem. This situation often makes it very difficult, if not impossible, to determine specifically which person performed a particular destructive act, since there is no authentication of superusers as individuals.

Effective compliance requires that users, especially Root-level users, have only the level of privilege that they actually need. For this reason, more granular access and administrative rights are required than are generally offered by the native operating system. In addition, compliance requires that all users be individually identified, so that multiple users are not using the same account in such a way as to make them effectively anonymous in the audit log.

Separation/Segregation of Duties

A key principle inherent in a regulatory-compliant and audit-proof environment is separation of duties (aka segregation of duties). As a general principle, this means that the person who initiates a given transaction cannot also be the person who approves that transaction. For example, a situation in which someone could create a new vendor record as well as approve a payment to that vendor would constitute a segregation of duties violation. Another, possibly more common, example occurs when a single person can both install and maintain applications as well as administer their security.

Why is this an issue? There are two problems that these types of situations create. First, there is insufficient oversight and visibility for potentially fraudulent activities. In the example cited above, someone could create new vendor records and then approve payments to those vendors, possibly escaping detection for a long time. The second problem is that this situation makes security auditing much harder, because it is difficult if not impossible to identify who might have performed an improper or malicious operation on critical data.

Security Event Auditing

Regulatory compliance is effectively impossible without the ability to prove compliance. IT auditors want to be able to view proof that all your internal security controls are not only comprehensive and consistent, but are also functioning correctly and effectively. This requires the ability to uniquely identify the specific individual responsible for each security event or operation. Not only is this required for compliance, but it is also essential for immediately stopping any improper or suspicious activity that might have occurred.

One possible example of this would be the case where someone attempted to log in successively to different user accounts. In some environments, successive failed attempts to access a given account would result in the immediate suspension of that account. If these accounts are in different departments, it may never occur to anyone that they could be related and that a serious breach is being attempted. However, with strong auditing records (such as those generated by CA ACF2 and CA Top Secret) and a powerful correlation and reporting engine (such as that provided by CA Security Command Center), it becomes possible to discover:

1. That there were a number of suspensions around the same time coming from the same location (because an automatic alarm was generated)
2. That it therefore seems likely that a single individual has been trying to access the system by guessing at passwords until the accounts were suspended
3. Whether any accounts have been successfully accessed yet, and which ones
4. Whether the behavior in question is still continuing, in which case the perpetrator may be easily located

Without this ability, it is possible that someone may gain illicit access to the system and abuse the authorities of the accounts they access, a clear violation of system integrity and related regulatory requirements. In short, in order to achieve compliance, you need to be able to be alerted when security is being challenged, identify sources of potential compromise, and demonstrate that your security controls are effective.

Proper Data Classification

A common criterion in data classification is need to know. When information is classified within an organization, determining appropriate levels of access can be a challenge. It is often true that access to business-critical data is granted as a result of a person's job responsibilities.

For example, it may be very appropriate to grant update access for the payroll files to a payroll clerk role. However, it is not appropriate for that payroll clerk to be able to copy or write that data to another file, such as one that begins with a common high-level qualifier that other employees have access to, thus allowing them access to the data beyond what their role and business responsibilities prescribe. This is known as a write-down and is a potential exposure of the business-critical data. Such an exposure would certainly be detected in a compliance audit. With MLS (Multi-Level Security), classification levels can be assigned to data such that an individual with a certain level can access the data, while those without cannot. This would also prevent the copying or writing of data down to a lower classification level, as described in the above example.

Software Configuration Detection and Correction

Mainframe operating systems are notoriously complex. These complexities have made auditing the actual operating system very time-consuming and difficult. Any operating system, even on a mainframe, can be subject to security exposures due to errors in the configuration, installation, or administration of any of its software components. Computer worms, Trojan horses, and trap doors of all kinds can threaten the security of the entire mainframe and all its applications. Malicious (or at least unintentionally destructive) procedures, configurations and programs can be introduced to the mainframe, either by authorized individuals' actions that are not in the organization's best interest, or by skilled intruders. Therefore, strong and effective security controls should include a complete review and audit not only of all datasets and applications, but also of the operating system that physically controls these resources.

Traditionally, only experienced auditors or specialists with a systems programming background could perform such an extensive operating system review. Much of the work was manual, and the low-level tools available were difficult to use and not comprehensive enough to truly audit the system. A z/OS review, for example, might take weeks or months to perform. However, higher-level software exists today to ease this burden and enable a more complete and simpler approach to this important task.

Encryption of Offsite Information

An important element of several recent regulations is the requirement to inform an individual if their personal data has been exposed to unauthorized third parties. An example of this type of regulation that has achieved significant publicity recently is California bill SB. This bill requires any organization doing business in California to notify any customers if there is a significant chance that their personal information has been disclosed inappropriately. A situation where this requirement would be applicable would be the loss of a backup tape containing this personal information, where the data was stored on the tapes in plaintext. Other regulations may not address the issue of public disclosure, but nonetheless require strict protection of confidential consumer information, with encryption being a common technique for doing this.

Is the solution to avoid sending such personal customer data off-site? Hardly. Sending these tapes off-site is generally part of a healthy disaster recovery program and data archiving practice. It may also be a key part of certain established electronic commerce practices.

Key Technologies for Mainframe Compliance

The security issues described above require comprehensive mainframe solutions in order to achieve regulatory compliance. In attempting to address these issues, there are several critical technology areas that can assist you. More specifically, when planning compliance initiatives on your mainframe, the following approaches and technology solutions should be considered.

1. Centralized Access Control

On today's mainframe, no application should be running with internal security. Attempting to enforce security within each application greatly increases your security administration costs, complicates your application development and maintenance effort, and potentially reduces your overall security due to inconsistent policy enforcement across applications. Externalizing security enforcement in a central service eliminates these problems, as well as making it much easier to validate compliance to your IT auditors.

The essential way to implement a mainframe control on user access is a software solution that can effectively provide access control for all mainframe data and applications. It should allow easy, policy-based controls to be created that will ensure that all access is controlled according to these policies. In addition, it should leverage and integrate with existing directory, auditing, and access management solutions on distributed platforms in order to make compliance activities more consistent across platforms.
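As an added illustration (not from this paper and not CA ACF2, CA Top Secret or any other CA product code) of the centrally enforced, policy-based access decision described under Controlling Access to Business Data and Functions, and of the MLS write-down case described under Proper Data Classification, the following Python models a small policy: role-based rules with office-hours windows, plus classification labels keyed by dataset high-level qualifier that enforce no read-up and no write-down. The role names, dataset names, labels and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed classification lattice: a higher number is more sensitive.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}

# Constructed labels keyed by dataset high-level qualifier (HLQ). In a real
# deployment this mapping lives in the external security database, not in code.
DATASET_LABELS = {
    "PAYROLL": "CONFIDENTIAL",
    "SHARED": "INTERNAL",    # an HLQ that many employees can read
    "PUBLIC": "PUBLIC",
}


@dataclass(frozen=True)
class Rule:
    role: str
    hlq: str                   # HLQ of the datasets the rule covers
    actions: frozenset         # subset of {"READ", "UPDATE"}
    hours: tuple = (0, 24)     # [start, end) hour of day when the rule applies
    weekdays_only: bool = False


# Constructed policy (not a CA ACF2 / Top Secret rule set): a payroll clerk may
# read and update PAYROLL.* during office hours on weekdays; all staff may read
# and update SHARED.* and read PUBLIC.* at any time.
POLICY = [
    Rule("PAYROLL_CLERK", "PAYROLL", frozenset({"READ", "UPDATE"}), (8, 18), True),
    Rule("STAFF", "SHARED", frozenset({"READ", "UPDATE"})),
    Rule("STAFF", "PUBLIC", frozenset({"READ"})),
]


@dataclass(frozen=True)
class User:
    userid: str
    roles: frozenset
    clearance: str             # highest classification the user may read


def hlq(dataset):
    """High-level qualifier: the first node of a dataset name."""
    return dataset.split(".", 1)[0]


def rule_allows(rule, user, dataset, action, when):
    """True if this single rule grants the requested access at time `when`."""
    if rule.role not in user.roles or rule.hlq != hlq(dataset):
        return False
    if action not in rule.actions:
        return False
    if rule.weekdays_only and when.weekday() >= 5:   # 5 = Saturday, 6 = Sunday
        return False
    start, end = rule.hours
    return start <= when.hour < end


def decide(user, dataset, action, when, source=None):
    """Central policy decision for one access request.

    Returns (allowed, reason). `source` names the dataset whose contents are
    being written into `dataset`, so an UPDATE can be checked for an MLS
    write-down (data flowing to a dataset with a lower classification label).
    """
    if not any(rule_allows(r, user, dataset, action, when) for r in POLICY):
        return False, f"no rule grants {action} on {dataset} for {user.userid} at {when:%a %H:%M}"
    target_level = LEVELS[DATASET_LABELS[hlq(dataset)]]
    # No read-up: a user may not read data classified above their clearance.
    if action == "READ" and target_level > LEVELS[user.clearance]:
        return False, f"read-up: {dataset} is above clearance {user.clearance}"
    # No write-down: data may not be copied to a lower classification label.
    if action == "UPDATE" and source is not None:
        source_level = LEVELS[DATASET_LABELS[hlq(source)]]
        if source_level > target_level:
            return False, f"write-down: {source} data may not be written to {dataset}"
    return True, "permitted"


if __name__ == "__main__":
    clerk = User("CLERK01", frozenset({"PAYROLL_CLERK", "STAFF"}), "CONFIDENTIAL")
    tuesday = datetime(2007, 2, 13, 10, 30)      # constructed office-hours timestamp
    print(decide(clerk, "PAYROLL.MASTER", "UPDATE", tuesday))
    print(decide(clerk, "PAYROLL.MASTER", "UPDATE", tuesday.replace(hour=22)))
    print(decide(clerk, "SHARED.COPY", "UPDATE", tuesday, source="PAYROLL.MASTER"))
```

The third call is the paper's payroll clerk case: the STAFF rule permits writing SHARED.COPY, but the copy is refused because its source carries a higher label.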

External security solutions such as CA Top Secret and CA ACF2 allow for the complete externalizing of application and database security. This provides the ability to centrally control all access to critical mainframe resources and enforce security policies relating to these resources.

2. User Provisioning

Centralized user provisioning provides an automated way to create user accounts and assign access rights when a new user is entered into the system. It can also provide an automated technique for de-provisioning these same accounts and access rights when the user is removed from the system. Both capabilities are important for achieving strong and effective IT security controls. In particular, user provisioning can help avoid the creation of excessive entitlements, as well as orphaned accounts, since entitlements and accounts are immediately removed as a user's role changes, or when that user departs the organization. This is done according to specific security policies defined by the IT administrators, and can be a completely automated process.

Provisioning solutions can also help answer one of the most important questions asked by your compliance auditors: who has access to what resources? Without the ability to easily answer that question, your compliance efforts will be greatly hindered. In addition, a comprehensive identity management and provisioning solution should be capable of providing information or reports about potentially problematic overlapping role or access right definitions. This information, along with clearly defined internal processes, can help highlight and correct existing or potential segregation of duties violations.

3. Host Access Management

Excessive entitlements for superusers, and the inability to uniquely identify each superuser, can be significant problems on UNIX and Linux systems. A Host Access Management external security solution (for mainframe Linux and USS, for example) can be used to provide fine-grained entitlements for superusers so that each such user has only the privileges that they absolutely need. In addition, it can uniquely identify users so that audit logs can associate each administrative event with a specific person.

4. Automated Cleanup of Inactive Accounts

Inactive (orphan) accounts, and unused entitlements, are significant problems on mainframes and can reduce your compliance effectiveness. Tools such as CA Cleanup are available today to monitor and report on entitlements (and IDs) that are not used within the mainframe security database. The removal of such leftover accesses eliminates loose ends and the accompanying security and regulatory concerns, while aligning the security environment for consistent role-based provisioning and de-provisioning.

5. Automated Software Configuration Analysis

Effective regulatory compliance requires controls over the entire mainframe configuration, including both hardware and software components. These controls should start with an automated analysis of all relevant configuration information so that potential anomalies (such as unpatched system vulnerabilities) can be identified and quickly remediated. This analysis should provide information on the current status and settings for such key system elements as:

Software and hardware configurations and versions
Hardware errors
Administrative consoles
System Management Facility (SMF) information
System customization variables for key system libraries, system catalogs, and parameter libraries
System executables
Critical programs
JES environment
File usage

Compliance requires that effective controls over all critical system components be in place and functioning effectively. Tools such as CA Auditor for z/OS and CA Security Command Center can greatly simplify and expedite these important tasks.

6. Centralized Auditing and Monitoring

A centralized auditing mechanism can aggregate, filter, and analyze all security events within the entire IT environment, highlighting those that need priority attention. Such a solution also has very significant cost savings and productivity benefits. Manually reading system log files to search for serious security events is not only time-consuming, but very error-prone. And it is virtually impossible to manually correlate security events that might, when taken as a whole, constitute a potential security breach. A comprehensive auditing solution such as CA Security Command Center (CA SCC) can automate this process, not only saving massive amounts of system administrator time, but also reducing security risk because critical events can be more correctly identified for further administrator analysis and remediation.
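The four-step discovery listed under Security Event Auditing, and the cross-event correlation that item 6 says a central auditing mechanism must provide, as an added Python sketch that is not CA Security Command Center logic: it parses a constructed logon/suspension log, groups events by source location, and reports each source that caused several suspensions in one window (step 1, which supports the password-guessing inference of step 2), which accounts that source went on to access (step 3), and whether its activity is still continuing (step 4). The record layout, user IDs, departments and addresses are constructed; it is not an SMF or CA record format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not an SMF or CA SCC record layout).
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGON FAIL|LOGON OK|SUSPEND) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dept=(?P<dept>\S+)$"
)

# Constructed sample: one source works through accounts in several departments,
# getting each suspended after three failures, then succeeds against DEV330 and
# is still probing at 09:20. The 10.9.9.9 entries are an ordinary mistyped password.
SAMPLE_LOG = """\
2007-02-13 09:00:05 LOGON FAIL user=PAY101 src=10.1.2.3 dept=PAYROLL
2007-02-13 09:00:21 LOGON FAIL user=PAY101 src=10.1.2.3 dept=PAYROLL
2007-02-13 09:00:40 LOGON FAIL user=PAY101 src=10.1.2.3 dept=PAYROLL
2007-02-13 09:00:40 SUSPEND user=PAY101 src=10.1.2.3 dept=PAYROLL
2007-02-13 09:02:11 LOGON FAIL user=OPS001 src=10.9.9.9 dept=OPS
2007-02-13 09:02:30 LOGON OK user=OPS001 src=10.9.9.9 dept=OPS
2007-02-13 09:04:02 LOGON FAIL user=HR207 src=10.1.2.3 dept=HR
2007-02-13 09:04:19 LOGON FAIL user=HR207 src=10.1.2.3 dept=HR
2007-02-13 09:04:35 LOGON FAIL user=HR207 src=10.1.2.3 dept=HR
2007-02-13 09:04:35 SUSPEND user=HR207 src=10.1.2.3 dept=HR
2007-02-13 09:08:50 LOGON FAIL user=DEV330 src=10.1.2.3 dept=DEV
2007-02-13 09:09:07 LOGON OK user=DEV330 src=10.1.2.3 dept=DEV
2007-02-13 09:20:44 LOGON FAIL user=FIN412 src=10.1.2.3 dept=FINANCE
2007-02-13 09:21:00 some other record type that the parser ignores
""".splitlines()


def parse(lines):
    """Parse recognised records into dicts, oldest first; skip everything else."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])   # stable sort keeps FAIL before SUSPEND


def correlate(lines, now, window=timedelta(minutes=10), min_suspensions=2,
              recent=timedelta(minutes=5)):
    """Return one finding per source location that matches the four-step pattern."""
    by_src = defaultdict(list)
    for e in parse(lines):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in sorted(by_src.items()):
        susp = [e for e in evs if e["event"] == "SUSPEND"]
        # Step 1: several suspensions from the same location inside one window.
        clustered = any(
            sum(1 for s in susp[i:] if s["ts"] - susp[i]["ts"] <= window) >= min_suspensions
            for i in range(len(susp))
        )
        if not clustered:
            continue
        # Step 2 is the inference drawn from step 1: one party guessing passwords
        # across departments, which per-account suspension alone never shows.
        fails = [e["ts"] for e in evs if e["event"] == "LOGON FAIL"]
        first_fail = min(fails) if fails else susp[0]["ts"]
        # Step 3: which accounts this source logged into after it started failing.
        accessed = sorted({e["user"] for e in evs
                           if e["event"] == "LOGON OK" and e["ts"] >= first_fail})
        # Step 4: is the activity still going on relative to `now`?
        findings.append({
            "src": src,
            "suspended": sorted({s["user"] for s in susp}),
            "departments": sorted({s["dept"] for s in susp}),
            "accessed": accessed,
            "continuing": now - evs[-1]["ts"] <= recent,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG, now=datetime(2007, 2, 13, 9, 22)):
        print(finding)
```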

7. Information Encryption

Solutions such as CA's BrightStor Tape Encryption exist today to encrypt the data that is written to tapes. If this is done and a tape is later compromised, it will not be readable without the keys required to decrypt the data. This, of course, also requires appropriate key management functionality (such as that provided by the above product) to ensure that the keys neither fall into the wrong hands nor get lost, which would make critical data unavailable.

Conclusion

As the number and variety of regulations increases, today's organizations face daunting challenges in complying with all relevant mandates. These challenges include not only meeting the specific requirements of each regulation, but also doing so in a cost-effective and sustainable way. Unless an organization can achieve continuous compliance, its compliance costs and efforts will remain unacceptably high.

The mainframe is a critical element in any IT compliance initiative. It often houses some of the enterprise's most critical IT assets, both data and applications, and therefore must have strong and effective controls over the use of these assets. Without a consistent and auditable set of controls across all major system platforms, an organization will not be able to achieve regulatory compliance in a cost-effective manner. The final section of this paper highlights some CA solutions that can help you achieve sustainable and continuous compliance on your mainframe platforms.

The CA Solution for Mainframe Compliance

CA offers the broadest set of security solutions on the mainframe today, solutions that can greatly enable your compliance activities as part of an integrated, enterprise-wide approach. Specifically, the CA Mainframe Identity and Access Management suite is the most comprehensive and integrated platform on the market today. It enables enterprises to efficiently and securely manage the digital identities and access rights of users, devices and applications. This includes ensuring that only properly authorized identities can access your critical IT resources. It provides a complete and proven platform for protecting your IT assets across all platforms and environments within your enterprise, thereby helping you achieve continuous compliance across your mainframe and connected platforms. The CA mainframe security and compliance solutions include:

CA ACF2 and CA Top Secret. These provide leading-edge security for the z/OS, z/VM and z/VSE business transaction environments, including z/OS UNIX, as well as authentication for Linux for zSeries (using the included PAM component). Built-in, comprehensive administrative and reporting tools, along with detailed event logging capabilities, simplify the management of users and their access rights. These solutions give you the tools to monitor the efficiency of your security policies and provide end-to-end security for the enterprise when deployed with other CA solutions.

CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF. These offer easily automated, continuous and unattended security file cleanup by monitoring security system activity to identify security definitions that are currently unused. Specifically, CA Cleanup solutions identify accounts and access unused beyond a specified threshold and generate commands to remove unused user IDs, entitlements, permissions, and the profile and group connections that each user has but does not use. These solutions resolve the accumulation of obsolete and excessive access rights that otherwise occurs within a security file over time, a key requirement for compliance with many regulations. CA Cleanup deploys easily and can enable you to:

- Identify and remove individual user entitlements and access groups that are no longer used.
- Identify entitlements (such as permissions and rules) actually used and create commands to remove those that are unused. This includes user-defined resources.
- Identify user IDs actually used and create delete commands for those unused. This is based on actual security usage, not reported last-use dates, which are often unreliable.
- Identify the IBM RACF groups and profiles that each ID actually uses and create the RACF commands to remove those that are unused.
- Produce reports detailing both used and unused entitlements.
- Generate commands to enact or restore security cleanup.
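The usage-based cleanup outlined above, as an added illustration that is not CA's code: it derives the last actual use of each user ID, permission and group connection from an event log, ignores the last-use date stored in the profile, and emits RACF-style removal commands together with the commands that restore them. The user IDs, resources, groups, event log and 90-day threshold are constructed sample values, and the command syntax is plain RACF TSO form (DELUSER, PERMIT ... DELETE, REMOVE, and their inverses).

```python
"""Usage-based security cleanup, modelled on the approach described above.
Added illustration, not CA's code: removal decisions come from actual access
events, never from the last-use date stored in the profile, and every cleanup
command has a matching restore command. Command text follows RACF TSO syntax;
the security-file extract and event log below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class UserDef:
    userid: str
    groups: List[str]                      # group connections in the security file
    permits: List[Tuple[str, str, str]]    # (class, resource, access) granted
    reported_last_use: Optional[datetime]  # stored last-use date; not trusted

# Constructed security-file extract (sample values, not real data).
AS_OF = datetime(2007, 2, 1)
USERS = [
    UserDef("ALICE", ["PAYROLL", "AUDITRD"],
            [("DATASET", "PAY.MASTER", "UPDATE"), ("DATASET", "GL.LEDGER", "READ")],
            datetime(2007, 1, 30)),
    UserDef("BOB", ["PAYROLL"], [("DATASET", "PAY.MASTER", "READ")],
            datetime(2007, 1, 29)),   # profile claims recent use, but no events below
    UserDef("CAROL", ["AUDITRD"], [("DATASET", "GL.LEDGER", "READ")],
            datetime(2006, 6, 1)),    # profile looks stale, but she is active
]

# Constructed access events: (timestamp, userid, class, resource, via_group).
# A plain logon carries None for class, resource and via_group.
EVENTS = [
    (datetime(2007, 1, 30), "ALICE", None, None, None),
    (datetime(2007, 1, 30), "ALICE", "DATASET", "PAY.MASTER", "PAYROLL"),
    (datetime(2006, 9, 1), "ALICE", "DATASET", "GL.LEDGER", "AUDITRD"),
    (datetime(2007, 1, 28), "CAROL", None, None, None),
    (datetime(2007, 1, 28), "CAROL", "DATASET", "GL.LEDGER", "AUDITRD"),
]

@dataclass
class CleanupPlan:
    unused_users: list    # user IDs with no activity inside the window
    unused_permits: list  # (userid, class, resource, access)
    unused_groups: list   # (userid, group)
    used_permits: list    # (userid, class, resource, last_used) for the report

def last_use_index(events):
    """Fold the event log into last-seen timestamps per user, permit and connect."""
    users, permits, groups = {}, {}, {}
    for ts, uid, cls, res, grp in events:
        users[uid] = max(ts, users.get(uid, ts))
        if cls is not None:
            permits[(uid, cls, res)] = max(ts, permits.get((uid, cls, res), ts))
        if grp is not None:
            groups[(uid, grp)] = max(ts, groups.get((uid, grp), ts))
    return users, permits, groups

def plan_cleanup(users, events, as_of, threshold_days):
    """Flag every user ID, permit and group connect unused for threshold_days."""
    cutoff = as_of - timedelta(days=threshold_days)
    u_last, p_last, g_last = last_use_index(events)
    plan = CleanupPlan([], [], [], [])
    never = datetime.min  # stands in for "no event at all"
    for u in users:
        # u.reported_last_use is deliberately ignored: BOB's says Jan 29 but the
        # log has nothing for him, so he is flagged; CAROL's is stale but her
        # events show she is active, so she is kept.
        if u_last.get(u.userid, never) < cutoff:
            plan.unused_users.append(u.userid)
        for cls, res, acc in u.permits:
            last = p_last.get((u.userid, cls, res), never)
            if last < cutoff:
                plan.unused_permits.append((u.userid, cls, res, acc))
            else:
                plan.used_permits.append((u.userid, cls, res, last))
        for grp in u.groups:
            if g_last.get((u.userid, grp), never) < cutoff:
                plan.unused_groups.append((u.userid, grp))
    return plan

def cleanup_commands(plan):
    """Commands that enact the plan. For a user ID being deleted only DELUSER is
    emitted; per-entitlement removals go to the surviving user IDs."""
    gone = set(plan.unused_users)
    cmds = [f"DELUSER {u}" for u in plan.unused_users]
    cmds += [f"PERMIT {res} CLASS({cls}) ID({uid}) DELETE"
             for uid, cls, res, _ in plan.unused_permits if uid not in gone]
    cmds += [f"REMOVE {uid} GROUP({grp})"
             for uid, grp in plan.unused_groups if uid not in gone]
    return cmds

def restore_commands(plan):
    """Commands that undo cleanup_commands if a removal turns out to be wrong."""
    cmds = [f"ADDUSER {u}" for u in plan.unused_users]
    cmds += [f"PERMIT {res} CLASS({cls}) ID({uid}) ACCESS({acc})"
             for uid, cls, res, acc in plan.unused_permits]
    cmds += [f"CONNECT {uid} GROUP({grp})" for uid, grp in plan.unused_groups]
    return cmds
```

Running `plan_cleanup(USERS, EVENTS, AS_OF, 90)` flags BOB despite his recent stored last-use date, keeps CAROL despite her stale one, and removes only ALICE's unused GL.LEDGER permit and AUDITRD connect.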

CA Auditor for z/OS. CA Auditor for z/OS (CA Auditor) is an industry leader in automated review and auditing for z/OS operating system integrity and verification. It provides important information about system security, integrity and control mechanisms that is extremely difficult to obtain from other sources. CA Auditor helps identify and control security exposures, trap doors, Trojan horses and logic bombs that can destroy production dependability and circumvent existing security mechanisms. All of these exposures can exist in the form of improper or misused operating system code, supervisor calls (SVCs), exits, libraries, functions and facilities. Through the use of proficient system techniques and an English-language interface, information that is otherwise difficult or time-consuming to obtain can be provided instantly. In addition, CA Auditor identifies potential problems, makes suggestions and, with the dialog feature, answers your questions.

CA Access Control (on mainframe Linux). CA Access Control delivers consistently strong access control across distributed platforms and mainframe operating systems. This solution provides policy-based control of who can access specific systems, applications and files; what they can do within them; and when they are allowed access. It also provides capabilities for management of Root privileges across mixed platforms (Linux, UNIX, Windows) for greater administrative security and easier compliance, and it enhances compliance auditing because all Root users are uniquely identified, so that every security action can be associated with its originator. CA Access Control also extends the security capability of the native operating system across heterogeneous platforms throughout the entire IT environment, so that security can be managed in a consistent way across all platforms. This includes the ability to propagate password changes and status (i.e. suspended/unsuspended) across the enterprise, including to the mainframe. This reduces administrative effort and cost, and provides easier compliance.

CA Identity Manager. CA Identity Manager provides a graphical, integrated identity management and user provisioning platform that automates the creation, modification and suspension of user identities and their access to resources, enterprise-wide (including the mainframe), to increase security and compliance while reducing administration costs and enhancing the user experience. In addition, Identity Manager provides auditing services that both internal and external auditors can use to help determine whether the organization's entitlement-granting practices are in control and are effectively keeping private data private.

CA Security Command Center. CA Security Command Center (CA SCC) is essential to proactively managing the complexities of an organization's security environment. It helps you discover and prioritize relevant security data to effectively manage your security risks in real time. By correlating security risks to assets, you can take corrective action and investigate security incidents through a centralized command and control center. CA SCC can also process security events generated by mainframe access management products, so that events across the entire IT environment can be analyzed more effectively. CA SCC not only enables easier compliance for your IT environment, it can also reduce your administrative costs and reduce the risk of undetected security issues.

Key Compliance Requirements and CA Solutions

The following table lists the key compliance solution areas discussed in this paper, along with the specific CA mainframe solutions that can provide you with these compliance capabilities. For more information on any of these solutions, visit ca.com or contact your local CA representative.

Compliance Capability / CA Mainframe-related Solution(s)

Centralized Access Control: CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux
User Provisioning: CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF; CA Identity Manager
Host Access Management: CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux
Automated cleanup of inactive accounts: CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF
Automated Software Configuration Analysis: CA Auditor for z/OS
Separation/segregation of duties: CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux
Centralized Auditing and Monitoring: CA ACF2 and CA Top Secret, plus their DB2 Options; CA Auditor for z/OS; CA Security Command Center
Information Encryption: BrightStor Tape Encryption

About the Authors

Reginald (Reg) Harbeck is CA's Global Mainframe Solution Manager. In the two decades since he received his Bachelor's Degree in Computer Science he has worked with operating systems, networks, security and applications on mainframes, UNIX, Linux, Windows and other platforms. Reg has been with CA for nine years, during which time he has met with and presented to IT management and technical audiences in Europe, the Middle East and many locations across North America, including at Gartner, IBM zSeries, CMG, SHARE and CA World user conferences. Reg is the published author of several white papers and articles, which are also available online.

Sumner Blount is the CA Director of Security Solutions. He has worked in a variety of Product Management and Engineering roles, including managing the development of all large operating systems at Digital Equipment and Prime Computer, and managing engineering and product management groups at other companies. He is also the author of a number of industry articles, and has spoken at many industry conferences in the past.

Copyright 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document AS IS without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.


More information

How To Manage A Privileged Account Management

How To Manage A Privileged Account Management Four Best Practices for Passing Privileged Account Audits October 2014 1 Table of Contents... 4 1. Discover All Privileged Accounts in Your Environment... 4 2. Remove Privileged Access / Implement Least

More information

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform

More information

Boosting enterprise security with integrated log management

Boosting enterprise security with integrated log management IBM Software Thought Leadership White Paper May 2013 Boosting enterprise security with integrated log management Reduce security risks and improve compliance across diverse IT environments 2 Boosting enterprise

More information

Achieving and Maintaining PCI DSS Compliance with Centralized, Automated Application and Middleware Change Control TECHNICAL WHITE PAPER

Achieving and Maintaining PCI DSS Compliance with Centralized, Automated Application and Middleware Change Control TECHNICAL WHITE PAPER Achieving and Maintaining PCI DSS Compliance with Centralized, Automated Application and Middleware Change Control TECHNICAL WHITE PAPER Table of Contents Executive Summary... 3 PCI DSS Breaches. Huge

More information

System Change Management - A Key to Success

System Change Management - A Key to Success Position Paper: Keys to Effective Systems Change Management Executive Overview The Institute of Internal Auditors, in its guide to Section 404 of the Sarbanes- Oxley Act, states that IT general controls

More information

Solving the Security Puzzle

Solving the Security Puzzle Solving the Security Puzzle How Government Agencies Can Mitigate Today s Threats Abstract The federal government is in the midst of a massive IT revolution. The rapid adoption of mobile, cloud and Big

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Facilitate policy-based expertise and

More information

SAS 70 Type II Audits

SAS 70 Type II Audits Thinking from IntraLinks SAS 70 Type II Audits SAS 70 Type II Audits Ensuring Data Security, Reliability and Integrity If your organization shares sensitive data over the Internet, you need rigorous controls

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Leveraging a Maturity Model to Achieve Proactive Compliance

Leveraging a Maturity Model to Achieve Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................

More information

Securing and protecting the organization s most sensitive data

Securing and protecting the organization s most sensitive data Securing and protecting the organization s most sensitive data A comprehensive solution using IBM InfoSphere Guardium Data Activity Monitoring and InfoSphere Guardium Data Encryption to provide layered

More information

How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits?

How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits? SOLUTION BRIEF CA SERVICE MANAGEMENT - SOFTWARE ASSET MANAGEMENT How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits? SOLUTION BRIEF CA DATABASE MANAGEMENT FOR DB2 FOR

More information

CA NSM System Monitoring Option for OpenVMS r3.2

CA NSM System Monitoring Option for OpenVMS r3.2 PRODUCT SHEET CA NSM System Monitoring Option for OpenVMS CA NSM System Monitoring Option for OpenVMS r3.2 CA NSM System Monitoring Option for OpenVMS helps you to proactively discover, monitor and display

More information

CA Chorus for Security and Compliance Management Deep Dive

CA Chorus for Security and Compliance Management Deep Dive Mainframe Optimization and Modernization CA Chorus for Security and Compliance Management Deep Dive Maddalena Tosoni Principal Engineering Services Architect CA Chorus Recap Improve Staff Efficiency CA

More information

WHITE PAPER May 2012. How Can Identity and Access Management Help Me with PCI Compliance?

WHITE PAPER May 2012. How Can Identity and Access Management Help Me with PCI Compliance? WHITE PAPER May 2012 How Can Identity and Access Management Help Me with PCI Compliance? Table of Contents Executive Summary 3 SECTION 1: Challenge 4 Protection of confidential cardholder information SECTION

More information

Implementing HIPAA Compliance with ScriptLogic

Implementing HIPAA Compliance with ScriptLogic Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE

More information

The Challenges and Myths of Sarbanes-Oxley Compliance

The Challenges and Myths of Sarbanes-Oxley Compliance W H I T E P A P E R The Challenges and Myths of Sarbanes-Oxley Compliance Meeting the requirements of regulatory legislation on the iseries. SOX-001 REV1b FEBRUARY 2005 Bytware, Inc. All Rights Reserved.

More information

identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible

identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible IT transformation and evolving identities A number of technology trends, including cloud, mobility,

More information

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75 Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

More information

CA Process Automation for System z 3.1

CA Process Automation for System z 3.1 PRODUCT SHEET CA Process Automation for System z CA Process Automation for System z 3.1 CA Process Automation for System z helps enable enterprise organizations to design, deploy and administer automation

More information

IBM Tivoli Netcool Configuration Manager

IBM Tivoli Netcool Configuration Manager IBM Netcool Configuration Manager Improve organizational management and control of multivendor networks Highlights Automate time-consuming device configuration and change management tasks Effectively manage

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

FairWarning Mapping to PCI DSS 3.0, Requirement 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10 FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are

More information

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems Proactively address regulatory compliance requirements and protect sensitive data in real time Highlights Monitor and audit data activity

More information