White Paper. Regulatory Compliance and the IBM Mainframe: Key Requirements
Reg Harbeck, Global Mainframe Solution Manager
Sumner Blount, Director of Security Solutions
February 2007
Table of Contents

The Rise of Compliance as a Business Imperative
The Role of Frameworks in Mainframe Regulatory Compliance
Key Controls for Mainframe Compliance
  Controlling Access to Business Data and Functions
  Orphaned Accounts
  Excessive Entitlements
  Control over Superuser Privileges
  Separation/Segregation of Duties
  Security Event Auditing
  Proper Data Classification
  Software Configuration Detection and Correction
  Encryption of Offsite Information
Key Technologies for Mainframe Compliance
Conclusion
The CA Solution for Mainframe Compliance
Key Compliance Requirements and CA Solutions
The Rise of Compliance as a Business Imperative

Recent corporate financial scandals and increased concerns over the privacy of user information have led to a rise in governmental laws and industry regulations around financial reporting, security and data privacy. These factors create compliance pressures that place heavy burdens on internal IT groups. Failure to secure sensitive information can result in irreparable damage to the corporate reputation, and failure to achieve compliance has financial consequences as well.

While governmental regulations cover a wide range of target areas, regulations that impact IT generally fall into one of three major categories:

Governance. These regulations deal with the transparency and accuracy of financial records, the retention of records within the corporation, and requirements for disaster recovery and business continuity. Most notably with SOX, this type of regulation was heavily driven by corporate scandals and financial fraud cases.

Privacy. These regulations are often specific to a single vertical market, and dictate how a user's personal information must be handled by the corporation. They specify what type of personal information may be kept, how that information may be handled (including who, if anyone, it may be given to), and what actions are required in the event of a breach of established privacy restrictions.

Security. These regulations are intended to protect a corporation's critical infrastructure, and specify how users will be identified, how their access to sensitive resources must be controlled, and how that access may be tracked and audited.

Figure 1 illustrates these three primary areas of compliance and highlights some of the major regulations in each area. Note that some regulations fall into multiple categories.

While there are a large number and wide variety of regulations, each has unique requirements for compliance, many of which cannot be met merely through technology and/or procedural changes. However, one element common to all regulations is the need for strong and effective controls over enterprise business processes. A control is a set of procedures or steps used to ensure the successful operation of a business practice or transaction. Controls ensure, for example, that private customer data is not accessed by unauthorized people, that platforms and systems are protected from breach, and that all data and applications are protected from inappropriate access. Internal controls can be weak, strong, or anywhere in between. It is the job of compliance auditors to ensure and attest that these controls are effective enough to meet the requirements of the regulation.

Figure 1. Classification of Regulations.
The Role of Frameworks in Mainframe Regulatory Compliance

Generally, a governmental regulation does not specify what technology is required in order to meet its requirements. In fact, many regulations do not even specify any details of an effective internal control. Therefore, administrators and compliance officers are left to determine what methods they will use to meet the often vague requirements within each regulation.

In the area of overall corporate governance, the internal control framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has become widely adopted. Although COSO contains requirements for a range of areas of governance, there is little in the COSO framework regarding specific IT controls. Given this, management should either look to industry best practices, which are often subjective, or look to another controls-oriented framework from an authoritative source.

To solve this problem, many companies have begun to look to the Control Objectives for Information and related Technology (COBIT) framework published by the IT Governance Institute, which is affiliated with the Information Systems Audit and Control Association (ISACA). COBIT contains a broad set of IT control objectives that provide statements of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. Among these IT controls are many that are directly related to security management processes and systems. Other IT frameworks exist (for example, ITIL, SAS 70, ISO 17799, and others), and their use depends on whether they can help establish (to the auditors) a strong case for successful compliance.

Let's look at COBIT in more detail, since it has emerged as a widely adopted framework for IT controls. The COBIT control objectives are organized into four areas:

- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring

One of the key activities within the Delivery and Support area of COBIT is an activity entitled Ensure Systems Security. The purpose of this activity is to provide controls that safeguard information against unauthorized use, disclosure or modification, damage or loss, through logical access controls that ensure access to systems, data and programs is restricted to authorized users. Within Ensure Systems Security there is a group of discrete control objectives that COBIT has identified, including:

- Manage Security Measures
- Identification, Authentication and Access
- Security of Online Access to Data
- User Account Management
- Management Review of User Accounts
- User Control of User Accounts
- Security Surveillance
- Data Classification
- Central Identification and Access Rights Management
- Violation and Security Activity Reports
- Incident Handling
- Re-accreditation
- Counterpart Trust
- Transaction Authorization
- Non-repudiation
- Trusted Path
- Protection of Security Functions
- Cryptographic Key Management
- Malicious Software Protection, Detection and Correction
- Firewall Architectures and Connections with Public Networks
- Protection of Electronic Value

A detailed discussion of these controls is beyond the scope of this paper. The next section, however, discusses some of the key issues involved in implementing some of these controls on mainframe platforms.

Key Controls for Mainframe Compliance

By now, most organizations have recognized their responsibilities under regulations (such as Sarbanes-Oxley, HIPAA, and others) and have introduced some level of processes and procedures to comply with them. However, one area that often does not get adequate attention is the mainframe environment. Despite past predictions by some of the demise of the mainframe, it remains, and will continue to be, a critical computing platform for many enterprises. The mainframe is here to stay, and therefore it is a requirement to include mainframes when planning a broad IT compliance strategy.
The COBIT controls described earlier can be instrumental in supporting compliance with most of the major regulations that organizations are facing today, such as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley, among others. On the mainframe, there are some specific controls that are essential yet often overlooked. These controls are focused on the following mainframe security issues:

- Controlling Access to Business Data and Functions
- Orphaned Accounts
- Excessive Entitlements
- Control over Superuser Privileges
- Separation/Segregation of Duties
- Security Event Auditing
- Proper Data Classification
- Software Configuration Detection and Correction
- Encryption of Offsite Information

Let's look at each of these areas in more depth.

Controlling Access to Business Data and Functions

Controlling access to critical IT resources (files, applications, databases, etc.) on the mainframe is an absolute requirement for regulatory compliance. Not only must unauthorized individuals be prevented completely from accessing these resources, but even authorized users must be able to perform only those operations and actions for which they have been explicitly approved. In many cases, these authorizations need to include external factors such as the day of the week, the time of day, the user's organizational unit or role, and the like. Some accesses, for example, might be allowed during work hours but need to be prevented during off-hours.

In addition, a key element of regulatory compliance is policy-based controls. In other words, a security administrator should not have to understand the underlying technical details of a system in order to set up a permission that responds to a simple requirement in all cases. Therefore, it is essential to externalize security outside of applications, so that it can be enforced centrally based on a set of security policies defined for the complete IT environment.
These security policies are generally based on a set of user roles defined for the entire user population. It is also important for an organization to be able to determine, at any point in time, the user roles it has defined and the access rights assigned to each role. Auditors will want those roles to be consistent, well-defined, and to have as little overlap as feasible. An organization with well-defined roles and access requirements will be much better aligned with regulatory requirements than one in which everyone has their own individual set of access rights, built up whenever they encounter a new need but rarely removed when the need no longer exists.

Orphaned Accounts

Mainframes have become a victim of their own reliability and security with regard to orphaned accounts. A mainframe running in a production environment may have been implemented thirty-plus years ago. During that time, thousands, sometimes even millions, of employees and customers have been provisioned to the mainframe. Often those accounts are not removed, and orphaned accounts accumulate. Orphaned accounts also occur when a user simply stops using an account for any reason; the account remains valid even though it is not being actively accessed. Until regulatory controls were established focusing on the need to maintain these accounts and to have controls in place to manage, report on, and enforce compliance for them, they often went almost unchecked by many organizations. Any unused account represents a security, and therefore compliance, risk.

Some organizations use manual processes for the provisioning and de-provisioning of mainframe accounts. This process is error-prone, and does not provide a well-documented method for ensuring proper entitlements. Others have developed applications internally to help manage these accounts. The underlying problem still exists, though to a lesser degree: these solutions typically don't, or can't, address the problem of ensuring that all existing accounts have proper owners.

Figure 2 illustrates this important problem. The line represents entitlements granted to (and removed from) a typical user over their lifecycle. It illustrates that entitlements are often not removed until the user actually leaves the organization. And when this happens, some accounts are often missed and not removed appropriately. This creates the problem of orphaned accounts, represented by the bottom right corner of the graphic.

Figure 2. User Entitlement Compliance Issues.

Beyond user accounts, utility accounts (accounts used for testing or background tasks) often exist from previous projects. Default accounts, while less common on the mainframe than on other platforms, can also be overlooked and not deleted or disabled, opening up the opportunity for an unauthorized individual to access information inappropriately. The problem is compounded when applications attempt to enforce their own security policies rather than externalizing security to a centralized service. This causes these types of accounts to increase in number, and their management becomes much more difficult. The security of these applications should be externalized, taking advantage of the security software package running on the mainframe. Examples of such accounts include:

- UNIX (USS) and Linux native security accounts, defined to the OS and not to external security
- DB2 accounts, if DB2 is not fully externally secured
- Internal application controls that are not externalized

Excessive Entitlements

Figure 2 also illustrates another common problem that can impact your compliance efforts. Similar to the problem of obsolete accounts, people also tend to accrue access rights over the course of their identity lifecycle, but generally do not ask to have them removed when no longer needed. As a result, most users accumulate unneeded access rights, so that the line representing their access entitlements is monotonically increasing over time. This hampers compliance because critical IT resources can often be accessed by users who have no valid business need to do so. In fact, a common back door into many computer systems and applications is to go to a person who has retained old access but is in a new role that has no official need of that access. This violates the integrity of a system in a way that is almost certain to contradict corporate guidelines. It would also render a system out of compliance with respect to many regulatory mandates today.
Control over Superuser Privileges

One of the most exploited and costly vulnerabilities on many systems is the superuser account ("Root" in UNIX and Linux, including on the mainframe). Superusers can generally do whatever they want, without restriction and often without adequate audit and tracking. Because of the unlimited power of this account, no file, device or command is off-limits. Even the auditing services on the system are not immune from this account, and the integrity of system audit logs is therefore vulnerable to inadvertent or malicious actions.

This issue is amplified when superuser access is not role-based, and a common password and user ID is shared among administrators and developers. This creates a serious accountability problem. It often makes it very difficult, if not impossible, to determine specifically which person performed a particular destructive act, since there is no authentication of superusers as individuals.

Effective compliance requires that users, especially Root-level users, have only the level of privilege that they actually need. For this reason, more granular access and administrative rights are required than are generally offered by the native operating system. In addition, compliance requires that all users be individually identified, so that multiple users are not using the same account in such a way as to make them effectively anonymous in the audit log.

Separation/Segregation of Duties

A key principle inherent in a regulatory-compliant and audit-proof environment is separation of duties (also known as segregation of duties). As a general principle, this means that the person who initiates a given transaction cannot also be the person who approves that transaction. For example, a situation in which someone could create a new vendor record as well as approve a payment to that vendor would constitute a segregation of duties violation. Another, possibly more common, example occurs when a single person can both install and maintain applications as well as administer their security.

Why is this an issue? There are two problems that these types of situations create. First, there is insufficient oversight and visibility for potentially fraudulent activities. In the example cited above, someone could create new vendor records and then approve payments to those vendors, possibly escaping detection for a long time. The second problem is that this situation makes security auditing much harder, because it is difficult if not impossible to identify who might have performed an improper or malicious operation on critical data.

Security Event Auditing

Regulatory compliance is effectively impossible without the ability to prove compliance. IT auditors want to be able to view proof that all your internal security controls are not only comprehensive and consistent, but are also functioning correctly and effectively. This requires the ability to uniquely identify the specific individual responsible for each security event or operation. Not only is this required for compliance, but it is also essential for immediately stopping any improper or suspicious activity that might have occurred.

One possible example would be the case where someone attempted successively to log in to different user accounts. In some environments, successive failed attempts to access a given account result in the immediate suspension of that account. If these accounts are in different departments, it may never occur to anyone that they could be related and that a serious breach is being attempted. However, with strong auditing records (such as those generated by CA ACF2 and CA Top Secret) and a powerful correlation and reporting engine (such as that provided by CA Security Command Center), it becomes possible to discover:

1. That there were a number of suspensions around the same time coming from the same location (because an automatic alarm was generated)
2. That it therefore seems likely that a single individual has been trying to access the system by guessing passwords until the accounts were suspended
3. Whether any accounts have been successfully accessed yet, and which ones
4. Whether the behavior in question is still continuing, in which case the perpetrator may be easily located

Without this ability, it is possible that someone may gain illicit access to the system and abuse the authorities of the accounts they access, a clear violation of system integrity and related regulatory requirements. In short, in order to achieve compliance, you need to be able to be alerted when security is being challenged, identify sources of potential compromise, and demonstrate that your security controls are effective.

Proper Data Classification

A common criterion in data classification is "need to know". When information is classified within an organization, determining appropriate levels of access can be a challenge. It is often true that access to business-critical data is granted as a result of a person's job responsibilities.
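The write-down rule behind data classification (the payroll clerk who may update payroll files but must not copy them into a dataset that other employees can read), as an added example that is not the paper's or IBM's code: a subject may read a dataset only if its clearance dominates the dataset's level, and may write only if the dataset's level dominates the clearance, with the role-based (discretionary) permission checked first. Classification levels, dataset names and user IDs are constructed.

```python
"""Multi-level security (MLS) read/write check, added example.

Enforces the classic pair of rules: no read up (clearance must dominate the
data's level) and no write down (the target's level must dominate the
clearance). A copy is modelled as a READ of the source plus an UPDATE of the
destination, so copying confidential payroll data into a lower-classified
shared dataset is refused even when the role grants UPDATE on that dataset.
"""

# Constructed classification lattice; higher number dominates lower.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}

# Constructed dataset classifications, keyed by data set name.
DATASETS = {
    "PAYROLL.MASTER": "CONFIDENTIAL",
    "PAYROLL.CLERK.WORK": "CONFIDENTIAL",
    "SHARE.PUBLIC.EXTRACT": "INTERNAL",   # SHARE.* qualifier is readable by many staff
}

# Constructed subjects: user ID -> (clearance, discretionary permissions per dataset).
SUBJECTS = {
    "PAYCLK1": ("CONFIDENTIAL", {
        "PAYROLL.MASTER": {"READ", "UPDATE"},
        "PAYROLL.CLERK.WORK": {"READ", "UPDATE"},
        "SHARE.PUBLIC.EXTRACT": {"READ", "UPDATE"},  # role grant alone would allow the copy
    }),
    "MKTUSR": ("INTERNAL", {
        "SHARE.PUBLIC.EXTRACT": {"READ"},
        "PAYROLL.CLERK.WORK": {"READ"},  # discretionary grant made in error; MLS still blocks it
    }),
}


def dominates(a, b):
    """True if level a is at or above level b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


def check(user, dataset, mode):
    """Return (allowed, reason). Discretionary permission first, then the MLS rules."""
    clearance, perms = SUBJECTS[user]
    level = DATASETS[dataset]
    if mode not in perms.get(dataset, set()):
        return False, "no discretionary permission"
    if mode == "READ" and not dominates(clearance, level):
        return False, "read up denied"
    if mode == "UPDATE" and not dominates(level, clearance):
        return False, "write down denied"   # strict *-property: never write to a lower level
    return True, "allowed"


def copy_allowed(user, src, dst):
    """A copy is a READ of src followed by an UPDATE of dst; both must pass."""
    ok, why = check(user, src, "READ")
    if not ok:
        return False, f"{src}: {why}"
    ok, why = check(user, dst, "UPDATE")
    if not ok:
        return False, f"{dst}: {why}"
    return True, "allowed"


if __name__ == "__main__":
    for src, dst in [("PAYROLL.MASTER", "PAYROLL.CLERK.WORK"),
                     ("PAYROLL.MASTER", "SHARE.PUBLIC.EXTRACT")]:
        print("PAYCLK1 copy", src, "->", dst, copy_allowed("PAYCLK1", src, dst))
```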
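The correlation described under Security Event Auditing above (several account suspensions from one location in a short period, which accounts were nonetheless accessed, and whether the activity is still going on), as an added example that is not the paper's code nor CA Security Command Center's: it parses constructed logon and suspension records, raises one alert per terminal that suspended at least three distinct IDs inside a sliding ten-minute window, lists IDs that subsequently logged on from that terminal, and reports whether the activity is ongoing relative to a supplied clock. The record format, terminal IDs and user IDs are constructed; real SMF, ACF2 or Top Secret records differ.

```python
"""Correlating account suspensions across departments (added example).

A single suspended ID looks like a forgotten password; three IDs from three
departments suspended from the same terminal within minutes look like
password guessing. This correlates the constructed records below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: timestamp, terminal, user ID, event. Not a real record layout.
SAMPLE_LOG = """\
2007-02-12 08:01:12 TERM=LU0042 USER=PAYCLK1 EVENT=LOGON_FAIL
2007-02-12 08:01:40 TERM=LU0042 USER=PAYCLK1 EVENT=LOGON_FAIL
2007-02-12 08:02:05 TERM=LU0042 USER=PAYCLK1 EVENT=SUSPENDED
2007-02-12 08:02:30 TERM=LU0042 USER=HRADM2 EVENT=LOGON_FAIL
2007-02-12 08:03:01 TERM=LU0042 USER=HRADM2 EVENT=SUSPENDED
2007-02-12 08:03:44 TERM=LU0042 USER=DEVJOE EVENT=LOGON_FAIL
2007-02-12 08:04:10 TERM=LU0042 USER=DEVJOE EVENT=LOGON_OK
2007-02-12 08:05:00 TERM=LU0042 USER=OPSMGR EVENT=SUSPENDED
2007-02-12 08:06:30 TERM=LU0101 USER=MKTUSR EVENT=SUSPENDED
2007-02-12 09:30:00 TERM=LU0101 USER=MKTUSR EVENT=LOGON_OK
"""


def parse(log_text):
    """Turn each record into a dict with a datetime and the KEY=VALUE fields."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, fields = line[:19], line[20:]
        kv = dict(f.split("=", 1) for f in fields.split())
        events.append({"ts": datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"),
                       "term": kv["TERM"], "user": kv["USER"], "event": kv["EVENT"]})
    return events


def correlate(events, window=timedelta(minutes=10), min_accounts=3, now=None):
    """One alert per terminal whose SUSPENDED events cover >= min_accounts
    distinct IDs inside a sliding window. Each alert also lists IDs that
    logged on OK from that terminal after the window opened (accounts that
    may have been reached) and whether the terminal was active within one
    window of `now` (is the behavior continuing)."""
    by_term = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_term[e["term"]].append(e)
    alerts = []
    for term, evs in by_term.items():
        susp = [e for e in evs if e["event"] == "SUSPENDED"]
        for i, first in enumerate(susp):
            in_win = [e for e in susp[i:] if e["ts"] - first["ts"] <= window]
            users = sorted({e["user"] for e in in_win})
            if len(users) < min_accounts:
                continue
            start = first["ts"]
            accessed = sorted({e["user"] for e in evs
                               if e["event"] == "LOGON_OK" and e["ts"] >= start})
            last_seen = evs[-1]["ts"]
            ongoing = now is not None and now - last_seen <= window
            alerts.append({"term": term, "window_start": start, "suspended": users,
                           "accessed": accessed, "last_seen": last_seen,
                           "ongoing": ongoing})
            break  # one alert per terminal is enough for the operator
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in correlate(evs, now=evs[-1]["ts"]):
        print(alert)
```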
For example, it may be very appropriate to grant update access to the payroll files to a payroll clerk role. However, it is not appropriate for that payroll clerk to be able to copy or write that data to another file, such as one whose name begins with a common high-level qualifier that other employees have access to, thus allowing them access to the data beyond what their role and business responsibilities prescribe. This is known as a "write down", and is a potential exposure of the business-critical data. Such an exposure would certainly be detected in a compliance audit. With MLS (Multi-Level Security), classification levels can be assigned to data such that an individual with a certain level can access the data, while those without cannot. This would also prevent the copying or writing of data down to a lower classification level, as described in the above example.

Software Configuration Detection and Correction

Mainframe operating systems are notoriously complex. These complexities have made auditing the actual operating system very time-consuming and difficult. Any operating system, even on a mainframe, can be subject to security exposures due to errors in the configuration, installation, or administration of its software components. Computer worms, Trojan horses, and trap doors of all kinds threaten the security of the entire mainframe and all its applications. Malicious (or at least unintentionally destructive) procedures, configurations and programs can be introduced to the mainframe, either by authorized individuals' actions that are not in the organization's best interest, or by skilled intruders. Therefore, strong and effective security controls should include a complete review and audit not only of all datasets and applications, but also of the operating system that physically controls these resources. Traditionally, only experienced auditors or specialists with a systems programming background could perform such an extensive operating system review.
Much of the work was manual, and the low-level tools available were difficult to use and not comprehensive enough to truly audit the system. A z/OS review, for example, might take weeks or months to perform. However, higher-level software exists today to ease this burden and enable a more complete and simpler approach to this important task.

Encryption of Offsite Information

An important element of several recent regulations is the requirement to inform an individual if their personal data has been exposed to unauthorized third parties. An example of this type of regulation that has achieved significant publicity recently is California bill SB. This bill requires any organization doing business in California to notify customers if there is a significant chance that their personal information has been disclosed inappropriately. A situation where this requirement would apply would be the loss of a backup tape containing such personal information where the data was stored on the tape in plaintext. Other regulations may not address the issue of public disclosure, but nonetheless require strict protection of confidential consumer information, with encryption being a common technique for doing this.

Is the solution to avoid sending such personal customer data off-site? Hardly. Sending these tapes off-site is generally part of a healthy disaster recovery program and data archiving practice. It may also be a key part of certain established electronic commerce practices.

Key Technologies for Mainframe Compliance

The security issues described above require comprehensive mainframe solutions in order to achieve regulatory compliance. In attempting to address these issues, there are several critical technology areas that can assist you. More specifically, when planning compliance initiatives on your mainframe, the following approaches and technology solutions should be considered.

1. Centralized Access Control

On today's mainframe, no application should be running with internal security. Attempting to enforce security within each application greatly increases your security administration costs, complicates your application development and maintenance effort, and potentially reduces your overall security due to inconsistent policy enforcement across applications. Externalizing security enforcement in a central service eliminates these problems, as well as making it much easier to validate compliance to your IT auditors.

The essential way to implement mainframe control over user access is a software solution that can effectively provide access control for all mainframe data and applications. It should allow easy, policy-based controls to be created that will ensure that all access is controlled according to these policies. In addition, it should leverage and integrate with existing directory, auditing, and access management solutions on distributed platforms in order to make compliance activities more consistent across platforms. External security solutions such as CA Top Secret and CA ACF2 allow for the complete externalizing of application and database security. This provides the ability to centrally control all access to critical mainframe resources and enforce security policies relating to these resources.

2. User Provisioning

Centralized user provisioning provides an automated way to create user accounts and assign access rights when a new user is entered into the system. It can also provide an automated technique for de-provisioning these same accounts and access rights when the user is removed from the system. Both capabilities are important for achieving strong and effective IT security controls. In particular, user provisioning can help avoid the creation of excessive entitlements, as well as orphaned accounts, since entitlements and accounts are immediately removed as a user's role changes or when that user departs the organization. This is done according to specific security policies defined by the IT administrators, and can be a completely automated process.

Provisioning solutions can also help answer one of the most important questions asked by your compliance auditors: who has access to what resources? Without the ability to easily answer that question, your compliance efforts will be greatly hindered. In addition, a comprehensive identity management and provisioning solution should be capable of providing information or reports about potentially problematic overlapping role or access right definitions. This information, along with clearly defined internal processes, can help highlight and correct existing or potential segregation of duties violations.

3. Host Access Management

Excessive entitlements for superusers, and the inability to uniquely identify each superuser, can be significant problems on UNIX and Linux systems. A Host Access Management external security solution (for mainframe Linux and USS, for example) can be used to provide fine-grained entitlements for superusers, so that each such user has only the privileges that they absolutely need. In addition, it can uniquely identify users so that audit logs can associate each administrative event with a specific person.

4. Automated Cleanup of Inactive Accounts

Inactive (orphaned) accounts and unused entitlements are significant problems on mainframes and can reduce your compliance effectiveness. Tools such as CA Cleanup are available today to monitor and report on entitlements (and IDs) that are not used within the mainframe security database. The removal of such leftover accesses eliminates loose ends and the accompanying security and regulatory concerns, while aligning the security environment for consistent role-based provisioning and de-provisioning.

5. Automated Software Configuration Analysis

Effective regulatory compliance requires controls over the entire mainframe configuration, including both hardware and software components. These controls should start with an automated analysis of all relevant configuration information so that potential anomalies (such as unpatched system vulnerabilities) can be identified and quickly remediated. This analysis should provide information on the current status and settings for such key system elements as:

- Software and hardware configurations and versions
- Hardware errors
- Administrative consoles
- System Management Facility (SMF) information
- System customization variables for key system libraries, system catalogs, and parameter libraries
- System executables
- Critical programs
- JES environment
- File usage

Compliance requires that effective controls over all critical system components be in place and functioning effectively. Tools such as CA Auditor for z/OS and CA Security Command Center can greatly simplify and expedite these important tasks.

6. Centralized Auditing and Monitoring

A centralized auditing mechanism can aggregate, filter, and analyze all security events within the entire IT environment, highlighting those that need priority attention. Such a solution also has very significant cost savings and productivity benefits. Manually reading system log files to search for serious security events is not only time-consuming but very error-prone. And it is virtually impossible to manually correlate security events that might, when taken as a whole, constitute a potential security breach. A comprehensive auditing solution such as CA Security Command Center (CA SCC) can automate this process, not only saving massive amounts of system administrator time, but also reducing security risk because critical events can be more correctly identified for further administrator analysis and remediation.

7. Information Encryption

Solutions such as CA's BrightStor Tape Encryption exist today to encrypt the data that is written to tapes. If this is done and the tape is later compromised, it will not be readable without the keys required to decrypt the data. This, of course, also requires appropriate key management functionality (such as that provided by the above product) to ensure that the keys don't fall into the wrong hands or get lost, making critical data unavailable.

Conclusion

As the number and variety of regulations increase, today's organizations are faced with daunting challenges to comply with all relevant mandates. These challenges include not only actually meeting the specific requirements of each regulation, but also doing so in a cost-effective and sustainable way. Unless an organization can achieve continuous compliance, its compliance costs and efforts will remain unacceptably high.

The mainframe is a critical element in any IT compliance initiative. It often houses some of the enterprise's most critical IT assets, both data and applications, and therefore must have strong and effective controls over the use of these assets. Without a consistent and auditable set of controls across all major system platforms, an organization will not be able to achieve regulatory compliance in a cost-effective manner. The final section of this paper highlights some CA solutions that can help you achieve sustainable and continuous compliance on your mainframe platforms.

The CA Solution for Mainframe Compliance

CA offers the broadest set of security solutions on the mainframe today, which can greatly enable your compliance activities as part of an integrated, enterprise-wide approach. Specifically, the CA Mainframe Identity and Access Management suite is the most comprehensive and integrated platform on the market today. It enables enterprises to efficiently and securely manage the digital identities and access rights of users, devices and applications.
This includes ensuring that only properly authorized identities can access your critical IT resources. It provides a complete and proven platform for protecting your IT assets across all platforms and environments within your enterprise, thereby helping you achieve continuous compliance across your mainframe and connected platforms. The CA mainframe security and compliance solutions include: CA ACF2 and CA Top Secret. Providing leading-edge security for the z/os, z/vm and z/vse business transaction environments including z/os UNIX as well as authentication for Linux for zseries (using the included PAM component). Built-in, comprehensive administrative and reporting tools, along with detailed event logging capabilities, simplify the management of users and their access rights. These solutions give you the tools to monitor the efficiency of your security policies and provide end-to-end security for the enterprise when deployed with other CA solutions. CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF. Offers easily automated, continuous and unattended security file cleanup by monitoring security system activity to identify security definitions that are currently unused. Specifically, CA Cleanup solutions identify accounts and access unused beyond a specified threshold and generate commands to remove unused user IDs, entitlements, permissions, and profile and group connections that each user has but does not use. These solutions effectively resolve the accumulation of obsolete and excessive access rights that otherwise occurs within a security file over time, a key requirement for compliance with many regulations. CA Cleanup deploys easily and can enable you to: Identify and remove individual user entitlements and access groups that are no longer used. Identify entitlements (such as permissions and rules) actually used and create commands to remove those that are unused. This includes user-defined resources. 
- Identify user IDs actually used and create delete commands for those unused. This is based on actual security usage, not reported last-use dates, which are often unreliable.
- Identify the IBM RACF Groups and Profiles that each ID actually uses and create the RACF commands to remove those that are unused.
- Produce reports detailing both used and unused entitlements.
- Generate commands to enact or restore security cleanup.
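The usage-based cleanup described above, as an added Python example that is not CA's code: it classifies IDs, permits and group connects as unused from actual access events rather than from reported last-use dates, and generates RACF commands to remove them (and to restore the removed permits and connects). The security-file snapshot, the event record format and all IDs and profile names are constructed for the example; the PERMIT/REMOVE/CONNECT/DELUSER command forms are standard RACF syntax.

```python
from datetime import date, timedelta

# Constructed security-file snapshot (not real IDs or profiles): each ID's
# reported last-use date as a security product would record it, its group
# connects, and its permits as (resource, class, access).
DEFINED = {
    "PAYRL01": {"last_use": "2007-01-28", "groups": ["PAYROLL", "SYSPROG"],
                "permits": [("PAY.MASTER", "DATASET", "UPDATE"),
                            ("SYS1.PARMLIB", "DATASET", "UPDATE")]},
    "AUDIT02": {"last_use": "2007-02-01", "groups": ["AUDITORS"],
                "permits": [("PAY.MASTER", "DATASET", "READ")]},
    "TEMP99":  {"last_use": "2006-03-15", "groups": ["CONTRACT"],
                "permits": [("HR.FILES", "DATASET", "READ")]},
}

# Constructed access-event records, one per successful access:
# "YYYY-MM-DD userid resource class group-used". A product like CA Cleanup
# derives the equivalent from the security system's own activity monitoring.
EVENTS = """\
2007-01-20 PAYRL01 PAY.MASTER DATASET PAYROLL
2007-01-29 PAYRL01 PAY.MASTER DATASET PAYROLL
2006-04-02 AUDIT02 PAY.MASTER DATASET AUDITORS
"""


def parse_events(text):
    """Parse the constructed event format into (date, user, resource, class, group)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, resource, cls, group = line.split()
        events.append((date.fromisoformat(day), user, resource, cls, group))
    return events


def find_unused(defined, events, as_of, threshold_days=90):
    """Flag IDs, permits and group connects with no *actual* access event in
    the last threshold_days. The reported last-use date is only consulted to
    report IDs that it would wrongly have kept (misleading_dates)."""
    cutoff = as_of - timedelta(days=threshold_days)
    last_user, last_permit, last_group = {}, {}, {}
    for day, user, resource, cls, group in events:
        last_user[user] = max(last_user.get(user, day), day)
        pkey, gkey = (user, resource, cls), (user, group)
        last_permit[pkey] = max(last_permit.get(pkey, day), day)
        last_group[gkey] = max(last_group.get(gkey, day), day)

    result = {"ids": [], "permits": [], "groups": [], "misleading_dates": []}
    for user, info in defined.items():
        actual = last_user.get(user, date.min)
        if actual < cutoff:
            if date.fromisoformat(info["last_use"]) >= cutoff:
                result["misleading_dates"].append(user)
            result["ids"].append(user)  # deleting the ID drops its entitlements too
            continue
        for resource, cls, access in info["permits"]:
            if last_permit.get((user, resource, cls), date.min) < cutoff:
                result["permits"].append((user, resource, cls, access))
        for group in info["groups"]:
            if last_group.get((user, group), date.min) < cutoff:
                result["groups"].append((user, group))
    return result


def cleanup_commands(result):
    """RACF commands that enact the cleanup, narrowest change first."""
    cmds = [f"PERMIT '{r}' CLASS({c}) ID({u}) DELETE"
            for u, r, c, _ in result["permits"]]
    cmds += [f"REMOVE {u} GROUP({g})" for u, g in result["groups"]]
    cmds += [f"DELUSER {u}" for u in result["ids"]]
    return cmds


def restore_commands(result):
    """RACF commands that put removed permits and connects back. A deleted ID
    cannot be rebuilt from this data alone; restore it from the security-file
    backup taken before the cleanup."""
    cmds = [f"PERMIT '{r}' CLASS({c}) ID({u}) ACCESS({a})"
            for u, r, c, a in result["permits"]]
    cmds += [f"CONNECT {u} GROUP({g})" for u, g in result["groups"]]
    return cmds


def run_sample():
    """Evaluate the constructed snapshot as of 2007-02-01 with a 90-day threshold."""
    return find_unused(DEFINED, parse_events(EVENTS), as_of=date(2007, 2, 1))


if __name__ == "__main__":
    res = run_sample()
    print("IDs whose reported last-use date would have hidden them:",
          res["misleading_dates"])
    print("\n".join(cleanup_commands(res)))
```

AUDIT02 shows the point the text makes: its reported last-use date (2007-02-01) is recent, but the only actual access event is from April 2006, so it is flagged for deletion while PAYRL01 keeps its used permit and group and loses only the unused ones.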
CA Auditor for z/OS. CA Auditor for z/OS (CA Auditor) is an industry leader in automated review and auditing for z/OS operating system integrity and verification. It provides important information about system security, integrity and control mechanisms, which is extremely difficult to obtain from other sources. CA Auditor helps identify and control security exposures, trap doors, Trojan horses and logic bombs that can destroy production dependability and circumvent existing security mechanisms. All of these exposures can exist in the form of improper or misused operating system code, supervisor calls (SVCs), exits, libraries, functions and facilities. Through the use of proficient system techniques and an English-language interface, information that is otherwise difficult or time-consuming to obtain can be provided instantly. In addition, CA Auditor identifies potential problems, makes suggestions and, with the dialog feature, answers your questions.

CA Access Control (on mainframe Linux). CA Access Control delivers consistently strong access control across distributed platforms and mainframe operating systems. This solution provides policy-based control of who can access specific systems, applications and files; what they can do within them; and when they are allowed access. It also provides capabilities for management of root privileges across mixed platforms (Linux, UNIX, Windows) for greater administrative security and easier compliance. It also enhances compliance auditing because all root users are uniquely identified, so that every security action can be associated with its originator. CA Access Control also extends the security capability of the native operating system across heterogeneous platforms throughout the entire IT environment, so that security can be managed in a consistent way across all platforms. This includes the ability to propagate password changes and status (i.e. suspended/unsuspended) across the enterprise, including to the mainframe. This reduces administrative effort and cost, and provides easier compliance.

CA Identity Manager. CA Identity Manager provides a graphical, integrated identity management and user provisioning platform that automates the creation, modification and suspension of user identities and their access to resources, enterprise-wide (including the mainframe), to increase security levels and compliance while reducing administration costs and enhancing the user experience. In addition, Identity Manager provides auditing services that can be used by both internal and external auditors to help determine whether the entitlement-granting practices of the organization are in control and effectively keeping private data private.

CA Security Command Center. CA Security Command Center (CA SCC) is essential to proactively managing the complexities of an organization's security environment. It helps you discover and prioritize relevant security data to effectively manage your security risks in real time. By correlating security risks to assets, you can take corrective action and investigate security incidents through a centralized command and control center. CA SCC can also process security events generated by mainframe access management products, so that events across the entire IT environment can be analyzed more effectively. CA SCC will not only enable easier compliance for your IT environment, it can also reduce your administrative costs and reduce the risk of undetected security issues.

Key Compliance Requirements and CA Solutions

The following table lists the key compliance solution areas discussed in this paper, along with the specific CA mainframe solutions that can provide you with these compliance capabilities. For more information on any of these solutions, visit ca.com or contact your local CA representative.
Compliance Capability: CA Mainframe-related Solution(s)

Centralized Access Control: CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux; CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF

User Provisioning: CA Identity Manager

Host Access Management: CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux

Automated cleanup of inactive accounts: CA Cleanup for ACF2, CA Cleanup for Top Secret, CA Cleanup for RACF

Automated Software Configuration Analysis: CA Auditor for z/OS

Separation/segregation of duties: CA ACF2 and CA Top Secret, plus their DB2 Options; CA Access Control on mainframe Linux

Centralized Auditing and Monitoring: CA ACF2 and CA Top Secret, plus their DB2 Options; CA Auditor for z/OS; CA Security Command Center

Information Encryption: BrightStor Tape Encryption

About the Authors

Reginald (Reg) Harbeck is CA's Global Mainframe Solution Manager. In the two decades since he received his Bachelor's Degree in Computer Science he has worked with operating systems, networks, security and applications on mainframes, UNIX, Linux, Windows and other platforms. Reg has been with CA for nine years, during which time he has met with and presented to IT management and technical audiences in Europe, the Middle East and many locations across North America, including at Gartner, IBM zSeries, CMG, SHARE and CA World user conferences. Reg is the published author of several white papers and articles, which are also available online.

Sumner Blount is the CA Director of Security Solutions. He has worked in a variety of Product Management and Engineering roles, including managing the development of all large operating systems at Digital Equipment and Prime Computer, and managing engineering and product management groups at other companies. He is also the author of a number of industry articles, and has spoken at many industry conferences in the past.

Copyright 2007 CA. All rights reserved.
All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "AS IS" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.
More informationIBM Tivoli Netcool Configuration Manager
IBM Netcool Configuration Manager Improve organizational management and control of multivendor networks Highlights Automate time-consuming device configuration and change management tasks Effectively manage
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationFairWarning Mapping to PCI DSS 3.0, Requirement 10
FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are
More informationIBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems
IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems Proactively address regulatory compliance requirements and protect sensitive data in real time Highlights Monitor and audit data activity
More information