ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

Size: px
Start display at page:

Download "ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002"

Transcription

1 ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security has undergone a sea change in the past 10 years. Compliance mandates in the form of industry standards and Federal rules like NERC, FFIEC, HIPAA/HITECH and PCI-DSS are the new norm. To stay in compliance, IT teams need to be able to keep up with updates and changes to existing mandates while also being prepared for new ones. To maximize efficiency, manage risk and reduce potential violations due to compliance failure, organizations need to security tools whose features support multiple specifications within and across different compliance frameworks. In order to find the right tools, one must first start by mapping functionality to a specific section or requirement in the most critical internal or external compliance mandate. Then, look across other frameworks applicable to your business to see how many can be met by a solution. For example, security monitoring, as well as configuration standards and event logging are mentioned in many guidelines and a tool that provides real-time visibility and endpoint compliance capabilities like NAC can support the requirement across multiple mandates. By filtering the core requirements and mapping it to specific objectives, organizations can find solutions that help them stay ahead and on track for compliance, while realizing additional benefits and savings. Major Mandates Many organizations find themselves complying with mandates that they did not initially realize impacted them. For example, a higher education institution that provides school loans and a health care department may need to comply with PCI, HIPAA, and GLBA. While many compliance frameworks described in this paper are specific to the United States, most have bearing to complementary standards in other countries; for example, PCI-DSS applies to payment processing entities worldwide. HIPAA and privacy laws also apply to entities outside worldwide with unique specifications depending on the origin or destination of the IT resources or sensitive data under management. The major mandates that most companies need to address are outlined below: PCI-DSS A set of security standards issued by the 5 major card brands and overseen by the PCI Security Standards Council. This applies to any entity that stores, processes or transmits credit card data. ISO An internationally accepted framework for ing security management systems supplies a list of security controls, their objectives, and ation guidance spanning access control, endpoint compliance, event logging, incident response and more.

2 FFIEC The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that sets and oversees standards for federal examination of financial institutions by agencies including the FDIC and NCUA. HIPAA/HITECH HIPAA is a healthcare mandate for protection of health or electronic personal health (e-phi). HITECH expanded applicability for safeguarding health and personal identifiable (PII) to business associates of covered entities. GLBA/Privacy Mandates privacy controls and safeguards for customer and nonpublic personal (NPI) managed by financial institutions. This can be extended to include the protection of PII with regards to state and country privacy and privacy breach notification laws. NERC Ensures the reliability of the North American power system by overseeing standards for critical infrastructure protection (CIP) reliability standards. Entities involved with power systems must be in compliance. DISA STIGs The Security Technical Implementation Guides (STIGs) and configuration standards required for DOD systems. Many organizations outside of the DOD have adopted standards as part of their overall security program. The guidelines require port-based control (securing physical and logical network ports to prevent unauthorized access to the enclave), continuous endpoint compliance and active host-based security systems (HBSS). NIST Provides special publications on a variety of cyber-security matters. Many government agencies must comply with NIST standards and organizations outside of the government have adopted NIST standards as part of their program. How Network Access Control (NAC) Works NAC, which stands for network access control, is technology used to assure trusted access to network resources. By employing 802.1x or other security mechanisms, NAC can identify users and network-attached devices while enforcing security policies based on discovered network, identity and device attributes. Beyond allowing, limiting or blocking devices access to network resources and sensitive data, NAC also provides visibility, endpoint compliance and threat prevention capabilities. For example, NAC supports a health-check before an entity is allowed to access network resources. If the entity does not have the proper configuration settings, the latest patches or active host-based security functions, a NAC solution can quarantine the device and support remediation activities to ensure the device is in compliance with a pre-defined corporate policy. NAC can also be used for auto-discovery, classification and policy assessment of devices, and can also be used to resolve endpoint issues and violations. Once a device is on the network, NAC can still monitor the device to ensure continuous compliance and take action when unwanted behavior is detected. Like other tools, NAC platforms interface with an enterprises network, security and identity infrastructure and can support compliance-relevant reporting. Mapping CounterACT to Compliance ForeScout CounterACT is a NAC platform that supports a number of critical security and protection functions across multiple compliance mandates. Many compliance mandates are not prescriptive about specific controls. These compliance frameworks discuss objectives and activities, but leave the final IANS: How NAC maps to leading compliance mandates 2

3 decision regarding which specific tool or solution to be ed to the end-user organization. It is extremely important for each organization to perform a thorough assessment of available solutions and select those that can address the needs of the organization while supporting an efficient compliance program that satisfies multiple mandate requirements. In other words, an effective security solution is a little like a compliance Swiss army knife for IT. More importantly, organizations should look at where security tools can enable or add efficiency to compliance enforcement, auditing, and documentation processes. The table below extracts the core security functions of ForeScout CounterACT for network access control into 9 areas. The table then maps these across 8 mandates to illustrate how a NAC solution such as ForeScout CoutnerAct can be used to address a large number of compliance processes and requirements. Note that these are just a few examples of how NAC can help support compliance programs. When reviewing the table keep in mind that compliance is a holistic process and that even when a specific task is not explicitly called out that does not mean it is not necessary or will not support the overall mission. For example, GLBA does not call out anti-malware by name, but it does require organizations to take appropriate precautions to protect NPI. Validating that anti-malware is active on devices supports NPI protection. Organizations that must adhere to certain mandates that are not listed below can still use the table as a baseline and do their own mapping using the core ForeScout CounterACT features and their security and compliance requirements. IANS: How NAC maps to leading compliance mandates 3

4 ForeScout CounterACT Network Access Control/Port Control Endpoint - Integrity/Com pliance/contin uous Monitoring Identification and removal of rogue WAPs PCI DSS v2 DISA STIGs FFIEC HIPAA/ HITECH limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industryaccepted system hardening standards 11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis Enclave STIG, V4R The Enclave perimeter must block and/or secure all PPSs in accordance with the Vulnerability Assessments and the DoD PPS CAL See DISA STIGS for Individual Operating Systems. CounterACT can identify all network devices and can classify known and unknown devices. CounterACT can also identify and remediate HBSS (Host-based Security Systems) issues dynamically. General Wireless Policy STIG V1R6 Only authorized wireless systems used SCI Network Access - Access Control SCI Access Control - Operating System Access, FFIEC Supplement Guidance: Controls ebanking - Appendix E: Wireless Banking (a)(1) Access Control (a)(5)(ii)(B) - Protection from 45 CFR Parts 160 and 164, Data comprising PHI can be vulnerable to a breach in any of the commonly recognized data states: data in motion (i.e., data that is moving through a network, including wireless transmission 7); NERC ISO NIST SP SP CIP Requirement R2 - Ports and Services- The establish, document and a process to ensure that only those ports and services required for normal and emergency operations are enabled CIP R2. Critical Cyber Asset Identification Using the list of Critical Assets developed pursuant to Requirement R1, the develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The update this list as necessary, and review it at least annually CIP R1. Electronic Security Perimeter The ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s) Section 11.4 Network Access Control 11.5 Operating system access control 11.7 Mobile computing and teleworking AC - Access Control & AC-3 Access Enforcement CA-7 Continuous Monitoring and CM- 3 Configuration Change Control and CM-8 Information System Component Inventory AC-18 Wireless Access GLBA Standards for safeguarding customer - (3) Protect against unauthorized access to or use of such that could result in substantial harm or inconvenience to any customer IANS: How NAC maps to leading compliance mandates 4

5 End Point Security Mobile Security Threat Remediation 5.1 Deploy anti-virus software on all systems commonly affected by (particularly personal computers and servers) 6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release 1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization s network 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attack See DISA STIGS for Individual Operating Systems General Wireless Policy STIG V1R6 Only authorized wireless systems used Enclave STIG, V4R Host-based IDS - (EN550: CAT III) The IAO will ensure the SA is responsible for initial response to real-time alarms and performance of retrospective analysis of reports SCI Access Control - Operating System Access, FFIEC Supplement Guidance: Controls ebanking - Appendix E: Wireless Banking Information Security - Security Monitoring (a)(5)(ii)(B) - Protection from 45 CFR Parts 160 and 164, Data comprising PHI can be vulnerable to a breach in any of the commonly recognized data states: data in motion (i.e., data that is moving through a network, including wireless transmission 7); Response and Reporting (R) (a)(6)(ii) - Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. CIP R3. Security Patch Management The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP Requirement R6, shall establish, document and a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). R4. Malicious Software Prevention The use anti-virus software and other ( malware ) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s) CIP R2. Critical Cyber Asset Identification Using the list of Critical Assets developed pursuant to Requirement R1, the develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The update this list as necessary, and review it at least annually CIP R8. Cyber Vulnerability Assessment The perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following: R8.4. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan 11.5 Operating system access control 11.7 Mobile computing and teleworking 12.6 Technical vulnerability management, Section 13: Information security incident management CM-2 Baseline Configuration and SI-3 Malicious Code Protection AC-19 Access Control for Mobile Devices SI-2 Flaw Remediation - (3) Detecting, preventing and responding to attacks, intrusions, orother systems failures. IANS: How NAC maps to leading compliance mandates 5

6 Data Leakage Endpoint Intelligence Log Management Assurance Requirement 10: Track and monitor all access to network resources and cardholder data 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industryaccepted system hardening standards Requirement 10: Track and monitor all access to network resources and cardholder data Enclave STIG, V4R Host-based Content Security Checking See DISA STIGS for Individual Operating Systems See Network Infrastructure STIGs SCI Access Control - Operating System Access Information Security - Security Controls Implementation and Security Monitoring Information Security - Security Controls Implementation and Security Monitoring (a)(4) Information Access Management (a)(4) Information Access Management (a)(1) Information System Activity Review and (b) Audit Controls CIP R4. Information Protection The and document a program to identify, classify, and protect associated with Critical Cyber Assets CIP R2. Critical Cyber Asset Identification Using the list of Critical Assets developed pursuant to Requirement R1, the develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The update this list as necessary, and review it at least annually CIP R The establish methods, processes, and that generate logs of sufficient detail to create historical audit trails CIP R6. Security Status Monitoring The ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, automated tools or organizational process controls to monitor system events that are related to cyber security of individual user account access activity for a minimum of ninety days 11.6 Application and access control 11.5 Operating system access control PE-19 Information Leakage CA-7 Continuous Monitoring and CM- 3 Configuration Change Control and CM-8 Information System Component Inventory Monitoring SI-4 Information System Monitoring Standards for safeguarding customer - (3) Protect against unauthorized access to or use of such that could result in substantial harm or inconvenience to any customer - (3) Detecting, preventing and responding to attacks, intrusions, orother systems failures. IANS: How NAC maps to leading compliance mandates 6

7 When evaluating the value of a solution like ForeScout CounterACT, it is helpful to assess the tool not only for how it can support compliance for specific mandates, but also how it can be used to meet the intent of various mandates, increase visibility and effectuate controls, improve overall network and device health, as well as yield operational efficiencies. In addition to the specific support for compliance mandates listed above, the ForeScout CounterACT NAC solution provides the following benefits: Fortify IAM for network access Enable port control without requiring agents Enforce guest management Identify and eliminate rogue devices and WAPs Provide device classification and inventory Support application whitelisting and blacklisting Identify and remediate endpoint compliance gaps Enable mobile security and BYOD policy Automate compliance reporting Increase situational awareness and reduce risk profile Conclusion Keeping up with compliance is the new norm for all companies and organizations; no vertical industry or company is exempt, and new rulings and mandates are being introduced and evolve every year. To stay ahead of the compliance onslaught, IT organizations need to comprehensive programs that take into account the entire fabric of compliance and not focus on mandates one at a time. To make this process easier, organizations can security tools that offer features which can be applied to address compliance controls for multiple mandates or to expedite compliance documentation and validation processes. ForeScout CounterACT is a network security tool that can be efficient and effective at addressing a large variety of compliance needs and automating a wide array of GRC processes. IANS: How NAC maps to leading compliance mandates 7

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology l Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology Overview The final privacy rules for securing electronic health care became effective April 14th, 2003. These regulations require

More information

Standard CIP 007 3 Cyber Security Systems Security Management

Standard CIP 007 3 Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Enterprise Security Solutions

Enterprise Security Solutions Enterprise Security Solutions World-class technical solutions, professional services and training from experts you can trust ISOCORP is a Value-Added Reseller (VAR) and services provider for best in class

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

WHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2

WHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2 WHITEPAPER Top 4 Network Security Challenges in Healthcare Addressing Them with Secure Network Access Control Executive Summary... 1 Top 4 Network Security Challenges Addressing Security Challenges with

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Network Access Control in Virtual Environments. Technical Note

Network Access Control in Virtual Environments. Technical Note Contents Security Considerations in.... 3 Addressing Virtualization Security Challenges using NAC and Endpoint Compliance... 3 Visibility and Profiling of VMs.... 4 Identification of Rogue or Unapproved

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

BSM for IT Governance, Risk and Compliance: NERC CIP

BSM for IT Governance, Risk and Compliance: NERC CIP BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................

More information

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology WHITE PAPER Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology Table of Contents Overview 3 HIPAA & Retina Enterprise Edition 3 Six Steps of Vulnerability Assessment & Remediation

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations Identifying Network Security and Compliance Challenges in Healthcare Organizations Contents Introduction....................................................................... 3 Increased Demand For Access............................................................

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

The Critical Security Controls: What s NAC Got to Do with IT?

The Critical Security Controls: What s NAC Got to Do with IT? The Critical Security Controls: What s NAC Got to Do with IT? A SANS Product Review 2nd Edition, updated January 2015 Sponsored by ForeScout Technologies 2015 SANS Institute Introduction Although attacks

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation

ForeScout CounterACT. Continuous Monitoring and Mitigation Brochure ForeScout CounterACT Real-time Visibility Network Access Control Endpoint Compliance Mobile Security Rapid Threat Response Continuous Monitoring and Mitigation Benefits Security Gain real-time

More information

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment... 2. Adaptive Network Security...

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment... 2. Adaptive Network Security... WHITEPAPER Top 4 Network Security Challenges in Healthcare Addressing Them with Adaptive Network Security Executive Summary... 1 Top 4 Network Security Challenges Addressing Security Challenges with Adaptive

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009 Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Critical Security Controls

Critical Security Controls Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security

More information

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS SECURITY PLATFORM FOR HEALTHCARE PROVIDERS Our next-generation security platform prevents successful cyberattacks for hundreds of hospitals, clinics and healthcare networks across the globe. Palo Alto

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Security solutions To support your IT objectives Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Highlights Balance effective security with

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Verve Security Center

Verve Security Center Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution

More information

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software

More information

Department of Management Services. Request for Information

Department of Management Services. Request for Information Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Average annual cost of security incidents

Average annual cost of security incidents Breaches reported Annual number of data breaches Average annual cost of security incidents Among companies with revenues over $1 billion Regulatory mandates 900 800 700 600 500 400 300 200 100 0 2011 2012

More information

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS CYBER ATTACKS INFILTRATE CRITICAL INFRASTRUCTURE SECTORS Government and enterprise critical infrastructure sectors such as energy, communications

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0 WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,

More information

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007 Security Testing: The Easiest Part of PCI Certification Core Security Technologies September 6, 2007 Agenda Agenda The PCI Standard: Security Basics and Compliance Challenges Compliance + Validation =

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

AlienVault for Regulatory Compliance

AlienVault for Regulatory Compliance AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have

More information

Vulnerability. Management

Vulnerability. Management Solutions.01 Vulnerability Management.02 Enterprise Security Monitoring.03 Log Analysis & Management.04 Network Access Control.05 Compliance Monitoring Rewterz provides a diverse range of industry centric

More information

Using Continuous Monitoring Information Technology to Meet Regulatory Compliance. Presenter: Lily Shue Director, Sunera Consulting, LLC

Using Continuous Monitoring Information Technology to Meet Regulatory Compliance. Presenter: Lily Shue Director, Sunera Consulting, LLC Using Continuous Monitoring Information Technology to Meet Regulatory Compliance Presenter: Lily Shue Director, Sunera Consulting, LLC Outline Current regulatory requirements in the US Challenges facing

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

PCI DSS Top 10 Reports March 2011

PCI DSS Top 10 Reports March 2011 PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

1B1 SECURITY RESPONSIBILITY

1B1 SECURITY RESPONSIBILITY (ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,

More information

SecureVue Product Brochure

SecureVue Product Brochure SecureVue unifies next-generation SIEM, security configuration auditing, compliance automation and contextual forensic analysis into a single platform, delivering situational awareness, operational efficiency

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

IT Security & Compliance Risk Assessment Capabilities

IT Security & Compliance Risk Assessment Capabilities ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15 Privacy & Security: Fundamentals of a Security Risk Analysis Preparing for Meaningful Use Measure 15 1/18/2012 Why Are We Here? Privacy and Security is a priority for ONC Consistency among Regional Extension

More information

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro Staying Secure After Microsoft Windows Server 2003 Reaches End of Life Trevor Richmond, Sales Engineer Trend Micro Windows Server 2003 End of Life- Why Care? The next big vulnerability (Heartbleed/Shellshock)

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

How to Secure Your Environment

How to Secure Your Environment End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

ALERT LOGIC FOR HIPAA COMPLIANCE

ALERT LOGIC FOR HIPAA COMPLIANCE SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

DeltaV Cyber Security Solutions

DeltaV Cyber Security Solutions TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Managing Business Risk

Managing Business Risk Managing Business Risk With Assurance Report Cards April 7, 2015 Table of Contents Introduction... 3 Cybersecurity is a Business Issue... 3 Standards, Control Objectives and Controls... 5 Standards and

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and

More information

Vulnerability Management for the Distributed Enterprise. The Integration Challenge

Vulnerability Management for the Distributed Enterprise. The Integration Challenge Vulnerability Management for the Distributed Enterprise The Integration Challenge Vulnerability Management and Distributed Enterprises All organizations face the threat of unpatched vulnerabilities on

More information