The ETM System and Regulatory Compliance

Transcription

1 The ETM System and Regulatory Compliance A Whitepaper by SecureLogix Corporation In response to concerns of constituents, governments are demanding, through increasing regulations, greater accountability from enterprises for customer privacy and data reliability. This paper explores how the ETM system from SecureLogix Corporation assists enterprise executives in fulfilling their compliance obligations. Regulatory Landscape Following are a few examples from the growing list of regulations faced by enterprises: The Sarbanes-Oxley Act requires that certain executives of publicly traded companies personally certify that the financial statements are accurate and that effective internal controls are in place over procedures for compiling financial information. The Gramm-Leach-Bliley Act applies to banks, securities firms, insurance companies and other financial institutions. It requires the financial industry to protect the privacy of customer data. The Payment Card Industry Data Security Standard (PCI) is a worldwide standard for consumer data protection across the payment industry, born of collaboration between Visa and MasterCard to create common industry requirements that incorporates Visa s Cardholder Information Security Program (CISP) requirements. The Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare providers and insurers (as well as any other enterprise handling medical data) protect patient health information. The Federal Information Security Management Act (FISMA) mandates that federal agencies implement enterprise-wide programs to secure data and information systems in accordance with National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (NIST Special Publication ). The North American Electric Reliability Council (NERC) defines the reliability requirements to ensure that the North American bulk electric system is reliable, adequate and secure. The California Security Breach Information Act (Senate Bill 1386) requires any entity (commercial or government) doing business in California that has computerized personal information data to properly safeguard information and notify consumers of any intrusions or breaches. The Telemarketing and Consumer Fraud and Abuse Prevention Act is enforced by the Federal Trade Commission pursuant to the 2003 Telemarketing Sales Rule, which, among other requirements, prohibits calling consumers who have put their phone numbers on the National Do Not Call Registry. The European Commission requires, through the Directive on Privacy and Electronic Communications (DPEC), that EU member nations adopt regulations regarding privacy and integrity controls over personal information. The Turnbull Report by the Institute of Chartered Accountants in England and Wales sets out how publicly traded companies should address internal controls, including financial, operational, compliance and risk management.

2 Recognizing the mounting challenges of meeting regulatory obligations, while running successful organizations, Gartner, Inc. offered some help in a February 2004 report entitled, IT Security Technologies Can Address Regulatory Compliance, in which Gartner suggested that while IT security management processes and technologies are essential to safeguard successful operations, they also form a foundation upon which to demonstrate a system of controls that help comply with aspects of various regulations. Telecommunications Risks Completing the Security and Control Foundation The ETM system is a full service, voice security and management platform with an integrated set of powerful applications to secure, optimize and efficiently manage voice networks and communications. The core application of the ETM System is the Voice Firewall which assists enterprises with regulatory compliance by completing the security of corporate electronic perimeter and providing the additional capabilities to: Control identity and access management to IT resources and applications The ETM Voice Firewall resides at the edge of your voice network to detect, inspect, log, block, and alert all inbound and outbound voice traffic based on user-defined call admission control policies and patented use of its unique call-typing capability to react to modem, fax, voice or video traffic in real time. It therefore provides centralized visibility and control over access to parts of the interconnected data and telephone networks that can t be controlled by other tools. Key IT and operating systems such as database and management servers, routers, PBXs, voice mail systems, and SCADA systems have modem ports for remote access for routine management and maintenance functions. It is vitally important to restrict access to key resources as a basis for reliability. The need to monitor data-to-telephone network interconnections has been recognized by regulatory bodies which have issued specific requirements for addressing this concern. The following is an example from the financial industry. The Office of the Comptroller of the Currency (OCC) charters, regulates, and supervises all national banks and supervises the federal branches/agencies of foreign banks. The OCC recognizes that modems can provide an uncontrolled and unmonitored area for attack to bank systems, and requires bank officials to identify and either eliminate, or monitor and control modems presenting such vulnerabilities. Such guidance has been incorporated into standard operating and audit procedures of the Federal Financial Institutions Examination Council, an interagency body which prescribes uniform principles, standards, and report forms for the federal examination of financial institutions by the OCC, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of Thrift Supervision (OTS). Protect the organization from external intrusions and attacks In 1999, before Gartner, Inc. was aware of the ETM system, it issued a CIO Alert entitled Modems on the Desktop Can Put Important Enterprise Elements at Risk, which warned enterprises cannot afford to ignore the risks of desktop modem security -- to do so is to be negligent and open the door to the legal and financial consequences of cyber-crime. Except for the availability of the ETM system as a solution to prevent attacks to networks via modems, not much has changed in the scenario of risks painted by Gartner in In fact, the general increase in data security and monitoring on the data network may have increased the incidences of employees connecting modems and dialing out to their local ISPs for private, unmonitored Internet sessions.

3 These unauthorized modem connections provide direct and unmonitored links between the public phone system and data networks, thereby allowing intruders to access an organization s information infrastructure and completely bypass firewall and IDS systems. Installed data network security technologies provide absolutely no visibility or control over these phone network connections. This well-recognized threat is often referred to as the Last Big Back Door into internal data networks. The ETM Voice Firewall unifies the security of telephony traffic and infrastructure across hybrid legacy and VoIP networks. It provides application-layer security to real-time media, and works side-by-side with existing data network firewalls to help complete the security of corporate electronic perimeters to detect, alert, and/or block: VoIP denial of service attacks (signaling and media-based) Malformed SIP signaling attacks against VoIP systems Toll fraud Telecom system tampering and voice mail/pbx attacks War dialing and other external modem attacks against the data network and other critical infrastructure Unauthorized employee dial-up connections and Internet usage over phone lines Virus infections and restricted file transfers over dial-up connections Harassing, threatening, or restricted inbound and outbound calls Fax and VoIP spam VoIP bandwidth abuse/issues Internal voice service misuse/abuse Fraudulent/wasteful employee calling activity: - After-hours and weekend long distance (LD) - Non-business international calls, LD and modem calling on fax lines - Restricted 1-900, and other toll calls - Billed 411 calls - Long duration LD from common resource areas Monitor and detect internal and external threats The Voice Firewall allows you to secure and control which inbound and outbound calls will be allowed or alerted as they flow in and out of your private corporate voice network. The Voice Firewall also inspects each call for voice application layer security threats or unauthorized service use violations. Our ETM Usage Manager is robust automated reporting tool that supplies over 60 out-of-the-box, pre-defined reports to immediately support a broad range of auditing and operational compliance reporting on: Call accounting activities. Telecom resource utilization. Phone network usage. Perform traffic analysis. Report on service performance and call quality. Service abuse, toll fraud and other voice security issues. In addition to the predefined reports, our reporting solution is flexible, allowing customers to alter existing reports or craft new ones tailored to specific compliance needs. It delivers critical telecom control and security information when and where you need it. One can schedule batch reports to run on a daily, weekly, or monthly basis, and have the results sent to compliance managers through , pages, or SNMP traps.

4 New Telecom security and Management Technologies In addition to the Voice Firewall, the ETM Platform hosts an integrated set of additional, powerful applications, including: Performance Manager - Dashboard of enterprise-wide visibility of both TDM and IP trunking infrastructure, with real-time and continuous monitoring of circuit health & status and call quality performance/qos. The system includes telecom error notification and threshold-based voice QoS alerting, with problem diagnosis and resolution tools. Voice IPS - Call pattern anomaly detection and prevention solution for real-time detection of PBX toll fraud, war dialing, and service abuse/misuse for hybrid voice networks. Call Recorder - Policy-based call recording of targeted calls of interest.

5 SecureLogix Corporation ETM System Compliance Assistance for Key Regulations Regulation Section or Requirement Number Control/Log Access Intrusion Monitoring & Prevention Threat Detection Sarbanes-Oxley Act Gramm-Leach-Bliley Act Payment Card Industry Data Security Standard (PCI) Telemarketing and Consumer Fraud and Abuse Prevention Act 302(a)(4) - Officers are responsible for establishing, maintaining and testing internal controls 302(a)(5) - Officers must disclose to the external auditors and the audit committee of the board of directors any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer s internal controls. 302(a)(6) - Officers must indicate in their report whether or not there were significant changes in internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses Each financial institution has an obligation to protect the security and confidentiality of those customers' nonpublic personal information. 1 - Install and maintain a firewall configuration to protect data and systems from unauthorized access from the Internet and deny all other inbound and outbound traffic not specifically allowed. Prohibit direct public access between external networks and any system component that stores cardholder information. 7 - Limit access to computing resources and cardholder information to only those individuals whose job requires such access Track and monitor all access to network resources and cardholder data via automated audit trails in order to be able to reconstruct events for all system components, including (among other events): invalid logical access attempts and use of identification and authentication mechanisms Regularly test security systems and processes for security controls, limitations, network connections, and restrictions routinely to make sure they can adequately identify or stop any unauthorized access attempts. Prohibits calling consumers who have put their phone numbers on the National Do Not Call Registry

6 Regulation Section or Requirement Number Control/Log Access Intrusion Monitoring & Prevention Threat Detection Health Insurance Portability and Accountability Act (HIPAA) of 1996 Rules for HIPAA standards were published February 2003 in the Health Insurance Reform: Security Standards 45 CFR Federal Information Security Management Act (FISMA) via: NIST Special Publication (a)(1) Requires risk analysis, risk management and information system activity review processes (a)(6) Requires identification and response to suspected or known security incidents and security incidents be documented (a)(1) Implement technical policies and procedures for electronic information systems to control access only to those authorized. AC-17 Remote Access - Employ automated mechanisms to monitor and control remote access. AU-6 Audit Monitoring, Analysis, & Reporting - Review/analyze/investigate audit records for inappropriate or unusual activity. AU-9 Protection of Audit Information - The information system protects audit information and audit tools from unauthorized access, modification, and deletion. AU-11 Audit Retention - Retain audit logs to provide support for after-the-fact investigations of security incidents and to meet information retention requirements. MA-4 Remote Maintenance - Approve, control, and monitor remotely executed maintenance and diagnostic activities. SC-3 Security Function Isolation - Isolate security functions from non-security functions by means of partitions, domains, etc. SC-5 Denial of Service Protection - Protect against or limits the effects of denial of service attacks. SC-6 Resource Priority - Limits the use of resources by priority. SC-7 Boundary Protection - Monitor and control communications at the external boundary. SC-11 Trusted Path - Establishes a trusted communications path between the user and the security functionality of the system SC-19 Voice Over IP - Establish usage restrictions for Voice Over IP (VOIP) technologies based on the potential to cause damage to the information system if used maliciously.

7 Regulation Section or Requirement Number Control/Log Access Intrusion Monitoring & Prevention Threat Detection The North American Electric Reliability Council (NERC) Cyber Security Standards California SB1386 CIP-005 requires identification and protection of Electronic Security Perimeters and implementation of processes for monitoring and logging access twenty-four hours a day, seven days a week, including detection and alerting for attempts at or actual unauthorized accesses. CIP-007 requires methods, processes, and procedures for securing Cyber Assets within the Electronic Security Perimeter(s). CIP-008 requires the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Requires any entity that conducts business in California and handles computerized personal information to disclose (in specified ways) any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.