Considerations and Solutions: Juniper Networks and Compliance with Standards and Regulations


WHITE PAPER
Considerations and Solutions: Juniper Networks and Compliance with Standards and Regulations
Copyright 2009, Juniper Networks, Inc.

Table of Contents
Introduction ... 1
Defining Standards, Regulations and Their Differences ... 2
Using Standards to Ensure Regulatory Compliance ... 3
  Processes ... 4
  Criteria ... 4
  Resources ... 5
Using Standards like COBIT ... 5
Solutions Provided by Juniper Networks ... 5
  High-Performance Networking ... 5
  Protection and Recovery ... 5
  Consolidation and Delivery ... 6
  Operations ... 6
High-Performance Networking and COBIT Controls ... 6
  COBIT Control Domain 1: Planning and Organizing ... 6
  COBIT Control Domain 2: Acquiring and Implementing ... 6
  COBIT Control Domain 3: Delivery and Support ... 7
Conclusion ... 10
References ... 10
Appendix 1: Sample International Standards ... 12
Appendix 2: US Regulatory Enforcement and Penalties Example ... 14
Appendix 3: US Regulatory Enforcement and Penalties Example ... 15
Appendix 4: COBIT Controls Objectives ... 17
About Juniper Networks ... 18

Table of Figures
Figure 1: A world of information assurance ... 1

Introduction

As the information age evolves and markets expand and shift globally, knowledge and its exchange remain the currency of international trade and commerce. Its value is its own risk, requiring complex assemblies of processes and technologies to protect that most valued asset (information) from declining through mismanagement, fraud or theft. Every country has a currency of information, which many trade liberally, and sometimes recklessly. To protect the right of free societies to exchange information, standards of conduct and practices, as well as regulation governing controls to provide critical protection to private and confidential information, have been designed and implemented. The nature of many of these standards, their requirements for compliance, the importance of compliance, the penalties in place for noncompliance, and their relevance to global trade are difficult to grasp without a Rosetta stone and a map.

In today's climate of increasingly complex regulations and standards, companies often struggle to navigate their way toward compliance. Charting that course can be a challenge, but knowing what those requirements mean for situations that evolve from daily events, how to prevent them from happening, what the penalties are for not meeting compliance requirements, how meeting one standard reflects on requirements to meet another, and what the international requirements are: that is an effort of circumnavigation. The various (and often redundant) bodies of regulations and standards, and their variety of application, penalties and enforcement by different agencies, can confuse even the best-trained compliance officer. Complying with various regulations is simplified through the adoption of a widely used comprehensive standard with the broadest collection of practices, one that meets the requirements of the most regulations. One such standard is the IT Governance Institute's Control Objectives for Information and related Technology (COBIT).
COBIT, which encompasses the practices of other well-known standards, contains a list of practices that organizations should follow to ensure organizational well-being in terms of information protection and security. Using COBIT, organizations can develop specific objectives that align practices with business requirements, capabilities and regulatory requirements. Juniper Networks' approach to high-performance networking aligns with the IT practices delineated in COBIT. High-performance networking describes capabilities that provide fast, reliable and secure information delivery over networks, and positions Juniper as an ideal partner for organizations that are adopting best practices for ensuring regulatory compliance and increasing competitiveness.

Figure 1: A world of information assurance (figure; labels: Individual Regulations and Standards (SOX, HIPAA, BASEL II, etc.); Comprehensive Standard; High Performance Network Framework, a reference architecture for enterprise networking with controls on demonstration of compliance; Scope of this document)

Because Juniper Networks products and solutions are designed to deliver the functionalities and benefits integral to the high-performance network, organizations can implement solutions today that will alleviate IT challenges faced by companies required to comply with assorted regulations. Further, as innovation within the high-performance network architecture continues, organizations will be able to protect their technology investments while improving compliance effectiveness and efficiency, helping them achieve strategic advantages in their markets.

Defining Standards, Regulations and Their Differences

A variety of standards and regulations exist related to business functions and processes, including technology, operations, administration and legal. Many have evolved from policies that have been agreed upon and adopted by businesses over time to achieve effectiveness, efficiency, and reliability in their operations. Requirements corresponding to policies that ensure confidentiality, integrity and availability of information have evolved into standards defined to assure the market that a business is literal, practicable and transparent. Having said this, however, two common themes emerge from the various standards, and their related frameworks for assessment and compliance documentation:
- A need for controls to protect private information
- A need for controls to manage information in a secure environment

Companies in today's global market are subject to a variety of regulatory, legal, operational and market standards that serve to protect the market, shareholders, employees and customers. Some standards, introduced as frameworks for evaluating functions and operating processes, such as ISO (Security) and ISO (Common Criteria), are generally understood across industries as operational improvement or standardization efforts to create efficiencies and protection through shared knowledge of best market practices. Other standards are industry-specific requirements. However, they frequently have effect across obvious boundaries of industry; for example, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) are often found to have coincidental compliance requirements in banking and healthcare, since health insurance processing has become almost completely transacted via electronic means.
Other standards are defined through professional organizations such as those established by the American Institute of Certified Public Accountants (AICPA), including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, and COBIT, a framework supported by the Information Systems Audit and Control Association (ISACA). These are often mistakenly believed to be the requisite guidance to meet the reporting requirements levied by the Sarbanes-Oxley Act (SOX), with which they are most commonly associated. Finally, international standards, such as International Standards Organization (ISO) and the British Standards (BS), overlap, modify or diverge from other countries' standards; for instance the ISO emerges from the BS , while BS is an enhancement over the ISO that has yet to be widely adopted, as it includes domains also found in BS and the Information Technology Infrastructure Library (ITIL) standard. There are many standards competing for attention, and confusion concerning which standards should get attention is understandable (see Appendix 1). Standards have varying degrees of application to a company according to the financial, operational, administrative or market focus of the standards. In some instances, standards may appear to conflict conceptually, yet when applied to specific purposes, they help to elaborate the controls specific to the requirement under review. For example, while HIPAA and GLBA may seem to be redundant and to conflict in certain application criteria, one addresses the protection of personal privacy information and the other the protection of personal health information. Table 1 illustrates how different standards and regulations are relevant to different types of businesses.
Table 1: Standards and regulations, and the businesses they affect (table; the applicability marks did not survive extraction)
Columns (standards and regulations): HIPAA, GLBA, BASEL II, FERC, NIST, ISO, SOX, COBIT
Rows (business types): Healthcare, Public companies, Utilities, Financial services, Retail, Manufacturing, Government

Since different countries and industries require adherence to different regulations and standards, companies subject to international compliance face a complex task in meeting requirements (see Appendix 1).

The essential difference between a best-practice standard and a regulatory standard is that a regulatory standard enforces the legal will of the state, agency or national government interest through combined review audits and applied penalties for noncompliance. In cases involving individual privacy or security, penalties include several remedies. For example, while the California Security Breach Act (also known as California Senate Bill 1386) imposes a legislative duty on a company to protect against the unauthorized release of non-public personal information, and criminal penalties may be involved in cases of gross negligence or malfeasance, civil remedies are also available. This situation also exists in certain other U.S. regulatory standards (see Appendix 2). Regulatory standards are enforced by different agents according to the purpose of the audit, such as financial audits to detect fraud (SOX and Regulation E), enforced by the Securities and Exchange Commission and Federal Reserve Board; security audits to protect personal health privacy (HIPAA), enforced by the Health and Human Services Office for Civil Rights; and operational audits to assure the reliability of key national infrastructure services and technology (FERC/NERC CS 1200), enforced by regional electrical compliance committees.
In contrast, operational and administrative standards such as ISO (Security), ISO (Common Criteria), COSO and COBIT are applied as frameworks that support the practical definition of tests to meet related market regulatory requirements and carry no direct penalties; however, the lack of compliance with these standards may bear on corresponding regulatory compliance, as in the case of COSO, or may impact a company's competitive position in the market, as in the case of ISO 9001/14000 or ISO.

Using Standards to Ensure Regulatory Compliance

A typical approach for managing regulatory compliance is the adoption of a comprehensive standard of practices, one that encompasses the broadest range of controls for the fulfillment of the broadest range of requirements. In the United States, COBIT has emerged as the de facto standard for measuring cooperative risks and rewards of a company's operating strategy. Though organizations may adopt other broad standards, the principle's general requirements remain the same. COBIT provides a framework for controls definition and evaluation. It covers both protection of private information and the management of information in a secure environment. It is applicable to enterprise-wide information systems and organizational information-management procedures. These controls are created through a combined effort of automation and process definition, including training, risk awareness programs, executive sponsorship, crisis management and response, and a unified organizational strategy towards information security. In implementing COBIT, an organization will gain efficiency over the audit process for meeting corresponding regulatory compliance requirements (SOX, HIPAA or GLBA, for example). Organizations can implement COBIT to meet several concurrent compliance and competitive objectives.
Several best practices were utilized in the definition of the COBIT framework (see Appendix 3) to provide a comprehensive evaluation methodology that can integrate operational, administrative, legal and regulatory standards, including:
- Technical standards from ISO or EDIFACT
- Codes of Conduct issued by the Council of Europe, OECD or ISACA
- Qualification criteria for IT systems and processes from ISO, SPICE or TickIT
- Professional standards in internal control and auditing published by COSO, AICPA, GAO and ISACA
- Industry practices and requirements from industry forums (ESF, I4) and government-sponsored platforms such as FDIC, SEC or NIST
- Emerging industry-specific requirements such as those from banking, electronic commerce and IT manufacturing

The COBIT framework provides a dimensional view of the business strategy. This view is supported by the business functions and capabilities, as defined through and measured by its processes and the resources needed to execute those processes to meet criteria of organizational performance. COBIT is based upon the generally accepted information security principles of confidentiality, integrity and availability. Strengths and weaknesses are determined using performance metrics of effectiveness, efficiency, compliance and reliability.

Processes

COBIT processes are divided into four Domains that provide an outline of the main information technology control areas that are concerned with organizational management. The Domains include:
- Planning and organizing: adopting strategies and tactics, and defining information architecture
- Acquiring and implementing: identifying, implementing and integrating technologies with business practices
- Delivering and supporting: ensuring the availability, performance and security of services and the integrity of key information
- Monitoring: providing an audit trail to allow for internal transparency of reporting and external auditing

The Domains are designed to assist management in assessing the adequacy of controls for determining the state of the organization. Each Domain contains processes that define several activities that correlate tasks to Domains. The correlation, through processes, maps responsibilities for activities by organizational elements, and consequently the responsibilities of management are mapped to organizational domains.

Criteria

COBIT outlines management responsibilities to stakeholders (shareholders, employees and consumers) categorized as quality, fiduciary and security requirements. Each of these responsibilities requires further, more detailed requirements (see Table 2).
Table 2: Responsibility requirements

Requirement / Subcategories / Description
- Quality (subcategories: Quality, Cost, Delivery): Controls to assist in accurate definition of resource requirements, planning and management to meet customer requirements
- Fiduciary (subcategories: Effectiveness, Efficiency, Reliability, Compliance): Controls to ensure accurate, reliable information is available in a consistent manner; and to relate necessary controls to assist in meeting regulatory, legal and operational reporting requirements
- Security (subcategories: Confidentiality, Integrity, Availability): Controls to protect sources and methods of information, including its classification, management, handling, retention and destruction

Subcategory definitions:
- Effectiveness: The relevancy of information to the business process being measured, as well as the ability of the organization to deliver information in a timely, consistent, accurate and usable manner
- Efficiency: The ability of the organization to provide information with a constancy and measured economy of resources
- Reliability: The accuracy of information provided to management for operating and reporting on the performance of the business to both internal and external entities
- Compliance: The relationship of the business to its legal and regulatory requirements, and its measured or reported conformity to stated criteria
- Confidentiality: The protection of sensitive information (including private, protected and privileged) from unauthorized disclosure
- Integrity: The accuracy and completeness of information as well as its validity in accordance with the business set of values and expectations
- Availability: The organization's ability to provide or restore access to information when required by the business process

Resources

The information that business processes need is provided through the use of IT resources:
- People: training, culture, awareness and staff to accomplish business processes
- Application systems: automated and manual procedures, including systems and processes
- Technology: operating systems, networks, hardware, software, database management systems, imaging and printing systems
- Facilities: the physical operating environment consisting of buildings, supporting electrical and climate controls, and related safety and health equipment and structures
- Data: electronic information and paper documents as stored and managed by the organization

Appendix 4 relates the primary and secondary objectives of each identified COBIT control for performance measurement.

Using Standards like COBIT

A successful implementation of a comprehensive standard will provide controls that encompass corresponding regulatory compliance requirements (HIPAA, GLBA, SOX, or as required), which will reduce the organization's resource commitments to meet otherwise overlapping requirements of regulations. In a word, these standards offer efficiency. For example, COBIT is COSO-compliant (thus SOX requirements are met), it is an acceptable IT framework (thus ISO and industry-specific regulatory requirements are met), and it can be adjusted for implementation according to the needs of the organization (to include only the necessary components). One size does not fit all, so COBIT has been defined with self-inclusive controls. To understand how COBIT can be implemented to assist an organization in meeting internal organizational management goals, as well as redundant regulatory compliance requirements, two useful cases are available (source: ISACA 2005). Though generalized as an objective control, COBIT does offer specific guidance for some IT functions.
For example, COBIT contains 21 controls that specifically relate to the responsibilities of an organization to ensure confidentiality, integrity and availability through ensuring systems security. By performing the activities delineated in COBIT, companies can achieve and document regulatory compliance.

Solutions Provided by Juniper Networks

Because the best solutions vary by environment, a comprehensive list of controls provided by Juniper Networks goes beyond the scope of any single paper. In general, the requirements for ensuring compliance with operational, administrative or regulatory standards are to exhibit controls to protect private information, and controls to manage information in a secure environment. The following section maps Juniper Networks solutions, products and services to relevant COBIT control domains to assist companies implementing controls. Juniper Networks offers a unique architecture for providing these benefits, which enables organizations to provide fast, secure and reliable application delivery, and to demonstrate compliance.

High-Performance Networking

High-performance network infrastructures create responsive and trusted environments for accelerating the deployment of services and applications over a single network. Responsiveness and trust are established through controls in the areas of IP routing, security and WAN application acceleration, and result in the following:
- Protection and recovery of services and applications
- Consolidation and improvement of service and application delivery
- Operational improvements

Protection and Recovery

Protection and recovery controls secure services and applications from internal and external threats, and they mitigate risks that can lead to downtime and degraded service. In cases where systems or applications stall or fail, these controls help institute timely and full recovery.

Consolidation and Delivery

Consolidation of networks, network resources, applications and data simplifies protection and recovery and reduces the cost of compliance. Delivery improvements maximize uptime, increase responsiveness and accelerate performance.

Operations

Operational improvements simplify training and reduce administrative, customer care and labor costs. They can also help reduce human error, decreasing downtime and degraded service.

High-Performance Networking and COBIT Controls

Because high-performance networking is designed to provide fast, reliable and secure access to applications and services over a single network, it thoroughly addresses many of the IT controls delineated in COBIT and other such best-practices standards by design.

COBIT Control Domain 1: Planning and Organizing

The controls in this domain are largely strategic in nature, and involve such processes and activities as:
- Defining a strategic IT plan
- Defining the information architecture
- Determining the technological direction
- Assessing risks
- Managing quality

Juniper Networks can act in an advisory capacity to help organizations implement these strategic controls through our strategic vision, experience and expertise. High-performance networking, essentially a framework of network service requirements and their fulfillment through processes and technology, defines both long-term objectives and short-term product development. Juniper Networks can help organizations at the earliest stages of adopting best practices by applying the framework to that organization's current technology stance and future plans. Juniper Networks has over 10 years' experience developing and deploying networking technologies for carriers and enterprises. During this period, the company has established itself as both a technology leader and a market leader.
Organizations implementing COBIT can benefit from Juniper Networks' broad exposure to stringent networking and security requirements, as well as successful implementations in thousands of organizations in various industries around the world. Further, customers can utilize statistics provided by Juniper Networks products to assess existing systems before reevaluating and adapting plans for new initiatives. Understanding technology evolution and costs is required for developing long-term plans. Juniper Networks is staffed by technology experts, including contributors to standards bodies. Developing solutions based on open standards helps customers control costs and protect technology investments. Juniper has also developed models, lifecycle costs, and total cost of ownership (TCO) analyses that can help organizations understand costs over time.

COBIT Control Domain 2: Acquiring and Implementing

The controls in this domain bridge IT strategy and organizational operations, and involve such processes and activities as:
- Designing audit trails
- Designing and implementing technology and economic feasibility studies
- Acquiring and maintaining technology infrastructure
- Installing and accrediting systems
- Training

As with the Planning and Organizing controls described above, Juniper Networks can act in an advisory capacity for many of the activities outlined. Feasibility studies, audit trail design and other activities can be performed with the help of Juniper's technology and business experts. Additional services include certification training for routing and security platforms, as well as comprehensive support contracts for designing maintenance schedules and for resolving issues that may develop during implementation.

In addition, Juniper Networks' extensive network of certified resellers, J-Partners, can provide valuable services that ease acquisition, support and training. In order to be certified, J-Partners undergo comprehensive training and must exhibit extensive knowledge of network routing and security. With distributors, resellers, support partners and other value-adding organizations located around the world, the acquisition and implementation of Juniper Networks solutions can be accomplished in line with COBIT practices. Finally, with strategic technology partners that include leaders in applications, networking, security, communications and more, organizations can ensure interoperability and optimization of Juniper Networks solutions with existing and future applications and infrastructure.

COBIT Control Domain 3: Delivery and Support

The controls in this domain are tactical and involve the actual delivery, security and performance of IT services. Some Delivery and Support processes and activities include:
- Defining and managing service levels
- Managing performance and capacity
- Ensuring continuous service
- Ensuring system security
- Managing the configuration
- Managing problems and incidents
- Managing facilities
- Managing operations

The majority of controls in the domain correlate to the capabilities described by a high-performance networking architecture, namely availability, reliability, performance, capacity for growth, continuity planning and security. With products targeted at multiple strategic areas throughout the network, Juniper Networks offers numerous methods for implementing COBIT controls. The following are examples of how Juniper Networks solutions help with delivery and support.

Control over the IT Process of Defining and Managing Service Levels

Juniper Networks can help develop the criteria by which the organization should measure service levels, and can provide the products for achieving them.
Juniper solutions provide detailed reporting on network performance, the achievement of the specified service performance, and details of network usage. These details simplify investigation of failures and speed the adoption of corrective actions. All products are available in a choice of platforms to ensure adequate capacity and throughput. Juniper Networks provides a catalog of solutions with a selection of prices and capacities for greater operational control. Service improvement requirements that result from management and user agreements can be fulfilled while maximizing investment protection. Also, all products include comprehensive reporting capabilities that provide visibility into network traffic and usage patterns for monitoring and reporting. These reports can indicate trends in traffic fluctuations for purposes of forecasting and scheduling.

Control over the IT Process of Managing Third-Party Services

The J-Partner program described above helps channel partners streamline their business dealings with Juniper Networks, making it easier for them to respond to their customers' needs. J-Partner members are well trained and certified accordingly, enabling them to reduce the costs of implementation, configuration and management. This helps customers evaluate and identify qualified third parties. Though Juniper Networks manages the size of the channel to avoid potential conflicts, J-Partners are located throughout the world and can be reached easily. Organizations will typically be able to work with preferred vendors, and can easily identify secondary vendors for service continuity purposes. In addition to the J-Partner network, Juniper Networks is committed to maintaining strong direct relationships with customers through comprehensive support and training programs. Support levels are available to meet the needs of every organization, including dedicated Juniper technical account managers (JTAC), if required.
Customers can also undergo training and achieve certification for all products.

Juniper Networks' J-Security Center enables customers to interact with the company regarding security concerns. Additionally, Juniper delivers daily updates for the Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to ensure protection against the latest security threats.

Control over the IT Process of Managing Performance and Capacity

Central to deploying networked applications is ensuring the availability and optimization of adequate capacity to meet required performance needs. In the case of networking, this does not only mean provisioning adequate bandwidth. It also requires ensuring that bandwidth usage is optimized and that other factors impacting traffic, like latency, are minimized or overcome completely. Furthermore, it requires the deployment of network systems with adequate capacity and intelligence to handle fluctuating bandwidth requirements, while ensuring the performance levels of traffic according to application requirements. Juniper Networks solutions ensure the availability and performance of applications over networks and network segments of any size. Juniper Networks solutions are characterized by high performance and capacity. Routers are available in a choice of configurations. Whatever capacity specifications are required by the organization, Juniper's routers are the highest performing in their class. Routers are also available with comprehensive quality of service (QoS) features to manage and ensure performance levels for critical applications. Firewalls integrate purpose-built hardware and software to enhance operational stability while providing high performance. Performance-intensive applications like voice and multimedia are accommodated for all sizes of organizations. The IDP Series and the Deep Inspection capabilities found in routers and firewalls eliminate threats such as worms and Denial of Service (DoS) attacks that can hamper performance.
Furthermore, application acceleration platforms increase the performance of server farms as well as the path from the data center, through the internal network, and across the WAN.

Control over the IT Process of Ensuring Continuous Service

The importance of availability and contingency planning, in particular to such customers as carriers and financial institutions, is well known to Juniper Networks. In addition to ensuring the availability and performance of systems as described above, organizations must plan for network downtime and degraded service on both small and large scales. For this reason, the stability, resiliency and high availability (HA) capabilities of high-performance networking are central to all Juniper Networks products, not only to those designed to provide HA. Routing platforms provide layers of availability through redundant components and sub-second failover, and support BGP multihoming to overcome Internet service provider (ISP) failure. Juniper Networks firewalls, which are characterized by their enhanced operational stability, provide sub-second failover. To maintain information privacy, companies use VPNs to encrypt backup data that is broadcast to remote sites. Application acceleration solutions speed up replication across the WAN, ensuring successful backup and restore to offsite locations while controlling costs. Typically, manual backup is subject to high rates of failure and incompleteness, which is particularly problematic for organizations with many remote and branch offices. Since application acceleration solutions enable real-time data replication, organizations can operate backup sites in an active/active mode. This helps them test the IT continuity plan by establishing that backup sites are up to date and properly functioning at all times.

Control over the IT Process of Ensuring System Security

Juniper Networks helps organizations implement security system controls in line with high-performance network architectures.
Many security control features are available in product lines not traditionally thought of as security related. The result is a layered defense for organizations where Juniper Networks solutions defend themselves and network resources at critical points across the organization. This pervasive security protects systems and information from a large variety of attacks originating internally and externally, and aimed at users, applications, data and devices. Because Juniper Networks is a leader in network security solutions, offering a spectrum of market-leading products that include firewall, VPN, intrusion detection and prevention, and antivirus features, we can help to devise and implement comprehensive security plans that are in line with business objectives, industry practices, standards and regulations, and that align with other IT requirements like performance and availability. Additionally, Juniper Networks partners with other industry-leading security organizations to provide comprehensive solutions that include leading-edge security techniques and systems.

Routers are available with firewall, MPLS and IPsec VPN, and Deep Inspection functionality. Additionally, Juniper Networks routers are themselves secure and are not exposed to the large number of exploits and attacks aimed at competitive routers.

COBIT specifically requires the implementation of firewalls by organizations connected to the Internet. In addition to controlling bidirectional traffic flows and protecting against DoS attacks as required, Juniper Networks firewalls deliver other critical capabilities. For example, Juniper's unified threat management (UTM) firewalls support Deep Inspection and antivirus functionality to detect and remove malicious software like viruses from network traffic. Also, Juniper Networks firewalls can be used to create network security zones that help limit access to areas of the network, making it easier to enforce needs-based access to certain data.

Trusted paths for systems access can be created using a combination of IPsec, SSL and MPLS-based VPNs, and contribute to the organization's identification, authentication and access-control processes. Juniper Networks VPNs can integrate with third-party authentication systems to simplify creating and managing centralized sign-on requirements.

IDP Series Intrusion Detection and Prevention Appliances monitor network traffic and detect and block malicious traffic in real time. Some of this traffic, like worms, trojan horses and other malicious software, can compromise data, applications and devices across the network. The IDP Series also provides comprehensive and detailed logging of network traffic and events for purposes of surveillance logging and the compilation of violation and security activity reports.

In addition to the examples given above, Juniper Networks products, solutions and partner relationships contribute to implementing these COBIT delivery and support controls in ways not described here, as well as supporting many of the controls not listed.
COBIT Control Domain 4: Monitoring

The controls in this domain are tactical and provide critical feedback for ongoing tactical and strategic processes and activities. Monitoring processes and activities include:

Collecting monitoring data
Assessing performance
Assuring operational security and internal control
Providing for independent audit

As noted above, Juniper Networks products provide comprehensive logs and reports of events and performance. Additionally, Juniper Networks partners have developed extremely detailed reporting mechanisms that compile and format information from Juniper Networks products for both internal and external auditing purposes.
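The IDP Series logging described in the System Security section and the "collecting monitoring data" activity of this domain both come down to turning device records into evidence an auditor can review. The following is an added example, not code from Juniper Networks or from this paper: it parses a constructed key=value log format (an assumption, not the real output of any Juniper product) and compiles a violation and security-activity summary covering denied sessions per source, high-severity IDP events, permitted sessions across zone pairs that the needs-based access policy forbids, and hits on a catch-all policy; the hostnames, addresses and forbidden zone pairs are likewise assumptions.

```python
"""Compile a security activity report from firewall/IDP log lines.

Added example for the COBIT Monitoring (M1) and Ensure Systems Security (DS5)
controls. The log format, hostnames, addresses and policy names below are
constructed for illustration; they are not the output of any Juniper product.
"""
import re
from collections import Counter

# Constructed sample records: zone-to-zone firewall sessions and IDP signature
# hits, plus one non-log line to show how unparseable input is handled.
SAMPLE_LOGS = """\
2009-02-10T08:00:01Z fw1 action=permit src_zone=trust dst_zone=untrust src=10.1.1.5 dst=203.0.113.9 dport=443 policy=web-out user=alice
2009-02-10T08:00:03Z fw1 action=deny src_zone=untrust dst_zone=dmz src=198.51.100.77 dst=10.2.0.10 dport=3389 policy=default-deny
2009-02-10T08:00:04Z fw1 action=deny src_zone=untrust dst_zone=dmz src=198.51.100.77 dst=10.2.0.10 dport=22 policy=default-deny
2009-02-10T08:00:09Z fw1 action=permit src_zone=guest dst_zone=finance src=10.9.0.4 dst=10.5.0.20 dport=1433 policy=any-any user=bob
2009-02-10T08:01:15Z idp1 action=drop severity=high sig=WORM:SAMPLE-PROPAGATION src=10.1.1.22 dst=10.1.1.23 dport=445
2009-02-10T08:01:16Z fw1 action=deny src_zone=untrust dst_zone=dmz src=198.51.100.77 dst=10.2.0.10 dport=23 policy=default-deny
2009-02-10T08:02:40Z idp1 action=alert severity=medium sig=HTTP:SAMPLE-SCANNER src=198.51.100.12 dst=10.2.0.10 dport=80
this line is not a log record and must be skipped
"""

# Zone pairs that the (constructed) needs-based access model never permits.
FORBIDDEN_ZONE_PAIRS = {("guest", "finance"), ("untrust", "finance")}

_HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)
_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of fields for one record, or None if it is not a log record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = dict(_KV.findall(m.group("rest")))
    if "action" not in fields:          # every usable record carries an action
        return None
    fields["ts"] = m.group("ts")
    fields["host"] = m.group("host")
    return fields


def parse_logs(text):
    """Parse all lines; return (records, number_of_skipped_lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1                # unparseable input is itself an audit finding
        else:
            records.append(rec)
    return records, skipped


def compile_report(records, forbidden_pairs=FORBIDDEN_ZONE_PAIRS):
    """Aggregate parsed records into the figures an auditor reviews."""
    by_action = Counter(r["action"] for r in records)
    denied_by_source = Counter(r["src"] for r in records if r["action"] == "deny")
    idp_high = [r for r in records if r.get("severity") == "high"]
    # A permitted session between forbidden zones is a needs-based access violation.
    zone_violations = [
        r for r in records
        if r["action"] == "permit"
        and (r.get("src_zone"), r.get("dst_zone")) in forbidden_pairs
    ]
    # Sessions matched by a catch-all rule show where policy is too permissive.
    catch_all_hits = [r for r in records if r.get("policy") == "any-any"]
    return {
        "by_action": dict(by_action),
        "denied_by_source": denied_by_source.most_common(),
        "idp_high": idp_high,
        "zone_violations": zone_violations,
        "catch_all_policy_hits": catch_all_hits,
    }


def render_report(report, skipped=0):
    """Render the report as plain text suitable for an internal or external audit."""
    lines = ["Security activity report (COBIT DS5 / M1 evidence)"]
    lines.append("Events by action: " + ", ".join(
        f"{k}={v}" for k, v in sorted(report["by_action"].items())))
    lines.append("Denied sessions by source:")
    for src, n in report["denied_by_source"]:
        lines.append(f"  {src}: {n}")
    lines.append(f"High-severity IDP events: {len(report['idp_high'])}")
    for r in report["idp_high"]:
        lines.append(f"  {r['ts']} {r['sig']} {r['src']} -> {r['dst']}:{r['dport']}")
    lines.append(f"Needs-based access violations: {len(report['zone_violations'])}")
    for r in report["zone_violations"]:
        lines.append(f"  {r['ts']} {r['src_zone']}->{r['dst_zone']} "
                     f"user={r.get('user', '?')} policy={r.get('policy')}")
    lines.append(f"Sessions matched by catch-all policy: {len(report['catch_all_policy_hits'])}")
    lines.append(f"Unparseable lines skipped: {skipped}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs, skipped_lines = parse_logs(SAMPLE_LOGS)
    print(render_report(compile_report(recs), skipped_lines))
```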

Conclusion

The goal of every standard is to have an assurance of measurable attributes. In information security or information management, the objective is to define and test to a rigorous standard in order to provide information assurance. Information assurance is achieved by demonstrating the confidentiality of information maintained, proving the integrity of data, testing the availability of systems and processes, and ensuring efficiency of scale and operations. Effectiveness is determined by all concerned parties through repeatable processes, including education and management of the organization.

A myriad of complex standards and regulations exist, and as the global marketplace continues to evolve and expand, information assurance must necessarily also evolve and expand. As more standards emerge, more assurance with increasingly exacting requirements will be needed. Adopting a system of standards of practice, like COBIT, will help organizations navigate the complex world of regulations, and position themselves for efficient and effective compliance with additional regulations as they are developed, or as the organization grows. Based on its high-performance network architecture, which maps to a broad collection of controls like those in COBIT, Juniper Networks provides products, services and expertise that can help organizations design and implement organizational controls to ensure regulatory compliance.

References

AICPA/CICA SysTrust Principles and Criteria for Systems Reliability, Version 1.0: American Institute of Certified Public Accountants, New York, and Canadian Institute of Chartered Accountants, Toronto.
An Introduction to Computer Security: The NIST Handbook: NIST Special Publication, National Institute of Standards and Technology, U.S. Department of Commerce, Washington, DC.
BS7799 Information Security Management: British Standards Institute, London.
COBIT 3rd Edition: Framework, IT Governance Institute, Rolling Meadows, IL, USA.
COBIT 3rd Edition: Management Guidelines, IT Governance Institute, Rolling Meadows, IL, USA.
Common Criteria and Methodology for Information Technology Security Evaluation: CSE (Canada), SCSSI (France), BSI (Germany), NLNCSA (Netherlands), CESG (United Kingdom), NIST (USA) and NSA (USA).
COSO: Committee of Sponsoring Organizations of the Treadway Commission. Internal Control Integrated Framework. 2 Vols. American Institute of Certified Accountants, New Jersey.
Denmark Generally Accepted IT Management Practices: The Institute of State Authorized Accountants, Denmark.
DRI International, Professional Practices for Business Continuity Planners: Disaster Recovery Institute International. Guideline for Business Continuity Planners, St. Louis, MO.
DTI Code of Practice for Information Security Management: Department of Trade and Industry and British Standard Institute. A Code of Practice for Information Security Management, London, 1993.
Financial Information Systems Control Audit Manual (FISCAM): US General Accounting Office, Washington, DC.
Government Auditing Standards: US General Accounting Office, Washington, DC.
Guide for Developing Security Plans for Information Technology: NIST Special Publication, National Institute for Standards and Technology, US Department of Commerce, Washington, DC.
ISO: International Organization for Standardization. Quality Management and Quality Assurance Standards Part 3: Guidelines for the Application of ISO 9001 to the development, supply and maintenance of software, Switzerland.
ISO 9001, International Organization for Standardization (ISO), Quality Management Standard, Switzerland.
ISO IEC 15408, International Organization for Standardization (ISO), Evaluation Criteria for Information Technology Security, Switzerland.
ISO IEC 17799, International Organization for Standardization (ISO), Code of Practice for Information Security Management, Switzerland.
ISO IEC JTC1/SC27 Information Technology Security: International Organization for Standardization (ISO) Technical Committee on Information Technology Security, Switzerland.
ISO IEC JTC1/SC7 Software Engineering: International Organization for Standardization (ISO) Technical Committee on Software Process Assessment. An Assessment Model and Guidance Indicator, Switzerland.
ISO TC68/SC2/WG4, Information Security Guidelines for Banking and Related Financial Services: International Organization for Standardization (ISO) Technical Committee on Banking and Financial Services, Draft, Switzerland.
ISO TR 13334, International Organization for Standardization (ISO), Information Technology Guidelines for the Management of IT Security, Switzerland.
ISO/IEC TR 1335-n Guidelines for the Management of IT Security (GMITS), Parts 1-5: International Organization for Standardization, Switzerland.
IT Infrastructure Library (ITIL), British Office of Government Commerce (OCG), Central Computer and Telecommunications Agency (CCTA), London.
ITIL IT Management Practices: Information Technology Infrastructure Library. Practices and guidelines developed by the Central Computer and Telecommunications Agency (CCTA), London.
Japan Information Systems Auditing Standards: Information System Auditing Standard of Japan. Provided by the Chuo Audit Corporation, Tokyo.
National Institute of Standards and Technology (NIST), An Introduction to Computer Security: The NIST Handbook, Special Publication, USA.
OECD Guidelines: Organization for Economic Co-operation and Development. Guidelines for the Security of Information, Paris.
Paulk, M.C., et al: Capability Maturity Models for Software, CMU/SEI-93-TR-24, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA, USA.
SPICE: Software Process Improvement and Capability Determination. A standard on software process improvement, British Standards Institution, London.
TickIT: Guide to Software Quality Management System Construction and Certification, British Department of Trade and Industry (DTI), London.

Appendix 1: Sample International Standards

The original table lists standards by subject with a region for each; the region values are given after the standards, in the order they appear, since their alignment with individual rows was lost.

SUBJECT: IT Management
- COBIT
- BS IT Information Library (ITIL)
- Microsoft Operations Framework (MOF)

SUBJECT: Project Management
- PRINCE2
- Project Management Body of Knowledge (PMBOK)

SUBJECT: Security Management
- ISO / / / / 15485 / BS Handbook on IT Security
- IT Baseline Protection Manual
- Australian Communications Electronic Security Instruction (ACSI 33)
- National Institute of Science and Technology (NIST SP800-12)
- COBIT Security Baseline
- Information Security Forum Standard of Good Practice
- Federal Information Processing Standards (FIPS 87/112/197)
- Federal Energy Reliability Commission / North American Electrical Reliability Conference Urgent Action Standard Cyber Security 1200 (CS1200)
- European Telecommunications Standards Institute (ETSI Baseline Security)
- Organisation for Economic Co-operation and Development (OECD) Security Guidelines
- Office of Management & Budget (OMB) Circular A
- National Security Telecommunications & Information Security Systems Instructions (NSTISSI)
- Internet Engineering Task Force (IETF) RFC
- Federal Communications Commission / Network Reliability & Interoperability Council (FCC/NRIC)
- Generally Accepted System Security Principles (GASSP)
- Federal Information Systems Management Act (FISMA)

SUBJECT: Privacy Management
- EU Data Protection Directive
- EU Directive on Privacy in Electronic Communication
- Health Insurance Portability & Accountability Act (HIPAA)
- Gramm-Leach Bliley Act (GLBA)
- California Security Breach Information Act (SB1386)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- OECD Privacy Directive
- Asia-Pacific Economic Co-operation (APEC) Privacy Principle (in development)
- Children's Online Privacy Protection Act (COPPA)
- ENV12924

SUBJECT: Quality Management
- ISO 9001 / European Foundation for Quality Management (EFQM)
- Baldrige National Quality Program

REGION (as extracted): /Canada; UK; Canada; Germany; Australia; US/Canada; EU; EU; EU; (California); Canada; EU; EU

SUBJECT: Change Management
- TickIT
- Capability Maturity Model Integration (CMMI)
- SPICE

SUBJECT: IT Governance
- COBIT, IT Governance Implementation Guide
- COSO Internal Control Integrated Framework
- COSO Enterprise Risk Management Integrated Framework
- Australia Standard (AS)

SUBJECT: Risk Management
- Australia/New Zealand Standards (AS/NZS)
- COSO
- Securities & Exchange Commission (SEC) Rules 7/8(a)
- Federal Deposit Insurance Corporation (FDIC) Regulation E/Z

SUBJECT: Business Continuity
- BS PAS-56
- AS/NZS 4360, AS HB
- National Fire Protection Association (NFPA)

SUBJECT: Auditing
- General Accounting Office (GAO)
- COBIT
- COSO
- ISO
- SOX
- Information System Auditing Standard
- Generally Accepted IT Audit Standard

REGION (as extracted): UK; UK; /Canada; /Canada; /Canada; Australia; Australia; /Canada; Australia; /Canada; /Canada; Japan; Denmark

Appendix 2: US Regulatory Enforcement and Penalties Example

Columns of the original table: REGULATIONS, ENFORCED BY, PENALTIES, REVIEW TIMING.

FCC Privacy. Enforced by: FCC. Penalties: up to $11,000 per violation. Review timing: ad hoc.
EU Directive. Enforced by: EU Commission. Penalties: civil, criminal, business sanctions. Review timing: annually.
HIPAA. Enforced by: HHS/CMS. Penalties: civil, up to $100 per violation per person; criminal, up to $250,000 and 10 years in prison. Review timing: annually.
GLBA. Enforced by: FRB, FDIC, SEC, FTC, OCC, OTS. Penalties: civil, officers' and directors' personal liability of up to $10,000 per violation; criminal, business liability of $100,000 per violation and up to 5-10 years in prison according to the corresponding violations; sanctions, FDIC insurance termination, up to $1,000,000 FDIC penalty or 1% of financial assets, removal of directors and officers. Review timing: annually.
SOX. Enforced by: SEC. Penalties: up to $500,000 fine and up to 10 years in prison. Review timing: annually.
FERC/NERC CS1200. Enforced by: FERC, Regional CEP. Penalties: civil remedies and criminal penalties. Review timing: quarterly.
UK IT Governance. Enforced by: COBIT, IT Governance. Penalties: -. Review timing: -.
CA SB1386. Enforced by: law enforcement agencies. Penalties: civil remedies and criminal penalties. Review timing: in response to an incident.
FRCP. Enforced by: law enforcement agencies. Penalties: contempt of court. Review timing: ad hoc.

Appendix 3: US Regulatory Enforcement and Penalties Example

The original table marks, for each COBIT control objective, which of the following best practices, laws and regulations it maps to. Only the row and column labels are recoverable here; an asterisk (*) notes security control objectives.

Best Practices: ISO, ISO, ISO, ITIL
Legal: BASEL II, FRCP, CA SB1386
Regulatory: HIPAA, GLBA, SOX, FERC/NERC, FCC, FDIC

COBIT Control Objectives and Procedures

Plan and Organize
PO1* Define a strategic IT plan
PO2* Define the information architecture
PO3 Determine the technological direction
PO4* Define the IT organization and relationships
PO5 Manage the IT investment
PO6* Communicate management aims and direction
PO7* Manage human resources
PO8* Ensure compliance with external requirements
PO9* Assess risks
PO10 Manage projects
PO11* Manage quality

Acquire and Implement
AI1* Identify automated solutions
AI2 Acquire and maintain application software
AI3* Acquire and maintain technology infrastructure
AI4* Develop and maintain procedures
AI5* Install and accredit systems
AI6* Manage changes

Deliver and Support
DS1* Define and manage service levels
DS2* Manage third-party services
DS3 Manage performance and capacity
DS4* Ensure continuous service
DS5* Ensure systems security
DS6 Identify and allocate costs
DS7* Educate and train users
DS8* Assist and advise customers
DS9* Manage the configuration
DS10* Manage problems and incidents
DS11* Manage data
DS12* Manage facilities
DS13 Manage operations

Monitor and Evaluation
M1* Monitor the processes
M2* Assess internal control adequacy
M3* Obtain independent assurance
M4 Provide for independent audits

* Notes security control objectives

Appendix 4: COBIT Controls Objectives

The original table rates each COBIT control objective against the information criteria and marks the IT resources it applies to. Only the row and column labels and the legend are recoverable here.

Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: People, Applications, Technology, Facilities, Data
Legend: (P) primary; (S) secondary; (3) applies to

COBIT Control Objectives and Processes

Plan and Organize
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

Acquire and Implement
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain procedures
AI5 Install and accredit systems
AI6 Manage changes

Deliver and Support
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Assist and advise customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

Monitor and Evaluation
M1 Monitor the processes
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audits

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at


More information

SECURE ACCESS TO THE VIRTUAL DATA CENTER

SECURE ACCESS TO THE VIRTUAL DATA CENTER SOLUTION BRIEF SECURE ACCESS TO THE VIRTUAL DATA CENTER Ensure that Remote Users Can Securely Access the Virtual Data Center s Virtual Desktops and Other Resources Challenge VDI is driving a unique need

More information

JUNOScope IP Service Manager

JUNOScope IP Service Manager Datasheet JUNOScope IP Service Manager Product Description As service providers and enterprises evolve to meet the demands of their customer base, one key to success is the enhancement of operational efficiencies

More information

Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM)

Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM) White Paper Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM) When It Comes To Monitoring and Validation It Takes More Than Just Collecting Logs Juniper

More information

Remote Access Protection

Remote Access Protection IMPLEMENTATION GUIDE Remote Access Protection Best Practices for Implementing Remote Access Protection Using Juniper Networks SA Series SSL VPN Appliances, IDP Series Intrusion Detection and Prevention

More information

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH Information Security Policies and Procedures Development Framework for Government Agencies First Edition - 1432 AH 6 Contents Chapter 1 Information Security Policies and Procedures Development Framework

More information

MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS

MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS APPLICATION NOTE MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS Migrating Advanced Security Policies to SRX Series Services Gateways Copyright 2009, Juniper Networks, Inc.

More information

NETWORK AND SECURITY MANAGER

NETWORK AND SECURITY MANAGER DATASHEET NETWORK AND SECURITY MANAGER Product Overview Juniper Networks Network and Security Manager (NSM) is a unified device management solution for Juniper s network infrastructure of routing, switching

More information

Strategic Network Consulting

Strategic Network Consulting Strategic Network Consulting Service Description Document November 2009 Contents 1. Introduction... 2 2. Eligibility and Prerequisites... 2 3. Service Features and Deliverables... 2 4. Customer Responsibilities...

More information

INSIDE. Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats

INSIDE. Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats Symantec Enterprise Security WHITE PAPER Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats INSIDE Executive Summary Challenges to securing NAS An effective

More information

SOLUTION BROCHURE. Lifecycle Wireless Infrastructure, Security and Services Management

SOLUTION BROCHURE. Lifecycle Wireless Infrastructure, Security and Services Management SOLUTION BROCHURE Wireless LAN Management Solution Overview Lifecycle Wireless Infrastructure, Security and Services Management Wireless LAN Management Solution Overview A successful wireless LAN (WLAN)

More information

The Global Attacker Security Intelligence Service Explained

The Global Attacker Security Intelligence Service Explained White Paper How Junos Spotlight Secure Works The Global Attacker Security Intelligence Service Explained Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

How To Protect Your Network From Attack From A Malicious Computer (For A Network) With Juniper Networks)

How To Protect Your Network From Attack From A Malicious Computer (For A Network) With Juniper Networks) PRODUCT CATEGORY BROCHURE Juniper Networks Integrated Firewall/VPN Platforms Strong Security for Access Control, User Authentication, and Attack Protection at the Network and Application Level As threats

More information

PERFORMANCE VALIDATION OF JUNIPER NETWORKS SRX5800 SERVICES GATEWAY

PERFORMANCE VALIDATION OF JUNIPER NETWORKS SRX5800 SERVICES GATEWAY APPLICATION NOTE PERFORMANCE VALIDATION OF JUNIPER NETWORKS SRX5800 SERVICES GATEWAY Copyright 2010, Juniper Networks, Inc. Table of Contents Introduction........................................................................................

More information

White Paper. Protect Your Virtual. Realizing the Benefits of Virtualization Without Sacrificing Security. Copyright 2012, Juniper Networks, Inc.

White Paper. Protect Your Virtual. Realizing the Benefits of Virtualization Without Sacrificing Security. Copyright 2012, Juniper Networks, Inc. White Paper Five Best Practices to Protect Your Virtual Environment Realizing the Benefits of Virtualization Without Sacrificing Security Copyright 2012, Juniper Networks, Inc. 1 Table of Contents Executive

More information

Identity-Based Traffic Logging and Reporting

Identity-Based Traffic Logging and Reporting Application Note Identity-Based Traffic Logging and Reporting Using UAC in Conjunction with NSM and Infranet Enforcers to Give Additional, User-Identified Visibility into Network Traffic Juniper Networks,

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

Enterprise Computing Solutions

Enterprise Computing Solutions Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

Security Portfolio. Juniper Networks Integrated Firewall/VPN Platforms. Product Brochure. Internet SRX 5600. Fixed Telecommuter or Small Medium Office

Security Portfolio. Juniper Networks Integrated Firewall/VPN Platforms. Product Brochure. Internet SRX 5600. Fixed Telecommuter or Small Medium Office Fixed Telecommuter or Small Medium Office NSM NSM Regional Office SSG 550M Product Brochure Security Portfolio Juniper Networks Integrated Firewall/VPN Platforms SSG 140 Branch Office... SSG 320M... SSG

More information

Customer Benefits Through Automation with SDN and NFV

Customer Benefits Through Automation with SDN and NFV Customer Benefits Through Automation with SDN and NFV Helping service providers solve specific challenges they are facing today while improving the overall customer service life cycle 1 Table of Contents

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

PRODUCT CATEGORY BROCHURE INTEGRATED FIREWALL/ VPN PLATFORMS

PRODUCT CATEGORY BROCHURE INTEGRATED FIREWALL/ VPN PLATFORMS PRODUCT CATEGORY BROCHURE INTEGRATED FIREWALL/ VPN PLATFORMS Strong Security for Access Control, User Authentication, and Attack Protection at the Network and Application Level As threats to the network

More information

kamai Technologies Inc. Commonly Accepted Security Practices and Recommendations (CASPR)

kamai Technologies Inc. Commonly Accepted Security Practices and Recommendations (CASPR) kamai Technologies Inc. Commonly Accepted Security Practices and Recommendations (CASPR) June 2015 Table of Contents CASPR... 2 FIPS 140-2: Security Requirements For Cryptographic Modules... 2 Federal

More information

NETWORK AND SECURITY MANAGER APPLIANCES (NSMXPRESS AND NSM3000)

NETWORK AND SECURITY MANAGER APPLIANCES (NSMXPRESS AND NSM3000) DATASHEET NETWORK AND SECURITY MANAGER APPLIANCES ( AND ) Product Overview Now more than ever, network operators need the ability to easily manage security policies and to have visibility into potential

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Brainloop Cloud Security

Brainloop Cloud Security Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating

More information

JUNIPER NETWORKS WIRELESS LAN SOLUTION

JUNIPER NETWORKS WIRELESS LAN SOLUTION SOLUTION BROCHURE JUNIPER NETWORKS WIRELESS LAN SOLUTION Deliver Secure, Scalable, and Reliable Campus Mobility While Maximizing Performance and Minimizing Cost of Ownership Wireless LAN Solution Overview

More information

Securing the Cloud Infrastructure

Securing the Cloud Infrastructure EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

Defending the Database Techniques and best practices

Defending the Database Techniques and best practices ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target

More information

Secure, Mobile Access to Corporate Email, Applications, and Intranet Resources

Secure, Mobile Access to Corporate Email, Applications, and Intranet Resources APPLICATION NOTE Juniper NETWORKS SSL VPN and Windows Mobile Secure, Mobile Access to Corporate Email, Applications, and Intranet Resources Table of Contents Introduction.........................................................................................

More information

Security Solutions Portfolio

Security Solutions Portfolio Fixed Telecommuter or Small Medium Office Regional Office SSG 520M SSG 550M Security Solutions Portfolio Integrated Firewall/VPN Solutions SSG 140 Branch Office... SSG 320M... SSG 350M... SSG 5 SSG 20...

More information

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance WHITE paper Complying with the Federal Information Security Management Act How Tripwire Change Auditing Solutions Help page 2 page 3 page 3 page 3 page 4 page 4 page 5 page 5 page 6 page 6 page 7 Introduction

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Limitation of Riverbed s Quality of Service (QoS)

Limitation of Riverbed s Quality of Service (QoS) Application Note Limitation of Riverbed s Quality of Service (QoS) Riverbed s Quality of Service (QoS) configuration and limitations Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California

More information

Tufin Orchestration Suite

Tufin Orchestration Suite Tufin Orchestration Suite Security Policy Orchestration across Physical Networks & Hybrid Cloud Environments The Network Security Challenge In today s world, enterprises face considerably more network

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Scalability in Log Management

Scalability in Log Management Whitepaper Scalability in Log Management Research 010-021609-02 ArcSight, Inc. 5 Results Way, Cupertino, CA 95014, USA www.arcsight.com info@arcsight.com Corporate Headquarters: 1-888-415-ARST EMEA Headquarters:

More information

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive

More information

Virus Protection Across The Enterprise

Virus Protection Across The Enterprise White Paper Virus Protection Across The Enterprise How Firewall, VPN and /Content Security Work Together Juan Pablo Pereira Sr. Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda Avenue

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite.

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite. White Paper Securing Today s Mobile Workforce Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite Copyright 2012, Juniper Networks, Inc. 1 Table

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments. Security management solutions White paper IBM Tivoli and Consul: Facilitating security audit and March 2007 2 Contents 2 Overview 3 Identify today s challenges in security audit and compliance 3 Discover

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES SOX COMPLIANCE Achieving SOX Compliance with Professional Services The Sarbanes-Oxley (SOX)

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Applying LT Auditor+ to Address Regulatory Compliance Issues

Applying LT Auditor+ to Address Regulatory Compliance Issues Applying LT Auditor+ to Address Regulatory Compliance Issues An Executive White Paper By BLUE LANCE, Inc. BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com In today s business environments,

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Achieving SOX Compliance with Masergy Security Professional Services

Achieving SOX Compliance with Masergy Security Professional Services Achieving SOX Compliance with Masergy Security Professional Services The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (and commonly called

More information