whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

Transcription

1 Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

2 Table of Contents 3 10 Essential Steps 3 Understand the Requirements 4 Implement IT Controls that Affect your Business 4 Define the Compliance Processes and Success Criteria 4 Identify All In-Scope IT Components 5 Collect Relevent User and System Activities 5 Store All Logs Centrally and Effeciently as Required 5 Implement Regular Tasks 6 Verify Continuous Monitoring 6 Demonstrate Compliance Status to Auditors 6 Substantiate Reports and Alerts 6 Conclusion

3 Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance Compliance without Complexity TIBCO LogLogic Compliance Manager lets you monitor enterprise activity and manage risk, as well as manage and review network policies according to mandates and regulations. Each TIBCO LogLogic Compliance Suite edition augments the LogLogic platform with hundreds of specialized reports and alerts specifically tuned to the requirements of an individual mandate: IT Governance Institutes IT governance and control framework (COBIT) Federal Information Security Management Act (FISMA) Health Insurance Portability and Accountability Act (HIPAA) ISO 27002, an international information security standard (ISO) IT Infrastructure Library (ITIL) North America Electric Reliability Council (NERC) Payment Credit Card Industry Data Security Standard (PCI DSS) Sarbanes-Oxley Act (SOX) IT Governance is not security or compliance alone; the challenge is to stay secure and compliant while enhancing business performance. Khalid Kark, Principal Analyst, Information Security and Risk Management at Forrester Research Inc. 10 Essential Steps Getting started with an enterprisewide strategy for compliance requires an understanding of the requirements particular to your industry and business. Then, policies must be put in place for collecting, alerting, reporting on, storing, searching, and sharing data from all systems, applications, and network elements. This creates a closedloop process that governs the lifecycle of enterprise data and ensures your compliance program is successful. Here are the 10 essential steps for implementing a successful enterprisewide compliance program: 1 Understand the Requirements The first step is to understand the requirements of the regulations you must meet in your industry. No matter what industry your company plays in, there are numerous mandates and regulations that apply, as well as frameworks and controls that help various business units within an organization maintain security and risk management policies. Failing to follow certain controls can result in lost customers or lost jobs, whereas failure to meet industry regulations and legal mandates could result in more serious ramifications, such as fines or even imprisonment. A thorough understanding of the requirements applicable to your industry can prevent unnecessary problems. 3

4 2 Implement IT Controls that Affect your Business Putting IT controls and frameworks in place helps govern compliance tasks and keeps companies on track. However, this requires an understanding of the specific language within those frameworks regarding log data management. The most common frameworks COBIT/SOX, ISO, NIST, FISMA, and PCI all have specific language pertaining to log data collection and retention. For example, requirement 10 within the PCI standard states that companies must log and track user activities, automate and secure audit trails, review logs daily, and retain the audit trail for at least a year. Other frameworks have similar requirements for log data collection and retention. It s important that companies not only implement the frameworks, but really understand what they re asking for. Using LogLogic we achieved a return on investment in under six months, something that would have been impossible using an open source solution. But the rewards didn t stop there once we had the LogLogic appliance installed, we noticed that we could see details of our network processes never before possible, significantly improving our awareness of security issues and enabling us to respond accordingly. Florian Gohlke, chairman of LAVEGO AG 3 Define the Compliance Processes and Success Criteria After you understand the requirements of a given regulation or mandate, then determine the scope, configuration, and mechanism for collecting, alerting on, reporting on, and retaining the data necessary to satisfy auditors or stakeholders. This step-by-step process allows you to define goals and key tasks for successful compliance. For example, when you determine the scope, your goal should be to identify all system components that are subject to a given regulation. Then you can define key tasks related to that goal. When those tasks are complete, you can move to configuring network elements, systems, and applications to generate the required log messages. After configuration, you can move to defining dependent tasks for important compliance activities, including the collection and retention of data, setting up automated alerts, and reporting on that data. We needed a solution that would collect all of the necessary logs in one place and that would ensure compliance while also helping us to reduce the time it took to generate reports. Daniel Barone, system administrator, Plantronics Though its TIBCO LogLogic solution was targeted for compliance reporting, Ameren Corporation discovered unexpected benefits, for example, firewall changes were supposed to go through a formal change request process, but were sometimes forgotten in emergencies. Using LogLogic, IT administrators could see when a firewall changed and react accordingly. Additionally, LogLogic shows what changes were requested and approved and compares this information to what was actually changed, ensuring closed loop security. 4 Identify All In-Scope IT Components It s a misconception that only hardware should be monitored for compliance. Servers, applications, and homegrown systems should also be monitored. The specific components that need monitoring will depend on the mandates and regulations that apply to your industry. For example, if PCI applies to your business, all components that transmit, process, or store financial information are in-scope. 4

5 The Lowry, a prestigious theatre and arts center, needed a log management system that would work with its existing infrastructure, meet PCI DSS compliance regulations, and address security, event management, and best practices needs. Beyond compliance, LogLogic alerts The Lowry to any potential external threats. If someone is trying to hack into the website, for example through brute force attacks, the LogLogic appliance alerts the IT team. Prior to LogLogic, the team would have no idea an attack was happening until a security event occurred. In addition to providing PCI compliance, The Body Shop s LogLogic solution helps the IT team discover and troubleshoot other system issues. When the team needed a highly secured network zone for credit card handling to process some noncredit card information, the log data provided by LogLogic helped identify how to make the systems talk to one another. LogLogic software also helped The Body Shop identify pointof-sale software that was generating significant amounts of traffic. Because of the system intelligence provided by LogLogic, The Body Shop was able to reduce traffic by reconfiguring the software. 5 Collect Relevent User and System Activities Log data from IT components across the enterprise provides a fingerprint of user activity. This information includes failed logon attempts, security breaches, file uploads and downloads, credit card data access, information leaks, user and system activity, privileges assigned and changed, runaway applications, customer transactions, and data. This is the information that auditors will expect you to monitor on a daily basis. Log data contains a wealth of information that provides insight into the health and security of the network; hence, it s critical to collect, store, and have access to all of it. 6 Store All Logs Centrally and Effeciently as Required All information from network components (hardware, servers, applications, and homegrown systems) should be collected over geographically distributed locations and placed in a central archive. This archive should be stored long-term for regulatory compliance. Most regulations specify that log data should be stored for 1 7 years: 7 years for long-term archival 1 to 3 years for immediate forensics and compliance access 90 days online for operational use This should never be an all or nothing stop gap. Too much archived information can be as costly and inefficient as not having enough. Ensure all noise or irrelevant data does not take up valuable disk space or slow down your search and discovery efforts. 7 Implement Regular Tasks Although some tasks, such as user activity monitoring, must be completed on a daily basis, others are required on a weekly, monthly, or even on an as-needed basis. It s important to determine ahead of time how often to perform critical tasks. IT controls frameworks and best practices provide recommendations for the frequency of specific tasks. Automated alerts are helpful for as-needed tasks such as monitoring excessive failed user logins or IDS attacks, or reviewing change management requests. Automated reports ease the hassle of daily and weekly tasks like reviewing user access logs or configuration changes, or ensuring backups are conducted properly. When we launch systems at an outstation, we have very little time to get everything up, troubleshoot it, and get it online we need a log solution that is easy to use and as hassle-free as possible. We ve added some new firewalls, and each time we added new equipment to our environment, it took me less than a minute to send the logs to the LogLogic appliance and for it to accept them LogLogic is that easy to use. Christopher Courtright, senior security engineer, Republic Airways Holdings LLC 5

6 8 Verify Continuous Monitoring Hamleys is an internationally recognized toy retailer. With the addition of LogLogic, Hamleys has been able to integrate all of its infrastructure logging for increased cyber security. They are now able to prevent any improper use of confidential data much more comprehensively. The whole estate is being proactively monitored 24x7 with real-time alerts set up to flag any unusual activity taking place in the moment. Rather than providing analysis after a security breach, the solution proactively monitors and takes action on any unusual, suspicious, or malicious activity. The solution also includes data forensics for deep tracking and understanding of how any security compromises may have occurred and how to secure the system in the future. Alerting mechanisms and scheduled reporting let IT personnel know when a componentsystem, or application is not complying with set policies. During an audit, auditors will want specific information about incidents that occurred, and what was done to mitigate or resolve the incident. Questions may include: What active alerts are set to monitor these controls? What was the actual alert you received? Where is the evidence that you acknowledged the alert? Where is the evidence that you investigated the incident? Where is the evidence that you are periodically reviewing user logs? Where is the evidence that you have removed terminated employee accounts? 9 Demonstrate Compliance Status to Auditors Using alerts and scheduled reports, you can also demonstrate compliance status to auditors. Alerts should be set based on compliance with SOX, PCI, ISO, HIPAA, or whatever regulation or best practice you are implementing. Then, reporting can be used to demonstrate compliance. An auditor might want to see the actual report that you are using for demonstrating the segregation of duties, for example. Log management and intelligence solutions, such as TIBCO LogLogic, provide report templates that map to common IT control frameworks to simplify compliance reporting. 10 Substantiate Reports and Alerts Alerting and reporting on logs must be substantiated with immutable log archives. It s critical to store logs centrally with a long-term archival solution that preserves the integrity of the data. Immutable logs require time stamps, digital signature, encryption, and other precautions to prevent tampering, both during transit of the data from the logging device to the storage device, as well as during archiving. Conclusion Compliance is no longer an isolated IT project; it s an enterprisewide endeavor that requires cooperation between business units and a deep understanding of the requirements, regulations, mandates, and IT controls necessary for your particular industry and business. Compliance must be looked upon as a business issue that requires a cross functional approach, involving people, processes, and technology. Taking the steps necessary to understand, define, and implement the appropriate IT controls and frameworks for your business will simplify compliance and reduce the costs and resources involved in completing compliance-related tasks. TIBCO Software Inc. (NASDAQ: TIBX) is a provider of infrastructure software for companies to use on-premise or as part of cloud computing environments. Whether it s efficient claims or trade processing, cross-selling products based on real-time customer behavior, or averting a crisis before it happens, TIBCO provides companies the two-second advantage the ability to capture the right information, at the right time and act on it preemptively for a competitive advantage. More than 4,000 customers worldwide rely on TIBCO to manage information, decisions, processes and applications in real time. Learn more at Global Headquarters 3307 Hillview Avenue Palo Alto, CA Tel: Fax: , TIBCO Software Inc. All rights reserved. TIBCO, the TIBCO logo, TIBCO LogLogic, and TIBCO Software, are trademarks or registered trademarks of TIBCO Software Inc. in the United States and/or other countries. All other product and company names and marks in this document are the property of their respective owners and are mentioned for identification purposes only. 6 exported09jul2013