ForeScout CounterACT and Compliance, June 2012
ForeScout CounterACT and Compliance
An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations
June 2012

Overview

Information security has undergone a sea change in the past 10 years. Compliance mandates in the form of industry standards and Federal rules like NERC, FFIEC, HIPAA/HITECH and PCI-DSS are the new norm. To stay in compliance, IT teams need to keep up with updates and changes to existing mandates while also being prepared for new ones. To maximize efficiency, manage risk and reduce potential violations due to compliance failure, organizations need security tools whose features support multiple specifications within and across different compliance frameworks.

To find the right tools, start by mapping functionality to a specific section or requirement in the most critical internal or external compliance mandate. Then look across the other frameworks applicable to your business to see how many can be met by the same solution. For example, security monitoring, configuration standards and event logging are mentioned in many guidelines, and a tool that provides real-time visibility and endpoint compliance capabilities, such as NAC, can support those requirements across multiple mandates. By filtering the core requirements and mapping them to specific objectives, organizations can find solutions that keep them ahead and on track for compliance while realizing additional benefits and savings.

Major Mandates

Many organizations find themselves complying with mandates that they did not initially realize applied to them. For example, a higher education institution that provides school loans and has a health care department may need to comply with PCI, HIPAA, and GLBA.
While many of the compliance frameworks described in this paper are specific to the United States, most have complementary standards in other countries; for example, PCI-DSS applies to payment processing entities worldwide. HIPAA and privacy laws also have counterparts worldwide, with unique specifications depending on the origin or destination of the IT resources or sensitive data under management. The major mandates that most companies need to address are outlined below.

PCI-DSS: A set of security standards issued by the five major card brands and overseen by the PCI Security Standards Council. It applies to any entity that stores, processes or transmits credit card data.

ISO 27002: An internationally accepted framework for implementing information security management systems. It supplies a list of security controls, their objectives, and implementation guidance spanning access control, endpoint compliance, event logging, incident response and more.

FFIEC: The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that sets and oversees standards for federal examination of financial institutions by agencies including the FDIC and NCUA.

HIPAA/HITECH: HIPAA is a healthcare mandate for the protection of health information, including electronic personal health information (e-PHI). HITECH extended the obligation to safeguard health information and personally identifiable information (PII) to business associates of covered entities.

GLBA/Privacy: Mandates privacy controls and safeguards for customer information and nonpublic personal information (NPI) managed by financial institutions. This extends to the protection of PII under state and country privacy and privacy breach notification laws.

NERC: Ensures the reliability of the North American power system by overseeing the critical infrastructure protection (CIP) reliability standards. Entities involved with power systems must be in compliance.

DISA STIGs: The Security Technical Implementation Guides (STIGs) are the configuration standards required for DoD systems. Many organizations outside the DoD have adopted the STIGs as part of their overall security program. The guidelines require port-based control (securing physical and logical network ports to prevent unauthorized access to the enclave), continuous endpoint compliance and active host-based security systems (HBSS).

NIST: Provides special publications on a variety of cyber-security matters. Many government agencies must comply with NIST standards, and organizations outside of government have adopted NIST standards as part of their programs.

How Network Access Control (NAC) Works

NAC, which stands for network access control, is technology used to assure trusted access to network resources. By employing 802.1x or other security mechanisms, NAC can identify users and network-attached devices while enforcing security policies based on discovered network, identity and device attributes.
Beyond allowing, limiting or blocking devices' access to network resources and sensitive data, NAC also provides visibility, endpoint compliance and threat prevention capabilities. For example, NAC supports a health check before an entity is allowed to access network resources. If the entity does not have the proper configuration settings, the latest patches or active host-based security functions, a NAC solution can quarantine the device and support remediation activities to bring it into compliance with a pre-defined corporate policy. NAC can also be used for auto-discovery, classification and policy assessment of devices, and to resolve endpoint issues and violations. Once a device is on the network, NAC can continue to monitor it to ensure continuous compliance and take action when unwanted behavior is detected. Like other tools, NAC platforms interface with an enterprise's network, security and identity infrastructure and can support compliance-relevant reporting.

IANS: How NAC maps to leading compliance mandates

Mapping CounterACT to Compliance

ForeScout CounterACT is a NAC platform that supports a number of critical security and protection functions across multiple compliance mandates. Many compliance mandates are not prescriptive about specific controls. These frameworks discuss objectives and activities but leave the final decision regarding which specific tool or solution to implement to the end-user organization. It is extremely important for each organization to perform a thorough assessment of available solutions and select those that address its needs while supporting an efficient compliance program that satisfies multiple mandate requirements. In other words, an effective security solution is a little like a compliance Swiss army knife for IT. More importantly, organizations should look at where security tools can enable or add efficiency to compliance enforcement, auditing, and documentation processes.

The table below extracts the core security functions of ForeScout CounterACT for network access control into 9 areas and maps them across 8 mandates to illustrate how a NAC solution such as ForeScout CounterACT can be used to address a large number of compliance processes and requirements. These are just a few examples of how NAC can help support compliance programs. When reviewing the table, keep in mind that compliance is a holistic process: even when a specific task is not explicitly called out, that does not mean it is unnecessary or will not support the overall mission. For example, GLBA does not call out anti-malware by name, but it does require organizations to take appropriate precautions to protect NPI, and validating that anti-malware is active on devices supports NPI protection. Organizations that must adhere to mandates not listed below can still use the table as a baseline and do their own mapping between the core ForeScout CounterACT features and their security and compliance requirements.
ForeScout CounterACT functions and the mandate requirements they support (PCI DSS v2, DISA STIGs, FFIEC, HIPAA/HITECH, NERC, ISO, NIST SP, GLBA)

Network Access Control / Port Control
  PCI DSS v2: Limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
  DISA STIGs: Enclave STIG V4R: The Enclave perimeter must block and/or secure all PPSs in accordance with the Vulnerability Assessments and the DoD PPS CAL.
  FFIEC: SCI Network Access, Access Control.
  HIPAA/HITECH: (a)(1) Access Control.
  NERC: CIP Requirement R2, Ports and Services: The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.
  ISO 27002: Section 11.4 Network access control.
  NIST SP: AC Access Control and AC-3 Access Enforcement.

Endpoint Integrity / Compliance / Continuous Monitoring
  PCI DSS v2: 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
  DISA STIGs: See the DISA STIGs for individual operating systems. CounterACT can identify all network devices and can classify known and unknown devices. CounterACT can also identify and remediate HBSS (Host-Based Security Systems) issues dynamically.
  FFIEC: SCI Access Control, Operating System Access.
  HIPAA/HITECH: (a)(5)(ii)(B) Protection from malicious software.
  NERC: CIP R2, Critical Cyber Asset Identification: Using the list of Critical Assets developed pursuant to Requirement R1, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The Responsible Entity shall update this list as necessary, and review it at least annually.
  ISO 27002: 11.5 Operating system access control.
  NIST SP: CA-7 Continuous Monitoring, CM-3 Configuration Change Control and CM-8 Information System Component Inventory.

Identification and removal of rogue WAPs
  PCI DSS v2: 11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
  DISA STIGs: General Wireless Policy STIG V1R6: Only authorized wireless systems used.
  FFIEC: FFIEC Supplement Guidance: Controls, e-banking, Appendix E: Wireless Banking.
  HIPAA/HITECH: 45 CFR Parts 160 and 164: Data comprising PHI can be vulnerable to a breach in any of the commonly recognized data states: data in motion (i.e., data that is moving through a network, including wireless transmission).
  NERC: CIP R1, Electronic Security Perimeter: The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
  ISO 27002: 11.7 Mobile computing and teleworking.
  NIST SP: AC-18 Wireless Access.

GLBA (across the three functions above): Standards for safeguarding customer information, (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
End Point Security
  PCI DSS v2: 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). 6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
  DISA STIGs: See the DISA STIGs for individual operating systems.
  FFIEC: SCI Access Control, Operating System Access.
  HIPAA/HITECH: (a)(5)(ii)(B) Protection from malicious software.
  NERC: CIP R3, Security Patch Management: The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). R4, Malicious Software Prevention: The Responsible Entity shall use anti-virus software and other malicious software ("malware") prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
  ISO 27002: 11.5 Operating system access control.
  NIST SP: CM-2 Baseline Configuration and SI-3 Malicious Code Protection.

Mobile Security
  PCI DSS v2: 1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network.
  DISA STIGs: General Wireless Policy STIG V1R6: Only authorized wireless systems used.
  FFIEC: FFIEC Supplement Guidance: Controls, e-banking, Appendix E: Wireless Banking.
  HIPAA/HITECH: 45 CFR Parts 160 and 164: Data comprising PHI can be vulnerable to a breach in any of the commonly recognized data states: data in motion (i.e., data that is moving through a network, including wireless transmission).
  NERC: CIP R2, Critical Cyber Asset Identification: Using the list of Critical Assets developed pursuant to Requirement R1, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The Responsible Entity shall update this list as necessary, and review it at least annually.
  ISO 27002: 11.7 Mobile computing and teleworking.
  NIST SP: AC-19 Access Control for Mobile Devices.

Threat Remediation
  PCI DSS v2: 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
  DISA STIGs: Enclave STIG V4R, Host-based IDS (EN550: CAT III): The IAO will ensure the SA is responsible for initial response to real-time alarms and performance of retrospective analysis of reports.
  FFIEC: Information Security, Security Monitoring.
  HIPAA/HITECH: Response and Reporting (R) (a)(6)(ii): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
  NERC: CIP R8, Cyber Vulnerability Assessment: The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following: R8.4 Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.
  ISO 27002: 12.6 Technical vulnerability management; Section 13 Information security incident management.
  NIST SP: SI-2 Flaw Remediation.

GLBA (across the three functions above): (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
Data Leakage
  PCI DSS v2: Requirement 10: Track and monitor all access to network resources and cardholder data.
  DISA STIGs: Enclave STIG V4R, Host-based Content Security Checking.
  FFIEC: SCI Access Control, Operating System Access.
  HIPAA/HITECH: (a)(4) Information Access Management.
  NERC: CIP R4, Information Protection: The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
  ISO 27002: 11.6 Application and information access control.
  NIST SP: PE-19 Information Leakage.

Endpoint Intelligence
  PCI DSS v2: 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
  DISA STIGs: See the DISA STIGs for individual operating systems.
  FFIEC: Information Security, Security Controls Implementation and Security Monitoring.
  HIPAA/HITECH: (a)(4) Information Access Management.
  NERC: CIP R2, Critical Cyber Asset Identification: Using the list of Critical Assets developed pursuant to Requirement R1, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The Responsible Entity shall update this list as necessary, and review it at least annually.
  ISO 27002: 11.5 Operating system access control.
  NIST SP: CA-7 Continuous Monitoring, CM-3 Configuration Change Control and CM-8 Information System Component Inventory.

Log Management Assurance
  PCI DSS v2: Requirement 10: Track and monitor all access to network resources and cardholder data.
  DISA STIGs: See the Network Infrastructure STIGs.
  FFIEC: Information Security, Security Controls Implementation and Security Monitoring.
  HIPAA/HITECH: (a)(1) Information System Activity Review and (b) Audit Controls.
  NERC: CIP R: The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days. CIP R6, Security Status Monitoring: The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
  ISO 27002: Monitoring.
  NIST SP: SI-4 Information System Monitoring.

GLBA (across the three functions above): Standards for safeguarding customer information, (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
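The health check and quarantine flow described under How NAC Works, combined with the cross-mandate mapping in the table above, as an added Python example that is not ForeScout code and not part of the IANS paper: the endpoint attributes, check predicates, and the block/quarantine response are constructed assumptions, and the requirement strings are shortened from the table so that every failed check reports which mandates it puts at risk.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Endpoint:
    """Attributes a NAC platform learns from discovery and a host health check (constructed)."""
    name: str
    classification: str            # "managed", "mobile" or "wireless_ap"
    authorized: bool = True        # identity/inventory match (802.1x or inventory lookup)
    av_active: bool = True         # host-based anti-malware running
    oldest_missing_patch_days: int = 0
    personal_firewall: bool = True


@dataclass
class Check:
    """One posture check and the mandate requirements it supports (shortened from the table)."""
    description: str
    passes: Callable[[Endpoint], bool]
    mandates: Dict[str, List[str]]
    action: str = "quarantine"     # response on failure: "quarantine" or "block"


PATCH_SLA_DAYS = 30  # PCI DSS v2 6.1: critical patches within one month of release

CHECKS = [
    Check("device identified and authorized on its port",
          lambda e: e.authorized,
          {"PCI DSS v2": ["limit inbound traffic to authorized services, protocols and ports"],
           "ISO 27002": ["11.4 Network access control"],
           "NIST SP": ["AC-3 Access Enforcement"]},
          action="block"),
    Check("wireless access point is an authorized system",
          lambda e: e.classification != "wireless_ap" or e.authorized,
          {"PCI DSS v2": ["11.1 detect unauthorized wireless access points"],
           "DISA STIGs": ["General Wireless Policy STIG V1R6: only authorized wireless systems"],
           "NIST SP": ["AC-18 Wireless Access"]},
          action="block"),
    Check("host-based anti-malware active",
          lambda e: e.classification == "wireless_ap" or e.av_active,
          {"PCI DSS v2": ["5.1 deploy anti-virus software on commonly affected systems"],
           "NERC CIP": ["R4 Malicious Software Prevention"],
           "NIST SP": ["SI-3 Malicious Code Protection"]}),
    Check(f"no security patch missing for more than {PATCH_SLA_DAYS} days",
          lambda e: e.classification == "wireless_ap"
          or e.oldest_missing_patch_days <= PATCH_SLA_DAYS,
          {"PCI DSS v2": ["6.1 install vendor security patches within one month of release"],
           "NERC CIP": ["R3 Security Patch Management"],
           "NIST SP": ["SI-2 Flaw Remediation"]}),
    Check("personal firewall enabled on mobile or employee-owned computer",
          lambda e: e.classification != "mobile" or e.personal_firewall,
          {"PCI DSS v2": ["1.4 personal firewall on mobile/employee-owned computers"],
           "ISO 27002": ["11.7 Mobile computing and teleworking"],
           "NIST SP": ["AC-19 Access Control for Mobile Devices"]}),
]


def assess(endpoint: Endpoint) -> dict:
    """Health-check one endpoint: decide allow/quarantine/block and list each failed
    check together with the mandate requirements that failure puts at risk."""
    failures = [c for c in CHECKS if not c.passes(endpoint)]
    if not failures:
        decision = "allow"
    elif any(c.action == "block" for c in failures):
        decision = "block"        # unknown device or rogue AP: no access at all
    else:
        decision = "quarantine"   # known device with a posture gap: isolate, then remediate
    return {"endpoint": endpoint.name, "decision": decision,
            "failures": [{"check": c.description, "mandates": c.mandates} for c in failures]}


def compliance_report(endpoints) -> dict:
    """Per (mandate, requirement): number of endpoints currently failing a check mapped to it.
    An endpoint counts once per requirement even if several of its checks map there."""
    counts = {}
    for ep in endpoints:
        touched = set()
        for failure in assess(ep)["failures"]:
            for mandate, reqs in failure["mandates"].items():
                touched.update((mandate, req) for req in reqs)
        for key in touched:
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    fleet = [  # constructed sample inventory
        Endpoint("ws-finance-01", "managed"),
        Endpoint("lt-sales-07", "mobile", personal_firewall=False),
        Endpoint("srv-pos-02", "managed", av_active=False, oldest_missing_patch_days=45),
        Endpoint("ap-breakroom", "wireless_ap", authorized=False),
    ]
    for ep in fleet:
        r = assess(ep)
        print(f"{r['endpoint']:<14} {r['decision']:<10} {len(r['failures'])} failed check(s)")
    for (mandate, req), n in sorted(compliance_report(fleet).items()):
        print(f"  {n} endpoint(s) fail {mandate}: {req}")
```

The per-requirement counts are the "automate compliance reporting" benefit in miniature: one posture failure is evidence for several mandates at once, which is the point the mapping table makes.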
When evaluating the value of a solution like ForeScout CounterACT, it is helpful to assess the tool not only for how it can support compliance with specific mandates, but also for how it can meet the intent of various mandates, increase visibility and effectuate controls, improve overall network and device health, and yield operational efficiencies. In addition to the specific support for compliance mandates listed above, the ForeScout CounterACT NAC solution provides the following benefits:

- Fortify IAM for network access
- Enable port control without requiring agents
- Enforce guest management
- Identify and eliminate rogue devices and WAPs
- Provide device classification and inventory
- Support application whitelisting and blacklisting
- Identify and remediate endpoint compliance gaps
- Enable mobile security and BYOD policy
- Automate compliance reporting
- Increase situational awareness and reduce risk profile

Conclusion

Keeping up with compliance is the new norm for all companies and organizations; no vertical industry or company is exempt, and new rulings and mandates are introduced and evolve every year. To stay ahead of the compliance onslaught, IT organizations need comprehensive programs that take into account the entire fabric of compliance rather than focusing on mandates one at a time. To make this process easier, organizations can use security tools that offer features which address compliance controls for multiple mandates or expedite compliance documentation and validation processes. ForeScout CounterACT is a network security tool that can be efficient and effective at addressing a large variety of compliance needs and automating a wide array of GRC processes.
Using Continuous Monitoring Information Technology to Meet Regulatory Compliance Presenter: Lily Shue Director, Sunera Consulting, LLC Outline Current regulatory requirements in the US Challenges facing
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationTOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series
TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital
More informationAdopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.
Security solutions To support your IT objectives Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Highlights Balance effective security with
More informationAlienVault for Regulatory Compliance
AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationA MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS
A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS CYBER ATTACKS INFILTRATE CRITICAL INFRASTRUCTURE SECTORS Government and enterprise critical infrastructure sectors such as energy, communications
More informationAutomating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0
WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informationVerve Security Center
Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution
More informationA Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards
A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security
More informationDepartment of Management Services. Request for Information
Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationIT Security & Compliance Risk Assessment Capabilities
ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationWhat is required of a compliant Risk Assessment?
What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationPCI DSS Top 10 Reports March 2011
PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,
More informationAgenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007
Security Testing: The Easiest Part of PCI Certification Core Security Technologies September 6, 2007 Agenda Agenda The PCI Standard: Security Basics and Compliance Challenges Compliance + Validation =
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationPCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
More informationCloudCheck Compliance Certification Program
CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or
More informationSecureVue Product Brochure
SecureVue unifies next-generation SIEM, security configuration auditing, compliance automation and contextual forensic analysis into a single platform, delivering situational awareness, operational efficiency
More informationNERC CIP Compliance with Security Professional Services
NERC CIP Compliance with Professional Services The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is
More informationDevice Hardening, Vulnerability Remediation and Mitigation for Security Compliance
Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies
More informationAuditing Mission-Critical Databases for Regulatory Compliance
Auditing Mission-Critical Databases for Regulatory Compliance Agenda: It is not theoretical Regulations and database auditing Requirements and best practices Summary Q & A It is not theoretical Database
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationTrend Micro Healthcare Compliance Solutions
How Trend Micro s innovative security solutions help healthcare organizations address risk and compliance challenges WHITE Worry-Free Business Security Fast, effective, and simple protection against viruses
More informationManaging Business Risk
Managing Business Risk With Assurance Report Cards April 7, 2015 Table of Contents Introduction... 3 Cybersecurity is a Business Issue... 3 Standards, Control Objectives and Controls... 5 Standards and
More informationPCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data
White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationPCI and PA DSS Compliance Assurance with LogRhythm
WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security
More informationAre You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010
Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010 atsec information security, 2010 About This Presentation About PCI assessment
More information