SELECTING FOUNDATIONAL CONTROLS MAKES HIPAA COMPLIANCE EASIER


Simple. Automated. Affordable.

By: Steven Marco and Joseph Grettenberger, Modern Compliance Solutions
Commissioned by:

Table of Contents

Part 1: Updates to Regulations and IT Security Compliance Implications
  Health Insurance Portability and Accountability Act (HIPAA)
Part 2: Introduction to Dell's GRC Product Suite: ChangeAuditor, InTrust, Enterprise Reporter and the Dell Knowledge Portal
  Dell GRC Product Suite
  ChangeAuditor
  InTrust
  Enterprise Reporter
  Dell Knowledge Portal
Part 3: Dell Product to HIPAA Mandate Mapping Tables
  Health Insurance Portability and Accountability Act (HIPAA)

Part 1: Updates to Regulations and IT Security Compliance Implications

With the current information security challenges facing almost all organizations, and the risk of becoming another front-page news story, information risk and IT security should not only be on the agenda of just about every corporate risk program; they should be in sync. Sadly, this is often not the case. Even today, compliance mandates frequently drive, rather than inform, an organization's approach to enterprise-wide IT control selection and, consequently, its information security baseline. Meanwhile, information risks confirmed by actual security incidents are being addressed by those on the front line. Inevitably, three groups - risk management, IT security, and compliance - get involved when reacting to news stories. Yet, barring such an event, scarce resources, company culture, organizational misalignment and a host of other factors often keep these groups from comparing notes.

The stark reality is that, for many organizations, the job of selecting and approving the adoption of IT security controls has been left to misguided reactions. The result is that prioritizing the process of monitoring and reassessing IT controls in light of actual risk is most often done in a firefighting or ad hoc manner. The idea of selecting key, foundational, high-performance controls by pointing to carefully considered corporate risk, informed by a well-performed risk analysis, still seems to be the exception rather than the rule across virtually all industries. Nevertheless, different approaches to IT security, if taken from what has been proven in the industry, are not necessarily bad, because whether it comes from a risk program or a compliance mandate, smart IT security has become a survival issue.
A key component of regulatory compliance these days is the demonstration of appropriate IT-related internal controls that mitigate fraud risk, and the implementation of necessary safeguards for legally protected information that is stored and transmitted in electronic form. Naturally, this requirement to demonstrate IT compliance also applies to the users of the systems that access this information. This paper addresses the area of IT security compliance from an auditor's perspective for the Health Insurance Portability and Accountability Act (HIPAA) in the U.S.[1]

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996, adding a new Part C to Title XI of the Social Security Act (sections ). One of the most important provisions of HIPAA is the mandatory safeguarding of all recorded personal health information (PHI), including PHI stored in electronic form (ePHI). The reach of HIPAA's safeguarding provisions for PHI was extended and strengthened under the Health Information Technology for Economic and Clinical Health (HITECH) Act on February 17, 2009, as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), and again on January 25, 2013 in HIPAA's final omnibus rule.

[1] This paper addresses HIPAA, which is only one sample of the compliance mandates that include significant IT safeguard requirements.

With HITECH, HIPAA's traditional safeguard requirements extend directly to business associates of covered entities.[1] Covered entities include hospitals, medical billing centers, health insurance companies, healthcare clearinghouses and other health care providers. HIPAA's final Omnibus Rule expanded HITECH's already broad business associates category, which included health information exchange organizations, e-gateways handling ePHI, and vendors assisting a covered entity with personal health records,[2] to subcontractors that create, receive, maintain, or transmit protected health information on behalf of a business associate.

Increased enforcement to ensure covered entities and business associates are compliant with the HIPAA Security, Privacy and Breach Notification Rules has raised public awareness of the need to protect ePHI. The Office of Civil Rights (OCR), a division of Health and Human Services (HHS), is the enforcer of HIPAA compliance and breach investigations. In recent years the OCR has imposed fines through settlements against providers who failed to take reasonable and appropriate safeguards to protect their ePHI. Specifically, HIPAA requires health care organizations to:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information created, received, maintained, or transmitted;
2. Regularly review system activity records, such as audit logs, access reports, and security incident tracking reports;
3. Establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process containing ePHI;
4. Monitor login attempts and report discrepancies; and
5. Identify, respond to and document PHI breach incidents, and properly notify the specified parties.

Under ARRA and HIPAA's final omnibus rule, virtually all organizations that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose ePHI must also comply with rigorous breach notification rules when PHI is compromised. For example, if the number of people affected by a data privacy breach is more than 500 for a given state or jurisdiction, the media must be notified.[3]

The HIPAA standard for audit controls states: "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."[4] To comply, affected organizations must have systems and processes that collect, store, alert, and report on non-compliant ePHI access, use, or disclosure (i.e., breach), thus creating the required audit trail.

The HIPAA Security Rule imposes standards in five categories: administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and documentation requirements (policies, procedures, etc.). If a standard applies to ePHI, compliance is not optional. Strict adherence to specially marked implementation specifications, however, can be considered optional if, after an assessment is performed, they are determined to be not reasonable and appropriate, the rationale to forgo the specification is documented, and evidence can be produced that a good faith effort was

made to identify and implement an equivalent alternative measure. Thus, implementation specifications are categorized as either "required" or "addressable":

Required: If an implementation specification is marked as required, it must be implemented by every covered entity.

Addressable: If an implementation specification is marked as addressable, it may be assessed to determine whether it is reasonable and appropriate. If deemed reasonable and appropriate to protect ePHI, it must be adopted and followed. If, however, a covered entity has determined that an addressable implementation specification is unreasonable and inappropriate for its environment, the entity should make a good faith effort to identify, implement, and document an equally effective alternative solution, or justify and document the decision to do neither.

With HIPAA, while the databases of EMR systems are obvious areas where ePHI resides, there are many other systems in which ePHI may be stored or transmitted, including personal (implanted) medical devices, modern medical equipment, tablets, cell phones, copiers, scanners, fax machines, multi-function devices, print servers, ePHI databases, encrypted , voice mail servers, security camera systems, protected file servers, network shared drives and even local machines. These adjunct areas of ePHI storage may or may not be within the organization's policy restrictions. Compliance with protecting all ePHI, however, is required.

The current penalty amounts for violations of HIPAA are as follows:[5]

Violation category (Section 1176(a)(1))    Each violation        Maximum penalty for all such violations of an identical provision in a calendar year
(A) Did Not Know                           $100 to $50,000       $1,500,000
(B) Reasonable Cause                       $1,000 to $50,000     $1,500,000
(C)(i) Willful Neglect, Corrected          $10,000 to $50,000    $1,500,000
(C)(ii) Willful Neglect, Not Corrected     $50,000               $1,500,000

[1] HITECH Act Subtitle D, Section
[2] HITECH Act Subtitle D, Section
[3] HITECH Act Subtitle D, Section
[4] CFR (b).
[5] See page 5583 of the Federal Register, January 25. The table is referred to as "TABLE 2 CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE".

Part 2: Introducing Dell's GRC Product Suite: ChangeAuditor, InTrust, Enterprise Reporter and the Dell Knowledge Portal

Dell GRC Product Suite

With the proliferation of information security threats combined with the complexity of compliance mandates, organizations today need as much compliance automation as they can get. The Dell GRC Product Suite helps organizations automate many of the assurance safeguards required by today's IT security mandates while also providing foundational IT security measures. For example, the Dell GRC Product Suite addresses IT general controls (ITGCs) for 11 of the 18 standards in HIPAA's Security Rule.

Monitoring the primary databases of protected information is not enough to safeguard that information. The support systems (e.g., file servers, Active Directory) that make up the environment outside the primary database often store protected information and related access controls, making them additional components of a risk analysis. Dell's product suite offers organizations the ability to monitor many of HIPAA's security safeguards within these support systems.

The Dell GRC Product Suite enables organizations to monitor, perform self-audits, and respond to inquiries with reports that demonstrate historical compliance with many information system components of regulatory compliance security policies and procedures. In addition, the Dell GRC Product Suite can report on suspicious activities, such as identifying unlocked user accounts and activity on the accounts of terminated and transferred personnel. These tools provide separate databases and a variety of reports that can substantiate evidence of policy violations when personnel sanctions related to the security of information systems need to be applied. In short, the Dell GRC Product Suite is designed to continuously monitor, evaluate and assess the IT general control areas of an organization's system of internal control.
The tools equip organizations to adopt robust continuous auditing and monitoring practices that augment, and to some extent preempt, standard network vulnerability scanning practices. While not a replacement for network vulnerability tools, when regularly used as part of a continuous monitoring program, InTrust, ChangeAuditor, and Enterprise Reporter can discover a host of information system vulnerabilities (e.g., outdated patch levels; unauthorized ports, protocols, and services) before network vulnerability scanning tools and technical surveillance countermeasure surveys can discover them. By enabling the assurance functions of real-time audits, continuous monitoring and the generation of information system documentation for discrete environments, the Dell GRC Product Suite helps organizations not only watch their production operating environments but also monitor critical controls in security architectures that are anticipated in all phases of the system development life cycle.

The suite is built around the following Dell products:

1. ChangeAuditor
2. InTrust
3. Enterprise Reporter
4. Dell Knowledge Portal

Audit, Alert and Report with ChangeAuditor

Dell ChangeAuditor helps IT staff, security and compliance officers audit, alert and report on user and administrator activity, configuration and application changes in real time across the Microsoft-centered enterprise. This solution is critical to addressing and preventing the risk of system downtime, misuse of sensitive data, failed audits and security breaches, whilst ensuring business management can prove to auditors and internal stakeholders that compliance and security policies are enforced throughout the organization.

Knowing who accessed, deleted, moved, created or modified data and settings is critical to achieving internal and external compliance. Unlike native tools, ChangeAuditor provides visibility into enterprise-wide activities from one central console. Organizations can instantly see who, what, when, where, from what workstation and why a change was made, with before and after values. What separates ChangeAuditor from other solutions is the ability to close potential security gaps by enabling customers to see the full context of how data is being handled in relation to other events, and to answer tough questions such as:

- How do you know if the change is suspicious?
- What other change occurred around this event, and is it critical?
- Should the user/administrator be accessing this resource?
- Does this resource contain sensitive data?
- Need to know more about the user making these changes?
- Need to know more about the user being changed?

This helps speed the resolution of security issues and identify misconfigurations, enabling a better understanding and forensic analysis of events and trends. If a critical change is made, an alert is sent to any device, with the option to immediately respond to any threats.

ChangeAuditor also provides powerful preventative controls for Active Directory, Exchange, and Windows File Server that protect objects within these environments against attempted changes deemed too dangerous to permit. Thus, attempted changes to critical files (e.g., financial data) on a file server, even with native Windows administrator privileges, are not only noticed but blocked at the source.

Figure 1. Prevent sensitive files from being modified or deleted with object protection, and see all related searches with one click.

ChangeAuditor also simplifies external compliance audits and strengthens internal controls with over 700 out-of-the-box, auditor-ready and scheduled reports. Additionally, ChangeAuditor has role-based access, enabling auditors to access only the information they need to perform their job quickly, and freeing administrators to go about their daily work without interruption.

Figure 2. Built-in regulatory compliance and best practice reporting.

Last but not least, ChangeAuditor has a high-performance auditing engine that doesn't require native auditing to be enabled, and it can perform at much faster speeds for the end user than other solutions that rely on native auditing. This saves server resources that would otherwise be consumed in storage, processors and memory.

Forensic Investigation and Event Archival with InTrust

Dell InTrust helps organizations address regulatory compliance and internal security risks through the secure, real-time collection and compression of event logs. Using InTrust, administrators can reduce the complexity of event log management across a heterogeneous network, reduce storage administration costs and improve the efficiency of security, operational and compliance reporting. Specifically, Dell InTrust:

- Monitors user access to critical systems and applications, and enables forensic analysis of user and system activity based on historical event data
- Collects events on user and administrator activity from diverse and widely dispersed systems and applications, and presents them in an easy-to-use and complete form suitable for ongoing reporting and ad-hoc analysis
- Provides long-term data compression at a 1:40 ratio to meet compliance requirements, providing storage savings versus storing the same amount of data in a database
- Creates a cached location on each remote server where logs are duplicated as they are created, preventing a rogue user or administrator from tampering with audit log evidence
- Conducts interactive searches through historical event log data for on-the-spot investigation of security incidents and policy violations, and for preparation of evidence for submission to a court
- Enriches a SIEM with intelligent data feeds that capture crucial aspects of user activity on Windows systems, which can detect internal threats in less time and with less overhead
- Audits the use of shared and super-user accounts to meet compliance-driven requirements and implement accountability for shared account usage. This minimizes security risk by recording what was done during privileged or sensitive access

Figure 3. Event log management for security and compliance.

From Windows to UNIX and Linux, InTrust enables you to eliminate the silos of gathering, analyzing and reporting on suspicious event data from disparate IT environments. From the time users log on until the time they log off, Dell InTrust provides a complete and connected view of the security events happening in organizations' environments. Having all this tamper-proof information easily available on the fly helps users address internal security policies and achieve regulatory compliance.

Assess Compliance and Security with Enterprise Reporter

Dell Enterprise Reporter collects, stores, and reports on network security and share- and folder-level permissions-related information, offering a scalable solution that enables administrators to easily assess who has access to what resources, and delivers reports to consumers across the organization. These reports give you the information you need to control access to the corporate network and its data. Armed with this information, organizations can meet compliance requirements and security best practices with answers to the questions auditors ask, including:

- Who can do what, and where?
- Who has administrative access to Windows servers and workstations?
- Who has access to what printers, shares, folders, files and SQL databases?
- How are servers configured, including general computer information, network settings, running services, installed programs and custom registry keys?
- How does the configuration of servers change over time?
- What local users and groups, along with their membership, exist on every server?
- What software is installed on each server?
- What logins exist on each SQL Server database?

Figure 4. Enterprise Reporter provides visibility into the configuration of critical IT assets.

Organizations can easily determine who has access to what resources, identify users with inappropriate access, and ensure that access is provided on a business-need-to-know basis, supporting successful audits.

Dell Knowledge Portal

Dell Knowledge Portal offers unified web-based compliance reporting and filtering of Dell-collected monitoring and audit data, giving structured, audience-specific and tailored views of this information. Dell Knowledge Portal can provide supporting evidence that security policies and operational procedures for managing vendor defaults, monitoring access to network resources and protected data, and other security parameters are in use. Users get access to only the information they need.

Figure 5. Consolidate data into a single pane of glass for reporting across Dell compliance solutions.

Part 3: Dell Product to Mandate Mapping Tables

Health Insurance Portability and Accountability Act (HIPAA)

Each entry below gives the HIPAA standard and its related implementation specifications ((R) = required, (A) = addressable), the text of each specification, and how Dell helps.

ADMINISTRATIVE SAFEGUARDS

(a)(1)(i) Security Management Process

  (a)(1)(ii)(A) Risk Analysis (R): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

  (a)(1)(ii)(C) Sanction Policy (R): Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

  (a)(1)(ii)(D) Information System Activity Review (R): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

  How Dell helps: With cross-enterprise views and reports of system security settings and user access controls, InTrust and Enterprise Reporter can provide valuable information for a risk assessment. For example, they assist with:
  - Inventory of downloaded files in common directories where ePHI is stored locally
  - Identifying remote users of ePHI systems
  - Detailed server and user information
  - ePHI security policy parameters
  - Account policies
  - Administrator access by computer
  - Auto-logon status
  - Identifying exposed data
  - Shares with Everyone: Full Control
  - Trusts with external partners

  The ChangeAuditor and InTrust event tracking databases are separate from the logging mechanisms of the systems they track, and therefore can elude much of the log tampering seen with security and privacy incidents and workforce member policy violations. In short, these tools can be used to audit and securely report evidence of workforce member non-compliance with the organization's security policies.

  The Dell GRC Product Suite is designed to continuously monitor system activity, including:
  - Unauthorized access
  - Logon activity
  - File access
  - Audit logs
  - Access to files and objects
  - Security incidents

(a)(3)(i) Workforce Security

  (a)(3)(ii)(A) Authorization and/or Supervision (A): Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

  How Dell helps: Enterprise Reporter can assist organizations in managing and monitoring the following workforce member security mechanisms (workforce member authorization):
  - Preserve data confidentiality
  - Domain trusts
  - Group membership distribution lists
  - Shares and folder permissions
  - User rights by computer
  - Admin rights control
  - Administrative access by computer
  - Group membership by user

  InTrust can assist organizations in managing and monitoring the following workforce member security mechanisms (workforce member supervision, privileged user activity):
  - Group membership management
  - User rights changes
  - User account management
  - Group management
  - Computer account management
  - Domain trust management

  (a)(3)(ii)(B) Workforce Clearance Procedure (A): Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

  (a)(3)(ii)(C) Termination Procedures (A): Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends, or as required by determinations made as specified in paragraph (a)(3)(ii)(b) of this section.

  How Dell helps: ChangeAuditor can assist organizations in managing and monitoring:
  - Non-owner access attempts and access to
  - Access attempts and access to files and objects

  Enterprise Reporter can assist organizations in managing and monitoring:
  - Management of terminated users
  - Inactive accounts
  - Disabled accounts

  ChangeAuditor and InTrust can assist organizations in managing and monitoring removal from access lists:
  - Group membership changes
  - User rights changes
  - Group membership management
  - User account management

(a)(4)(i) Information Access Management

  (a)(4)(ii)(A) Isolating Health Care Clearinghouse Functions (R): If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

  How Dell helps: The Dell GRC Product Suite provides enterprise-grade monitoring and auditing support for many access controls (e.g., domains, groups, protected file systems) that are implemented to protect special business units and subsidiaries that store ePHI from access by the larger organization.

  (a)(4)(ii)(C) Access Establishment and Modification (A): Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

  How Dell helps: InTrust can confirm establishment of the following user account access policies:
  - Logons
  - Access to files and objects
  - Remote access
  - Mailbox access
  - Active Directory and Group Policy Object change requests

  InTrust can alert on modification of the following user account access policies:
  - Group membership management
  - Permission changes
  - User rights management

(a)(5)(i) Security Awareness and Training

  (a)(5)(ii)(B) Protection from Malicious Software (A): Procedures for guarding against, detecting, and reporting malicious software.

  How Dell helps: Enterprise Reporter can identify:
  - Installed software (helps identify whether antivirus software is installed)
  - Service pack information

  InTrust can assist organizations in managing and monitoring activities through which malicious software is known to infect a network:
  - New software downloads
  - Software updates
  - Process tracking
  - Software installation

  (a)(5)(ii)(C) Log-in Monitoring (A): Procedures for monitoring log-in attempts and reporting discrepancies.

  How Dell helps: InTrust provides organizations the ability to alert, review and report on suspicious, unauthorized and repeated log-in attempts, to identify potential brute-force login attacks (a high number of failed login attempts) against Windows, MS Exchange, and MS SQL Server logons.

  (a)(5)(ii)(D) Password Management (A): Procedures for creating, changing, and safeguarding passwords.

  How Dell helps: Enterprise Reporter addresses this specification by identifying computer settings for:
  - Security policies
  - Account policies
  - Password policies

  InTrust addresses this specification by identifying all instances of:
  - Password changes
  - Password resets

(a)(6)(i) Security Incident Procedures

  (a)(6)(ii) Response and Reporting (R): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

  How Dell helps: With real-time alerting features, both ChangeAuditor and InTrust can assist organizations in identifying and responding to suspected or known security incidents such as:
  - User behavior anomalies
  - Common security incidents

(a)(7)(i) Contingency Plan

  (a)(7)(ii)(C) Emergency Mode Operation Plan (R): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

  (a)(7)(ii)(D) Testing and Revision Procedures (A): Implement procedures for periodic testing and revision of contingency plans.

  How Dell helps: Many safeguards may not be in place or functioning when an organization is operating in emergency mode, and compliance with HIPAA could suffer as a result. Dell offers redundant architecture guidance for its GRC Product Suite and recommends that organizations that store ePHI implement robust emergency-mode ePHI monitoring, along with periodic emergency-mode testing, to ensure the ability to review, record, audit and report on organizational compliance with HIPAA security system access and review safeguards during emergency mode operations.

PHYSICAL SAFEGUARDS

(b) Workstation Use: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

  How Dell helps: InTrust and Enterprise Reporter help organizations identify suspicious use and violations of workstation use policies, such as:
  - An employee logged in on multiple workstations or at multiple locations
  - An employee accessing systems after hours
  - An employee accessing systems while on vacation or absent from work
  - An employee accessing areas not appropriate for his/her job
  - A physician accessing records outside his/her specialty
  - An employee accessing high-profile or VIP accounts inappropriately
  - An employee inappropriately accessing PHI
  - An employee account accessing ePHI after employment termination
  - An employee downloading unauthorized/unapproved software

TECHNICAL SAFEGUARDS

(a)(1) Access Control

  (a)(2)(i) Unique User Identification (R): Assign a unique name and/or number for identifying and tracking user identity.

  How Dell helps: Enterprise Reporter addresses this specification by providing reports that identify:
  - All UNIX-enabled Active Directory users
  - Cross-platform users

  (a)(2)(iii) Automatic Logoff (A): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

  How Dell helps: Enterprise Reporter addresses this specification by reporting session timeout settings.

(b) Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

  How Dell helps: Enterprise Reporter and InTrust report on:
  - Preserve data confidentiality
  - Audit policies by computer
  - Audit policy changes
  - Audit policy settings

(d) Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

  How Dell helps: Enterprise Reporter can report on user accounts that are using smart cards, to assist with verifying two-factor authentication. ChangeAuditor and InTrust can identify remote interactive logons for easy correlation with personnel (e.g., employee) and vendor accounts. While InTrust's and ChangeAuditor's two-factor authentication verification is limited, they supplement authentication validation controls by helping organizations identify suspicious user account behavior such as:
  - An employee account logged in on multiple workstations or at multiple locations
  - An employee account accessing systems after hours
  - An employee account accessing systems while on vacation or absent from work
  - An employee account accessing areas not appropriate for his/her job
  - A physician account accessing records outside his/her specialty
  - An employee account accessing high-profile or VIP accounts inappropriately
  - An employee account inappropriately accessing PHI
  - An employee account accessing ePHI after employment termination
  - An employee account downloading known malware

(e)(1) Transmission Security

  (e)(2)(i) Integrity Controls (A): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

  (e)(2)(ii) Encryption (A): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

  How Dell helps: InTrust and Enterprise Reporter enable organizations to ensure all non-console administrative access uses strong cryptography, by supporting continuous monitoring and auditing of all networked privileged-access user activities, disconnect data, trusted path data elements, system cryptography security options, DNS connection specifics and local DNS record changes. ChangeAuditor tracks public key attribute modifications. Enterprise Reporter permits authorized system administrators and auditors to see the type of encryption supported in network protocols and to review related system cryptography security options on both local and remote machines. In addition, ChangeAuditor tracks changes to these settings and to public key attribute modifications, permitting continuous monitoring of encryption settings for remote access to the cardholder data environment (CDE).

Conclusion

With the proliferation of information security threats combined with the complexity of compliance mandates, organizations today need as much compliance automation as they can get. The Dell GRC Product Suite helps organizations automate many of the assurance safeguards required by today's IT security mandates while also providing foundational IT security measures. While not a replacement for network vulnerability tools, when regularly used as part of a continuous monitoring program, InTrust, ChangeAuditor, and Enterprise Reporter can discover a host of information system vulnerabilities (e.g., outdated patch levels; unauthorized ports, protocols, and services) before network vulnerability scanning tools and technical surveillance countermeasure surveys can discover them. By enabling the assurance functions of real-time audits, continuous monitoring and the generation of information system documentation for discrete environments, the Dell GRC Product Suite helps organizations not only watch their production operating environments but also monitor critical controls in security architectures that are anticipated in all phases of the system development life cycle.

For more information, visit

About the Authors

Steven Marco, President, has a passion for IS security and over 18 years as a leader in executing regulatory compliance mandates and Health IT. A CISA since 1999, he helped pioneer Internet security services and manage risk for numerous Fortune 500 companies while at Deloitte & Touche. At Resources Global Professionals, he led IT through their Sarbanes-Oxley 404 audit and successful IPO. He successfully pioneered a Health IT professional services line, leading hundreds of compliance and security projects. Prior to founding Modern Compliance Solutions, Steve was Product Director at DirectPointe, where he integrated HIPAA and PCI security protocols for their healthcare and MAS clients. Steve holds a Bachelor's Degree from Ryerson University in Computer Information Systems Management and Corporate Law. For more information, visit

Joe Grettenberger, CISA, CCEP, has over 25 years' experience as an IT assurance professional, including 8 years of technology auditing experience in both the public and private sectors. Having started his own consulting practice in 2008, Grettenberger is certified as an information systems auditor (CISA) and compliance and ethics professional (CCEP). He has served clients for over 5 years as an IT governance and risk management consultant, covering a wide range of IT assurance issues within the regulatory, legal, and industry compliance space. Grettenberger has

21 held assurance and advisory positions at a number of organizations including Quest Software, Vintela, Center 7, Franklin Covey and SAIC. He was a recent participant in the Internet Security Alliance initiative to promote cross-industry IT security standards and has also participated in several other standard-setting best practice initiatives such as serving on the SunTone Architecture Council and chairing the MSP Association s Best Practice Committee. For more information, visit About Dell Software Dell Software helps customers unlock greater potential through the power of technology delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. Notice: The information presented herein is made available solely for general informational purposes for organizations facing compliance initiatives that include an IT component. While every effort has been made to confirm the accuracy of the information, the information provided may not be complete or accurate, may not be applicable to you and may not reflect recent developments in your regulated information systems environment. You should not act or refrain from acting based on the any of the information provided by Dell without first obtaining guidance and input from your professional advisors, including qualified counsel. This information is provided as-is and Dell disclaims all representations and warranties, express or implied, statutory or otherwise, including the implied warranties of merchantability and fitness for a particular purpose. page 21
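The suspicious account behaviors listed under Person or entity authentication in the mapping table above (one account on multiple workstations, logons after hours, logons during recorded leave, logons after termination) can be checked mechanically once interactive logon events are joined with HR data. The following Python is an added example, not Dell product code and not taken from the whitepaper; the logon events, HR records, workday window and 30-minute concurrency window are all constructed assumptions.

```python
"""Flag the suspicious account behaviours named in the authentication row over
a constructed set of interactive logon events.  Added example; all accounts,
hosts, dates, HR records and policy thresholds below are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Logon:
    """One interactive logon event: account, workstation, timestamp."""
    account: str
    host: str
    when: datetime


@dataclass(frozen=True)
class HrRecord:
    """HR context for one account: termination date and approved leave ranges."""
    terminated_on: Optional[date] = None          # None means still employed
    leave: Tuple[Tuple[date, date], ...] = ()     # inclusive (start, end) ranges


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str
    detail: str


# Constructed policy values (assumptions, not from the whitepaper).
WORKDAY_START, WORKDAY_END = time(7, 0), time(19, 0)
CONCURRENCY_WINDOW = timedelta(minutes=30)


def after_hours(logon: Logon) -> bool:
    """True for a logon on a weekend or outside the workday window."""
    t = logon.when.time()
    return logon.when.weekday() >= 5 or not (WORKDAY_START <= t < WORKDAY_END)


def on_leave(logon: Logon, hr: HrRecord) -> bool:
    """True when the logon date falls inside any recorded leave range."""
    d = logon.when.date()
    return any(start <= d <= end for start, end in hr.leave)


def after_termination(logon: Logon, hr: HrRecord) -> bool:
    """True when the account logged on after its recorded termination date."""
    return hr.terminated_on is not None and logon.when.date() > hr.terminated_on


def multi_workstation(logons: List[Logon], window: timedelta) -> Dict[str, List[str]]:
    """Accounts seen on more than one workstation within `window`; maps account -> hosts."""
    by_account: Dict[str, List[Logon]] = {}
    for lg in logons:
        by_account.setdefault(lg.account, []).append(lg)
    hits: Dict[str, List[str]] = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e.when)
        hosts: List[str] = []
        for i, a in enumerate(events):
            for b in events[i + 1:]:
                if b.when - a.when > window:
                    break                      # events are sorted; nothing later is closer
                if b.host != a.host:
                    for h in (a.host, b.host):
                        if h not in hosts:
                            hosts.append(h)
        if hosts:
            hits[account] = hosts
    return hits


def find_suspicious(logons: List[Logon], hr_records: Dict[str, HrRecord]) -> List[Finding]:
    """Apply the four rules and return one Finding per (account, rule, event)."""
    findings: List[Finding] = []
    for account, hosts in multi_workstation(logons, CONCURRENCY_WINDOW).items():
        findings.append(Finding(account, "multiple_workstations", ", ".join(hosts)))
    for lg in logons:
        hr = hr_records.get(lg.account, HrRecord())
        where = f"{lg.host} at {lg.when:%Y-%m-%d %H:%M}"
        if after_termination(lg, hr):
            findings.append(Finding(lg.account, "after_termination", where))
        elif on_leave(lg, hr):
            findings.append(Finding(lg.account, "on_leave", where))
        if after_hours(lg):
            findings.append(Finding(lg.account, "after_hours", where))
    return findings


# Constructed sample data: 2015-03-02 is a Monday, so none of these fall on a weekend.
SAMPLE_LOGONS = [
    Logon("jsmith", "WS-101", datetime(2015, 3, 2, 9, 5)),
    Logon("jsmith", "WS-217", datetime(2015, 3, 2, 9, 20)),   # second workstation 15 min later
    Logon("mjones", "WS-305", datetime(2015, 3, 2, 23, 40)),  # 23:40, after hours
    Logon("rlee", "WS-140", datetime(2015, 3, 5, 10, 0)),     # during recorded leave
    Logon("kpatel", "WS-019", datetime(2015, 3, 9, 8, 30)),   # after termination date
    Logon("abrown", "WS-222", datetime(2015, 3, 2, 10, 0)),   # routine logon, not flagged
]
SAMPLE_HR = {
    "rlee": HrRecord(leave=((date(2015, 3, 4), date(2015, 3, 6)),)),
    "kpatel": HrRecord(terminated_on=date(2015, 3, 6)),
}

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGONS, SAMPLE_HR):
        print(f"{f.account:8} {f.rule:22} {f.detail}")
```

In practice the logon events would come from the Windows Security log (or a collector such as InTrust) and the HR records from the identity lifecycle system; the rules are the same.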


HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Solutions Brief. Citrix Solutions for Healthcare and HIPAA Compliance. citrix.com/healthcare

Solutions Brief. Citrix Solutions for Healthcare and HIPAA Compliance. citrix.com/healthcare Solutions Brief Citrix Solutions for Healthcare and HIPAA Compliance citrix.com/healthcare While most people are well aware of the repercussions of losing personal or organizational data from identity

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 [email protected] Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information