Whitepaper: Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance


Table of Contents

10 Essential Steps
  Understand the Requirements
  Implement IT Controls that Affect your Business
  Define the Compliance Processes and Success Criteria
  Identify All In-Scope IT Components
  Collect Relevant User and System Activities
  Store All Logs Centrally and Efficiently as Required
  Implement Regular Tasks
  Verify Continuous Monitoring
  Demonstrate Compliance Status to Auditors
  Substantiate Reports and Alerts
Conclusion

Compliance without Complexity

TIBCO LogLogic Compliance Manager lets you monitor enterprise activity and manage risk, as well as manage and review network policies according to mandates and regulations. Each TIBCO LogLogic Compliance Suite edition augments the LogLogic platform with hundreds of specialized reports and alerts specifically tuned to the requirements of an individual mandate:

- IT Governance Institute's IT governance and control framework (COBIT)
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO 27002, an international information security standard (ISO)
- IT Infrastructure Library (ITIL)
- North America Electric Reliability Council (NERC)
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley Act (SOX)

"IT Governance is not security or compliance alone; the challenge is to stay secure and compliant while enhancing business performance."
Khalid Kark, Principal Analyst, Information Security and Risk Management at Forrester Research Inc.

10 Essential Steps

Getting started with an enterprisewide strategy for compliance requires an understanding of the requirements particular to your industry and business. Then, policies must be put in place for collecting, alerting, reporting on, storing, searching, and sharing data from all systems, applications, and network elements. This creates a closed-loop process that governs the lifecycle of enterprise data and ensures your compliance program is successful. Here are the 10 essential steps for implementing a successful enterprisewide compliance program:

1 Understand the Requirements

The first step is to understand the requirements of the regulations you must meet in your industry. No matter what industry your company operates in, there are numerous mandates and regulations that apply, as well as frameworks and controls that help various business units within an organization maintain security and risk management policies. Failing to follow certain controls can result in lost customers or lost jobs, whereas failure to meet industry regulations and legal mandates could result in more serious ramifications, such as fines or even imprisonment. A thorough understanding of the requirements applicable to your industry can prevent unnecessary problems.

2 Implement IT Controls that Affect your Business

Putting IT controls and frameworks in place helps govern compliance tasks and keeps companies on track. However, this requires an understanding of the specific language within those frameworks regarding log data management. The most common frameworks (COBIT/SOX, ISO, NIST, FISMA, and PCI) all have specific language pertaining to log data collection and retention. For example, Requirement 10 of the PCI standard states that companies must log and track user activities, automate and secure audit trails, review logs daily, and retain the audit trail for at least a year. Other frameworks have similar requirements for log data collection and retention. It's important that companies not only implement the frameworks, but really understand what they're asking for.

"Using LogLogic we achieved a return on investment in under six months, something that would have been impossible using an open source solution. But the rewards didn't stop there: once we had the LogLogic appliance installed, we noticed that we could see details of our network processes never before possible, significantly improving our awareness of security issues and enabling us to respond accordingly."
Florian Gohlke, chairman of LAVEGO AG

3 Define the Compliance Processes and Success Criteria

After you understand the requirements of a given regulation or mandate, determine the scope, configuration, and mechanism for collecting, alerting on, reporting on, and retaining the data necessary to satisfy auditors or stakeholders. This step-by-step process allows you to define goals and key tasks for successful compliance. For example, when you determine the scope, your goal should be to identify all system components that are subject to a given regulation. Then you can define key tasks related to that goal. When those tasks are complete, you can move to configuring network elements, systems, and applications to generate the required log messages. After configuration, you can move to defining dependent tasks for important compliance activities, including the collection and retention of data, setting up automated alerts, and reporting on that data.

"We needed a solution that would collect all of the necessary logs in one place and that would ensure compliance while also helping us to reduce the time it took to generate reports."
Daniel Barone, system administrator, Plantronics

Though its TIBCO LogLogic solution was targeted at compliance reporting, Ameren Corporation discovered unexpected benefits. For example, firewall changes were supposed to go through a formal change request process, but were sometimes forgotten in emergencies. Using LogLogic, IT administrators could see when a firewall changed and react accordingly. Additionally, LogLogic shows what changes were requested and approved and compares this information to what was actually changed, ensuring closed-loop security.

4 Identify All In-Scope IT Components

It's a misconception that only hardware should be monitored for compliance. Servers, applications, and homegrown systems should also be monitored. The specific components that need monitoring will depend on the mandates and regulations that apply to your industry. For example, if PCI applies to your business, all components that transmit, process, or store financial information are in scope.

The Lowry, a prestigious theatre and arts center, needed a log management system that would work with its existing infrastructure, meet PCI DSS compliance regulations, and address security, event management, and best practices needs. Beyond compliance, LogLogic alerts The Lowry to any potential external threats. If someone is trying to hack into the website, for example through brute force attacks, the LogLogic appliance alerts the IT team. Prior to LogLogic, the team would have no idea an attack was happening until a security event occurred.

In addition to providing PCI compliance, The Body Shop's LogLogic solution helps the IT team discover and troubleshoot other system issues. When the team needed a highly secured network zone for credit card handling to process some non-credit-card information, the log data provided by LogLogic helped identify how to make the systems talk to one another. LogLogic software also helped The Body Shop identify point-of-sale software that was generating significant amounts of traffic. Because of the system intelligence provided by LogLogic, The Body Shop was able to reduce traffic by reconfiguring the software.

5 Collect Relevant User and System Activities

Log data from IT components across the enterprise provides a fingerprint of user activity. This information includes failed logon attempts, security breaches, file uploads and downloads, credit card data access, information leaks, user and system activity, privileges assigned and changed, runaway applications, customer transactions, and email data. This is the information that auditors will expect you to monitor on a daily basis. Log data contains a wealth of information that provides insight into the health and security of the network; hence, it's critical to collect, store, and have access to all of it.

6 Store All Logs Centrally and Efficiently as Required

All information from network components (hardware, servers, applications, and homegrown systems) should be collected across geographically distributed locations and placed in a central archive. This archive should be stored long-term for regulatory compliance. Most regulations specify that log data should be stored for 1 to 7 years:

- 7 years for long-term archival
- 1 to 3 years for immediate forensics and compliance access
- 90 days online for operational use

This should never be an all-or-nothing stopgap. Too much archived information can be as costly and inefficient as not having enough. Ensure that noise or irrelevant data does not take up valuable disk space or slow down your search and discovery efforts.

7 Implement Regular Tasks

Although some tasks, such as user activity monitoring, must be completed on a daily basis, others are required on a weekly, monthly, or even an as-needed basis. It's important to determine ahead of time how often to perform critical tasks. IT controls frameworks and best practices provide recommendations for the frequency of specific tasks. Automated alerts are helpful for as-needed tasks such as monitoring excessive failed user logins or IDS attacks, or reviewing change management requests. Automated reports ease the hassle of daily and weekly tasks like reviewing user access logs or configuration changes, or ensuring backups are conducted properly.

"When we launch systems at an outstation, we have very little time to get everything up, troubleshoot it, and get it online; we need a log solution that is easy to use and as hassle-free as possible. We've added some new firewalls, and each time we added new equipment to our environment, it took me less than a minute to send the logs to the LogLogic appliance and for it to accept them. LogLogic is that easy to use."
Christopher Courtright, senior security engineer, Republic Airways Holdings LLC
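Step 7 mentions automated alerts for excessive failed user logins as a typical as-needed task. The following is an added example (not code from the whitepaper or from the TIBCO LogLogic product) of the detection logic behind such an alert: it parses constructed sshd-style log lines and raises one alert whenever a user/source pair accumulates a threshold of failures inside a sliding time window. The log format, threshold and window size are assumptions chosen for illustration.

```python
"""Threshold alert for excessive failed logins (added example, not from the paper)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: four failures for 'admin' from one host within
# three minutes (should alert), a later isolated failure, and one for 'bob'.
SAMPLE_LOG = """\
2013-07-09T10:00:01 host1 sshd[1001]: Failed password for admin from 10.0.0.5 port 5001 ssh2
2013-07-09T10:00:20 host1 sshd[1002]: Failed password for admin from 10.0.0.5 port 5002 ssh2
2013-07-09T10:01:05 host1 sshd[1003]: Failed password for bob from 10.0.0.9 port 5003 ssh2
2013-07-09T10:01:40 host1 sshd[1004]: Failed password for admin from 10.0.0.5 port 5004 ssh2
2013-07-09T10:02:30 host1 sshd[1005]: Failed password for admin from 10.0.0.5 port 5005 ssh2
2013-07-09T10:30:00 host1 sshd[1006]: Failed password for admin from 10.0.0.5 port 5006 ssh2
2013-07-09T10:31:00 host1 sshd[1007]: Accepted password for admin from 10.0.0.5 port 5007 ssh2
"""

# Assumed line layout: ISO timestamp, host, process, then the OpenSSH-style message.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, source) for each failed-login line; ignore the rest."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def detect_excessive_failures(text, threshold=4, window=timedelta(minutes=5)):
    """Return a list of alerts (user, src, count, first_ts, last_ts).

    An alert fires when `threshold` failures for the same (user, src) pair fall
    inside a sliding `window`. The pair's window is cleared after firing, so a
    long burst produces one alert per `threshold` failures rather than one per line.
    """
    recent = defaultdict(deque)   # (user, src) -> timestamps still inside the window
    alerts = []
    for ts, user, src in parse_failed_logins(text):
        q = recent[(user, src)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, src, len(q), q[0], ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for user, src, count, first, last in detect_excessive_failures(SAMPLE_LOG):
        print(f"ALERT: {count} failed logins for {user} from {src} between {first} and {last}")
```

The fourth 'admin' failure at 10:02:30 trips the alert; the failure at 10:30:00 starts a fresh window and stays below the threshold, and 'bob' never reaches it. In a real deployment the threshold and window would be set per the control framework in use and the alert would be routed to the review process that Step 8 describes.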

8 Verify Continuous Monitoring

Hamleys is an internationally recognized toy retailer. With the addition of LogLogic, Hamleys has been able to integrate all of its infrastructure logging for increased cyber security. They are now able to prevent any improper use of confidential data much more comprehensively. The whole estate is being proactively monitored 24x7, with real-time alerts set up to flag any unusual activity as it happens. Rather than providing analysis after a security breach, the solution proactively monitors and takes action on any unusual, suspicious, or malicious activity. The solution also includes data forensics for deep tracking and understanding of how any security compromises may have occurred and how to secure the system in the future.

Alerting mechanisms and scheduled reporting let IT personnel know when a component, system, or application is not complying with set policies. During an audit, auditors will want specific information about incidents that occurred, and what was done to mitigate or resolve the incident. Questions may include:

- What active alerts are set to monitor these controls?
- What was the actual alert you received?
- Where is the evidence that you acknowledged the alert?
- Where is the evidence that you investigated the incident?
- Where is the evidence that you are periodically reviewing user logs?
- Where is the evidence that you have removed terminated employee accounts?

9 Demonstrate Compliance Status to Auditors

Using alerts and scheduled reports, you can also demonstrate compliance status to auditors. Alerts should be set based on compliance with SOX, PCI, ISO, HIPAA, or whatever regulation or best practice you are implementing. Then, reporting can be used to demonstrate compliance. An auditor might want to see the actual report that you are using to demonstrate segregation of duties, for example.
Log management and intelligence solutions, such as TIBCO LogLogic, provide report templates that map to common IT control frameworks to simplify compliance reporting.

10 Substantiate Reports and Alerts

Alerting and reporting on logs must be substantiated with immutable log archives. It's critical to store logs centrally with a long-term archival solution that preserves the integrity of the data. Immutable logs require time stamps, digital signatures, encryption, and other precautions to prevent tampering, both during transit of the data from the logging device to the storage device and during archiving.

Conclusion

Compliance is no longer an isolated IT project; it's an enterprisewide endeavor that requires cooperation between business units and a deep understanding of the requirements, regulations, mandates, and IT controls necessary for your particular industry and business. Compliance must be looked upon as a business issue that requires a cross-functional approach, involving people, processes, and technology. Taking the steps necessary to understand, define, and implement the appropriate IT controls and frameworks for your business will simplify compliance and reduce the costs and resources involved in completing compliance-related tasks.

TIBCO Software Inc. (NASDAQ: TIBX) is a provider of infrastructure software for companies to use on-premise or as part of cloud computing environments. Whether it's efficient claims or trade processing, cross-selling products based on real-time customer behavior, or averting a crisis before it happens, TIBCO provides companies the two-second advantage: the ability to capture the right information, at the right time, and act on it preemptively for a competitive advantage. More than 4,000 customers worldwide rely on TIBCO to manage information, decisions, processes and applications in real time. Learn more at www.tibco.com.
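Step 10 above states that reports and alerts must rest on immutable, time-stamped, signed log archives. The following is an added example (not code from the whitepaper or from TIBCO LogLogic) of the tamper-evidence mechanism that makes an archive "substantiate" what was reported: each record carries a timestamp and the hash of the preceding record, and the archive is sealed with a keyed MAC over the final hash. The HMAC stands in for the digital signature the paper names; the record layout, field names and key handling are assumptions for illustration, and a production archive would sign with an asymmetric key held outside the logging system.

```python
"""Hash-chained, sealed log archive with a verifier (added example, not from the paper)."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous hash" of the first record


def _entry_hash(entry):
    """SHA-256 over the canonical JSON of the fields that must not change."""
    canon = json.dumps({k: entry[k] for k in ("seq", "ts", "msg", "prev")},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class LogArchive:
    """Append-only archive: every record links to its predecessor by hash."""

    def __init__(self, seal_key: bytes):
        self._key = seal_key      # assumed to be held by the archive, not the log sources
        self.entries = []

    def append(self, msg, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "msg": msg,
            "prev": prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def seal(self):
        """Keyed MAC over the chain head; store this separately from the entries."""
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        mac = hmac.new(self._key, head.encode(), "sha256").hexdigest()
        return {"head": head, "count": len(self.entries), "mac": mac}


def verify_archive(entries, seal, seal_key: bytes):
    """Recompute the chain and check the seal. Returns (ok, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at {i}"
        if e["prev"] != prev:
            return False, f"broken chain at {i}"
        if _entry_hash(e) != e["hash"]:
            return False, f"entry {i} modified"
        prev = e["hash"]
    if seal["count"] != len(entries):
        return False, "entry count mismatch (truncation?)"
    expected = hmac.new(seal_key, prev.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, seal["mac"]):
        return False, "seal mismatch"
    return True, "ok"


def demo(seal_key=b"constructed-demo-key"):
    """Build a small archive and show which tampering each check catches."""
    arch = LogArchive(seal_key)
    arch.append("user alice: privilege changed to admin", ts="2013-07-09T10:00:00+00:00")
    arch.append("firewall rule 42 modified",              ts="2013-07-09T10:05:00+00:00")
    arch.append("terminated account bob removed",         ts="2013-07-09T10:09:00+00:00")
    seal = arch.seal()

    intact = verify_archive(arch.entries, seal, seal_key)

    edited = copy.deepcopy(arch.entries)          # silently rewrite one message
    edited[1]["msg"] = "firewall rule 42 reviewed"
    edited_result = verify_archive(edited, seal, seal_key)

    truncated = copy.deepcopy(arch.entries)[:-1]  # drop the last record
    truncated_result = verify_archive(truncated, seal, seal_key)

    return {"intact": intact, "edited": edited_result, "truncated": truncated_result}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} ok={ok} reason={reason}")
```

Rewriting a message breaks that entry's own hash; an attacker who also recomputes the hash breaks the `prev` link of the next record, and one who recomputes the whole chain still fails the seal unless they hold the sealing key. Dropping records from the end is caught by the count in the seal, which is why the seal must be stored (or signed) out of reach of whoever can write to the archive.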
Global Headquarters
3307 Hillview Avenue
Palo Alto, CA 94304
Tel: +1 650-846-1000, +1 800-420-8450
Fax: +1 650-846-1005
www.tibco.com

2008-2013, TIBCO Software Inc. All rights reserved. TIBCO, the TIBCO logo, TIBCO LogLogic, and TIBCO Software are trademarks or registered trademarks of TIBCO Software Inc. in the United States and/or other countries. All other product and company names and marks in this document are the property of their respective owners and are mentioned for identification purposes only.