CloudCheck Compliance Certification Program

Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification

Organizations today are increasingly relying on a combination of private and/or public cloud computing infrastructures to support their overall business requirements. Given an erratic global economy, this shift toward a virtualized world is inevitable, since it provides the efficiencies, flexibility and overall cost-savings that most businesses desperately need in order to remain competitive. Unfortunately, a side effect of this computing transformation is that the concept of an organization's network security perimeter is dramatically different, making it even more challenging to maintain the level of network security that is essential for ensuring regulatory compliance within cloud and/or hybrid environments.

As industry analysts will attest, adequate cloud security continues to be the single largest impediment to widespread cloud computing adoption, since most businesses view the mitigation of risk within the cloud to be a daunting task, one that requires substantial and knowledgeable IT resources in order to provide thorough planning, auditing, and increased visibility into the cloud's physical and virtual infrastructure.

With this need in mind, Masergy has developed the CloudCheck Certification Program. CloudCheck Certification is a vendor-neutral services portfolio that provides comprehensive and cost-effective cloud security assessment and validation for organizations interested in taking advantage of the economies of scale that cloud computing affords.

For businesses of all sizes, cloud computing represents the promise of lower cost while establishing the foundation for a new wave of innovation and growth. Concerns about security, however, are a key barrier to adoption that must be overcome to give organizations the confidence to place their business-critical applications and data in the cloud.
"Aberdeen's research has consistently shown that the most successful organizations ensure that their IT infrastructure is first secure, then compliant, and then work to improve operational efficiencies and reduce overall cost. Masergy's initiative to certify security and compliance for cloud computing environments aligns well with what we have seen as the best-in-class approach."
- Derek E. Brink, vice president and research fellow for IT Security, Aberdeen Group

CloudCheck Certification Program Overview

The way in which an organization approaches compliance policy enforcement and validation changes as portions of the company's infrastructure migrate to the cloud. Specific compliance-based policies and processes relevant to a cloud environment are crucial for defining an organization's implementation of industry or government standards, regulations, and requirements (e.g., PCI DSS, HIPAA, NERC-CIP, etc.). Consideration of such compliance requirements is an integral component of Masergy's CloudCheck Certification Program.

Masergy is working with SaaS providers such as Amazon Web Services (AWS) to provide additional security functionality to their cloud deployments, and the CloudCheck Certification Program is a continuation of that effort. It offers a comprehensive, step-by-step approach to compliance that incorporates security processes, policies, and technology to ensure that critical customer data in the cloud is untouchable by unauthorized personnel. As part of this program, world-class security experts are available when you need them to perform periodic audits, monitoring and testing to help keep your systems up-to-date and secure.

The CloudCheck professional services portfolio includes:

Security Assessments: gap analyses to evaluate cloud security policies, processes, people and products.
Periodic Audits: monitoring and testing based on compliance requirements to validate that a company's software, systems and security programs are up-to-date.
Web Application Assessments: monitoring and testing of user access privileges to ensure that only authorized users can gain access to sensitive system and user information.
Vulnerability Assessments: quarterly testing of the effectiveness of security measures to ensure that networked systems and high-risk data are secure.

CloudCheck Certification enables businesses to authenticate the security of their cloud deployment through a unique security toolkit (IDS/IPS, vulnerability scanning, and log monitoring and management services) that validates actual application instances within a cloud environment. This advanced security capability is made possible by Masergy's Unified Enterprise Security architecture, which transparently attaches to each application instance in the cloud. It moves with the application, continually assessing the security posture of each individual cloud computing environment. Similar to the way vulnerability scanning, log monitoring, and IDS functions are utilized in a traditional premise-based security infrastructure, Cloud Guard virtual security products are deployed in a cloud environment in order to bond with each application and then assess and certify the security of a specific cloud deployment.
[Figure: Masergy's Cloud Packet Analysis Approach Integrated with Virtual Firewall to Block Malicious Traffic. Components shown: Network Traffic; Unified Administration & Monitoring; Firewall; Network Behavior Analysis; Threat and Network Access Policy & Monitoring; Suspicious Traffic; Intrusion Detection Service; Security Information/Event; Vulnerability Scanning; Syslogs; Network Access Violations; Cloud Applications.]

Masergy's CloudCheck Compliance Certification is based on a modular systemic architecture that utilizes 100% passive technology and is hybrid Cloud/CPE enabled.
CloudCheck Certification Levels

The CloudCheck Certification Program is comprised of two certification levels. CloudCheck Silver Certification focuses on the required cloud security risk management administrative controls appropriate for an organization carrying out the necessary level of cloud-centric due diligence and due care. CloudCheck Gold Certification builds upon the services available at the Silver level, and adds additional technical controls that an organization should deploy when migrating applications to the cloud.

CloudCheck Silver Certification

An organization's security governance and management relative to its migration to cloud computing is thoroughly evaluated. For example, critical areas such as security policy, standards, and procedures are assessed. Other key areas that are evaluated include information classification and handling, training, and configuration management. Analysis of an intended cloud provider's policies, SLAs, and documented security infrastructure is also a key component of this assessment. All of these security governance considerations are assessed for optimum cloud computing security.

"An all too common misconception is that a network breach is a singular event that occurs during a brief period of time. In reality, 82% of successful breaches were actually preceded by a series of successive reconnaissance activities, intentionally spanning days, weeks and even months in an effort to avoid detection."
- Data Breach Investigations Report

CloudCheck Gold Certification

Building on the CloudCheck Silver Certification assessment, Gold Certification includes an assessment of critical technical controls related to the cloud-computing infrastructure. Examples of these technical controls are encryption, anti-malware, access control, network monitoring, vulnerability scanning, and log monitoring. Masergy will deploy its unique Cloud Guard virtual security tools in order to perform this comprehensive security assessment.
Based upon an organization's security assessment requirements, detailed penetration testing can also be added. These cloud-centric assessment tools provide Masergy with visibility into the physical and virtual layers of the cloud-computing infrastructure, a capability that other vendors do not have.

CloudCheck Certification Program Assessment Areas

Security Policy
Since the security policy is the document from senior management that drives the organization with respect to the role that security plays, it is important that this document be appropriately updated to include the organization's foray into cloud computing.
Information Classification
Information must be classified according to its risk (i.e., financial information or cardholder data would be of a higher classification than customer names).

Protection: Information must be protected according to its classification level as defined in policy.
Storage: When it is necessary to store sensitive information (e.g., cardholder data), it must be encrypted according to its classification level.
Transmission: Information in transit must be encrypted according to its classification level. This includes information transmitted between virtual machines located on the same physical device when the physical device is not dedicated to, or physically controlled by, the organization.
Encryption: All cryptographic operations must be performed using cryptographic algorithms and corresponding key lengths as specified in the organization's approved cryptographic algorithms.

Digital Network Protection
In order to maintain the confidentiality, integrity, and availability of sensitive information, the following security controls must be in place within the digital network. Note that both the organization's network assets with access to the cloud, and assets leveraged in the cloud, should be considered in scope for this assessment:

ACCESS CONTROL
Network: Network-level access control must be in place to protect sensitive information on network assets from external and internal attacks.
User: User-level access control must be in place to provide users with the minimum level of access required to perform their job.
Information: Access to sensitive information must be limited by user based on business need, in accordance with policy.

MONITORING
Network: All network traffic to and from assets which store, process, or have access to sensitive information must be monitored on a 24/7 basis.
Logs: All logging by assets which store, process, or have access to sensitive information must be regularly monitored.
VULNERABILITY MANAGEMENT
Regular Vulnerability Scanning (Network and Application Level): Network-level vulnerability scanning will be performed at an appropriate frequency, with approved scanning tools.
Vulnerability Remediation: A program must be in place to remediate any discovered vulnerabilities in a timely manner.
Anti-Virus: Anti-virus software must be in place on all assets, and virus signatures must be regularly updated.
Penetration Testing (Optional): A penetration test should be performed at least annually, and any time significant changes occur on the network or in applications. The penetration testing must include web applications.

CONFIGURATION MANAGEMENT
Change: Any changes must be documented and approved prior to being made.
Patch: A patch management system must be in place to test and apply operating system and application patches and updates in a timely manner.
Password: Vendor-supplied default passwords must not be used. Passwords protecting sensitive information must meet complexity requirements. Passwords protecting sensitive information must be changed at least every ninety (90) days.

PASSWORD STORAGE
Passwords must not be stored either in plain text or in any format that is reversible. Instead, a cryptographic hash of passwords should be stored.
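The following is an added example of what the PASSWORD STORAGE requirement looks like in code; it is not Masergy's code and is not part of the brochure. It stores only a salted PBKDF2-HMAC-SHA256 record, verifies a login with a constant-time comparison, and includes an assessor-side check that flags stored credentials that are plaintext or merely base64 "encoded" (reversible). The record format, the iteration count and the sample users are assumptions made for this example.

```python
"""Password storage example for the PASSWORD STORAGE requirement.
Added example, not Masergy's code; record format, iteration count and
sample records are assumptions. Standard library only."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

HASH_NAME = "sha256"
ITERATIONS = 200_000     # assumed cost factor; tune to the hardware in use
SALT_BYTES = 16
# Stored form (assumed): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
RECORD_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]+)\$([0-9a-f]+)$")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    match = RECORD_RE.match(record)
    if not match:
        return False  # refuse anything that is not a hashed record
    iterations, salt_hex, digest_hex = match.groups()
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_password_records(records: dict) -> dict:
    """Assessor-side check: report users whose stored credential is not a
    hashed record. Base64 'encoding' of printable text is flagged as
    reversible; anything else unrecognized is reported as plaintext.
    This is a heuristic for an audit, not a proof of compliance."""
    findings = {}
    for user, stored in records.items():
        if RECORD_RE.match(stored):
            continue
        try:
            decoded = base64.b64decode(stored, validate=True).decode("ascii")
            if decoded.isprintable():
                findings[user] = "reversible (base64-encoded plaintext)"
                continue
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
            pass
        findings[user] = "plaintext or unrecognized format"
    return findings


# Constructed sample credential store for this example.
SAMPLE_RECORDS = {
    "alice": hash_password("CorrectHorse-9"),  # compliant: salted hash
    "bob": "hunter2",                           # plaintext
    "carol": "aHVudGVyMg==",                    # base64("hunter2"): reversible
}

if __name__ == "__main__":
    print(verify_password("CorrectHorse-9", SAMPLE_RECORDS["alice"]))  # True
    for user, finding in audit_password_records(SAMPLE_RECORDS).items():
        print(f"{user}: {finding}")
```

Two design points worth noting for an assessment: the salt and iteration count are stored alongside the digest so that the cost factor can be raised later without locking out existing users, and the comparison uses hmac.compare_digest so that verification time does not leak how many bytes of the digest matched.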
SOX Compliance

Flexible Managed Services for Your Cloud Computing Needs

Once you have the CloudCheck seal, you can keep your cloud computing solution operating at peak efficiency with our world-class 24/7 managed or co-managed services. You can cost-effectively allocate your internal resources and outsource network security requirements based on your company's specific needs.

Additional Resources

Contact Masergy Today
For more information regarding our Unified Enterprise Security solutions, contact us at 1 (866) 588-5885 or visit us online at www.masergy.com.

2009 Best Products & Services Reader's Trust Award: Network Products Guide has named Masergy a winner of the 2009 Best Products and Services - Reader's Trust Award for Unified Security.
2009 Global Product Excellence - Customer Trust Award: Info Security Products Guide has named Masergy a winner of the 2009 Global Product Excellence Customer Trust Award for Integrated Security.
2009 Product Innovation Award: Network Products Guide has named Masergy's Enterprise UTM++ a winner of the 2009 Product Innovation Award for the overall Security Solution (Hardware and Software) category. Masergy also received the Product Innovation award in 2008 for its All-n-One Security Module for Enterprise UTM.
2009 Tomorrow's Technology Today Award: Info Security Products Guide has named Masergy's Enterprise UTM++ a winner of the 2009 Tomorrow's Technology Today Award for the Integrated Security Solution (Hardware and Software) category. Masergy has also received the Tomorrow's Technology Today award in prior years (2006, 2007 & 2008) for Unified Security, Network Security and Security Risk Managed Security Services.
SC Magazine 2008 Industry Innovator: SC Magazine has recognized Masergy for its industry innovation in the unified threat management category.

Rev. 032015 www.masergy.com +1 (866) MASERGY (627-6749) Masergy Communications, Inc.