Fortinet Solutions for Compliance Requirements



Similar documents
ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Security Controls What Works. Southside Virginia Community College: Security Awareness

Compliance and Industry Regulations

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

SECURELINK.COM COMPLIANCE AND INDUSTRY REGULATIONS

74% 96 Action Items. Compliance

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Client Security Risk Assessment Questionnaire

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

PCI DSS. Get Compliant, Stay Compliant Seminar

CHIS, Inc. Privacy General Guidelines

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Did you know your security solution can help with PCI compliance too?

Through the Security Looking Glass. Presented by Steve Meek, CISSP

March

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Introduction. PCI DSS Overview

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Payment Card Industry Self-Assessment Questionnaire

GFI White Paper PCI-DSS compliance and GFI Software products

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security

Achieving PCI Compliance: How Red Hat Can Help. Akash Chandrashekar, RHCE. Red Hat Daniel Kinon, RHCE. Choice Hotels Intl.

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

PCI DSS Requirements - Security Controls and Processes

Data Management & Protection: Common Definitions

Securing Your Customer Data Simple Steps, Tips, and Resources

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Security Controls for the Autodesk 360 Managed Services

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

PCI Data Security Standards

Josiah Wilkinson Internal Security Assessor. Nationwide

The Education Fellowship Finance Centralisation IT Security Strategy

PCI Data Security and Classification Standards Summary

Achieving PCI-Compliance through Cyberoam

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

STATE OF NEW JERSEY Security Controls Assessment Checklist

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

PCI and PA DSS Compliance Assurance with LogRhythm

CONTENTS. PCI DSS Compliance Guide

Payment Card Industry Data Security Standard

PCI Compliance. Top 10 Questions & Answers

Guide to Vulnerability Management for Small Companies

How To Achieve Pca Compliance With Redhat Enterprise Linux

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

PCI Requirements Coverage Summary Table

PCI COMPLIANCE GUIDE For Merchants and Service Members

Telemedicine HIPAA/HITECH Privacy and Security

IT Security Procedure

Automate PCI Compliance Monitoring, Investigation & Reporting

CSU, Chico Credit Card PCI-DSS Risk Assessment

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

PCI Requirements Coverage Summary Table

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

DHHS Information Technology (IT) Access Control Standard

PCI Compliance Top 10 Questions and Answers

Demonstrating Regulatory Compliance

Central Agency for Information Technology

HIPAA Security Alert

SonicWALL PCI 1.1 Implementation Guide

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

BMC s Security Strategy for ITSM in the SaaS Environment

Miami University. Payment Card Data Security Policy

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

ITECH Net Monitor. Standards Compliance

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

New Boundary Technologies. The Payment Card Industry (PCI) Security Guide. New Boundary Technologies PCI Security Configuration Guide

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

How To Write A Health Care Security Rule For A University

787 Wye Road, Akron, Ohio P F

A Decision Maker s Guide to Securing an IT Infrastructure

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

HIPAA Compliance Evaluation Report

Project Title slide Project: PCI. Are You At Risk?

PCI Data Security Standards (DSS)

White Paper: Ensuring HIPAA Compliance by Implementing the Right Security Strategy

PCI DATA SECURITY STANDARD OVERVIEW

LogRhythm and PCI Compliance

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Achieving Compliance with the PCI Data Security Standard

University of Sunderland Business Assurance PCI Security Policy

Teleran PCI Customer Case Study

Cyber-Ark Software and the PCI Data Security Standard

U06 IT Infrastructure Policy

Automation Suite for. 201 CMR Compliance

Supplier Information Security Addendum for GE Restricted Data

Transcription:

s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized Logging Recommended Network Anti-Spyware Network Anti-Virus Instant Messaging Security Patch Management Anti-Virus & Spyware Scanning Web, Mail, FTP IM Rate Limiting, Logging and/or Prevention 24 Hours for Critical Updates Applies to all publicly traded companies. A majority of the regulations apply to auditing, the board of directors, disclosures, and improper trading. Section 404 (below), is interpreted to apply to IT. SOX, as it reads, is highly subjective with few IT specifics. ISO7799, PCI, or HIPPA provide better implementation specifics that you may wish to follow. IT Requirements Summary: 1. You must have a written security policy. 2. You should baseline your current compliance state and be prepared to show progress towards full compliance. SOX is commonly applied with progressive requirements year over year. 3. Additional sections of SOX require timely monitoring and response to issues that may materially affect data used or relied upon to generate public financial

reports. In IT terms you need to monitor your logs, and respond to threats. SEM tools and IPS are commonly inferred from timely monitoring. Gramm-Leach-Bliley Act (GLBA, GLB) Section / Reference Technical Control Requirement GLBA references ISO 17799 as a guideline Firewall FortiGate IDS / IPS Recommended FortiGate Instant Messaging Security IM Rate Limiting, Logging and/or Prevention (if IM is used/permitted) FortiGate Centralized Logging Recommended Patch Management 24 Hours for Critical Updates Network Anti-Spyware Network Anti-Virus Anti-Virus & Spyware Scanning Web, Mail, FTP Recommended FortiGate Applies to the financial services industry (Insurance, Securities, Banking). With the exception of a few specific acts being made illegal, and fair credit and consumer rights being spelled out, little of the legislation is directly applicable to IT. ISO7799 is referred to as a starting point in many of the legislative summaries and practical implementation guides. PCI or HIPPA provide more tangible implementation specifics, that should, if followed, also provide proper controls for GLBA as well.

IT Requirements Summary: 1. You must have a written security policy. 2. You must establish a baseline risk assessment vulnerability scan 3. You must monitor and report on access to any files, folders, or databases that contain consumer financial information. 4. You must notify any consumer if you believe their information has been compromised. HIPPA Health Insurance Portability and Accountability Act Section / Reference Technical Control Requirement High, Medium & Low Systems Firewall FortiGate High & Medium Systems IDS / IPS 16, 18 Centralized Logging 1 Addressable / Recommended Addressable / Recommended FortiGate High & Medium Systems Patch Management 24 Hours for Critical Updates 17, 19 Encryption (for transmission of patient data) FortiGate VPN (SSL or IPSEC 3 DES or AES) The standard and summaries are quite lengthy and verbose in nature, but not difficult to implement, and relatively IT friendly with quite a bit of latitude in methods and implementation specifics.

Applies to organizations colleting, processing or storing medical information, specifically: Health Care Providers Health Plans Health Clearinghouses Medicare Prescription Drug Card Sponsors HIPPA - IT Requirements Summary: HIPPA has an extended set of security requirements and controls with both required and addressable (optional) components. Addressable components of HIPPA not selected must be documented with associated reasoning as to why the specific control was not applied in a given organization. Further classification, and stricter compliance with optional controls are also applied based on system designation as HIGH, MODERATE, or LOW information systems. A summary of key requirements is listed below: 1. Conduct an initial risk assessment, periodic reviews and reassessments. 2. Written security policy. 3. Designated security person. 4. Written incident handling policy. 5. Backup, Emergency Operations, and Disaster Recovery plan. 6. Reuse and disposal plan for reusable media. 7. Audit controls are required, including unique user identifiers. 8. Termination Policy and Procedures 9. Implement user level processes of least privilege. 10. Log/audit login and logoffs 11. Secure and authenticate before physical access to the facility and sensitive areas is granted. 12. Written usage policies by system type (laptop, desktop, server ). 13. Physical removal tracking and policy of all systems and data (including removable media). 14. Create an exact copy backup prior to being moving data or systems. 15. Logout/disconnect inactive sessions 16. Audit access to secure data 17. Encrypt sensitive data 18. Monitor and audit access and alterations to sensitive data 19. Protect data in transmission 20. Multi-Factor authentication and/or non-repudiation

FISMA - Federal Information Security Act (HR 2458-51) Section / Reference Technical Control Requirement FIPS 199 & 200, DOD 8500.2 Firewall FortiGate FIPS 199 & 200, NIST 800-94 NIST 800-92 IDS / IPS Centralized Logging Recommended A & B, NIST 800-26 NIST 800-40 Patch Management 24 Hours for Critical Updates NIST 800-77 Encryption (128 bit+) (for FortiGate VPN transmission of (SSL or IPSEC cardholder data) 3 DES or AES) FISMA discusses a pyramid of goals based on Availability, Integrity and Confidentiality in order to provide security. Applies to governmental agencies, governmental contractors and telecommunications providers who provide services to anything deemed related to national security (very broad stroke). Also applies to Federal agencies, contractors, and any other company or organization that uses or operates an information system on behalf of a federal agency. IT Requirements Summary: There are an extensive series of explicit controls and inter-related publications from NIST and FIPS that specify various controls for Low, Moderate and High Impact systems. A. Assess Existing State (create a baseline) B. Create a Risk Summary, and categorize systems as low, moderate, or high impact relative to security. 1. Check FIPS 199 and determine the class of system (Low, Moderate, High) 2. Review the NIST standards for the type of system (email, DNS, Wireless, etc )

3. Apply appropriate controls (800-53 appendix D), and amend or create policies (NIST 800-12) C. Review Internally, and Independently (annually) for compliance. PCI Payment Card Industry Requirement Technical Control Requirement 1 Firewall FortiGate 2 IDS / IPS 4 Encryption (128 bit+) 5 & 6 5 & 6 Anti-Virus (for FortiGate VPN transmission of (SSL or IPSEC cardholder data) 3 DES or AES) Patch Management / 24 Hours for Change Control (FW) Critical Updates 10 Centralized Logging Local AV, with Up to date signatures Recommended 11 Applies to merchants and processors of Visa or MasterCard transactions. Unlike SOX and GLBA, The standard is quite straight forward and IT specific and should be read and reviewed in it s entirety. IT Requirements Summary: Taken Directly from the PCI_DSS 1.1 Documentation 1: Install and maintain a firewall configuration to protect cardholder data 2: Do not use vendor-supplied defaults for system passwords and other security 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks 5: Use and regularly update anti-virus software

6: Develop and maintain secure systems and applications 7: Restrict access to cardholder data by business need-to-know 8: Assign a unique ID to each person with computer access 9: Restrict physical access to cardholder data 10: Track and monitor all access to network resources and cardholder data 11: Regularly test security systems and processes 12: Maintain a policy that addresses information security ISO 17799 / 27001 / BS7799 / NZS 7799 / AS 7799 / IEC 17799 Section / Reference Technical Control Requirement 8 Firewall FortiGate 8 IDS / IPS 11 & 12 Centralized Logging Recommended 6, 7, & 11 11 & 12 Patch Management 24 Hours for Critical Updates Twelve Steps 1. Establish Importance 2. Define the Scope 3. High Level Policy 4. Establish a Security Organization 5. Identify and Classify 6. Identify and Classify Risks 7. Plan for Risk Management 8. Implement Risk Mitigation Strategies 9. Statement of Applicability (gap analysis, exclusions/exceptions) 10. Training and Security Awareness

11. Monitor and Review 12. Maintain and Improve Focus Risk Analysis Threat X Risk Common / Non-Specific Requirements Addressed by, Inc. Section / Reference Technical Control Requirement Instant Messaging Security IM Rate Limiting, Logging and/or Prevention Denial of Service Prevention DoS / DDoS mitigation IM / P2P Rate Limiting IM / P2P security Profiles Network Anti-Virus Network Anti-Spyware Anti-Virus Scanning Web, Mail, FTP Anti-Spyware Scanning Web, Mail, FTP Anti-Spam Host Based IPS/AV/AS/FW Mail profiles RBL, Black/White, Keywords Client Side Anti- Virus/Spam, Firewall, Recommended and Intrusion Prevention

Generic Report Output for Compliance (common to nearly all regulations) 1. Logons / Logoffs Successful and Unsuccessful 2. Adding Rights to an Account 3. Adding an account to a group 4. Access to sensitive files (read, or edit) 5. Attacks against systems with sensitive data (Worm, Virus, Buffer Overflow) 6. Breaches of access to any sensitive system Elements of an Operational Compliance Report 1. Output Should include: a. User Event Report b. Top Attacker Report c. Top Attacks Report d. Top Targets e. Report f. Risk Report 2. Ideally, to minimize the report length, and improve relevance, you may also: a. Identify Critical Assets i. Assign Higher Threat Weightings to systems with financial data & critical systems b. Segregate Assets that must be audited i. Create an Area in SMC for Audited Devices (i.e. accounting area). ii. Create IP objects in the audited device area for all critical assets. c. Create an Audit Event Attack Method for events that are audit specific (i.e. Windows: 560, 567- File Access, 642 Account Modification, 628 - Change of Password, 644 - Account Lockout, etc ). And add a report to your compound audit report for by Attack Method to match the custom audit event attack method create. d. Annotate each event as cleared with the time it was cleared, who cleared the event, and what the resolution was. Add a report to the compliance compound report for cleared events to include the comments to show timely resolution (not currently required, but somewhat implied).

Summary Preparing in advance and deploying solutions to meet minimum and recommended standards can drastically reduce the length, and cost of compliance audits, and provide the controls, tools, and reports necessary to conform to nearly any compliance regulation. Basics: 1. A written security policy is a must 2. If you haven t already done an assessment, start as soon as you can. 3. Turn on operating system and application auditing for sensitive data. 4. Create a process to regularly monitor and report on access, failed access, and attacks on sensitive data. 5. Reassess regularly. A single multi-function integrated solution can deliver the security controls needed to assist a well prepared security team in meeting and exceeding any compliance requirement. CSE Team

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information