AlienVault for Regulatory Compliance



Overview of Regulatory Compliance in Information Security

As computers and networks have become more important in society, they and the information they contain have come under increasing legal and industry regulation. However these regulations evolve, they will always imply the need for diligence on the part of network owners and operators. Diligence is most easily demonstrated by proving that you have made all reasonable efforts to monitor your information system and to ensure that it has the requisite technologies deployed and policies enforced on it.

Monitoring your network is what Security Information and Event Management (SIEM) solutions like the AlienVault Professional SIEM are all about. The AlienVault Professional SIEM includes hundreds of automated compliance reports and a Report Wizard that allows unlimited customization to fit your unique needs. Raw logs and other data are stored forensically in the AlienVault Logger with full chain of custody and digital signatures to ensure validity. As we will discuss below, AlienVault provides built-in functionality for many controls under PCI and other regulatory regimes. But first let us take a look at how we got here: it is the best way to determine where you are and to see the road ahead.

History of Regulatory Compliance in Information Security

Gramm-Leach-Bliley Act of 1999 - While not chronologically the first piece of regulation to address, in some way, the policies and practices of information security, the evolution of regulatory regimes affecting information security in the United States can nonetheless be seen as beginning with the Gramm-Leach-Bliley Act of 1999, commonly referred to as GLBA or "Glibba". Although it was designed to establish processes and address information stored on paper more than electronically networked information, GLBA established a precedent for how we think about responsibility and liability regarding information security.
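The overview above says that raw logs are stored forensically with chain of custody and digital signatures so that their validity can be proved later. The following is an added example, not AlienVault's code and not a description of how the AlienVault Logger is implemented, of the underlying technique: each stored record carries the hash of the record before it, so editing, reordering or deleting a record breaks the chain, and each record hash is tagged with a key so that a re-hashed chain without the key is also rejected. The signing key, the source name and the sample firewall lines are constructed for the example; an HMAC-SHA256 tag stands in for the digital signature the paper describes so that the block runs with the standard library alone.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed key for the example only. A production store would sign with a
# private key kept off the collector, so that an attacker on the box cannot
# re-sign altered records; an HMAC tag is used here as a stand-in.
SIGNING_KEY = b"example-logger-key-not-for-production"

# Hash that the first record links back to.
GENESIS = "0" * 64
LINKED_FIELDS = ("seq", "source", "raw", "prev_hash")


def _canonical(body: Dict) -> bytes:
    # Stable serialization so the hash does not depend on dict ordering.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: List[Dict], raw_log: str, source: str) -> Dict:
    """Store one raw log line, linking it to the hash of the previous record."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"seq": len(chain), "source": source, "raw": raw_log, "prev_hash": prev_hash}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    tag = hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, tag=tag)
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> Tuple[bool, int]:
    """Return (True, -1) if every link and tag checks out, otherwise
    (False, index) of the first record at which the chain of custody breaks."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in LINKED_FIELDS}
        # A deleted or reordered record shows up as a seq or prev_hash mismatch.
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i
        # An edited record no longer matches its stored hash.
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, entry["entry_hash"]):
            return False, i
        # A record re-hashed without the key carries an invalid tag.
        expected_tag = hmac.new(SIGNING_KEY, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False, i
        prev_hash = entry["entry_hash"]
    return True, -1


# Constructed sample log lines, as a collector might receive them from a firewall.
SAMPLE_LINES = [
    "fw01 DENY tcp 203.0.113.7:51233 -> 10.1.1.20:1433",
    "fw01 DENY tcp 203.0.113.7:51234 -> 10.1.1.20:3306",
    "fw01 ALLOW tcp 10.1.1.5:40010 -> 10.1.1.20:22",
]


def demo() -> Dict[str, Tuple[bool, int]]:
    """Build a chain from the sample lines, then show that an after-the-fact
    edit to the second record is detected at that record."""
    chain: List[Dict] = []
    for line in SAMPLE_LINES:
        append_record(chain, line, "fw01")
    tampered = copy.deepcopy(chain)
    tampered[1]["raw"] = tampered[1]["raw"].replace("DENY", "ALLOW")
    return {"original": verify_chain(chain), "tampered": verify_chain(tampered)}


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner would check: a chain like this detects edits, insertions and deletions in the middle of the store, but not truncation of its tail, because nothing after the last record refers to it. The usual remedy is to anchor the latest entry hash outside the store, for example in a periodically signed digest kept on a separate host, and to verify against that anchor as well as the internal links.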
GLBA was most notable for replacing portions of the 1933 Glass-Steagall Act, allowing financial institutions to combine functions previously reserved for separate institutions. Because of this sharing of functions within the financial community, GLBA also included enforceable legal mandates affecting the management and security of customer information. These were broken down into three major areas:

1. The Financial Privacy Rule - This rule required financial organizations to tell customers what data they collected, who it was shared with, what is done with the information and how it is being protected.

2. The Safeguards Rule - The Safeguards Rule required organizations to create a written security policy describing how customer data will be protected. Most notably for our purposes here, and for understanding the on-going thrust of information security regulations, the Safeguards Rule of GLBA also required the regulated organizations to develop, monitor and test a program to secure the pertinent information. This intent of monitoring and testing your organization's information security solution is found throughout all regulations that follow GLBA, which should not be surprising. Simply implementing an information security solution is in the end pointless if that solution is not subject to constant monitoring and testing to ensure that it is achieving the goal of protecting the subject information.

3. Pretexting Protection - Pretexting is another word for social engineering, or any of the more traditional words for bluffing or impersonating to gain unauthorized access to personal information. This requirement in GLBA and other regulatory structures has helped promote authentication systems in IT and led to significant testing and auditing of processes.

Copyright AlienVault, LLC, 2010 info@alienvault.com USA, Spain, Germany, Mexico +1 408 465-9989

The intent noted under GLBA's Safeguards Rule - that any acceptable solution deployed by an organization subject to the law must include aspects of monitoring and testing - is the first clear indication that SIEM would become central to any regulatory compliance effort. Without the ability to know what you have and to see what it is doing, for the present and for the past, there is no real reason to believe that your information system has been secure, or that you could consistently demonstrate its security to others.

The Sarbanes-Oxley Act of 2002, commonly referred to as SOX, is a United States federal law regarding accounting practices which was in part brought about by the notorious events at Enron, WorldCom and other companies of the preceding period. SOX created requirements for publicly traded accounting firms to increase transparency into their operations, and the controls they have built into them, through a regime of reporting. The sections of SOX which most directly or implicitly impact Information Technology are 302, 404 and 409.

SOX Section 302, Corporate Responsibility for Financial Reports - places responsibility on the company's officers to verify the accuracy of quarterly and annual financial statements.

SOX Section 404, Management Assessment of Internal Controls - requires submission of an annual report to the Securities Exchange Commission detailing the effectiveness of internal controls over accounting practices. Control over the IT systems on which these accounting practices are performed is implicit in SOX 404 compliance.
SOX Section 409, Real-Time Issuer Disclosures - requires regulated organizations to be diligent about maintaining awareness of the controls on their operations and of the financial condition of their organization, and to report within 48 hours any material changes to them. Security breaches of the information systems that contain the financial information are well within the definition of material changes to these controls and can dramatically impact an accounting firm's financial condition. SOX was one of the first regulatory regimes to drive significant adoption of SIEM technologies, as companies sought to secure their ability to demonstrate adequate controls over their accounting data. AlienVault Professional SIEM contains built-in SOX reporting capabilities.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was intended to protect the health insurance coverage of workers when they changed employers (HIPAA Title I), and additionally created the requirement to provide a structure for managing the security of patient records and other medical data (HIPAA Title II). The Privacy Rule provision of HIPAA Title II came into effect in the spring of 2003, regulating and requiring disclosure of how organizations handle patient records, including the medical records themselves as well as patient financial records. Protected Health Information (PHI) must be secured, and organizations must be able to demonstrate to auditors that they are capable of managing the security of their systems. As Health Information Technology (HIT) efforts increase and automation at last spreads throughout healthcare providers in the United States, HIPAA compliance will become a much more common concern. Healthcare providers are today digitizing patient medical records at a historic and increasing pace, and industry-wide communications are emerging. The need for management and monitoring of the transmission and handling of data as sensitive as individual medical and genetic information will without doubt drive increased demand for robust and sophisticated SIEM deployments throughout the medical community. AlienVault Professional SIEM contains built-in HIPAA/HIT reporting capabilities.

The Cybersecurity Act of 2009 (S.773) has, as of this writing, not yet passed into law. Whether or not it ultimately does become law, it provides strong indications of future directions for the evolution of regulatory compliance in the information security world:

"Purpose: To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes."

Section 6 of S.773 specifically dwells on information security regulation, stating that the National Institute of Standards and Technology "shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks".

Of significant note as well in the Cybersecurity Act is subsection 6(d)2, which "shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section."

In other words: critical infrastructure comes to mean what the President says it means, and there are strong indications throughout the Act that this will include networks critical to the functioning of the United States other than the traditional power and water control system networks. We leave it as an exercise for the reader to interpret that statement, but it is certainly an implication that economic, educational, health and many other systems may well fall under this or other future regulatory regimes.
Regulatory Compliance Detailed Example: AlienVault and PCI

The Payment Card Industry Data Security Standard (PCI DSS)

PCI emerged from VISA's earlier standards and is now maintained by the PCI Security Standards Council, an organization created by the major credit card brands in reaction to various highly publicized breaches of credit card information. The PCI DSS has prompted significant adoption of SIEM and other information security technologies and best practices for the simple reason that it has the type of teeth that strongly motivate business executives: financial. Failure to maintain PCI compliance can cost an organization on-going fines until compliance is reached, and could result in an organization losing the ability to accept credit cards (which for most merchants is tantamount to a death sentence). If cardholders' information is compromised, the merchant organization could be held financially liable for the total losses and replacement costs for all parties involved, potentially adding up to many millions of dollars. PCI audits require the signature of a C-level executive, who bears personal responsibility for the accuracy of the compliance reports.

The DSS imposes a variety of requirements on Merchant organizations (organizations which handle credit card transactions) based on the number of transactions they handle each year:

Level 1 PCI Merchants are companies handling more than six million credit card transactions per year.

Level 2 PCI Merchants are companies handling between one and six million transactions per year.

Level 3 PCI Merchants handle between twenty thousand and one million transactions per year.

Level 4 PCI Merchants handle fewer than twenty thousand transactions per year.

Level 4 merchants quite often outsource all of their credit card handling needs and can avoid incurring significant overhead due to PCI compliance. Level 1 Merchants will almost always need to perform significant diligence to comply with the PCI DSS.
The PCI DSS - While SIEM is not specifically mentioned in the PCI standard documentation, all twelve sections implicitly require the functionality provided by AlienVault Professional SIEM.

Section 1: Install and maintain a firewall configuration to protect cardholder data.
AlienVault Professional SIEM allows you to determine what traffic is using your network at layers 1-7, to assist with the creation and enforcement of firewall configurations.

Section 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
AlienVault Professional SIEM provides visibility into user login activity and detects the use of weak (unencrypted) logins.

Section 3: Protect cardholder data.
AlienVault Professional SIEM detects out-of-policy access to cardholder data and provides the reporting and response platform for such incidents.

Section 4: Encrypt transmission of cardholder data across open, public networks.
AlienVault Professional SIEM is able to detect unencrypted traffic leaving areas of the network containing cardholder data.

Section 5: Use and regularly update anti-virus software or programs.
AlienVault Professional SIEM deployed on PCI networks can enable prioritization of antivirus, can confirm that updates are propagating regularly, and can integrate antivirus alerts into network monitoring and correlation. AlienVault's NAC capability can integrate with network infrastructure to enforce antivirus update levels on laptops, hosts and workstations.

Section 6: Develop and maintain secure systems and applications.
SIEM is a virtual requirement for maintaining secure systems, providing the monitoring and reporting platforms to verify consistently applied security. Every aspect of the AlienVault Professional SIEM is specifically designed to ensure the maintenance of secure systems and applications.

Section 7: Restrict access to cardholder data by business need to know.
Confirmation that the access policy is applied is provided by the AlienVault Professional SIEM, which detects and records configuration changes to systems holding cardholder data and detects and records suspicious login attempts to these systems.

Section 8: Assign a unique ID to each person with computer access.
AlienVault Professional SIEM monitors user logins to all systems in the PCI domain, detecting non-standard login attempts and relating user IDs to originating IP and, in some cases, MAC addresses.

Section 9: Restrict physical access to cardholder data.
Card or biometric access-control systems for controlled areas can be integrated with AlienVault Professional SIEM, providing confirmation of access by physical identification and correlation with events which occur on the information system before and after an individual physically accesses a controlled area.

Section 10: Track and monitor all access to network resources and cardholder data.
AlienVault Professional SIEM is designed specifically to track and monitor activities such as access to network resources and data stores. AlienVault Professional SIEM will by nature retain a complete audit trail of all access to all components in the PCI domain and provide the capability to alert on all out-of-policy access violations.

Section 11: Regularly test security systems and processes.
AlienVault Professional SIEM deployed in a PCI environment is an active and on-going test of the security of that information system. Constantly monitoring all aspects of the PCI domain and providing a central console to oversee and investigate the results of testing exercises, AlienVault Professional SIEM is the active testing center for PCI compliance.

Section 12: Maintain a policy that addresses information security for employees and contractors.
AlienVault Professional SIEM in a PCI environment provides an active representation of existing policies, a platform for detecting policy violations, as well as a platform for determining necessary policy changes.
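Several of the mappings above come down to the same pattern: normalized login and flow events are checked against an inventory of the cardholder data environment (CDE) and an access policy, and each hit is tagged with the PCI DSS requirement it bears on, so that reports can be rolled up per requirement. The following is an added example of that pattern, not AlienVault's correlation rules or code. The host names, networks, accounts, access policy and sample events are all constructed for the example; it covers the checks described under Sections 2 (cleartext logins), 4 (unencrypted egress from the CDE), 7 (access outside the need-to-know policy) and 8 (shared accounts with no unique ID).

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed inventory and policy for the example; a real deployment takes
# these from the asset inventory and the access-control policy for the CDE.
CDE_HOSTS = {"pos-db-01", "pos-web-01"}                       # hosts holding cardholder data
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "rlogin"}     # credentials sent unencrypted (Req. 2)
ENCRYPTED_PORTS = {22, 443, 993, 995}                         # egress from the CDE treated as encrypted (Req. 4)
SHARED_ACCOUNTS = {"root", "administrator", "backup"}         # no unique user ID (Req. 8)
ACCESS_POLICY = {                                             # who may reach which CDE host (Req. 7)
    "admin": {"pos-db-01", "pos-web-01"},
    "svc_pos": {"pos-web-01"},
}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_event(ev: Dict) -> List[Tuple[int, str]]:
    """Return (requirement number, reason) pairs raised by one normalized event."""
    findings: List[Tuple[int, str]] = []
    if ev["type"] == "login":
        user, host = ev["user"], ev["host"]
        if ev["protocol"] in CLEARTEXT_PROTOCOLS:
            findings.append((2, f"{user} logged in to {host} over cleartext {ev['protocol']}"))
        if user in SHARED_ACCOUNTS:
            findings.append((8, f"shared account {user} used on {host}, no unique ID"))
        if host in CDE_HOSTS and host not in ACCESS_POLICY.get(user, set()):
            findings.append((7, f"{user} accessed cardholder host {host} outside policy"))
    elif ev["type"] == "flow":
        # Port is only a proxy for encryption; a production sensor inspects the
        # protocol itself, as the paper describes for unencrypted traffic.
        if (ev["src_host"] in CDE_HOSTS and not is_internal(ev["dst_ip"])
                and ev["dst_port"] not in ENCRYPTED_PORTS):
            findings.append((4, f"{ev['src_host']} sent traffic to public "
                                f"{ev['dst_ip']}:{ev['dst_port']} on a non-encrypted port"))
    return findings


def evaluate(events: List[Dict]) -> List[Dict]:
    """Run every event through the checks and keep findings with their event seq."""
    report = []
    for ev in events:
        for req, reason in evaluate_event(ev):
            report.append({"seq": ev["seq"], "requirement": req, "reason": reason})
    return report


def summarize(report: List[Dict]) -> Dict[int, int]:
    """Findings per PCI requirement, the shape a compliance report rolls up to."""
    return dict(Counter(f["requirement"] for f in report))


# Constructed sample events, already normalized by a collector.
SAMPLE_EVENTS = [
    {"seq": 1, "type": "login", "user": "admin", "host": "pos-db-01",
     "src_ip": "10.1.1.5", "protocol": "ssh"},
    {"seq": 2, "type": "login", "user": "jdoe", "host": "pos-db-01",
     "src_ip": "10.1.1.9", "protocol": "telnet"},
    {"seq": 3, "type": "flow", "src_host": "pos-db-01", "dst_ip": "203.0.113.7", "dst_port": 80},
    {"seq": 4, "type": "flow", "src_host": "pos-db-01", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"seq": 5, "type": "login", "user": "backup", "host": "pos-web-01",
     "src_ip": "10.1.2.3", "protocol": "ssh"},
    {"seq": 6, "type": "flow", "src_host": "pos-web-01", "dst_ip": "10.1.5.5", "dst_port": 80},
]


if __name__ == "__main__":
    findings = evaluate(SAMPLE_EVENTS)
    for f in findings:
        print(f"event {f['seq']}: PCI Req. {f['requirement']}: {f['reason']}")
    print(summarize(findings))
```

On the sample events, the admin's SSH login and the internal HTTP flow raise nothing, the telnet login by an unlisted user raises both a Requirement 2 and a Requirement 7 finding, the port-80 flow out of the CDE raises Requirement 4 while the port-443 flow does not, and the "backup" login raises Requirement 8 plus Requirement 7. Keeping the event sequence number on each finding is what lets an auditor go back from the rolled-up count to the audit trail entry behind it.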

For all aspects of PCI compliance, AlienVault Professional SIEM provides the reporting and forensics platform necessary both to demonstrate a given aspect of compliance and to investigate any incident that occurs on the network.

Conclusions

Regulatory compliance is only going to increase in coming years. The criticality of information systems to the safety of the individual, the organization and the state will drive a continuous raising of the bar in terms of the diligence that those managing information systems will be mandated to demonstrate. Performing and demonstrating the diligence required by regulatory regimes calls for the visibility embodied in SIEM technologies. The AlienVault Professional SIEM is particularly well suited to the task of regulatory compliance for organizations of all sizes.