Automation Suite for. 201 CMR 17.00 Compliance



Similar documents
PCI and PA DSS Compliance Assurance with LogRhythm

LogRhythm and PCI Compliance

LogRhythm and NERC CIP Compliance

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

Wellesley College Written Information Security Program

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

74% 96 Action Items. Compliance

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Automation Suite for NIST Cyber Security Framework

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

LogRhythm and HIPAA Compliance

How To Protect Your Data From Being Stolen

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Overcoming PCI Compliance Challenges

Data Management Policies. Sage ERP Online

Automate PCI Compliance Monitoring, Investigation & Reporting

Did you know your security solution can help with PCI compliance too?

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

PCI DSS Requirements - Security Controls and Processes

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

SANS Top 20 Critical Controls for Effective Cyber Defense

FINAL May Guideline on Security Systems for Safeguarding Customer Information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

Client Security Risk Assessment Questionnaire

Best Practices For Department Server and Enterprise System Checklist

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Massachusetts Identity Theft/ Data Security Regulations

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

University of Pittsburgh Security Assessment Questionnaire (v1.5)

PCI Requirements Coverage Summary Table

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Central Agency for Information Technology

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

Achieving PCI-Compliance through Cyberoam

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA Richmond, Virginia Tel. (617) Tel. (804)

PCI Compliance. Top 10 Questions & Answers

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

GFI White Paper PCI-DSS compliance and GFI Software products

APPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Guideline on Auditing and Log Management

New Systems and Services Security Guidance

Automation Suite for. GPG 13 Compliance

PCI Compliance for Cloud Applications

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Critical Controls for Cyber Security.

Network Security Policy

PCI Compliance Top 10 Questions and Answers

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service

PCI Requirements Coverage Summary Table

IT Security Standard: Computing Devices

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

SUPPLIER SECURITY STANDARD

How To Ensure The C.E.A.S.A

05.0 Application Development

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Fortinet Solutions for Compliance Requirements

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Consensus Policy Resource Community. Lab Security Policy

SECURITY CONSIDERATIONS FOR LAW FIRMS

Security Management. Keeping the IT Security Administrator Busy

United States Trustee Program s Wireless LAN Security Checklist

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

TRIPWIRE NERC SOLUTION SUITE

CloudCheck Compliance Certification Program

Physical Protection Policy Sample (Required Written Policy)

Information Security Policy Manual

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

Technical Standards for Information Security Measures for the Central Government Computer Systems

Transcription:

WHITEPAPER Automation Suite for

Assurance with LogRhythm The Massachusetts General Law Chapter 93H regulation 201 CMR 17.00 was enacted on March 1, 2010. The regulation was developed to safeguard personal information of residents of the commonwealth of Massachusetts. The regulation applies to all organizations (companies or persons) that own or license personal information about Massachusetts residents. All affected organizations must develop, implement and maintain an auditable comprehensive written information security program containing administrative, technical and physical safeguards. The security program must meet industry standards for confidentiality and security to protect Massachusetts residents personal information in both paper and electronic form from threats to security, integrity and unauthorized access. The organization s security program must designate specific employees to oversee and manage the security procedures in the organization and perform continuous monitoring to address security issues. The program should include access policies to address specific employee access to and the transportation of personal information, along with the disciplinary actions for employees who do not conform to the requirements. The plan must also limit the collection of personal information to the minimum required based on appropriate intended use. LogRhythm provides out-of-the-box 201 CMR compliance support. As part of the 201 CMR 17 Compliance Module, enterprise assets are divided into three categories: access control, file integrity monitoring and security systems. LogRhythm s extensive support for both commercial and custom applications enables comprehensive and efficient collection, processing, review and reporting of all log sources specified in 201 CMR security program requirements. To ensure compliance with 201 CMR 17 requirements, information systems and applications are monitored in real-time. AI Engine Rules, Alarms, Investigations, Reports, reporting packages, and tails are provided. They allow for immediate notification and analysis of conditions that impact the integrity of the organization s customer data. Areas of non-compliance can be identified in real time. Reports can be generated as needed or scheduled to run at pre-determined intervals via reporting packages. Additionally, the 201 CMR package elements are provided as part of LogRhythm s standard Knowledge Base to further augment the usefulness of the log data. Protecting Critical Information The collection, management and analysis of log data are integral to meeting 201 CMR 17.00 audit requirements. IT environments include many heterogeneous devices, systems and applications that all report log data. Millions of individual log entries can be generated daily, if not hourly. The task of simply assembling this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly. LogRhythm has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. Log collection, archive and recovery are fullyautomated across the entire IT infrastructure. LogRhythm automatically performs log data categorization, identification and normalization to facilitate easy analysis and reporting. LogRhythm s best-of-breed log management capabilities enable automatic identification of the most critical events and notification of relevant personnel through its powerful alarming capabilities. PAGE 1

The following table outlines the 201 CMR 17 requirements LogRhythm either directly meets or provides support for the testing process. The requirements listed come directly from the 201 CMR 17 documents located at the Commonwealth of Massachusetts Government web site (http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf). 201 CMR Control Requirement Directly Meets Requirements Augments Control Process 17.03: Duty to Protect and Standards for Protecting Personal Information 17.03.2.b, 17.03.2.b.3, 17.03.2.h,, 17.03.2.j 17.03.2.e 17.04: Computer System Security Requirements 17.04.4 17.04.1.d, 17.04.1.e, 17.04.2.a, 17.04.2.b, 17.04.3, 17.04.6, 17.04.7 The tables on the subsequent pages outline how LogRhythm specifically supports requirements of the 201 CMR sections. The How LogRhythm Supports Compliance column describes the capabilities LogRhythm provides that will meet, support or augment 201 CMR 17 compliance. PAGE 2

17.03: Duty to Protect and Standards for Protecting Personal Information LogRhythm provides monitoring of critical resources for security related events, critical errors, and unauthorized access. Compliance Requirements How LogRhythm Supports Compliance 17.03.2.b Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks. 17.03.2.b by centrally collecting, monitoring, and analyzing security events from IDS/ IPS systems, A/V systems, firewalls, and other security devices across the organization. LogRhythm reports provide evidence of security events (activity, attack, compromise, denial of service, malware, misuse, reconnaissance, suspicious, and vulnerability) and system critical/error conditions. 17.03.2.b.3 Means for detecting and preventing security system failures. 17.03.2.3.b by centrally collecting, monitoring, and analyzing system error conditions from devices across the organization. LogRhythm reports provide evidence of system critical/error conditions. 17.03.2.e Preventing terminated employees from accessing records containing personal information. 17.03.2.e by collecting access control log messages. LogRhythm reports provide disabling, and account locking/unlocking for terminated/disabled accounts. 17.03.2.h Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. 17.03.2.h by collecting logical access control log messages. LogRhythm reports provide evidence of authorized/unauthorized logical access such as access/ authentication successes/failures. 17.03.2.j Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information. 17.03.2.j by completely automating the process of recording responsive actions taken. LogRhythm reports provide details of all alarms affecting selected systems, lists events, notifications, and response activity associated with each alarm. PAGE 3

17.04: Computer System Security Requirements LogRhythm provides monitoring of critical systems for unauthorized access, unencrypted communication, software updates, antivirus activity, and signature updates. Compliance Requirements How LogRhythm Supports Compliance 17.04.1.d: Restricting access to active users and active user accounts only. 17.04.1.d by collecting access control log messages. LogRhythm reports provide disabling, account locking/unlocking, and account creation/deletion. 17.04.1.e Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system. 17.04.1.d by collecting access control log messages. LogRhythm reports provide evidence of account enabling/disabling and account locking/unlocking. 17.04.2.a Restrict access to records and files containing personal information to those who need such information to perform their job duties. LogRhythm provide direct support for 201 CMR 17 control requirement 17.04.2.a by providing details of file integrity activity via LogRhythm s File Integrity Monitor Agent. LogRhythm s File Integrity Monitor can be configured to monitor key file or directory activity, deletions, modification, and permission changes. The file integrity capability is completely automated, the agent can be configured to either scan for files/directory changes on a schedule or the kernel level driver can automatically detect file integrity activity in real-time. 17.04.2.b Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls. 17.04.2.b by collecting access control log messages. LogRhythm reports provide disabling, and account locking/unlocking for vendor default accounts. 17.04.3 Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. 17.04.3 by collecting electronic access point device log messages (firewalls, VPN servers, networking devices, etc.). LogRhythm reports provide evidence of allowed/denied ingress/egress network communications including source/ destination IP/port. 17.04.4 Reasonable monitoring of systems, for unauthorized use of or access to personal information. 17.04.4 by collecting logical access control log messages. LogRhythm reports provide evidence of authorized/unauthorized logical access such as access/ authentication successes/failures. 17.04.6 For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. 17.04.6 by collecting system log messages related to firewall configuration and software updates. LogRhythm reports provide evidence of software patch failures/successes and host firewall critical/error/information conditions. 17.04.7 Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. 17.04.7 by collecting log messages from antivirus software and other antimalware tools. LogRhythm reports provide evidence of antivirus activity, malware infections, and signature update failures/successes. INFO@LOGRHYTHM.COM PAGE 4 2014 LogRhythm Inc. Whitepaper - - 7.2014

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information