Posts tagged: 'compliance'
The following posts are associated with the tag you have selected. You may subscribe to the RSS feed for this tag to receive future updates relevant to the topic(s) of your interest.
http://blog.logrhythm.com/tags/compliance/feed
Keeping the Information Security Mountain from Erupting
In recent years, it seems that InfoSecurity Europe coincides around pending national disasters. Last year, swine flu was creeping onto the front page headlines. This year, it looked like ash from the 
Eyjafjallajokull volcano might dominate discussions as plucky travellers, myself included, had to find innovative ways to make it back to Blighty in time for the show.
But risks from airborne ash and viruses have been far from the minds of Europe’s IT and security managers. Instead, they’re more concerned with addressing the cyber risks associated with their own IT infrastructures, particularly around information security. The recurring challenge facing the visitors to the LogRhythm stand at InfoSecurity was how they can get a better grasp of user and system activity. And get it quickly.
While this of course is no mean feat, all of these organisations are on the way to achieving this. Every piece of log data generated in an organisation tells a story. The key is being able to piece these stories together to get the bigger picture. And do it quickly, while it’s still relevant.
That’s where we come in. Gone are the days when log data would simply pile up on a server where no one knew what to do with it other than it had to be held for compliance purposes. Log management technology has moved on considerably and is empowering network and security managers to put this data to good work to optimise the network and help drive the organisation to achieve its strategic objectives.
As such, the LogRhythm stand at InfoSecurity attracted a deluge of visitors – from large blue-chip organisations and education establishments to central and local government departments – all seeking to put their log data to better use.
UK Public sector IT and security managers in particular are continuing to reassess how they secure and monitor their information in line with the CESG’s Good Practice Guide 13 (GPG 13). In fact, over 30 percent of the discussions LogRhythm held at InfoSecurity were around how these organisations can take proactive approach to securing and monitoring HMG ICT resources while saving time and money in the process.
Compliance continues to be a big driver for organisations to consider the merits of automated log management. However both public and private organisations are realising the added value that integrating log and event management, file integrity monitoring, and network and user monitoring can positively bring to how the IT infrastructure supports the business as a whole. It is this new thinking that is taking traditional security information event management (SIEM) to a new level.
So as InfoSecurity 2010 draws to a close, and show visitors migrate towards the bars of Earls Court, it’s clear that users are ready to embrace a new era of SIEM that will provide better network awareness and IT forensics than ever before. If only SIEM 2.0 can provide the same awareness and control over when the next volcano is likely to erupt.
Tags: compliance, information security, keywords: log management, siem
Finding the Heart of Security Regulations
Compliance regulations can often seem intimidating and difficult to comprehend when they are first read. Trying to compare two or more different regulations that seem unrelated often leads to frustrating questions, such as “Do we as an organization need to change our approaches to meet new regulations?” Understanding these regulations and quickly mapping them to existing practices can be tremendously helpful, but often sounds like a daunting task. In many ways, however, this is not nearly as difficult a task as it sounds.
At the beginning of most regulations comes a basic mission statement that covers both the scope and the purpose of the regulation. The best example may be the Payment Card Industry’s Digital Security Standard (PCI DSS) that states in the very first line, “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
The key components to take from this is “what” is being protected and “who” is affected be the standard. For PCI, it is “cardholder data” and who is “everyone processing cardholder data around the globe.” Still, this would be a fairly small number of computers for a typical mid-sized business. For FISMA, the scope includes not only Federal Government computer systems, but organizations that perform services for the Federal Government as well. Sarbanes-Oxley (SOX) pertains to a company’s accounting systems, NERC CIP applies to the critical assets of the bulk electric grid, and HIPAA is relevant to systems with exposure to Protected Health Information.
The protections that regulations make at this level are either because of something important in the data (PHI, credit cards, customer information, etc.) or a set of systems based on function (accounting, government, bulk electric grid components, etc.). Measures for protection for data versus function creates different strategies – an emphasis on barriers, encryption and isolation would come from data based regulations, while function-based regulations require a more holistic approach.
Once the mission is defined, at some point in the preamble there should be a brief discussion about the approach to be used for securing the organization. Here the principles to follow are defined, setting the tone for how the company will structure their information security strategy. There are different popular approaches, and they may be used in conjunction. Here are a few examples:
Confidentiality, Integrity and Availability
Often referred to as the Three Pillars, the “CIA” model has become the most commonly referenced principle associated with regulation. The first pillar, Confidentiality, explains that data must be kept private and that access rights given to individuals, such as those who need to use the data, contain only the specific privileges needed to perform their job duties. The second pillar, Integrity, refers to preventing corruption, either intentional or unintentional, of the system. And the third pillar, Availability, stipulates that security measures will not hinder an individual’s ability to function effectively, such as making a user enter 10 passwords to log into a computer. The CIA model is a useful way to describe “computer security” as a multi-tier practice (policy, standards and procedures), and is either whole or in part described by FISMA, GLBA, SOX, HIPAA, PCI DSS, fitting virtually all policies and security standards.
Management, Organizational and Technical
Some regulations require a holistic evaluation of security, looking at everything from company management and oversight (vision, policy and standards), to organizational components (employees, physical security, training, etc.), to the technical controls and operating procedures used for information protection. FISMA and HIPAA are excellent examples of regulations that endorse M/O/T controls. These elements are associated with the National Security Agency’s Information Security Assurance Methodology (IAM) and are used to determine a complete picture of organizational information security.
Risk Management
One of the disciplines of project management is assessing risk. The process of doing so is largely a financial exercise to determine the damage per incident, the frequency of occurrence, and to balance the cost of the control to identify and articulate any savings for protecting the asset. Regulations take a generalized approach place an emphasis on risk management, such as SOX with the Commission of the Treadway Administration (COSO) standards, FISMA, and NCUA 748, among others. Risk management is also central to CoBIT policy development.
Minimum Technical Standards
Some regulators prefer to provide a specific standard for security controls in order to ensure compliance, such as requiring firewalls, account security practices, log management and encryption. Regulations such as NERC CIP and PCI DSS have provisions for specifying minimum technical controls that extend past policy and reach the standards and even procedural level. Many regulations also specify responsibility to an outside agency for defining the standards, such as to the National Institute of Standards for Technology used for NIST Special Publication 800-53 for FISMA and NIST Special Publication 800-66 for HIPAA.
Knowing the viewpoint from which a regulation was written can help locate similarities with other regulations. Often, two regulations may intersect with principles that are similar, if not identical, in the way they should be implemented. Once they are identified it is generally easier recycling similar policies and practices between the regulations to ensure compliance, rather than attempting to create and manage them individually.
Tags: compliance, hipaa, information security, risk management
File Integrity Monitoring – an Automated Nanny for your Network
So it occurred to me today how wide ranging the requirements of File Integrity Monitoring (FIM) are….they have even moved into everyday life. I had just got the children ready for nursery all wrapped up and ready to go, just stepped out of the room to get the car keys, when I came back in I had two half-dressed children and a dog dressed head to toe in Baby Gap!
The same story is sadly true in addressing business objectives regarding technology. During the implementation of a server base everything is tested and retested to ensure conformity to standards. Over time though, because of change control breaches due to operational urgency for fixes, processes can then start to deviate from the accepted norm. This variance can then lead to further problems as upgrades and new software may work on some systems and not others. The conformity is then lost and workload increases.
With audit driven requirements such as the UK Government Standard GPG13 (the new benchmarking standard for GCSX CoCo,) PCI:DSS, and ISO27001, there may be a considerable period of time from the install of the system until it is next formally audited. During that period the Security & Compliance Officer (SIRO in UK Government terminology) may be under the false assumption that everything is as it was when they last looked at it. Additionally, there are requirements in these standards to monitor access to protected or sensitive information. FIM can continuously monitor and automatically notify when something occurs that is undesirable – the equivalent of the baby monitor alarming or the dog barking when clothes are “transferred” from a child to the dog.
Using LogRhythm’s File Integrity Monitoring agent, both auditing and operational requirements can be met. Deviations from normal operations and continuous monitoring of sensitive information for PCI:DSS can both notify in a timely and user-friendly nature that there is something undesirable happening. Now….if only I can get something similar developed for the kids!
Tags: compliance, file integrity monitoring, pci dss, protective monitoring
LogRhythm wins "Innovator of the Year" from SC Magazine. "This is not your father's log manager."