Perhaps the biggest hurdle facing organizations governed by regulatory compliance mandates is interpreting how to meet their requirements. FISMA, for example, applies to the entire Federal Government, but each agency or military branch has its own regulators that add enhancements to FISMA. Between operating manuals such as NISPOM, security standards such as NIST 800-53, and memorandums issued by the chiefs of each organization, finding a clear roadmap describing what to do is becoming increasingly complicated.
HIPAA and the HITECH Act have given the Department of Health and Human Services the power to audit and create security standards for the medical industry. NERC governs the nation’s bulk electric power system and establishes security standards for electric utilities. The financial sector has been subject to increasing security, transparency and audit pressures from Sarbanes-Oxley, Basel II, the Foreign Corrupt Practices Act, and other regulatory mandates. Even now, regulations for other industries that affect national security, and for non-federal government agencies, are being proposed and enacted.
In this highly regulated context, even simple directives such as retaining logs on data access can create monumental challenges for organizations with extremely large networks, busy servers, and legacy equipment not built with auditing in mind. The challenge associated with securing regulated network segments (if they have been segmented at all) is compounded by the adoption of wireless, virtual and cloud technologies.
Can all this complexity be simplified? In a word, yes. At the heart of any regulation is a simple premise: ensure the confidentiality, integrity and availability of the organization’s information technology resources. There are four general concepts common to most regulatory mandates:
- Be aware of what is transpiring on your most sensitive computer systems
- Follow security standards that are reasonable for the task your organization is performing
- Be prepared for security incidents
- Have a way to measure success
Using these concepts as a baseline, we can define the top five measures that will enable most organizations to track their progress against compliance goals. These are:
1. Percentage of Audited Computer Systems
How many devices in the organization have auditing enabled with data being forwarded to a central logging system where the information is being monitored? The rule of thumb is that if a system is worth protecting, it is worth auditing. Regulations such as PCI and NERC CIP emphasize the collection of logs from all devices inside the regulated environments.
Regulatory mandates rarely specify a percentage of systems that must be compliant, such as 80% of the total. However, most of them (PCI DSS, NERC CIP, GLBA and Sarbanes-Oxley among them) define precisely which systems fall within the scope of the regulation.
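The first measure is only meaningful if "auditing enabled" is checked against what the central logging system actually receives: a host whose forwarder silently stopped is not audited, whatever its local configuration says. The following is an added example, not code from the article or from LogRhythm, that reconciles a constructed asset inventory against the last time each host delivered an event to the collector. The inventory, the timestamps, the scope flags and the 24-hour silence threshold are all constructed assumptions.

```python
"""Audit-coverage check (added example, not from the article or any vendor).

Reconciles an asset inventory against the hosts that actually delivered
events to the central log collector within a reporting window, and reports
the percentage of in-scope systems that are really being audited.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: (hostname, in_regulated_scope).
INVENTORY = [
    ("db-pci-01", True),
    ("db-pci-02", True),
    ("web-pci-01", True),
    ("jump-ops-01", False),
    ("legacy-hmi-07", True),
]

# Constructed collector records: last time each host sent an event.
# legacy-hmi-07 is deliberately absent: it has never reported at all.
LAST_SEEN = {
    "db-pci-01": datetime(2024, 1, 15, 9, 40),
    "db-pci-02": datetime(2024, 1, 12, 2, 5),   # stale: forwarder stopped days ago
    "web-pci-01": datetime(2024, 1, 15, 9, 58),
    "jump-ops-01": datetime(2024, 1, 15, 9, 59),
}


def audit_coverage(inventory, last_seen, now,
                   max_silence=timedelta(hours=24), in_scope_only=True):
    """Return (percent_covered, silent_hosts).

    A host counts as audited only if the collector has seen an event from it
    within max_silence; never-seen and stale hosts are both reported as silent
    so they can be chased individually.
    """
    considered = [host for host, scoped in inventory if scoped or not in_scope_only]
    silent = []
    for host in considered:
        seen = last_seen.get(host)
        if seen is None or now - seen > max_silence:
            silent.append(host)
    covered = len(considered) - len(silent)
    pct = 100.0 * covered / len(considered) if considered else 0.0
    return round(pct, 1), silent


if __name__ == "__main__":
    report_time = datetime(2024, 1, 15, 10, 0)  # constructed reporting instant
    pct, silent = audit_coverage(INVENTORY, LAST_SEEN, report_time)
    print(f"In-scope audit coverage: {pct}%")
    for host in silent:
        print(f"  not forwarding: {host}")
```

Reporting silent hosts by name matters more than the percentage itself: the number tracks progress over time, but the list is what an operations team acts on.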
2. Malware Detected Inside the Organization
Once malware has made its way into an organization, it is safe to assume the worst: a command-and-control platform has been installed inside the network security perimeter with hostile intent. Because of this present danger, as well as the ever-increasing sophistication of malware, many regulations mandate anti-malware products either directly (NERC CIP, PCI DSS) or indirectly through standards (FISMA, HIPAA). Tracking both successful infections and infections blocked by anti-virus will reveal the real threats as well as the progress of security improvements.
3. Disaster Recovery Testing
Business continuity and disaster recovery are necessary for every organization. Testing disaster recovery preparedness involves walkthrough exercises, checklist exercises, disaster simulation, parallel testing and full interruption testing. In many cases recovery plans are only tested on pencil and paper, and full interruption tests are carried out only rarely. At a minimum, most organizations should ensure that their accounting or payment environments can withstand a full interruption without data corruption.
Even when a full interruption test is performed and passed, there are still ongoing operations concerns. Does management readily know if their backups are successful or failing? Is replication being performed between databases, domain controllers, and critical applications? At a minimum, regulatory mandates that require disaster recovery testing state it should be performed at least once per year. As a best practice, organizations should be aware of the functional operation of their disaster recovery systems at all times.
4. Computer Security Education
Buried in most regulations is a requirement to communicate the organization’s security policy to employees. Company policies and standards should be referenced as frequently as possible because they eliminate the need for employees to reinvent the security “wheel” over and over again. The percentage of employees, contractors and third parties educated in the appropriate use of information technology resources is critical to meeting regulatory requirements.
5. Suspicious Access to Sensitive Data
Organizations that reach the point where they know who is trying to access sensitive data have achieved exactly what regulations are intended to bring about. In the past, this wasn’t a reasonable expectation. Today, it can be accomplished with Security Information and Event Management tools that monitor event data and audit logs. Although this measure takes the form of a list, typically a “top 10” of potentially suspicious users, it demonstrates that the security department is keeping an eye on the organization.
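To make the fifth measure concrete, here is an added example, not code from the article or from any SIEM product, that produces such a ranked list from object-access audit records. The audit line format, the sample records, the sensitive path prefixes, the allow-list of authorized accounts and the scoring weights are all constructed assumptions; a real deployment would take them from the organization's own audit sources and data-classification scheme.

```python
"""Suspicious-access ranking over audit log lines (added example; not the
article's or any vendor's code).

Each constructed line mimics a generic object-access audit record:
    <timestamp> user=<account> action=<verb> object=<path> result=<SUCCESS|DENIED>
Users are scored on denied attempts against sensitive objects and on
successful access to sensitive objects by accounts outside an allow-list.
"""
import re
from collections import Counter

# Constructed sample audit records (not captured from any real system).
AUDIT_LINES = """\
2024-01-15T08:02:11 user=alice action=READ object=/finance/payroll.xlsx result=SUCCESS
2024-01-15T08:05:42 user=bob action=READ object=/finance/payroll.xlsx result=DENIED
2024-01-15T08:05:45 user=bob action=READ object=/finance/ledger.db result=DENIED
2024-01-15T08:06:01 user=bob action=READ object=/hr/ssn_export.csv result=DENIED
2024-01-15T08:10:00 user=carol action=READ object=/public/handbook.pdf result=SUCCESS
2024-01-15T08:11:30 user=svc_backup action=READ object=/hr/ssn_export.csv result=SUCCESS
2024-01-15T08:12:00 user=dave action=WRITE object=/finance/ledger.db result=DENIED
2024-01-15T08:12:07 user=eve action=READ object=/finance/ledger.db result=SUCCESS
this line is malformed and must be skipped without crashing the report
""".splitlines()

# Hypothetical data classification: anything under these prefixes is sensitive.
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
# Hypothetical allow-list of accounts expected to touch sensitive data.
AUTHORIZED = frozenset({"alice", "svc_backup"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return the record as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive(obj):
    return obj.startswith(SENSITIVE_PREFIXES)


def score_events(lines, authorized=AUTHORIZED):
    """Score each user: +1 per denied attempt on a sensitive object,
    +2 per successful sensitive access by an account outside the allow-list.
    Accesses to non-sensitive objects and authorized successes contribute nothing."""
    scores = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_sensitive(ev["obj"]):
            continue
        if ev["result"] == "DENIED":
            scores[ev["user"]] += 1
        elif ev["result"] == "SUCCESS" and ev["user"] not in authorized:
            scores[ev["user"]] += 2
    return scores


def top_suspicious(lines, n=10):
    """Return up to n (user, score) pairs, highest score first, ties by name."""
    scores = score_events(lines)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for user, score in top_suspicious(AUDIT_LINES):
        print(f"{score:3d}  {user}")
```

Two design points are worth noting. Successful access by an account that is not on the allow-list is weighted higher than a denied attempt, because a denial shows the control worked while an unexpected success may show it did not. And the malformed line is skipped rather than aborting the run: on real audit feeds, a report that dies on one bad record is a report nobody reads.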
Conclusion
Using these five measures and assessing their level of implementation provides a reliable yardstick for meeting the security requirements of virtually any regulatory mandate. Likewise, any organization that achieves a passing grade in all five of the above measures has few concerns with respect to complying with current regulations, whether they remain the same or are amended to enforce more stringent security requirements.
Eric Knight is a Senior Knowledge Engineer at log and event management vendor LogRhythm. He is a Certified Ethical Hacker and has over 15 years of experience in the field of network security with an emphasis in vulnerability management and enterprise security architectures.