More Power Computers

Compliance Requirements

Compliance can be expensive. Billions of dollars are spent annually to comply with evolving federal and industry regulations, and organizations face significant on-going systems, storage, human resources and audit expenditures.

PCI DSS

The financial fraud associated with payment card theft affects millions of people annually. In response to this situation, the major credit card issuers formed an independent organization and issued the Payment Card Industry Data Security Standard (PCI DSS) to provide a single set of standards to secure this data. The collection, retention and analysis of event and log data is a key requirement for compliance.

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) mandates that covered organizations ensure the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI) that is created, received, maintained or transmitted within their environment. Woven throughout the regulation is the need to monitor "access to" and "activities affecting" EPHI data. Specifically, § 164.308(a)(1) calls for the implementation of an information system activity review and audit process.

SOX

The Sarbanes-Oxley Act of 2002 (SOX) mandates that publicly held companies employ safeguards to assure greater financial accuracy, disclosures and controls. The collection, retention and analysis of event and log data is a key requirement for compliance.

NISPOM

The National Industrial Security Program Operating Manual (NISPOM), developed by the Department of Defense, sets comprehensive standards for protecting classified data. All government agencies and commercial contractors who have access to classified data are required to implement system protection processes to ensure continued availability and integrity of this data, and prevent its unauthorized disclosure. These regulations apply to systems used in the capture, creation, storage, processing or distribution of restricted information.

FISMA

The Federal Information Security Management Act (FISMA) mandates security programs for all organizations which possess or use Federal information systems on behalf of a Federal agency.

In Special Publication 800-53 in particular, the National Institute of Standards and Technology (NIST) details the safeguards needed to ensure the effectiveness of security controls over Federal agency systems and information. At the heart of these controls is an infrastructure with expensive logging and auditing mechanisms capable of storing and protecting massive volumes of log data throughout a network.

DCID

The Director of Central Intelligence Directive 6/3 Manual imposes strict controls for the protection of information systems containing intelligence data. It requires that information systems with access to such data be classified according to a specific High Confidentiality Level-of-Concern, and retain activity logs over a period of five years.

The DCID 6/3 guidelines also specify log monitoring, auditing, and reporting requirements. Among them is the automated creation of audit trails on security-relevant activities, their analysis on a weekly basis, and their protection against unauthorized access.

FERC

Federal Energy Regulatory Commission (FERC)/North American Electric Reliability Corporation (NERC) compliance is a requirement for all bulk power electricity providers in North America. NERC is a self-regulatory body charged with ensuring industry compliance with Critical Infrastructure Protection (CIP) standards that require organizations that deliver bulk electricity to the North American electrical grid to identify and protect critical cyber assets. FERC oversees the power industry, but gives NERC the responsibility for maintaining and complying with CIP.

Organizations affected by FERC/NERC must define methods, processes, and procedures for securing those systems determined to be critical cyber assets, as well as the non-critical cyber assets within the electronic security perimeter. "Cyber assets" are loosely defined as all "programmable electronic devices and communication networks including hardware, software, and data."

ISO 27002

Regardless of industry vertical, global enterprises face a multi-faceted regulatory standards conundrum. For example, all publicly-traded companies are required to comply with SOX regulations. However, the subset of publicly-traded financial services is further required to comply with FFIEC and GLBA mandates, while publicly traded health services enterprises must concurrently meet SOX and HIPAA standards. Because of the many common control objectives existing among these various mandates, a unified framework for corporate governance would yield the most efficient approach to regulatory compliance. A number of organizations have elected to use ISO 27002, Code of Practice for Information Security Management, as their governing framework.

Most analysts agree that using the twelve domains of ISO 27002 as a governing framework is an effective method to reduce risk, document compliance performance, and demonstrate security due diligence to auditors, board members, and customers.

Contact More Power Computers for additional information, or for a trial version of Symantec Control Compliance Suite.

MISSION STATEMENT

Our mission is to provide our customers with solutions which emPOWER them to achieve their computing goals with greater productivity and overall satisfaction.

503.556.8049 or 888.556.8049

Copyright © More Power Computers, Inc. Est 1994

Updated 12.21.2010
