© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Compliance and the Intelligent Information Network
Fred Colacchio, CISSP
Security Specialist
October 3, 2007
Agenda
Compliance
Mapping IIN to Compliance
PCI Prescriptive
Summary
Reference
Compliance
The Four Main Themes in Compliance: Think “CIAA”
1. Confidentiality - Keep it Secret
2. Integrity of Data - Protect against improper alteration or destruction
3. Audit/reporting/monitoring/logging - Security activity must be tracked and auditable to demonstrate compliance and incident investigation
4. Availability - Regulated data must be available to authorized users/consumers
Compliance Drivers
U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (“Sarbanes-Oxley”)
Protects investors by improving the accuracy and reliability of corporate disclosures.
The Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley”)
Provides a framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers. Establishes the Financial Privacy Rule and the Safeguards Rule.
Health Insurance Portability and Accountability Act of 1996
Improves portability and continuity of health insurance coverage; combats waste, fraud, and abuse in health insurance and health care delivery; promotes the use of medical savings accounts; improves access to long-term care services and coverage; simplifies the administration of health insurance
California SB 1386
Requires any entity that conducts business in California to disclose any breach of the security of any data which includes personal information
Compliance Drivers
Family Educational Rights and Privacy Act
Protects the privacy of student educational records.
Payment Card Industry Data Security Standards
Applies to all merchants and service providers that store, process, or transmit credit card data, and provides the tools and measurements needed to protect against cardholder data exposure and compromise
Notification of Risk to Personal Data Act (S. 1350, pending)
Would require Federal agencies, and persons engaged in interstate commerce, in possession of electronic data containing personal information, to disclose any unauthorized acquisition of such information
Sanctions for Regulatory Non-Compliance

| Regulation | Date of Enforcement | Fine | Imprisonment | Industry |
|---|---|---|---|---|
| HIPAA | 1996 | $250,000 | 10 years | Health |
| GLBA | 1999 | $100,000 per incident | 5 years | Financial |
| SOX | 2002 | $22 million per violation (former Gemstar CEO, May 9, 2006) | 20 years | Information Security |
| CA SB 1386 | 2003 | Any customer injured by a violation of this act may institute a civil action to recover damages | None; customers must be notified | Personal Information |
| PCI | 2005 | $500K per incident + $100K if Visa is not notified | None; rescind the right to accept credit card payments | Credit Card Security |
S-OX
Applies to public companies
Section 302 compliance – Attestation to validity of public reports
Section 404 compliance – Attestation to the effectiveness of internal control structures
Section 409 compliance – “real time” public disclosure of material changes in the financial conditions or operations of a company
GLBA
Applies to “Financial Institutions”
Includes not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers (student loans)
Financial Privacy Rule
Governs the collection and disclosure of customers' personal financial information
Safeguards Rule
Requires all financial institutions to design, implement and maintain safeguards to protect customer information.
In summary, the objectives of GLBA are to:
• Protect the security and confidentiality of customers' nonpublic personal information
• Institute administrative, technical, and physical safeguards
• Protect against anticipated threats and hazards to information security
• Protect against unauthorized access to or use of information
A further objective is to establish a continuous risk-based information security program with:
• Board oversight
• Assessment of threats and vulnerabilities
• Risk management and controls
• Training and testing
• Vendor oversight
• Monitoring, auditing, adjusting, and reporting
Who is affected by GLBA?
• Banks, securities firms, and insurance companies
• Mortgage lenders or brokers
• Check cashers and payday lending services
• Credit counseling service and other financial advisors
• Medical-services providers with long-term, interest-bearing payment plans for a significant number of their patients
• Financial or investment advisory services including tax planning, tax preparation, and individual financial management
• Retailers that issue their own credit cards
• Auto dealers that lease or finance purchases
• Higher education institutions providing financial aid or student loans
• Collection agencies
• Government entities that provide financial products such as student loans or mortgages
HIPAA
Applies to health care providers, clearinghouses, and plans
The Privacy Rule
Includes standards to protect the privacy of individually identifiable health information
The Security Rule
Specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information
Who is affected by HIPAA?
In general, the requirements, standards, and implementation specifications of the HIPAA Security Rule apply to the following entities:
• Covered Health Care Providers: Any provider of medical or other health services or supplies who transmits any health information in electronic form in connection with a transaction
• Health Plans: Any individual or group plan that provides or pays the cost of medical care, including certain specifically listed governmental programs
• Health Care Clearinghouses: A public or private entity that processes another entity's healthcare transactions from a standard format to a nonstandard one, or vice versa
• Medicare Prescription Drug Card Sponsors: A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act
Family Educational Rights and Privacy Act
Applies to all schools that receive funds under an applicable program of the U.S. Department of Education
Establishes:
• Inspection right
• Correction right
• Restrictions on disclosure
• Notification obligation
Addressing Compliance
“An entire organization, despite its best efforts to prevent wrongdoing in its ranks, can still be held criminally liable for any of its employees’ illegal actions.”
Paula Desio, Deputy General Counsel
United States Sentencing Commission
An Overview of the Organizational Sentencing Guidelines
“[The Sentencing Commission] attempted to alleviate the harshest aspects of...institutional vulnerability...by mitigating the potential fine...if an organization can demonstrate that it had put in place an effective compliance program.”
Paula Desio, Deputy General Counsel
United States Sentencing Commission
An Overview of the Organizational Sentencing Guidelines
Three Pieces of the Puzzle
People
Process
Technology
Why use PCI for our discussion?
Regulatory programs are open to interpretation
They may require teams of experts (General Counsel, Finance, Risk, etc.) to determine the organization's compliance requirements; the requirements are “fuzzy”
PCI is the most prescriptive and the easiest to map against and measure
The PCI DSS embodies information security best practices
The process of complying with PCI can benefit, and likely transfers over to, other compliance programs (GLBA, HIPAA, etc.)
Demonstrating that controls are in place for data protection can be leveraged regardless of whether that data is corporate, personal, financial, health, or, in the case of PCI, credit card information
PCI compliance may prove “due care”
General Security Recommendations
Store Less Data
– Reduce the scope
– Justify why you’re storing critical data
Understand the Flow of Data
– Diagrams, understanding where data is stored, how far it travels
Encrypt Data
Address Application and Network Vulnerabilities
– Update your software with patches as they are released.
– Have a third party conduct an application test and code review
Improve Security Awareness and Training
Monitor Systems for Intrusions and Anomalies
– Place IDS devices near the assets you want to protect.
– Establish a centralized server for reviewing, correlating, and managing IDS logs.
Segment Data Sensitive Networks and Control Access to Them
Change default passwords immediately
Payment Card Industry (PCI) Solution & Prescriptive
PCI Defined
The PCI Data Security Standard
Published January 2005
Impacts all who:
Process
Transmit
Store cardholder data
Developed by MasterCard and Visa, endorsed by the other payment brands
Pertinent for all industries and company size
SMB to large enterprise and service providers
Global in nature
Visa says approximately 22% of Tier 1 Merchants are currently compliant. Computerworld, July 10, 2006.
The PCI Data Security Standard
PCI applies to all companies that handle credit card information—not just credit card processing
Merchants are tiered based on transaction volume and each level has different requirements
Penalties associated with the levels
Applies globally to all environments including physical, electronic commerce, wireless, etc.
PCI covers systems, policies, and procedures
It’s About Good Business Practices
Providing a secure shopping environment whether in the store or online
Prevention of identity theft for customers
Securely and reliably protecting brand image and assets
Mitigating financial risk associated with fines and penalties due to failure in compliance (and breach!)
Categories of Merchants

| Category | Criteria | Requirement |
|---|---|---|
| Level 1 Merchants | 6,000,000 Visa/MC transactions per year* | Annual onsite PCI Data Security Assessment; quarterly network scan |
| Level 2 Merchants | 1 million – 6 million transactions per year | Quarterly network scan; annual self-assessment |
| Level 3 Merchants | 20K – 1 million e-commerce transactions per year | Quarterly network scan; annual self-assessment |
| Level 4 Merchants | < 20,000 Visa e-commerce transactions per year | Quarterly network scan; annual self-assessment |

*Any merchant that has suffered a hack or an attack that resulted in an account data compromise
Critical Role of the Network for PCI Compliance
PCI Data Security Standard Requirements
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
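Requirements 8 and 10 are the ones a log review has to prove: every login on a system in scope maps to one named person, and access to cardholder systems is tracked and reviewed. The script below is an added example, not from the deck or from Cisco. It parses constructed sshd-style syslog lines from a hypothetical POS server and flags the three things an assessor asks about first: successful logins with shared or vendor-default account names (Requirements 2 and 8), administrative logins from outside the management subnet, and a success that follows a burst of failures. The host name, addresses, management subnet and account list are all assumptions; the same walk works over the syslog feed a central log server collects.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sshd-style syslog lines from a hypothetical POS server; not real logs.
SAMPLE_LOGS = [
    "Oct  3 09:12:01 pos-srv-01 sshd[412]: Accepted publickey for jsmith from 10.20.0.15 port 51022",
    "Oct  3 09:13:40 pos-srv-01 sshd[417]: Failed password for admin from 198.51.100.23 port 40111",
    "Oct  3 09:13:44 pos-srv-01 sshd[418]: Failed password for admin from 198.51.100.23 port 40112",
    "Oct  3 09:13:49 pos-srv-01 sshd[419]: Failed password for admin from 198.51.100.23 port 40113",
    "Oct  3 09:14:02 pos-srv-01 sshd[421]: Accepted password for admin from 198.51.100.23 port 40114",
    "Oct  3 09:20:11 pos-srv-01 sshd[430]: Accepted password for root from 10.20.0.40 port 51100",
    "Oct  3 09:21:30 pos-srv-01 cron[88]: (jsmith) CMD (/usr/local/bin/backup)",
]

# Assumptions for the example: where administrators are allowed to come from,
# and which account names are shared or vendor defaults rather than one person.
MGMT_NETS = [ip_network("10.20.0.0/24")]
SHARED_OR_DEFAULT_ACCOUNTS = {"admin", "root", "cisco", "guest"}
FAIL_THRESHOLD = 3   # consecutive failures before a following success is flagged

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line: str):
    """Return a dict for an sshd login event, or None for lines that are not logins."""
    m = LOGIN_RE.match(line)
    return m.groupdict() if m else None


def from_mgmt_net(src: str) -> bool:
    """True if src is an address inside one of the management subnets."""
    try:
        addr = ip_address(src)
    except ValueError:          # a hostname or garbage: treat as not trusted
        return False
    return any(addr in net for net in MGMT_NETS)


def review(lines):
    """Walk the log in order and return (rule, user, source) findings."""
    findings = []
    fails = Counter()           # consecutive failures per (user, src)
    for ev in filter(None, map(parse, lines)):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            fails[key] += 1
            continue
        # Successful login: apply the three checks.
        if ev["user"] in SHARED_OR_DEFAULT_ACCOUNTS:
            findings.append(("shared-or-default-account", ev["user"], ev["src"]))
        if not from_mgmt_net(ev["src"]):
            findings.append(("login-outside-mgmt-net", ev["user"], ev["src"]))
        if fails[key] >= FAIL_THRESHOLD:
            findings.append(("success-after-repeated-failures", ev["user"], ev["src"]))
        fails[key] = 0          # a success resets the burst counter for that pair
    return findings


if __name__ == "__main__":
    for rule, user, src in review(SAMPLE_LOGS):
        print(f"{rule}: user={user} src={src}")
```

On the sample, the `admin` login from 198.51.100.23 trips all three rules at once, which is exactly the event a reviewer wants surfaced rather than buried among routine logins; the `root` login from inside the management subnet is flagged only as a shared account, the Requirement 8 point that an individual cannot be tied to it.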
Where Most Assessments Are Failing

| PCI Requirement | Percentage of Assessments Failing |
|---|---|
| Requirement 3: Protect Stored Data | 79% |
| Requirement 11: Regularly Test Security Systems and Processes | 74% |
| Requirement 8: Assign a Unique ID to Each Person with Computer Access | 71% |
| Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data | 71% |
| Requirement 1: Install and Maintain a Firewall Configuration to Protect Data | 66% |
| Requirement 2: Do Not Use Vendor-supplied Defaults for System Passwords and Other Security Parameters | 62% |
| Requirement 12: Maintain a Policy That Addresses Information Security | 60% |
| Requirement 9: Restrict Physical Access to Cardholder Data | 59% |
| Requirement 6: Develop and Maintain Secure Systems and Applications | 56% |
| Requirement 4: Encrypt Transmission of Cardholder Data and Sensitive Information Across Public Networks | 45% |
Source: VeriSign. “Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them.”
Compliance Is Still an Issue
Forrester Research: Self-assessment in payment card security is not enough
Forrester concludes: “Information security (or a lack of it) is not an area in which banks and retailers should try to save money or compete.”
Gartner: The PCI Data Security Standard was created in 2001, yet the card-accepting industry still struggles to demonstrate compliance with it, let alone protect cardholder data in many cases
The Logic Group, September 27, 2006: Survey reveals alarmingly low levels of compliance for PCI DSS—Only 3% of merchants were ready
PC-Based Point of Sale Systems Experienced the Largest Percentage of Compromises in 2005 in the US (chart):
• PC POS: 84%
• Shopping cart: 12%
• Backend: 2%
• Mainframe: 1%
• Physical: 1%
The Risks are Real
1/06 University of Delaware
1/06 Pittsburg University Medical
1/06 Illinois Education Assoc
1/06 Oregon Dept of Revenue
1/06 California National Guard
1/06 Atlantis Resort-Kerzner
1/06 People’s Bank
1/06 NYC Teachers’ Retirement
1/06 Presbyterian Health Care
1/06 Notre Dame University
1/06 Kent State University
1/06 City of San Diego
1/06 State of Washington Health
1/06 Honeywell International
1/06 Ameriprise Financial
1/06 Boston Globe
1/06 FedEx Freight West
2/06 Blue Cross Blue Shield NC
2/06 Ernst & Young
2/06 US Agriculture Department
2/06 Blue Cross Blue Shield FL
2/06 Deloitte & Touche / McAfee
3/06 American International Group
3/06 University of Michigan
3/06 Verizon Communications
3/06 General Motors
3/06 Fidelity Investments
4/06 Nationwide Retirement Services
4/06 US Department of Defense
4/06 Iron Mountain
4/06 Fifth Third Bank
4/06 University of South Carolina
4/06 Ross-Simons
4/06 University of Alaska, Fairbanks
4/06 Boeing
4/06 University of Virginia
4/06 State of Georgia
4/06 Union Pacific Corporation
5/06 Internal Revenue Service
5/06 Equifax
5/06 Northwestern University
5/06 Hotels.com
5/06 Wells Fargo
5/06 Mercantile Bankshares
5/06 Minnesota Revenue Dept
5/06 Frost Bank
5/06 YMCA
5/06 VyStar Credit Union
6/06 Federal Trade Commission
6/06 US Navy Recruiting
6/06 Fluor Hanford
6/06 Humana Health Plans
6/06 Royal Ahold USA
6/06 Barnard College
Over 192 disclosed security breaches through October 2006, potentially affecting more than 12 million individuals
6/06 Department of Energy
6/06 Minnesota State Auditor
6/06 ING
6/06 VA Bureau of Insurance
6/06 ADP TotalSource
6/06 Visa USA
6/06 National Institute on Health Federal Credit Union
7/06 US Citizenship and Immigration Services
7/06 Riverside City Hall (CA)
7/06 US Navy
7/06 Moraine Park Technical College
7/06 Mississippi Secretary of State
7/06 PSA Healthcare
7/06 Hampton Roads, VA Circuit Court
7/06 Helnet, Inc.
9/06 Madrona Medical Group
8/06 Hospital Corporation of America
8/06 Williams Sonoma, Inc.
8/06 Weyerhaeuser
8/06 Louisiana State University
8/06 Transportation Security Admin
8/06 Linden Lab
8/06 Toyota
8/06 Columbus Income Tax Division
8/06 MI Dept of Community Health
8/06 Dept of Veteran Affairs
8/06 Illinois Dept of Corrections
8/06 Adams State College
8/06 University of Texas
8/06 CA Dept of Mental Health
8/06 US Department of Education
8/06 Sovereign Bank
8/06 Federal Motor Carrier Safety
8/06 AT&T
8/06 University of Colorado
8/06 PortTix
9/06 Berry College
9/06 North Carolina Division of Motor Vehicles
9/06 Purdue College of Science
9/06 Louisiana State University
9/06 Kentucky Personnel Cabinet
9/06 US Census Bureau
9/06 Nikon World Magazine
9/06 Erlanger Hospital
9/06 DePaul Medical Center
9/06 Life is Good, Inc.
9/06 General Electric Co.
9/06 University of Texas
9/06 University of Iowa
10/06 Lexis Nexis
10/06 Cumberland County, PA Government
10/06 Chicago Board of Elections
10/06 Colorado Dept of Human Services
Source: www.idtheftcenter.org
2007 Breach List (as of 9/25/2007)
Breaches: 297 Exposed: 75,926,667
Implications of Non-Compliance
Fines levied by the PCI Data Security Standards body
Up to $500K per incident for any merchant or SP not compliant at the time of the compromise
Increased transaction costs
Restrictions on card acceptance: Temporary suspension with possible permanent implications
Consumer confidence and retailer brand integrity compromised by data security breach
Loss of cardholder data due to network attack
Liable for cleanup and notification costs
Differences between PCI DSS 1.0 and 1.1
PCI DSS 1.1 went into effect on October 1, 2006.
All QSA and network scans as of Jan 1, 2007 must use 1.1
Some specific changes:
Section 6.6: Added requirement for application code review or an application firewall to be used
Section 11.1: Clarified that wireless analyzers should be used periodically, even if wireless is not currently deployed
Section 12: Added requirement for a policy to manage connected entities, including maintaining a list, implementing appropriate due diligence, ensuring connected entities are PCI DSS compliant, and having an established process to connect and disconnect entities
New appendices:
Appendix A: PCI DSS Applicability for Hosting Providers
Appendix B: Compensating Controls, with an example for stored data encryption
For the specific 1.1 differences see: https://www.pcisecuritystandards.org/pdfs/pci_summary_of_pci_dss_changes_v1-1.pdf
Cisco and PCI
How Cisco Is Helping Retailers
Provide an end-to-end secured solution to address PCI requirements
Provide a set of recommended architectures for small, medium, and large footprint stores
Ensuring data security as you build out advanced capabilities in your network
Our Partners for PCI Solution for Retail
We are working with leading industry partners to join us in providing recommended network architectures to meet compliance
Audit and remediation services
Cybertrust
AmbironTrustWave
Hardware and software partners
POS: IBM, Wincor Nixdorf
Handheld devices: Intermec
Anti-virus software: TrendMicro
Recommended Architectures
Cisco worked with PCI auditors to develop architectures that address the requirements of PCI compliance
Lab tested and audited architectures to provide guidance on the best configuration of various network products
Tested architectures provide guidance to maximize integration with various technology partners
Reduce the amount of complexity for retailers configuring networks for PCI compliance
Mapping of Cisco products directly to PCI requirements
The Benefits of Recommended Architectures
Applying the Intelligent Information Network to PCI DSS
Sample Network Environment (diagram)
Zones shown: remote location, Internet edge, data center/main office.
Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA (on desktops and servers), LAN switch, WAP with LWAPP, on-line store, CSM, NCM/CAS, Ironport, Postx.
PCI DSS Requirement 1
PCI DSS Requirement 1 (continued)
[Diagram: the sample network environment with Requirement 1 highlighted]
Requirement 1: Install and maintain a firewall configuration to protect data
PCI DSS Requirement 2
[Diagram: the sample network environment with Requirements 1 and 2 highlighted]
Requirement 2: Do not use vendor-supplied defaults for system settings
PCI DSS Requirement 3
PCI DSS Requirement 3 (continued)
[Diagram: the sample network environment with Requirements 1 through 3 highlighted]
Requirement 3: Protect stored data
PCI DSS Requirement 4
[Diagram: the sample network environment with Requirements 1 through 4 highlighted; the 6500/7600 is shown here as VPN/FW]
Requirement 4: Encrypt transmission of cardholder data across public networks
PCI DSS Requirement 5
[Diagram: the sample network environment with Requirements 1 through 5 highlighted]
Requirement 5: Use and regularly update anti-virus software
PCI DSS Requirement 6
PCI DSS Requirement 6 (continued)
[Diagram: the sample network environment with Requirements 1 through 6 highlighted; ACE and ACE XML are added]
Requirement 6: Develop and maintain secure systems and applications
PCI DSS Requirement 7
[Diagram: the sample network environment with Requirements 1 through 7 highlighted]
Requirement 7: Restrict access to data by business need-to-know
PCI DSS Requirement 8
[Diagram: the sample network environment with Requirements 1 through 8 highlighted; ACS is added]
Requirement 8: Assign a unique ID to each person with computer access
PCI DSS Requirement 9
[Diagram: the sample network environment with Requirements 1 through 9 highlighted; ACS and Digital Video Surveillance are added]
Requirement 9: Restrict physical access to cardholder data
PCI DSS Requirement 10
[Diagram: the sample network environment with Requirements 1 through 10 highlighted]
Requirement 10: Track and monitor all access to network and cardholder data
PCI DSS Requirement 11
[Diagram: the sample network environment with Requirements 1 through 11 highlighted]
Requirement 11: Regularly test security systems and processes
PCI DSS Requirement 12
PCI DSS Requirement 12 (continued)
[Diagram: the sample network environment with all twelve requirements highlighted]
Requirement 12: Maintain a policy that addresses information security
Applying IIN Components to PCI Product Details
Cisco Security Routers: Addressing PCI Requirements
Applies to PCI Requirements 1, 2, 4, 6, 10, 11
Integrates PCI control into network infrastructure
Reduces complexity: fewer products to manage
Enables future business initiatives
Cisco® Security Routers: Core Platform for PCI
• SSL and IPSec VPN
• WAN Backup
• Network Admission Control
• Application Firewall
• Intrusion Prevention
• Network Foundation Protection
• Wireless
• IP Telephony
• URL Filtering
Cisco Security Routers: Addressing PCI: Core Platform
Applies to PCI Requirements 1, 2, 4, 6, 10, 11
• Encrypt transmission of all cardholder data
• Limit access to cardholder resources
• Hide internal IP addresses (NAT)
• Stateful firewall between wired and wireless
• Block unused ports
• Network IDS/IPS
• Reduce devices with integral WAP
• All systems secured: AutoSecure, secure management
• Business resiliency
• Integrated Call Manager VoIP
• WPA
Secure Router
Addresses PCI Requirements 1, 2, 4, 6, 10, 11
1. Stateful IOS firewall separates wired and wireless networks
2. Apply NSA guidelines for secure router configuration with one click: AutoSecure (or network-wide with NCM)
4. Provides high-performance encryption of sensitive data
6. Offers secure device management (HTTPS, SSH, SCP, etc.)
10. Provides forensic logging using NetFlow and syslog
11. Integrates IPS for wired and wireless networks
Application inspection and URL filtering, exceeding PCI requirements
Integrated with other advanced technologies (VoIP and wireless) in the same platform
ASA
Addresses PCI Requirements 1, 2, 4, 6, 10, 11
1. Stateful IOS firewall separates wired and wireless networks
2. GUI device manager to change system default passwords
4. Provides high-performance encryption of sensitive data, ideal at the headend and at larger remote locations that need a dedicated security device
6. Offers secure device management (HTTPS, SSH, SCP, etc.)
10. Anti-X capabilities protect against malicious attempts
11. Integrates IPS for wired and wireless networks
Application inspection and URL filtering, exceeding PCI requirements
Catalyst 6500/Cisco 7600 Security Service Modules
Addresses PCI Requirements 1, 2, 3, 6, 11, 12
Similar to the ASA; appropriate for large enterprises and service providers
Cisco Security Agent: PC and Server Protection
Desktop protection:
• Distributed firewall
• Day-zero virus/worm protection
• File integrity checking
• Application security
• Policy enforcement
Server protection:
• Host-based intrusion prevention
• Day-zero virus/worm protection
• Operating system hardening
• Web server protection
• Security for other applications
• Application data protection
Cisco Security Agent
Addresses PCI Requirements 1, 2, 3, 5, 6, 7, 10, 11, 12
1. Personal firewall on end devices
2. Disables unnecessary and insecure services, protocols and functionality on servers
3. Data Theft Prevention Rule protects stored data on servers and clients, as well as prohibits copying/tampering of information
5. Augments anti-virus software via Day Zero protection
6. Protects devices during security patch testing and enables effective patch management process
7. Data Theft Prevention Rule allows only authorized users access to information
10. Can maintain per-system audit logs, providing a forensic behavior trail
11. Provides host-based intrusion prevention, and performs file integrity monitoring & protection against unauthorized modification
Network Admission Control (NAC Appliance)
Components in the diagram: NAC Appliance (Clean Access Server), NAC Appliance (Clean Access Manager), authentication server, network access device; endpoints arrive over wired, wireless and VPN (IPsec/SSL) access.
1. End user attempts to access a network. Network access is blocked until the end user provides login information.
2. User is redirected to a login page. User login is validated; the device is scanned to assess vulnerabilities and posture.
3a. Device is noncompliant: user is denied network access and assigned to a quarantine role; device remediation takes place.
3b. Device is compliant: the machine goes on the "clean list" and is granted access to the network.
Diagram labels: posture assessment (compliant / not compliant / quarantine), device security, network security, identity.
Cisco NAC Appliance
Addresses PCI Requirements 5, 6, 11, 12
5. Checks that anti-virus software on the endpoint is up to date and consistent with current security policy
6. Checks that all relevant security patches are installed on the end device
11. Prevents unauthorized access to the network from the inside
IronPort Email & Content Security at Work: IronPort Customer Use Cases
Intellectual property protection (NPI data)
• Policy rules for specific senders/recipients
• Block messages containing confidential data
Acceptable use policy enforcement
• Block profanity
• Email attachment controls (size, type, content)
• Legal disclaimers on specific messages
• Archive specific messages
Regulatory compliance
• Scan for PHI/NPI and block infractions
• Secure business partner communication
• Compliance quarantines for remediation policies
IronPort Content Security: Overview
• Powerful attachment scanning technology for intellectual property protection (NPI data)
• Complete on-box or off-box end-user-to-end-user encryption capability
• Turnkey solution for regulatory compliance (HIPAA, SOX, etc.)
• Flexible system for creating and enforcing a corporate acceptable use policy
IronPort Email Encryption: The Easiest Path to Protecting Confidential Email
Universal reach: send to any email user
Auditable policy enforcement: content scanning at the gateway drives encryption; does not rely on or require user action
Easiest to use: transparent to the sender; no client software for sender or receiver
Easiest to deploy and manage: no client software; hosted key management system
IronPort
Addresses PCI Requirements 4, 7, 10, 12
4. Enforces encryption of confidential information
7. Restricts access to cardholder data: Data Theft Prevention Rule allows only authorized users to access/send/open confidential information
10. Tracks and monitors access to cardholder data
12. Demonstrates/maintains security policy
Cisco Wireless Access Points
Addresses PCI Requirements 2, 4, 6, 11, 12
2. WPA encryption support
4. WPA encryption support
11. Wireless intrusion detection support within wireless access points
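As an added example (not from the deck), this is what the Requirement 2 and 4 items look like on an autonomous Cisco IOS access point serving one SSID for the store's wireless devices on VLAN 30. Names, VLAN numbers and secrets are placeholders. It uses WPA2 with AES-CCMP rather than the WPA/TKIP the slide lists, and a pre-shared key; where ACS is in place, `authentication open eap` with 802.1X would replace the `wpa-psk` line.

```cisco
! Added example (not from the deck): autonomous IOS access point, one SSID on VLAN 30.
! Names, VLAN numbers and secrets are placeholders.
hostname store-ap-01
! Req 2: no vendor defaults; management only over SSHv2 and HTTPS, as a named user
no ip http server
ip http secure-server
ip ssh version 2
username apadmin privilege 15 secret <strong-ap-secret>
line vty 0 4
 transport input ssh
 login local
!
! Req 4: WPA2 key management. The SSID is not broadcast because "guest-mode" is left unset.
dot11 ssid STORE-WLAN
 vlan 30
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii <long-random-passphrase>
!
interface Dot11Radio0
 ! AES-CCMP is the only cipher offered on VLAN 30; WEP and TKIP are never enabled
 encryption vlan 30 mode ciphers aes-ccm
 ssid STORE-WLAN
 no shutdown
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
interface FastEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
```

Check the result with `show dot11 associations` (each client should show WPA2 key management and AES-CCMP) and `show running-config | include encryption`; any remaining `encryption mode wep` line is a finding.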
Cisco Security MARS: Monitoring, Analysis and Response System
Powerful monitoring, analysis and response system
• Multi-vendor support
• Correlates events from multiple sources, such as vulnerability assessment and NetFlow data, to detect anomalies
Visualization and reduced complexity
• Lower TCO: appliance based
• Simple-to-install solution
• Simple licensing, no software agents
Mitigation of attacks
• Mitigate attacks by isolating switch ports and applying ACLs closest to the source
• Know the "what, where, and how" of threats
• Leverage the intelligence in the network to enforce security policies
• Visualize attack paths and identify network hot spots
• Identifies valid incidents and minimizes false positives
Higher network availability
• Identify day-zero attacks, reduce resolution time
CS-MARS
Multi-vendor event correlation
Network-wide security monitoring, attack visualization and response
Addresses PCI Requirements 10, 11, 12
• Receives logs, alerts and audit trails from systems throughout the network and creates reports to use for compliance
• Device logs must be reviewed; CS-MARS provides correlation, aggregation and comparison of the information
• Gathers and analyzes NetFlow data
• Generates incident reports
• Immediate incident response: CS-MARS defines the appropriate mitigation response
CS-MARS
Addresses PCI Requirements 10, 11, 12
10. Receives logs, alerts and audit trails from systems throughout the network and creates reports to use for compliance; creates operational efficiencies for log review
11. Provides correlation, aggregation and comparisons of information
CS-MARS is the primary tool for reducing costs and increasing reporting efficiencies around maintaining compliance
Cisco Security Manager: Multi-product, multi-technology configuration
Policy administration
• Centrally provision policies for firewalls, VPNs and IPS
• Very scalable
• Policy inheritance feature enables consistent policies across the enterprise
• Powerful device grouping options
• Role-based access: change control
Firewall administration
• Configure policies for ASA, PIX, FWSM and IOS
• Single rule table for all platforms
• Intelligent analysis of policies
• Sophisticated rule table editing
• Compresses the number of access rules required
VPN administration
• VPN wizard: set up site-to-site, hub-and-spoke and full-mesh VPNs with a few mouse clicks
• Configure remote-access VPN, DMVPN and Easy VPN devices
IPS administration
• Automatic updates to the IPS sensors
• Support for Outbreak Prevention Services
Superior usability
• Administer policies visually on tables or a topology map
• Jumpstart help: an extensive animated learning tool
• Flexible management views: policy-based, device-based, map-based, VPN-based
Cisco Security Manager (CSM)
Addresses PCI Requirements 11, 12
11. Provides comparisons of configurations (diffs)
12. Maintains a security policy (firewall, IDS, VPN, switches)
Cisco Secure Access Control Server (ACS)
AAA logging/Audit: Who, What, When
Support strong password requirements/change mgmt.
Two-Factor authentication
Administration authentication, access rights
Network device authentication
Cisco Access Control Server
Addresses PCI Requirements 8, 10, 12
8. Provides authentication, authorization and accounting (AAA) for network devices through TACACS+; provides a unique username for all users
10. Maintains a forensic audit trail of who accessed the network, what they did, and when they did it
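The router and switch side of this is a short AAA block. As an added example (not from the deck), the following IOS fragment points device administration at ACS over TACACS+ so that every login is a named user (Requirement 8) and every exec session and command is accounted for (Requirement 10). The ACS address, the shared secret and the break-glass account are placeholders; IOS 12.4 uses `tacacs-server host 10.0.0.20 key <secret>` in place of the `tacacs server` block shown here. Per-user lockout after six failed attempts and the thirty-minute lockout duration (PCI 8.5.13 and 8.5.14) are enforced on ACS; `login block-for` only protects the device's login process itself.

```cisco
! Added example (not from the deck): IOS AAA against ACS over TACACS+.
! Addresses, secrets and the break-glass account are placeholders.
aaa new-model
tacacs server ACS-PRIMARY
 address ipv4 10.0.0.20
 key <tacacs-shared-secret>
aaa group server tacacs+ ACS
 server name ACS-PRIMARY
!
! Req 8: named users authenticated by ACS; the local account is a fallback for the case
! where ACS is unreachable, so nobody shares an enable password day to day
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
aaa authorization exec default group ACS local
aaa authorization commands 15 default group ACS local
aaa authorization config-commands
username breakglass privilege 15 secret <strong-local-secret>
!
! Req 8: slow down password guessing against the device itself (6 failures in 2 minutes
! quiets the login process for 30 minutes); per-user lockout is an ACS policy
login block-for 1800 attempts 6 within 120
login on-failure log
!
! Req 10: accounting records answer who logged in, what commands they ran, and when
aaa accounting exec default start-stop group ACS
aaa accounting commands 1 default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
line con 0
 login authentication default
 accounting exec default
```

With this in place the TACACS+ accounting log on ACS carries the username, source address, timestamp and full command line for every privileged command, which is the audit trail the next slide (Requirement 10) refers to. Test the fallback path by blocking reachability to ACS and confirming the break-glass account still works, and confirm `show tacacs` reports the server as up before relying on it.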
Network Compliance Manager
Addresses PCI Requirements 10, 12
10. Maintains a forensic audit trail of who accessed the network, what they did, and when they did it
• Alerts on configuration modifications and deviations
• Full audit trail
• Validates configurations against NSA, SAFE and best-practice baselines
• Tracks system compliance metrics
• Demonstrable controls
Audit Process and Lessons Learned
Audit Process: Assessment and ROC
The QSA's assessment report is the written response to the audit process.
For areas that do not pass, the QSA will recommend compensating controls.
Remediation services are typically required after the audit.
After audit and remediation, the retailer can submit their Report on Compliance (ROC) to their acquirer and payment brand (e.g., Visa, MasterCard) for final approval.
Audit Process Best Practices for Retailers
Be proactive: collecting the information required for the audit in advance can shorten the process
Study a sample ROC: it shows the whole specification and helps clarify focus areas
Centralized network management tools save time and cost in managing remote device configurations
Partner with your Qualified Security Assessor (QSA): the QSA is strategic to becoming PCI compliant
• Most companies will not pass on the first try
• Understand the QSA's process and their approach to the audit and remediation
Design Validation: Lessons Learned
ISR is ideal for retail because it addresses many PCI requirements in a single device: router, firewall, IDS
MARS reduces labor requirements for event correlation
Wireless scanning for rogue AP detection is required whether a WLAN is installed or not (PCI 11.1b)
WCS, ACS and MARS require compensating controls for administrative authentication
“CSA was impressive” – it ensures file integrity of audit logs on systems that had no file integrity system
Source: Cybertrust auditor Dec 2006
Summary
• Enterprises are still struggling with compliance, as evidenced by fines, lawsuits, and breaches
• The IIN plays a critical role in addressing various compliance programs: internal, regulatory, or commercial
• PCI DSS can be leveraged for other compliance programs
• Cisco continues to provide customers with a framework for compliance
Reference & Supplemental Material
Links
Compliance related on Cisco.com
http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=compliance&accessLevel=Guest&language=en&country=US&Search+All+Cisco.com=cisco.com
Cisco's PCI for Retail architectures
http://www.cisco.com/web/strategy/retail/pci.html
Related
VISA CISP website
http://usa.visa.com/merchants/risk_management/cisp.html
SANS
www.sans.org
PCI Solution Product Alignment
Columns: Solution, Feature, PCI value

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  Integrated Services Router (ISR): network security (firewall segmentation/filtering), stateful filtering
  CiscoWorks (LMS), CSM: configuration management / secure configurations
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  ISRs, switches, wireless devices, WCS, ACS, CiscoWorks (LMS), CSA, CSM: vendor defaults changed
  WCS / wireless controllers: wireless security (WPA/WPA2, SSID broadcast disabled)
  ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS)): best-practice security parameters enabled
  ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS): non-console encrypted administrative access
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  Wireless controllers: WPA wireless security
Requirement 5: Use and regularly update anti-virus software or programs.
  Cisco Security Agent: anti-virus protection, malware/spyware protection, alerting
Requirement 6: Develop and maintain secure systems and applications.
  CiscoWorks (LMS), CSM (workflow mode): change control
PCI Solution Product Alignment (continued)
Requirement 7: Restrict access to cardholder data by business need-to-know.
  ISRs, switches, wireless controllers, CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS: least-privilege, role-based access
Requirement 8: Assign a unique ID to each person with computer access.
  ISRs, switches, wireless controllers, CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS: unique user IDs, authenticated access, encrypted passwords, no group/shared IDs or passwords
  ISRs, switches, wireless controllers, CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS: password strength requirements
  ISRs, switches, wireless controllers, CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS: account lockout requirements
Requirement 10: Track and monitor all access to network resources and cardholder data.
  ISRs, switches, wireless devices, WCS, ACS, CiscoWorks (LMS), CSA: audit trails, time synchronization
Requirement 11: Regularly test security systems and processes.
  Wireless controllers: rogue wireless AP/device detection
  ISRs (sensor), CSM (policy, signature updates): network IDS
  CSA: host-based IDS
  CSA: file integrity
GLBA Financial Privacy: The Gramm-Leach-Bliley Act
The Financial Services Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions.
The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC.
The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, that receive such information. For a summary overview of the Financial Privacy Rule, see "In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act."
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.
The pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."
Which Cisco Products and Solutions Help Address the SOX Requirements?
Intrusion Detection and Prevention: Cisco IPS 4200 Series Sensors, Cisco Integrated Services Routers with Security Bundle, Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst® Security Services Modules
Logging, Authentication, Access Control: Cisco Secure Access Control Server (ACS), Cisco Security Agent, Cisco Security Monitoring, Analysis and Response System (MARS)
Antivirus Policy: Cisco ASA 5500 Series, Cisco Firewall Services Module, Integrated Services Routers, Cisco IPS 4200 Series, Cisco Security Agent
Remote-Access Policy: Cisco ASA 5500 Series, Cisco Integrated Services Routers
Configuration Policy: Cisco Security Device Manager (Security Bundles), Cisco Network Compliance Manager, Cisco Security Agent, Cisco Security MARS, Cisco Security Manager, Network Admission Control
Regular Vulnerability Assessment
Which Cisco Products and Solutions Help Address the GLBA Requirements?
Protect Against Unauthorized Access
Cisco Access Control Servers, 802.1x, Network Admission Control, Cisco Integrated Services Routers, Cisco ASA 5500 Series Adaptive Security Appliances
Secure Data Exchange with Affiliates and Service Providers
VPNs (such as those using IP Security, DMVPN, and Secure Sockets Layer VPN technologies), Cisco ASA 5500 Series & ISRs, IronPort PostX
Detecting, Preventing, and Responding to Attacks and Intrusions
Cisco Security Monitoring, Analysis and Response System, Cisco IPS solutions, Cisco Security Agent, Cisco Security Manager
Implement, Test, and Adjust a Security Plan on a Continuing Basis
Cisco Network Compliance Manager, Configuration Assurance Solution, Cisco Security Posture Assessment, and Penetration Testing Services
Which Cisco Products and Solutions Help Address the HIPAA Requirements?
Protect Against Unauthorized Access
Cisco Access Control Server, 802.1x, Network Admission Control, Cisco Integrated Services Routers, Cisco ASA 5500 Series Adaptive Security Appliances
Secure Data Exchange with Affiliates and Service Providers
VPNs (such as those using IP Security, DMVPN, and Secure Sockets Layer VPN technologies), IronPort PostX
Detecting, Preventing, and Responding to Attacks and Intrusions
Cisco Security Monitoring, Analysis and Response System, Cisco Intrusion Prevention System solutions, Cisco Security Agent, Cisco Security Manager
Implement, Test, and Adjust a Security Plan on a Continuing Basis
Cisco Security Posture Assessment and Penetration Testing Services, Network Compliance Manager, Configuration Assurance Manager