eGuide: Compliance 101: Basics for Security Professionals

In today’s regulatory environment, businesses can be subject to a number of industry standards and regulations, many of which include substantial penalties for non-compliance. These mandates affect corporate functions far beyond just Compliance, however – IT Security in particular.

Security professionals – whether they’re new to their role or have been around since VirusScan was the cutting-edge tool – should have a basic understanding of how compliance impacts the organization, including the stakeholders, the standards and regulations to which the business is held, and what needs to be done to ensure continued compliance.

Compliance is not voluntary and non-compliance can result in a mandatory business disruption – or even stoppage – until a compliant state is reestablished. Therefore, it behooves Security pros to understand their role, as well as other implications of compliance, and this eGuide aims to help get them started.


Why Be Concerned About Compliance

Compliance with industry standards and regulations has wide-reaching impacts, for both internal and external stakeholders.

Organizations dedicate human and financial resources toward compliance for a number of reasons:

to avoid liability at the Board and C-level

to preserve their corporate reputation

to keep their bottom line safe and shareholders happy

to avoid the cost of compensating customers when sensitive data is stolen

to avoid litigation costs; and

to avoid the additional costs associated with increased scrutiny from regulators

The consequences of non-compliance, especially when it is exposed by a compromise or another compelling event, can have a considerable negative impact on any business, so it is imperative to understand the causes of non-compliance and the increased liability that comes with it.


Compliance Questions to Consider

Here are just a few of the questions to consider to help familiarize yourself with the compliance function. It’s certainly not an exhaustive list but these items will help you start to understand the scope and impact of compliance on your organization.

• Is your organization held to any compliance regulations or standards? (The answer is almost certainly “yes.”) Some examples include PCI DSS, NERC CIP, HIPAA, Sarbanes-Oxley and FISMA, each of which is covered later in this guide.

• How does your organization validate and measure its compliance posture and the risk to that posture?

• How does your organization control in-scope assets and collect compliance information?

• Does your organization use a third-party assessment entity? Who is that entity, and what do they provide to help meet compliance?


The Compliance Players

Nearly every internal stakeholder in the organization is attached in some way to the corporate policy. The following list covers the primary players responsible for creating the core policies that establish the organization’s compliance posture.

Responsible and accountable to deliver the executive policy to the employees. Must ensure and prove compliance with IT policy.

Establishes the tone for risk appetite and risk management, and considers risk and security strategy.

Establishes the operational strategy for security and risk management in the organization. Sets strategic and tactical roles and responsibilities.

Often responsible for approving or denying select IT policy and security budgets and spend.

Develops the security policy and conducts the risk assessments that underpin the processes for vulnerability management, incident management, security awareness and training, and compliance management.


The Convergence of Security and Compliance

While it may not always be apparent, Security and Compliance are counterparts on a path to a shared goal: managing the organization’s risk.

In this regulatory world, virtually every organization is subject to industry standards and/or regulations, and compliance is becoming one of the greatest challenges faced by IT organizations. Now that passing regulatory compliance audits is a requisite for every organization, IT spending, priorities, and policies must be put in place across organizational teams to address the challenge.

On top of that, operations and security teams have a long list of priorities and pressures to deal with. Sensitive enterprise data is always at risk of being compromised; therefore, it has also become a mandate to secure that information by establishing security processes that address the current threat.

With these constraints and what seem to be conflicting priorities, it’s no wonder that the convergence of security policies and compliance controls has not been seamless. There is hope, however, so let’s dig in to explore why Security and Compliance are really counterparts on a shared path to the same business goal.


Regulations with a Big Bite

Organizations need to ensure compliance with all standards and regulations applicable to their industry, keeping in mind that some mandates (e.g. Sarbanes-Oxley) are horizontal in nature and apply regardless of industry.

We’re highlighting the following five standards and regulations because they have a big bite when it comes to enforcement, penalties and remediation. They are also commonly associated with media headlines, and the news is typically not good for any organization called out in such reports.


Payment Card Industry Data Security Standard (PCI DSS)

PURPOSE:

PCI DSS is designed to ensure the security of cardholder information, and compliance with PCI DSS is mandatory for all organizations that store, process and/or transmit cardholder data for the major card brands. This includes banks, merchants and service providers.

ESTABLISHED:

Version 1.0 of the PCI DSS was introduced in December, 2004.

GOVERNING BODY:

Payment Card Industry Security Standards Council.

STRUCTURE:

12 major security requirements, broken into six “Control Objectives”:

• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:

• Loss of credit card privileges
• Loss of brand confidence and image
• Financial loss due to recurring fines and penalties
• Costs associated with reassessment by the Qualified Security Assessor (QSA)


North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Standards

PURPOSE:

To “ensure the reliability of the North American bulk power system.”

ESTABLISHED:

The first set of legally enforceable Reliability Standards was introduced in March, 2007.

GOVERNING BODY:

North American Electric Reliability Corporation (non-profit).

STRUCTURE: Consists of 9 standards with 45 requirements.

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:

• Levying of fines, sanctions or other actions against covered entities (specific penalties vary from country to country)

• The Federal Power Act permits NERC or regional entities to impose civil penalties of up to $1 million per day, per violation, so long as the penalty is proportional to the seriousness of the violation


Health Insurance Portability and Accountability Act (HIPAA)

PURPOSE:

To protect the confidentiality and security of patient information.

ESTABLISHED:

• August, 1996: HIPAA passed into law
• August, 1998: HIPAA Security and Electronic Signature Standards (subsequently changed to the Security Rule) first released
• December, 2000: HIPAA Privacy Rule first released
• August, 2002: HIPAA Privacy Rule finalized
• February, 2003: HIPAA Security Rule finalized
• April, 2003: Privacy Rule compliance deadline (excluding “small health plans”)
• April, 2005: Security Rule compliance deadline (excluding “small health plans”)
• January, 2011: Incentives for demonstrating “meaningful use” of electronic health records started (under the HITECH Act)

GOVERNING BODY:

US Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

STRUCTURE:

Comprised of the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), which establish national standards for the protection of certain health information; and Security Standards for the Protection of Electronic Protected Health Information (the Security Rule), which establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:

• Fines of up to $250,000 per violation
• Civil monetary penalties
• Criminal penalties, including imprisonment (enforced by the US Department of Justice)
• Investigations and increased scrutiny in the event of a data loss


Sarbanes-Oxley Act

PURPOSE:

To protect shareholders from harm caused by fraudulent and inaccurate financial reporting.

ESTABLISHED:

The Act, named after its sponsors, Senator Paul Sarbanes and Representative Michael Oxley, was passed into law in July, 2002.

GOVERNING BODY:

The Act resulted in the creation of the Public Company Accounting Oversight Board, which oversees, regulates, inspects and disciplines accounting firms, subject to approval and oversight by the Securities and Exchange Commission.

STRUCTURE:

Arranged into 11 Titles, each containing numerous Sections. The two most relevant to IT are Section 802, which penalizes the destruction or alteration of records and sets retention periods for audit records (the section usually cited for electronic-records management), and Section 404, whose internal-control requirements are what drive most IT general-controls testing.

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:

• Multi-million dollar fines for public corporations; auditor fines of up to $100,000 for individual auditors and $2 million for audit firms
• Criminal penalties including imprisonment
• Brand damage


Federal Information Security Management Act (FISMA)

PURPOSE:

To strengthen the security of information systems used or operated by US federal government agencies, including contractors or other organizations on behalf of a federal agency.

ESTABLISHED:

Passed into law in December, 2002 (as Title III of the E-Government Act of 2002).

GOVERNING BODY:

The Office of Electronic Government within the U.S. Office of Management and Budget (OMB), with guidance from the National Institute of Standards and Technology (NIST).

STRUCTURE:

A series of security standards and guidelines, including the Federal Information Processing Standard Publication 199 (FIPS 199), FIPS 200, NIST Special Publications 800-53, 800-59, 800-60.

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:

• Congressional censure

• Reduced federal funding

• Loss of public confidence


The Fundamentals of Compliance Controls

IT security and compliance professionals must ensure continuous compliance with industry standards and regulations, or face undesirable consequences such as fines and brand damage. A compliant state is built on 5 fundamental core controls, which are common across all major regulations and standards.

1. Identify, classify & scope critical business processes

2. Monitor and prevent change

3. Measure, identify and analyze risk

4. Detect and prevent malware

5. Actively enforce policy

We’ll explore each of these at a high level on the following pages, including a comparison of traditional methods vs. a positive security approach.


IDENTIFY, CLASSIFY & SCOPE CRITICAL BUSINESS PROCESSES

A foundational security control associated with nearly every standard and regulation speaks to inventorying/identifying/classifying (or insert other applicable verb here) critical data. However it’s labeled, this essential control requires the organization to pinpoint where the critical data resides so it can be safeguarded, with auditable proof.

TRADITIONAL APPROACH

» Manual process of identifying and classifying files

» Cumbersome and static, relies on scan-based technologies

POSITIVE SECURITY APPROACH

» Real-time sensor provides visibility into what’s running at any point in time

» Continuous monitoring and recording of all endpoint activity, providing details about processes, including where/how they originated and if they created child processes
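Whatever the sensor reports about running processes, scoping still comes down to finding where the regulated data actually sits. The following is an added example, not code from this guide or from Bit9 + Carbon Black: a small scanner that looks for primary account numbers (the PCI DSS data element) in a file tree, uses a Luhn check to discard ordinary digit runs such as ticket or order numbers, and reports masked hits per file so the hosts holding them can be pulled into scope. The directory layout and file contents it creates are constructed for the demonstration.

```python
"""Added example (not from the guide or the vendor): find candidate primary
account numbers (PANs) in a file tree so the hosts holding them can be pulled
into PCI DSS scope. Sample files below are constructed for the demo."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; discards most random digit runs (order IDs, ticket numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the de-separated PANs in text that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four (the PCI DSS display rule); never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each file containing PANs to its masked hits; undecodable bytes are skipped."""
    findings: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        hits = find_pans(p.read_text(errors="ignore"))
        if hits:
            findings[p.relative_to(root).as_posix()] = [mask(h) for h in hits]
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample tree: a CSV export, a log line with a spaced PAN, and a ticket number that is not a PAN."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "orders").mkdir()
        (root / "orders" / "export.csv").write_text("id,card\n1,4111111111111111\n")
        (root / "app.log").write_text("2015-08-03 10:00:01 auth ok pan=5500 0000 0000 0004\n")
        (root / "notes.txt").write_text("ticket 1234567890123 escalated to tier 2\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, pans in demo().items():
        print(f"{path}: {', '.join(pans)}")
```

The log file in the sample is the case that matters for scoping: a system nobody considered part of the cardholder data environment is in scope the moment an application writes a PAN into its logs, and the scanner only ever reports masked values so the scan output itself does not become another copy of the data.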


MONITOR AND PREVENT CHANGE

The next common control covers file integrity and is typically called File Integrity Monitoring – or FIM. This essentially requires organizations to ensure that unauthorized changes to critical files, such as operating system and core application files, do not occur. A change – or attempted change – that did not go through change control is a potential indicator of compromise and, therefore, must be taken seriously.

TRADITIONAL APPROACH

» Identify and analyze all changes after they’ve occurred, potentially resulting in significant administrative burden

» No easy way to filter authorized changes vs. unauthorized changes, producing a lot of “noise” for the security team

POSITIVE SECURITY APPROACH

» Introduce “control” (i.e. File Integrity Control), using policy to prevent unauthorized changes from occurring and eliminating the need to do post-event analysis

» Filter out all irrelevant changes and focus only on changes that are important to security and compliance
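The difference between the two approaches above is whether the monitor knows which changes were supposed to happen. The following is an added example, not code from this guide or from Bit9 + Carbon Black: a minimal FIM that baselines SHA-256 hashes, re-hashes the tree, and uses an approved-change manifest (the hash each file is expected to have after a change that went through change control) to separate authorized changes from the unauthorized, deleted and unexpected-new events the security team should actually look at. The paths, file contents and manifest are constructed for the demonstration.

```python
"""Added example (not from the guide or the vendor): file integrity monitoring
that compares a baseline of SHA-256 hashes with the current state and uses an
approved-change manifest to separate authorised changes from unauthorised ones.
Paths and contents below are constructed for the demonstration."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Hash every regular file under root; this is the state accepted as known-good."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def diff_against_baseline(root: Path, base: dict[str, str], approved: dict[str, str]) -> list[tuple[str, str]]:
    """Classify each difference from the baseline.

    approved maps a path to the hash it is expected to have after a change that went
    through change control (a patch, a planned config edit). A modification that lands on
    exactly that hash is 'authorized'; anything else is 'unauthorized', 'deleted' or
    'unexpected_new', which is the part worth a human's attention.
    """
    current = baseline(root)
    events: list[tuple[str, str]] = []
    for path, old in base.items():
        new = current.get(path)
        if new is None:
            events.append(("deleted", path))
        elif new != old:
            events.append(("authorized" if approved.get(path) == new else "unauthorized", path))
    for path in current.keys() - base.keys():
        events.append(("unexpected_new", path))
    return sorted(events)


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: one approved config change, one tampered binary, one dropped file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF original build\n")
        base = baseline(root)

        # Change ticket: harden sshd_config; the manifest carries the hash of the intended content.
        new_cfg = b"PermitRootLogin no\n"
        approved = {"etc/sshd_config": sha256_bytes(new_cfg)}

        (root / "etc" / "sshd_config").write_bytes(new_cfg)               # authorised change
        (root / "bin" / "app").write_bytes(b"\x7fELF trojanised build\n")  # not in the manifest
        (root / "bin" / "dropper").write_bytes(b"\x7fELF new file\n")      # never baselined
        return diff_against_baseline(root, base, approved)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:15} {path}")
```

Keeping the baseline and the manifest on the monitored host defeats the control: whoever can rewrite the watched files can rewrite the hashes too. Store both off-host or signed, and treat a missing or unreadable baseline as an event in its own right rather than as "no changes".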


MEASURE, IDENTIFY AND ANALYZE RISK

Most standards and regulations require organizations to identify and analyze the compliance risk caused by the introduction of vulnerabilities into the enterprise. This helps organizations understand the impact that these vulnerabilities have on their compliance posture.

TRADITIONAL APPROACH

» Reactive, manual vulnerability classification & remediation, subject to human error

» Relies on sources such as news groups and other occasionally-updated feeds

POSITIVE SECURITY APPROACH

» Proactive, automated vulnerability – and threat – identification based on real-time intelligence

» Dynamic updating, using cloud-delivered threat and reputation intelligence from dozens of sources
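What "impact on compliance posture" means in practice is the join between a vulnerability finding, the asset's compliance scope from the inventory step, and the remediation deadline the organization has committed to. The following is an added example, not code from this guide or from Bit9 + Carbon Black: it scores findings by CVSS, asset criticality, whether the asset is in scope for any mandate, and whether the finding has outlived its SLA, and it treats a host missing from the inventory as a scoping failure rather than quietly ranking it last. The asset inventory, finding records (local labels, not CVE identifiers), SLA values and weighting are all constructed assumptions.

```python
"""Added example (not from the guide or the vendor): rank vulnerability
findings by their effect on compliance posture, by joining each finding to the
asset inventory produced in the scoping step and to an agreed remediation SLA.
Assets, findings, SLA values and the weighting are constructed assumptions."""
from __future__ import annotations
from datetime import date

# Constructed inventory: which mandates each host is in scope for, and how critical it is (1-3).
ASSETS = {
    "pos-01": {"scope": {"PCI DSS"}, "criticality": 3},
    "ehr-db": {"scope": {"HIPAA"}, "criticality": 3},
    "dev-12": {"scope": set(), "criticality": 1},
}

# Assumed remediation SLA in days by severity (illustrative policy values, not taken from any standard).
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}

# Constructed findings; ids are local labels, not CVE identifiers.
FINDINGS = [
    {"id": "F-1", "host": "pos-01", "severity": "critical", "cvss": 9.8, "found": date(2015, 6, 1)},
    {"id": "F-2", "host": "ehr-db", "severity": "high", "cvss": 7.5, "found": date(2015, 7, 20)},
    {"id": "F-3", "host": "dev-12", "severity": "critical", "cvss": 9.8, "found": date(2015, 6, 1)},
    {"id": "F-4", "host": "lab-9", "severity": "medium", "cvss": 5.0, "found": date(2015, 7, 1)},
]


def posture_report(findings=FINDINGS, assets=ASSETS, today=date(2015, 8, 3)) -> list[dict]:
    """Score each finding for compliance impact and return them highest first.

    An asset missing from the inventory is a scoping failure, so it is treated as in scope
    and critical until someone classifies it, rather than silently dropped to the bottom.
    """
    rows = []
    for f in findings:
        asset = assets.get(f["host"])
        if asset is None:
            scope, crit = {"unclassified"}, 3
        else:
            scope, crit = asset["scope"], asset["criticality"]
        age = (today - f["found"]).days
        overdue = age > SLA_DAYS[f["severity"]]
        # In-scope assets count double; a breached SLA is itself a finding an assessor will record.
        score = f["cvss"] * crit * (2 if scope else 1) * (1.5 if overdue else 1)
        rows.append({"id": f["id"], "host": f["host"], "scope": sorted(scope),
                     "age_days": age, "overdue": overdue, "score": round(score, 1)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in posture_report():
        flag = "OVERDUE" if r["overdue"] else ""
        print(f'{r["id"]} {r["host"]:7} {",".join(r["scope"]) or "-":13} {r["age_days"]:3}d {r["score"]:6} {flag}')
```

Two findings with the same CVSS end up at opposite ends of the list: the one on the in-scope, overdue payment terminal is a reportable compliance failure, the one on an out-of-scope development box is ordinary patch backlog. The weighting itself is a policy choice to agree with the compliance function, not a formula from any standard.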

[Figure: Bit9 + Carbon Black architecture. Endpoints (Windows and Mac desktops and laptops, virtual and physical servers, fixed-function devices) send real-time updates to the console with no scanning and no polling; the console holds real-time and recorded data and offers big data analytics and open APIs, for visibility (instant intelligence) and detection (identify threats). A Threat Intelligence Cloud delivers signature-less advanced threat indicators, attack attribution, reputation and classification. The sensor records all registry modifications, all network connections, all cross-process events, all file modifications, all file executions, and a copy of every executed binary.]


DETECT AND PREVENT MALWARE

Compliance standards and regulations call for the detection and prevention of malware, as the introduction of such files can clearly lead to security and compliance concerns. Regardless of the compliance standard, this requirement is almost universally written with “anti-virus” technology named as the means of meeting it.

TRADITIONAL APPROACH

» Based on negative, blacklisting type approach

» Essentially impossible to keep up with the list of known bad file hashes, which changes by the minute

» Scanning requires heavy use of processing resources

POSITIVE SECURITY APPROACH

» Blocks any untrusted processes from executing

» Does not require updating and maintaining a list of known bad hashes

» Lightweight sensor uses minimal processing power and does not require constant scanning or frequent endpoint updates
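The contrast above is easiest to see as two decision functions run over the same execution events. The following is an added example, not code from this guide or from Bit9 + Carbon Black: a blocklist decision that allows everything not on a known-bad list, beside a default-deny allowlist decision that runs only binaries approved by hash or signed by a trusted publisher, with a monitor mode for tuning before enforcement. The hashes are derived from labels, the trusted publisher name is an assumption, and the publisher field is taken to be the result of a signature verification performed elsewhere.

```python
"""Added example (not from the guide or the vendor): the execution decision a
negative (blocklist) control makes versus a positive (allowlist, default-deny)
control, run over constructed execution events. Hashes are derived from labels
and the trusted publisher name is an assumption."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExecEvent:
    path: str
    sha256: str
    publisher: Optional[str]   # signer identity if the binary's signature verified, else None


def label_hash(label: str) -> str:
    """Stand-in for a binary's SHA-256, derived from a label (constructed data)."""
    return hashlib.sha256(label.encode()).hexdigest()


KNOWN_BAD = {label_hash("dropper-v1")}                # what a signature or bad-hash feed knows today
APPROVED_HASHES = {label_hash("payroll.exe-2.3.1")}   # explicitly approved builds
TRUSTED_PUBLISHERS = {"Example Corp Code Signing"}    # assumed internal signing identity


def blocklist_decision(ev: ExecEvent) -> str:
    """Negative model: run everything except what is known to be bad."""
    return "deny" if ev.sha256 in KNOWN_BAD else "allow"


def allowlist_decision(ev: ExecEvent, mode: str = "enforce") -> str:
    """Positive model: run only what is trusted by hash or by verified publisher.

    'monitor' mode records what enforcement would have blocked; it is how a
    rollout is tuned before default-deny is switched on.
    """
    if ev.sha256 in KNOWN_BAD:
        return "deny"
    trusted = ev.sha256 in APPROVED_HASHES or (
        ev.publisher is not None and ev.publisher in TRUSTED_PUBLISHERS
    )
    if trusted:
        return "allow"
    return "deny" if mode == "enforce" else "allow(would-deny)"


EVENTS = [
    ExecEvent(r"C:\Apps\payroll.exe", label_hash("payroll.exe-2.3.1"), "Example Corp Code Signing"),
    ExecEvent(r"C:\Users\bob\AppData\Local\Temp\update.exe", label_hash("dropper-v1"), None),
    # The same malware repacked: new hash, unsigned, not yet in any feed.
    ExecEvent(r"C:\Users\bob\AppData\Local\Temp\update2.exe", label_hash("dropper-v2"), None),
]


def compare(events=EVENTS, mode: str = "enforce") -> dict[str, tuple[str, str]]:
    """Per path: (blocklist decision, allowlist decision)."""
    return {ev.path: (blocklist_decision(ev), allowlist_decision(ev, mode)) for ev in events}


if __name__ == "__main__":
    for path, (neg, pos) in compare().items():
        print(f"{path:55} blocklist={neg:5} allowlist={pos}")
```

The repacked dropper is the whole argument: its hash has never been seen, so the blocklist allows it, while the allowlist denies it without any update. The price is that publisher trust has to be scoped carefully; trusting a signing identity means trusting every binary that identity ever signs, which is rarely what an assessor wants to hear for a PCI or HIPAA system.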


ACTIVELY ENFORCE POLICY

A final common control aims to ensure that the security and compliance policies are pushed out to the entire organization and that each of the stakeholders understands his/her roles and responsibilities under that policy.

TRADITIONAL APPROACH

» No audit trail of policy acceptance and testing

» Often ad-hoc, with no method to enforce compliance

» Results in increased compliance costs if third party organization is hired

POSITIVE SECURITY APPROACH

» Full audit trail of policy awareness

» Policies are pushed out automatically, with auditable evidence of consumption

» Can be managed in-house, minimizing compliance costs


ABOUT BIT9 + CARBON BLACK

Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.

© 2015 Bit9 and Carbon Black are trademarks of Bit9, Inc.


BIT9 + CARBON BLACK COVERS ALL ESSENTIAL COMPLIANCE CONTROLS

Provide full visibility of what is running within your enterprise

Eliminate the noise associated with FIM - immediately identify the critical changes

Gain immediate threat and trust measure across the entire enterprise

Eliminate the burden of negative technologies and the maintenance associated

Ensure total enforcement, compliance, and audit with security policy

Bit9, Inc., 1100 Winter Street, Waltham, MA 02451 USA. P 617.393.7400 F 617.393.7499 www.bit9.com

20150803