eGuide: Compliance 101: Basics for Security Professionals


In today’s regulatory environment, businesses can be subject to a number of industry standards and regulations, many of which include substantial penalties for non-compliance. These mandates affect corporate functions far beyond just Compliance, however – IT Security in particular.

Security professionals – whether they’re new to their role or have been around since VirusScan was the cutting-edge tool – should have a basic understanding of how compliance impacts the organization, including the stakeholders, the standards and regulations to which the business is held, and what needs to be done to ensure continued compliance.

Compliance is not voluntary, and non-compliance can result in a mandatory business disruption – or even stoppage – until a compliant state is reestablished. Therefore, it behooves Security pros to understand their role, as well as other implications of compliance, and this eGuide aims to help get them started.

Why Be Concerned About Compliance

Compliance with industry standards and regulations has wide-reaching impacts, for both internal and external stakeholders.

Organizations dedicate human and financial resources toward compliance for a number of reasons:

»» to avoid liability at the Board and C-level
»» to preserve their corporate reputation
»» to keep their bottom line safe and shareholders happy
»» to avoid the cost of compensating customers when sensitive data is stolen
»» to avoid litigation costs; and
»» to avoid the additional costs associated with increased scrutiny from regulators

The consequences of not meeting compliance in the presence of a compromise or a compelling event can have a considerable negative impact on any business, so it’s imperative to understand the causes of non-compliance along with the impacts associated with increased liability.

Compliance Questions to Consider

Here are just a few of the questions to consider to help familiarize yourself with the compliance function. It’s certainly not an exhaustive list, but these items will help you start to understand the scope and impact of compliance on your organization.

»» Is your organization held to any compliance regulations or standards? (The answer is almost certainly “yes.”) Some examples include Sarbanes-Oxley and FISMA.
»» How does your organization validate and measure its compliance posture and risk to that posture?
»» How does your organization control in-scope assets and collect compliance information?
»» Does your organization use a third-party assessment entity? Who is that entity, and what do they provide to help meet compliance?

The Compliance Players

Nearly every internal stakeholder in the organization is attached in some way to the corporate policy. The following list covers the primary players responsible for creating the core policies that establish the organization’s compliance posture.

»» Establishes the tone for risk appetite and risk management, and considers risk and security strategy.
»» Establishes the operational strategy for security and risk management in the organization. Sets strategic and tactical roles and responsibilities.
»» Often responsible for approving or denying select IT policy and security budgets and spend.
»» Develops the security policy, and conducts the risk assessments that form the basis of the processes for vulnerability management, incident management, security awareness and training, and compliance management.
»» Responsible and accountable for delivering the executive policy to the employees. Must ensure and prove compliance with IT policy.

The Convergence of Security and Compliance

While it may not always be apparent, Security and Compliance are counterparts on a path to a shared goal: managing the organization’s risk.

In this regulatory world, virtually every organization is subject to industry standards and/or regulations, and compliance is becoming one of the greatest challenges faced by IT organizations. Now that observing regulatory compliance audit policies is becoming a requisite for every organization, IT spending, priorities, and policies must be put in place across organizational teams to address the challenge.

On top of that, operations and security teams have a long list of priorities and pressures to deal with. These days, sensitive enterprise data is always at risk of being compromised; therefore, it has also become a mandate to secure that information by establishing security processes that address the current threat.

With these constraints and what seem to be conflicting priorities, it’s no wonder that the convergence of security policies and compliance controls has not been seamless. There is hope, however, so let’s dig in to explore why Security and Compliance are really counterparts on a shared path to the same business goal.

Regulations with a Big Bite

Organizations need to ensure compliance with all standards and regulations applicable to their industry, keeping in mind that some mandates (e.g. Sarbanes-Oxley) are horizontal in nature.

We’re highlighting the following five standards and regulations because they have a big bite when it comes to enforcement, penalties and remediation. They are also commonly associated with media headlines, and the news is typically not good for any organization called out in such reports.

»» Payment Card Industry Data Security Standard (PCI DSS)
»» North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Standards
»» Health Insurance Portability and Accountability Act (HIPAA)
»» Sarbanes-Oxley Act
»» Federal Information Security Management Act (FISMA)

Payment Card Industry Data Security Standard (PCI DSS)

PURPOSE: PCI DSS is designed to ensure the security of cardholder information, and compliance with PCI DSS is mandatory for all organizations that store, process, and/or transmit major credit cardholder data. This includes all card network members such as banks, merchants and service providers.

ESTABLISHED: Version 1.0 of the PCI DSS was introduced in December, 2004.

GOVERNING BODY: Payment Card Industry Security Standards Council.

STRUCTURE: 12 major security requirements, broken into six “Control Objectives”:
»» Build and Maintain a Secure Network
»» Protect Cardholder Data
»» Maintain a Vulnerability Management Program
»» Implement Strong Access Control Measures
»» Regularly Monitor and Test Networks
»» Maintain an Information Security Policy

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:
»» Loss of credit card privileges
»» Loss of brand confidence and image
»» Financial loss due to recurring fines and penalties
»» Costs associated with reassessment by the Qualified Security Assessor (QSA)

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Standards

PURPOSE: To “ensure the reliability of the North American bulk power system.”

ESTABLISHED: The first set of legally enforceable Reliability Standards was introduced in March, 2007.

GOVERNING BODY: North American Electric Reliability Corporation (non-profit).

STRUCTURE: Consists of 9 standards with 45 requirements.

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:
»» Levying of fines, sanctions or other actions against covered entities (specific penalties vary from country to country)
»» The Federal Power Act permits NERC or regional entities to impose civil penalties of up to $1 million per day, per violation, so long as the penalty is proportional to the seriousness of the violation

Health Insurance Portability and Accountability Act (HIPAA)

PURPOSE: To protect the confidentiality and security of patient information.

ESTABLISHED:
»» August, 1996: HIPAA passed into law
»» August, 1998: HIPAA Security and Electronic Signature Standards (subsequently changed to the Security Rule) first released
»» December, 2000: HIPAA Privacy Rule first released
»» August, 2002: HIPAA Privacy Rule finalized
»» February, 2003: HIPAA Security Rule finalized
»» April, 2003: Privacy Rule compliance deadline (excluding “small health plans”)
»» April, 2005: Security Rule compliance deadline (excluding “small health plans”)
»» January, 2011: Incentives for demonstrating “meaningful use” of electronic health records started

GOVERNING BODY: US Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

STRUCTURE: Comprised of the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), which establish national standards for the protection of certain health information; and Security Standards for the Protection of Electronic Protected Health Information (the Security Rule), which establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).
Source: /srsummary.html

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:
»» Fines of up to $250,000 per violation
»» Civil monetary penalties
»» Criminal penalties, including imprisonment (enforced by the US Department of Justice)
»» Investigations and increased scrutiny in the event of a data loss

Sarbanes-Oxley Act

PURPOSE: To protect shareholders from harm caused by fraudulent and inaccurate financial reporting.

ESTABLISHED: The Act, named after its sponsors, Senator Paul Sarbanes and Representative Michael Oxley, was passed into law in July, 2002.

GOVERNING BODY: The Act resulted in the creation of the Public Company Accounting Oversight Board, which oversees, regulates, inspects and disciplines accounting firms, subject to approval and oversight by the Securities and Exchange Commission.

STRUCTURE: Arranged into 11 Titles, each containing numerous Sections, including Section 802, which covers the management of electronic records.

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:
»» Multi-million dollar fines for public corporations; auditor fines of up to $100,000 for individual auditors and $2 million for audit firms
»» Criminal penalties including imprisonment
»» Brand damage

Federal Information Security Management Act (FISMA)

PURPOSE: To strengthen the security of information systems used or operated by US federal government agencies, including contractors or other organizations on behalf of a federal agency.

ESTABLISHED: Passed into law in December, 2002 (as Title III of the E-Government Act of 2002).

GOVERNING BODY: The Office of Electronic Government within the U.S. Office of Management and Budget, with guidance from the National Institute of Standards and Technology (NIST).

STRUCTURE: A series of security standards and guidelines, including Federal Information Processing Standard Publication 199 (FIPS 199), FIPS 200, and NIST Special Publications 800-53, 800-59 and 800-60.

PENALTIES AND OTHER COSTS RESULTING FROM NON-COMPLIANCE:
»» Congressional censure
»» Reduced federal funding
»» Loss of public confidence

The Fundamentals of Compliance Controls

IT security and compliance professionals must ensure continuous compliance with industry standards and regulations, or face undesirable consequences such as fines and brand damage. A compliant state is built on 5 fundamental core controls, which are common across all major regulations and standards.

1. Identify, classify & scope critical business processes
2. Monitor and prevent change
3. Measure, identify and analyze risk
4. Detect and prevent malware
5. Actively enforce policy

We’ll explore each of these at a high level on the following pages, including a comparison of traditional methods vs. a positive security approach.

IDENTIFY, CLASSIFY & SCOPE CRITICAL BUSINESS PROCESSES

A foundational security control associated with nearly every standard and regulation speaks to inventorying/identifying/classifying (or insert other applicable verb here) critical data. However it’s labeled, this essential control requires the organization to pinpoint where the critical data resides so it can be safeguarded, with auditable proof.

TRADITIONAL APPROACH
»» Manual process of identifying and classifying files
»» Cumbersome and static, relies on scan-based technologies

POSITIVE SECURITY APPROACH
»» Real-time sensor provides visibility into what’s running at any point in time
»» Continuous monitoring and recording of all endpoint activity, providing details about processes, including where/how they originated and if they created child processes

MONITOR AND PREVENT CHANGE

The next common control covers file integrity and is typically called File Integrity Monitoring – or FIM. This essentially requires organizations to ensure that unauthorized changes to critical files, such as operating system and core application files, do not occur. Such a change – or attempted change – is an indicator of compromise and, therefore, must be taken seriously.

TRADITIONAL APPROACH
»» Identify and analyze all changes after they’ve occurred, potentially resulting in significant administrative burden
»» No easy way to filter authorized changes vs. unauthorized changes, producing a lot of “noise” for the security team

POSITIVE SECURITY APPROACH
»» Introduce “control” (i.e. File Integrity Control), using policy to prevent unauthorized changes from occurring and eliminating the need to do post-event analysis
»» Filter out all irrelevant changes and focus only on changes that are important to security and compliance
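The following is an added example written for this guide, not Bit9 Carbon Black product code. It shows the core of a file integrity check in the terms the section uses: baseline the hashes of a directory tree, rescan, list every change, then apply a policy so that approved changes (the hash an approved change ticket says a file will have afterwards) and routinely volatile paths (logs) are filtered out, leaving only the changes that merit an analyst's attention. The file names, contents, and policy entries are constructed for the demonstration.

```python
"""File integrity check with a change policy (added example, constructed data)."""
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


@dataclass(frozen=True)
class Change:
    path: str
    kind: str                  # "added", "removed" or "modified"
    new_hash: Optional[str]    # None for removals


def diff(old: dict[str, str], new: dict[str, str]) -> list[Change]:
    """Every difference between two baselines, in path order."""
    changes: list[Change] = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            changes.append(Change(path, "removed", None))
        elif path not in old:
            changes.append(Change(path, "added", new[path]))
        elif old[path] != new[path]:
            changes.append(Change(path, "modified", new[path]))
    return changes


@dataclass(frozen=True)
class Policy:
    approved: dict[str, str]            # path -> hash the approved change ticket promises
    volatile_prefixes: tuple[str, ...]  # paths expected to change constantly (logs, spools)


def unauthorized(changes: list[Change], policy: Policy) -> list[Change]:
    """Drop changes the policy explains; what remains is a potential indicator of compromise."""
    alerts = []
    for change in changes:
        if change.path.startswith(policy.volatile_prefixes):
            continue  # expected noise, not worth an analyst's time
        if change.new_hash is not None and policy.approved.get(change.path) == change.new_hash:
            continue  # exactly the change that was approved, nothing more
        alerts.append(change)
    return alerts


def run_demo() -> dict[str, list[str]]:
    """Build a toy tree, apply four changes, and show which survive the policy filter."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"bin/app": b"app v1\n",            # constructed sample files
                          "etc/app.conf": b"debug=0\n",
                          "var/log/app.log": b"started\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        before = baseline(root)

        patched = b"app v2\n"  # the binary the (constructed) change ticket promised
        policy = Policy(approved={"bin/app": hashlib.sha256(patched).hexdigest()},
                        volatile_prefixes=("var/log/",))

        (root / "bin/app").write_bytes(patched)                     # approved patch
        with (root / "var/log/app.log").open("ab") as fh:
            fh.write(b"request handled\n")                          # routine log growth
        (root / "etc/app.conf").write_bytes(b"debug=1\n")           # no ticket for this edit
        (root / "bin/dropper").write_bytes(b"unexpected binary\n")  # new file nobody approved

        all_changes = diff(before, baseline(root))
        alerts = unauthorized(all_changes, policy)
        return {"all": [f"{c.kind}:{c.path}" for c in all_changes],
                "alerts": [f"{c.kind}:{c.path}" for c in alerts]}


if __name__ == "__main__":
    for label, items in run_demo().items():
        print(label, items)
```

Of the four changes the rescan finds, only two reach the analyst: the edited configuration file and the new binary. The approved patch matches its ticket hash exactly (a patch that produced a different hash would still alert), and the log append is filtered by prefix. That is the "filter out irrelevant changes" half of the positive approach; the "prevent" half requires an enforcement point on the host, which a hash comparison alone cannot provide.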

MEASURE, IDENTIFY AND ANALYZE RISK

Most standards and regulations require organizations to identify and analyze the compliance risk caused by the introduction of vulnerabilities into the enterprise. This helps organizations understand the impact that these vulnerabilities have on their compliance posture.

TRADITIONAL APPROACH
»» Reactive, manual vulnerability classification & remediation, subject to human error
»» Relies on sources such as news groups and other occasionally-updated feeds

POSITIVE SECURITY APPROACH
»» Proactive, automated vulnerability – and threat – identification based on real-time intelligence
»» Dynamic updating, using cloud-delivered threat and reputation intelligence from dozens of sources

[Figure: diagram of the positive security approach. Visibility: Instant Intelligence (all file executions, all file modifications, all network connections, all registry modifications, all cross-process events, copy of every executed binary; real-time updates, no scanning, no polling). Detection: Identify Threats (cloud-delivered advanced threat indicators (signature-less), cloud-delivered attack attribution, cloud-delivered reputation). Other labels: desktops & laptops, Windows & Macs, console, threat intelligence, attack classification, fixed-function, real-time and recorded data, big data analytics, open APIs.]

DETECT AND PREVENT MALWARE

Compliance standards and regulations call for the detection and prevention of malware, as the introduction of such files can clearly lead to security and compliance concerns. Regardless of the compliance standard, this requirement is almost universally written identifying “anti-virus” technologies as the means to ensure compliance.

TRADITIONAL APPROACH
»» Based on negative, blacklisting type approach
»» Essentially impossible to keep up with the list of known bad file hashes, which changes by the minute
»» Scanning requires heavy use of processing resources

POSITIVE SECURITY APPROACH
»» Blocks any untrusted processes from executing
»» Does not require updating and maintaining a list of known bad hashes
»» Lightweight sensor uses minimal processing power and does not require constant scanning or frequent endpoint updates
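To make the “list of known bad hashes changes by the minute” point concrete, here is an added simulation written for this guide (not Bit9 Carbon Black code). It models a hash denylist and a hash allowlist as two execution policies and runs a series of trivially re-packed variants of one constructed “bad” sample through both. All samples are constructed byte strings, not real malware, so the hashes they produce are not indicators of anything. It also checks a benign but not-yet-approved tool, which the text does not cover but which is the operational cost of the positive model.

```python
"""Hash denylist vs. hash allowlist under re-packed variants (added example, constructed data)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Denylist:
    """Negative model: execution is allowed unless the hash is already known bad."""
    bad: set[str] = field(default_factory=set)
    updates: int = 0

    def allows(self, data: bytes) -> bool:
        return sha256(data) not in self.bad

    def learn_bad(self, data: bytes) -> None:
        """A signature update that can only arrive after a variant has been seen."""
        self.bad.add(sha256(data))
        self.updates += 1


@dataclass
class Allowlist:
    """Positive model: execution is allowed only if the hash is explicitly trusted."""
    trusted: set[str] = field(default_factory=set)
    updates: int = 0

    def allows(self, data: bytes) -> bool:
        return sha256(data) in self.trusted

    def trust(self, data: bytes) -> None:
        """Approval step for new legitimate software; this is the model's maintenance cost."""
        self.trusted.add(sha256(data))
        self.updates += 1


def repack(sample: bytes, variant: int) -> bytes:
    """Model a re-packed variant: same payload, a few different bytes, a different hash."""
    return sample + b"\x00" + variant.to_bytes(2, "big")


def simulate(n_variants: int = 10) -> dict[str, int]:
    known_bad = b"CONSTRUCTED-BAD-SAMPLE"      # constructed stand-in, not real malware
    trusted_app = b"CONSTRUCTED-TRUSTED-APP"   # constructed stand-in for an approved binary
    new_tool = b"CONSTRUCTED-NEW-ADMIN-TOOL"   # benign but not yet approved

    deny = Denylist(bad={sha256(known_bad)})
    allow = Allowlist(trusted={sha256(trusted_app)})

    deny_misses = allow_misses = 0
    for v in range(n_variants):
        variant = repack(known_bad, v)
        if deny.allows(variant):
            deny_misses += 1
            deny.learn_bad(variant)  # too late for the host that already ran it
        if allow.allows(variant):
            allow_misses += 1

    return {
        "variants": n_variants,
        "denylist_misses": deny_misses,
        "denylist_updates_needed": deny.updates,
        "allowlist_misses": allow_misses,
        "allowlist_updates_needed": allow.updates,
        "trusted_app_runs_under_denylist": int(deny.allows(trusted_app)),
        "trusted_app_runs_under_allowlist": int(allow.allows(trusted_app)),
        "unapproved_tool_runs_under_denylist": int(deny.allows(new_tool)),
        "unapproved_tool_runs_under_allowlist": int(allow.allows(new_tool)),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Every re-packed variant slips past the denylist once and forces one more signature update, while the allowlist blocks all of them with no update at all. The same property means the unapproved admin tool is also blocked until someone trusts it, so a positive model is only as good as the approval workflow behind it; production allowlisting products therefore usually trust by publisher certificate or trusted updater rather than one hash at a time.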

ACTIVELY ENFORCE POLICY

A final common control aims to ensure that the security and compliance policies are pushed out to the entire organization and that each of the stakeholders understands his/her roles and responsibilities under that policy.

TRADITIONAL APPROACH
»» No audit trail of policy acceptance and testing
»» Often ad-hoc, with no method to enforce compliance
»» Results in increased compliance costs if a third-party organization is hired

POSITIVE SECURITY APPROACH
»» Full audit trail of policy awareness
»» Policies are pushed out automatically, with auditable evidence of consumption
»» Can be managed in-house, minimizing compliance costs

BIT9 CARBON BLACK COVERS ALL ESSENTIAL COMPLIANCE CONTROLS

»» Provide full visibility of what is running within your enterprise
»» Eliminate the noise associated with FIM – immediately identify the critical changes
»» Gain immediate threat and trust measure across the entire enterprise
»» Eliminate the burden of negative technologies and the maintenance associated
»» Ensure total enforcement, compliance, and audit with security policy

ABOUT BIT9 CARBON BLACK

Bit9 Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signatureless threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 Carbon Black a core component of their detection and response services.

© 2015 Bit9 and Carbon Black are trademarks of Bit9, Inc. 20150803

1100 Winter Street, Waltham, MA 02451 USA
P 617.393.7400
F 617.393.7499
www.bit9.com
