2- standards and regulations

Post on 03-Apr-2018

  • 7/28/2019 2- Standards and Regulations

    1/17

    Standards and Regulations

    Pertaining to Log Management and SIEM

    Pascal Oetiker, EMEA Sales Lead, [email protected]

    Brian Singer, Solution Marketing Manager, Security, [email protected]

  • 2/17

    Novell, Inc. All rights reserved.

    Regulations Covered Today

    SOX

    Cobit

    ISO/IEC 27002

    PCI DSS

    Other regulations that may require logging:

    Italian Privacy Act (Garante Privacy)

    UK Code of Connection

    HIPAA

    NERC-CIP

    FISMA

    BASEL II

  • 3/17

    SOX / Cobit

    The Sarbanes-Oxley Act (SOX) of 2002 requires strict internal IT controls and processes. It applies to all public companies. The purpose of the SOX Section 404 control audit is to identify control deficiencies that could affect the financial reporting of the company. Sarbanes-Oxley recommends regular audits of log files and keeping a record of audit logs for up to seven years: audit unauthorized access, misuse and fraud, in order to ensure the accuracy of corporate financial and business information and maintain financial records for seven years.

    The IT Governance Institute's Control Objectives for Information and related Technology (COBIT) is frequently used to help achieve Sarbanes-Oxley Act compliance, but also to ensure security and availability of IT assets in general. COBIT includes specific control requirements: change standards and procedures (AI6.1), application control and auditability (AI2.3), and network testing, surveillance, monitoring (DS5.5).

  • 4/17

    SOX - Cobit

    Category              COBIT 4.0 Control
    Identity and Access   DS5.3 Identity management
                          DS5.3 User account management
                          PO7.8 Job change and termination
    User Activity         PO4.11 Segregation of duties
                          AI2.3 Application control and auditability
    Change                AI6.1 Change standards and procedures
                          DS9.3 Configuration integrity review
    Security              DS5.2 IT security plan
                          DS5.5 Security testing, surveillance, monitoring
                          DS5.10 Network security
                          DS11.6 Security requirements for data management
    IT Infrastructure     DS1.5 Monitoring of service level agreements
                          DS2.4 Supplier performance monitoring
                          DS3.5 Monitoring of performance and capacity
                          DS13.3 IT infrastructure monitoring

  • 5/17

    ISO/IEC 27002

    An information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005. Provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).

    Information security is defined within the standard as the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).

  • 6/17

    Key Elements of ISO/IEC 27002

    Security policy

    Organizing information security

    Asset management

    Human resources security

    Physical and environmental security

    Communications and operations management

    Access control

    Information systems acquisition, development and maintenance

    Information security incident management

    Business continuity management

    Compliance

  • 7/17

    ISO/IEC 27002 and log data

    Specifically mandates audit logging in section 10.10.1, but also mandates monitoring of system use in section 10.10.2 and monitoring of administrative and operator activity in section 10.10.4.

    Log data can prove that many other measures are implemented properly, such as identity management (8.8.3, timely removal of access rights) and change management (10.1.2).

  • 8/17

    What is PCI DSS?

    PCI: Payment Card Industry

    DSS: Data Security Standard

  • 9/17

    PCI DSS - Background

    A data security standard published by the PCI Council

    Provides minimum data security standards

    Defines the compliance validation requirements for different types and sizes of merchants

    Enforcement provided by card brands

    PCI DSS is a document

    PCI is a validation and enforcement regime that PCI DSS specifies

  • 10/17

    Who Does PCI Apply To?

    [Chart: merchant population by Visa level. The figures 703 and 362 appear beside Level 1 and Level 2, Level 3 is labelled 2,617 and Level 4 is labelled 6 Million. The top of the pyramid is annotated "Highly saturated w/ security" and "Strict Auditing"; the bottom is annotated "Untapped" and "Lax Auditing".]

  • 11/17

    Visa Merchant Tiers

    Level / Tier | Merchant Criteria | Validation Requirements
    1 | Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region | Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA); quarterly network scan by Approved Scan Vendor (ASV); Attestation of Compliance form
    2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form
    3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; quarterly network scan by ASV; Attestation of Compliance form
    4 | Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually | Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by acquirer

  • 12/17

    What Does PCI DSS Say?

    Build and Maintain a Secure Network
      - Install and maintain a firewall
      - Do not use vendor-supplied defaults for passwords and security parameters

    Protect Cardholder Data
      - Protect stored data
      - Encrypt transmission of cardholder data across public networks

    Maintain a Vulnerability Management Program
      - Use and update AV software
      - Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
      - Restrict access to data by business need-to-know
      - Assign a unique ID to each person with computer access
      - Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
      - Track and monitor all access to network resources and cardholder data
      - Regularly test security systems and processes

    Maintain an Information Security Policy
      - Maintain a policy that addresses information security

  • 13/17

    Where Does Logging Fit In

    Logging is useful for all 12 PCI DSS requirements

    Requirement 10 is specifically dedicated to logging

    Logs for all in-scope systems and components must be collected and reviewed daily

    Logs from in-scope systems must be retained for 90 days on-line and 1 year off-line

  • 14/17

    Specific Logging Requirements

    Requirement 10:

    Implement logging on all system components

    Record sufficient details (i.e. date, time, username, type of event, etc.)

    Link all logged activities to users

    Secure stored logs to prevent modification

    Review logs for all system components at least daily

    Retain logs for at least 1 year
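Added example (not from the original deck) showing how the Requirement 10 points above, plus the 90-day on-line / 1-year retention figures from the previous slide, can be enforced in code: each record is checked for the listed details, stored in a hash chain so any later modification is detectable, and classified by retention state. The field names, sample events and chain format are assumptions made for this illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("date", "time", "username", "event_type")  # "sufficient details"
ONLINE_RETENTION = timedelta(days=90)    # keep on-line for 90 days
TOTAL_RETENTION = timedelta(days=365)    # retain for at least 1 year in total

def append_record(chain, record):
    """Reject records lacking required details, then append with a hash link to the previous entry."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        raise ValueError(f"record missing required fields: {missing}")
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    body = json.dumps(record, sort_keys=True)
    entry_hash = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    chain.append({"record": record, "prev": prev_hash, "hash": entry_hash})
    return entry_hash

def verify_chain(chain):
    """Return the index of the first entry whose hash link is broken, or None if intact."""
    prev_hash = "0" * 64
    for i, entry in enumerate(chain):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    return None

def retention_state(record, now_iso):
    """Classify a record as 'online', 'offline' or 'expired' by its age at `now_iso`."""
    stamp = datetime.fromisoformat(f"{record['date']}T{record['time']}")
    age = datetime.fromisoformat(now_iso) - stamp
    if age < ONLINE_RETENTION:
        return "online"
    return "offline" if age < TOTAL_RETENTION else "expired"

# Constructed sample events (not from the original deck).
SAMPLE_EVENTS = [
    {"date": "2019-06-01", "time": "08:15:00", "username": "alice", "event_type": "login"},
    {"date": "2019-06-01", "time": "08:16:30", "username": "alice", "event_type": "cardholder_data_read"},
    {"date": "2019-06-01", "time": "09:00:00", "username": "admin", "event_type": "firewall_rule_change"},
]

def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, event)
    return chain
```

Editing any stored record (or dropping one) changes the hash expected by the following entry, so a daily review can run `verify_chain` before trusting the day's logs.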

  • 15/17

    Other Requirements Where Logging Applies

    Requirement 1: install and maintain a firewall configuration to protect cardholder data
      - SLM allows orgs to track firewall activity by using firewall logs

    Requirement 2: do not use vendor-supplied defaults
      - SLM can detect default password use

    Requirement 6: develop and maintain secure systems and applications
      - Secure systems and apps have logging enabled

    Requirement 7: restrict access to cardholder data based on need-to-know
      - SLM tracks all logged access to cardholder data

    Requirement 8: assign a unique ID to each person
      - SLM can detect password sharing

  • 17/17

    Unpublished Work of Novell, Inc. All Rights Reserved.

    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

    General Disclaimer

    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.