7/28/2019 2- Standards and Regulations
Standards and Regulations
Pertaining to Log Management and SIEM
Pascal Oetiker, EMEA Sales Lead, [email protected]
Brian Singer, Solution Marketing Manager, Security
-
Novell, Inc. All rights reserved.
Regulations Covered Today
SOX
COBIT
ISO/IEC 27002
PCI DSS
Other regulations that may require logging:
Italian Privacy Act (Garante Privacy)
UK Code of Connection
HIPAA
NERC-CIP
FISMA
Basel II
-
SOX / COBIT
The Sarbanes-Oxley Act (SOX) of 2002 requires strict internal IT controls and processes. It applies to all public companies. The purpose of the SOX Section 404 control audit is to identify control deficiencies that could affect the financial reporting of the company. Sarbanes-Oxley recommends regular audits of log files and keeping a record of audit logs for up to seven years: audit for unauthorized access, misuse and fraud in order to ensure the accuracy of corporate financial and business information, and maintain financial records for seven years.
The IT Governance Institute's Control Objectives for Information and related Technology (COBIT) is frequently used to help achieve Sarbanes-Oxley Act compliance, but also to ensure security and availability of IT assets in general. COBIT includes specific control requirements: change standards and procedures (AI6.1), application control and auditability (AI2.3), and network testing, surveillance and monitoring (DS5.5).
-
SOX - COBIT
Category              COBIT 4.0 Control
Identity and Access   DS5.3  Identity management
                      DS5.3  User account management
                      PO7.8  Job change and termination
User Activity         PO4.11 Segregation of duties
                      AI2.3  Application control and auditability
Change                AI6.1  Change standards and procedures
                      DS9.3  Configuration integrity review
Security              DS5.2  IT security plan
                      DS5.5  Security testing, surveillance, monitoring
                      DS5.10 Network security
                      DS11.6 Security requirements for data management
IT Infrastructure     DS1.5  Monitoring of service level agreements
                      DS2.4  Supplier performance monitoring
                      DS3.5  Monitoring of performance and capacity
                      DS13.3 IT infrastructure monitoring
-
ISO/IEC 27002
An information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005.
Provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
Information security is defined within the standard as the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).
-
Key Elements of ISO/IEC 27002
Security policy
Organizing information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
-
ISO/IEC 27002 and log data
Specifically mandates audit logging in section 10.10.1, but also mandates monitoring of system use in section 10.10.2 and monitoring of administrative and operator activity in section 10.10.4.
Log data can prove that many other measures are implemented properly, such as identity management (8.8.3, timely removal of access rights) and change management (10.1.2).
-
What is PCI DSS?
PCI: Payment Card Industry
DSS: Data Security Standard
-
PCI DSS - Background
A data security standard published by the PCI Council
Provides minimum data security standards
Defines the compliance validation requirements for different types and sizes of merchants
Enforcement is provided by the card brands
PCI DSS is a document; PCI is the validation and enforcement regime that PCI DSS specifies
-
Who Does PCI Apply To?
[Chart: merchant counts by PCI level. Level 1: 703; Level 2: 362; Level 3: 2,617; Level 4: 6 million. The chart is annotated from Level 1 ("highly saturated w/ security", "strict auditing") down to Level 4 ("untapped", "lax auditing").]
-
Visa Merchant Tiers
Level / Tier | Merchant Criteria | Validation Requirements
1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scan Vendor (ASV); Attestation of Compliance Form
2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance Form
3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; quarterly network scan by ASV; Attestation of Compliance Form
4 | Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually | Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by acquirer
-
What Does PCI DSS Say?
Build and Maintain a Secure Network
  Install and maintain a firewall
  Do not use vendor-supplied defaults for passwords and security parameters
Protect Cardholder Data
  Protect stored data
  Encrypt transmission of cardholder data across public networks
Maintain a Vulnerability Management Program
  Use and update AV software
  Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  Restrict access to data by business need-to-know
  Assign a unique ID to each person with computer access
  Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  Track and monitor all access to network resources and cardholder data
  Regularly test security systems and processes
Maintain an Information Security Policy
  Maintain a policy that addresses information security
-
Where Does Logging Fit In?
Logging is useful for all 12 PCI DSS requirements
Requirement 10 is specifically dedicated to logging
Logs for all in-scope systems and components must be collected and reviewed daily
Logs from in-scope systems must be retained for 90 days on-line and 1 year off-line
-
Specific Logging Requirements
Requirement 10:
Implement logging on all system components
Record sufficient details (e.g. date, time, username, type of event, etc.)
Link all logged activities to users
Secure stored logs to prevent modification
Review logs for all system components at least daily
Retain logs for at least 1 year
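The Requirement 10 points above can be shown in code. The following is an added example, not material from the slides or a Novell product: a minimal tamper-evident audit log that records the fields the slide calls "sufficient details", refuses entries not linked to a user, chains entries with SHA-256 so that later modification or deletion is detectable, and buckets entries by the 90-day on-line / 1-year retention rule. Field names, the chaining scheme and the ISO 8601 timestamp format are this example's own choices.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Fields the slide calls "sufficient details": date/time, username, event type.
REQUIRED_FIELDS = ("timestamp", "user", "event")
GENESIS = "0" * 64  # value the first entry chains from

def _entry_hash(prev_hash, body):
    # Canonical JSON (sorted keys) so the hash does not depend on key order.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_event(log, user, event, timestamp, **extra):
    """Append one entry; `timestamp` is ISO 8601 text such as "2019-07-28T12:00:00"."""
    if not user:  # every logged activity must be linked to a user
        raise ValueError("every logged activity must be linked to a user")
    body = {"timestamp": timestamp, "user": user, "event": event, **extra}
    body["prev"] = log[-1]["hash"] if log else GENESIS
    record = dict(body, hash=_entry_hash(body["prev"], body))
    log.append(record)
    return record

def verify_chain(log):
    """Index of the first entry that fails verification, or -1 if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        # An edited entry, or a deleted middle entry, breaks the chain here.
        if rec.get("prev") != prev or any(f not in rec for f in REQUIRED_FIELDS):
            return i
        if _entry_hash(prev, body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def retention_status(log, now, online_days=90, keep_days=365):
    """Bucket entries by the slide's rule: 90 days on-line, 1 year in total."""
    now = datetime.fromisoformat(now)
    status = {"online": 0, "offline": 0, "expired": 0}
    for rec in log:
        age = now - datetime.fromisoformat(rec["timestamp"])
        if age <= timedelta(days=online_days):
            status["online"] += 1
        elif age <= timedelta(days=keep_days):
            status["offline"] += 1
        else:
            status["expired"] += 1
    return status
```

In a real deployment the chain head would be anchored outside the log store (for example signed or written to a separate system) so that an attacker who rewrites the whole file cannot simply recompute it.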
-
Other Requirements Where Logging Applies
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  SLM allows organisations to track firewall activity by using firewall logs
Requirement 2: Do not use vendor-supplied defaults
  SLM can detect default password use
Requirement 6: Develop and maintain secure systems and applications
  Secure systems and applications have logging enabled
Requirement 7: Restrict access to cardholder data based on need-to-know
  SLM tracks all logged access to cardholder data
Requirement 8: Assign a unique ID to each person
  SLM can detect password sharing
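The Requirement 8 point above, that log review can surface a shared user ID, can be illustrated with a small detector. This is an added example, not slide material or SLM code: it parses constructed sshd-style logon lines and flags any user ID that signs in from more than one source address within a short window. The log format, the 30-minute window and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system); ISO timestamps, sshd style.
SAMPLE_LOG = """\
2019-07-28T09:00:01 host1 sshd: Accepted password for alice from 10.0.0.5
2019-07-28T09:02:30 host1 sshd: Accepted password for alice from 10.0.0.9
2019-07-28T09:03:10 host2 sshd: Accepted password for bob from 10.0.1.7
2019-07-28T09:45:00 host1 sshd: Failed password for alice from 10.0.0.9
2019-07-28T13:00:00 host2 sshd: Accepted password for bob from 10.0.1.8
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted password for "
    r"(?P<user>\S+) from (?P<src>\S+)$")

def parse_logons(text):
    """Yield (timestamp, user, source) for successful logons only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def shared_account_candidates(text, window_minutes=30):
    """Map user -> sorted sources for every user ID seen from more than one
    source address inside any window; such overlap suggests one ID is shared."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, src in parse_logons(text):
        by_user[user].append((ts, src))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            # Distinct sources used by this ID in the window starting at `ts`.
            srcs = {s for t, s in events[i:] if t - ts <= window}
            if len(srcs) > 1:
                flagged[user] = sorted(srcs)
                break
    return flagged
```

Legitimate causes such as VPN address changes or a user with two workstations produce the same pattern, so the output is a review queue for the daily log review, not a verdict.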
-
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.