Access Control Excellence

Kill Five Birds with One Stone: Satisfying Multiple Regulations with Centralized Access Control Enforcement and Compliance Reporting

Most companies have to address multiple regulations related to information security, and many of the controls that need to be defined and enforced are common across these regulations. Using siloed controls and compliance systems leads to redundant efforts and increasing costs. Is there a better way forward?

Post on 13-Jul-2020


Page 1: Kill Five Birds with One Stone: Satisfying Multiple ...docs.media.bitpipe.com/io_24x/io_24746/item_373985... · Overview of today’s regulatory environment ... The Critical Infrastructure



Overview of today’s regulatory environment

The business regulatory environment across the globe has significantly changed over the last decade. Organizations are required by law to comply with a growing number of government and industry-specific regulations designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. Today there are over 100 regulations in the US alone that focus on information security/availability, and that number continues to grow. A partial list of these regulations includes:

• Sarbanes-Oxley Act requires effective IT controls and processes for validating the integrity of annual financial reports.

• GLBA requires financial institutions to implement IT controls to maintain the confidentiality and privacy of consumer information.

• HIPAA regulates the security and privacy of health data, including patient records and all individually identifiable health information.

• Payment Card Industry (PCI) mandates the protection of customer information residing with merchants, safe from hackers, viruses and other potential security risks.

• FISMA requires that federal agencies establish risk-based information security programs to secure federal information.

• CA SB1386 mandates that organizations doing business in California report any cyber security breaches that may have compromised customer information. Other states have passed similar laws.

• North American Electric Reliability Council’s Critical Infrastructure Protection (NERC CIP) standards establish minimum security requirements for IT assets managing daily operations for the utilities.

According to recent research by the Ponemon Institute, the average cost of compliance with privacy and data protection laws for the organizations studied was $3.5 million, with a range of $446,000 to over $16 million. Adjusting total cost by organizational headcount (size) yields a per capita compliance cost of $222 per employee. In addition, the average cost for organizations that experienced non-compliance problems was nearly $9.4 million. The study also concluded that, in terms of external compliance, the most important and most difficult to comply with according to respondents were the Payment Card Industry Data Security Standard (PCI DSS), various state privacy and data protection laws, the EU Data Protection Directive (95/46/EC), and the Sarbanes-Oxley Act.

In this document, we will discuss how to effectively implement centralized access management enforcement and reporting that will address multiple compliance regulations.


IT Security requirements in key regulations

Forrester in a recent report stated: “IT compliance should ensure that an organization is not only adhering to laws and regulations but is also taking into account corporate responsibilities and industry standards. Complying with the Sarbanes-Oxley (SOX) Act or the EU Data Protection Act is important, but an organization should also take into account corporate intellectual property protection responsibilities and develop a control framework based on industry standards such as COBIT.” In this section we will review the IT compliance requirements of certain regulations and how standard frameworks are being used to define and assess specific controls to meet these requirements.

PCI Requirements

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of control requirements issued and administered by the PCI Security Standards Council (SSC). PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to set standards for the security of payment technologies and the organizations that process cardholder data.

While there are other sets of standards issued by the PCI SSC (Figure 1), the Data Security Standard is the most familiar and widespread. This set of standards applies directly to any merchant or service provider that comes into contact with sensitive card data. This data, which is both imprinted on the card surface and embedded within the card’s magnetic stripe, contains sensitive information regarding the cardholder’s account. If shared or disclosed to third parties, this information can be used fraudulently, potentially causing both the cardholder and the issuing card institution to assume liabilities for the fraud.

The PCI DSS covers nearly 230 individual controls across 12 major control domains (see Figure 2). The DSS is a comprehensive specification for information security, covering topics such as network security, systems security, configuration management, encryption, software development, physical security and information security policy.


Note: Requirements 7 and 8 in the table above speak to implementing strong access control measures using access control technology, while Requirement 10 speaks to tracking and monitoring all access to network resources and cardholder data. The Fox Technologies solution addresses these three requirements, and we will describe how in later sections of this paper.

HIPAA Requirements

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 codified a sea change of patient privacy and institutional accountability standards into law. These standards were primarily aimed at curtailing the widespread sharing and cavalier handling of patient health information within organizations processing it, practices that had led to widespread fraud and inefficiency throughout the healthcare industry. In response, Congress built two specific rules into the legislation to help control the handling and availability of protected health information (PHI): the Privacy Rule and the Security Rule.

Figure 1: Scope of PCI DSS


• The Privacy Rule (45 CFR I Part 160 and Subparts A and E of Part 164) lays out a comprehensive approach for information ownership and patient consent. It defines the sensitivity of protected health information and the special processes that need to be in place when such information is collected or shared with third parties. The Privacy Rule specifically covers protected health information (PHI) and electronic protected health information (ePHI), which is defined as any individually identifiable information concerning the health or medical treatment of a patient. However, the Privacy Rule does very little to instruct covered entities (CEs) on how to protect PHI/ePHI across an organization’s information systems, workforce, and business processes. Instead, these standards are defined within the Security Rule.

• The Security Rule (45 CFR I Part 160 and Subparts A and C of Part 164) addresses specific administrative, technical, and physical safeguards that must be in place to protect PHI/ePHI within a covered entity (CE). It contains a series of “standards” that are enforced by “required” and “addressable” safeguards. The required safeguards must be in place at all times to protect the confidentiality, integrity, and availability of PHI/ePHI, regardless of customer size or complexity.

The HIPAA Security Rule is located within 45 CFR I Part 160 and Subparts A and C of Part 164. Most of the safeguards are located across 164.308 – 164.316 and cover a wide range of organizational controls, such as:

• 164.308- Administrative Safeguards (Security Management Processes, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness Training, Security Incident Procedures, Business Continuity, Evaluation)

• 164.310- Physical Safeguards (Facility Access Controls, Workstation Use, Workstation Security, Device and Media Controls)

• 164.312- Technical Safeguards (Access Control, Audit Controls, Integrity, Person/ Entity Authentication, Transmission Security)

• 164.314- Organizational Requirements (Business Associate Contracts, Requirements for Group Health Contracts)

• 164.316- Policy, Procedure, and Documentation Requirements (Policies and Procedures, Documentation)


Note: FoxT has prepared a series of control reports that help you quickly gain access to some of the most critical event information that drives your HIPAA access controls program. These reports are aligned to the HIPAA security rule 164.308 and 164.312 safeguards, which we will review in later sections of this paper.

NERC Requirements

The Critical Infrastructure Protection program is a set of control requirements issued by the North American Electric Reliability Council (NERC). The NERC is an independent standards organization that sets requirements for power generation, distribution, and management organizations across Canada, the United States, and Mexico. These standards seek to ensure that reliable and predictable power is provided throughout the interconnected grids that serve North America. While many of these standards govern the technical and engineering aspects of power generation and distribution, the Council is also responsible for defining and enforcing the standards for infrastructure security needed to ensure ongoing availability of grid power. These standards are defined within the Critical Infrastructure Protection (CIP) program.

CIP applies to “responsible entities” and includes any organization that plays a direct or indirect part in power generation, distribution, or management. These organizations include reliability coordinators, transmission service providers/owners/operators, balancing and interchange authorities, generating owners / operators, and load serving entities. They provide “Critical Assets” (CAs) that are used to maintain reliability functions and processes across regional and national grids. These assets may be IT-based systems or generators, turbines, reactors, transmission lines, distribution controllers, and other assets vital to power reliability.

Lying beneath these assets are critical cyber assets (CCAs), such as networks, servers, supervisory control and data acquisition (SCADA) systems, and applications. CCAs are vital to the reliable function of critical assets and, therefore, to power reliability itself. The loss of CCAs, either by unintentional or intentional actions, can have severe consequences on power reliability across regional and national grids.

CIP is composed of 9 major sets of standards that seek to protect CCAs and the environment in which they operate. These standards cover broad topics such as sabotage reporting, personnel and training, security management, incident response and recovery, and IT systems security. Responsible entities should apply these standards to address identified risks to any CCA they control or operate. The latest version of the NERC standards consists of:

• CIP-001-1a (November 2010): Sabotage Reporting

• CIP-002-3 (December 2009): Cyber Security - Critical Cyber Asset Identification

• CIP-003-3 (December 2009): Cyber Security - Security Management Controls

• CIP-004-3 (December 2009): Cyber Security - Personnel and Training

• CIP-005-3 (December 2009): Cyber Security - Electronic Security Perimeter(s)

• CIP-006-3c (February 2010): Cyber Security - Physical Security of Cyber Assets

• CIP-007-3 (December 2009): Cyber Security - Systems Security Management

• CIP-008-3 (December 2009): Cyber Security - Incident Reporting and Response

• CIP-009-3 (December 2009): Cyber Security - Recovery Plans for Critical Cyber Assets

Each standard contains anywhere from 3 to 9 specific control objectives. The control objectives may contain additional sub-objectives to help further define the requirements and standards.

Note: FoxT has prepared a series of control reports that help you quickly gain access to some of the most critical event information that drives your CIP access controls program. These reports are aligned to the NERC CIP-003, CIP-004, CIP-005 and CIP-007 controls. We will review them in later sections of this paper.

SOX Requirements

The Sarbanes-Oxley (SOX) Act Section 404 requires the management of publicly traded companies to implement and report on the adequacy of the organization’s internal controls over financial reporting. These controls are put into place to reduce the risk of reporting material and/or significant accounting errors that could falsely represent the company’s financial performance to current and prospective stockholders. Contrary to popular belief, SOX does not prescribe any controls that must be present in order to become “compliant” or to satisfactorily maintain an internal controls program. Rather, SOX requires the internal controls to be reviewed regularly by an independent auditor who can render opinions on the effectiveness of management’s risk management program and related internal controls. This review serves two purposes:


• To ensure that shareholders are well aware of management’s performance at controlling organizational risk, which can build or damage investor confidence; and

• To establish fiduciary responsibilities within management for the internal controls program. These responsibilities can ultimately carry civil and criminal penalties for misrepresentations.

Most organizations use the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control Framework for defining and evaluating internal controls for financial processes. However, IT systems are the underlying mechanism for financial reporting, and COSO does not address IT controls. COBIT (Control Objectives for Information and Related Technologies) is an IT control framework published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). COBIT is built in part upon the COSO framework. Most organizations use COBIT for the IT controls required for SOX compliance.

The COBIT framework addresses four key IT domains:

Plan and Organize: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. This domain addresses the following questions:

• Are IT and the business strategy aligned?

• Is the enterprise achieving optimum use of its resources?

• Does everyone in the organization understand the IT objectives?

• Are IT risks understood and being managed?

• Is the quality of IT systems appropriate for business needs?

Acquire and Implement: To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain addresses the following questions:


• Are new projects likely to deliver solutions that meet business needs?

• Are new projects likely to be delivered on time and within budget?

• Will the new systems work properly when implemented?

• Will changes be made without upsetting current business operations?

Deliver & Support: This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It addresses the following questions:

• Are IT services being delivered in line with business priorities?

• Is IT cost optimized?

• Is the workforce able to use the IT systems productively and safely?

• Are adequate confidentiality, integrity and availability in place for information security?

Monitor & Evaluate: All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It addresses the following questions:

• Is IT’s performance measured to detect problems before it is too late?

• Does management ensure that internal controls are effective and efficient?

• Can IT performance be linked back to business goals?

• Are adequate confidentiality, integrity and availability controls in place for information security?

These four domains in the COBIT framework include a total of 34 control objectives (processes) – see figure below.


Note: FoxT enables organizations to comply with the DS5 and DS9 requirements specified in the COBIT model. We will review them in later sections of this paper.


Challenges with complying with multiple regulations

Many companies have to address multiple regulations based on their private/public status, the industry they compete in and the customers they serve. However, many of these organizations take a silo-based approach to complying with these initiatives, where each compliance effort is approached individually by a different set of technologies and processes. Many of the access controls that need to be defined, assessed and enforced, however, are common across these regulations. A silo-based approach leads to redundant compliance efforts and significantly increases the cost of compliance. In addition, companies have realized that as the number and scope of compliance requirements grow, the sheer complexity of assessing multi-regulatory compliance with a large number of overlapping technologies and processes becomes a challenge. Using common technology and processes to test and enforce controls, as well as to support the audit process, not only reduces the cost of compliance but also reduces the risk of non-compliance.

For example, a single identity and access management solution can meet the requirements of multiple regulations discussed above, both for implementing fine-grained access controls across the various systems in scope and for creating reports that enable internal and external auditors to validate that the access-related IT controls are working well.

How does FoxT address multi-regulatory requirements?

Solution Overview

FoxT enables organizations to dramatically simplify and enforce key aspects of their regulatory access control objectives by establishing a centralized and streamlined approach for access control across critical and non-critical information systems, including diverse servers, applications, databases, and other key infrastructure. More importantly, FoxT provides a single point-of-management and enforcement for access and monitoring policies, ensuring that your control objectives for access provisioning and account management are consistently applied and enforced across the enterprise.


FoxT’s Enterprise Access Management (EAM) solution suite provides a common infrastructure and a unique blend of capabilities to enable in-depth, pro-active, non-intrusive access control and enforcement across your diverse servers and applications.

The FoxT Control Center gives security administrators the ability to centrally define access control rules, provision and de-provision user accounts, and identify problematic behavior. The dashboard also provides management and auditors with rapid visibility into the current state of access controls and compliance management across the organization. The FoxT Control Center:

• Centralizes management of access policies and administration of user accounts and host groups across diverse servers and applications through a graphical interface to reduce administration costs.

• Helps you pass IT audits and achieve regulatory compliance with automatic consolidation of user activity logs and pre-built operation, audit, and compliance reports

Figure 2: Fox Enterprise Access Management Suite (architecture diagram; the image is not reproduced here). Components shown: Control Center, ServerControl, ApplicationControl, PasswordMinder, Reporting Manager and Data Reporting Manager, with agents on Unix, Linux and Windows servers, desktops and applications (ERP, packaged, legacy); integrations with corporate directories, identity managers (Sun One, CA eTrust, IBM Tivoli), authentication systems (SafeWord, RSA, SiteMinder), help desk, event management, log consolidation and GRC reporting in data center operations.


• Integrates seamlessly with and adds value to your existing corporate directories (AD and LDAP) and identity management systems for holistic IAM

• Integrates with your event management, log consolidation, and GRC reporting systems to further streamline operations

FoxT ServerControl provides very fine-grained access controls management for over 60 unique Unix, Linux, IBM z-Linux and Windows physical and virtual servers. The solution reduces the risk of insider fraud and streamlines administration and compliance reporting with the following features:

• Centralized user account administration across diverse servers

• Centralized definition and enforcement of fine-grained authorization rules including management of SSH down to the sub-service level

• Centralized SSH management of keys and permissions

• Controlled delegation of privileged accounts to eliminate privileged password sharing

• Contextual application of multi-factor authentication methods based on the risk level of the access request

• Segregation of access down to the OS resource level through extensible role-based access controls (xRBAC) that harmonize and leverage the operating system vendors’ RBAC capabilities

• Keystroke logging including configurable levels of detail by specific administration sessions

• Consolidated user activity logs for robust audit, operational and compliance reporting

• Active Directory and LDAP interfaces for holistic identity and access management

• Web Services Interface for simplified integration with other systems in the IT ecosystem


FoxT ApplicationControl enables organizations to centrally control server-side authorization across diverse business applications. Key features include:

• Centralized management and enforcement of access policies

• Fine-grained authorization

• Contextual enforcement of multi-factor authentication methods based on user and access request

• Simplified enterprise credentials management

• Network communication encryption

• Enterprise single sign-on (ESSO)

• Consolidated user activity logs for robust operational, audit and compliance reporting

FoxT Reporting Manager provides over 60 detailed reports on user access configurations and audit log events for the entire managed domain. This essential set of pre-built reports creates logical views into the user activity and access control policy data for your management and auditors for streamlined response to compliance requirements. FoxT Reporting Manager also enables you to filter reports by host, user, access type, and log message type, and empowers you to easily construct your own powerful queries.

FoxT Compliance Report Packs: FoxT also provides a series of compliance-specific report packs for SOX, PCI, HIPAA, and NERC CIP. These packs take the access control information that has been consolidated by the FoxT system and map that data to specific access control objectives for each regulation. Auditors can quickly review and verify the state of specific regulatory objectives using the report sets.

FoxT Password Minder: In spite of FoxT ServerControl’s ability to eliminate sharing of privileged passwords for day-to-day operations, there are still rare cases where you will need the root or administrator password such as when a server needs to be logged into in single-user mode to restore service after a cold restart. FoxT Password Minder, an optional add-on module, manages the checkout of privileged account passwords and automatically changes passwords after the configurable checkout period has ended to safeguard against any need to share passwords.


Example: How FoxT monitors HIPAA compliance

FoxT has prepared a series of control reports that help you quickly gain access to some of the most critical event information that drives your HIPAA access controls program. These reports are aligned to the HIPAA 164.308 and 164.312 safeguards that are directly addressed by FoxT access control functions and processes. These reports contain a variety of information to help you monitor or audit certain HIPAA access control objectives. The control reports address these requirements:

• Requirement 164.308(a)(1) - Security Management Processes

• Requirement 164.308(a)(3) - Workforce Security

• Requirement 164.308(a)(4) - Information Access Management

• Requirement 164.308(a)(5) - Security Awareness and Training

• Requirement 164.312(a)(1) -(2)- Access Control and Audit

Here is one sample of the HIPAA mapping:

Requirement 164.308(a)(5) - Security Awareness and Training

Implement security awareness programs to keep staff and security professionals informed on the organization’s security processes and activities. (While a significant focus is placed on education and communication, the standard also includes specialized training and awareness for certain security related activities and tools, such as login attempts, access monitoring, and antivirus tools)

• Logical Access Attempts: HIPAA_308_A_5_Failed_Admin_Logins, HIPAA_308_A_5_Failed_Logins_By_Month, HIPAA_308_A_5_Failed_User_Logins

• Password Policies: HIPAA_308_A_5_user_password_changes, HIPAA_308_A_5_password policy exceptions
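The mapping above, and the earlier point that one access management solution can serve several regulations, as an added example (not FoxT's code): a small Python report pack that parses a constructed user-activity log, runs each generic query once, and labels the same results under HIPAA 164.308(a)(5) using the report names shown above. The log column layout, the privileged account names, and the PCI DSS 10.2 and NERC CIP-007-3 rows of the mapping are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of consolidated user-activity log lines. The column layout
# (timestamp host user action outcome) is an assumption for this example, not
# the vendor's log format.
SAMPLE_LOG = """\
2011-03-02T08:15:10 db01 alice login success
2011-03-02T08:16:44 db01 root login failure
2011-03-02T08:17:02 db01 root login failure
2011-03-15T22:40:09 app07 bob login failure
2011-04-01T09:00:00 app07 bob login success
2011-04-03T13:22:18 web02 carol password_change success
2011-04-09T03:05:51 web02 administrator login failure
2011-04-11T17:48:30 db01 dave login failure
"""

# Assumed privileged account names used by the "admin" reports.
ADMIN_ACCOUNTS = {"root", "administrator"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    outcome: str


def parse_log(text):
    """Parse the constructed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, user, action, outcome))
    return events


def _failed_logins(events):
    return [e for e in events if e.action == "login" and e.outcome == "failure"]


def failed_admin_logins(events):
    return [e for e in _failed_logins(events) if e.user in ADMIN_ACCOUNTS]


def failed_user_logins(events):
    return [e for e in _failed_logins(events) if e.user not in ADMIN_ACCOUNTS]


def failed_logins_by_month(events):
    # Month -> count of failed logins, sorted chronologically.
    return dict(sorted(Counter(e.ts.strftime("%Y-%m") for e in _failed_logins(events)).items()))


def user_password_changes(events):
    return [e for e in events if e.action == "password_change" and e.outcome == "success"]


# The generic report library: each query is written (and run) once.
REPORTS = {
    "Failed_Admin_Logins": failed_admin_logins,
    "Failed_User_Logins": failed_user_logins,
    "Failed_Logins_By_Month": failed_logins_by_month,
    "user_password_changes": user_password_changes,
}

# Control objective -> (report-name prefix, generic reports that evidence it).
# The HIPAA row follows the naming shown in the mapping above; the PCI DSS and
# NERC CIP rows are assumptions chosen to show one report serving several controls.
CONTROL_MAP = {
    "HIPAA 164.308(a)(5)": ("HIPAA_308_A_5", ["Failed_Admin_Logins", "Failed_Logins_By_Month",
                                              "Failed_User_Logins", "user_password_changes"]),
    "PCI DSS 10.2": ("PCI_10_2", ["Failed_Admin_Logins", "Failed_User_Logins"]),
    "NERC CIP-007-3": ("CIP_007_3", ["Failed_Logins_By_Month"]),
}


def build_report_packs(events):
    """Run every generic report exactly once, then label the results per regulation.

    Returns (packs, queries_run). queries_run stays at len(REPORTS) no matter
    how many regulations reference the same evidence.
    """
    results = {name: fn(events) for name, fn in REPORTS.items()}
    packs = {}
    for control, (prefix, names) in CONTROL_MAP.items():
        packs[control] = {f"{prefix}_{name}": results[name] for name in names}
    return packs, len(results)


def report_references():
    """Number of (control, report) pairs the packs cover: the birds for one stone."""
    return sum(len(names) for _, names in CONTROL_MAP.values())


if __name__ == "__main__":
    packs, ran = build_report_packs(parse_log(SAMPLE_LOG))
    print(f"{ran} queries executed for {report_references()} control evidence items")
    for control, reports in packs.items():
        for name, rows in reports.items():
            print(f"{control:22} {name:40} {rows if isinstance(rows, dict) else len(rows)}")
```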

Example: How FoxT monitors NERC compliance

FoxT has prepared a series of control reports that are aligned to the NERC CIP 3 controls. These reports contain a variety of information to help you monitor or audit certain CIP access control objectives. The control reports address these requirements:

• CIP-003-3 (December 2009): Cyber Security - Security Management Controls

• CIP-004-3 (December 2009): Cyber Security - Personnel and Training

• CIP-005-3 (December 2009): Cyber Security - Electronic Security Perimeter(s)

• CIP-007-3 (December 2009): Cyber Security - Systems Security Management

Here is one sample of the NERC/CIP mapping:

Requirement 7.2: Access Control System for System Components

Restrict access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

• Activity 7.2.1: Coverage of All System Components: PCI_7_2_1_host group list, PCI_7_2_1_host list, PCI_7_2_1_program group member list, PCI_7_2_1_program_list

• Activity 7.2.2: Assignment of Privileges: PCI_7_1_2_List of all user class members, PCI_7_1_2_list of all user classes

Example: How FoxT monitors PCI compliance

FoxT has prepared a series of control reports that are aligned to the PCI DSS 1.2.1 controls. These reports contain a variety of information to help you monitor or audit certain PCI DSS access control objectives. These reports address:

• PCI DSS 7.1

• PCI DSS 7.2

• PCI DSS 8.1

• PCI DSS 8.5.5

• PCI DSS 10.2

• PCI DSS 10.3

Requirement 7.2: Access Control System for System Components

Restrict access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

• Activity 7.2.1: Coverage of All System Components: PCI_7_2_1_host group list, PCI_7_2_1_host list, PCI_7_2_1_program group member list, PCI_7_2_1_program_list

• Activity 7.2.2: Assignment of Privileges: PCI_7_1_2_List of all user class members, PCI_7_1_2_list of all user classes


Example: How FoxT monitors SOX compliance

FoxT has prepared a series of control reports that are aligned to the COBIT DS domains:

• Deliver and Support 5.3- Identity Management

• Deliver and Support 5.4- User Account Management

• Deliver and Support 5.5- Security Testing, Surveillance, and Monitoring

• Plan and Organize 7.8- Job Change and Termination

• Plan and Organize 9.3- Event Identification

Here is one sample of the mapping for SOX:


Summary

Organizations are challenged to reduce the cost of compliance as well as the risk of non-compliance. With organizations needing to address multiple regulations, standardizing on one technology for enforcing and validating compliance with internal controls enables them to achieve both of these objectives. Many leading companies across the globe are using Fox Technologies’ robust access controls and logging capabilities to comply with the privacy and data protection requirements of regulations such as PCI, SOX, NERC and HIPAA. For additional information, please visit us at www.foxt.com.


www.foxt.com • 883 North Shoreline Blvd., Building D, Suite 210, Mountain View, CA 94043 USA • 650.687.6300

Copyright © 2011 FoxT. All rights reserved.

The document is provided for informational purposes only and the contents herein are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. The document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior permission.

FoxT logo is a trademark of FoxT, Inc. Other product and company names herein may be registered trademarks and trademarks of their respective owners.