Module 11

Summary of IT Security Compliance Solutions & Best Practices v1.0


By Kefa Rabah, krabah@globalopenversity.org

This module presents a summary of how to design, plan, implement, deploy and audit an IT infrastructure so that it
conforms to regulatory compliance and business partner requirements, by analyzing the business problem and developing
business solutions to it. There is a tremendous variety of open-source products and services that can help companies
with regulatory compliance, business partner requirements, and industry standards and practices. These compliance
solutions can help you minimize risk, enabling you to focus on your core business goals and confidently pursue new
business opportunities.

Business Problem
In the current global market and security landscape, if your business collects or shares customer personal information,
you don't have much choice: you have to spend time and resources to comply with government regulations and partner
requirements. In this kind of scenario:
• How do you manage multiple audits and requirements across your company?
• How do you create a process for compliance when regulation is continuously evolving?

Business Solution
When it comes to information access and security, the best approach is to take an integrated approach to compliance that
addresses the demands on your business while keeping an eye on the bottom line.

Action Required
To help meet regulations and compliance requirements, companies need to identify common requirements and address the
range of solutions required. Companies can use internal expertise, or they may engage third-party experts to help
uncover business opportunities and process improvements that could help their bottom line.

Regulatory Compliance | The regulations that govern your business, such as Sarbanes-Oxley and HIPAA.
Business Partner Requirements | Mandates and audits required by your business partners, such as PCI Compliance and RFID Mandates.
Standards and Best Practices | Methods and processes to improve security and business operations, such as ISO 17799, ITIL, and COBIT.
Public Sector Regulations | Security and authentication directives, standards and requirements for government agencies and contractors.

© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.org

Sarbanes-Oxley Section 404 Compliance

Business Solutions
Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires publicly traded companies to establish and maintain
internal controls over their financial reporting processes. Security controls are one part of the General Computing
Controls (GCC) assessed by auditors during annual Section 404 audits.

Mapping to Standards
Most organizations map SOX standards and requirements to the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) framework for internal controls. However, COSO does not address information technology controls.
Companies, therefore, apply standards based on the IT Governance Institute’s (ITGI) document, “IT Controls for Sarbanes-
Oxley,” because it is used by many auditors to conduct their reviews.

SOX Requirements
There are various products and services, both open-source and proprietary, to help you address IT controls based on the
COBIT controls from the ITGI standards.

Required Controls | Applies To | Action To Take
Requires a variety of assessments to be performed on a regular basis. | Systems, applications, and infrastructure that process financial information | Enterprise Compliance Assessments
Requires the capture, monitoring, response, and retention of file logs for at least one year. | Financial systems; supporting controls | Log Management Service
Requires regular assessment of network and application level vulnerabilities. | Financial systems; supporting controls | Vulnerability Management Service
Requires intrusion detection for network security, with event reporting stored for at least one year. | Intrusion prevention of financial systems, both host- and network-based | Intrusion Detection Management Service (IDS)
Requires firewalls with logs that are captured, monitored, and responded to, retained for at least one year. | Firewalls, proxies, gateways and network access control devices that protect financial reporting systems | Firewall Management Service

Best Practices
These solutions address industry best practices that can augment the above required controls.

Best Practice | Applies To | Action To Take
Multi-factor authentication, e.g., two-factor authentication. | Access to any sensitive or regulated financial data | Integrated Identity Mgt for Unified Authentication (SSO)
Encryption and non-repudiation. | Sensitive or regulated financial data and the systems used for storage, processing or transmitting it | Enterprise Key Mgt via Managed PKI for SSL; Managed PKI Services


HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 in response to concerns about the
privacy and security of medical records. Portions of HIPAA require healthcare organizations to conduct a thorough
information technology (IT) risk assessment and to develop and implement a plan for improving and maintaining
security.

Requirements
The following solutions can help address certain HIPAA requirements.

Key Controls | Applies To | Action To Take
Requires a regular risk assessment (assumed to be annual); requires that major infrastructure changes undergo technical and non-technical evaluations. | All systems storing, transmitting or processing regulated data: electronic Protected Health Information (ePHI) | Enterprise Consulting Assessments
Requires logging of all access to personal information (by a person or user to view, read, write, or delete). | Applications, servers, databases, and network devices with ePHI | Log Management Service
Requires encryption of data at rest and in transmission, access controls for PHI, and integrity controls. | ePHI in storage and in transmission | Enterprise Key Mgt via Managed PKI for SSL; Managed PKI Services

Best Practices
These solutions address industry best practices that can augment the above required controls.

Best Practice | Applies To | Action To Take
Periodic vulnerability scanning. | All systems storing, transmitting or processing ePHI | Vulnerability Management Service
Monitoring and intrusion detection to identify and respond to security incidents. | All network segments and systems storing, transmitting or processing ePHI | Intrusion Detection Management Service (IDS)
Two-factor authentication. | Useful for a high level of compliance with requirements for remote access/VPN, Web applications and security device authentication | Integrated Identity Mgt for Unified Authentication (SSO)
Firewall protection. | Network access to segments that transmit, store or process ePHI | Firewall Management Service via unified threat mgt (UTM)


Payment Card Industry Compliance


The Payment Card Industry (PCI) Data Security Standard was created by major credit card companies to safeguard
customer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants
and service providers meet certain minimum standards of security when they store, process and transmit cardholder data.

Requirements
These solutions help you address PCI standards.

Required Controls | Applies To | Action To Take
Requires annual assessment for Level 1 (large) merchants, and annual penetration testing and application testing for Level 1 and 2 service providers. | Merchants, service providers, and banks | Enterprise Consulting Assessments
Requires logging of all access to credit card data. | Credit card processing systems | Firewall Management Service
Requires quarterly scans and annual penetration tests; external scans conducted by an approved vendor; requires alerts. | Credit card processing systems and network devices | Technical Security Assessments; Vulnerability Management Service
Requires host and/or network intrusion detection or prevention. | Credit card transmission networks, processing and storage systems | Intrusion Detection Management Service (IDS)
Requires an appropriately configured and managed firewall. | Firewalls providing access to credit card processing and storage systems | Firewall Management Service
Requires two-factor authentication. | Remote access to credit card processing environments | Unified Authentication
Requires 128-bit SSL encryption and effective management of crypto key transmission and storage. | Databases, Web servers and applications that store or process credit card data | Managed PKI for SSL

Best Practices
These solutions address industry best practices that can augment the above required controls.

Key Controls | Applies To | Action To Take
Applications must be developed appropriately and tested. | All credit card processing applications | Security Certification Program; Technical Security Assessments
Respond quickly and effectively to incidents. | Databases, Web servers and applications | Incident Response and Forensics
Awareness of and protection against the latest threats. | Credit card transmission networks, processing and storage systems | iDefense Security Intelligence Services

Learn More
Visa Cardholder Information Security Program | Links to the Visa Web site for more about PCI compliance requirements as well as the Payment Applications Best Practices program
MasterCard Site Data Protection Program | Links to the MasterCard Web site for more about PCI scanning requirements
Enterprise Compliance Solutions for the Payment Card Industry | Checkout review of PCI data security standards by VeriSign, using VeriSign PCI compliance solutions for merchants, Levels 1-4


ISO 17799 Standards


ISO 17799 is a complex and detailed international information security standard. Compliance and certification enable
companies to show their business partners and customers that they have met a high standard of security. The
requirements, which are programmatic in nature, cover 11 core areas. There are open-source products and services that
can help companies meet the standard in each core area of their enterprise security programs.

Standards of Good Practice


Core Area | Description | Action To Take
Security Policy | Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issuance and maintenance of an information security policy across the organization. | Security Policy and Program Services
Security Organization | A management framework should be established to initiate and control the implementation of information security within the organization, including management of third party security. | Security Policy and Program Services; Enterprise Consulting Assessments
Asset Management | The implementation of specific controls may be delegated by the owner, as appropriate, but the owner remains responsible for the proper protection of assets, including information classification. | Security Policy and Program Services; Unified Authentication; Log Management Service
Personnel Security | Security responsibilities should be addressed prior to employment. Employees must also be trained on and aware of security policies and procedures. | Security Policy and Program Services
Physical Security | Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters. | Unified Authentication; Security Policy and Program Services
Communications and Operations Management | Responsibilities and procedures for the management and operation of all information processing facilities should be established. These procedures include the majority of the requirements for technical security controls such as email security, scanning/assessment, network monitoring, and logging. | Intrusion Detection Management Service (IDS); Firewall Management Service; Log Management Service; Vulnerability Management Service; Technical Security Assessments
Access Control | Access to information, information processing facilities, and business processes should be controlled on the basis of business and security requirements. | Unified Authentication; Identity and Access Management Services; Security Policy and Program Services
Information Systems Acquisition, Development and Maintenance | The design and implementation of the information system supporting business processes must address security requirements. | Technical Security Assessments; Security Policy and Program Services
Information Security Incident Management | Information security events and weaknesses associated with information systems should be communicated in a manner allowing timely corrective action to be taken. | Incident Response and Forensics; Security Policy and Program Services; Intrusion Detection Management Service (IDS); Vulnerability Management Service
Business Continuity Management | A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets to an acceptable level through a combination of preventive and recovery controls. | Disaster Recovery and Business Continuity
Compliance | The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements. | Enterprise Consulting Assessments; Security Certification Program; Security Policy and Program Services


Retailer RFID Mandates


Some major retailers and grocery store chains have required pallet- and case-level RFID enablement as a condition of
doing business. There are open-source and proprietary products and services that can help you design, deploy and manage
RFID technology and systems that are used today by many of the leading companies in retail, consumer products,
manufacturing, healthcare and logistics, including a top 5 U.S. retailer and some of Wal-Mart's suppliers.

Typical Retailer Requirements


Required Controls | Applies To | Action To Take
RFID enablement. | Manufacturing, packaging, and shipping | Supply Chain Consulting: RFID Enablement
Systems integration to share data in a secure, timely way. | Product or pallet data | Supply Chain Consulting: Data Management

Best Practices
In addition to the required controls above, the following technologies can be applied as best practices to support RFID
implementations.

Controls | Applies To | Action To Take
128-bit SSL encryption and effective management of crypto key transmission and storage. | Databases, Web servers and applications that store or process product data | Managed PKI for SSL
Two-factor authentication. | Remote access to shared data and applications | Unified Authentication
