Controls & Standards
Regulatory compliance requirements are themselves very high level and provide little concrete implementation guidance. IT security engineering standards fill that gap: they provide frameworks of capability that let IT organizations implement the security controls and practices that address the regulatory requirements.
ISO 17799
ISO 17799 is a complex and detailed international information security standard. Intellitactics’ meta controls are a superset of the controls in two widely known best-practice frameworks: NIST 800-53 and ISO 17799. The ISO 17799 requirements, which are programmatic in nature, cover 11 core areas.
NIST 800-53
Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines developed by the National Institute of Standards and Technology (NIST) for federal computer systems. NIST issues these as Federal Information Processing Standards (FIPS) for use government-wide. NIST developed FIPS where compelling federal requirements, such as security and interoperability, existed and no acceptable industry standards or solutions were available. Agencies use the explicit NIST control framework to enforce policy and reduce risk.
Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA, are approved by the Secretary of Commerce, and are compulsory and binding for federal agencies. Because FISMA requires federal agencies to comply with these standards, agencies may not waive their use.
Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800 series. Office of Management and Budget (OMB) policies (including the OMB FISMA Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that, for other than national security programs and systems, agencies must follow NIST guidance.
Other security-related publications, including interagency and internal reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when OMB specifies them as such.
In the FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, OMB stated that for fiscal year 2007 and beyond, “agencies will be required to use FIPS 200/NIST Special Publication 800-53 for the specification of security controls and NIST Special Publication 800-53A for the assessment of security control effectiveness.”
COBIT
COBIT is adopted as a full framework across the IT lifecycle to measure which controls have been implemented and how well they are working.
COBIT gives IT a definition of security capabilities: IT goals, processes and, most importantly, controls. These controls, implied by compliance legislation and regulations, let the security organization explicitly secure information in support of compliance mandates.
COBIT's greatest strength is consistency: it bridges diverse working groups and analytical needs with a single model. The benefits are lower overall IT cost and lower risk. The COBIT framework consists of 34 IT processes and 7 information criteria, 300-plus control objectives, audit guidelines, management guidelines and an implementation guide.
Intellitactics’ reporting facility provides many reports that measure the effectiveness of key processes for COBIT and for other infrastructure frameworks such as ISO, the Information Technology Infrastructure Library (ITIL) and NIST. These reports let you measure security capability while implementing COBIT key processes: assessing risk, managing changes, ensuring system security, managing problems and incidents, assessing the adequacy of internal controls, and others. Regardless of the framework you choose, adopting one and having reports that measure its effectiveness lowers management cost and provides a path for maturing security capabilities.
PCI: Payment Card Industry
In 2004 the Visa Cardholder Information Security Program (CISP) requirements became part of a new industry standard known as the Payment Card Industry (PCI) Data Security Standard (DSS). Credit card associations and banks mandate that agencies, merchants, banks and service providers meet minimum standards of security when they store, process and transmit cardholder data. The stringent requirements of the PCI DSS, together with the severe penalties that follow a breach of protected cardholder information, are compelling retailers to act.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is intended to help organizations, private or public, proactively protect customer account data.
The core of the PCI DSS is a group of principles and their accompanying requirements, around which the specific elements of the standard are organized:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Learn More
- PCI Standards Web site
- Visa Web site: PCI compliance requirements and the Payment Application Best Practices (PABP) program
- MasterCard Web site: PCI scanning requirements
Control Frameworks: Most federal agencies and many state and local government organizations follow the best practices the National Institute of Standards and Technology (NIST) publishes for federal computer systems. Increasingly, private-sector companies have adopted the NIST controls for their explicit and detailed guidance. Intellitactics has incorporated the NIST controls into its management products: hundreds of packaged reports are categorized by these controls, and alerts are generated automatically when controls are violated or anomalies occur. Control frameworks such as NIST's facilitate both compliance and security management.
SOX: Sarbanes-Oxley
Highly publicized accounting scandals led to the US Public Company Accounting Reform and Investor Protection Act of 2002, commonly referred to as Sarbanes-Oxley (SOX). The law holds officers and directors of public companies accountable for decisions that affect the welfare of shareholders.
Section 404 of SOX (management assessment of internal controls) requires the enterprise to satisfy the outside attestation auditor, internal auditors and retained counsel as to which control capabilities are necessary and sufficient. Sections 302 and 404 require management to assess and certify the internal controls over financial reporting; security monitoring of the systems that hold and produce financial data is one way to increase the effectiveness of those controls and to demonstrate that they work. Management must certify in writing the accuracy of the reported information and the process by which it was compiled, and the certifying officers carry personal liability for that certification.
In this section, the term “control criteria” refers to the internal controls in place to earn that confidence; SOX itself gives no detailed procedures for evaluating them. Management, together with its auditors, agrees on how much risk it is willing to accept relative to the certification of financial information.
Learn More
- Learn more about Sarbanes-Oxley
- Learn more about the ITGI IT controls
- Learn more about Control Objectives for IT from ITGI and ISACA
FISMA: Federal Information Security Management Act
The Federal Information Security Management Act of 2002 (FISMA) requires government agencies to institute an information security program that manages risk effectively and re-assesses it periodically. FISMA mandates that attacks and vulnerabilities be tracked centrally. A primary requirement of FISMA is extensive reporting, at a level that can cripple an agency’s productivity if done manually.
Intellitactics enables agencies subject to FISMA to accept appropriate risk and to implement the security controls defined by NIST and the Federal Information Processing Standards (FIPS). Many agencies have deployed Intellitactics to consolidate large volumes of monitored event data and validate that controls are working. Intellitactics automates the demanding FISMA reporting and lets security analysts determine what additional controls are required to increase confidence in their security programs.
Intellitactics mitigates risk with proactive, automated event monitoring and increases organizational effectiveness by automating reports for FISMA and other applicable regulatory standards. Packaged reports are categorized by a superset of controls derived from NIST 800-53, alerts are tagged with control IDs, and control reports present the violations and anomalies that put the agency at risk.
HIPAA: Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides for the protection of patient information. Sections 261 through 264 require the Secretary of the US Department of Health and Human Services to publish standards for the electronic exchange, privacy and security of health information. The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) establish national standards for the use and disclosure of individuals' health information, defined as Protected Health Information (PHI), by the organizations that hold it.
The primary goal of the Privacy Rule is to ensure that individuals’ health information is properly protected without hindering the flow of the health information needed to provide and promote high-quality healthcare. The Rule therefore seeks a balance between the privacy needs of individuals and the legitimate information needs of the organizations that serve them.
The companion Security Rule requires IT to ensure the confidentiality, integrity and availability of all electronic PHI the organization creates, receives, maintains or transmits, and to protect it against reasonably anticipated threats or hazards.
GLB: Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 enables banks to engage in a wide range of financial services. Because that broadened the personal data banks hold and can share with outside companies, Title V of the same act adds privacy and safeguarding requirements for that data.
Under the act, customers of financial institutions may opt out of programs that share their personal data with affiliated or outside companies. Section 501(b) requires firms to establish safeguards that ensure the security and confidentiality of customer records and information, protect against anticipated threats or hazards to the security or integrity of those records, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to the customer. The implication for IT is that it must protect against the threats that would compromise the confidentiality of those records, and be able to demonstrate that its controls against threats and attacks are working.
