Controls & Standards

Many civilian and defense agencies, as well as state governments, are realizing that a strategic framework-based approach to compliance is more effective than extreme searching of logs to demonstrate compliance with multiple regulations. By implementing a control framework, you address multiple regulations simultaneously and get a more comprehensive grasp on what it takes to manage enterprise security.

Government agencies work to improve their FISMA compliance report cards, but are equally aware of the need to comply with PCI standards for credit card transactions and in some cases HIPAA standards when dealing with employee or citizen health data. Compliance with multiple standards creates management challenges that can be solved with automated security information and event management solutions:

  • Managers realize that “compliance in a box” doesn’t exist and that effectiveness requires processes and controls
  • Audits are disruptive; key resources are pulled from important work to generate reports having no long-term value
  • Compliance requires daily attention: audit drift is time consuming and expensive
  • Compliance doesn’t equal security; recent history has shown that agencies can earn A’s on their FISMA report card and still be under investigation by Congress for a highly publicized data breach

Regulatory Standards: Intellitactics for Compliance supports multiple regulatory standards such as FISMA, PCI and HIPAA and provides hundreds of audit-worthy reports. Intellitactics alerts notify security staff when user behavior or system activity is causing an agency to fall out of compliance.

FISMA: Federal Information Security Management Act

The Federal Information Security Management Act of 2002 (FISMA) requires government agencies to institute an information security program that effectively manages and periodically re-assesses risk. FISMA mandates centrally tracking attacks and vulnerabilities. A primary requirement of FISMA is extensive reporting – at a level that can cripple an agency’s productivity if done manually.

Intellitactics enables FISMA-compliant agencies to accept appropriate risk and implement NIST and Federal Information Processing Standards (FIPS) defined security controls. Many successful agencies have implemented Intellitactics solutions to consolidate huge amounts of monitored event data to validate controls are working. Intellitactics automates demanding FISMA reporting and enables security analysts to determine what additional controls are required to increase confidence in their security programs.

Intellitactics mitigates risk with proactive, automated event monitoring and increases organizational effectiveness by automating reports for FISMA and other applicable regulatory standards. In addition, packaged reports are categorized by a superset of controls derived from NIST 800-53. Alerts are tagged with control IDs, and Intellitactics control reports present the violations and anomalies that put the agency at risk.


HIPAA: Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides for the protection of patient information. Sections 261 through 264 require the Secretary of the US Department of Health and Human Services to publicize standards for the electronic exchange, privacy and security of health information. The Privacy of Individually Identifiable Health Information (i.e. the Privacy Rule) establishes national standards for the use and disclosure of individuals' health information defined as Protected Health Information (PHI) within an organization.

The primary goal of the Privacy Rule is to assure that individuals’ health information is properly protected while not hindering the availability of critical health information to provide and promote high quality healthcare. Additionally, the Rule attempts to establish a balance between the privacy needs of individuals and the requirements of individual agencies.

IT must ensure the confidentiality, availability and integrity of all electronic PHI the organization creates, receives, maintains or transmits by protecting against reasonably anticipated threats or hazards to such information.


PCI: Payment Card Industry

In 2004 the Visa Cardholder Information Security Program (CISP) requirements became part of a new industry standard known as the Payment Card Industry (PCI) Data Security Standard (DSS). Credit card associations and banks mandate that agencies, merchants, banks and service providers meet certain minimum standards of security when they store, process and transmit cardholder data. Because the PCI DSS carries severe penalties for disclosure of protected cardholder information in the event of a security breach, its stringent requirements are compelling retailers to act.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations, private or public, proactively protect customer account data.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy


Control Frameworks: Most federal agencies and state and local government organizations follow the best practices outlined by the National Institute of Standards and Technology (NIST) for federal computer systems. Increasingly, companies in the private sector have also adopted NIST controls for their explicit and detailed guidance. Intellitactics has incorporated the NIST controls into its management products: hundreds of packaged reports are categorized by these controls, and alerts are automatically generated when controls are violated or anomalies occur. Control frameworks such as NIST facilitate both compliance and security management.

NIST 800-53

Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology for federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST developed FIPS because there were compelling federal government requirements, such as for security and interoperability, and there were no acceptable industry standards or solutions. Agencies use the explicit NIST control framework to enforce policy to reduce risk.

Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA, are approved by the Secretary of Commerce and are compulsory and binding for federal agencies. Since FISMA requires that federal agencies comply with these standards, agencies may not waive their use.

Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800-series. Office of Management and Budget (OMB) policies (including OMB FISMA Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that for other than national security programs and systems, agencies must follow NIST guidance.

Other security-related publications, including interagency and internal reports (NISTIRs), and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when so specified by OMB.

In the FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, OMB stated that for fiscal year 2007 and beyond, “agencies will be required to use FIPS 200/NIST Special Publication 800-53 for the specification of security controls and NIST Special Publication 800-53A for the assessment of security control effectiveness.”


ISO 27001/2

ISO 27001/2 is a complex and detailed international information security standard. Intellitactics’ meta-control set is a superset of the controls from two widely known best-practice frameworks, NIST 800-53 and ISO 27001/2. The ISO requirements, which are programmatic in nature, cover 11 core areas.
