Thursday, March 23, 2006

"Network Security" - Compliance

Industries such as health care and financial institutions are mandated to comply with the HIPAA and SOX acts. These acts enforce stringent rules in all aspects of the enterprise, including physical access to information; this section concentrates on the software requirements of the acts. Quite a number of agencies offer compliance as a service for an enterprise, so it comes down to whether you want to handle compliance yourself or employ a third-party vendor to ensure compliance with the acts.


HIPAA Compliance:
HIPAA defines the security standards for monitoring and auditing system activity. HIPAA regulations mandate analysis of all logs: OS and application logs, logs from perimeter devices such as IDSs, and records of insider activity. Here are some of the important reports that need to be in place:

1. User Logon report: HIPAA requirements (164.308 (a)(5) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

2. User Logoff report: HIPAA requirements likewise state that user logoffs be recorded and monitored for possible abuse, for the same reasons given for the logon report: the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users, and in most cases the very fact that the access is recorded is deterrent enough for malicious activity.

3. Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

4. Audit Logs access report: HIPAA requirements (164.308 (a)(3) - review and audit access logs) calls for procedures to regularly review records of information system activity such as audit logs.

5. Security Log Archiving Utility: Periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.


SOX Compliance:
Sarbanes-Oxley defines the collection, retention and review of audit trail log data from all sources under section 404's IT process controls. These logs form the basis of the internal controls that provide corporations with the assurance that financial and business information is factual and accurate. Here are some of the important reports to look for:

1. User Logon report: SOX requirements (Sec 302 (a)(4)(C) and (D) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

2. User Logoff report: SOX requirements (Sec 302 (a)(4)(C) and (D)) likewise state that user logoffs be recorded and monitored for possible abuse, for the same reasons given for the logon report: the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users, and in most cases the very fact that the access is recorded is deterrent enough for malicious activity.

3. Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

4. Audit Logs access report: SOX requirements (Sec 302 (a)(4)(C) and (D) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

5. Security Log Archiving Utility: Periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.

6. Track account management changes: Sec 302 (a)(6) covers significant changes in the internal controls. Changes in the security configuration settings, such as adding a user account to or removing one from an administrative group, can be tracked by analyzing event logs.

7. Track audit policy changes: supports the internal controls of Sec 302 (a)(5) by tracking the event logs for any changes in the security audit policy.

8. Track individual user actions: supports the internal controls of Sec 302 (a)(5) by auditing user activity.

9. Track application access: supports the internal controls of Sec 302 (a)(5) by tracking application processes.

10. Track directory / file access: supports the internal controls of Sec 302 (a)(5) by recording any access violation.

GLBA Compliance:
The Financial Services Modernization Act (FMA99) was signed into law in January 1999 (PL 106-102). Commonly referred to as the Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps that financial institutions and financial service companies must undertake to ensure the security and confidentiality of customer information. The Act asserts that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and must notify those individuals when sharing information outside of the company (or affiliate structure) and, in some cases, when using such information in situations not related to the furtherance of a specific financial transaction.

1. User Logon report: GLBA compliance requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.

2. User Logoff report: GLBA requirements likewise state that user logoffs be recorded and monitored for possible abuse, for the same reasons given for the logon report: the intent is not just to catch hackers but also to document the accesses to medical details by legitimate users, and in most cases the very fact that the access is recorded is deterrent enough for malicious activity.

3. Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

4. Audit Logs access report: GLBA requirements (review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.

5. Security Log Archiving Utility: Periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.
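The logon, logoff, logon-failure, audit-log-access and account-management reports listed under HIPAA, SOX and GLBA above are all views over the same security event stream, so one small parser can feed all three compliance lists. The Python script below is an added example, not code from the original post or from any compliance vendor. It assumes a constructed syslog-style line format (`<ISO timestamp> <host> <EVENT_KIND> key=value ...`) and constructed event kind names such as `LOGON` and `GROUP_MEMBER_ADDED`; the sample lines are made up for the example and do not come from any real system.

```python
"""Added example: producing the compliance reports listed above from an
event stream. The log format, event names and sample data are constructed
for this example and do not correspond to any real product."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample security events (assumed format:
# "<ISO timestamp> <host> <EVENT_KIND> key=value ...").
SAMPLE_LOG = """\
2006-03-23T08:01:12 srv01 LOGON user=alice src=10.0.0.5
2006-03-23T08:02:40 srv01 LOGON_FAILURE user=bob src=10.0.0.9 reason=bad_password
2006-03-23T08:02:44 srv01 LOGON_FAILURE user=bob src=10.0.0.9 reason=bad_password
2006-03-23T08:02:49 srv01 LOGON_FAILURE user=bob src=10.0.0.9 reason=bad_password
2006-03-23T08:03:01 srv01 LOGON user=bob src=10.0.0.9
2006-03-23T08:15:30 srv01 AUDIT_LOG_READ user=alice object=Security.evt
2006-03-23T08:20:00 srv01 GROUP_MEMBER_ADDED user=alice target=bob group=Administrators
2006-03-23T08:21:15 srv01 AUDIT_POLICY_CHANGE user=bob setting=LogonEvents old=SuccessFailure new=None
2006-03-23T09:00:00 srv01 LOGOFF user=alice
2006-03-23T09:30:00 srv01 LOGOFF user=bob
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z_]+)(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


def parse_log(text):
    """Parse the assumed line format; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, kind, rest = m.groups()
        events.append(Event(datetime.fromisoformat(ts), host, kind,
                            dict(KV_RE.findall(rest))))
    return sorted(events, key=lambda e: e.ts)


def _of_kind(events, *kinds):
    return [e for e in events if e.kind in kinds]


def logon_report(events):
    """User Logon report: (user, time, source) for each successful logon."""
    return [(e.fields["user"], e.ts, e.fields.get("src", "-"))
            for e in _of_kind(events, "LOGON")]


def logoff_report(events):
    """User Logoff report: (user, time) for each logoff."""
    return [(e.fields["user"], e.ts) for e in _of_kind(events, "LOGOFF")]


def logon_failure_report(events):
    """Logon Failure report: user name, date/time, source and reason."""
    return [(e.fields["user"], e.ts, e.fields.get("src", "-"),
             e.fields.get("reason", "-"))
            for e in _of_kind(events, "LOGON_FAILURE")]


def repeated_failures(events, threshold=3):
    """Users with at least `threshold` failed logons: the 'possible abuse'
    that the reports are meant to surface for review."""
    counts = Counter(e.fields["user"] for e in _of_kind(events, "LOGON_FAILURE"))
    return {user: n for user, n in counts.items() if n >= threshold}


def audit_log_access_report(events):
    """Audit Logs access report: who read the audit log itself, and when."""
    return [(e.fields["user"], e.ts, e.fields.get("object", "-"))
            for e in _of_kind(events, "AUDIT_LOG_READ")]


def account_management_report(events, sensitive_groups=("Administrators",)):
    """Account management changes: membership changes to administrative groups."""
    return [(e.ts, e.fields["user"], e.kind, e.fields["target"], e.fields["group"])
            for e in _of_kind(events, "GROUP_MEMBER_ADDED", "GROUP_MEMBER_REMOVED")
            if e.fields.get("group") in sensitive_groups]


def audit_policy_change_report(events):
    """Audit policy changes: any edit to what the system audits."""
    return [(e.ts, e.fields["user"], e.fields.get("setting", "-"),
             e.fields.get("old", "-"), e.fields.get("new", "-"))
            for e in _of_kind(events, "AUDIT_POLICY_CHANGE")]


def user_sessions(events):
    """Pair each LOGON with the user's next LOGOFF to reconstruct sessions."""
    open_sessions, sessions = {}, []
    for e in events:
        user = e.fields.get("user")
        if e.kind == "LOGON":
            open_sessions[user] = e.ts
        elif e.kind == "LOGOFF" and user in open_sessions:
            sessions.append((user, open_sessions.pop(user), e.ts))
    return sessions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for title, rows in [("Logons", logon_report(evs)),
                        ("Logoffs", logoff_report(evs)),
                        ("Logon failures", logon_failure_report(evs)),
                        ("Repeated failures", repeated_failures(evs).items()),
                        ("Audit log access", audit_log_access_report(evs)),
                        ("Admin group changes", account_management_report(evs)),
                        ("Audit policy changes", audit_policy_change_report(evs)),
                        ("Sessions", user_sessions(evs))]:
        print(f"== {title} ==")
        for row in rows:
            print("  ", *row)
```

Run with `python reports.py` and each report prints in turn. In the constructed data the reviewer would see the two things these reports exist to surface: three failed logons for `bob` immediately before a successful one, and `bob` then being added to the administrative group and turning off logon auditing. The failure threshold and the list of sensitive groups are the parameters an organisation would tune to its own policy.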