White Paper: Windstream's Position on Security Compliance
Compliance In General

Our customers are under increasing pressure to adhere to numerous security compliance standards and design networks that address the best practices associated with these standards. As any healthcare provider can tell you, the content of the standards themselves can be daunting to understand and apply, which has driven organizations to look outside for assistance.

Top Five Industry Compliance Standards

- Government Mandated Privacy Acts (Massachusetts, California, and Minnesota, with others to follow) – Applies to anyone doing business in these states
- Health Insurance Portability and Accountability Act (HIPAA) – Applies to the healthcare vertical
- Gramm-Leach-Bliley Act (GLBA) – Applies to the financial vertical
- Sarbanes-Oxley Act (SOX) – Applies to public companies
- Payment Card Industry Digital Security Standard (PCI DSS) – Applies to any company processing, transporting, or storing credit card information

Overview of Standards

PCI DSS – The goal of PCI DSS is to create a framework for good security practice around the handling of cardholder data. A PCI-compliant operating environment is one in which the cardholder data exists (i.e., it does NOT refer to the whole corporate network), and PCI DSS defines the requirements for how access to this data must be controlled, monitored, logged, and audited.

Government Mandated Privacy Acts (Massachusetts) – The Massachusetts Data Privacy Act (201 CMR 17), now recently revised, went into effect March 1, 2010. It applies generally to those businesses that own or license personal information about Massachusetts residents. Personal information includes Massachusetts residents' first and last names, or first initials and last names, in combination with any of the following: Social Security number, driver's license number or state-issued identification card number, financial account number, or credit or debit card number. Therefore, if you have any employees, receive payments from individuals (whether by check or credit card), or send out 1099s, your business owns or licenses personal information and, thus, must comply with the law. Minnesota and California recently passed similar laws, and it is expected that this trend will continue for the remaining 47 states in the near future.

HIPAA – HIPAA covers a number of healthcare standards, one of which is the HIPAA Security Rule, which requires implementation of three types of safeguards:

- Administrative
- Physical
- Technical

In addition, it imposes other organizational requirements and a need to document processes analogous to the Privacy Rule. Implementing and adhering to this rule is extremely difficult due to the highly technical nature of the contents of the rule.

GLBA – The Safeguards Rule, a part of the GLB Act, requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients' non-public personal information. (The Safeguards Rule applies to information of any consumers, past or present, of the financial institution's products or services.) This plan must include:

- Designating at least one employee to manage the safeguards
- Constructing thorough risk management on each department handling the non-public information
- Developing, monitoring, and testing a program to secure the information
- Modifying the safeguards as needed with the changes in how information is collected, stored, and used

This rule is intended to do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.

SOX – The impact of IT security within SOX is somewhat indirect, since the law is primarily focused on the accuracy of financial reporting data. IT security is important under SOX only to the extent that it enhances the reliability and integrity of that reporting.

Windstream's Strategy Around Compliance

The Internet Service Provider (ISP) has an interesting role in compliance. Since the essential underlying focus of popular compliance standards today is on the individual enterprise context, it is impossible for Windstream to provide "instant on" compliance. However, with our Security Consultation services, as well as the best practices that we have implemented internally and advise our customers to follow, Windstream has made it as easy as possible for customers from all verticals to meet and exceed the standards laid out for them by the various regulatory bodies. Each compliance standard is built around a foundation of concepts best outlined by the SANS Institute and mirrored by Windstream's business best practices. They include:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps

Furthermore, Windstream is actively taking advantage of the SAS 70 auditing process to provide customers with the necessary information to inform their auditors and planners of compliance-friendly topologies and practices. A SAS 70 is performed by a third party that reviews our security controls, then verifies that we are adhering to them by reviewing, auditing, and scoring our performance. Since our customers are under a myriad of compliance standards, we developed our controls based upon the best practices mentioned above and mapped our practices to PCI DSS and other compliance standards. This way, we can present our SSAE 16 documentation to any customer who needs to prove that Windstream practices security standards which exceed the compliance standards to which they are being held. This approach makes the most sense for both Windstream and our customers.

Things We're Watching & What We're Doing

Since Windstream's role is central to customer network security, we as an ISP and Managed Security Service Provider (MSSP) must be "ahead of the curve" to maintain our position within the confines of the popular compliance standards, because the overwhelming buying triggers for our services surround these standards. We see emerging threats and general business practices that require review and standards application on a regular basis.

Top Three Emerging Trends

- Best practices surrounding safe and secure utilization of social media
- Best practices incorporating enclaving of network elements to reduce the impact of a breach or incident
- Best practices surrounding the deployment, control, and risk mitigation associated with mobile technology (Android, iPad, iPhone, WiFi, etc.)

Social Media – Malware and bot-net threats are synonymous with social media. While it is a well-known best practice to develop Web acceptable use policies that block access to these services, an increasing number of organizations use social media as an advertising and information distribution outlet. With this trend, there are a number of best practices and technologies that we are focusing on to control access, then monitor and equip zones within the organization that have legitimate access to these services to properly handle threats.

Enclaving – There is no "silver bullet" in security. If there were, this multi-billion dollar industry would not exist. Given that reality, it is becoming increasingly prudent to design networks (LAN and WAN) that are zoned (or enclaved) in such a way that, in the event of a successful attack or breach, the impact to the organization as a whole is minimized. As threats grow in complexity, best practices around this concept are increasing in value.

Mobile Devices – Innovation and incorporation of mobile devices are skyrocketing across all industries. Mobile device security, as a result, is becoming a targeted focus for our customers and our organization. The development of best practices and the deployment of security technology with a focus on mobile device risk reduction and mitigation is a top priority at Windstream.

© Windstream 2012 | DATE: 3.27.12 | REVISION: 2 | 009574_Windstream's_Position | CREATIVE: MF | JOB#: 9574 - Windstream's Position on Security Compliance | COLOR: GS | TRIM: 8.5" x 11"