Chamber Technology Committee Presentation


This is another compliance presentation that I did for the Tyler Chamber of Commerce Technology Committee.

Published in: Technology

  1. The State of Security and Compliance
     Exceptional Technology Solutions, LLC
     Tyler Chamber of Commerce Technology Committee
  2. Social Media, SPAM, Spyware, Malware, Social Engineering
  3. Compliance standards covered in this presentation:
     • Federal Bureau of Investigation – Criminal Justice Information Systems
     • Health Insurance Portability and Accountability Act
     • Payment Card Industry - Data Security Standard
     • The Sarbanes-Oxley Act of 2002
  4. What is PCI-DSS
     • PCI DSS applies to organizations that “store, process or transmit cardholder data” for credit cards. One of the requirements of PCI DSS is to “track…all access to network resources and cardholder data”.
  5. PCI DSS 2.0 Requirements
     Penalties: fines, loss of credit card processing, and level 1 merchant requirements.
     • 5.1.1 - Monitor zero day attacks not covered by antivirus
     • 6.5 - Identify newly discovered security vulnerabilities
     • 11.2 - Perform network vulnerability scans quarterly by ASV
     • 11.4 - Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
     • 10.2 - Automated audit trails
     • 10.3 - Capture audit trails
     • 10.5 - Secure logs
     • 10.6 - Review logs at least daily
     • 10.7 - Maintain logs online for three months
     • 10.7 - Retain audit trail for at least one year
     • 6.6 - Install a web application firewall
  6. HIPAA
     • HIPAA includes security standards for certain health information. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, lists HIPAA-related log management needs. For example, Section 4.1 of NIST SP 800-66 describes the need to perform regular reviews of audit logs and access reports. Also, Section 4.22 specifies that documentation of actions and activities needs to be retained for at least six years.
  7. HIPAA Security Rule controls:
     • 164.308 (a)(1)(ii)(A): Risk Analysis—Conducts vulnerability assessment
     • 164.308 (a)(1)(ii)(B): Risk Management—Implements security measures to reduce risk of security breaches
     • 164.308 (a)(5)(ii)(B): Protection from Malicious Software—Procedures to guard against malicious software; host/network IPS
     • 164.308 (a)(6)(iii): Response & Reporting—Mitigates and documents security incidents
     • 164.308 (a)(1)(ii)(D): Information System Activity Review—Procedures to review system activity
     • 164.308 (a)(6)(i): Log-in Monitoring—Procedures and monitoring log for log-in attempts; host IDS
     • 164.312 (b): Audit Controls—Procedures and mechanisms for monitoring system activity
     • 164.308 (a)(1): Security Management Process—Implement policies and procedures to prevent, detect, contain and correct security violations
     • 164.308 (a)(6): Incident Procedures (R)—Implement policies and procedures to address security incidents
  8. Sarbanes-Oxley
     • Although SOX applies primarily to financial and accounting practices, it also encompasses the information technology (IT) functions that support these practices. SOX can be supported by reviewing logs regularly to look for signs of security violations, including exploitation, as well as retaining logs and records of log reviews for future review by auditors.
  9. SOX-related IT controls:
     • DS5.3 Identity Management
     • DS5.4 User Account Management
     • DS5.5 Security Testing, Surveillance and Monitoring
     • DS5.6 Security Incident Definition
     • DS5.7 Protection of Security Technology
     • DS5.9 Malicious Software Prevention, Detection and Correction
     • DS5.10 Network Security
     • DS5.11 Exchange of Sensitive Data
     • ME1 Monitor and Evaluate IT Performance
     • ME1.4 Performance Assessment
     • ME1.5 Board and Executive Reporting
     • ME1.6 Remedial Actions
  10. • Since July 2010 ETS has been approved to work with Police Departments, Fire Departments, EMT and 911 Data Centers through the Texas Department of Public Safety and the Federal Bureau of Investigation. All of our managers, technicians and engineers are required to be approved by TLETS/CJIS before we allow them to work on any of our clients.
  11. What is CJIS/TLETS
     • TLETS provides intrastate interconnectivity for criminal justice agencies to a variety of local, state, and federal database systems. Additionally, TLETS’ link with Nlets, the International Justice and Public Safety Network, facilitates exchange between criminal justice agencies across the state of Texas and their counterparts in other states. The link with Nlets allows DPS to provide critical information to the national criminal justice community and allows TLETS operators to obtain information from a variety of database services from other states, Canada, Interpol, and private companies.
  12. The CJIS Addendum requirements are outlined in a 46 page addendum published by the FBI and collaboratively through the Texas Department of Public Safety TLETS agency. The Addendum outlines every aspect of IT security:
     • User security and access
     • Logging
     • Hardware management
     • Software management
     • Mobility
     • BYOD
     • Mobile data terminals
     • Firewall and workstation security and updates…
     And many more.
  13. Comparing Compliances
     [Bar chart: Compliance Point Comparison, number of compliance points per standard]
     • PCI - DSS: 11
     • HIPAA: 9
     • Sarbanes-Oxley: 11
     • TLETS/CJIS: 128
  14. How to get compliant.
     • Attaining and maintaining any of the compliances we have talked about today can be a daunting, scary proposition.
     • Especially with the constant threat of the government handing out charges, fines and in some cases the threat of the loss of your business.
     • Here are a few suggestions to help you get started.
  15. How to get Compliant
     • Work with an Industry Consultant. The task of getting and staying compliant can be a long, difficult and expensive road. Consultants are going to be able to tell you what you need, when you need it and what you can safely disregard. Good consultant services are going to stand by you if and when you have an audit, to assist you in getting through the audit and take care of any failure points the audit may draw out.
  16. How to get Compliant
     • Partner with a good, well respected Authorized Scanning Vendor.
     • ETS partners with AlertLogic because they are located in Texas, they have one of the best reputations in the industry and they have a broad, transparent base of services that cover all the major compliances that are out today.
  17. How to get Compliant
     • Install a really good firewall. This will not be cheap. If you would buy it to put it in your house, you need to leave it there.
     • A good firewall will provide Gateway AV, Spam handling, Intrusion Prevention, Zero Day Protection and Multi-Layer Packet Scanning, and compliance with one of the major national compliance standards. Watchguard is our preferred firewall and it is FIPS 140-2 compliant as well as CIPA compliant.
  18. How to get Compliant
     • Get good, solid, offsite backup. The more secure the better. The encryption on the backup should be no less than 128-bit AES encryption.
     • Make sure that you can access your backups in real time.
     • Make sure the backup company practices their recoveries.
     • Make sure the transmission from your site to the backup site is encrypted with at least 128-bit AES encryption.
     • Discuss a Disaster and Recovery plan with your backup provider and get it in writing to ensure that everyone is on the same sheet of paper when the inevitable happens.
  19. How to get Compliant
     • GET GOOD ANTI-VIRUS… If it has the word FREE anywhere in it you are most likely violating the EULA by using it in a business environment.
     • Free anti-virus has its place. Not in a secure, audited business network.
     • Make sure you set your patches and updates to run when new software comes out so you always have the latest security updates. If you have a good IT company or person they should be making sure that is done for you. Ask for proof it is being done.
     • Anti-virus is like a FLU shot. It is your best defense against having a sick computer.
  20. To Wrap Up…
     • ETS is a premier East Texas based IT Solutions Company that specializes in Managed Services, Cloud Services and Advanced Professional Services.
     • At ETS we do not sell products… We partner with our clients to provide the best solutions, from hardware to software to financial services and everywhere in between. Because a solution is not a solution unless it’s a total fit.
     • ETS has a very robust security and compliance offering with various best of breed partners to further strengthen our efforts to keep your business secure and compliant.
  21. Any Questions?
     Exceptional Technology Solutions, LLC
     419 Rice Road, Tyler, Texas 75703
     903 509 0008 Local
     877 281 0008 Toll Free
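The PCI DSS logging requirements on slide 5 (10.6 review logs at least daily, 10.7 keep three months online and retain a year) say what must be true of a log archive but not how an organization would verify it before an auditor does. The script below is an added example written for this page, not tooling from the presentation or from ETS; it takes an inventory of the dates for which daily log files exist (online and archived) and the dates on which a review was recorded, and reports every day in each window that is not covered. The inventory, the missing days and the fixed "today" are constructed sample data, and the 90-day and 365-day windows are the slide's "three months" and "one year" expressed in days.

```python
from datetime import date, timedelta

# Windows taken from the PCI DSS 2.0 requirements listed on slide 5:
# 10.6 review logs at least daily; 10.7 three months online, one year retained.
ONLINE_DAYS = 90
RETAIN_DAYS = 365


def daterange(start, end):
    """Yield every date from start to end inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def uncovered(required_dates, present_dates):
    """Return the dates in required_dates that have no entry in present_dates."""
    present = set(present_dates)
    return [d for d in required_dates if d not in present]


def check_retention(online_logs, archived_logs, review_dates, today):
    """Check a log inventory against the 10.6 and 10.7 windows ending at today.

    online_logs / archived_logs: dates for which a daily log file exists
    review_dates: dates on which a log review was recorded
    Returns a dict of findings; an empty list means that check passed.
    """
    online_window = list(daterange(today - timedelta(days=ONLINE_DAYS - 1), today))
    retain_window = list(daterange(today - timedelta(days=RETAIN_DAYS - 1), today))
    return {
        "10.6_days_without_review": uncovered(online_window, review_dates),
        "10.7_online_gaps": uncovered(online_window, online_logs),
        "10.7_retention_gaps": uncovered(retain_window, set(online_logs) | set(archived_logs)),
    }


def all_pass(findings):
    """True when every check in a check_retention() result came back empty."""
    return all(not gaps for gaps in findings.values())


# Constructed sample inventory (not real data). "today" is fixed so the result
# is repeatable: online logs cover the last 100 days except one missing day,
# the archive covers the year before that except one missing day, and one
# day in the online window has no recorded review.
TODAY = date(2013, 6, 30)
ONLINE = [d for d in daterange(TODAY - timedelta(days=99), TODAY) if d != date(2013, 5, 15)]
ARCHIVE = [d for d in daterange(TODAY - timedelta(days=420), TODAY - timedelta(days=100))
           if d != date(2012, 12, 25)]
REVIEWS = [d for d in daterange(TODAY - timedelta(days=99), TODAY) if d != date(2013, 6, 29)]

if __name__ == "__main__":
    for check, gaps in check_retention(ONLINE, ARCHIVE, REVIEWS, TODAY).items():
        status = "PASS" if not gaps else "FAIL: %d day(s), first %s" % (len(gaps), gaps[0])
        print("%-26s %s" % (check, status))
```

Run against the constructed inventory it reports one day without a review, one day missing from the online window and two days missing from the one-year retention window (the archive gap plus the online gap, since 10.7 is satisfied by either copy). In practice the three lists would be built from the log store and the review log rather than hard-coded, and the script would be scheduled so that a gap is found the day it opens rather than at audit time.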