In a recent survey of IBM Power Systems users, 52% state they are focusing security investments on compliance auditing and reporting while 28% said they anticipate increased regulatory complexity as a security challenge for the remainder of the year.
Do you need to accelerate compliance for your IBM i systems? Whether it be for PCI, SOX, GDPR or other regulations, view this 15-minute webcast on-demand to learn more about:
• The importance of security risk assessments for compliance
• Implementing compliance policies that align with regulations
• Generating reports and alerts that flag compliance issues
• Trade-offs between do-it-yourself and third-party solutions
3. Compliance Requirements Are Widespread
What regulations must your organization adhere to?
[Bar chart: percentage of respondents naming each regulation; response options listed below]
Sarbanes-Oxley (SOX), JSOX
PCI DSS (Payment Card Industry Data Security Standard)
HIPAA (Health Insurance Portability and Accountability Act)
NIST 800-53 (National Institute of Standards and Technology Security and Privacy Controls)
STIG (Security Technical Implementation Guide)
HITECH (Health Information Technology for Economic and Clinical Health)
GLBA (Gramm-Leach-Bliley Act)
FISMA (Federal Information Security Management Act)
FERPA (Family Educational Rights & Privacy Act)
None
Don’t know
Other (please specify)
• Organizations are subject to a variety of regulations
• Some are subject to multiple regulations
• GDPR (not part of this 2017 survey) is now a global concern
• NYS 23 NYCRR 500 (also not part of the 2017 survey) is a growing concern
• New “regulations” are being introduced, e.g. NF525, related to cash machines & POS in France
Source: Syncsort’s 2018 State of Security Survey
4. Compliance Auditing and Reporting Insight
For the majority of IBM Power users (52%), the trend toward security investments in the coming year will focus on compliance auditing and reporting. Compliance standards such as NIST 800-53, PCI DSS, FISMA, GLBA, SOX, STIG and HIPAA require organizations to secure their networks, harden servers and desktop computers for their confidential enterprise assets, and provide network compliance reports to auditors when demanded.
5. Growing Regulatory Complexity
What security challenges does your IT organization anticipate in the coming year?
[Bar chart: percentage of respondents naming each challenge; response options listed below]
Adoption of cloud services
Increase in sophistication of attacks
Ransomware
Increased network complexity
Insufficient IT security budget
Increase in number of attacks
Growing complexity of regulations
Data becoming increasingly distributed
Threats attributed to mobile device adoption
Inadequate end-user security training
Insufficient security staffing
Inadequate IT security staff training
Inadequate security reporting/auditing/forensics tools
Lack of management support for security efforts
Growth of non-sanctioned IT (Shadow IT)
None
I don’t know
Other (please specify)
28% of respondents said that they anticipate increased regulatory complexity as a security challenge this coming year.
Source: Syncsort’s 2018 State of Resilience Report
6. Regulations
Sarbanes–Oxley Act
Enacted July 30, 2002
United States federal law
Sets requirements for U.S. public companies. Certain provisions apply to private companies.
Requires corporations to assess the effectiveness of internal controls and report this assessment annually to the SEC.
Any review of internal controls would not be complete without addressing controls around information security, including
• Security Policy
• Security Standards
• Access and Authentication
• Network Security
• Monitoring
• Segregation of Duties
Payment Card Industry Data Security Standard (PCI DSS)
V1 released on December 15, 2004
Information security standard for organizations that handle branded credit cards from the major card schemes.
Created to increase controls around cardholder data to reduce credit card fraud.
Validation of compliance is required annually.
Requires security practices including
• Firewalls
• Password security
• Cardholder data protection
• Encryption of data in motion
• Monitoring of network and data access
• Regular security testing
Health Insurance Portability and Accountability Act
Originally enacted August 21, 1996
Establishes national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Requires security practices such as
• Access control
• Electronic healthcare information protection
• Protection of data in motion
• Monitoring of system access
• Policies for reporting breaches
7. Regulations
General Data Protection Regulation (GDPR)
Enforcement date: 25 May 2018
Regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA)
Applies to all organizations doing business with EU citizens
Aims primarily to provide citizens and residents with protection and control over their personal data, including
• Access control
• Sensitive data protection
• Restricted user privileges
• System activity logging
• Risk assessments
New York Dept. of Financial Services Cybersecurity Regulation
NYS 23 NYCRR 500
Enforcement date: February 15, 2018
Requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers
Ensures the safety and soundness of New York State's financial services industry.
Requirements protect the confidentiality, integrity and availability of information systems, including
• Risk assessments
• Restricted user privileges
• Automatic logouts
• Antivirus
• Multi-factor authentication
• System activity logging
8. Challenges
For Companies to Comply with Regulations:
• Lack of knowledge
• Don’t have the technology
• Lack of resources
• Retaining knowledgeable employees
• Keeping up to date with regulations
• Having what the auditors want
• Maintaining and enhancing a current system
• Too many systems/LPARs to handle
Areas of Concern:
• Access control
• User profile management
• Elevated authority management
• Sensitive data protection
• Policy compliance management
• System activity logging
• Security violation detection and alerting
• Security risk assessment
10. Security Risk Assessment
Why do you need a risk assessment?
• Urgency for cyber risk/vulnerability assessment is growing rapidly
• Risk assessment is becoming an essential component of many regulatory compliance requirements
• An assessment tool/service is considered essential to ensure corporate sustainability
What should an assessment provide?
• Checks of system definitions and settings
• Explanation of what they mean
• Recommended changes if necessary
Assessment results should be sufficiently detailed to give guidance to the technical staff responsible for system security while providing a management overview for non-technical administrators and managers.
11. Solutions
IBM i is a great system, but security auditing is NOT turned on by default and some things need to be developed or purchased.
Compliance Acceleration
• Jump-start to Compliance
• Cross-Reference to Regulation
• Alerts, Reports, and Templates
• Professional Services
Data Privacy Solutions
• Encryption
  • Field
  • File
  • Tape
  • IFS
  • Save File
• Tokenization
• Anonymization
Multi-Factor Authentication
• Strengthens Password Security
• IBM i Logon Integration
• Voice and Mobile Authentication
HA/DR Solution
• Scalable real-time replication
• Comprehensive protection from downtime and data loss
Cross Platform Compliance
• What about your other platforms?
  • Windows
  • AIX
  • Linux
  • SQL Server
  • Oracle
Access Management
• Network Access
  • Socket – IP and Port
  • Exit Point
  • File
  • Commands
• User Management
• Object Level Security
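The slide's point that IBM i security auditing is off by default is something an administrator can verify and correct from a command line before any third-party tooling is considered. The CL commands below are an added illustration for this page, not part of the Syncsort deck or of any Syncsort product; the audit levels chosen and the receiver library and name are assumptions for the example and should come from your own security policy.

```cl
/* Added example (not from the deck): verify and enable IBM i security auditing */

/* 1. Show the current auditing configuration: the QAUDCTL and QAUDLVL      */
/*    system values and whether the QSYS/QAUDJRN audit journal exists. On a */
/*    system where auditing was never set up, QAUDCTL is *NONE and no       */
/*    QAUDJRN journal is present, so nothing is being recorded.             */
DSPSECAUD

/* 2. Enable auditing. CHGSECAUD creates QSYS/QAUDJRN and its first journal  */
/*    receiver if they do not exist and then sets the system values. The    */
/*    audit levels and receiver name here are assumptions for the example:  */
/*    authority failures, security changes, save/restore, service tools     */
/*    and program integrity failures are a common minimum for audit reports. */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUTFAIL *SECURITY *SAVRST *SERVICE *PGMFAIL) +
          JRNRCV(QGPL/AUDRCV0001)

/* 3. Confirm the system values now hold the requested settings.             */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/* 4. Produce the kind of evidence an auditor asks for: authority-failure    */
/*    (AF) entries from the audit journal, written to a spooled report.     */
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(AF) OUTPUT(*PRINT)
```

The commands are meant to be run by a profile with *AUDIT special authority. Once QAUDJRN is filling, the remaining work the slide describes (cross-referencing entries to a regulation, alerting, periodic reports) is what has to be developed or purchased; the journal itself only provides the raw record.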
12. Tradeoffs
Doing It Yourself In-House
• Resources may be stretched and pulled off project
• May need to bring in consultants or hire new employees because of lack of knowledge
• Need to stay on top of changes to the regulations
• Knowledgeable resource may leave or retire
Using 3rd party solutions
• Frees up your resources for more important projects
• Provides separation of duties
• Leverages experts in the field
• Vendor is in the business of releasing updated software
• Vendor stays informed on modifications to regulations
13. Syncsort can help with all your compliance, security or SIEM integration needs!
• Elevated Authority Management
• Secure Data Transfer
• Enhanced Password Management
• System & Database Auditing
• Access Control
• Security Risk Assessment
• SIEM Integration
• Alerts and Reports
• Sensitive Data Protection
• Compliance Acceleration
• Job Log Analysis
• Network Security
• Password Self-Service
• Supervised 4-Eyes Operations
• Log Forwarding
• Secure Data Consolidation & Distribution
Learn more at www.syncsort.com/en/assure
14. Managed Services
Protect your mission-critical data with the highest levels of availability and security with Syncsort’s exclusive Managed Resilience offerings. Let the experts of the Syncsort Global Services team handle all of the monitoring, optimization, software updates and testing of your high availability and security solutions so that staff can focus on other IT priorities.
• Reduce the chances of a security breach, an unplanned outage or a compliance violation
• Free your IT staff to work on other important projects
• Benefit from the vast experience of Syncsort experts
• Enjoy the latest availability and security features through automated software updates