5. • Federal Bureau of Investigation – Criminal Justice Information Systems
• Health Insurance Portability and Accountability Act
• Payment Card Industry - Data Security Standard
• The Sarbanes-Oxley Act of 2002
6. What is PCI-DSS
• PCI DSS applies to organizations that “store, process or transmit cardholder data” for credit cards. One of the requirements of PCI DSS is to “track…all access to network resources and cardholder data”.
7. PCI DSS 2.0 Requirements
Penalties: Fines, loss of credit card processing and level 1 merchant requirements
• 5.1.1 - Monitor zero day attacks not covered by antivirus
• 6.5 - Identify newly discovered security vulnerabilities
• 11.2 - Perform network vulnerability scans quarterly by an ASV
• 11.4 - Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
• 10.2 - Automated audit trails
• 10.3 - Capture audit trails
• 10.5 - Secure logs
• 10.6 - Review logs at least daily
• 10.7 - Maintain logs online for three months
• 10.7 - Retain audit trail for at least one year
• 6.6 - Install a web application firewall
8. HIPAA
• HIPAA includes security standards for certain health information. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, lists HIPAA-related log management needs. For example, Section 4.1 of NIST SP 800-66 describes the need to perform regular reviews of audit logs and access reports. Also, Section 4.22 specifies that documentation of actions and activities needs to be retained for at least six years.
9. • 164.308 (a)(1)(ii)(A): Risk Analysis—Conducts vulnerability assessment
• 164.308 (a)(1)(ii)(B): Risk Management—Implements security measures to reduce risk of security breaches
• 164.308 (a)(5)(ii)(B): Protection from Malicious Software—Procedures to guard against malicious software (host/network IPS)
• 164.308 (a)(6)(iii): Response & Reporting—Mitigates and documents security incidents
• 164.308 (a)(1)(ii)(D): Information System Activity Review—Procedures to review system activity
• 164.308 (a)(6)(i): Log-in Monitoring—Procedures and monitoring logs for log-in attempts (host IDS)
• 164.312 (b): Audit Controls—Procedures and mechanisms for monitoring system activity
• 164.308 (a)(1): Security Management Process—Implement policies and procedures to prevent, detect, contain and correct security violations
• 164.308 (a)(6): Incident Procedures (R)—Implement policies and procedures to address security incidents
10. Sarbanes-Oxley
• Although SOX applies primarily to financial and accounting practices, it also encompasses the information technology (IT) functions that support these practices. SOX can be supported by reviewing logs regularly to look for signs of security violations, including exploitation, as well as retaining logs and records of log reviews for future review by auditors.
11. • DS5.3 Identity Management
• DS5.4 User Account Management
• DS5.5 Security Testing, Surveillance and Monitoring
• DS5.6 Security Incident Definition
• DS5.7 Protection of Security Technology
• DS5.9 Malicious Software Prevention, Detection and Correction
• DS5.10 Network Security
• DS5.11 Exchange of Sensitive Data
• ME1 Monitor and Evaluate IT Performance
• ME1.4 Performance Assessment
• ME1.5 Board and Executive Reporting
• ME1.6 Remedial Actions
12. • Since July 2010 ETS has been approved to work with Police Departments, Fire Departments, EMT and 911 Data Centers through the Texas Department of Public Safety and the Federal Bureau of Investigation. All of our managers, technicians and engineers are required to be approved by TLETS/CJIS before we allow them to work on any of our clients.
13. What is CJIS/TLETS
• TLETS provides intrastate interconnectivity for criminal justice agencies to a variety of local, state, and federal database systems. Additionally, TLETS’ link with Nlets, the International Justice and Public Safety Network, facilitates exchange between criminal justice agencies across the state of Texas and their counterparts in other states. The link with Nlets allows DPS to provide critical information to the national criminal justice community and allows TLETS operators to obtain information from a variety of database services from other states, Canada, Interpol, and private companies.
14. The CJIS Addendum requirements are outlined in a 46-page addendum published by the FBI and collaboratively through the Texas Department of Public Safety TLETS agency. The Addendum outlines every aspect of IT security:
• User security and access
• Logging
• Hardware management
• Software management
• Mobility
• BYOD
• Mobile data terminals
• Firewall and workstation security and updates… and many more.
16. How to get compliant.
• Attaining and maintaining any of the compliances we have talked about today can be a daunting, scary proposition.
• Especially with the constant threat of the government handing out charges and fines, and in some cases the threat of the loss of your business.
• Here are a few suggestions to help you get started.
17. How to get Compliant
Work with an industry consultant. The task of getting and staying compliant can be a long, difficult and expensive road. Consultants are going to be able to tell you what you need, when you need it and what you can safely disregard. Good consultant services are going to stand by you if and when you have an audit, to assist you in getting through the audit and take care of any failure points the audit may draw out.
18. How to get Compliant
• Partner with a good, well respected Authorized Scanning Vendor.
• ETS partners with AlertLogic because they are located in Texas, they have one of the best reputations in the industry and they have a broad, transparent base of services that cover all the major compliances that are out today.
19. How to get Compliant
• Install a really good firewall. This will not be cheap. If you would buy it to put it in your house, you need to leave it there.
• A good firewall will provide Gateway AV, spam handling, Intrusion Prevention, Zero Day Protection and Multi-Layer Packet Scanning, and will be compliant with one of the major national compliance standards. Watchguard is our preferred firewall and it is FIPS 140-2 compliant as well as CIPA compliant.
20. How to get Compliant
• Get good, solid, offsite backup. The more secure the better. The encryption on the backup should be no less than 128-bit AES.
• Make sure that you can access your backups in real time.
• Make sure the backup company practices their recoveries.
• Make sure the transmission from your site to the backup site is encrypted with at least 128-bit AES.
• Discuss a disaster recovery plan with your backup provider and get it in writing to ensure that everyone is on the same sheet of paper when the inevitable happens.
21. How to get Compliant
• GET GOOD ANTI-VIRUS… If it has the word FREE anywhere in it, you are most likely violating the EULA by using it in a business environment.
• Free anti-virus has its place. Not in a secure, audited business network.
• Make sure you set your patches and updates to run when new software comes out so you always have the latest security updates. If you have a good IT company or person, they should be making sure that is done for you. Ask for proof it is being done.
• Anti-virus is like a flu shot. It is your best defense against having a sick computer.
22. To Wrap Up…
• ETS is a premier East Texas based IT solutions company that specializes in Managed Services, Cloud Services and Advanced Professional Services.
• At ETS we do not sell products… We partner with our clients to provide the best solutions, from hardware to software to financial services and everywhere in between. Because a solution is not a solution unless it’s a total fit.
• ETS has a very robust security and compliance offering with various best-of-breed partners to further strengthen our efforts to keep your business secure and compliant.