Compliments of Trend Micro Special Edition
Conquering Compliance
Learn to:
• Reduce the cost and complexity of security compliance
• Solve the toughest regulatory compliance challenges
• Maximize the real security value of your investments
Kevin Faulkner
Lawrence Miller
Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years’ experience, Trend delivers top-ranked security that fits customer needs, stops new threats faster, and protects data in physical, virtualized, and cloud environments.
Trend Micro Enterprise Security is a tightly integrated offering of content security products, services, and solutions powered by the Smart Protection Network. Together they keep customers both compliant and secure by addressing a broad range of compliance controls, solving tough compliance challenges, and delivering maximum protection with minimal complexity.
These materials are the copyright of Wiley Publishing, Inc. and any
dissemination, distribution, or unauthorized use is strictly prohibited.
Conquering Compliance For Dummies, Trend Micro Special Edition
by Kevin Faulkner and Lawrence Miller
Introduction
In the not-too-distant past, information security and compliance for most organizations was the exclusive dominion of a small security staff with little or no support (or budget), engaged in a tug-of-war with users that constantly sought creative new ways to circumvent seemingly needless security measures that hindered productivity.
But now that PCI, HIPAA, SOX, and a plethora of European and other privacy regulations have become a part of our modern lexicon, information security and regulatory compliance have become the focus of many corporate boards and senior managers — and the subject of this book!
About This Book
This book explains the challenges of regulatory compliance and how to address these challenges using a holistic, cost-effective approach that not only helps you achieve compliance across all applicable regulations but also get real security for your organization and your valuable data.
We show you how to achieve and maintain compliance by:
✓ Focusing on core cross-regulation controls
✓ Conquering the toughest compliance challenges
✓ Maximizing your protection and minimizing your costs
Simply stated, that’s compliance without compromise!
The contents of this custom book were provided by and published specifically for Trend Micro.
Foolish Assumptions
We assume that you’re reading this book because you’re responsible for ensuring that your organization complies with a myriad of government and industry regulations — and you need some help. You may be a corporate officer, executive, or other senior manager, or you may be an IT security manager, network engineer, or system administrator.
We assume that you have at least a basic understanding of the key security and privacy regulations that are relevant to your industry, the technology challenges of compliance, and a desire to make your compliance programs simpler and more cost-effective.
How This Book Is Organized
This book consists of six short chapters, summarized below.
Chapter 1: Understanding the Compliance Mandate
We start by exploring the regulatory landscape and clarifying the differences between security and compliance.
Chapter 2: Targeting Core Compliance Controls
In this chapter, we present a comprehensive, secure-once approach to achieving cross-regulatory compliance by identifying common technical controls and themes.
Chapter 3: Addressing Compliance Challenges
In this chapter, we discuss how to deal with specific compliance challenges, including evolving technology trends such as virtualization, teleworking, and cloud computing.
Chapter 4: Charging Through PCI DSS
Chapter 4 focuses on the Payment Card Industry Data Security Standard (PCI DSS), showing you how to cost-effectively safeguard your business infrastructure and cardholder data — achieving both security and compliance.
Chapter 5: Examining HIPAA and Healthcare Compliance
Next, we take a closer look at U.S. HIPAA and other regulatory and privacy challenges facing the healthcare industry.
Chapter 6: Ten Reasons to Use Trend Micro Enterprise Security
Finally, in true For Dummies form, we conclude with a list of great reasons to use Trend Micro Enterprise Security solutions to help you achieve compliance without compromise!
Icons Used in This Book
Throughout this book, we occasionally use icons to call attention to important information that is particularly worth noting. Here’s what to look for and what to expect:
This icon points out information that may well be worth committing to memory.
This icon explains material of a technical nature and may be of more interest to a tech-savvy reader.
This icon points out potential pitfalls and easily confused or difficult-to-understand terms and concepts.
This icon points out helpful suggestions and useful nuggets of information that may just save you some time and headaches.
Where to Go from Here
Each chapter in this book is written to stand on its own. You don’t necessarily need to start at the beginning to follow a storyline! Chapters 2 and 3 give you the insights you need to effectively tackle most any regulation worldwide, while Chapters 4 and 5 target the specific requirements of PCI and HIPAA. So jump right in wherever it makes the most sense for you.
At a minimum, we recommend reading Chapters 2 and 3 to gain insights into solving cross-regulation compliance challenges. Finally, Chapter 6 will show you how Trend Micro Enterprise Security solutions can help you rapidly implement the cost-effective, no-compromise strategies of this book.
Or, you could just turn the page and start at the beginning!
Chapter 1
Understanding the Compliance Mandate
In This Chapter
▶ Navigating the regulatory landscape
▶ Achieving both compliance and security
With more than 400 regulations and over 10,000 overlapping controls in 38 countries, compliance has become a challenging and complex mandate for organizations everywhere.
Furthermore, the rapid pace and constantly evolving nature of technology and strategic business and IT initiatives make attaining and maintaining regulatory compliance still more difficult.
And finally, regulations typically lack detail, are subject to interpretation, and provide only minimum baseline security requirements. Thus, organizations can get compliance right, but still not be truly secure.
In this chapter, we explore the vast expanse (and expense) of the regulatory compliance landscape and its associated challenges.
The Compliance Maze
Driven by the need to protect the private data (such as personally identifiable information, financial data, and health records) of individual citizens from cybercriminals and identity thieves, governments throughout the world and at every level have caught the regulatory bug. Information security best practices are rapidly being codified with legal mandates that seek to ensure that corporate governance, internal controls, business processes, and operations of organizations in various industries are safe, sound, and secure.
These regulations often require specific controls, corporate compliance programs, audits, and public disclosures, and levy stiff penalties for noncompliance. Some of the more significant information and data security regulations include:
✓ PCI DSS: Payment Card Industry Data Security Standard. A worldwide industry mandate that establishes information security requirements for organizations that process payment card transactions (such as credit and debit cards). See Chapter 4 for more on PCI DSS.
✓ EU Data Protection Directive: The EU directive and various country-specific acts protect individual information of a private or sensitive nature.
✓ FISMA: Federal Information Security Management Act. Applicable to U.S. Government agencies and contractors.
✓ GLBA: Gramm-Leach-Bliley Act. Standards required of financial institutions relating to administrative, technical, and physical safeguards for customer records and information.
✓ HIPAA: Health Insurance Portability and Accountability Act. Security and Privacy Rules apply to “covered entities” and their business associates in the healthcare industry. See Chapter 5 for more on HIPAA.
✓ HITECH: Health Information Technology for Economic and Clinical Health Act. Provides funding for electronic health records (EHR) and safe harbor from disclosure requirements for breached data that is encrypted, among other things. See Chapter 5 for more on HITECH.
✓ SOX: Sarbanes-Oxley. Publicly traded companies must implement a framework of computer controls. Several mandates can’t be accomplished without prudent use of technology and information security.
✓ J-SOX: Formally, the Financial Instruments and Exchange Law, J-SOX is the Japanese implementation of internal controls similar to U.S. SOX.
✓ EuroSox: Comprising two EU statutes, formally known as the Statutory Audit and the Company Reporting Directives. Requires EU member states to implement internal controls similar to U.S. SOX by 2010.
✓ MITS: Management of Information Technology Security (Canada). Monitoring, lifecycle management, and technical and operational safeguards for risk mitigation, applicable to Canadian government agencies.
Compliance and Security Aren’t One and the Same
Being compliant doesn’t necessarily mean being safe and secure. Even the most stringent regulations define only a minimum baseline for good security. So it is certainly possible, if not even probable, that an organization can be fully compliant with all applicable legal requirements and standards for its industry, yet still be vulnerable to security breaches and incidents.
Regulations and standards mandate information security best practices and governance, reassure the public at large, and set forth penalties (including fines and disclosures) for noncompliance. In other words, when a noncompliant organization suffers a major security breach, security regulations ensure that there will be repercussions.
Regulatory compliance also, at least in theory, serves a more benign purpose. Disclosure laws, in addition to “shaming” an organization into compliance, are intended to give a timely warning to individuals whose private information may have been compromised. That way, the individuals may take proactive steps to avoid being victimized by identity theft.
Finally, regulations help to clarify the standards of due care and due diligence. Due care and due diligence are related, but distinctly different:
✓ Due care: In the practice of information security, due care relates to the steps that individuals or organizations take to perform their duties and implement security best practices and regulations.
✓ Due diligence: In the context of information security, due diligence commonly refers to risk identification and risk management practices.
An organization or individual that fails to exercise due care and due diligence in the performance of its duties can be found criminally negligent and personally liable.
So what is the state of enterprise security today? Trend Micro’s onsite security threat assessments of hundreds of enterprises throughout the world have shown that 100 percent are infiltrated by active malware — over 50 percent with data-stealing malware and 77 percent with bots (see Figure 1-1). Organizations need to be aware that basic compliance controls aren’t sufficient to protect against a serious security data breach.
Figure 1-1: Threats found in enterprises.
• Active malware: 100%
• Bots: 77%
• Data stealers: 56%
• Worms: 42%
And without a comprehensive security strategy and a strong understanding of regulatory issues affecting them, many organizations risk spending needlessly, while chasing redundant — or worse, conflicting — administrative, technical, or operational controls, in the quest for compliance.
Chapter 2
Targeting Core Compliance Controls
In This Chapter
▶ Getting an overview of the controls common to most regulations
▶ Covering all the controls in more depth
By focusing on the core compliance controls common to most regulations, you will help reduce cost and duplication of effort. If you properly secure once, you can meet a majority of individual compliance regulations without further effort. And when implemented appropriately, these controls put you well down the road toward a strong security posture.
Developing and implementing clear policies and processes, and selecting the right technology solutions that support a broad range of common security mandates, will help organizations succeed in their quest to achieve cost-effective security and compliance.
Addressing Core Controls
For the most part, information security and privacy regulations are based on well-established information security best practices. Because many of these best practices are common across regulations, focusing your efforts on these core controls, and adopting a technology infrastructure that meets the intent of the various compliance mandates, will allow you to build a strong security foundation while simultaneously satisfying many of the compliance requirements applicable to your organization. These core compliance controls are identified and described in the following sections.
The core compliance controls are directly specified or implied by a broad range of regulatory and IT standards across the globe. The core security compliance controls and a few examples of applicable regulations are listed in Figure 2-1.
Figure 2-1: Core security compliance controls and examples of regulations.
Core Security Compliance Controls:
• IT Risk Assessment
• Vulnerability & Patch Mgt
• IT Policy Adherence
• Incident Response
• Sensitive Data Protection
• Firewall, IDS/IPS
• Anti-virus/Anti-malware
• Anti-spam/Anti-phishing
• Logging & Reporting
Examples of applicable regulations, by category:
• Privacy Laws: EU Data Protection Directive; Australia Privacy Act; Canada PIPEDA
• Financial Fraud Protection: SOX; J-SOX
• Government IT Security: US FISMA; NIST; Canada MITS
• Credit Card Security: PCI DSS
• Healthcare Data Privacy: US HIPAA; US HITECH Act
• Financial Data Privacy: US GLBA
• IT Frameworks: COBIT; COSO; ITIL; ISO
• Other Regulation & Standards: US NERC, FERC; UK, German, Swiss Data Protection; SysTrust; USAe 3402
See Appendixes A and B to learn how the core controls specifically apply to HIPAA and PCI.
IT Risk Assessment
Maintaining an ongoing security risk assessment program helps an organization identify relevant assets that must be protected, and what threats and vulnerabilities they must be protected against.
A risk assessment is a critical early (and ongoing) step in the IT risk management process. A risk assessment identifies three specific elements of risk:
✓ Assets. This includes an inventory and valuation of all organizational information assets including systems, devices, applications, data, and processes.
✓ Threats. This includes an analysis to determine actual threats, possible consequences, likelihood of occurrence, and probable frequency.
✓ Vulnerabilities. This includes a vulnerability assessment to determine weaknesses and to establish a baseline for determining appropriate and necessary safeguards.
Don’t confuse vulnerability assessments with vulnerability management (discussed later in this chapter). They are distinctly different concepts.
Vulnerability and Patch Management
Effective vulnerability management requires periodic and frequent (automated) scans of all systems, applications, and network devices to identify, prioritize, mitigate, and patch security vulnerabilities that may be exploited.
A vulnerability in information security is defined as the absence or weakness of a safeguard in an information asset that makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.
Vulnerabilities can exist for a number of reasons, including:
✓ Programming/development bugs or flaws
✓ Improper system or device configurations
✓ Human errors
Additionally, new vulnerabilities are discovered, literally every day, because:
✓ Flaws and weaknesses are discovered in both new and legacy information assets
✓ New flaws and weaknesses are created by changes to existing information assets, such as configuration changes, software updates, and patches
Patch management must be performed regularly to ensure applications, databases, and systems are updated with the latest security patches provided by the product vendors.
Virtual patching or shielding refers to using rules defined in IDS/IPS agents to stop known vulnerabilities from being exploited. Virtual patching is an excellent security practice that provides protection until patches can be deployed. It may also be accepted as a compensating control for systems that are difficult or impossible to patch in a timely manner.
Effective patch management requires awareness of new vulnerabilities and security patches, risk analysis, optional virtual patching, and the testing, deployment, and verification of final patches.
IT Policy Adherence
Assuring endpoint and server compliance with OS configuration and application access control policies increases security and allows organizations to clearly document compliance with security regulations and company policies.
A formal, written security policy — along with supporting standards, guidelines, and procedures — forms the basis for the organization’s information security program.
Incident Response
A well-written incident response plan helps ensure that properly trained personnel can quickly and effectively respond to a security incident in order to minimize the potential damage and return the business to normal operation.
An incident response plan should include detailed procedures and technologies that will be used to rapidly address all foreseeable incidents.
Sensitive Data Protection
Organizations must locate, identify, classify, and protect regulated data, whether it is being stored (at rest), processed (in use), or transmitted (in motion).
Data loss prevention (DLP) is critical to stopping accidental and malicious data leaks. A robust DLP solution helps you:
✓ Discover, monitor, block, and encrypt sensitive data.
✓ Control removable media and I/O devices such as USB drives, CD/DVD, Bluetooth, and external drives.
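The “discover” step is where a DLP engine has to tell regulated data apart from look-alike numbers. As an added example (not code from this book or from Trend Micro’s products), the Python below scans a constructed e-mail body for candidate payment card numbers, confirms each with the Luhn check digit so that order references and phone numbers are not flagged, and produces a masked form suitable for an incident report. The pattern, the sample text, and the helper names are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Candidate primary account numbers (PANs): 13-19 digits, optionally split by
# single spaces or dashes. Constructed pattern for this example; production DLP
# adds issuer prefix tables and context rules on top of a check like this.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True when the digit string satisfies the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    start: int   # offset of the match in the scanned text
    end: int
    masked: str  # last four digits kept, everything else replaced by '*'


def find_pans(text: str) -> list[Finding]:
    """Discover PANs in free text; a match must have 13-19 digits and pass Luhn."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding(m.start(), m.end(), masked))
    return findings


def redact(text: str) -> str:
    """Return the text with every confirmed PAN replaced by its masked form."""
    out, pos = [], 0
    for f in find_pans(text):
        out.append(text[pos:f.start])
        out.append(f.masked)
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample: two well-known test PANs plus look-alike numbers that a
# naive "13 or more digits" rule would wrongly flag.
SAMPLE_EMAIL = (
    "Hi, the customer paid with card 4111 1111 1111 1111 (exp 12/27).\n"
    "Order reference 1234567890123 shipped; call 555-0100 with questions.\n"
    "Backup card on file: 5500-0000-0000-0004\n"
)

if __name__ == "__main__":
    for f in find_pans(SAMPLE_EMAIL):
        print(f"PAN at offset {f.start}: {f.masked}")
    print(redact(SAMPLE_EMAIL))
```

The Luhn step is what keeps the false-positive rate workable: the 13-digit order reference in the sample matches the digit pattern but fails the checksum, so it is left untouched while both real test PANs are masked.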
Encryption has almost universally become the accepted standard for protecting the confidentiality of sensitive data. Encryption solutions can be hardware- or software-based, and can encrypt sensitive files on an entire disk (full-disk encryption) or at an individual file or folder level (file-based encryption). Under many laws and regulations, an organization that suffers a data loss incident may be able to avoid any public disclosure requirements or penalties if the data was properly encrypted.
Firewalls and Intrusion Detection/Prevention (IDS/IPS)
Firewall and IDS/IPS protection is generally required for systems that process or house regulated data.
These systems have traditionally been deployed at the corporate perimeter. However, with increasingly mobile employees and the advent of virtualization, host-based (or endpoint) firewalls and intrusion detection/prevention systems are becoming increasingly necessary.
Anti-Virus and Anti-Malware
Since the early days of computing, anti-virus software has been, and remains, a basic and vital component of security. Anti-malware protects systems and data from viruses, as well as Trojans, worms, spyware, and other threats. Anti-malware can be signature-based and/or behavior-based. However, many non-standard, critical, and legacy devices may not be compatible with traditional anti-malware software that is typically installed directly on a system or device. Instead, network-based anti-malware solutions may be necessary.
Anti-Spam and Anti-Phishing
Protection from e-mail and blended e-mail/Web threats is vital to the security of employee devices and to blocking the entry of malware into corporate infrastructure.
Spam and phishing have evolved from the preferred method for directly spreading malware to become the preferred way to lure users to malicious Web sites where data-stealing malware can be unwittingly downloaded. State-of-the-art e-mail protection solutions now include Web site reputation capabilities to help protect users from these dangerous embedded e-mail links.
Logging and Reporting
Organizations must ensure that secure log files are created and maintained on all systems and devices in order to identify and respond to security incidents and enforce policy compliance. Detailed reporting capabilities are needed to demonstrate compliance to management, auditors, and customers.
Log files are only valuable when someone is monitoring them for unusual or suspicious activity. Additionally, active monitoring may also be required to ensure compliance. Automated log collection and analysis tools are required to make these tasks efficient and effective.
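Active monitoring is what turns collected log files into something an incident responder can act on. The Python below is an added example of the kind of automated analysis such a tool performs; it is not code from this book or from Trend Micro. It parses constructed sshd-style authentication lines, keeps a sliding window of failed logins per source address, raises an alert when a burst crosses a threshold, and raises a second, higher-priority alert when a login succeeds right after such a burst. The log lines, the threshold and window values, and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# sshd authentication lines in classic syslog form (constructed format for this
# example; adjust the pattern to the log source you actually collect).
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass
class Alert:
    kind: str    # "brute_force" or "success_after_failures"
    src: str     # source address the events came from
    user: str    # account named in the triggering line
    ts: str      # timestamp text of the triggering line


def parse_ts(ts: str) -> datetime:
    """Syslog timestamps carry no year; assume all lines fall in one year."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def analyze(lines, threshold: int = 5, window_seconds: int = 60) -> list[Alert]:
    """Sliding-window failed-login detector over already-collected log lines."""
    failures = defaultdict(deque)   # src address -> timestamps of recent failures
    alerts: list[Alert] = []
    for line in lines:
        m = AUTH_LINE.match(line)
        if not m:
            continue                # not an authentication event this rule models
        t, src = parse_ts(m["ts"]), m["src"]
        recent = failures[src]
        while recent and (t - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # drop failures that fell out of the window
        if m["result"] == "Failed":
            recent.append(t)
            if len(recent) == threshold:   # fire once, as the burst crosses the line
                alerts.append(Alert("brute_force", src, m["user"], m["ts"]))
        else:
            if len(recent) >= threshold:   # a success right after a burst is the one to chase
                alerts.append(Alert("success_after_failures", src, m["user"], m["ts"]))
            recent.clear()                 # start a fresh window once a login got in
    return alerts


# Constructed sample lines using documentation address ranges; the CRON line
# shows that unrelated records are skipped rather than breaking the parser.
SAMPLE_LOG = [
    "Mar 10 08:01:01 srv1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar 10 08:01:03 srv1 sshd[2001]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Mar 10 08:01:04 srv1 sshd[2001]: Failed password for root from 203.0.113.7 port 51131 ssh2",
    "Mar 10 08:01:06 srv1 sshd[2001]: Failed password for root from 203.0.113.7 port 51140 ssh2",
    "Mar 10 08:01:09 srv1 sshd[2001]: Failed password for root from 203.0.113.7 port 51141 ssh2",
    "Mar 10 08:01:12 srv1 sshd[2001]: Accepted password for root from 203.0.113.7 port 51150 ssh2",
    "Mar 10 08:02:00 srv1 CRON[2005]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar 10 08:05:00 srv1 sshd[2010]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Mar 10 08:05:30 srv1 sshd[2011]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.kind:24s} src={a.src} user={a.user}")
```

In the sample, the single mistyped password from 198.51.100.4 never reaches the threshold and produces nothing, while the burst from 203.0.113.7 produces one brute-force alert and then a success-after-failures alert that should be treated as a probable compromise rather than as noise.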
Chapter 3
Addressing Compliance Challenges
In This Chapter
▶ Tackling the toughest operating environments
▶ Securing virtual and cloud infrastructures
▶ Automating visibility and risk management
Your organization’s unique operating environment, business and IT initiatives, and everyday constraints create tough challenges for your security and compliance posture that include:
✓ Risk visibility and control
✓ Server and desktop virtualization
✓ Public cloud computing
✓ Web sites and portals
✓ Non-standard and legacy systems
✓ Distributed locations
✓ Worker mobility
✓ Mitigating information risk
Evolving Technology
Technology evolves quickly, but regulations don’t. Current trends include server and desktop virtualization and public cloud computing, which enable your organization to rapidly adapt to new business requirements with minimal IT infrastructure and investment. What are the risks? How can you remain compliant?
Server and desktop virtualization
Virtualization is one of the hottest trends in enterprise IT today. Server virtualization provides significant direct cost savings in terms of server hardware and operating expenses, and allows companies to embrace the efficiencies of a private cloud IT model. Desktop virtualization is also a rapidly growing trend due to its ability to significantly reduce PC costs, management complexity, and enterprise risk.
According to IDC, virtualization is now the default approach at most enterprise IT organizations, and Gartner projects that the number of virtual machines will grow ten times by 2012.
But the complexity and fluidity of virtualized environments pose special security and compliance challenges, rendering perimeter-based firewalls, intrusion detection and prevention systems (IDS/IPS), as well as traditional anti-malware protection insufficient to prevent attacks on virtual machines. According to Information Week, 88 percent of North American enterprises don’t have a virtualization security strategy in place — leaving them both at risk and noncompliant.
Some specific security and compliance challenges associated with virtual server and desktop environments include:
✓ Inter-VM traffic. Traditional network IPS systems are blind to potentially malicious inter-VM traffic.
✓ VM mobility. Virtual machine migration provides flexibility and resilience, but creates configuration and update difficulties for traditional perimeter security.
✓ Dormant VMs. Dormant VMs can’t run scanning agents, download signatures, or install patches, yet they’re still vulnerable to tampering and open to immediate attack upon reactivation.
✓ Resource contention and full system scans. Standard anti-malware solutions aren’t VM-aware and thus simultaneous scanning can cause severe performance degradation.
The best answer is system self-defense. Look for host-based virtualization-aware solutions that can secure both physical and virtual servers and endpoints with the same levels of protection, integrity monitoring, compliance controls, and performance. A solution should include the following capabilities:
✓ Protection from both conventional and new virtual threats
✓ Optimized for virtualization system performance
✓ Integrated with VMware and/or Citrix management
✓ Software-based, single agent/appliance deployment
Cloud computing
While most organizations are already experiencing the savings of virtualization and private cloud computing, industry experts predict that many enterprises will also eventually adopt public cloud computing (that is, making use of publicly shared general-purpose server and storage services) to further enable business agility and IT savings. However, in addition to all the security threats inherent in virtualization, public cloud computing poses unique security and compliance challenges to systems and data, including:
✓ Compliance framework and risk responsibility. Cloud computing creates unique compliance challenges. Service providers know this and, for the most part, simply pass liability for compliance on to you, the customer.
✓ Multi-tenancy. VMs for different customers with varying security policies may coexist with your VMs.
✓ Data protection. Encryption of application and system data is vital in a publicly shared environment.
✓ Lack of security visibility. Your virtual infrastructure is remotely located and thus real-time visibility and control are of concern.
You’re ultimately on your own for compliance and risk management in the public cloud. To protect your total computing environment, choose specialized solutions that include:
✓ Dedicated virtualization host protection
✓ Volume-level data encryption to protect data at all times
✓ Strong remote management for systems security and encryption key management
Business Innovations
Innovations such as mobile technology and Web sites with dynamic content and powerful capabilities are challenging traditional perimeter-based security and compliance solutions.
Web sites and portals
Your Web site’s public exposure and ever-changing content make it extremely attractive to cybercriminals attempting to steal private customer information or sensitive company data. And although it is less of a motive for hackers today, a compromised or defaced Web site can still do major harm to an organization’s reputation.
Web sites and external portals need the same host protection and vulnerability management as any mission-critical server, plus specific application vulnerability scanning, virtual application patching, and perhaps approved PCI scanning to ensure protection of your data, and more importantly, your reputation.
Worker mobility
Today’s workforce is more mobile than ever, with laptop PCs, smartphones, and other portable devices enabling work from practically anywhere, at any time.
Teleworking creates new security and compliance challenges, because remote employees working outside the corporate perimeter must be as protected as any office worker. Remote access security, personal use of devices, and the potential for data leakage must be addressed. Smartphones and wireless devices (such as Blackberries and iPhones) are capable of carrying as much (sensitive) data as a laptop PC, and are far more susceptible to loss or theft. How can you effectively manage compliance in your mobile workforce?
Only a cloud-enabled endpoint security solution can protect a full range of devices from Web, e-mail, and file threats wherever they roam. You’ll also want to investigate endpoint encryption and DLP — they’re becoming essential as these devices increasingly store protected data.
Implementation Difficulties
Applying security and compliance controls to a highly distrib-
uted store/branch environment or to non-standard systems can
be difficult and cost-prohibitive. And implementing risk man-
agement and data protection solutions that truly fit your par-
ticular needs requires a clear strategy and strong processes.
Risk visibility and control
Everyone’s familiar with the constant drumbeat of software vulnerabilities and subsequent exploits, and it’s critical that you be able to rapidly and reliably discover and mitigate them. How can you automate this process? How do you protect systems when patches aren’t yet available? How do you ensure employees follow your organization’s IT security policies?
But managing security risks isn’t just about vulnerability and policy management. Even the best vulnerability management and security defenses can be penetrated by zero-day and targeted threats. And once they’re in, they’re difficult to detect with standard security tools.
An end-to-end vulnerability management strategy involves multiple products and procedures to rigorously discover, shield, and successfully patch systems on a continual basis. The best place to start is with a vulnerability management platform that offers scanning plus overall process management. Consider addressing your risk visibility challenges with a threat management solution that offers continual network-level infiltration discovery and remediation.
Silgan Containers dramatically improves risk visibility and incident response
With more than 38 manufacturing plants, Silgan Containers (www.silgancontainers.com) is the largest manufacturer of metal food containers in its markets. Its customers include many of the biggest names in the food industry, and the company’s continued success depends on its uninterrupted supply lines.
Although Silgan has a robust, multi-layered security solution protecting the company’s infrastructure, infections still occurred and IT had to devote significant resources to monitoring security status and ensuring that employees were not breaking security policies. Clean-up efforts consumed valuable IT time and IT lacked the overall risk visibility and control it desired.
“We deployed the Trend Micro Threat Discovery Appliance to gain insights into the state of our security,” explained Michael Draeger, in charge of network and computer security for all Silgan Containers sites. “Before we had this solution, we had no way to really see where our vulnerabilities were. As an extra layer on top of our existing security solutions, Trend Micro Threat Management Services tells me exactly what’s happening on the network.”
As a result, IT has gained more control of security. The increased visibility provided by Threat Management Services reports has helped them strengthen overall security and more effectively enforce company policies. Automatic remediation speeds incident response actions while saving time for IT.
“With Threat Management Services, infections are being caught and cleaned up without taking hours of my time,” said Draeger. “With the overwatch provided by Threat Management Services, we now have a stronger level of confidence that we have ultimate protection of corporate assets . . . I gain the visibility and control over my security posture that I’ve never had before.”
The key benefits of the Trend Micro solution include:
✓ Continuous risk assessment: Detailed daily threat discovery reports and analysis expose active threats and malicious activity.
✓ Incident response: Automated detection and remediation cuts management costs by 50 percent.
✓ Management reporting: Security posture and policy adherence evaluation and guidance.
Non-standard systems and devices
Many businesses depend on a range of legacy or proprietary systems, dedicated devices, and sensitive servers that can’t be directly secured by traditional anti-malware and security solutions. And even when third-party security software is supported, running it on these systems may not be desirable.
For example, MRI scanners, X-ray machines, and other patient care devices used in the healthcare industry are typically closed, proprietary systems. Similarly, within the retail industry, point-of-sale (POS) systems and inventory control systems often operate on proprietary or legacy systems and software.
Bring your non-standard and sensitive systems into compliance with a network-based solution that can provide a non-intrusive, agentless anti-virus compensating control by detecting active infiltrations and providing an immediate alert and remediation assistance.
Mitigating Information Risk
Encryption of e-mails containing protected data is a core requirement, but PKI-based (public key infrastructure based) encryption is notoriously complex and burdensome to administer and use. Data Loss Prevention (DLP) can play an important role in regulatory and policy compliance and overall information risk assessment via sensitive data discovery, monitoring, and blocking. But organizational and protection needs vary widely. For some, full endpoint protection is a necessity, for others, a network solution is sufficient, and for yet others a less-robust “DLP lite” is desired.
Regulations focus primarily on custodial data — the private data that corporations keep on their customers. And although protecting this data is the whole point of compliance, analysts estimate that the value of this data is less than half that of the corporate IP data not covered by compliance. So a compliance-dominated data protection program may be leaving much of your valuable data at unwarranted risk.
Integrate DLP into your data protection strategy with a solution that offers the flexibility of deployment and protection levels that best suit your needs. Consider identity-based encryption as an equally powerful, but more effective encryption alternative to PKI solutions.
Distributed Locations
Industries such as hospitality, food service, retail, and, increasingly, healthcare are dependent on extremely distributed branch/store environments. Each location typically has a simple flat, mixed-use network, POS, and other specialty devices, and limited, if any, local IT staffing. These challenges multiplied by hundreds or thousands of sites make security and compliance especially difficult and costly.
Investigate host-based software solutions that provide firewall, IPS, integrity monitoring, and other protections to critical host systems without the cost and ongoing management complexity of perimeter security devices.
Chapter 4
Charging Through PCI DSS
In This Chapter
▶ Getting the basics of PCI DSS
▶ Identifying and addressing PCI compliance challenges
The Payment Card Industry Data Security Standard (PCI DSS or simply, PCI) is a worldwide industry initiative that specifies and enforces security standards to protect sensitive cardholder data from theft. PCI was created by the major payment card brands to protect themselves (and consumers) from the theft and fraudulent use of the primary account number (PAN) and sensitive authentication data that allows us all to confidently spend our money.
In this chapter, we explore PCI compliance requirements, challenges, and solutions.
Understanding PCI Requirements
PCI applies to any business that transmits, processes, or stores credit card transactions — regardless of whether a business processes thousands of transactions a day, or a single transaction a year. Compliance is mandated and enforced by the payment card brands (American Express, MasterCard, Visa, and others) and each manages its own compliance program.
Merchants and processors are categorized into levels by the number of yearly transactions they manage (see Table 4-1). And while all levels must comply with the requirements, only level 1 and 2 merchants must undergo a yearly on-site audit by a Qualified Security Assessor (QSA).
Table 4-1 Merchant Categories for PCI
PCI Level   Transactions Per Year   Onsite Audit   Self-Assessment   Network Scan
1           > 6M                    Annually       -                 Quarterly
2           1M – 6M                 Annually*      -                 Quarterly
3           20K – 1M                -              Annually          Quarterly
4           < 20K                   -              Annually          Quarterly
* MasterCard merchants only, at the time of this writing
PCI version 1.2 consists of six core principles, supported by 12 accompanying requirements, and more than 200 specific controls for compliance. Compared to most security regulations, PCI is both broader in scope and more precise in specification detail. Although it is far from being a full blueprint for enterprise security, it is credited with raising the security standards and awareness of many organizations around the world.
PCI is a living specification that is expanded and amended on a regular basis by a cross-industry working group. PCI audit standards are also periodically evolving to better encompass new technologies and to tighten enforcement criteria.
Penalties for noncompliance are levied by the payment card brands and are some of the toughest among security regulations. These currently include:
✓ Fines up to $25,000 per month for minor violations.
✓ Fines up to $500,000 for violations that result in actual lost or stolen financial data.
✓ Loss of card processing authorization, making it almost impossible for many businesses to function.
See Appendix B for a mapping of core controls to PCI requirements.
Handling Top PCI Challenges
Achieving and maintaining PCI compliance in a dynamic business and technology environment is no simple task. Building a security compliance solution strategy to handle the core controls (see Chapter 2) is essential, but you will also need to solve many tough compliance challenges that are covered in Chapter 3 and the following sections.
Virtualization
The topics of virtualization and cloud computing aren’t specifically addressed by the current PCI requirements, leaving appropriate judgments to QSAs and their clients. But the complexity and dynamic nature of virtualized environments clearly pose security and compliance challenges beyond the protection capabilities of perimeter-based firewalls, intrusion detection and prevention systems (IDS/IPS), as well as traditional anti-malware protection. How do you virtualize your systems with confidence?
Look for a virtualization-aware solution that can secure against new virtualization threats but can also provide both physical and virtual servers with the same levels of protection, integrity monitoring, PCI compliance controls, and performance.
Risk visibility and control
The broad topic of risk management is addressed in several ways by the PCI standard. PCI recognizes the importance of vulnerability management — specifying requirements for continual scanning and timely patch deployment. It also recognizes the need for policy compliance and regular security assessments. But automating the execution of these error-prone and costly processes requires a sound strategy and a special set of technology solutions.
An end-to-end vulnerability management strategy involves multiple products and procedures to rigorously discover, shield, and successfully patch systems on a continual basis. The best place to start is with a vulnerability management platform that offers scanning plus overall process management. Consider that virtual patching can be used as a best practice and compensating control to close your window of exposure to vulnerabilities, protect “unpatchable” systems, and eliminate costly ad-hoc and emergency patching.
E-commerce Web sites
Despite their importance to e-commerce and your company’s reputation, Web sites remain extremely vulnerable to attack and hijacking, putting both individual customers and your entire database at risk.
PCI sets specific baseline scanning requirements for Web site security, but how can you be certain you’ve got the best protection against sophisticated SQL injection attacks and other threats used to exploit your ever-changing Web content?
Your Web site needs much more than PCI scanning to be protected. You’ll want the same host protection and vulnerability management as any mission-critical server, plus specific Web application vulnerability scanning to ensure protection of your dynamic Web content.
Distributed locations
Network-based perimeter security is cost-prohibitive for any widely dispersed business such as retail, hospitality, and increasingly, healthcare. These distributed locations typically have flat, multi-use networks, specialty POS and other devices, and little or no local IT management. How can you protect in-scope systems at distributed locations in a cost effective manner?
Investigate host-based software solutions that provide firewall, IPS, integrity management, virtual patching, and other protections to critical host systems without the cost and ongoing management complexity of perimeter security devices and multiple agent solutions.
Noodles & Company – Beyond PCI
Noodles & Company (www.noodles.com) has more than 230 restaurants in 18 states. The company is committed to employing the best possible security technology for protecting customers’ credit card information. In fact, Noodles & Company doesn’t just want to meet PCI requirements — they want to exceed them. “We like to think of PCI as a baseline — we are looking to pass, and also pass with flying colors,” said Nick Fields, a senior IT systems administrator at Noodles & Company. “We feel we are ahead of a lot of the industry, and we want to stay there.”
As the company has grown, software solutions became a more cost-effective alternative to hardware firewall appliances at each restaurant. “We chose Trend Micro Deep Security because it helps us address the major PCI compliance requirements with features like file integrity monitoring. It helps us do all we possibly can to safeguard credit card data.”
The key benefits of the Trend Micro solution include:
✓ PCI compliance and more: Trend Micro Deep Security helps Noodles achieve compliance and meet their demanding security goals.
✓ Best TCO for distributed locations: Deep Security provides a more cost-effective solution compared to hardware appliances.
Chapter 5
Examining HIPAA and
Healthcare Compliance
In This Chapter
▶ Covering the basics of HIPAA, HITECH, and more
▶ Protecting ePHI data, mobile devices, medical equipment, and more
Healthcare systems throughout the world are in a time of great transition. In the U.S., for example, government mandates for electronic medical records/electronic health records (EMR/EHR) systems are linked to increasing privacy and security regulations for electronic Protected Health Information (ePHI). Around the globe, technology advances are causing a growing privacy focus among government regulators. Targeting the core controls (see Chapter 2) will help healthcare organizations comply with the regulations they face, but they also must solve many tough compliance challenges (see Chapter 3) that we cover in this chapter.
The terms electronic medical record (EMR) and electronic health record (EHR) are increasingly used interchangeably. Technically, an EMR is the health-related information about an individual within a single care provider organization, whereas an EHR is the aggregate health-related information about an individual across multiple organizations. For simplicity, we refer to both as an EHR.
Although EHR systems may ultimately lead to more efficient and effective patient care, they also increase the threat of cybercrime and large-scale breaches of ePHI. Moreover, increased reliance on IT and EHR systems means that a security risk or vulnerability has the potential to be life-threatening. Compliance with security regulations will guide healthcare providers of all types to mitigate their risk, but maximizing protection of these complex operations requires a broader strategy.
Healthcare organizations throughout the world are facing similar security and compliance challenges as those outlined in this chapter. Addressing core controls is an effective strategy to meet these and other regulations that may apply.
In this chapter, we take a closer look at healthcare regulations and compliance issues. See Appendix A for details on how the core controls map to HIPAA and HITECH requirements.
Regulatory Compliance in the Healthcare Industry
For more than a decade, patient data privacy and security regulations have slowly evolved. But new, stricter privacy requirements, mandates for EHR modernization, and government funding are now driving the industry forward and significant investments are being made to modernize and secure their operations.
Protecting ePHI with HIPAA
The U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996 states that “covered entities” are required to employ safeguards that “ensure the confidentiality, integrity, and availability of all ePHI” under their control.
HIPAA compliance applies to covered entities (including health insurers, healthcare clearinghouses, and healthcare providers), as well as their business associates.
The HIPAA Privacy Rule consists primarily of administrative and physical controls and the HIPAA Security Rule consists of technical controls.
Mercy Memorial Hospital System maximizes compliance and business continuity
Founded in 1929, Mercy Memorial Hospital System (www.mercymemorial.org) today includes a central 238-bed, full-service community hospital complex and 28 remote locations and offices. Although HIPAA compliance and the protection of patient information on its 200 servers and 900 desktop computers is a must for the healthcare provider, business continuity is also an overarching priority.
“We must go beyond simply meeting compliance requirements, and also integrate best practices for security within our business operations,” said Eric Mynster, ITS operations manager for the organization. “We need to do everything we can to block threats to security and productivity.”
Risk assessment and prioritization is an ongoing activity within the organization, and IT wanted a security solution that could help with efforts to maintain a proactive stance for compliance and overall security. “We were looking at many individual security products — individual anti-virus, e-mail filters, spam solutions, and URL filtering — but Trend Micro offered us the value of a complete package,” said Mynster. “Trend Micro Enterprise Security was extremely competitive and covered all of our needs.”
The tightly integrated offering of content security products, services, and solutions is powered by the Trend Micro Smart Protection Network infrastructure. Together they help keep Mercy Memorial both compliant and secure by addressing a broad range of compliance controls, enabling business innovation, and delivering maximum protection with minimal complexity.
Deploying Trend Micro Enterprise Security minimized IT time spent managing security, increased the up-time for Web protection, and maximized the value obtained from the existing virtual environment. “The Trend Micro solutions have done a good job of safeguarding patient data as well as maximizing our employees’ productivity,” says Mynster.
The key benefits of the Trend Micro solution include:
✓ Meeting compliance requirements: Trend Micro helps Mercy Hospital achieve and exceed healthcare compliance controls.
✓ Minimized risks: Trend Micro Enterprise Security defense-in-depth provides maximum threat protection.
✓ Alignment with virtualization: With VMware Ready certification, Trend Micro solutions integrate into today’s virtual server environments.
Implementing the HIPAA Security Rule with NIST
In 2008, the U.S. National Institute of Standards and Technology (NIST) authored SP 800-66 Rev. 1, as a framework for federal agencies to achieve HIPAA compliance.
NIST publications are considered trusted resources for technology implementation guidance. As a result, many non-government agencies can also benefit from the technical specifications highlighted in this guide.
NIST SP 800-66 is freely available for download (along with many other great IT security resources) at http://csrc.nist.gov/publications/PubsSPs.html.
Stimulating modernization and compliance with HITECH
Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), further reinforces the existing 2014 EHR implementation mandate and provides the necessary incentives to accelerate EHR adoption and clarify key HIPAA security requirements. Key provisions of the Act include:
✓ Funding: Most significant in the Act is actual funding support for EHR conversion via ARRA funds.
✓ Risk assessments: Risk assessments can be both proactive and reactive. The Act specifically identifies risk assessments as necessary in determining, after the fact, whether an incident is indeed a breach of unsecured ePHI.
✓ Breach notification requirements: The Act specifies disclosure requirements for ePHI that is “not secured through technology or methodology.” Not only do the disclosure requirements subject the breached organization to public scrutiny, but the costs associated with notifying affected individuals can also be significant.
✓ Safe Harbor through encryption: The Act defines secured ePHI as data that is either encrypted or destroyed. It goes further to state that if secured ePHI is involved in a data breach, notification requirements do not apply. This is a significant directive, specifically prescribing encryption as both a preferred means to enforce confidentiality and as a relief from breach notification requirements.
HIPAA and HITECH compliance may be top of mind, but most large U.S. healthcare organizations are also probably subject to a number of other regulations, administrative requirements, and auditing standards, such as the following:
✓ PCI (discussed later in this chapter and in Chapter 4)
✓ U.S. Federal Trade Commission (FTC)
✓ U.S. Department of Health and Human Services (HHS)
✓ Centers for Medicare and Medicaid Services (CMS)
✓ Office of the National Coordinator (ONC)
✓ Joint Commission
✓ Certification Commission for Health Information Technology (CCHIT)
✓ Healthcare Information Technology Standards Panel (HITSP)
✓ Healthcare Information and Management Systems Society (HIMSS)
✓ Electronic Healthcare Network Accreditation Commission (EHNAC)
✓ Genetic Information Nondiscrimination Act (GINA)
✓ Various state data breach laws
✓ International Organization for Standardization (ISO)
✓ Statement on Auditing Standard 70 (SAS70)
Implementing strong core controls is the key to meeting these various requirements with minimal effort. Take a look at Appendix A to see how the core controls map to HIPAA, HITECH, and NIST.
Enabling access to electronic healthcare applications and data at BIDPO
In a joint project with its affiliated medical center, Beth Israel Deaconess Physician Organization (BIDPO) (http://bidpo.org) set out to provide a secure, robust, and cost-effective EHR infrastructure for its 200 to 300 independent physicians at 173 locations in eastern Massachusetts. Utilization of this system allows BIDPO members to meet all the Meaningful Use criteria specified for reimbursement by ARRA.
The project priorities included server virtualization, a SaaS deployment model, and a defense-in-depth security architecture to protect patient data. “We created a multilayer security protocol, including various perimeter devices, from firewalls to network-based intrusion detection systems,” said Bill Gillis, eHealth technical director at the medical center. “Our most important security layer is the Trend Micro Deep Security software.”
Deep Security provides comprehensive host security for the organization’s virtualized servers, EHR applications, and patient data, giving BIDPO confidence that they are HIPAA compliant — and that their public reputations are safe.
“We needed this project to be as secure as possible, so we did whatever we could do to get this locked down,” said Gillis. “We had to make sure we had no ‘Globe-able Events,’ meaning that we’re not going to have a security breach that will appear on the front page of the Boston Globe. We needed a partner that could help us mitigate any risk.”
The Trend Micro security solutions are also helping IT comply with other regulations that apply to their business, such as HITECH, Massachusetts Data Encryption Law 201 CMR 17.00, and ARRA.
The key benefits of the Trend Micro solution include:
✓ EHR innovation: Trend Micro solutions secure BIDPO’s innovative applications and deployment model.
✓ Virtualization security and compliance: Deep Security provides unique dedicated virtualization protection.
✓ Minimized vulnerabilities: Deep Security shields critical systems and applications from vulnerabilities until patches can be deployed.
Enforcing PCI DSS
Healthcare institutions that accept credit card payments must also comply with the Payment Card Industry Data Security Standard (PCI DSS). Health insurance premiums, medical services, and even hospital gift shop purchases are examples of transactions where the security of cardholder data is required. Healthcare institutions are well advised to design and implement a security framework that addresses both HIPAA and PCI DSS. See Chapter 4 for more on PCI DSS.
Healthcare Security and Compliance Challenges — and Solutions
Maintaining regulatory compliance and maximizing security effectiveness is especially demanding in today’s rapidly evolving healthcare industry. Understanding these challenges will help you select and implement solutions to secure your critical systems and data, and meet increasingly stringent regulatory requirements.
The following challenges are especially critical. (See Chapter 3 for additional information on these and other challenges facing healthcare organizations.)
Protecting patient data
Although perimeter and content security provide important safeguards, HIPAA and HITECH make it clear that encryption is the only acceptable way to protect ePHI and avoid costly disclosures. Effective encryption deployment also requires a data loss prevention (DLP) solution to discover where ePHI is stored and ensure its encryption when transmitted. However, most encryption and DLP solutions suffer major drawbacks that impede their success and widespread adoption.
Integrate DLP into your data protection strategy with a solution that offers the flexibility of deployment and protection levels that best suit your needs. Consider identity-based encryption as an equally powerful, but more effective, encryption alternative to PKI solutions.
Securing laptops and mobile devices
Portable laptops, PDAs, and other mobile devices are quickly becoming mainstays in healthcare, and essential to the daily tasks of nurses, physicians, and other healthcare professionals. These devices are at extreme risk for attack and ePHI loss, but can’t be adequately protected by network-based solutions.
Only a cloud-enabled endpoint security solution can protect a full range of devices from Web, e-mail, and file threats wherever they roam. You’ll also want to investigate endpoint encryption and DLP — they’re becoming essential as these devices increasingly store protected data.
Securing critical medical devices
Computerized medical devices for patient evaluation and diagnosis are increasingly a common part of the hospital network and so are at risk for compromise and failure due to malware infections or external attacks. Though protection is required by regulation, these systems can be prohibitive or impossible to secure with standard endpoint protection products.
Bring non-standard and sensitive systems such as MRI scanners, X-ray machines, and other patient care devices into compliance with a network-based solution that can detect active infiltrations and provide an immediate alert and remediation assistance.
Chapter 6
Top Ten Reasons to Use Trend Micro Enterprise Security
In This Chapter
▶ Seeing how Trend Micro addresses the core controls and solves tough compliance challenges
▶ Achieving compliance without security compromise
Security compliance is costly, complex, ever changing — and still not enough to protect your company’s sensitive data. Trend Micro Enterprise Security offers you a better way to stay both compliant and secure with solutions that address a broad range of controls, solve tough compliance challenges, and deliver maximum protection at minimal cost. That’s compliance without compromise!
Trend Micro Enterprise Security products and services are powered by the Smart Protection Network — a next-generation cloud-client infrastructure that combines cloud-based reputation technology, feedback loops, and the expertise of TrendLabs researchers to deliver real-time protection and greatly simplify security management.
Targeting Core Compliance Controls
Trend Micro products can help you address the core compliance controls that apply directly to most security regulations. With Trend Micro you can secure your organization and achieve compliance across a wide range of controls and regulations (see Figure 6-1).
Figure 6-1: Trend Micro Enterprise Security Solutions. (Figure not reproduced.) The figure places the Trend Micro Smart Protection Network at the center, ringed by the solution areas Endpoint Security, Web Security, Messaging Security, Data Center Security, and Data Protection and Services, under the banner “Maximum Protection. Minimum Complexity.” The core security compliance controls listed in the figure are: IT Risk Assessment; Vulnerability & Patch Management; IT Policy Adherence; Incident Response; Sensitive Data Protection; Firewall, IDS/IPS; Anti-virus/Anti-malware; Anti-spam/Anti-phishing; Logging & Reporting.
Solving Tough Compliance Challenges

Trend Micro products offer unique solutions that help you solve tough challenges that arise from applying compliance controls within your particular operating environment, evolving business and IT initiatives, and limited security budget.
Risk visibility and control

Trend Micro vulnerability and threat management solutions offer you greater risk visibility and remediation control over active security threats, software and systems vulnerabilities, changing Web content, and IT policy compliance.
Server/desktop virtualization

Trend Micro server and endpoint solutions provide advanced virtualization-aware software that secures virtualized desktops and servers with best-in-class protection, optimized performance, and critical compliance controls.
Public cloud computing

Trend Micro provides the secure virtual server and volume-level data encryption solutions that can allow you to confidently incorporate the public cloud into your data center strategy.
Web sites and portals

Trend Micro Enterprise Security keeps your Web site and company reputation secure with Web site application scanning, PCI scanning, best-in-class server protection, and comprehensive vulnerability management.
Non-standard systems

Trend Micro's unique network-based Threat Management Services discover any active infiltration, allowing you to achieve compliance and noninvasive protection for any endpoint or server, including legacy or proprietary devices.
Distributed locations

Trend Micro Deep Security provides firewall, IPS, virtual patching, integrity monitoring, and other core controls directly to critical systems — eliminating the cost and management complexity of perimeter security devices at each location.
Worker mobility

Trend Micro OfficeScan and the Smart Protection Network keep wireless and mobile devices of all kinds protected from Web, e-mail, and other threats both on and off the corporate network.
Mitigating information risk

Trend Micro secures sensitive data with endpoint and network DLP, identity-based endpoint and e-mail gateway encryption, and content filtering solutions that emphasize security, management simplicity, and employee ease-of-use.
Compliance without Security Compromise

You can employ various strategies to achieve compliance with applicable regulations. But will your strategy provide the best, or even adequate, protection of your data and reputation? Compliance-driven organizations may use a patchwork of products that allow them to mark off boxes on a compliance checklist, but don't necessarily offer best-in-class protection levels or completeness of coverage.
For security-driven organizations that want to truly protect their sensitive data and comply with regulatory requirements, Trend Micro Enterprise Security solutions and the Smart Protection Network help you achieve both compliance and security — without compromise.
Real-world tests by NSS Labs (see Figure 6-2) confirm that Trend Micro offers highly rated protection against malware and other threats.
Figure 6-2: Trend Micro provides maximum protection against malware threats. (Chart: mean block rate for socially engineered malware, plotting "block on download" on the horizontal axis, 60% to 100%, against "block on download/execution" on the vertical axis, 70% to 100%, for Trend Micro, Kaspersky, Symantec, McAfee, Norman, F-Secure, Panda, ESET, AVG, Sophos, and the average. Source: NSS Labs Reports.)
Appendix A: Core Compliance Controls – Healthcare Regulation Mapping
Core Control | Applicable U.S. Healthcare Regulations & Guidelines – HIPAA, HITECH, NIST

IT Risk Assessment
• HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)
• HITECH Breach Notification for Unsecured Protected Health Information

Vulnerability & Patch Management
• HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

IT Policy Adherence
• HIPAA § 164.308(a)(6) Policies and procedures to address security incidents

Incident Response
• HITECH Breach Notification for Unsecured Protected Health Information
• HITECH § 13402 Notification in Case of Breach
Sensitive Data Protection
• HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)
• HITECH Breach Notification for Unsecured Protected Health Information
• HITECH § 13402 Notification in Case of Breach
• HIPAA § 164.404 Notification to Individuals (description of the type of unsecured ePHI involved in the breach)
• NIST Special Publication 800-66 (guidelines for implementing the HIPAA Security Rule)
• HIPAA § 164.310(d)(1) Device and Media Controls
• HIPAA § 164.514(d) Minimum necessary uses and disclosures of PHI
• HITECH exemption from breach notification if PHI is secured using encryption
• HIPAA 45 CFR parts 160 and 164 (Interim Rule): encryption and destruction for rendering ePHI unusable, unreadable, or undecipherable to unauthorized individuals
• HIPAA 45 CFR parts 160 and 164 (Interim Rule): keep encryption keys on a separate device from the data that they encrypt or decrypt
• HIPAA § 164.308(b)(1) Business associate will appropriately safeguard information
• HIPAA § 164.312(e)(1) Transmission Security (guard against unauthorized access to ePHI being transmitted over an electronic communications network)
• HIPAA § 164.306(a)(1) Protect ePHI: covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
• HIPAA § 164.308(a)(6) Policies and procedures to address security incidents
Firewall & IDS/IPS
• HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)
• HIPAA § 164.312(a)(1) Access Control (allow access only to those persons or software programs that have been granted access rights)
• NIST Special Publication 800-66, section 4.14 Access Control for HIPAA § 164.312(a)(1) (Have all applications and systems with ePHI been identified? Where is ePHI currently housed?)
• HIPAA § 164.312(c)(1) Integrity (protect ePHI from improper alteration or destruction)

Anti-virus & Anti-malware
• HIPAA § 164.308(a)(5)(ii)(B) Protection from malicious software (procedures for guarding against, detecting, and reporting malicious software)
• HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

Anti-spam & Anti-phishing
• HIPAA § 164.308(a)(5)(ii)(B) Protection from malicious software (procedures for guarding against, detecting, and reporting malicious software)
• HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

Logging & Reporting
• HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)
• HITECH Breach Notification for Unsecured Protected Health Information