Compliance with Regulatory Acts and Best Practices in Security

In our constantly expanding realm of electronic processing, previously unimagined volumes of sensitive data are processed by a host of entities whose responsibilities include guarding the proprietary nature of that information. Technological advances have similarly created circumstances, intentional or otherwise, where unauthorized access to this information is attempted.

Government and regulatory bodies are now mandating that corporations protect the confidentiality, integrity and availability of the sensitive information. This has placed a burden on organizations as they attempt to conform to specific regulatory acts.

Although individual acts, such as HIPAA (Health Insurance Portability and Accountability Act), pertain to certain industries, a number of corporations must comply with multiple regulatory acts.

Regulatory Acts

Most business sectors have introduced regulatory acts or security standards to which organizations within each sector must prove compliance. In some cases, a company must prove compliance with multiple regulatory acts. A critical part of each is being able to identify “who did what, when, where and why” with business information. While each component of a robust information infrastructure contributes pieces of audit information, timely analysis depends upon collecting all of the information into a cohesive whole, automating the majority of the simple analysis and assisting the security professional in addressing activities that are important, urgent or deal with unusual situations. While most of the regulatory acts are very similar, each emphasizes certain areas.

Payment Card Industry Data Security Standard (PCI DSS)
The growing use of credit cards creates opportunity for unauthorized use of personal information, demanding that it be protected very well. Appropriate security techniques can shield organizations harboring cardholder data. The PCI specification requires management of audit data to ensure ongoing security best practices as well as to aid forensic analysis in case of a security breach.

The SNARE System provides SNARE Agents for hosts containing cardholder data, increasing the pertinence of IT Audit data and removing it from the host quickly. SNARE Server provides superior data management, delivering pertinent security objective reports and tools for deep forensic analysis, allowing rapid analysis and resolution of security incidents. The SNARE System is a powerful and cost-effective security tool for any company that must comply with the requirements of PCI.

The SNARE System for PCI DSS

Health Insurance Portability and Accountability Act (HIPAA)
Electronic health information integrity in use and in transit is protected by adherence to the requirements of HIPAA. SNARE Agents are critical to identifying access and transport of electronic health records, refining the host system IT Audit data to improve its pertinence and removing it from the host system in real time. SNARE Server then manages the IT Audit data through generation of security objective reports, refinement of presentation and then placement into a secure, industry-standard archive.

The SNARE System for HIPAA

National Industrial Security Program Operating Manual (NISPOM)
NISP highlights the protection of classified data in information systems in chapter 8 of the Operating Manual. In support of NISPOM chapter 8, SNARE Agents allow the fast and efficient collection of audit data from host systems. Optional enhanced SNARE Agent technology addresses the stringent demands of Defense Security Services that the integrity of audit data be held to a higher standard. SNARE Server then provides security objective reporting that enables the Information Systems Security Officer to meet and exceed the operational requirements for Information Assurance. The SNARE System capabilities of managing the IT Audit data from creation to secure archive ensure that the ISS Manager’s information assurance responsibilities to NISP are addressed quickly, efficiently and cost effectively.

Sarbanes-Oxley (SOX)
SNARE excels at refining the monitoring at each host system, improving the ability to identify inappropriate file/directory access and increasing the relevance of the data supplied to SNARE Server. With the audit data quickly removed from the monitored system, SNARE Server provides security objective reporting in support of Sarbanes-Oxley compliance. During forensic analysis, the features and tools of SNARE Server enable rapid analysis of the situation with specific event data available.

Gramm-Leach-Bliley Act (GLBA)
GLBA was implemented in order to ensure that financial institutions under the umbrella of the FTC adhere to standards relating to administrative, technical, and physical safeguards for customer information. The IT Audit information generated by each part of a comprehensive information systems infrastructure supports this compliance.

SNARE Agents bring consistency and efficiency to the collection of this IT Audit data. When collected from the SNARE Agents and the network infrastructure, SNARE Server automates the analysis, data management and archiving using industry standards in support of compliance with GLBA. With the SNARE System in place, compliance with GLBA will be made more efficient and cost-effective.

Federal Information Security Management Act (FISMA)
FISMA requires each US federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

SNARE Agents are critical to identifying access and transport of electronic information, refining the host system IT Audit data to improve its pertinence and removing it from the host system in real time. SNARE Server then manages the IT Audit data through generation of security objective reports, refinement of presentation and then placement into a secure archive.

Management of Information Technology Security (MITS)
This Canadian Government standard defines baseline security requirements that federal departments must fulfill to ensure the security of information and information technology (IT) assets under their control.

The Canadian Government Security Policy states requirements for protecting government assets, including information. It directs the federal departments and agencies to which it applies to have an IT security strategy, and requires that departments protect information throughout its life cycle.

SNARE Agents are critical to identifying access and transport of electronic information, refining the host system IT Audit data to improve its pertinence and removing it from the host system in real time. SNARE Server then manages the IT Audit data through generation of security objective reports, refinement of presentation and then placement into a secure archive.

 
