Vulnerability Assessment & Management
What’s new about compliance?
More information is processed and stored digitally across all industries. From banking to healthcare, consumers and businesses are becoming more dependent on digital systems.
All too often, the defenses protecting these systems are insufficient, giving hackers and malware access to private information and data. To protect consumer data, several national regulatory bodies have established mandatory regulations for different industries that enforce certain standards of information security.
Why does compliance matter?
Compliance protects consumers. It helps them feel more comfortable that their personal information and data are safe. For businesses, compliance forces them to take security and privacy seriously, especially with the threat of hefty penalties and fines should network and data security systems be lacking.
Businesses found in violation of the North American Electric Reliability Corporation’s (NERC) compliance mandate can be fined as much as $1 million per day until they are NERC compliant.
What kind of companies are subject to compliance models?
- Financial institutions
- Businesses that process, transmit, or store credit or debit card data
- Organizations that use or store any kind of Protected Health Information (PHI), such as patient records
- Power and electrical utility industries
Types of compliance:
- Every business that processes, transmits, or stores credit or debit card data is subject to Payment Card Industry Data Security Standard (PCI DSS) Compliance.
- Under Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) of 1999, the FDIC applies a rigorous examination process to determine that financial institutions properly safeguard the security, confidentiality, and integrity of customer data. The administrative, technical, and physical safeguards vary depending on the institution’s size, but all systems must be integrated and secure.
- The Federal Financial Institutions Examination Council (FFIEC) online banking standards require encryption of online data and multifactor authentication.
- The National Credit Union Administration provides compliance guidelines that require credit unions to design and implement information security programs to address vulnerability issues.
HIPAA and HITECH
- Organizations dealing with PHI are subject to rigorous data security requirements under the HIPAA and HITECH Acts. HITECH dictates not only the quality of in-house systems, but those of third-party associates as well.
NERC and Critical Infrastructure Protection (CIP)
- In addition to the guidelines laid out by NERC, electric utility companies are now required to follow the CIP standards.
Sarbanes–Oxley (SOX)
- Public companies must meet the standards of the Sarbanes–Oxley Act of 2002, which dictates everything from auditor regulations to financial disclosure. To be SOX compliant, companies must have a complete, integrated, moment-to-moment picture of what data security systems are in place and how they affect current business practices.
How is compliance accomplished?
- Comprehensive auditing of hardware, software, and network systems
- Risk and vulnerability assessment
- Penetration testing
- Detailed reporting of permissions, configuration settings, and file and folder access
- Establishment of internal control systems, using regulatory IT frameworks and assessment methodologies such as COSO and COBIT
- Ongoing monitoring of user and file access and log management