
The Regulation Zoo: Dealing With Compliance Within The Firewall World


Presentation Transcript


  1. The Regulation Zoo: Dealing With Compliance Within The Firewall World
     Avishai Wool, CTO & Co-Founder, AlgoSec

  2. Agenda
     • Introduction
     • Relevant Regulations
     • Common Themes
     • Demo

  3. The Regulations Zoo
     • Sarbanes-Oxley Act (SOX)
     • Japanese Financial Instruments and Exchange Law (J-SOX)
     • Euro-SOX – EU Company Law Directive 8 – coming soon (?)
     • PCI DSS – Payment Card Industry Data Security Standard
     • ISO 27001
     • FISMA – US federal agencies
     • HIPAA – US healthcare industry
     • Basel II – banking
     Confidential

  4. Sarbanes-Oxley Act (SOX)
     • Goal: protect the accuracy of financial data
     • Background: financial scandals (Enron, …)
     • Affects companies listed on US stock exchanges, including multinational corporations
     • Financial data is on computers,
       … computers are on networks,
       … firewalls enforce access to networks
       ⇒ firewalls become regulated

  5. Working with SOX
     • The law is very “high-level” (10,000 meter altitude…)
       • Very hard to act on it directly
     • COSO framework: 5 major “components” of internal control
       • More grounded than the law (5,000 meters…)
     • CobiT framework: 34 “control objectives”
       • Almost something you can work with (2,000 meters…)

  6. SOX “cousins and relatives”
     • Japan (J-SOX): “Financial Instruments and Exchange Law”
       • Equivalent to SOX + COSO, but in Japanese
       • Appears to accept the CobiT framework
     • EU: “Company Law Directive 8”
       • Approved by the EU institutions (very high level)
       • Implementation framework?
       • Sent to member states for implementation guidelines
       • Coming soon?

  7. PCI DSS – Payment Card Industry
     • Goal: protect credit card information
     • Background: credit card fraud / theft
     • Affects any organization that handles credit cards (phased in, from large merchants down to small)
     • Enforced aggressively by the credit card companies
     • Credit card data is on computers,
       … computers are on networks,
       … firewalls enforce access to networks
       ⇒ firewalls become regulated

  8. Working with PCI DSS
     Includes very specific “commandments” for firewalls:
     • Thou shalt have a DMZ on your firewall
     • Thou shalt NOT allow services other than HTTP, SSL, SSH and VPN through the firewall (without convincing documentation)
     • Thou shalt use NAT and avoid routable addresses
     • Thou shalt have a connectivity diagram of the firewall
     • Thou shalt assess / scan your firewalls quarterly
     Etc. etc.

  9. ISO 27001
     • General standard – for any Information Security Management System (ISMS)
     • Voluntary compliance – but widespread in Europe
     • Lineage: British standard BS 7799 → ISO 17799 → ISO 27001/2
     • Motto: Plan / Do / Check / Act (PDCA)
     • Firewalls are clearly part of any ISMS
       ⇒ firewalls become regulated

  10. More Regulations
     • HIPAA
       • Goal: control the privacy (and, under its Security Rule, the security) of personal medical information
       • Affects US healthcare organizations (hospitals, clinics, health plans and insurers) and the business associates that process their data
     • Basel II
       • Goal: capital adequacy and risk management for banks; its operational-risk rules cover failures of IT systems and information security
       • Affects any bank (that wants to do business with other banks)
     • FISMA
       • Affects US federal agencies (and contractors operating systems on their behalf)

  11. Common Themes – for Firewalls
     • Control the risk
     • Control the changes
     • Control the infrastructure
     • Compliance reporting

  12. Control the Risk
     • Define a security policy
       • Or adopt industry best practices as your policy
     • Review your rule-base for security-policy violations
       • Periodically
       • Internal / external audit
       • Software systems
       • Scan quarterly (PCI mandates external scans by an Approved Scanning Vendor, ASV; the on-site assessment is done by a QSA)
     • Avoid high risks
       • PCI and FISMA give specific requirements about risky services
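The rule-base review that slides 8 and 12 call for can be mechanized. The following is an added example (not AlgoSec's code and not part of the original deck): it encodes the PCI "commandments" from slide 8 as checks over a small rule-base and reports the violations, which is the "software systems" review of slide 12. The rule format (zones, CIDRs and "proto/port" services), the port mapping for HTTP/SSL/SSH/VPN, and the sample rule-base are assumptions made for this example.

```python
"""Review a firewall rule-base against the PCI-style policy on the slides.

Added example, not AlgoSec's code.  The rule format (zones, CIDRs and
"proto/port" services), the permitted-port mapping and the sample rule-base
are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Services PCI DSS lets through without further justification, as the slide
# lists them: HTTP, SSL, SSH and VPN.  The port mapping is an assumption.
PERMITTED_SERVICES = {"tcp/80": "HTTP", "tcp/443": "SSL", "tcp/22": "SSH",
                      "udp/500": "VPN (IKE)", "udp/4500": "VPN (NAT-T)"}

# RFC 1918 private space; anything else is treated as routable.  (The
# documentation ranges used below stand in for public addresses.)
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    num: int
    src_zone: str             # "internet" | "dmz" | "internal" | "any"
    src: str                  # CIDR or "any"
    dst_zone: str
    dst: str
    service: str              # "proto/port" or "any"
    action: str               # "accept" or "drop"
    justification: str = ""   # ticket / comment documenting an exception


def is_routable(cidr: str) -> bool:
    """True unless the block lies inside RFC 1918 space ("any" counts as not routable)."""
    if cidr == "any":
        return False
    net = ip_network(cidr, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE)


def check_rule(rule: Rule) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for one rule; drop rules never raise findings."""
    findings: List[Tuple[str, str]] = []
    if rule.action != "accept":
        return findings
    # Risky services: anything not HTTP/SSL/SSH/VPN needs convincing documentation.
    if rule.service == "any":
        findings.append(("high", "permits all services"))
    elif rule.service not in PERMITTED_SERVICES and not rule.justification:
        findings.append(("medium", f"{rule.service} is not HTTP/SSL/SSH/VPN and is undocumented"))
    # "Thou shalt have a DMZ": Internet traffic must terminate in the DMZ.
    if rule.src_zone == "internet" and rule.dst_zone == "internal":
        findings.append(("high", "Internet reaches the internal zone directly, bypassing the DMZ"))
    # "Thou shalt use NAT and avoid routable addresses" on the internal side.
    if rule.dst_zone == "internal" and is_routable(rule.dst):
        findings.append(("medium", f"internal host {rule.dst} has a routable address (use RFC 1918 + NAT)"))
    return findings


def review(rules: List[Rule]) -> Dict[int, List[Tuple[str, str]]]:
    """Map rule number -> findings, for the rules that have any."""
    report: Dict[int, List[Tuple[str, str]]] = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report[rule.num] = findings
    return report


# Constructed sample rule-base (not taken from any real device).
SAMPLE_RULES = [
    Rule(1, "internet", "any", "dmz", "203.0.113.10/32", "tcp/443", "accept"),
    Rule(2, "internet", "any", "dmz", "203.0.113.10/32", "tcp/80", "accept"),
    Rule(3, "dmz", "203.0.113.10/32", "internal", "10.1.2.5/32", "tcp/1433", "accept",
         justification="CHG-1042: web tier to cardholder DB, reviewed by security"),
    Rule(4, "internet", "any", "internal", "10.1.0.0/16", "tcp/3389", "accept"),
    Rule(5, "internal", "10.1.0.0/16", "internet", "any", "any", "accept"),
    Rule(6, "dmz", "any", "internal", "198.51.100.7/32", "tcp/22", "accept"),
    Rule(7, "any", "any", "any", "any", "any", "drop"),
]

if __name__ == "__main__":
    for num, findings in review(SAMPLE_RULES).items():
        for severity, text in findings:
            print(f"rule {num} [{severity}] {text}")
```

On the sample rule-base, rule 3 passes because its non-standard service carries a documented justification, rule 4 is flagged twice (undocumented RDP and Internet straight into the internal zone), rule 5 for an any-service egress rule, and rule 6 because an internal host sits on a routable address. Real products need a parser for their own rule syntax in front of `check_rule`; the checks themselves do not change.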

  13. Control the Changes
     • Have a firewall rule change process
       • Request / Plan / Implement / Validate
     • Track firewall changes
       • At least: who did what, where, and when
       • Better: also why

  14. Control the Changes – cont.
     • Alerting / monitoring
       • Set up e-mail / syslog / SNMP
       • Send alerts when changes are detected
       • Better: integrate with a SIM (security information management) system
     • Audit
       • Keep change records for a long time
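Slides 13 and 14 describe one procedure: detect a change, record who / what / where / when / why, alert on it, and keep the record. The following is an added example (not AlgoSec's code and not part of the original deck) that carries that procedure through: it diffs two rule-base snapshots, matches each detected change against the approved change requests (the "Validate" step, which also supplies the "why"), formats a syslog alert whose severity depends on whether the change was approved, and emits an append-only audit record. The snapshot format (stable rule ID to rule), the ticket format, the syslog facility, and the constructed snapshots are assumptions made for this example.

```python
"""Track firewall changes: diff two rule-base snapshots, record who / what /
where / when / why, and alert on changes that no approved request covers.

Added example, not AlgoSec's code.  The snapshot format (stable rule ID ->
rule), the ticket format and the constructed snapshots are assumptions.
"""
from dataclasses import asdict, dataclass
import json
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str


Snapshot = Dict[int, Rule]                   # stable rule ID -> rule, as pulled from the device
Change = Tuple[str, int, Optional[Rule]]     # (kind, rule ID, rule after the change)


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """The 'what': rules added, removed or modified between two snapshots."""
    changes: List[Change] = []
    for rule_id in sorted(set(before) | set(after)):
        old, new = before.get(rule_id), after.get(rule_id)
        if old is None:
            changes.append(("added", rule_id, new))
        elif new is None:
            changes.append(("removed", rule_id, None))
        elif old != new:
            changes.append(("modified", rule_id, new))
    return changes


@dataclass
class ChangeRecord:
    who: str
    what: str
    where: str     # firewall name
    when: str      # ISO 8601, UTC
    why: str       # approved ticket ID, or "UNAUTHORIZED"


def describe(change: Change) -> str:
    kind, rule_id, rule = change
    text = f"{kind} rule {rule_id}"
    if rule is not None:
        text += f": {rule.src} -> {rule.dst} {rule.service} {rule.action}"
    return text


def reconcile(changes: List[Change], approved: Dict[str, List[Change]],
              who: str, where: str, when: str) -> List[ChangeRecord]:
    """Validate step of Request / Plan / Implement / Validate: each detected
    change must match a change planned under an approved request, which is the 'why'."""
    records = []
    for change in changes:
        ticket = next((t for t, planned in approved.items() if change in planned), "UNAUTHORIZED")
        records.append(ChangeRecord(who, describe(change), where, when, ticket))
    return records


def syslog_message(rec: ChangeRecord) -> str:
    """RFC 3164-style line for the alerting pipeline: unauthorized changes go
    out at severity 'warning' (4), approved ones at 'info' (6)."""
    facility = 20   # local4; an assumption for this example
    severity = 4 if rec.why == "UNAUTHORIZED" else 6
    return f"<{facility * 8 + severity}>fw-audit {rec.where}: {rec.what} by={rec.who} at={rec.when} why={rec.why}"


def audit_line(rec: ChangeRecord) -> str:
    """One JSON line for the append-only audit log kept for the retention period."""
    return json.dumps(asdict(rec), sort_keys=True)


# Constructed snapshots and approved request (not from any real device or ticket system).
BEFORE: Snapshot = {
    101: Rule("any", "203.0.113.10/32", "tcp/443", "accept"),
    102: Rule("10.1.0.0/16", "any", "tcp/80", "accept"),
    999: Rule("any", "any", "any", "drop"),
}
AFTER: Snapshot = {
    101: Rule("any", "203.0.113.10/32", "tcp/443", "accept"),
    102: Rule("10.1.0.0/16", "any", "tcp/443", "accept"),    # the planned change
    103: Rule("any", "10.1.2.5/32", "tcp/3389", "accept"),   # nobody asked for this one
    999: Rule("any", "any", "any", "drop"),
}
APPROVED = {"CHG-1042": [("modified", 102, Rule("10.1.0.0/16", "any", "tcp/443", "accept"))]}


def run_example() -> List[ChangeRecord]:
    """Who / where / when would come from the device's audit log or the collector's clock."""
    changes = diff_snapshots(BEFORE, AFTER)
    return reconcile(changes, APPROVED, who="jdoe", where="fw-edge-1", when="2008-04-01T10:15:00Z")


if __name__ == "__main__":
    for rec in run_example():
        print(syslog_message(rec))
        print(audit_line(rec))
```

Keying snapshots by a stable rule ID rather than by position matters: inserting a rule shifts every rule number below it, and a position-based diff would then report the whole tail of the rule-base as modified. The `<164>` / `<166>` priority prefix is what lets a syslog receiver or SIM route unauthorized changes to an alert queue while approved ones only land in the audit trail.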

  15. Control the Infrastructure
     • Connectivity diagram
       • Maintain an up-to-date diagram
     • Firewall management
       • Avoid default passwords
       • Avoid default settings

  16. Compliance Reporting
     • Each regulation has its own reporting requirements
     • Lengthy forms that take a long time to complete

  17. The AlgoSec Firewall Analyzer: live demo – compliance

  18. Questions?
     • E-mail:
       • yash@eng.tau.ac.il
       • avishai.wool@algosec.com
     • http://www.algosec.com
