VCE Vblock™ Systems Security & Compliance
Chris Davis, Senior Consultant - Security and Compliance, VCE Product Management
Agenda • Regulations and Standards • Controls Quick Recap • VCE Vblock Systems Security & Compliance
Protecting Data. Source: IT Auditing: Using Controls to Protect Information Assets (McGraw-Hill Professional, 2011)
Hundreds of Authority Sources
• Sarbanes-Oxley (PCAOB, SAS 94, AICPA, Sec 17, COSO ERM, A-123)
• Banking and Finance (Basel II, Gramm-Leach-Bliley Act (GLBA), FFIEC)
• NASD, NYSE (Sec 17)
• Healthcare and Life Science (HIPAA, NIST, CMS, FDA)
• Energy (FERC, NERC)
• Credit Card (PCI DSS, Visa CISP, Amex, MasterCard, BBB)
• Federal Security (E-Sign, UETA, FISMA, FISCAM, FIPS, Clinger-Cohen Act, GAO, DOD, CISWIG, OMB, NCUA, C-TPAT, more)
• IRS (Rev. Proc. 97-22, Rev. Proc. 98-25, 501(c)(3))
• Records Management (ISO, DIRKS, Sedona, more)
• NIST (SP 800-14, -18, -26, -30, -33, -34, -40, -41, -53, -60, -61, -64)
• General (COBIT 3 & 4, NFPA, ISF, ISSA, CERT, IIA, more)
• US Federal Privacy (Cable, Telemarketing, SPAM, COPPA, Drivers, Family, Video Privacy, Specter-Leahy, more)
• US State Laws (all states)
• System Configuration (CIS benchmarks for Solaris, HP-UX, Red Hat, SuSE, AIX, Novell, Apple OS X, Vista; NIST; DISA; more)
PCI-DSS
• The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). These payment brands require through their Operating Regulations that any merchant or service provider that processes, stores or transmits credit card data must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS) version 2. Failure to meet PCI requirements could lead to fines, penalties, or inability to process credit cards, in addition to potential loss of reputation.
• VCE Whitepaper: vblock-guide-pci-addendum.pdf (PDF)
• PCI-DSS Online: https://www.pcisecuritystandards.org
HIPAA
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936) addresses policies, procedures, and guidelines for protecting the confidentiality, integrity, and availability of protected health information (PHI). The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.
• VCE Whitepaper: Coming Soon! 1Q2014
• HIPAA Online: http://www.hhs.gov/ocr/privacy/index.html
CJIS Security Policy (FBI)
• Law enforcement requires secure, rapid access to data in a variety of situations to stop and reduce crime. The Criminal Justice Information Services (CJIS) Security Policy contains information security requirements, guidelines, and agreements for protecting the sources, transmission, storage, and generation of criminal justice information (CJI). The CJIS Security Policy applies to every information system with capabilities for creating, viewing, modifying, transmitting, disseminating, storing, and destroying CJI. It is intended to apply a uniform set of controls across systems to protect CJI at rest or in transit.
• VCE Whitepaper: VCE_CJIS_Policy_Requirements (PDF)
• CJIS Online: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
FISMA/FedRAMP
• FISMA is a law enacted in 2002 that requires all federal agencies, departments, and their contractors to meet specified guidelines in safeguarding their information systems and assets. The National Institute of Standards and Technology (NIST) develops the standards and guidelines for FISMA through its Special Publications (SP). NIST publications serve as guidance and reference for many organizations that use the FISMA framework, whether they are required to or adopt it voluntarily. FedRAMP was established in December 2011 and requires all federal organizations that use a cloud environment to apply the FedRAMP program for cloud security controls.
• VCE Whitepaper: vblock-systems-guide-FISMA-FedRAMP.pdf (PDF)
• FISMA Online: http://csrc.nist.gov/publications/PubsSPs.html
• FedRAMP Online: http://www.fedramp.gov
Effectively Managed IT Controls
Technology can affect every part of the business. At its best, technology is a competitive advantage. At its worst, technology is your competitor's advantage.
IT Controls: Detective, protective and reactive measures in place to protect the confidentiality, integrity, and availability of business information and ensure appropriate management of the IT function to meet business objectives.
(Value chain diagram: Product Market Relationships; primary activities Inbound Logistics, Operations, Outbound Logistics, Marketing and Sales, Service; support activities Firm Infrastructure, HR Management, Procurement, Technology Development; Margin)
How Do You Manage IT Controls?
Solution Alignment: Controls Defined by GRC; Managed by Tools
• GRC Tools
• Governance
• Risk Management
• Frameworks
• Compliance
Let's Break It Down for VCE: Vblock Systems and Compliance Requirements
System Security Plan
• Authorities: PCI-DSS, HIPAA, FISMA, CJIS, ISO27K, {…}
• Control families: Technical Controls, Management Controls, Operational Controls
Technical Control Requirements (PCI DSS requirements as the example authority)
• Technical Controls, Component Configuration: Requirement 6: Develop and maintain secure systems and applications
• Technical Controls, Solution Ecosystem: Requirement 10: Track and monitor all access to network resources and cardholder data
• Administrative Controls: Requirement 12: Maintain a policy that addresses information security for all personnel
• Physical Controls: Requirement 9: Restrict physical access to cardholder data
Adding Value with VCE Security and Compliance Resources (www.VCE.com/security)
Compliance Resources
• NIST Compliance Map
• Common Authority Source Information
• Product Applicability Guides addressing PCI-DSS, HIPAA, FISMA/FedRAMP, and CJIS
• Compliance Mappings to Component Configuration and Solution Ecosystem
Solution Ecosystem
• TAP Program
• Secure Administrative Access
• Trusted Multitenancy
• Infrastructure Assurance
• Systems Monitoring
• Data Protection
• Encryption
• Boundary Protection
• Exploit and Malware Detection
• Vulnerability Detection
Component Configuration
• Security Guide: Configuration
• Vendor Hardening Documents
• Best Practice Resources
Validation
• Third-party Reviewed Basic Hardening
• Pre-integrated and Validated Converged Infrastructure
Building Compliant Virtual Systems
• Product Ecosystem
• Solution Ecosystem
• Solution Management
• Compliance Regulations (Controls Defined by GRC; Managed by Tools): PCI-DSS, FedRAMP/FISMA, HIPAA-HITECH, CJIS Security Policy
Best Practices Configuration and Engineering Principles
Component Configuration
• Fully Patched
• Uniquely Identified Accounts
• Least Privileged Roles
• Secure Authentication
• Enforced Authorization
• Non-repudiated Accounting/Logs
• Secure Administrative Communications
• Disable Unnecessary Services
• Harden Necessary Services
• Focused Function
• Protected Data
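The list above is a checklist; what a practitioner wants next is a repeatable check. The following is an added example, not code from the VCE deck or from any VCE or vendor tool. It audits text snapshots of a host (an /etc/passwd dump for Uniquely Identified Accounts, an sshd_config for Secure Administrative Communications and Non-repudiated Accounting/Logs, and the enabled-service list for Disable Unnecessary Services). The sample host data, the accepted sshd values and the unnecessary-service list are constructed assumptions for illustration, not a VCE or CIS baseline.

```python
"""Baseline hardening audit (added example; not VCE code or from this deck).

Checks a few of the listed best practices against text snapshots of a host.
All sample inputs are constructed for the example; the second UID-0 account
'toor' is part of the fixture, not a real finding.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    control: str    # which best-practice item the gap maps to
    severity: str   # "high" or "medium"
    detail: str


# --- constructed sample inputs (hypothetical host) -------------------------
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
svc_backup:x:1001:1001::/var/backup:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """# sshd_config (constructed)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
LogLevel INFO
"""

SAMPLE_SERVICES = ["sshd", "rsyslog", "telnet", "vsftpd", "ntpd"]

# Cleartext or legacy services that should not run on an infrastructure host
# (assumed list for this example; tailor it to the platform's build guide).
UNNECESSARY_SERVICES = {"telnet", "rsh", "rlogin", "tftp", "vsftpd"}

# sshd directive -> (accepted values, best-practice item it supports). Assumed baseline.
SSHD_BASELINE = {
    "protocol": ({"2"}, "Secure Administrative Communications"),
    "permitrootlogin": ({"no"}, "Secure Administrative Communications"),
    "passwordauthentication": ({"no"}, "Secure Administrative Communications"),
    "pubkeyauthentication": ({"yes"}, "Secure Administrative Communications"),
    "loglevel": ({"info", "verbose"}, "Non-repudiated Accounting/Logs"),
}


def parse_passwd(text: str) -> dict[int, list[str]]:
    """Map each UID to the account names that carry it; skip blank/malformed lines."""
    by_uid: dict[int, list[str]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        by_uid.setdefault(int(fields[2]), []).append(fields[0])
    return by_uid


def check_unique_accounts(passwd_text: str) -> list[Finding]:
    """A UID shared by two names defeats attribution; a second UID 0 is a hidden superuser."""
    findings = []
    for uid, names in sorted(parse_passwd(passwd_text).items()):
        if len(names) > 1:
            findings.append(Finding(
                "Uniquely Identified Accounts",
                "high" if uid == 0 else "medium",
                f"UID {uid} shared by {', '.join(names)}; actions cannot be attributed to one person",
            ))
    return findings


def parse_sshd_config(text: str) -> dict[str, str]:
    """Lower-cased directive -> value. sshd honours the FIRST occurrence of a keyword,
    so a later 'PermitRootLogin no' does not override an earlier 'yes'."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd(config_text: str) -> list[Finding]:
    """Flag directives that are wrong, and directives left to the compiled-in default."""
    settings = parse_sshd_config(config_text)
    findings = []
    for key, (allowed, control) in SSHD_BASELINE.items():
        if key not in settings:
            findings.append(Finding(control, "medium",
                f"{key} not set explicitly; the compiled-in default applies and must be verified"))
        elif settings[key].lower() not in allowed:
            findings.append(Finding(control, "high",
                f"{key} is '{settings[key]}', baseline requires one of {sorted(allowed)}"))
    return findings


def check_services(enabled: list[str]) -> list[Finding]:
    return [Finding("Disable Unnecessary Services", "high",
                    f"{svc} is enabled; remove it or replace it with an encrypted equivalent")
            for svc in enabled if svc.lower() in UNNECESSARY_SERVICES]


def audit(passwd_text: str, sshd_text: str, services: list[str]) -> list[Finding]:
    """Run every check; an empty list means the sampled baseline is met."""
    return check_unique_accounts(passwd_text) + check_sshd(sshd_text) + check_services(services)


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG, SAMPLE_SERVICES):
        print(f"[{f.severity:6}] {f.control}: {f.detail}")
```

Two details matter in practice. The parser keeps the first value of each sshd keyword because that is how sshd resolves duplicates, so an appended hardening line does not fix an earlier permissive one. A directive that is merely commented out is reported as a gap rather than passed, because the compiled-in default differs between OpenSSH versions and distributions and has to be checked on the target, not assumed.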
Technology Alliance Program Solution Ecosystem www.vce.com/partners
VCE Differentiation: Life Cycle System Assurance
You Begin with a Validated System
• Pre-engineered, Pre-validated, Pre-tested
• Best-of-breed Technology
• API Enabled, Converged Management
• Application Optimization
• Integrated Protection and Workload Mobility Solutions
Customer Experience
• Fastest Time to Business
• Highest Performance
• Highest Availability
• Lowest Risk
• Lowest TCO
Building Trust
• VCE can help establish Trust by providing a set of offerings (products, solutions and guidance) for use in conjunction with our customers' security programs
• These offerings fall into a simple Trust Framework of the following well-known security concepts and objectives:
• CIA (Confidentiality, Integrity, and Availability)
• III (Infrastructure, Identities, and Information)
• GRC (Governance, Risk Management, and Compliance)
• The application of such a Trust Framework can provide the assurance that the infrastructure is trustworthy enough for the deployment of critical information
Building Systems Assurance
Validated System → Continuous Monitoring (Build Context, Analyze Context) → Rapid Response
(Diagram elements: Provisioned Assets, Systems Configuration, Communications, Identity Access, Third Parties, Data Locations, Vulnerabilities, Service Monitoring, Data Violations, Actionable Events, Advanced Threats, Manage Workflow, GRC Tools)
Session Wrap: How can we apply what we discussed today?
Our Discussion
• Protecting Data
• Sampling of Regulations and Standards
• Control Complexity and Management
• VCE Vblock Systems Compliance
• Technical Control Requirements
• Component Configuration
• Solution Ecosystem
• Security and Compliance Resources
• Solution Context
Our Application
• VCE Sales Resources: Multiple Sales Resources; Configuration Hardening Guides; Solution Guides & TAP Program; Compliance Guides
• Getting Additional Help: www.vce.com/security; www.vce.com/partners; VCE Security Product Management
• Chris.Davis@vce.com | 469-879-1223 | www.linkedin.com/christopherdavis
The Reference Monitor Concept Assurance: The grounds for confidence that the set of intended security controls in an information system are effective in their application.
Solution Delivery, Security, and Alignment: Three Approaches to Security
Solution Delivery (Technology Assets)
• Solution
• Storage
• Hypervisor
• Network
• Compute
Solution Security (Operations Processes)
• Respond
• Provision
• Monitor
• Configure
• Validate
Solution Alignment (Controls Defined by GRC; Managed by Tools)
• GRC Tools
• Governance
• Risk Management
• Frameworks
• Compliance
Security is Multidimensional. Interrelationships between Assets, Requirements, and Processes. (Diagram axes: Requirements, Processes, Workloads)
Building Compliant & Secure Systems
• Component, Infrastructure, and Systems Approach
• System Security Plan: PCI-DSS, HIPAA, FISMA, ISO27K, …
• Administrative and Physical Controls: Processes, Policies, Operating Procedures for Staff and Equipment; classed as Physical (e.g. COBIT) or Operational (e.g. FISMA) depending on the framework
• Technical Controls, Supporting Ecosystem: Identity & Access Management, Vulnerability Detection, Exploit Detection/Malware Prevention, Boundary Protection, Infrastructure Management, Systems Monitoring, Data Protection, Encryption
• Technical Controls, System Configuration: Accounts, Roles, Authentication, Authorization, Accounting/Logs, Secure Communications, Enabled Services, Service Hardening, Patch Management
• Layers: Alignment, Services, Infrastructure
Everything should be made as simple as possible – but not simpler. --Albert Einstein