Compliance with regulatory requirements is one of the key
IT security policy drivers for network managers in the financial,
insurance, healthcare, and government sectors, as well
as all publicly-traded companies. A comprehensive Network Access
Control (NAC) strategy can ease this
pressure by helping to ensure compliance while minimizing operational
and cost impacts.
Government regulations such as HIPAA, SOX, and GLBA require
changes to many network
security policies and procedures. In addition to ensuring
they understand the requirements,
network administrators need to be concerned not just about
complying, but also about
documenting compliance.
From the network perspective, compliance with these regulations
consists of the following requirements:
- Policies: Documented security policies to prevent intrusion and protect private information
- Authentication: Verification that no one is accessing data without authorization
- Access Control: Ensuring that only those with the proper privileges are accessing systems and data
- Remediation: Timely notification of, and rapid response to, security incidents
- Audit: Documentation regarding the use of systems, applications, and data
A comprehensive NAC strategy – one that addresses both
pre- and post-admission issues and
covers policy, endpoint compliance, and identity – can
help organizations effectively and efficiently address regulatory
compliance needs by automating these processes and providing the
appropriate audit and documentation information.
| Regulatory Requirement | NAC Capabilities |
| Policies | Identity management, endpoint compliance, and isolation policies are embedded in the NAC system |
| Authentication | Registration; authentication; role-based rules; location-based rules |
| Access Control | Role-based rules; location-based rules |
| Remediation | Captive gateway; alarms and notifications; automatic remediation; self-remediation |
| Audit | Documentation; machine connection location; machine connection and disconnect time; user login/logoff location; physical address and logical address correlation |
Financial Services
With fears of identity theft on the rise,
and greater concern about the integrity of online transactions,
companies in the financial services industry – credit
card companies, banks, lenders, brokerages, etc. – must
protect the integrity of customers’ financial information.
Regulations such as GLBA and the PCI Data
Security Standard require organizations to take all necessary
precautions to safeguard this data, including identifying threats,
implementing procedures to guard against those threats, managing
data access, and continually monitoring the effectiveness of
the organization’s policies and safeguards.
As all of this data typically resides in the corporate network,
NAC policies and procedures such as user authentication, role-based
access to network resources, endpoint compliance, and proactive
isolation of non-compliant or compromised machines are key to compliance.
GLBA
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial
Modernization Act of 1999, protects consumers’ personal financial
information, and affects financial institutions and credit reporting
agencies, as well as credit counseling services, lenders, brokerages,
and tax preparers.
The Financial Privacy Rule of the Act governs the collection and
disclosure of customers’ financial information, while the Safeguards
Rule requires affected organizations to design, implement, and maintain
safeguards to protect this information. Included among these safeguards
are information security policies, which must be documented and enforced.
PCI Data Security Standard
With consumers now making purchases over the phone, the Internet, via
mail, or in person, security is a key concern for the credit card and
retail industries. The Payment Card Industry (PCI) Data Security Standard
protects cardholder data by ensuring that merchants, service providers,
and even cardholders who use the Internet to access their account data
maintain the highest IT security standards.
The PCI Data Security Standard requires that merchants and service providers:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement effective access control measures
- Regularly monitor and test networks
- Maintain an information security policy
NAC policies and controls are central to the effective management of these issues.
Insurance
Insurance firms are governed by numerous regulations such as
HIPAA, Sarbanes-Oxley, and GLBA, and as such, must guard customers’ private
healthcare and financial information. To comply, they must
demonstrate robust network security policies and proactive
approaches to stopping hackers and neutralizing worms or other
threats that could compromise data. Among the responsibilities
these organizations face are:
- Identifying security risks to sensitive customer information
- Assessing existing safeguards and implementing new ones as required
- Monitoring the effectiveness of security safeguards
- Continually improving network security
A comprehensive NAC solution ensures data integrity by ensuring
that only authorized users
access data, and by preventing malware attacks or other security
breaches that can
compromise this data. Unauthorized users are not only blocked
from accessing data, but may
be blocked from accessing the network entirely. It can also
provide an audit of all network
activities, ensuring that organizations can demonstrate compliance.
Connection logs
documenting attempted unauthorized access can be used to identify
the vulnerable areas
(buildings, floors, rooms, etc.) that can then be monitored
more closely.
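The audit fields listed in the capability table above (machine connection location, connect and disconnect time, user login location, and physical-to-logical address correlation) and the use of connection logs to find areas with repeated unauthorized attempts can be shown with a small log-correlation script. The following is an added example, not code from this page or from any NAC product: the key=value log format, the switch names, the switch-to-location table, and the sample log lines are all constructed for illustration.

```python
"""Correlate NAC connection-log events into audit records.

Added example, not a NAC product's code: the key=value log format, switch
names and the switch-to-location table are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed switch-to-location table (assumed to be exported from an
# asset inventory or cabling database).
SWITCH_LOCATIONS = {
    "bldgA-fl2-sw1": ("Building A", "Floor 2", "Room 204"),
    "bldgA-fl3-sw1": ("Building A", "Floor 3", "Room 310"),
}
UNKNOWN_LOCATION = ("unknown", "unknown", "unknown")

# Constructed sample log: one event per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z event=CONNECT mac=00:11:22:33:44:01 ip=10.1.10.21 user=asmith switch=bldgA-fl2-sw1 port=12 result=ALLOW
2024-03-04T08:02:40Z event=CONNECT mac=00:11:22:33:44:02 ip=10.1.10.22 user=- switch=bldgA-fl2-sw1 port=13 result=DENY reason=unregistered
2024-03-04T08:03:05Z event=CONNECT mac=00:11:22:33:44:03 ip=10.1.30.7 user=bjones switch=bldgA-fl3-sw1 port=2 result=DENY reason=endpoint-noncompliant
2024-03-04T08:10:00Z event=CONNECT mac=00:11:22:33:44:04 ip=10.1.30.8 user=cwu switch=bldgA-fl3-sw1 port=3 result=ALLOW
2024-03-04T08:15:30Z event=CONNECT mac=00:11:22:33:44:02 ip=10.1.10.22 user=- switch=bldgA-fl2-sw1 port=13 result=DENY reason=unregistered
2024-03-04T09:31:12Z event=DISCONNECT mac=00:11:22:33:44:01 switch=bldgA-fl2-sw1 port=12
2024-03-04T12:10:00Z event=DISCONNECT mac=00:11:22:33:44:04 switch=bldgA-fl3-sw1 port=3
"""


def parse_line(line):
    """Parse one log line into a dict with a UTC timestamp and its fields."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    # Physical location is derived from the switch the port belongs to.
    rec["location"] = SWITCH_LOCATIONS.get(rec.get("switch"), UNKNOWN_LOCATION)
    return rec


def parse_log(text):
    """Parse a whole log, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _session(start, end_ts):
    """Build one audit record from an allowed CONNECT and its DISCONNECT time."""
    duration = None if end_ts is None else int((end_ts - start["ts"]).total_seconds() // 60)
    return {
        "user": start["user"], "mac": start["mac"], "ip": start["ip"],
        "location": start["location"], "connected": start["ts"],
        "disconnected": end_ts, "duration_min": duration,
    }


def build_sessions(events):
    """Pair each allowed CONNECT with the next DISCONNECT for the same MAC.

    Each session carries the audit fields from the capability table: user,
    physical address (MAC), logical address (IP), location, and the
    connect/disconnect times.
    """
    open_by_mac = {}
    sessions = []
    for e in events:
        if e["event"] == "CONNECT" and e.get("result") == "ALLOW":
            open_by_mac[e["mac"]] = e
        elif e["event"] == "DISCONNECT" and e["mac"] in open_by_mac:
            start = open_by_mac.pop(e["mac"])
            sessions.append(_session(start, e["ts"]))
    # Devices still connected at the end of the log have no disconnect time yet.
    sessions.extend(_session(start, None) for start in open_by_mac.values())
    return sessions


def denied_by_location(events):
    """Count denied connection attempts per (building, floor, room).

    Locations with repeated denials are the areas the text suggests
    monitoring more closely.
    """
    return Counter(e["location"] for e in events
                   if e["event"] == "CONNECT" and e.get("result") == "DENY")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for s in build_sessions(evs):
        print(s["user"], s["mac"], s["ip"], "/".join(s["location"]),
              s["connected"].isoformat(), s["disconnected"], s["duration_min"])
    for loc, n in denied_by_location(evs).most_common():
        print("denied attempts:", n, "at", "/".join(loc))
```

The session records are the documentation an auditor asks for (who, from which MAC and IP, where, and when), while the per-location denial counts give the building/floor/room view the text describes; in a real deployment the location table would come from the switch inventory rather than a literal in the script.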
Healthcare
Hospitals, doctors’ offices, public health organizations,
and any other organization that deals with medical records
and health information must ensure the integrity of electronic
health data. With increased use of electronic health transactions – from
telemedicine to doctors logging into hospital systems remotely – regulations
such as HIPAA require stringent network controls. In fact,
HIPAA requires that companies appoint an Information Security
Official (ISO) to be in charge of HIPAA compliance within the
organization.
HIPAA requires
every regulated organization to document its compliance with
54 standards governing how it handles electronic Protected
Health Information (ePHI).
HIPAA
Designed to protect the integrity and confidentiality of patient health
information, the Health Insurance Portability and Accountability Act
(HIPAA) requires not only control over who is accessing confidential
data, but also requires organizations to actively reduce security risks
and conduct a thorough risk analysis of their systems.
HIPAA affects health plans, doctors, hospitals, and other healthcare
providers and provides patients with access to their medical records and
more control over how their personal health information is used and
disclosed. Under HIPAA, organizations engaged in the business of
healthcare must provide patients with the following, among other
requirements:
- Access to medical records
- Notice of privacy practices
- Limits on use of personal medical information
- Confidential communications
A NAC solution can ensure that only authorized users and devices
can access information, and
that those devices are compliant, thus ensuring network integrity.
It can also provide the
documentation and data necessary to outline security policies
and assess risk.
Government
Government agencies – at the local, state, and federal level – must
secure networks in the face of growing regulations, such as FISMA, with
shrinking IT budgets. With homeland security concerns, recently
publicized examples of VA and Social Security data being compromised,
and an expanding regulatory environment, government organizations must
maintain and document a broad range of network security processes.
Network administrators in the government
environment are tasked with maintaining large stores
of information – typically accessed by large groups of
people – while still ensuring security.
Their network security policies are driven by regulatory concerns on
the one hand, and by the need for quick and reliable access to that
information on the other. A robust NAC solution can help balance these
IT realities with the regulatory requirements government network
administrators face.
FISMA
The Federal Information Security Management Act of 2002 (FISMA) is
focused on bolstering network security within government agencies and
affiliated third parties, such as government contractors.
The Act imposes a mandatory set of information technology processes
that all government agencies and contractors must follow, including
network security policies. Among FISMA’s provisions is continuous
monitoring of security controls to ensure compliance and network integrity.
NAC solutions help government network administrators to automate the
network security process, ensure compliance with published and mandated
policies, and log all network activities to document compliance. By
ensuring that all policies are enforced – and that each user and machine
accessing the network is recognized and provided appropriate access –
government agencies can ensure that they are in compliance with FISMA
standards, while maintaining network performance.
Publicly Held Companies
All publicly traded companies in the US are affected by Sarbanes-Oxley,
considered by some to be the most sweeping change to US securities
law since the 1930s. Passed in response to accounting scandals,
Sarbanes-Oxley (SOX) requires all companies that come under
the jurisdiction of the Securities and Exchange Commission
to closely regulate their accounting practices.
Financial controls are largely driven by
IT systems and as such, network administrators have a
high degree of responsibility in ensuring SOX compliance. They
must ensure data integrity, provide proactive approaches to
risks, and effectively monitor and manage who is accessing data
and applications.
Sarbanes-Oxley and SAS 70
The Sarbanes-Oxley (SOX) Act of 2002 affects all publicly traded
companies in the United States under the jurisdiction of the Securities
and Exchange Commission. Designed to restore investor confidence and
safeguard against abuses following well-publicized bankruptcies, SOX
requires the formation of a Public Company Accounting Oversight Board
and specifies certification of financial results as well as an assertion
of internal controls.
This assertion of internal controls – outlined in Section 404 of SOX –
requires management to document all controls that are significant to the
financial reporting process – including many aspects of NAC, such as
identity management, timely reporting and remediation of security
breaches, and usage policy enforcement actions. The SAS 70 auditing
standard (full name – Statement on Auditing Standards, No. 70, Service
Organizations) is designed to certify the quality of information security
controls, among other processes.