Bradford Networks

REGULATORY COMPLIANCE

Compliance with regulatory requirements is one of the key IT security policy drivers for network managers in the financial, insurance, healthcare, and government sectors, as well as for all publicly traded companies. A comprehensive Network Access Control (NAC) strategy can ease this pressure by helping to ensure compliance while minimizing operational and cost impacts.

Government regulations such as HIPAA, SOX, and GLBA require changes to many network security policies and procedures. In addition to ensuring they understand the requirements, network administrators need to be concerned not just about complying, but also about documenting compliance. From the network perspective, compliance with these regulations consists of the following requirements:

  1. Policies: Documented security policies to prevent intrusion and protect private information
  2. Authentication: Verification that no one is accessing data without authorization
  3. Access Control: Ensuring that only those with the proper privileges are accessing systems and data
  4. Remediation: Timely notification of, and rapid response to, security incidents
  5. Audit: Documentation regarding the use of systems, applications, and data

A comprehensive NAC strategy, one that addresses both pre- and post-admission issues and covers policy, endpoint compliance, and identity, can help organizations effectively and efficiently address regulatory compliance needs by automating these processes and providing the appropriate audit and documentation information.

Regulatory Requirement    NAC Capabilities
Policies                  • Identity management, endpoint compliance, and isolation policies embedded in the NAC system
Authentication            • Registration
                          • Authentication
                          • Role-based rules
                          • Location-based rules
Access Control            • Role-based rules
                          • Location-based rules
Remediation               • Captive gateway
                          • Alarms and notifications
                          • Automatic remediation
                          • Self-remediation
Audit                     • Documentation
                          • Machine connection location
                          • Machine connection and disconnect time
                          • User login/logoff location
                          • Physical (MAC) address and logical (IP) address correlation

Financial Services

With fears of identity theft on the rise, and greater concern about the integrity of online transactions, companies in the financial services industry – credit card companies, banks, lenders, brokerages, etc. – must protect the integrity of customers’ financial information.

Regulations such as GLBA and industry standards such as the PCI Data Security Standard require organizations to take all necessary precautions to safeguard this data, including identifying threats, implementing procedures to guard against those threats, managing data access, and continually monitoring the effectiveness of the organization’s policies and safeguards.

As all of this data typically resides in the corporate network, NAC policies and procedures such as user authentication, role-based access to network resources, endpoint compliance, and proactive isolation of non-compliant or compromised machines, are key to compliance.

GLBA

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, protects consumers’ personal financial information, and affects financial institutions and credit reporting agencies, as well as credit counseling services, lenders, brokerages, and tax preparers.

The Financial Privacy Rule of the Act governs the collection and disclosure of customers’ financial information, while the Safeguards Rule requires affected organizations to design, implement, and maintain safeguards to protect this information. Included among these safeguards are Information Security policies, which must be documented and enforced.


PCI Data Security Standard

With consumers now making purchases over the phone, the Internet, via mail, or in person, security is a key concern for the credit card and retail industries. The Payment Card Industry (PCI) Data Security Standard protects cardholder data by requiring that merchants and service providers that store, process, or transmit cardholder data maintain a defined baseline of IT security controls.

The PCI Data Security Standard requires that merchants and service providers:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

NAC policies and controls are central to the effective management of these issues.

Insurance

Insurance firms are governed by numerous regulations such as HIPAA, Sarbanes-Oxley, and GLBA, and as such, must guard customers’ private healthcare and financial information. To comply, they must demonstrate robust network security policies and proactive approaches to stopping hackers and neutralizing worms or other threats that could compromise data. Among the responsibilities these organizations face are:
  • Identifying security risks to sensitive customer information
  • Assessing existing safeguards and implementing new ones as required
  • Monitoring the effectiveness of security safeguards
  • Continually improving network security

GLBA

The Gramm-Leach-Bliley Act (GLBA) also applies to insurers that collect and hold consumers’ personal financial information; its Financial Privacy Rule and Safeguards Rule are described above under Financial Services.

A comprehensive NAC solution protects data integrity by allowing only authorized users to access data and by limiting the malware infections and other security breaches that can compromise it. Unauthorized users are not only blocked from accessing data, but may be blocked from accessing the network entirely. It can also provide an audit of all network connection activity, so that organizations can demonstrate compliance. Connection logs documenting attempted unauthorized access can be used to identify the vulnerable areas (buildings, floors, rooms, etc.) that can then be monitored more closely.

Healthcare

Hospitals, doctors’ offices, public health organizations, and any other organization that deals with medical records and health information must ensure the integrity of electronic health data. With increased use of electronic health transactions, from telemedicine to doctors logging into hospital systems remotely, regulations such as HIPAA require stringent network controls. HIPAA’s Security Rule also requires each covered entity to designate a security official responsible for developing and implementing its security policies and procedures.

HIPAA requires every regulated organization to document its compliance with 54 standards governing how it handles electronic Protected Health Information (ePHI).

HIPAA

Designed to protect the integrity and confidentiality of patient health information, the Health Insurance Portability and Accountability Act (HIPAA) requires not only control over who is accessing confidential data, but also requires organizations to actively reduce security risks and conduct a thorough risk analysis of their systems.

HIPAA affects health plans, doctors, hospitals, and other healthcare providers and provides patients with access to their medical records and more control over how their personal health information is used and disclosed. Under HIPAA, organizations engaged in the business of healthcare must provide patients with the following, among other requirements:

  • Access to medical records
  • Notice of privacy practices
  • Limits on use of personal medical information
  • Confidential communications

A NAC solution can ensure that only authorized users and devices can access information, and that those devices are compliant, thus ensuring network integrity. It can also provide the documentation and data necessary to outline security policies and assess risk.

Government

Government agencies, at the local, state, and federal levels, must secure networks in the face of growing regulations, such as FISMA, with shrinking IT budgets. With homeland security concerns, recently publicized examples of VA and Social Security data being compromised, and an expanding regulatory environment, government organizations must maintain and document a broad range of network security processes.

Network administrators in the government environment are tasked with maintaining large stores of information – typically accessed by large groups of people – while still ensuring security. These policies are driven by regulatory concerns on the one hand, and the need for quick and reliable access to the information on the other hand. A robust NAC solution can help balance IT realities with the regulatory requirements government network administrators face.

FISMA

The Federal Information Security Management Act of 2002 (FISMA) is focused on bolstering information security within federal agencies and the affiliated third parties, such as government contractors, that operate systems on their behalf.

The Act imposes a mandatory set of information security processes that all federal agencies and their contractors must follow, including network security policies. Among FISMA’s provisions is continuous monitoring of security controls to confirm that they remain in place and effective.

NAC solutions help government network administrators to automate the network security process, ensure compliance with published and mandated policies, and log all network connection activity to document compliance. By ensuring that all policies are enforced, and that each user and machine accessing the network is recognized and provided appropriate access, government agencies can demonstrate compliance with FISMA requirements while maintaining network performance.

Publicly Held Companies

All publicly traded companies in the US are affected by Sarbanes-Oxley, considered by some to be the most sweeping change to US securities law since the 1930s. Passed in response to accounting scandals, Sarbanes-Oxley (SOX) requires all companies who come under the jurisdiction of the Securities and Exchange Commission to closely regulate their accounting practices.

Financial controls are largely driven by IT systems and as such, network administrators have a high degree of responsibility in ensuring SOX compliance. They must ensure data integrity, provide proactive approaches to risks, and effectively monitor and manage who is accessing data and applications.

Sarbanes-Oxley and SAS 70

The Sarbanes-Oxley (SOX) Act of 2002 affects all publicly traded companies in the United States under the jurisdiction of the Securities and Exchange Commission. Designed to restore investor confidence and safeguard against abuses following well-publicized bankruptcies, SOX requires the formation of a Public Company Accounting Oversight Board and specifies certification of financial results as well as an assertion of internal controls.

This assertion of internal controls, outlined in Section 404 of SOX, requires management to document all controls that are significant to the financial reporting process, including many aspects of NAC such as identity management, timely reporting and remediation of security breaches, and usage policy enforcement actions. The SAS 70 auditing standard (Statement on Auditing Standards No. 70, Service Organizations) is used by independent auditors to examine and report on a service organization’s controls, including its information security controls.

© 1999-2008 Bradford Networks. All rights reserved.