Compliance with regulatory requirements is one of the key
IT security policy drivers for network managers in the financial,
insurance, healthcare, and government sectors, as well
as all publicly-traded companies. A comprehensive Network Access
Control (NAC) strategy can ease this
pressure by helping to ensure compliance while minimizing operational
and cost impacts.
The table below lists key requirements common to all regulations and how NAC functionality addresses each of them.
| Regulatory Requirement | NAC Functionality |
| --- | --- |
| Policies | Role-based access; endpoint compliance; usage policy enforcement |
| Authentication | Registration; authentication; directory integration; group membership |
| Access Control | Allow, restrict or deny access; customized access by role, location, time |
| Remediation | Self-remediation; captive gateway; alarms and notifications; automatic remediation |
| Audit | Detailed audit trails; connection logs with machine location, time and duration; registration logs with successes and failures; endpoint scan results; physical address and logical address correlation |
PCI

The credit card industry has responded to numerous high-profile security breaches by developing and evolving the Payment Card Industry Data Security Standard, or PCI DSS. Supported by all major credit card issuers, this mandatory standard impacts all organizations that accept credit cards. PCI DSS requires that cardholder data be processed and stored on secure systems on secure networks.
Bradford has a solution that addresses 9 of the 12 high-level PCI DSS requirements.
Financial Services

With fears of identity theft on the rise, and greater concern about the integrity of online transactions, companies in the financial services industry (credit card companies, banks, lenders, brokerages, etc.) must protect the integrity of customers' financial information. GLBA regulations require organizations to take all necessary precautions to safeguard this data, including identifying threats, managing data access, and continually monitoring the effectiveness of the organization's policies and safeguards.
Bradford solutions address 15 of 52 GLBA control areas.
Regulations such as GLBA require organizations to take all necessary
precautions to safeguard this data, including identifying threats,
implementing procedures to guard against those threats, managing
data access, and continually monitoring the effectiveness of
the organization’s policies and safeguards.
As all of this data typically resides in the corporate network,
NAC policies and procedures such
as user authentication, role-based access to network resources,
endpoint compliance, and
proactive isolation of non-compliant or compromised machines,
are key to compliance.
GLBA

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, protects consumers' personal financial information and affects financial institutions and credit reporting agencies, as well as credit counseling services, lenders, brokerages, and tax preparers.

The Financial Privacy Rule of the Act governs the collection and disclosure of customers' financial information, while the Safeguards Rule requires affected organizations to design, implement, and maintain safeguards to protect this information. Included among these safeguards are information security policies, which must be documented and enforced.
Insurance

Insurance firms are governed by numerous regulations such as HIPAA, Sarbanes-Oxley, and GLBA, and as such must guard customers' private healthcare and financial information.
To comply, they must
demonstrate robust network security policies and proactive
approaches to stopping hackers and neutralizing worms or other
threats that could compromise data. Among the responsibilities
these organizations face are:
- Identifying security risks to sensitive customer information
- Assessing existing safeguards and implementing new ones
as required
- Monitoring the effectiveness of security safeguards
- Continually improving network security
A comprehensive NAC solution protects data integrity by ensuring that only authorized users access data, and by preventing malware attacks or other security breaches that could compromise it. Unauthorized users are not only blocked from accessing data, but may be blocked from accessing the network entirely. It can also provide an audit of all network activities, so that organizations can demonstrate compliance. Connection logs documenting attempted unauthorized access can be used to identify the vulnerable areas (buildings, floors, rooms, etc.) that can then be monitored more closely.
Healthcare

Hospitals, doctors' offices, public health organizations, and any other organization that deals with medical records and health information must ensure the integrity of electronic health data. With increased use of electronic health transactions, from telemedicine to doctors logging into hospital systems remotely, HIPAA regulations require stringent network controls.
Bradford solutions address 11 of 18 HIPAA standards.
HIPAA

Designed to protect the integrity and confidentiality of patient health information, the Health Insurance Portability and Accountability Act (HIPAA) requires not only control over who is accessing confidential data, but also requires organizations to actively reduce security risks and conduct a thorough risk analysis of their systems.
HIPAA affects health plans, doctors,
hospitals, and other healthcare providers and provides
patients with access to their medical records and more
control over how their personal health information is
used and disclosed. Under HIPAA, organizations engaged
in the business of healthcare must provide patients with
the following, among other requirements:
- Access to medical records
- Notice of privacy practices
- Limits on use of personal medical information
- Confidential communications
A NAC solution can ensure that only authorized users and devices can access information, and that those devices are compliant, thus ensuring network integrity. It can also provide the documentation and data necessary to outline security policies and assess risk.
Government - US

US government agencies, at the local, state, and federal level, must secure networks in the face of growing regulations, such as FISMA, with shrinking IT budgets. With homeland security concerns, recently publicized examples of VA and Social Security data being compromised, and an expanding regulatory environment, government organizations must maintain and document a broad range of network security processes.
Network administrators in the government environment are tasked with maintaining large stores of information, typically accessed by large groups of people, while still ensuring security. Their security policies are driven by regulatory concerns on the one hand, and by the need for quick and reliable access to the information on the other. A robust NAC solution can help balance IT realities with the regulatory requirements government network administrators face.
FISMA

The Federal Information Security Management Act of 2002 (FISMA) is focused on bolstering network security within government agencies and affiliated third parties, such as government contractors.
The Act imposes a mandatory set of information technology processes that all government agencies and contractors must follow, including network security policies. Among FISMA's provisions is continuous monitoring of security controls to ensure compliance and network integrity.
NAC solutions help government network administrators to automate the network security process, ensure compliance with published and mandated policies, and log all network activities to document compliance. By ensuring that all policies are enforced, and that each user and machine accessing the network is recognized and provided appropriate access, government agencies can ensure that they are in compliance with FISMA standards while maintaining network performance.
Government - UK

The UK government has created the Government Secure Intranet (GSi) for all UK government organizations and local governments. The Code of Connection (CoCo) has been developed to ensure secure connections to the GSi network. CoCo describes a set of security controls which must be in place by March 31, 2009.
Bradford solutions address 18 of 28 CoCo control areas.
Code of Connection (CoCo)

CoCo requires organisations to have a prescribed set of security controls in place prior to connecting to the GSi network.
NAC addresses network control issues that older legacy solutions like firewalls, host-based identity, and access management products were never designed to counter. Bradford NAC solutions enable CoCo compliance by automating enforcement of strict access control policies and ensuring that devices attaching to networks satisfy specific security requirements.

For more information on the CoCo standard see http://www.govconnect.gov.uk
Publicly Held Companies

All publicly traded companies in the US are affected by Sarbanes-Oxley, considered by some to be the most sweeping change to US securities law since the 1930s. Passed in response to accounting scandals, Sarbanes-Oxley (SOX) requires all companies that come under the jurisdiction of the Securities and Exchange Commission to closely regulate their accounting practices.
Financial controls are largely driven by
IT systems and as such, network administrators have a
high degree of responsibility in ensuring SOX compliance. They
must ensure data integrity, provide proactive approaches to
risks, and effectively monitor and manage who is accessing data
and applications.
Sarbanes-Oxley and SAS 70

The Sarbanes-Oxley (SOX) Act of 2002 affects all publicly traded companies in the United States under the jurisdiction of the Securities and Exchange Commission. Designed to restore investor confidence and safeguard against abuses following well-publicized bankruptcies, SOX requires the formation of a Public Company Accounting Oversight Board and specifies certification of financial results as well as an assertion of internal controls.
This assertion of internal controls, outlined in Section 404 of SOX, requires management to document all controls that are significant to the financial reporting process, including many aspects of NAC, such as identity management, timely reporting and remediation of security breaches, and usage policy enforcement actions. The SAS 70 auditing standard (full name: Statement on Auditing Standards, No. 70, Service Organizations) is designed to certify the quality of information security controls, among other processes.