The Regulation Zoo: Dealing With Compliance Within The Firewall World

The Regulation Zoo: Dealing With Compliance Within The Firewall World
Avishai Wool, CTO & Co-Founder, AlgoSec

Agenda
- Introduction
- Relevant Regulations
- Common Themes
- Demo

The Regulations Zoo
- Sarbanes-Oxley Act (SOX)
- Japanese Financial Instruments Law (J-SOX)
- Euro-SOX – Company Law Directive 8 – coming soon (?)
- PCI DSS – Payment Card Industry Data Security Standard
- ISO 27001
- FISMA – US federal agencies
- HIPAA – US healthcare industry
- Basel II – banking
Confidential

Sarbanes-Oxley Act (SOX)
- Goal: protect the accuracy of financial data
- Background: financial scandals (Enron, …)
- Affects public companies on US stock exchanges and multinational corporations
- Financial data is on computers … computers are on networks … firewalls enforce access to networks … so firewalls become regulated

Working with SOX
- The law is very “high-level” (10,000 meter altitude…); very hard to act based on it
- COSO framework: 6 major “Components”; more grounded than the law (5,000 meter…)
- CobiT framework: 34 “Control Objectives”; almost something you can work with (2,000 meter…)

SOX “cousins and relatives”
- Japan (J-SOX): “Japanese Financial Instruments Law”
  - Equivalent to SOX + COSO, but in Japanese
  - Seems to accept the CobiT framework
- EU: “Company Law Directive 8”
  - Approved by EU institutions (very high level)
  - Implementation framework? Sent to member countries for implementation guidelines
  - Coming soon?

PCI DSS – Payment Card Industry
- Goal: protect credit card information
- Background: credit card fraud / theft
- Affects any organization that handles credit cards (in stages, from large down to small)
- Enforced aggressively by the credit card companies
- Credit card data is on computers … computers are on networks … firewalls enforce access to networks … so firewalls become regulated

Working with PCI DSS
Includes very specific “commandments” for firewalls:
- Thou shalt have a DMZ on your firewall
- Thou shalt NOT allow services other than HTTP, SSL, SSH and VPN through the firewall (without convincing documentation)
- Thou shalt use NAT and avoid routable addresses
- Thou shalt have a connectivity diagram of the firewall
- Thou shalt assess / scan your firewalls quarterly
- Etc., etc.

ISO 27001
- General standard for any Information Security Management System (ISMS)
- Voluntary compliance, but widespread in Europe
- British standard BS 7799 → ISO 17799 → ISO 27001/2
- Motto: Plan / Do / Check / Act [PDCA]
- Firewalls are clearly part of any ISMS … so firewalls become regulated

More Regulations
- HIPAA
  - Goal: control the privacy of personal medical information
  - Affects any US organization in the healthcare industry (hospitals, clinics, insurance companies, pharmaceutical)
- Basel II
  - Goal: control banking (and inter-banking) data
  - Affects any bank (that wants to do business with other banks)
- FISMA
  - Affects US federal agencies

Common Themes – for Firewalls
- Control the Risk
- Control the Changes
- Control the Infrastructure
- Compliance Reporting

Control the Risk
- Define a security policy, or use industry best practices as your policy
- Review your rule-base for security policy violations
  - Periodic internal / external audit
  - Software systems
  - Scan (PCI mandates a scan by a “QSA”)
- Avoid high risks
  - PCI and FISMA give specific requirements about risky services
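As an added example (not from the deck and not AlgoSec code), a small Python review of a constructed rule-base against the PCI-style “commandments” above: accept rules for services outside the HTTP / SSL / SSH / VPN allow-list are flagged unless documented, an “any” service is always flagged, and destinations outside RFC 1918 space are flagged as routable where NAT is expected. The service spellings, the “JUSTIFIED:” comment convention and the sample rules are assumptions.

```python
import ipaddress

# Services the slide lets through to the cardholder environment (assumption: "SSL" is HTTPS, "VPN" is IPsec).
ALLOWED_INBOUND = {"http", "https", "ssh", "ipsec"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
JUSTIFICATION_TAG = "justified:"  # assumed convention for the "convincing documentation" the slide requires

# Constructed sample rule-base; not taken from any real firewall.
RULEBASE = [
    {"id": 1, "src": "any", "dst": "10.10.1.0/24", "svc": "https", "action": "accept", "comment": "web tier"},
    {"id": 2, "src": "any", "dst": "10.10.1.5", "svc": "telnet", "action": "accept", "comment": ""},
    {"id": 3, "src": "any", "dst": "10.10.1.6", "svc": "smtp", "action": "accept",
     "comment": "JUSTIFIED: mail relay, change ticket CHG-0042"},
    {"id": 4, "src": "any", "dst": "203.0.113.7", "svc": "https", "action": "accept", "comment": "legacy host"},
    {"id": 5, "src": "any", "dst": "10.10.1.0/24", "svc": "any", "action": "accept", "comment": "temporary"},
    {"id": 6, "src": "any", "dst": "any", "svc": "any", "action": "drop", "comment": "cleanup rule"},
]

def is_rfc1918(dst):
    """True if the destination (host or CIDR) lies entirely inside RFC 1918 private space."""
    if dst == "any":
        return False
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)

def check_rule(rule):
    """Return the PCI-style findings for one rule; drop rules let nothing through, so none apply."""
    findings = []
    if rule["action"] != "accept":
        return findings
    svc = rule["svc"].lower()
    documented = rule["comment"].lower().startswith(JUSTIFICATION_TAG)
    if svc == "any":
        findings.append(f"rule {rule['id']}: permits any service; documentation cannot justify this")
    elif svc not in ALLOWED_INBOUND and not documented:
        findings.append(f"rule {rule['id']}: service {svc!r} not in allow-list and not documented")
    if not is_rfc1918(rule["dst"]):
        findings.append(f"rule {rule['id']}: destination {rule['dst']} is routable; NAT expected")
    return findings

def audit(rulebase):
    """Run every rule through check_rule and return the flattened list of findings."""
    return [finding for rule in rulebase for finding in check_rule(rule)]

if __name__ == "__main__":
    for line in audit(RULEBASE):
        print(line)
```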

Control the Changes
- Have a firewall rule change process: Request / Plan / Implement / Validate
- Track firewall changes
  - At least: who did what, where, when
  - Better: also why

Control the Changes – cont.
- Alerting / monitoring
  - Set up e-mail / syslog / SNMP
  - Send alerts when changes are detected
  - Better: integrate with a SIM system
- Audit
  - Keep change records for a long time
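As an added example (not from the deck and not AlgoSec code), a Python sketch of the change tracking the last two slides describe: two constructed rule-base snapshots are diffed, each difference becomes a who / what / where / when / why record, and each record is emitted as a syslog-style alert line. The snapshot format, the device name, the user name and the PRI value are assumptions.

```python
from datetime import datetime, timezone

# Two constructed rule-base snapshots (rule id -> rule text) of a fictitious device;
# a real collector would pull these from the firewall on a schedule or on every commit.
BEFORE = {
    1: "accept any -> 10.10.1.0/24 https",
    2: "accept 10.20.0.0/16 -> 10.10.1.5 ssh",
    3: "drop any -> any any",
}
AFTER = {
    1: "accept any -> 10.10.1.0/24 https",
    2: "accept any -> 10.10.1.5 ssh",      # source widened from one subnet to any
    4: "accept any -> 10.10.1.9 telnet",   # new rule, no ticket
    3: "drop any -> any any",
}

def diff_rulebases(before, after):
    """Return (kind, rule_id, old, new) for every rule that was added, removed or modified."""
    changes = []
    for rid in sorted(set(before) | set(after)):
        old, new = before.get(rid), after.get(rid)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append((kind, rid, old, new))
    return changes

def change_records(changes, device, who, when, why):
    """Attach who / what / where / when / why; a missing 'why' is recorded as such, not hidden."""
    return [
        {"who": who, "where": device, "when": when,
         "what": f"{kind} rule {rid}: {old!r} -> {new!r}",
         "why": why or "UNDOCUMENTED"}
        for kind, rid, old, new in changes
    ]

def syslog_line(rec):
    """RFC 5424-style line; PRI 132 = facility local0 (16) * 8 + severity warning (4)."""
    return (f"<132>1 {rec['when']} {rec['where']} fw-change-audit - - - "
            f"who={rec['who']} why={rec['why']} what={rec['what']}")

if __name__ == "__main__":
    when = datetime.now(timezone.utc).isoformat()
    for rec in change_records(diff_rulebases(BEFORE, AFTER), "fw-dmz-01", "admin2", when, ""):
        print(syslog_line(rec))
```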

Control the Infrastructure
- Connectivity diagram: maintain an up-to-date diagram
- Firewall management
  - Avoid default passwords
  - Avoid default settings

Compliance Reporting
- Each regulation has its own reporting requirements
- Lengthy forms that require a long time to complete

The AlgoSec Firewall Analyzer: live demo – Compliance

Questions?
E-mail: yash@eng.tau.ac.il, avishai.wool@algosec.com
http://www.algosec.com