your partner in compliance.
Sentinel can play an essential role in the ever-changing world of network security compliance. Here are a few examples of current laws and guidelines in place, and how the Sentinel can help you comply.
city, county, and state government
The Center for Internet Security – manager of the MS-ISAC – has published a “prioritized set of actions” to protect “organizations and data from known cyber attack vectors.” (Their words.) Through a combination of our managed threat protection and vulnerability assessment tools, Sentinel can play a significant role in fulfilling several of the controls, including:
- Control #3: Continuous Vulnerability Management
- Control #8: Malware Defenses
- Control #9: Limitation and Control of Network Ports, Protocols and Services
- Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
- Control #12: Boundary Defense
- Control #13: Data Protection
Learn more about CIS controls at https://www.cisecurity.org/controls/
NIST CSF and FISMA
The Federal Information Security Management Act (FISMA) requires every federal agency to implement an information security strategy that protects that agency’s “operations and assets”. In turn, the National Institute of Standards and Technology (NIST) has created the standards and guidelines that agencies must follow. Sentinel’s Network Cloaking and reporting functions play an important role in meeting several of the NIST Minimum Security Requirements. Here are a few examples:
- Access Control. Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
- Audit and Accountability. Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
- Incident Response. Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
More on NIST CSF at https://www.nist.gov/cyberframework
The Health Insurance Portability and Accountability Act (HIPAA) contains specific guidelines to protect the privacy of individuals’ health information and sets national standards for the security of electronic health records. Sentinel helps organizations comply with HIPAA’s ‘Security Management Process’ and ‘Security Incident Procedures’ as a solution to prevent and detect security violations and provide reporting for security incidents.
More about HIPAA at https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
credit card processing
As an important piece in the network security puzzle, Sentinel’s managed Intrusion Prevention System helps organizations comply with PCI requirements by protecting stored credit cardholder data, keeping our signature database up to date, and providing reporting to aid in regular testing of security systems and processes. Our Internal Intelligence device also lets organizations find infected machines inside their LAN, providing them with a way to monitor the effectiveness of their anti-virus software.
Read more at the PCI Security Standards Council website: https://www.pcisecuritystandards.org/pci_security/
The Gramm-Leach-Bliley Act (GLBA) is a federal law that applies to financial institutions. GLBA regulations require financial institutions to protect customers’ confidentiality, anticipate threats, and protect against unauthorized access to customer information. The Federal Financial Institutions Examination Council (FFIEC) is charged with providing specific guidelines for GLBA compliance.
Sentinel Outpost’s Network Cloaking and reporting functions satisfy several of these guidelines, for example (their words, not ours):
- Protect against the risk of malicious code by implementing appropriate controls at the host and network level to prevent and detect malicious code
- IDS and IPS monitoring of incoming and outgoing network traffic, including signature and anomaly-based traffic monitors
- Filtering to protect against attacks such as cross-site scripting and SQL injection
- Monitoring network and host activity to identify policy violations and anomalous behavior
- Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events.
Straight from the Federal Trade Commission:
publicly traded companies
The Sarbanes-Oxley Act (SOX) sets new or enhanced standards for all public company boards, management and public accounting firms. The bill was a reaction to the many corporate financial scandals of the late 1990s and early 2000s, such as Enron, Tyco International, and WorldCom. SOX requires the management of a publicly traded company to demonstrate that it has the proper internal controls in place to protect the organization’s financial information, including the prevention and detection of network security breaches. Of course, this is exactly what Sentinel’s systems are designed to do.
Nothing better to do? Want to read the whole bill? Here it is:
We help our customers prevent and detect data breaches and actively monitor the security of their networks, allowing them to respond quickly to issues and providing them the support they need. Utilizing threat protection and network visibility technologies like Network Cloaking, Active Threat Intelligence, and vulnerability scanning externally and internally – in addition to simple, easy to understand reporting – Sentinel provides protection and support for all types of compliance requirements, including GDPR.
Learn more from this CSO Online article:
Yes, compliance is … well, boring, and tricky. We can work with you to figure out how we fit in, and what else you may need. Don’t be afraid to lean on us for help.