Chamber Technology Committee Presentation



This is another compliance presentation that I did for the Tyler Chamber of Commerce Technology Committee.

Transcript of Chamber Technology Committee Presentation

Page 1: Chamber Technology Committee Presentation

Exceptional Technology Solutions, LLC

Tyler Chamber of Commerce Technology Committee

The State of

Security and Compliance

Page 2: Chamber Technology Committee Presentation

Social Media

SPAM – Spyware – Malware – Social Engineering

Page 3: Chamber Technology Committee Presentation
Page 4: Chamber Technology Committee Presentation
Page 5: Chamber Technology Committee Presentation

• Federal Bureau of Investigation – Criminal Justice Information Systems

• Health Insurance Portability and Accountability Act

• Payment Card Industry - Data Security Standard

• The Sarbanes-Oxley Act of 2002

Page 6: Chamber Technology Committee Presentation

What is PCI-DSS

• PCI DSS applies to organizations that “store, process or transmit cardholder data” for credit cards. One of the requirements of PCI DSS is to “track…all access to network resources and cardholder data”.

Page 7: Chamber Technology Committee Presentation

PCI DSS 2.0 Requirements

Penalties: Fines, loss of credit card processing and level 1 merchant requirements

• 5.1.1 - Monitor zero day attacks not covered by antivirus

• 6.5 - Identify newly discovered security vulnerabilities

• 11.2 - Perform network vulnerability scans quarterly by ASV

• 11.4 - Maintain IDS/IPS to monitor and alert personnel; keep engines up to date

• 10.2 - Automated audit trails

• 10.3 - Capture audit trails

• 10.5 - Secure Logs

• 10.6 - Review logs at least daily

• 10.7 - Maintain logs online for three months

• 10.7 - Retain audit trail for at least one year

• 6.6 - Install a web application firewall
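Requirements 10.5 and 10.7 above ask for logs that cannot be quietly altered and that survive long enough for a later audit. The following is an added example, not code from the presentation or from ETS, showing one common way to make an audit trail tamper-evident: each entry carries an HMAC over the previous entry's HMAC plus its own content, so editing, reordering or deleting a middle entry breaks every link after it. The key name, the sample events and the timestamps are constructed for the demo.

```python
"""Tamper-evident audit trail using an HMAC hash chain (added example)."""
import hashlib
import hmac
import json

# Constructed demo key. In production the key belongs with the log reviewer
# (or an HSM), not on the host that writes the log, so a compromised host
# cannot simply re-sign a rewritten history.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # hash value the first entry chains to


def _entry_hash(prev_hash, seq, record):
    """HMAC-SHA256 over previous hash, sequence number and canonical JSON."""
    payload = (prev_hash.encode() + str(seq).encode()
               + json.dumps(record, sort_keys=True).encode())
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(chain, record):
    """Append one audit record, linking it to the previous entry's HMAC."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev_hash, "record": record,
             "hash": _entry_hash(prev_hash, seq, record)}
    chain.append(entry)
    return entry


def verify_chain(chain, expected_tail=None):
    """Recompute every link. Returns (ok, first_bad_seq).

    expected_tail is the newest hash as noted out-of-band (for example by the
    daily log reviewer). Without it, silently dropping the newest entries is
    not detectable, because every remaining link still checks out.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return False, i
        expected = _entry_hash(prev_hash, i, entry["record"])
        if not hmac.compare_digest(entry["hash"], expected):
            return False, i
        prev_hash = entry["hash"]
    if expected_tail is not None and prev_hash != expected_tail:
        return False, len(chain)
    return True, None


def demo():
    """Constructed scenario: three events, then one edit and one truncation."""
    chain = []
    events = [  # constructed sample audit events
        {"ts": "2012-03-01T08:00:00Z", "user": "alice", "action": "login",
         "result": "success"},
        {"ts": "2012-03-01T08:05:12Z", "user": "alice", "action": "read",
         "object": "cardholder_db"},
        {"ts": "2012-03-01T08:07:40Z", "user": "bob", "action": "login",
         "result": "failure"},
    ]
    for event in events:
        append_entry(chain, event)
    tail = chain[-1]["hash"]           # what the reviewer records each day
    intact = verify_chain(chain, tail)

    # Someone rewrites the cardholder-data access record after the fact.
    edited = json.loads(json.dumps(chain))
    edited[1]["record"]["object"] = "public_docs"
    tampered = verify_chain(edited, tail)

    # Dropping the newest entry keeps every remaining link valid; only the
    # out-of-band tail hash catches it.
    truncated = chain[:-1]
    trunc_no_tail = verify_chain(truncated)
    trunc_with_tail = verify_chain(truncated, tail)
    return intact, tampered, trunc_no_tail, trunc_with_tail


if __name__ == "__main__":
    print(demo())
```

The design point is the `expected_tail` argument: a hash chain alone proves internal consistency, not completeness, so the daily review required by 10.6 should also record the current tail hash somewhere the log host cannot write.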

Page 8: Chamber Technology Committee Presentation

HIPAA

• HIPAA includes security standards for certain health information. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, lists HIPAA-related log management needs. For example, Section 4.1 of NIST SP 800-66 describes the need to perform regular reviews of audit logs and access reports. Also, Section 4.22 specifies that documentation of actions and activities needs to be retained for at least six years.

Page 9: Chamber Technology Committee Presentation

• 164.308 (a)(1)(ii)(A): Risk Analysis—Conducts vulnerability assessment

• 164.308 (a)(1)(ii)(B): Risk Management—Implements security measures to reduce risk of security breaches

• 164.308 (a)(5)(ii)(B): Protection from Malicious Software—Procedures to guard against malicious software (host/network IPS)

• 164.308(a)(6)(iii): Response & Reporting—Mitigates and documents security incidents

• 164.308 (a)(1)(ii)(D): Information System Activity Review—Procedures to review system activity

• 164.308 (a)(6)(i): Log-in Monitoring—Procedures for monitoring log-in attempts (host IDS)

• 164.312 (b): Audit Controls—Procedures and mechanisms for monitoring system activity

• 164.308 (a)(1): Security management process—Implement policies and procedures to prevent, detect, contain and correct security violations

• 164.308 (a)(6): Incident Procedures (R)— Implement policies and procedures to address security incidents

Page 10: Chamber Technology Committee Presentation

Sarbanes-Oxley

• Although SOX applies primarily to financial and accounting practices, it also encompasses the information technology (IT) functions that support these practices. SOX can be supported by reviewing logs regularly to look for signs of security violations, including exploitation, as well as retaining logs and records of log reviews for future review by auditors.

Page 11: Chamber Technology Committee Presentation

• DS5.3 Identity Management

• DS5.4 User Account Management

• DS5.5 Security Testing, Surveillance and Monitoring

• DS5.6 Security Incident Definition

• DS5.7 Protection of Security Technology

• DS5.9 Malicious Software Prevention, Detection and Correction

• DS5.10 Network Security

• DS5.11 Exchange of Sensitive Data

• ME1 Monitor and Evaluate IT Performance

• ME1.4 Performance Assessment

• ME1.5 Board and Executive Reporting

• ME1.6 Remedial Actions

Page 12: Chamber Technology Committee Presentation

• Since July 2010 ETS has been approved to work with Police Departments, Fire Departments, EMT and 911 Data Centers through the Texas Department of Public Safety and the Federal Bureau of Investigation. All of our managers, technicians and engineers are required to be approved by TLETS/CJIS before we allow them to work on any of our clients.

Page 13: Chamber Technology Committee Presentation

What is CJIS/TLETS

• TLETS provides intrastate interconnectivity for criminal justice agencies to a variety of local, state, and federal database systems. Additionally, TLETS’ link with Nlets, the International Justice and Public Safety Network, facilitates exchange between criminal justice agencies across the state of Texas and their counterparts in other states. The link with Nlets allows DPS to provide critical information to the national criminal justice community and allows TLETS operators to obtain information from a variety of database services from other states, Canada, Interpol, and private companies.

Page 14: Chamber Technology Committee Presentation

The CJIS Addendum requirements are outlined in a 46-page addendum published by the FBI and, collaboratively, through the Texas Department of Public Safety TLETS agency. The Addendum outlines every aspect of IT security:

• User security and access

• Logging

• Hardware management

• Software management

• Mobility

• BYOD

• Mobile data terminals

• Firewall and Workstation Security and updates… And Many more.

Page 15: Chamber Technology Committee Presentation

Comparing Compliances

[Bar chart: Compliance Point Comparison. Compliance points per standard: PCI-DSS 11, HIPAA 9, Sarbanes-Oxley 11, TLETS/CJIS 128.]

Page 16: Chamber Technology Committee Presentation

How to get compliant.

• Attaining and maintaining any of the compliances we have talked about today can be a daunting, scary proposition.

• Especially with the constant threat of the government handing out charges, fines and in some cases the threat of the loss of your business.

• Here are a few suggestions to help you get started.

Page 17: Chamber Technology Committee Presentation

How to get Compliant

Work with an Industry Consultant. The task of getting and staying compliant can be a long, difficult and expensive road. Consultants are going to be able to tell you what you need, when you need it and what you can safely disregard. Good consultant services are going to stand by you if and when you have an audit, to assist you in getting through the audit and take care of any failure points the audit may draw out.

Page 18: Chamber Technology Committee Presentation

How to get Compliant

• Partner with a good, well respected Authorized Scanning Vendor.

• ETS partners with AlertLogic because they are located in Texas, they have one of the best reputations in the industry and they have a broad, transparent base of services that cover all the major compliances that are out today.

Page 19: Chamber Technology Committee Presentation

How to get Compliant

• Install a really good firewall. This will not be cheap. If you would buy it to put it in your house, you need to leave it there.

• A good firewall will provide Gateway AV, Spam-handling, Intrusion Prevention, Zero Day Protection, Multi-Layer Packet Scanning, and compliance with one of the major national compliance standards. Watchguard is our preferred firewall and it is FIPS 140-2 compliant as well as CIPA compliant.

Page 20: Chamber Technology Committee Presentation

How to get Compliant

• Get good, solid backup, including offsite backup. The more secure the better. The encryption on the backup should be no less than 128-bit AES.

• Make sure that you can access your backups in real time.

• Make sure the backup company practices their recoveries.

• Make sure the transmission from your site to the backup site is encrypted with at least 128-bit AES.

• Discuss a Disaster and Recovery plan with your backup provider and get it in writing to ensure that everyone is on the same sheet of paper when the inevitable happens.

Page 21: Chamber Technology Committee Presentation

How to get Compliant

• GET GOOD ANTI-VIRUS… If it has the word FREE anywhere in it you are most likely violating the EULA by using it in a business environment.

• Free Anti-virus has its place. Not in a secure, audited business network.

• Make sure you set your patches and updates to run when new software comes out so you always have the latest security updates. If you have a good IT company or person they should be making sure that is done for you. Ask for proof it is being done.

• Anti-Virus is like a FLU shot. It is your best defense against having a sick computer.

Page 22: Chamber Technology Committee Presentation

To Wrap Up…

• ETS is a premier East Texas based IT Solutions Company that specializes in Managed Services, Cloud Services and Advanced Professional Services.

• At ETS we do not sell products… We partner with our clients to provide the best solutions, from hardware to the software to the financial services and everywhere in between. Because a solution is not a solution unless it’s a total fit.

• ETS has a very robust security and compliance offering with various best of breed partners to further strengthen our efforts to keep your business secure and compliant.

Page 23: Chamber Technology Committee Presentation

Any Questions?

Exceptional Technology Solutions, LLC

419 Rice Road

Tyler, Texas 75703

903 509 0008 Local

877 281 0008 Toll Free

http://www.etstexas.com