Policy, Standards, Regulations & Compliance
Re: Compliance Product Recommendation Jul 27 2007 05:46PM
doug simpson bz (1 replies)
Good question and I should add that there is no "silver bullet" for compliance.
PCI is a good example for what Mark is asking ...

Here are the 12 major parts to PCI (of course there are greater details under each one)

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Just by looking at this list we can knock off #s 9, 11 and 12. I do not know of a software solution that can check "physical access" or "review your policies". So I would like to say that automated solutions may be able to take care of 75% of your PCI issues but when you dive into each of these products you will discover that number will drop to 70% maybe 65%.
This is if you are concerned about all these points. Oh, and let's not forget about pen testing from an outside independent source.

I separate out PCI from your other compliancies because they have provided you with a detailed list (I will not comment good/bad). Whereas compliancies like HIPAA and SOX and GLBA are more general and can be interpreted differently by each company and auditor. Just remember "state what you do (per a compliancy) and prove it." The "prove it" part is where the automation comes in, but you need to create the policy.
I think the policy or "stating what you do" is the hardest part for a company. These software solutions may help you but you still need to make the decisions. I am dealing with a Hospital where the higher ups have not approved what I consider very basic policies.

So I will end my ramblings by saying have your policies in place then go after software like those below.


-----Original Message-----
From: Mark Curphey [mailto:mark (at) curphey (dot) com]
Sent: Friday, July 27, 2007 11:45 AM
To: doug (at) simpson (dot) bz, aversetoriskman (at) hushmail (dot) com, psrc (at) securityfocus (dot) com
Subject: RE: Compliance Product Recommendation


Which parts of a standard or regulation (or maybe rephrased, what percentage) do you think automated tools analyze? Maybe PCI as an example?

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of doug (at) simpson (dot) bz
Sent: Friday, July 27, 2007 4:48 PM
To: aversetoriskman (at) hushmail (dot) com; psrc (at) securityfocus (dot) com
Subject: Re: Compliance Product Recommendation

I can give you a few but I must couch it with the following. I am a Sales Engineer. I work for Altiris/Symantec and I worked for Ecora.

Security Expressions (from Altiris) - looks at your systems (OS agnostic) from a policy standpoint. You can choose a PCI policy or a CIS policy or a HIPAA policy and then run these policies against your systems to find out if they are out of whack per that policy. It can remediate.

Auditor from Ecora Software - many different modules. It comes at things a bit different than SE. It will collect almost every config and then you decide what report/policy to run against the info collected. There are PCI, SOX, etc. reports.

TripWire has come out with a solution but I do not know it well enough to tell you about it.

ConfigureSoft which is more along the lines of configuration management has reports per compliancies.

Qualys - I just found out that they are coming out with policies per compliance. Qualys usually is lumped in with scanners like Nessus. The cool thing about Qualys is that you can do it over the internet. You do not have to purchase their appliance.

This is a small list but it gives you a good place to start your research. I hope it helps.


-----Original Message-----
From: aversetoriskman (at) hushmail (dot) com [mailto:aversetoriskman (at) hushmail (dot) com]
Sent: Friday, July 27, 2007 08:46 AM
To: psrc (at) securityfocus (dot) com
Subject: Compliance Product Recommendation

I work for a large financial services company in the mid-west and am new to compliance and risk management. I have been tasked with identifying a range of products I should budget for next year to solve the security compliance needs in my company. I think these include PCI, HIPAA and GLBA as well as SOX.

Can anyone recommend any products and/or approaches to evaluating tools? It seems there are lots on the market, many of which seem to magically help me assess compliance, so I am a little sceptical.

Thanks in advance.

RE: Compliance Product Recommendation Jul 28 2007 02:10PM
Mark Curphey (mark curphey com) (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 02:31PM
ljknews (ljknews mac com) (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 02:42PM
Mark Curphey (mark curphey com) (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 05:04PM
ljknews (ljknews mac com)


Copyright 2010, SecurityFocus