Thanks for your answer. I am not trying to start a flame war here or be controversial, but I think the number is likely to be a lot less. A lot less. Closer to 25% IMHO. That number of course is a gut feeling, much as yours is, which is why I would love to see a good vendor-neutral study looking at the various standards and the options available or techniques to analyze them.

This would be a great ISM project BTW ;-) How can you check for the various parts of a standard, and what can be automated?

Take #1 (firewalls) as an example. Best practice (over-hyped term) would suggest someone reviews the logs and approves rule changes for a limited period of time. The solutions I have seen don't touch on this.

Take #4 as an example. It essentially requires a code review or network monitoring on every channel to be done effectively.

I guess it very much depends on the levels of assurance required by the governing bodies.

The point is much as I blogged about yesterday.


Information security is a complex beast that requires whole solutions. From what I can see, the current compliance tools are very focused on the technology piece of the equation, and then very much on the OS and network level. That in itself of course is not bad, a step in the right direction, etc. Again, I think a good vendor-neutral study looking at the issue in detail would be very powerful for everyone.

Side note: This is similar to a trend we had back in the day about application security tools. Vendors claimed they could automatically find most issues. Good technicians knew it was bull-secretion. Folks built some test benches, and sure enough it's now fairly widely accepted that automated scanning tools can only find a portion of issues. The difference here is IMHO more stark, in that the management standards require process and human activity. This is hard to audit effectively, unlike say an OS or an application. Don't get me wrong, I think automated tools are a great piece of the puzzle, but a piece, and a smaller piece than some marketing may claim.


Good question, and I should add that there is no "silver bullet" for compliance.
PCI is a good example for what Mark is asking ...

Here are the 12 major parts to PCI (of course there are greater details under each one):

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Just by looking at this list we can knock off #s 9, 11 and 12. I do not know of a software solution that can check "physical access" or "review your policies". So I would like to say that automated solutions may be able to take care of 75% of your PCI issues, but when you dive into each of these products you will discover that number will drop to 70%, maybe 65%.
This is if you are concerned about all these points. Oh, and let's not forget about pen testing from an outside independent source.

I separate out PCI from your other compliance regulations because they have provided you with a detailed list (I will not comment good/bad). Whereas regulations like HIPAA, SOX and GLBA are more general and can be interpreted differently by each company and auditor. Just remember: "state what you do (per a regulation) and prove it". The "prove it" part is where the automation comes in, but you need to create the policy.
I think the policy, or "stating what you do", is the hardest part for a company. These software solutions may help you, but you still need to make the decisions. I am dealing with a hospital where the higher-ups have not approved what I consider very basic policies.

So I will end my ramblings by saying: have your policies in place, then go after software like those below.


Which parts of a standard or regulation (or, rephrased, what percentage) do you think automated tools analyze? Maybe PCI as an example?

I can give you a few, but I must couch it with the following: I am a Sales Engineer. I work for Altiris/Symantec, and I worked for Ecora.

Security Expressions (from Altiris) - looks at your systems (OS agnostic) from a policy standpoint. You can choose a PCI policy, or a CIS policy, or a HIPAA policy, and then run these policies against your systems to find out if they are out of whack per that policy. It can remediate.

Auditor from Ecora Software - many different modules. It comes at things a bit differently than SE. It will collect almost every config, and then you decide what report/policy to run against the info collected. There are PCI, SOX, etc. reports.

TripWire has come out with a solution, but I do not know it well enough to tell you about it.

ConfigureSoft, which is more along the lines of configuration management, has reports per compliance regulation.

Qualys - I just found out that they are coming out with policies per compliance regulation. Qualys is usually lumped in with scanners like Nessus. The cool thing about Qualys is that you can do it over the internet. You do not have to purchase their appliance.

This is a small list, but it gives you a good place to start your research. I hope it helps.


I work for a large financial services company in the mid-west and am new to compliance and risk management. I have been tasked with identifying a range of products I should budget for next year to solve the security compliance needs in my company. I think these include PCI, HIPAA and GLBA as well as SOX.

Can anyone recommend any products and/or approaches to evaluating tools? It seems there are lots on the market, many of which seem to magically help me assess compliance, so I am a little sceptical.

Thanks in advance.

