America One

Agile Development Morphs Q/A

admin — Wed, 23 Jun 2010 02:28:17 +0000

The recession has changed a lot of things about IT, particularly in the demand for Quality Assurance (QA) professionals who have an encyclopedic-like range of skills.

That change is largely due to the increasing adoption of agile software development, which appears to have gained ground during the recession as companies looked to speed up software development, according to a survey by Capgemini US LLC and Hewlett-Packard Co. of 30,000 IT and QA managers and engineers worldwide.

Agile software development methods promise a faster development time, in part, because they rely less on documentation and more on collaboration and multiple incremental iterations.

The adoption of agile development is also changing the skill sets needed by QA professionals. “The notion of a tester as just a tester is gone,” said Charlie Li, vice president of Capgemini’s global testing service. He called the skills change a big shift.

“You need to morph your organizations to have more skill sets,” said Li at an HP software conference here.

Companies are looking for QA professionals with a range of skills and an ability to look at software quality from multiple angles and disciplines, said Li. The survey found that in North America and Europe about 60% of those organizations are using agile development methods. A survey by Forrester Research earlier this year of 1,300 IT professionals found an adoption rate as high as 46%. It deemed agile software development as mainstream.

In the Capgemini survey, Agile development methods were credited with cost savings by 14% of the respondents, while 26% said agile development had improved software quality. But 37% of the users cited time-to-market as the leading improvement from the development method.

Joel Singh, director of quality assurance at Comcast Corp. in Philadelphia, said he’s in “100% agreement” with the report’s conclusions that the role for QA professionals has changed. The skills now needed include an understanding of data quality; networking protocols; databases; and some development knowledge.

In the survey, some 72% said that their testers had several years of business domain experience.

Another interesting finding dealt with cloud adoption. Fully half of respondents said the top reason their companies are deploying into the cloud is for cost reduction; 33% cited increased agility.

SOURCE: COMPUTERWORLD

Social Nets Create Compliance Challenges

admin — Wed, 23 Jun 2010 02:24:54 +0000

Popular social networking sites, such as Facebook, Twitter and LinkedIn, are causing a stir in the financial services community as well as other highly regulated industries as companies seek ways to control how the sites are used to communicate with potential clients and colleagues.

Social networking sites have proved valuable for sales-lead generation, marketing and general broker-client relations, but regulators have been quick to take notice and to offer the same warnings they did more than a decade ago when e-mail and instant messaging (IM) became common.

However, controlling communications on social networking Web sites is far more complex for corporations because they’re attempting to control communications on Web sites that are outside their IT systems and that are almost continuously changing or adding to the number of applications that can be used to network.

“It is a big issue. In fact, I think it’s a bigger issue [than e-mail and IM],” said Ted Ritter, an analyst with Nemertes Research. “For IM and e-mail, you pretty much use standard ports and protocols. You just have to be in the right spot in the network to capture it and monitor it.”

Social networks are more akin to webmail, where there are many different ways to access the sites, which makes it more complicated from a technology standpoint, Ritter said.

“For instance, what do you do about people who have mobile updates to Facebook?” he said. “From an audit standpoint, as auditors become more aware of the issues, they are going to look for controls.”

Ritter said businesses will not only have to monitor social networking communications, but they will have to capture the traffic, audit it and log it.

“The first step organizations needs to take is they need a reality check,” Ritter said. “They need to take ownership of what’s going on in social networking. Just blocking sites doesn’t work. Employees always find a way around it. And letting everything through is too risky.”

Ritter and other industry experts say social networking sites present a far greater oversight problem, even than webmail, because there are so many applications associated with them, including instant messaging tools and gaming applets, such as Farmville or Mafia Wars on Facebook. Simply blocking sites such as Twitter or Facebook with a URL filter isn’t difficult.

“The problem you have is all the tunneling applications that can get around those controls,” said Chris King, director of product marketing for PaloAlto Networks. “Google [the term] ‘circumventing URL filtering,’ and you’ll see what I mean. Some blog sites like Lifehacker.com, and even the Wall Street Journal, publish things like top 10 ways to get around your security controls.”

For example, King said, a company employee could simply install a proxy on a home computer, connect it to a cable modem, and when the employee is at work he can connect to that home IP address and circumvent the corporate filter.

“There’s everything from Proxy.org, to an application called UltraSurf, which is the darling of high school students, to something called Core, which is the darling of spies,” he said. “There’s a whole bunch of applications that make getting around traditional controls easy.”

Regulators Cast a Watchful Eye

Over the past 10 years, the U.S. Securities and Exchange Commission (SEC) and other regulatory bodies have focused more attention on strict enforcement of communications rules. For example, the SEC’s Rule 17a-4 requires the monitoring and capture of electronic communications, and the National Association of Securities Dealers (NASD) Rule 2210 and 3010, also requires firms to monitor and store communications with clients. Neither agency has as yet felt compelled to specify requirements around social networking traffic, but it is implicit that they fall under the same rules as e-mail and IM, Ritter said.

In 2006, the Federal Rules of Civil Procedure (FRCP) established that companies must establish protocols for capturing electronically stored information prior to civil court cases. Electronic discovery of e-mails for civil court cases can run into the millions of dollars, and violations of federal regulatory statutes could lead to penalties that aren’t cheap either. In 2002, the SEC fined five firms a total of $8.25 million for violating 17a-4 and NASD Rule 3110 by not properly monitoring and capturing e-mail traffic.

Most recently, the Financial Industry Regulatory Authority (FINRA), the enforcement arm of the SEC, issued Regulatory Notice 10-06, a document presented in a Q&A format, that provides guidance on the responsibilities of firms to supervise the use of social networking sites. The guidance was issued to ensure that recommendations to clients on social networks are suitable and that their customers are not misled.

Other regulations focused on corporate transparency and consumer privacy will likely also affect controls around social networking communication. Those regulations include the Sarbanes-Oxley Act, HIPAA (the Health Insurance Portability and Accountability Act) and the Gramm-Leach-Bliley Act of 1999.

SOURCE: COMPUTERWORLD

PCI Council Launches Certification Program

admin — Mon, 21 Jun 2010 02:01:35 +0000

The organization responsible for administering the Payment Card Industry Data Security Standard (PCI DSS) has launched a new program to help enterprises conduct self-assessments of their compliance with the standard.

The PCI Security Standards Council LLC, which was set up by Visa, MasterCard, American Express and other credit card companies, today announced a new Internal Security Assessors (ISA) program for merchants and processors covered by the standard.

The security council will train and certify IT security staff to conduct PCI compliance assessments on behalf of their companies. The monthly, three-day long programs will be held throughout the world and are designed to enhance the quality of PCI self-assessments being conducted by merchants and processors, said Bob Russo, general manager of the PCI Security Council.

The PCI standard was created by the major credit card companies and covers all organizations that accept credit and debit-card transactions. The standard specifies several high-level security controls that all companies handling payment card data are required to implement.

Companies, especially large and medium-sized ones, are required to submit periodic updates of their compliance with the requirements

Each credit card company has its own compliance validation requirements, Visa, for instance requires all merchants that process more than 6 million credit and debit card transactions annually to submit to on-site assessments by qualified third-party assessors. Smaller merchants are allowed the option of conducting annual self-assessments for compliance validation.

MasterCard has similar requirements but also says that self-assessments may only be carried by IT staff members who are certified by the PCI Security Standards Council to do PCI compliance audits.

The training program addresses an important need, said Avivah Litan, an analyst with Gartner Inc.

“This is one of the more positive announcements that the security council has made in quite a while,” Litan said, “There is a lot of interest in this kind of training among retailers because they want to be up to speed on how to comply with PCI.”

MasterCard’s requirements that self-assessments only by conducted by qualified PCI auditors has also created an immediate need for the ISA certification program, Litan said.

The training program will allow companies, especially the larger ones, to leverage the talent of their own IT security teams to conduct PCI security assessments, Litan said.

“There are a lot of companies with very talented and skilled security staff. A lot of them are more skilled at assessing compliance than third-party assessors,” she said. The training will also help companies to understand compliance validation requirements much better, she said

Certifications awarded to an individual under the ISA program are company-specific and valid only for a year. Russo said. If an individual who gets trained and certified under the program later leaves the company that sponsored him, the certification is no longer valid, he said.

“We are not looking to put out rogue security assessors here,” Russo said. “This is valid only if you are going to do this internally for the company you are working for. This isn’t to create a freelance workforce” of PCI security assessors Russo said.

SOURCE: COMPUTERWORLD

When the FDA Comes Knocking

admin — Mon, 21 Jun 2010 01:56:31 +0000

The first four months of this year saw the FDA ratcheting up its efforts to protect the American consumer through stricter oversight of the life sciences industry. In both the pharmaceutical and medical device markets, the agency is investing greater time and resources in its review and oversight of individual companies and the industry as a whole, as several high-profile product-related incidents have had significant implications for consumer safety.

The signs thus far point to the agency taking a more systemic rather than reactive approach to regulation to avoid these product safety issues. Although the FDA cannot oversee every organization and each product line, this coordinated approach to quality is a commendable effort that companies in the industry should embrace, as a greater focus on safety will ultimately benefit consumers and businesses alike.

One of the ways we can expect the FDA to tighten its oversight of the industry is to increase the frequency of audits at pharma and med device companies, to make certain that manufacturers’ operations are in compliance with all associated regulatory requirements. Although audits are nothing new to many in the industry, the anticipated up-tick in these audits as the agency finds new and more efficient ways to perform them will likely catch many companies off guard. This will include a spike in the number of on-site audits performed with little prior notice and may also extend to include remote audits in which companies will submit data electronically.

Either way, it’s more important than ever that pharma and med device companies prepare for these changes by proactively aligning their quality operations to ensure compliance across the enterprise. When preparing for an audit, the use of an enterprise-wide approach to quality and compliance management will help companies eliminate the potential for lost information by securely managing all information in a centralized, scalable, and reliable system. Ultimately, this will make it easier to comply when the FDA does perform an audit — either on-site or remotely — while companies that fail to do so run the risk of missing deadlines, accruing hefty fines, and, most severely, being ordered to halt production of new products.

THE ROLE OF THE AUDIT

The purpose of an audit is to monitor critical processes, identify gaps, and stimulate companies to improve quality. Most companies have multiple auditing groups that perform many types of audits, and these groups often have a variety of systems in place to manage audits, few of which are integrated as part of the broader enterprise quality, compliance, and risk system. As good as these siloed audit management tools are for making the audit process more efficient, failure to integrate with broader enterprise systems results in additional costs and missed opportunities to improve quality and to reduce risk.

Doing so, however, can improve efficiency while reducing change control closure time by automating workflows and implementing parallel review and approval processes. Integrating audit management as part of a broader quality and compliance management initiative can help pharma and med device companies streamline quality processes, consolidate redundant systems, and reduce manual operations — all in the interest of ensuring greater consumer safety.

Signs now point to the life sciences industry experiencing significantly greater scrutiny from the FDA in the coming months, but the increased frequency of audits can only have adverse effects if companies let it. Pharma and device companies can prepare for the impending uptick in audits by proactively leveraging an enterprise-wide approach to audit management, integrated with their quality and compliance management system for centralization and reconciliation of required audit data.

Using this approach will reap benefits far beyond simply ensuring compliance with unforeseen audits — it will also help to minimize risk, streamline quality processes, and reduce safety issues, enabling companies to maintain and protect brand integrity by ensuring the production of higher quality products.

SOURCE: LIFE SCIENCES LEADER

Active Directory Reporter

admin — Sun, 20 Jun 2010 17:17:48 +0000

Active Directory change auditing is an important procedure for tracking unauthorized changes and errors to AD and Group Policy configurations. One single change can put your organization at risk, introducing security breaches and compliance issues. Built-in Active Directory auditing lacks many important features and doesn’t have reporting capabilities. Careful analysis of multi-megabyte Security logs can take enormous resources and still never paint the whole picture.

GET A QUOTE. DOWNLOAD A FREE EVALUATION.

NetWrix Active Directory Change Reporter (ADCR) tracks and reports changes made to Active Directory, Group Policy, and Exchange and delivers detailed information on a daily basis. Report include the Who, What, When, and Where – for all changes, including “before” and “after” values for each and every setting. This audit report lists changes made to AD and Exchange configurations, Group Policy objects and setting modifications, AD schema and many more.

Generated data can be used to:

Monitor and audit day-to-day administrative activities
Prepare compliance reports for your SOX, GLBA and HIPAA auditors

The Active Directory Change Reporter tracks all changes in Active Directory, including both user and administrative activity, and e-mails daily audit reports to AD administrators detailing every Active Directory and Group Policy change. Collected audit data is archived and can be stored for years (*), so you can build summary of changes made to Active Directory and Group Policy during any period and drill down to detailed information as necessary. This AD audit archiving function allows organizations to analyze any policy violations, adhere to security best practices and maintain established internal policies.

ADCR is licensed by the number of enabled AD users.

GET A QUOTE. DOWNLOAD A FREE EVALUATION.

Password Manager

admin — Sun, 20 Jun 2010 17:17:15 +0000

Password Manager gives end users the ability to securely manage their passwords and resolve account lockout incidents in a self-service fashion without involvement of helpdesk personnel. This allows you to implement strong password policies in Active Directory environments, to meet regulatory compliance requirements and address identity management challenges.

GET A QUOTE. DOWNLOAD A FREE EVALUATION.

Password management is the most common IT support issue, accounting for most of the help desk workload in many organizations. Password complexity and expiration policy requirements lead to frequently forgotten passwords and account lockouts, increasing the overall administrative burden.

Password Manager (PRM) is a simple and cost-effective solution that allows users to reset forgotten passwords, troubleshoot account lockouts and unlock their accounts manually, through a convenient, web-based, self-service portal and integration with the standard Windows logon procedure.

The product uses the question-and-answer security system for user authentication. First, users enroll by creating their profiles. Once the profile is established, the user can manage the password and account manually by simply supplying the answers from profile.

All account operations are logged for regulatory compliance and easy access by IT personnel interested in monitoring password management activity

PRM is licensed by the number of managed users who will be enabled to perform self-service password resets.

GET A QUOTE. DOWNLOAD A FREE EVALUATION.

HIPAA Compliance

admin — Sun, 13 Jun 2010 19:57:05 +0000

The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress that aim to safeguard protected health information (PHI) by regulating healthcare providers. From an IT department’s standpoint, a typical HIPAA/HITECH implementation is based on the following core principles aimed to provide transparency and accountability (auditability) of regulated data and systems:

GET A QUOTE. DOWNLOAD A FREE EVALUATION.

HIPAA SECTION	NETWRIX SOLUTION
§ 164.308: Administrative Safeguards
R: 164.308(a)(1)(ii)(D) Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.	Extensive auditing and report ing on both administrative and user activity in Active Directory, Group Policy, Exchange, the file servers, virtual envi ronments (VMware, Microsoft), SQL Servers. Detection of who did what, when, and where with advanced rollback capabilities of unauthorized actions. Centralized consolidation and archival or audit trials with web-based reporting using predefined and custom-built reports covering all major types of activities: logins, logoffs, user account operations, file access on servers, workstations, both successful and failed.
A: 164.308(a)(3)(ii)(C) Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.	Auditing of disabled accounts, automated de-provisioning of inactive user accounts. Automated disabling and removal with full reporting.
R: 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions: If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.	Auditing of all types of changes and access to critical data and security-related settings in Active Directory, file servers, virtual machines, databases, to make sure that no members of larger organization change or access data of its child organization. Prevention of external media usage.
A: 164.308(a)(4)(ii)(C) Access establishment and modification: Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modi fy a user’s right of access to a workstation, transaction, program, or process.	Complete auditing and automated change documentation for all types of access rights, privileges, and policies that control access to workstations, programs, transactions, and other systems.
A: 164.308(a)(5)(ii)(C) Log-in Monitoring: Procedures for monitoring log-in attempts and reporting discrepancies.	Centralized consolidation and easy to use reporting of all successful and failed logon/logoff activities with extensive filtering capabilities.
A: 164.308(a)(5)(ii)(D) Password Management: Procedures for creating, changing, and safeguarding passwords.	Auditing of all password changes. Workflow-based control of privileged account use. Self-service password management for end users with customizable password security settings and secure access based on user identity veri fication. Prevention of excessive help desk calls related to secure password policies.
R: 164.308(a)(6)(ii) Response and Reporting: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.	Auditing of all administrative and user activities with configurable alerts and reporting that documents all security incidents and helps with early detection and prevention of further security incidents.
R: 164.308(a)(7)(ii)(B) Disaster recovery plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence.	Quick rollback of unauthorized and accidental changes to Active Directory objects, including restore of deleted objects. File versioning and restore capabilities based on Volume Shadow Copy services.
§ 164.312: Technical Safeguards
R: 164.312(a)(2)(i) Unique user identification: Assign a unique name and/or number for identi fying and tracking user identity.	In addition to standard AD user authentication, shared accounts used for administration and applications are audited and associated with individual user identities through password check out concept.
R: 164.312(b) Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.	Auditing, archiving, and reporting of access to the protected health information, auditing of privileged access, changes to security-related settings, and all other signi ficant security events, intrusions, and anomalies.
R: 164.312(d) Person or entity authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.	In addition to standard AD authentication, all users can be verified using question/answer (challenge/response) system to verify their identity when they forget their passwords (e.g. veri fy user’s badge ID and/or mother’s maiden name). This ensures that all password reset requests are authorized and cannot be initiated by malicious person acting on behal f of someone else.
§ 164.528 Accounting of disclosures of protected health information.
R: 164.528(a) Right to an accounting of disclosures of protected health information: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.	Holding records of all activities for 6 years and more to be able to fully reconstruct all activities and access attempts to protected health information upon request.

GET A QUOTE. DOWNLOAD A FREE EVALUATION.

SOX Compliance

admin — Sun, 13 Jun 2010 19:49:46 +0000

All public companies in the U.S. are subject to Sarbanes Oxley (SOX) compliance without exceptions. SOX compliance requirements also apply overseas operations of U.S. public companies and international companies listed on U.S. exchanges. Failure to comply with SOX can result in fines of up to 5 million dollars and up to 20 years of imprisonment of C-level executives accountable for SOX implementation. Other countries have similar laws, for example, Canada enacted a regulation known as Bill 198, Japan established aptly named J-SOX, and both are very similar to the “American” SOX in many parts.

GET A QUOTE. DOWNLOAD A FREE EVALUATION.

SOX requires public companies to adopt Internal Controls over Financial Reporting (ICFR), and these controls of course include IT controls that affect financial reporting operations. The Act includes two sections that affect IT departments: Section 302 (15 U.S.C. § 7241: “Corporate Responsibility for Financial Reports”) and 404 (15 U.S.C. § 7262: “Management Assessment of Internal Controls”) of SOX. SOX defines three major requirements: establishing of controls, ongoing evaluation of controls (monitoring and testing), and disclosure (“auditability”) of control effectiveness (including defects and weaknesses that can result in fraud). Manual implementation of these requirements can result in increased operational costs, while automation usually results in much lower compliance costs, increased efficiency, and other benefits.

The Sarbanes-Oxley Act does not provide any recommendations for implementation of SOX and this why several organizations created different standards of IT controls implementation. The most widely recognized IT-specific standards are COSO “Internal Control – Integrated Framework” endorsed by SEC and COBIT (Control Objectives for Information and Related Technology) created by ISACA (www.isaca.org).

NetWrix SOX Compliance Suite covers many requirements of both frameworks to sustain compliance and pass compliance audits. In general, this automated compliance solution helps to maintain established controls by tracking and reporting all changes in IT infrastructure for auditing purposes and implementing secure identity management practices to ensure system security.

GET A QUOTE. DOWNLOAD A FREE EVALUATION.

GLBA Compliance

admin — Sun, 13 Jun 2010 19:41:32 +0000

Gramm-Leach-Bliley Act (GLBA) of 1999 was enacted to improve financial industry though removal of regulations that prevented merger of different type of financial institutions (e.g. banks and insurance companies) with the goal to open up competition between companies and modernize financial services industry.

GET A QUOTE. REQUEST A FREE EVALUATION.

Information is one of a financial institution’s most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution.

GLBA REQUIREMENT	NETWRIX SOLUTION
ACCESS CONTROL: Access rights (Tier I: Objectives 4 and 7, Tier II: Section A)
Reviewing periodically user’s access rights at an appropriate frequency based on the risk to the application or system: A monitoring process to oversee and manage the access rights granted to each user on the system (p. 23).	Extensive auditing and report ing of changes to users accounts, security and distribution groups, policies, permissions, and other objects that control access to information in Active Directory, Group Policy, Exchange, file servers, virtual environments (VMware, Microsoft ), and SQL Servers. Detection of who did what, when, and where with advanced rollback capabilities of unauthorized actions.
Logging and auditing the use of privileged access (p. 24).	Cent ralized consolidation and archival or audit trials with web-based reporting using predefined and custom-built reports covering all major types of privileged access, both successful and failed: logins, logoffs, access to mailboxes, user account operations, file access.
Reviewing privileged access rights at appropriate intervals and regularly reviewing privilege access allocations (p. 24).	Complete auditing of all changes to access rights and privileges with archiving feature that allows to review all changes at any time for request time frame.
Prohibiting shared privileged access by multiple users (p. 24).	Privileged account management system to ensure that every access attempt under a shared account is assign to an individual account and properly audited.
ACCESS CONTROL: Authentication (Tier I: Objective 4, Tier II: Section A)
The user should select them without any ssistance from any other user, such as the help desk.	Web-based sel f-service password management system that operates without intervention of human personnel to prevent sharing of passwords during password resets, while enforcing full compliance with required password policies (such as password strength, prevention of reuse, etc).
Authentication systems should force changes to shared secrets on a schedule commensurate with risk.	Complimentary to the built-in password expiration mechanism in Active Directory, NetWrix solution minimizes administrative burden related to expired passwords for users who are never prompted to change their password by the system (e.g. remote users, VPN clients, non-Windows clients).
Prevention of attacks that target a specific account and submits passwords until the correct password is discovered.	Complimentary to the built-in account lockout mechanism in Active Directory, NetWrix solution helps to reduce the effects of false positives by proactive monitoring and resolution of account lockout incidents.
A policy that forbids the same or similar password on particular network devices.	Privileged account management system that automatically generates random passwords and assigns different passwords to different systems on a scheduled basis.
ACCESS CONTROL: Network Access (Tier I: Objective 4, Tier II: Section B)
Cross-domain network access monitoring to detect security incidents and unauthorized activity.	Not provided, a hardware or softwarebased firewall must be used to separate and audit clearly defined network segments called domains (e.g. DMZ and internal network). Network domains are not Active Directory domain per the Handbook (some vendors mistakenly confuse these concepts).
ACCESS CONTROL: Operating system access (Tier I: Objective 4, Tier II: Section C)
Restricting and monitoring privileged access.	Auditing of all types of access to critical data and security-related settings in Active Di rectory, file servers, virtual machines, databases, to make sure no change falls under the radar.
Logging and monitoring user or program access to sensitive resources and alerting on security events.	Cent ralized consolidation and easy to use reporting of security event with extensive filtering capabilities and user-friendly reports. Ability to subscribe to reports generated on schedule.
Update operating systems with security patches and using appropriate change control mechanisms.	Complimentary to a patch management system such as WSUS, NetWrix provides a tool to report on patch compliance for a defined set of patches and updates. This tool can be used to veri fy patch deployment status on multiple systems in bulk.
Log user or program access to sensitive system resources including files, programs, processes, or operating system parameters.	Audit trail archiving and consolidation to track access to files and programs. Monitoring of user activities related to changes to system parameters.
Filter logs for potential security events and provide adequate reporting and alerting capabilities.	Extensive event log collection system with filtering, reporting, and real -time alerting capabilities to ensure that critical security events never happen unnoticed.
Lock or remove external drives from system consoles or terminals residing outside physically secure locations.	Easy to configure policy-based blocking of external peripheral devices that requires no routine management tasks.
Monitor operating system access by user, terminal, date, and time of access.	Auditing of access to all types of systems with reporting of who did what and when.
ACCESS CONTROL: Application access (Tier I: Objective 4, Tier II: Section G)
Monitoring access rights to ensure they are the minimum required for the user’s current business needs.	Monitoring of security group membership, privileges, and access rights to ensure that no excessive rights are given and no rights are given proper without authorization.
Logging access and security events.	Auditing of all administrative and user activities with configurable alerts and reporting that documents all security incidents and helps with early detection and prevention of further security incidents.
Using software that enables rapid analysis of user activities.	Real -time alerting and schedule reporting of different types of user activities, such as logons, changes to files and permissions, changes to system configurations.
Maintaining consistent processes for promptly removing access to departing employees.	Routine detection of inactive user accounts and automatic deactivation based specified thresholds to ensure that no account remain active for terminated and reassigned employees.
ACCESS CONTROL: Remote access (Tier I: Objective 4)
Tightly controlling remote access rights through management approvals and subsequent audits. Regularly review remote access approvals and rescind those that no longer have a compelling business justification.	Auditing of dial-in and VPN access on user accounts. Predefined reports that show newly granted remote access rights to users. Ability to review all remote access permissions granted within speci fic timeframe.
Logging and monitoring all remote access communications. Log and monitor the date, time, user, user location, duration, and purpose for all remote access.	Auditing of logins, remote desktop connections, and other types of remote access with full information on who logged in and when, source IP address, etc.
SECURITY MONITORING (Tier I, Objective 6, Tier II: Section M)
Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events.	Web-based reporting system with predefined reports and ability to create custom reports for specific analysis needs.
Monitoring network and host activity to identi fy policy violations and anomalous behavior.	Complete auditing of user and administrative activities, including logons, access to data and configuration.
Monitoring host and network condition to identi fy unauthorized configuration and other conditions which increase the risk of intrusion or other security events.	Complete auditing of changes in server configurations, Active Di rectory, Group Policy to detect unauthorized or accidental changes that might open security holes and other possibilities for attacks.

GET A QUOTE. REQUEST A FREE EVALUATION.

PCI Compliance

admin — Sun, 13 Jun 2010 19:30:36 +0000

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment: Essentially any merchant that has a Merchant ID (MID).

PCI applies to all organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

GET A QUOTE. REQUEST A FREE EVALUATION.

PCI REQUIREMENT	NETWRIX SOLUTION
7. Restrict access to cardholder data by business need-to-know
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.	Auditing functionality to monitor all security-related changes in Active Directory, Group Policy, Exchange, file servers, SQL Servers, virtualization environments. Audited use of high-privileged system accounts.
7.2 Establish a mechanism for systems with multiple users that restricts access based on a user´s need to know and is set to “deny all” unless specifically allowed.	Monitoring of file and folders and their permissions, Active Directory and Group Policy objects, SQL Server security for early detection of unauthorized changes to security access settings (e.g. granting of new permissions).
8. Assign a unique ID to each person with computer access
8.1 Assign all users with a unique user name before allowing them to access system components or cardholder data.	Complete auditing of user logons to analyze violations and prevent usage of the same ID by multiple persons (e.g. from different computers).
8.5.1 Control addition, deletion, and modification of user IDs, credentials and other identifier objects.	Full auditing of user account creations, deletions, password resets, and modifications to all user account attributes: in Active Directory and SQL Server.
8.5.2 Verify user identity before performing password resets.	Web-based challenge-response system based on verification question/answer pairs selected by users upon enrollment, with full control over the number of required verification answers. The same data can be used by help desk personnel to assist with password resets on the phone.
8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.	Auditing of all newly created user accounts and their initial attributes (including “must change at next logon”) to prevent violations.
8.5.4 Immediately revoke access for any terminated users.	Auditing of disabled accounts, automated de-provisioning of inactive user accounts.
8.5.5 Remove or disable inactive user accounts at least every 90 days.	Automated disabling and removal with full reporting.
8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed.	Auditing of account creation, enabling, disabling, and deletion, with time stamps to analyze their lifetime.
8.5.7 Communicate password procedures and policies to all users who have access to cardholder data.	Automatic customizable reminders for expiring passwords, redirection to password requirements document if user enters “weak” password during reset.
8.5.8 Do not use group, shared, or generic accounts and passwords.	Full auditing of account use (find all actions done under a shared account and help eliminate its usage) and delegated access with account checkout/check-in concept.
8.5.9 Change user passwords at least every 90 days.	Audits changes to password policy settings in Active Directory, automatically reminds users about impending password expirations, provides easy way to change passwords to minimize the number of help desk calls.
8.5.10 – 8.5.12 Password complexity requirements (Require a minimum password length of at least seven characters, Use passwords containing both numeric and alphabetic characters, Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used).	Audits changes to password policies in Active Directory, implements selfservice password reset functionality to help users with forgotten passwords without involvement of help desk personnel.
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.	Complements the built-in AD mechanism with extensive account lockout troubleshooting capabilities to resolve false positives and prevent user frustration and system downtime. Auditing of account unlock and password reset operations to monitor unauthorized access.
8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID.	Auditing of account lockout policy changes to prevent non-compliant policy changes.
8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.	Auditing of changes to database logins and roles, SQL server security settings.
10. Track and monitor all access to network resources and cardholder data
10.1 Establish a process for linking all access to system components (especially those done with administrative privileges such as root) to each individual user.	Full features auditing and reporting of all administrative activity within Active Directory, Group Policy, file servers, virtualization environments, SQL Server, etc. Detection of who changed what, when, and where.
10.2 Implement automated audit trails to reconstruct the required events.	Complete audit trail processing capabilities for servers and workstations, both user-initiated and administrative activity.
10.3 Record at least the following audit trail entries for all system components for each event: User identification, Type of event, Date and time, Success or failure indication, Origination of event, Identity or name of affected data, system component, or resource.	Full information of every change: who changed what, when, where, in Active Directory, File Server, virtual machines, SQL Servers.
10.5 Secure audit trails so they cannot be altered.	Securable file-based storage with optional SQL Server storage. Fullfeatured role based access to all reports. Centralized collection, archiving, and consolidation of event logs to secure file-based storage.
10.6 Review logs for all system components at least daily.	Full-featured web-based reporting functionality with predefined reports and ability to create custom reports on any type of collected data. Out-ofthe box reports scheduled daily and sent via e-mail for review.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.	Unlimited storage capabilities with efficient storage use to store up to 8 years of past audit trails and history of changes to system components and security settings. Full-featured web-based reporting for immediate access to all required data.

GET A QUOTE. REQUEST A FREE EVALUATION.