Regulatory & Industry Compliance

Many organizations continue to struggle with regulatory compliance requirements such as PCI DSS, SOX, HIPAA and others. Industry regulations, federal regulations and privacy acts require implementation of audit and security controls to protect regulated data. The implementation of these controls presents a complex IT challenge and is a costly barrier to achieving compliance. The primary controls are:

• Sensitive data access auditing
• Privileged user monitoring
• Development and maintenance of secure Web applications

An efficient implementation of these controls requires taking into consideration the network topology, application requirements and the specific aspects of data platforms like databases and file systems.

Key Drivers

Sensitive Data Access Auditing

Regulations requiring auditing of user access to sensitive data demand that an audit trail detailing data access events be available to support data breach investigations. Different regulations require auditing different events, for example:

• PCI DSS which is focused on protecting card-holder information from theft or leakage requires auditing of all 'read' access to card-holder information, but does not require auditing data change events
• SOX which is concerned with the integrity of the public companies financial data requires auditing of all changes to regulated data, but does not require auditing of data 'read' events

Efficient audit solutions provide granular audit policies, automate the audit process, centrally manage audits across heterogeneous data systems, and scale to meet deployment requirements.

Privileged User Monitoring

Privileged user monitoring poses a specific audit and security challenge as these users require unrestricted access to perform their job. Most often, privileged activity is performed directly on data systems, thus it is not visible outside of the system itself. One of the biggest concerns around privileged user monitoring is separation of duties: privileged users should not have rights over the monitoring solution as they may use these rights to conceal irregular activities.

Development and Maintenance of Secure Web Applications

PCI DSS requirement 6 focuses on the establishment of controls that minimize the exposure to security vulnerabilities in systems and software. It specifies requirements for software patching, vulnerability identification, secure software development, change controls, and attack protection. While some of the requirements are relatively straightforward and easy to implement, the Web application, database and file security requirements present significant technical and business challenges.

Related Products:

Database Security
Product Name:	Capabilities:
SecureSphere Database Activity Monitoring or SecureSphere Database Firewall	Compliance with database audit and security requirements mandated by: PCI DSS SOX HIPAA Other regulations Audit all access to sensitive data Monitor all privileged users and privileged activities Maintain secure databases through vulnerability management, virtual patching and blocking database attacks
SecureSphere Discovery and Assessment Server	Discover newly created databases and database objects in scope for audit and security projects Maintain secure databases through vulnerability and patch management
User Rights Management for Databases	Address PCI 7 and 8.5 which require management of user access rights based on business need to know

File Security
Product Name:	Capabilities:
SecureSphere File Activity Monitoring or SecureSphere File Firewall	Compliance with database audit and security requirements mandated by: PCI DSS SOX HIPAA Other regulations Audit all access to sensitive data Maintain secure files by blocking unauthorized access
User Rights Management for Files	Address PCI 7 and 8.5 which require management of user access rights based on business need to know

Web Security
Product Name:	Capabilities:
SecureSphere Web Application Firewall	Maintenance of Secure Applications (PCI requirement 6)