
VCE Vblock™ Systems Security & Compliance

Presentation by Chris Davis, Senior Consultant - Security and Compliance, VCE Product Management. Agenda: a sampling of regulations and standards, a quick recap of controls, and VCE Vblock Systems security and compliance.


Presentation Transcript


  1. VCE Vblock™ Systems Security & Compliance. Chris Davis, Senior Consultant - Security and Compliance, VCE Product Management

  2. SOPs | Controls

  3. Agenda • Regulations and Standards • Controls Quick Recap • VCE Vblock Systems Security & Compliance

  4. Sampling of Regulations and Standards

  5. Protecting Data. Source: IT Auditing: Using Controls to Protect Information Assets (McGraw-Hill Professional, 2011)

  6. Hundreds of Authority Sources
  • Sarbanes-Oxley (PCAOB, SAS 94, AICPA, Sec 17, COSO ERM, A-123)
  • Banking and Finance (Basel II, Gramm-Leach-Bliley (GLBA), FFIEC)
  • NASD / NYSE (Sec 17)
  • Healthcare and Life Science (HIPAA, NIST, CMS, FDA)
  • Energy (FERC, NERC)
  • Credit Card (PCI DSS, Visa CISP, Amex, MasterCard, BBB)
  • Federal Security (E-SIGN, UETA, FISMA, FISCAM, FIPS, Clinger-Cohen Act, GAO, DOD, CISWIG, OMB, NCUA, C-TPAT, more)
  • IRS (Rev. Proc. 97-22, 98-25, 501(c)(3))
  • Records Management (ISO, DIRKS, Sedona, more)
  • NIST (SP 800-14, -18, -26, -30, -33, -34, -40, -41, -53, -60, -61, -64)
  • General (COBIT 3 & 4, NFPA, ISF, ISSA, CERT, IIA, more)
  • US Federal Privacy (Cable, Telemarketing, SPAM, COPPA, Drivers, Family, Video Privacy, Specter-Leahy, more)
  • US State Laws (all states)
  • System Configuration (CIS benchmarks for Solaris, HP-UX, Red Hat, SuSE, AIX, Novell, Apple OS X, Vista; NIST; DISA; more)

  7. PCI-DSS • The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). These payment brands require through their Operating Regulations that any merchant or service provider that processes, stores or transmits cardholder data must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS) version 2. Failure to meet PCI requirements can lead to fines, penalties, or the inability to process credit cards, in addition to potential loss of reputation. • VCE Whitepaper: vblock-guide-pci-addendum.pdf (PDF) • PCI-DSS Online: https://www.pcisecuritystandards.org

  8. HIPAA • The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936) addresses policies, procedures, and guidelines for protecting the confidentiality, integrity, and availability of protected health information (PHI). The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. • VCE Whitepaper: Coming Soon! 1Q2014 • HIPAA Online: http://www.hhs.gov/ocr/privacy/index.html

  9. CJIS Security Policy (FBI) • Law enforcement requires secure, rapid access to data in a variety of situations to stop and reduce crime. The Criminal Justice Information Services (CJIS) Security Policy contains information security requirements, guidelines, and agreements for protecting the sources, transmission, storage, and generation of criminal justice information (CJI). The CJIS Security Policy applies to every information system with capabilities for creating, viewing, modifying, transmitting, disseminating, storing, and destroying CJI. It is intended to apply a uniform set of controls across systems to protect CJI at rest or in transit. • VCE Whitepaper: VCE_CJIS_Policy_Requirements (PDF) • CJIS Online: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view

  10. FISMA/FedRAMP • FISMA is a law enacted in 2002 that requires all federal agencies, departments, and their contractors to meet specified guidelines in safeguarding their information systems and assets. The National Institute of Standards and Technology (NIST) develops the standards and guidelines that implement FISMA through its Special Publications (SP). NIST guidance is used as a reference by many organizations that adopt the FISMA framework, whether they are required to or do so voluntarily. FedRAMP was established by an OMB memorandum in December 2011 and requires federal organizations that use cloud services to apply the FedRAMP program's baseline of cloud security controls. • VCE Whitepaper: vblock-systems-guide-FISMA-FedRAMP.pdf (PDF) • FISMA Online: http://csrc.nist.gov/publications/PubsSPs.html • FedRAMP Online: http://www.fedramp.gov

  11. Controls Quick Recap

  12. Information Security Controls

  13. Complexity. Macro View.

  14. Management Nightmare. Micro View.

  15. Effectively Managed IT Controls
  Technology can affect every part of the business. At its best, technology is a competitive advantage. At its worst, technology is your competitor's advantage.
  IT Controls: Detective, protective and reactive measures in place to protect the confidentiality, integrity, and availability of business information and ensure appropriate management of the IT function to meet business objectives.
  [Figure: value chain with primary activities (Inbound Logistics, Operations, Outbound Logistics, Marketing and Sales, Service) and support activities (Firm Infrastructure, HR Management, Technology Development, Procurement) producing Margin, alongside Product and Market Relationships.]

  16. How Do You Manage IT Controls? Solution Alignment: Controls Defined by GRC; Managed by Tools
  • GRC Tools
  • Governance
  • Risk Management
  • Frameworks
  • Compliance

  17. VCE Vblock™ Systems Security & Compliance

  18. Let's Break It Down for VCE: Vblock Systems and Compliance Requirements
  [Figure: a System Security Plan composed of Technical Controls, Management Controls, and Operational Controls, mapped against PCI-DSS, HIPAA, FISMA, CJIS, ISO27K, {…}.]

  19. Technical Control Requirements (Authorities mapped to controls, using PCI DSS as the example)
  • Technical Controls / Component Configuration: Requirement 6: Develop and maintain secure systems and applications.
  • Technical Controls / Solution Ecosystem: Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Administrative Controls: Requirement 12: Maintain a policy that addresses information security for all personnel.
  • Physical Controls: Requirement 9: Restrict physical access to cardholder data.

  20. Adding Value with VCE Security and Compliance Resources
  Compliance Resources:
  • NIST Compliance Map
  • Common Authority Source Information
  • Product Applicability Guides addressing PCI-DSS, HIPAA, FISMA/FedRAMP, and CJIS
  • Compliance Mappings to Component Configuration and Solution Ecosystem
  Solution Ecosystem (TAP Program):
  • Secure Administrative Access
  • Trusted Multitenancy
  • Infrastructure Assurance
  • Systems Monitoring
  • Data Protection
  • Encryption
  • Boundary Protection
  • Exploit and Malware Detection
  • Vulnerability Detection
  Component Configuration:
  • Security Guide: Configuration
  • Vendor Hardening Documents
  • Best Practice Resources
  • Third-party Reviewed Basic Hardening
  • Pre-integrated and Validated Converged Infrastructure (Validation)
  www.VCE.com/security

  21. Building Compliant Virtual Systems
  Layers: Product Ecosystem, Solution Ecosystem, Solution Management, Compliance (Controls Defined by GRC; Managed by Tools)
  Regulations: PCI-DSS, FedRAMP/FISMA, HIPAA-HITECH, CJIS Security Policy

  22. Best Practices Configuration and Engineering Principles: Best Practices Configuration for Component Configuration
  • Fully Patched
  • Uniquely Identified Accounts
  • Least Privileged Roles
  • Secure Authentication
  • Enforced Authorization
  • Non-repudiated Accounting/Logs
  • Secure Administrative Communications
  • Disable Unnecessary Services
  • Harden Necessary Services
  • Focused Function
  • Protected Data
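  As an added example (not code from VCE or from this deck), the following Python audits three of the component-configuration items above on a Linux management host from captured files: Uniquely Identified Accounts and Least Privileged Roles from /etc/passwd, Secure Authentication and Secure Administrative Communications from sshd_config, and Disable Unnecessary Services from the list of running services. The sample files, the service allow-list and the sshd baseline values are constructed for the example; they are assumptions, not a VCE hardening guide.

```python
"""Baseline audit of a Linux management host against some of the component-
configuration items above (added example; not VCE code).  Inputs are plain
text so the audit runs offline against captured evidence files."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample inputs; not captured from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcadmin:x:0:0:shared admin:/home/svcadmin:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1001:1002:Bob:/home/bob:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# PermitEmptyPasswords no
X11Forwarding no
"""

SAMPLE_SERVICES = ["sshd", "rsyslog", "ntpd", "telnetd", "vsftpd"]

# Assumed baselines for the example: services a hardened management host may
# run, and sshd keywords that must be set explicitly to an acceptable value.
ALLOWED_SERVICES = {"sshd", "rsyslog", "ntpd", "chronyd", "auditd"}
SSHD_BASELINE = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},   # key-based administrative access only
    "permitemptypasswords": {"no"},
    "protocol": {"2"},
}


def audit_passwd(passwd_text: str) -> List[str]:
    """Report UIDs shared by several accounts and non-root accounts holding UID 0."""
    findings: List[str] = []
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(f"malformed passwd entry: {line!r}")
            continue
        by_uid[int(fields[2])].append(fields[0])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)} (accounts must be uniquely identified)")
        extra_root = [n for n in names if uid == 0 and n != "root"]
        if extra_root:
            findings.append(f"UID 0 held by non-root account(s) {', '.join(extra_root)} (least privilege)")
    return findings


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective sshd settings, keyword and value lower-cased.  As in sshd itself,
    the first occurrence of a keyword wins and '#' starts a comment."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def audit_sshd(text: str) -> List[str]:
    """Compare sshd settings with SSHD_BASELINE.  An unset keyword is a finding:
    the compiled-in default (e.g. PasswordAuthentication yes) is not a baseline."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    for key, allowed in SSHD_BASELINE.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"sshd {key} not set explicitly")
        elif value not in allowed:
            findings.append(f"sshd {key}={value}; expected one of {sorted(allowed)}")
    return findings


def audit_services(running: List[str], allowed=ALLOWED_SERVICES) -> List[str]:
    """Report running services that are not on the allow-list."""
    return [f"service {s} running but not on the allow-list" for s in running if s not in allowed]


def run_audit(passwd_text: str = SAMPLE_PASSWD,
              sshd_text: str = SAMPLE_SSHD_CONFIG,
              services: List[str] = SAMPLE_SERVICES) -> Dict[str, List[str]]:
    """Run all three audits and group the findings by area."""
    return {"accounts": audit_passwd(passwd_text),
            "ssh": audit_sshd(sshd_text),
            "services": audit_services(services)}


if __name__ == "__main__":
    for area, items in run_audit().items():
        print(f"[{area}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

  On a real host the inputs are the contents of /etc/passwd, either sshd_config or the output of sshd -T (which already prints lower-cased keywords), and a service list such as the output of systemctl list-units --type=service --state=running, passed to run_audit. Keeping those captures as text files alongside the findings is also the evidence an assessor asks for when validating secure-configuration controls.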

  23. Solution Ecosystem

  24. Technology Alliance Program Solution Ecosystem www.vce.com/partners

  25. VCE Differentiation: Life Cycle System Assurance. You Begin with a Validated System.
  • Pre-engineered, Pre-validated, Pre-tested
  • Best-of-breed Technology
  • Converged Management; API Enabled, Converged Management
  • Application Optimization
  • Integrated Protection and Workload Mobility Solutions
  • Customer Experience
  • Fastest Time to Business
  • Highest Performance
  • Highest Availability
  • Lowest Risk
  • Lowest TCO

  26. Building Trust • VCE can help establish trust by providing a set of offerings (products, solutions and guidance) for use in conjunction with our customers' security programs. • These offerings fall into a simple Trust Framework of the following well-known security concepts and objectives: • CIA (Confidentiality, Integrity, and Availability) • III (Infrastructure, Identities, and Information) • GRC (Governance, Risk Management, and Compliance) • The application of such a Trust Framework can provide the assurance that the infrastructure is trustworthy enough for the deployment of critical information.
  [Figure: the three triads of the Trust Framework, Governance / Risk / Compliance, Confidentiality / Integrity / Availability, and Infrastructure / Information / Identities.]

  27. Building Systems Assurance
  [Figure: Continuous Monitoring (Build Context, Analyze Context) and Rapid Response (Manage Workflow, GRC Tools) around a Validated System. Monitored elements: Provisioned Assets, Systems Configuration, Communications, Identity Access, Third Parties, Service Monitoring, Data Locations, Vulnerabilities. Outputs: Data Violations, Actionable Events, Advanced Threats.]

  28. Session Wrap: How can we apply what we discussed today?
  Our Discussion: Protecting Data; Sampling of Regulations and Standards; Control Complexity and Management; VCE Vblock Systems Compliance; Technical Control Requirements; Component Configuration; Solution Ecosystem; Security and Compliance Resources; Solution Context.
  Our Application: VCE Sales Resources; Multiple Sales Resources
  • Configuration Hardening Guides
  • Solution Guides & TAP Program
  • Compliance Guides
  Getting Additional Help: www.vce.com/security | www.vce.com/partners | VCE Security Product Management: Chris.Davis@vce.com | 469-879-1223 | www.linkedin.com/christopherdavis

  29. The Reference Monitor Concept Assurance: The grounds for confidence that the set of intended security controls in an information system are effective in their application.

  30. Solution Delivery, Security, and Alignment: Three Approaches to Security
  • Solution Delivery (Technology Assets): Solution, Storage, Hypervisor, Network, Compute
  • Solution Security (Operations Processes): Respond, Provision, Monitor, Configure, Validate
  • Solution Alignment (Controls Defined by GRC; Managed by Tools): GRC Tools, Governance, Risk Management, Frameworks, Compliance

  31. Security is Multidimensional. Interrelationships between Assets, Requirements, and Processes. [Figure axes: Requirements, Processes, Workloads.]

  32. Building Compliant & Secure Systems • Component, Infrastructure, and Systems Approach
  System Security Plan mapped to PCI-DSS, HIPAA, FISMA, ISO27K, …
  • Technical Controls / System Configuration: Accounts, Roles, Authentication, Authorization, Accounting/Logs, Secure Communications, Enabled Services, Service Hardening, Patch Management, Alignment
  • Technical Controls / Supporting Ecosystem: Identity & Access Management, Vulnerability Detection, Exploit Detection / Malware Prevention, Boundary Protection, Infrastructure Management, Systems Monitoring, Data Protection, Encryption
  • Administrative Controls: Processes, Policies, Operating Procedures for Staff and Equipment
  • Physical Controls: Physical (e.g. COBIT) or Operational (e.g. FISMA)
  Layers: Services, Infrastructure

  33. Everything should be made as simple as possible – but not simpler.   --Albert Einstein
