VCE Vblock™ Systems Security & Compliance - PowerPoint PPT Presentation (35 slides, uploaded by petra)

Presentation Transcript
VCE Vblock™ Systems Security & Compliance

Chris Davis, Senior Consultant - Security and Compliance, VCE Product Management

Agenda
  • Regulations and Standards
  • Controls Quick Recap
  • VCE Vblock Systems Security & Compliance

Protecting Data.

Source: IT Auditing: Using Controls to Protect Information Assets (McGraw-Hill Professional, 2011)

Hundreds of Authority Sources

Sarbanes-Oxley (PCAOB, SAS 94, AICPA, Sec 17, COSO ERM, A123)

Banking and Finance (Basel II, Gramm-Leach-Bliley, GLBA, FFIEC)

NASD/NYSE (Sec 17)

Healthcare and Life Science (HIPAA, NIST, CMS, FDA)

Energy (FERC, NERC)

Credit Card (PCI DSS, Visa CISP, Amex, MasterCard, BBB)

Federal Security (E-Sign, UETA, FISMA, FISCAM, FIPS, Clinger-Cohen Act, GAO, DOD, CISWIG, OMB, NCUA, C-TPAT, more)

IRS (Rev. Proc. 97-22, 98-25, 501(c)(3))

Records Management (ISO, DIRKS, Sedona, more)

NIST (SP 800-14, 18, 26, 30, 33, 34, 40, 41, 53, 60, 61, 64)

General (COBIT 3 & 4, NFPA, ISF, ISSA, CERT, IIA, more)

US Federal Privacy (Cable, Telemarketing, SPAM, COPPA, Drivers, Family, Video Privacy, Specter-Leahy, more)

US State Laws (all states)

System Configuration (CIS benchmarks for Solaris, HP-UX, Red Hat, SuSE, AIX, NIST, Novell, Apple OS X, Vista, DISA, more)

PCI-DSS
  • The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). These payment brands require through their Operating Regulations that any merchant or service provider that processes, stores or transmits cardholder data must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS) version 2. Failure to meet PCI requirements can lead to fines, penalties, or loss of the ability to process credit cards, in addition to potential loss of reputation.
  • VCE Whitepaper: vblock-guide-pci-addendum.pdf (PDF)
  • PCI-DSS Online: https://www.pcisecuritystandards.org
HIPAA
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936) addresses policies, procedures, and guidelines for protecting the confidentiality, integrity, and availability of protected health information (PHI). The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.
  • VCE Whitepaper: Coming Soon! 1Q2014
  • HIPAA Online: http://www.hhs.gov/ocr/privacy/index.html
CJIS Security Policy (FBI)
  • Law enforcement requires secure, rapid access to data in a variety of situations to stop and reduce crime. The Criminal Justice Information Services (CJIS) Security Policy contains information security requirements, guidelines, and agreements for protecting the sources, transmission, storage, and generation of criminal justice information (CJI). The CJIS Security Policy applies to every information system with capabilities for creating, viewing, modifying, transmitting, disseminating, storing, and destroying CJI. It is intended to apply a uniform set of controls across systems to protect CJI at rest or in transit.
  • VCE Whitepaper: VCE_CJIS_Policy_Requirements (PDF)
  • CJIS Online: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
FISMA/FedRAMP
  • FISMA is a law enacted in 2002 requiring all federal agencies, departments, and their contractors to meet specified guidelines in safeguarding their information systems and assets. The National Institute of Standards and Technology (NIST) develops the standards and guidelines for FISMA through its Special Publications (SP). NIST is considered a guidance and reference tool for many organizations that use the FISMA framework, whether they are required to use it or use it voluntarily. FedRAMP was established in December 2011 and requires federal organizations that use a cloud environment to apply the FedRAMP program's cloud security controls.
  • VCE Whitepaper: vblock-systems-guide-FISMA-FedRAMP.pdf (PDF)
  • FISMA Online: http://csrc.nist.gov/publications/PubsSPs.html
  • FedRAMP Online: http://www.fedramp.gov
Effectively Managed IT Controls

Technology can affect every part of the business.

At its best, technology is a competitive advantage.

At its worst, technology is your competitor's advantage.

IT Controls: detective, protective and reactive measures in place to protect the confidentiality, integrity, and availability of business information and to ensure appropriate management of the IT function to meet business objectives.

[Figure: Porter's value chain. Primary activities: Inbound Logistics, Operations, Outbound Logistics, Marketing and Sales, Service. Support activities: Firm Infrastructure, HR Management, Procurement, Technology Development. Margin; Product; Market Relationships.]

How Do You Manage IT Controls?

Solution Alignment: controls defined by GRC, managed by tools.

  • GRC Tools
  • Governance
  • Risk Management
  • Frameworks
  • Compliance
Let's Break It Down for VCE Vblock Systems and Compliance Requirements

[Figure: a System Security Plan at the centre, divided into Technical Controls, Management Controls, and Operational Controls, with the applicable authorities around it: PCI-DSS, HIPAA, FISMA, CJIS, ISO27K, {…}]

Technical Control Requirements

Authorities impose requirements across all three control areas. PCI-DSS, for example:

  Technical Controls
    Component Configuration: Requirement 6: Develop and maintain secure systems and applications.
    Solution Ecosystem: Requirement 10: Track and monitor all access to network resources and cardholder data.
  Administrative Controls
    Requirement 12: Maintain a policy that addresses information security for all personnel.
  Physical Controls
    Requirement 9: Restrict physical access to cardholder data.

Adding Value with VCE Security and Compliance Resources

Compliance Resources
  • NIST Compliance Map
  • Common Authority Source Information
  • Product Applicability Guides addressing PCI-DSS, HIPAA, FISMA/FedRAMP, and CJIS
  • Compliance Mappings to Component Configuration and Solution Ecosystem

Solution Ecosystem
  • TAP Program
  • Secure Administrative Access
  • Trusted Multitenancy
  • Infrastructure Assurance
  • Systems Monitoring
  • Data Protection
  • Encryption
  • Boundary Protection
  • Exploit and Malware Detection
  • Vulnerability Detection

Component Configuration
  • Security Guide: Configuration
  • Vendor Hardening Documents
  • Best Practice Resources
  • Third-party Reviewed Basic Hardening

Validation
  • Pre-integrated and Validated Converged Infrastructure

www.VCE.com/security

Building Compliant Virtual Systems

[Figure: Product and Ecosystem feed the Solution Ecosystem and Solution Management; controls defined by GRC, managed by tools, against the Compliance Regulations: PCI-DSS, FedRAMP/FISMA, HIPAA-HITECH, CJIS Security Policy.]

Best Practices Configuration and Engineering Principles

Best Practices Configuration (Component Configuration)

  • Fully Patched
  • Uniquely Identified Accounts
  • Least Privileged Roles
  • Secure Authentication
  • Enforced Authorization
  • Non-repudiated Accounting/Logs
  • Secure Administrative Communications
  • Disable Unnecessary Services
  • Harden Necessary Services
  • Focused Function
  • Protected Data
Technology Alliance Program

Solution Ecosystem

www.vce.com/partners

VCE Differentiation

You begin with a validated system: pre-engineered, pre-validated, pre-tested, best-of-breed technology.

  • Life Cycle System Assurance
  • Application Optimization
  • API Enabled, Converged Management
  • Customer Experience
  • Integrated Protection and Workload Mobility Solutions
  • Fastest Time to Business
  • Highest Performance
  • Highest Availability
  • Converged Management
  • Lowest Risk
  • Lowest TCO

Building Trust

  • VCE can help establish trust by providing a set of offerings (products, solutions and guidance) for use in conjunction with our customers' security programs.
  • These offerings fall into a simple Trust Framework of the following well-known security concepts and objectives:
    • CIA (Confidentiality, Integrity, and Availability)
    • III (Infrastructure, Identities, and Information)
    • GRC (Governance, Risk Management, and Compliance)
  • The application of such a Trust Framework can provide the assurance that the infrastructure is trustworthy enough for the deployment of critical information.

[Figure: the Trust Framework, GRC at the centre with the CIA objectives (Confidentiality, Integrity, Availability) and the III assets (Infrastructure, Information, Identities) around it.]

Building Systems Assurance

[Figure: a Validated System at the centre; stages Build Context, Analyze Context, and Manage Workflow, under Continuous Monitoring and Rapid Response; elements: Provisioned Assets, Systems, Configuration, Communications, Identity Access, Third Parties, Service Monitoring, Data Violations, Actionable Events, Data Locations, Advanced Threats, Vulnerabilities, GRC Tools.]

Session Wrap: How can we apply what we discussed today?

Our Discussion
  • Protecting Data
  • Sampling of Regulations and Standards
  • Control Complexity and Management
  • VCE Vblock Systems Compliance
  • Technical Control Requirements
  • Component Configuration
  • Solution Ecosystem
  • Security and Compliance Resources
  • Solution Context

Our Application
  • VCE Sales Resources: Multiple Sales Resources
    • Configuration Hardening Guides
    • Solution Guides & TAP Program
    • Compliance Guides
  • Getting Additional Help
    • www.vce.com/security
    • www.vce.com/partners
    • VCE Security Product Management
    • Chris.Davis@vce.com | 469-879-1223 | www.linkedin.com/christopherdavis

The Reference Monitor Concept

Assurance: The grounds for confidence that the set of intended security controls in an information system are effective in their application.
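The reference monitor concept above, combined with the Best Practices Configuration list earlier in the deck (uniquely identified accounts, least-privileged roles, enforced authorization, non-repudiated accounting/logs), as an added worked example in Python. It is not part of the original presentation and is not VCE product code. The roles, accounts, objects, request sequence and the HMAC key are constructed for illustration, and the hash-chained, HMAC-protected log is one way of making accounting records tamper-evident, not a mechanism the deck specifies.

```python
"""Added example (not VCE code): a minimal reference monitor.
It combines three items from the deck's Best Practices Configuration list
(uniquely identified accounts, least-privileged roles with enforced
authorization, non-repudiated accounting/logs) behind one mediation point,
ReferenceMonitor.check().  All names, roles and records are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Role -> set of (object, action) the role may perform.  Least privilege:
# each role lists only what that job needs (the auditor is read-only).
POLICY = {
    "storage-admin": {("san-volume", "read"), ("san-volume", "write"),
                      ("san-volume", "snapshot")},
    "auditor":       {("audit-log", "read"), ("san-volume", "read")},
    "app-operator":  {("vm-cluster", "read"), ("vm-cluster", "start"),
                      ("vm-cluster", "stop")},
}

# Uniquely identified accounts: one named person per account.  A shared
# "root"/"admin" login is deliberately absent.
ACCOUNTS = {
    "cdavis":    {"storage-admin"},
    "auditor01": {"auditor"},
    "ops-jdoe":  {"app-operator"},
}

GENESIS = "0" * 64  # chain anchor for the first log entry


@dataclass
class AuditLog:
    """Append-only, hash-chained accounting log.  Each entry commits to the
    previous entry's hash and carries an HMAC under a key held by the log
    collector, not by the administrators being audited, so an after-the-fact
    edit or deletion breaks the chain and the record cannot be repudiated."""
    key: bytes
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        mac = hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()
        entry = {"seq": len(self.entries), "prev": prev,
                 "record": record, "hash": digest, "mac": mac}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = json.dumps(e["record"], sort_keys=True)
            digest = hashlib.sha256((prev + body).encode()).hexdigest()
            mac = hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()
            if (e["seq"] != i or e["prev"] != prev or e["hash"] != digest
                    or not hmac.compare_digest(mac, e["mac"])):
                return False
            prev = digest
        return True


class ReferenceMonitor:
    """Single mediation point for every subject -> object access decision."""

    def __init__(self, policy: dict, accounts: dict, log: AuditLog):
        self.policy, self.accounts, self.log = policy, accounts, log

    def check(self, subject: str, obj: str, action: str) -> bool:
        # Complete mediation: unknown subjects have no roles and are denied;
        # every decision, allow or deny, is written to the log.
        roles = self.accounts.get(subject, set())
        allowed = any((obj, action) in self.policy.get(r, set()) for r in roles)
        self.log.append({"subject": subject, "object": obj, "action": action,
                         "decision": "allow" if allowed else "deny"})
        return allowed


def run_demo() -> dict:
    """Exercise the monitor, then show that tampering with the log is caught."""
    log = AuditLog(key=b"collector-key-example-only")  # constructed key
    rm = ReferenceMonitor(POLICY, ACCOUNTS, log)
    requests = [
        ("cdavis",    "san-volume", "write"),  # in role: allow
        ("cdavis",    "vm-cluster", "stop"),   # outside role: deny
        ("auditor01", "audit-log",  "read"),   # allow
        ("ops-jdoe",  "vm-cluster", "start"),  # allow
        ("root",      "san-volume", "read"),   # no such account: deny
    ]
    decisions = [rm.check(*req) for req in requests]
    valid_before = log.verify()
    log.entries[1]["record"]["decision"] = "allow"  # insider rewrites a deny
    return {"decisions": decisions,
            "log_valid_before_tamper": valid_before,
            "log_valid_after_tamper": log.verify()}
```

Calling `run_demo()` returns the five allow/deny decisions plus the log's verification result before and after the denied request is rewritten to look authorized; the second verification fails, which is the property "non-repudiated accounting/logs" is asking for. The design choice worth noting is that the monitor denies by default: an account with no roles, or a role with no matching (object, action) pair, gets nothing, and the deny is logged like any allow.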

Solution Delivery, Security, and Alignment: Three Approaches to Security

Solution Delivery (Technology Assets)
  • Solution
  • Storage
  • Hypervisor
  • Network
  • Compute

Solution Security (Operations Processes)
  • Respond
  • Provision
  • Monitor
  • Configure
  • Validate

Solution Alignment (Controls Defined by GRC; Managed by Tools)
  • GRC Tools
  • Governance
  • Risk Management
  • Frameworks
  • Compliance
Security is Multidimensional: Interrelationships between Assets, Requirements, and Processes

[Figure: three axes, Requirements, Processes, and Workloads.]

Building Compliant & Secure Systems
  • Component, Infrastructure, and Systems Approach

System Security Plan: PCI-DSS, HIPAA, FISMA, ISO27K

Technical Controls
  • Supporting Ecosystem: Identity & Access Management, Vulnerability Detection, Exploit Detection / Malware Prevention, Boundary Protection, Infrastructure Management, Systems Monitoring, Data Protection, Encryption
  • System Configuration: Accounts, Roles, Authentication, Authorization, Accounting/Logs, Secure Communications, Enabled Services, Service Hardening, Patch Management, Alignment
  • Services Infrastructure

Physical Controls and Administrative Controls
  • Processes, Policies, Operating Procedures for Staff and Equipment
  • Physical (e.g. COBIT) or Operational (e.g. FISMA)