Accelerating Regulatory Compliance for IBM i Systems
Richard Marko
Director, Technical Services – Security Products
Agenda
1 Statistics
2 Regulations
3 Challenges
4 Risk Assessment
5 Solutions
6 Tradeoffs
Compliance Requirements Are Widespread
[Chart: "What regulations must your organization adhere to?" Response options: Sarbanes-Oxley (SOX), JSOX; PCI DSS (Payment Card Industry Data Security Standard); HIPAA (Health Insurance Portability and Accountability Act); NIST 800-53 (National Institute of Standards Security and Privacy Controls); STIG (Security Technical Implementation Guidelines); HITECH (Health Information Technology for Economic and Clinical Health); GLBA (Gramm-Leach-Bliley Act); FISMA (Federal Information Security Management Act); FERPA (Family Educational Rights & Privacy Act); None; Don't know; Other (please specify). Horizontal axis 0% to 40%; bar values are not recoverable from the extracted text.]
• Organizations are subject to a variety of regulations
• Some are subject to multiple regulations
• GDPR (not part of this 2017 survey) is now a global concern
• NYS 23 NYCRR 500 (also not part of the 2017 survey) is a growing concern
• New "regulations" are being introduced, e.g. NF525, which relates to cash machines & POS in France
Source: Syncsort's 2018 State of Security Survey
Compliance Auditing and Reporting Insight
For the majority of IBM Power users (52%), the trend toward security investments in the coming year will focus on compliance auditing and reporting. Compliance standards such as NIST 800-53, PCI DSS, FISMA, GLBA, SOX, STIG and HIPAA require organizations to secure their networks, harden servers and desktop computers for their confidential enterprise assets, and provide network compliance reports to auditors when demanded.
Growing Regulatory Complexity
Source: Syncsort's 2018 State of Resilience Report
[Chart: "What security challenges does your IT organization anticipate in the coming year?" Response options: Adoption of cloud services; Increase in sophistication of attacks; Ransomware; Increased network complexity; Insufficient IT security budget; Increase in number of attacks; Growing complexity of regulations; Data becoming increasingly distributed; Threats attributed to mobile device adoption; Inadequate end-user security training; Insufficient security staffing; Inadequate IT security staff training; Inadequate security reporting/auditing/forensics tools; Lack of management support for security efforts; Growth of non-sanctioned IT (Shadow IT); None; I don't know; Other (please specify). Horizontal axis 0% to 50%; bar values are not recoverable from the extracted text.]
28% of respondents said that they anticipate increased regulatory complexity as a security challenge this coming year.
Regulations
Sarbanes–Oxley Act
Enacted July 30, 2002. United States federal law.
Sets requirements for U.S. public companies. Certain provisions apply to private companies.
Requires corporations to assess the effectiveness of internal controls and report this assessment annually to the SEC.
Any review of internal controls would not be complete without addressing controls around information security, including
• Security Policy
• Security Standards
• Access and Authentication
• Network Security
• Monitoring
• Segregation of Duties
Payment Card Industry Data Security Standard (PCI DSS)
V1 released on December 15, 2004.
Information security standard for organizations that handle branded credit cards from the major card schemes.
Created to increase controls around cardholder data to reduce credit card fraud.
Validation of compliance is required annually.
Requires security practices including
• Firewalls
• Password security
• Cardholder data protection
• Encryption of data in motion
• Monitoring of network and data access
• Regular security testing
Health Insurance Portability and Accountability Act
Originally enacted August 21, 1996.
Establishes national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Requires security practices such as
• Access control
• Electronic healthcare information protection
• Protection of data in motion
• Monitoring of system access
• Policies for reporting breaches
General Data Protection Regulation (GDPR)
Enforcement date: 25 May 2018.
Regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
Applies to all organizations doing business with EU citizens.
Aims primarily to give citizens and residents protection of, and control over, their personal data; the controls it calls for include
• Access control
• Sensitive data protection
• Restricted user privileges
• System activity logging
• Risk assessments
New York Dept. of Financial Services Cybersecurity Regulation (NYS 23 NYCRR 500)
Enforcement date: February 15, 2018.
Requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers.
Ensures the safety and soundness of New York State's financial services industry.
Requirements protect the confidentiality, integrity and availability of information systems, including
• Risk assessments
• Restricted user privileges
• Automatic logouts
• Antivirus
• Multi-factor authentication
• System activity logging
Challenges
Challenges for companies in complying with regulations:
• Lack of knowledge
• Don't have the technology
• Lack of resources
• Retaining knowledgeable employees
• Keeping up to date with regulations
• Having what the auditors want
• Maintaining and enhancing a current system
• Too many systems/LPARs to handle
Areas of Concern:
• Access control
• User profile management
• Elevated authority management
• Sensitive data protection
• Policy compliance management
• System activity logging
• Security violation detection and alerting
• Security risk assessment
Compliance Areas
[Matrix slide mapping regulations to compliance areas; the cell marks did not survive extraction. Regulations (columns): Sarbanes-Oxley (SOX), PCI DSS, HIPAA, GDPR, NYS – 23 NYCRR 500. Compliance areas (rows): Vulnerability Assessments, Audit Trails, Limited User Access, Multi-Factor Authentication, Encryption, Alerting / Reporting.]
Security Risk Assessment
Why do you need a risk assessment?
• Urgency for cyber risk/vulnerability assessment is growing rapidly
• Risk assessment is becoming an essential component of many regulatory compliance requirements
• An assessment tool/service is considered essential to ensure corporate sustainability
What should an assessment provide?
• Checks of system definitions and settings
• Explanation of what they mean
• Recommended changes if necessary
Assessment results should be sufficiently detailed to give guidance to the technical staff responsible for system security while providing a management overview for non-technical administrators and managers.
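As an added illustration of the three things the slide says an assessment should provide (checks of settings, an explanation of what they mean, and a recommended change), this Python script runs a few checks over a constructed snapshot of IBM i system values and produces both the per-check technical detail and a management summary. It is example code written for this page, not the deck's or Syncsort's own tooling; the thresholds and the mapping of each check to the deck's compliance areas are my assumptions, not a statement of what any regulation requires.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed sample snapshot of IBM i system values (the kind captured with
# DSPSYSVAL); the values are invented for this example.
SNAPSHOT = {
    "QAUDCTL": "*NONE",      # auditing control; *NONE = security auditing off
    "QSECURITY": "30",       # system security level
    "QMAXSIGN": "*NOMAX",    # failed sign-on attempts allowed
    "QPWDEXPITV": "*NOMAX",  # password expiration interval in days
}

@dataclass
class Check:
    sysval: str
    passes: Callable[[str], bool]   # predicate over the observed value
    meaning: str                    # explanation for technical staff
    recommendation: str             # change to make if the check fails
    areas: Tuple[str, ...]          # compliance areas from the deck (mapping assumed)

CHECKS = [
    Check("QAUDCTL", lambda v: v != "*NONE",
          "Whether security audit journal entries are written; *NONE disables auditing.",
          "Set QAUDCTL to *AUDLVL and define QAUDLVL so an audit trail exists.",
          ("Audit Trails", "Alerting / Reporting")),
    Check("QSECURITY", lambda v: v.isdigit() and int(v) >= 40,
          "System security level; 40 and above add operating-system integrity protection.",
          "Raise QSECURITY to 40 or 50 after testing applications.",
          ("Limited User Access",)),
    Check("QMAXSIGN", lambda v: v.isdigit() and int(v) <= 5,   # *NOMAX fails
          "Failed sign-on attempts before the profile or device is disabled.",
          "Set QMAXSIGN to 5 or fewer to limit password guessing.",
          ("Limited User Access",)),
    Check("QPWDEXPITV", lambda v: v.isdigit() and int(v) <= 90,  # *NOMAX fails
          "Days before passwords expire; *NOMAX means they never expire.",
          "Set QPWDEXPITV to 90 days or fewer.",
          ("Limited User Access",)),
]

def assess(snapshot: dict) -> list:
    """Technical detail: one finding per check, with explanation and fix."""
    findings = []
    for c in CHECKS:
        v = snapshot.get(c.sysval)   # a missing value is reported, not skipped
        findings.append({"sysval": c.sysval, "observed": v if v is not None else "<missing>",
                         "passed": v is not None and c.passes(v), "meaning": c.meaning,
                         "recommendation": c.recommendation, "areas": c.areas})
    return findings

def management_summary(findings: list) -> dict:
    """Overview for non-technical readers: failure count and affected compliance areas."""
    failed = [f for f in findings if not f["passed"]]
    return {"checks": len(findings), "failed": len(failed),
            "areas_affected": sorted({a for f in failed for a in f["areas"]})}

if __name__ == "__main__":
    for f in assess(SNAPSHOT):
        print("PASS" if f["passed"] else "FAIL", f"{f['sysval']}={f['observed']}: {f['meaning']}")
    print(management_summary(assess(SNAPSHOT)))
```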
Solutions
IBM i is a great system, but security auditing is NOT turned on by default and some things need to be developed or purchased.
Compliance Acceleration
• Jump-start to Compliance
• Cross-Reference to Regulation
• Alerts, Reports, and Templates
• Professional Services
Data Privacy Solutions
• Encryption
  • Field
  • File
  • Tape
  • IFS
  • Save File
• Tokenization
• Anonymization
Multi-Factor Authentication
• Strengthens Password Security
• IBM i Logon Integration
• Voice and Mobile Authentication
HA/DR Solution
• Scalable real-time replication
• Comprehensive protection from downtime and data loss
Cross Platform Compliance
• What about your other platforms?
  • Windows
  • AIX
  • Linux
  • SQL Server
  • Oracle
Access Management
• Network Access
• Socket – IP and Port
• Exit Point
• File
• Commands
• User Management
• Object Level Security
Tradeoffs
Doing It Yourself In-House
• Resources may be stretched and pulled off the project
• May need to bring in consultants or hire a new employee because of lack of knowledge
• Need to stay on top of changes to the regulations
• Knowledgeable resource may leave or retire
Using 3rd party solutions
• Frees up your resources for more important projects
• Provides separation of duties
• Leverages experts in the field
• Vendor is in the business of releasing updated software
• Vendor stays informed on modifications to regulations
Syncsort can help with all your compliance, security or SIEM integration needs!
• Elevated Authority Management
• Secure Data Transfer
• Enhanced Password Management
• System & Database Auditing
• Access Control
• Security Risk Assessment
• SIEM Integration
• Alerts and Reports
• Sensitive Data Protection
• Compliance Acceleration
• Job Log Analysis
• Network Security
• Password Self-Service
• Supervised 4-Eyes Operations
• Log Forwarding
• Secure Data Consolidation & Distribution
Learn more at www.syncsort.com/en/assure
Managed Services
Protect your mission-critical data with the highest levels of availability and security with Syncsort's exclusive Managed Resilience offerings. Let the experts of the Syncsort Global Services team handle all of the monitoring, optimization, software updates and testing of your high availability and security solutions so that staff can focus on other IT priorities.
• Reduce the chances of a security breach, an unplanned outage or a compliance violation
• Free your IT staff to work on other important projects
• Benefit from the vast experience of Syncsort experts
• Enjoy the latest availability and security features through automated software updates
Q&A