Maintaining compliance can be a drain on limited resources and budgets. A new wealth of compliance requirements impacting organizations in many industries has resulted in what Thomson Reuters refers to as "compliance fatigue."
Some of the most commonly reported challenges for IT and compliance professionals include regulatory change, personal liability, and resource shortages. In a world where the costs and effort required to maintain full compliance are soaring, tools that simplify that effort are a necessity.
In this blog, you'll gain insight into where file integrity monitoring software fits into six common regulatory requirements and how it can ease fatigue and strained budgets.
Since 2004, the Payment Card Industry Digital Security Standards (PCI-DSS) council has worked to regulate the security activities of "anyone associated with payment cards." Any business entity who "works with or is associated with cards" is required to comply with a designated level of PCI requirements, which commonly includes merchants, financial institutions, point-of-sale vendors, and developers.
The 12 requirements of PCI version 3.1 include, but are not limited to, the installation of a firewall, training, policy, testing, and access governance.
Two sections of PCI specifically address the need for file integrity monitoring software:
- 10.5.5: Use file integrity monitoring or change-detection software to ensure log data cannot be changed without the generation of an alert.
- 11.5: Deploy a change-detection mechanism (such as file integrity monitoring) to perform critical file comparisons at least once per week, and alert personnel to the unauthorized modification of critical system files, configuration files, or content files.
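The two PCI requirements above describe the same mechanism from two angles: 11.5 wants critical files compared against a known-good baseline and an alert on any unauthorized change, while 10.5.5 wants log data that is allowed to grow but never to be altered. The following script is an added illustration of that baseline-and-compare loop (it is not CimTrak or Cimcor code); the directory layout, file names and contents are constructed for the demo, and the "append-only" treatment of the log file is one way of expressing 10.5.5, not the wording of the standard. It also serves the closing section's point about real-time alerts: the same `compare` call can run on a weekly schedule or on every filesystem event.

```python
"""
Minimal file integrity monitor (FIM): take a baseline of critical files,
compare the live tree against it, and return alerts for unauthorised changes.
Added example for this article; not CimTrak/Cimcor code. All paths and
file contents below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

CHUNK = 64 * 1024


def hash_file(path: Path, limit: Optional[int] = None) -> str:
    """SHA-256 of a file, or of its first `limit` bytes when limit is given."""
    h = hashlib.sha256()
    remaining = limit
    with path.open("rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def build_baseline(root: Path, append_only: tuple = ()) -> dict:
    """Record hash, size and permission bits of every file under root.
    Relative paths listed in `append_only` (e.g. audit logs) may grow later
    (PCI 10.5.5); everything else must match byte-for-byte (PCI 11.5)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        st = p.stat()
        baseline[rel] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
            "append_only": rel in append_only,
        }
    return baseline


def compare(root: Path, baseline: dict) -> list:
    """Return sorted (event, path) alerts: added, mode_changed, modified,
    removed, tampered. An empty list means the tree matches the baseline."""
    alerts = []
    for rel, entry in baseline.items():
        p = root / rel
        if not p.is_file():
            alerts.append(("removed", rel))
            continue
        st = p.stat()
        if oct(st.st_mode & 0o777) != entry["mode"]:
            alerts.append(("mode_changed", rel))
        if entry["append_only"]:
            # A log may grow, but the bytes recorded at baseline time must be intact.
            if st.st_size < entry["size"] or hash_file(p, entry["size"]) != entry["sha256"]:
                alerts.append(("tampered", rel))
        elif hash_file(p) != entry["sha256"]:
            alerts.append(("modified", rel))
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in baseline:
                alerts.append(("added", rel))
    return sorted(alerts)


def demo() -> dict:
    """Constructed scenario: a config file, a binary and an audit log are
    baselined; the log is then legitimately appended to, after which the
    config is edited, a log line is erased and an unknown file appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "pay").write_bytes(b"\x7fELF-placeholder")
        (root / "var").mkdir()
        (root / "var" / "audit.log").write_text("login ok\n")
        baseline = build_baseline(root, append_only=("var/audit.log",))

        # Legitimate activity: the log grows by appending a new record.
        with (root / "var" / "audit.log").open("a") as f:
            f.write("logout\n")
        after_append = compare(root, baseline)

        # Unauthorised activity: config edited, earlier log record removed, new file dropped.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "var" / "audit.log").write_text("logout\n")
        (root / "bin" / "unexpected.bin").write_bytes(b"x")
        after_tampering = compare(root, baseline)

    return {"after_append": after_append, "after_tampering": after_tampering}


if __name__ == "__main__":
    for phase, alerts in demo().items():
        print(phase, alerts or "no alerts")
```

Two design points matter in practice. The baseline must be stored somewhere the monitored host cannot rewrite (a central FIM server, or at least a signed file), otherwise an attacker who alters a file can re-baseline it too. And the append-only check is deliberately narrow: log rotation legitimately truncates a file, so a real deployment re-baselines rotated logs from the rotation job rather than treating every truncation as tampering.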
To learn more about the PCI guidelines in depth, we recommend The 2016 PCI Compliance Checklist.
NERC-CIP is the critical infrastructure preparedness guidelines of the North American Electric Reliability Corporation, a non-profit established to ensure reliability in energy delivery. As utility providers have increasingly adopted technologies to control the grid and other aspects of energy delivery, these guidelines act as a framework to assist in the protection of critical infrastructure assets. This includes attention to preventing unauthorized access and negative changes.
File integrity monitoring is addressed in NERC-CIP 007, which seeks to manage system security by specifying select technical, operational, and procedural requirements "...against compromise that could lead to misoperation or instability." This requires the documentation of all system ports and services, along with detection, alerts, and reports on status changes.
An in-depth brief on the technical aspects of NERC-CIP compliance can be found here.
The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including their government contractors, to implement agency-wide programs for information security. This includes an annual security program review and reporting to the Office of Management and Budget (OMB).
NIST 800-53 Revision 4 provides in-depth insight for agencies into responsibilities, risk management, and how to select security control baselines. However, the ultimate selection of specific controls falls within the hands of agencies, based on criteria outlined in NIST 800-53 Rev 4.
MAC-1 and MAC-2 speak to the importance of "high integrity." The right file integrity monitoring solution can aid agencies in achieving compliance with FISMA System Integrity, Configuration Management, and Audit categories.
For more on how file integrity monitoring can fit into the FISMA framework, we recommend CimTrak's Support of FISMA Controls.
The Sarbanes-Oxley Act of 2002, also known as SOX or the Public Company Accounting Reform and Investor Protection Act, is a federal law which sets forth accountability requirements for U.S. public company boards, management, and public accounting firms.
SOX has 11 sections in total. Section 404 requires reporting on the adequacy of internal control over financial reporting (ICFR).
Section 404 requirements include, but are not limited to:
- Evaluating entity-level controls,
- Performing fraud risk assessment, and
- Preventing management override of controls.
Much like FISMA, SOX does not dictate the types of controls or methods organizations must use to achieve compliance. This has led to the development of the COBIT framework for compliance. COBIT standards for acquisition and implementation, delivery and support, and monitoring can be aided by file integrity monitoring.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses safeguards to ensure the "confidentiality, integrity, and availability of protected health information." The Security Rule of HIPAA mentions five types of technical safeguards, which include authentication, documentation, intrusion protection, and data integrity protection.
NIST Special Publication 800-66 offers the most in-depth insight into how to achieve compliance with technical safeguard standards of HIPAA. File integrity monitoring can allow organizations to achieve and maintain compliance with HIPAA technical safeguard best practices, which include audit protection, continual evaluation of data security, and access controls.
To learn more, download Meeting HIPAA Requirements with CimTrak.
Since 2003, the Gramm-Leach-Bliley Act (GLBA) has required institutions that offer financial products or services to disclose their information-sharing practices and safeguard sensitive data. Under the GLBA, the "Safeguards Rule" specifically requires institutions to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Per GLBA Safeguards Rule text, elements of a security program should include:
- §314.4(b)(3): Detecting, preventing and responding to attacks, intrusions, or other systems failures.
- §314.4 (c) Design and implement information safeguards to control the risks you identify...or otherwise monitor.
File integrity monitoring can fit into compliance with the GLBA Safeguards Rule by providing a tool for security assessment, monitoring configurations and host security, and providing strong audit trails.
To learn more, please see Meeting FFIEC Requirements with CimTrak.
How File Integrity Monitoring Software Supports Compliance Objectives
Achieving compliance is difficult, but maintaining compliance standards 24/7/365 is far more challenging. Real-time file integrity monitoring is a powerful compliance tool in today's challenging regulatory environment. As organizations' networks and infrastructure become increasingly complex, real-time integrity monitoring alerts have the power to inform your administrators the moment you move out of compliance.
To see how Cimcor can support your organization's unique requirements and objectives, sign up for a free, no-obligations demo today!
June 28, 2016