Maintaining compliance can be a challenge with limited budgets and resources. Challenges by compliance and IT professionals include resource shortages, personal liability, and regulatory change.
In a world where the costs and efforts required to maintain full compliance are soaring rapidly, tools that simplify your efforts are a necessity. Real-time file integrity monitoring is a powerful compliance tool in today's challenging regulatory environment.
In this blog, we provide insight on how file integrity monitoring software fits into seven common regulatory requirements and how it can help with fatigue and strained budgets.
1. PCI DSS
The Payment Card Industry Digital Security Standards (PCI DSS) council has worked since 2004 to regulate security activities of "anyone associated with payment cards." If an organization "works with or is associated with cards", it is required to comply with a designated level (there are 4 levels) of PCI requirements. This commonly includes merchants, financial institutions, point-of-sale vendors, and developers.
The 12 requirements of PCI version 3.2 include but are not limited to training, installation of a firewall, testing, policy, and access governance.
Specifically, two sections of PCI address the need for file integrity monitoring software:
- 10.5.5: Use file integrity monitoring or change-detection software to ensure log data cannot be changed without the generation of an alert.
- 11.5: Deploy a change-detection monitoring (such as file integrity monitoring) to perform critical file comparisons at least once per week, and alert personnel to the unauthorized modification of critical system files, configuration files, or content files.
To get a more in-depth review of the PCI guidelines, we recommend The PCI Compliance Checklist.
As the critical infrastructure preparedness guidelines of the North American Electric Reliability Corporation, NERC-CIP was established to ensure reliability in energy delivery. These guidelines act as a framework assisting in the protection of critical infrastructure assets. As new technologies emerge, utility providers increasingly adopt technologies to control the grid and important aspects of energy delivery. Preventing unauthorized access and negative changes are many times at the top of the list.
File integrity monitoring is addressed in NERC-CIP 007, which seeks to manage system security by specifying select technical, operational, and procedural requirements..." against compromise that could lead to misoperation or instability." The documentation of system ports/services and detection, alerts, and reports on status changes is required. Configuration change management regarding procedures and documentation are emphasized with requirements of NERC-CIP 010-2. An in-depth brief on the technical aspects of NERC-CIP compliance can be found here.
Since 2002, the Federal Information Security Management Act (FISMA) has required federal agencies to implement programs agency-wide for infosec, and this includes government contractors. The security program must be reviewed annually and reported to the Federal Office of Management and Budget (OMB).
NIST 800-171 discusses the necessity of ensuring the integrity and availability of U.S. Federal Government Data via a comprehensive IT security program.
NIST 800-53 Revision 4 provides in-depth insight for agencies into responsibilities, risk management, and how to select security control baselines. However, the ultimate selection of specific controls falls within the hands of agencies, based on criteria outlined in NIST 800-53 Rev 4.
The right file integrity monitoring solution can aid agencies in achieving compliance with FISMA System Integrity, Configuration Management, audit categories, and assists with mappings between NIST 800-171 and 800-53.
For more on how FIM software can help with the requirements of the FISMA framework, we recommend CimTrak's Support of FISMA Controls
The Sarbanes-Oxley Act, also known as SOX, is a federal law setting accountability requirements for U.S. public company boards, management, and public accounting firms.
With 11 sections total in SOX, many organizations focus on Section 404, which is abbreviated as ICFR. This section requires reporting on the adequacy of internal control over financial reporting.
Section 404 requirements include, but are not limited to:
- Performing fraud risk assessment
- Evaluating entity-level controls,
- Preventing management override of controls.
Similar to FISMA, SOX does not explicitly state the types of controls or methods organizations/businesses should use for compliance. Due to this, the COBIT framework was established for compliance. Standard of COBIT aided with the use of file integrity monitoring include:
- acquisition and implementation
- delivery and support
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses safeguards to ensure the "confidentiality, integrity, and availability of protected health information." The Security Rule of HIPAA mentions five types of technical safeguards, which include authentication, documentation, intrusion protection, and data integrity protection.
The Health Insurance Portability and Accountability Act (HIPAA) focuses on safeguards with the intent of ensuring the "confidentiality, integrity, and availability of protected health information (PHI)".
The Security Rule of HIPAA mentioned 5 types of technical safeguards which includes:
- technical safeguard
- data integrity protection
An in-depth insight into how to achieve compliance with technical safeguards standards of HIPAA can be found in NIST Special Publication 800-66. A File integrity monitoring tool allows businesses/organizations to not only achieve but also maintain compliance with HIPAA best practices, including the continuous evaluation of access controls and data security.
To learn more, download Meeting HIPAA Requirements.
The Gramm-Leach-Bliley Act (GLBA) of 2003 requires the disclosure of information sharing practices and safeguarding of sensitive data from institutions offering financial products or services. Under the GLBA, the "Safeguards Rule" specifically requires institutions to:
- Protect against any anticipated threats or hazards to the security or integrity of such information
- Ensure the security and confidentiality of customer information
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Per GLBA Safeguards Rule text, elements of a security program should include:
§314.4 -3: Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
§314.4 (c) Design and implement information safeguards to control the risks you identify...or otherwise monitor.
File integrity monitoring fits into compliance with GLBA safeguards rule by providing a tool for monitoring configurations and host security, security assessment, and providing strong audit trails.
To learn more, please see Meeting FFIEC Requirements.
The General Data Protection Regulation (GDPR) applies to all companies processing the personal data of data subjects who reside within the EU. The GDPR protects the rights and freedom of data subjects which includes defining the process/steps data holders must take to protect data. File Integrity Monitoring can be used to help become compliant with these GDPR required Articles:
- Article 25: Data Protection by Design and Default
- Article 32: Security of processing
- Article 39: Tasks of the Data Protection Officer(DPO)
- Article 57: Tasks
- Article 59: Activity Reports
Support Compliance Objectives
Achieving compliance can be difficult, but maintaining compliance standards 24/7/365 is far more challenging. As organizations' networks and infrastructure become increasingly complex, real-time integrity monitoring alerts have the power to inform your administrators as you move out of compliance.
To learn more download the Definitive Guide to File Integrity Monitoring today.
August 29, 2018