Are your endpoints compromising compliance?
Ari Tammam, VP Channels at Promisec, looks at the legal requirements of compliance with a number of regulatory acts and how this impacts the entire IT infrastructure.
Regulatory compliance has an influential impact on the entire IT infrastructure, including the endpoints within it. In fact, a recent Computer Crime and Security Survey by the Computer Security Institute (CSI) found that 50% of companies have increased their level of interest in information security because of acts like Sarbanes-Oxley.
Compliance with various government regulatory acts such as Sarbanes-Oxley, HIPAA, Basel II, etc. has now become a legal requirement in many countries and is here to stay. As such, companies have been spending more and more of their time and budgets to meet these requirements and maintain their integrity and reputation. Failure to do so has already resulted in fines being levied on the executives of some companies; these may be accompanied by severe prison terms of up to 20 years. Another new standard emerging is SAS 70 (Statement on Auditing Standards No. 70, Service Organisations), which is designed to audit the internal controls of an organisation. Unlike regulatory bodies, SAS 70 provides an audit report on whether the internal controls in place actually work or not.
In addition to logging events and securing critical systems, many regulatory bodies require independent internal controls that are able to monitor activity so that any change or transaction affecting the status quo of a company’s IT systems is identified. Activity that results in a breach of compliance may be caused by a user’s action, such as the introduction of malware into the network, disabling a security client or even leaving a workstation unlocked when the user is away from their desk. It is therefore essential to have a vigilant system for controlling user activity and enforcing the internal controls upon users.
Out of all the respondents to the 2006 CSI/FBI Computer Crime and Security Survey, 63% cited Policy and Regulatory Compliance as the most critical computer security issue after data protection. Identity theft and information leakage came third with viruses and worms coming in fourth.
Addressing the problem
A practical solution to this problem needs to provide full visibility of user activity and of incorrect configurations that may introduce potential threats into an organisation’s network.
The drivers to budget for a solution like this include:
Endpoints within the corporate network are not normally monitored for activity beyond their initial access to the network.
Users are able to install and use unauthorised applications, more specifically potentially dangerous peer-to-peer applications, devices and services that are forbidden.
An increased number of security breaches originate from within the corporate network.
Users have more freedom inside their networks, with access to business-critical systems.
Any one of these issues has the potential to cause a major security breach. Many senior company figures minimise the importance of these threats, citing the low probability of such a breach. However, the issue today is not just whether a security breach will occur, but also whether any of these threats will render a company’s information systems non-compliant with regulatory bodies.
Identifying a comprehensive solution
There are many solutions available today that claim to address regulatory compliance in one form or another. However, when it comes to the endpoints within a corporate network, the functionality offered needs to be comprehensive. For a solution to be considered comprehensive in the endpoint compliance space, it has to cover all aspects of activity that may run on those endpoints and be able to remediate the problems found.
This should include:
Attachable memory devices;
Modems;
Activated wireless cards or secondary Network Interface Cards (NICs);
Applications;
Processes;
Start-up commands;
Services and even browser toolbars that have the ability to install small pieces of code onto an endpoint.
Without addressing all of these categories, holes will remain in the endpoint security infrastructure, making it easy for an endpoint to fall out of compliance.
Beyond the types of threat the solution needs to identify and eliminate, it needs to be easy to use and, by many regulatory standards, completely independent of existing security systems. The reason for independence is to eliminate any reliance on other resources for the product to work, so that even if other security systems go down, this product will still provide information and identify the systems that are unavailable. This should also cover the availability of the security agents deployed on the workstations being inspected.
A comprehensive solution means that if an anti-virus client, or any other security agent, is disabled, the problem can be identified and repaired quickly to minimise the time a particular endpoint spends out of compliance. Being able to address all of the aforementioned issues in a timely manner gives a company a much-needed endpoint risk management solution to keep its internal network from falling out of compliance. Readers should bear in mind that this type of solution should complement the existing security infrastructure and not necessarily replace or interfere with the operational status quo.
Providing this in-depth visibility of user activity to security administrators dramatically increases the level of protection they can provide to their organisations, maintaining regulatory compliance across the entire company.
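As an added illustration, not Promisec’s product or code, here is a small Python policy check over a constructed endpoint inventory. It covers the categories listed above (removable devices, modems, active wireless or secondary NICs, processes, start-up commands, services and browser toolbars), raises a stopped security agent as a high-severity finding as the paragraph above describes, and reports drift between a baseline snapshot and the current one so that every change to the status quo can be tied back to an approved action. The snapshot, the policy and all names in it are assumptions; a real deployment would collect the snapshot per operating system with a collector that does not depend on the agents it is checking.

```python
"""Endpoint compliance check over an inventory snapshot (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    item: str
    severity: str      # "high" blocks compliance, "medium" is a risk to remediate
    remediation: str


# Policy: constructed for this example; names are assumptions, not a real product config.
POLICY = {
    "required_services": {"av-agent": "running", "host-firewall": "running"},
    "forbidden_processes": {"bittorrent.exe", "utorrent.exe"},
    "forbidden_startup": {"toolbarupdater.exe"},
    "forbidden_device_types": {"modem", "removable_storage"},
    "forbidden_browser_addons": {"SearchHelperToolbar"},
}


def evaluate(snapshot, policy=POLICY):
    """Return the list of policy violations found in one endpoint snapshot."""
    findings = []
    services = snapshot.get("services", {})
    for name, wanted in policy["required_services"].items():
        state = services.get(name, "missing")
        if state != wanted:   # a disabled security agent is the high-severity case
            findings.append(Finding("service", name, "high",
                                    f"security agent is {state}; restart and record the change"))
    for proc in snapshot.get("processes", []):
        if proc.lower() in policy["forbidden_processes"]:
            findings.append(Finding("process", proc, "medium", "terminate and uninstall"))
    for entry in snapshot.get("startup", []):
        if entry.lower() in policy["forbidden_startup"]:
            findings.append(Finding("startup", entry, "medium", "remove start-up entry"))
    for dev in snapshot.get("devices", []):
        if dev["type"] in policy["forbidden_device_types"]:
            findings.append(Finding("device", dev["id"], "medium", f"disable {dev['type']}"))
    # Only one active wired NIC is expected; active wireless or extra wired NICs are flagged.
    active_wired = 0
    for nic in snapshot.get("nics", []):
        if not nic["active"]:
            continue
        if nic["type"] == "wireless":
            findings.append(Finding("nic", nic["name"], "medium", "disable wireless adapter"))
        else:
            active_wired += 1
            if active_wired > 1:
                findings.append(Finding("nic", nic["name"], "medium", "disable secondary NIC"))
    for addon in snapshot.get("browser_addons", []):
        if addon in policy["forbidden_browser_addons"]:
            findings.append(Finding("browser_addon", addon, "medium", "remove toolbar"))
    return findings


def verdict(findings):
    """Collapse findings into a compliance state for reporting."""
    if any(f.severity == "high" for f in findings):
        return "non-compliant"
    return "at-risk" if findings else "compliant"


def drift(baseline, current):
    """Items added since the baseline, per category, plus services whose state changed."""
    changes = {}
    for cat in ("processes", "startup", "browser_addons"):
        added = set(current.get(cat, [])) - set(baseline.get(cat, []))
        if added:
            changes[cat] = added
    base_svc = baseline.get("services", {})
    svc_changes = {n: (base_svc.get(n), s) for n, s in current.get("services", {}).items()
                   if base_svc.get(n) != s}
    if svc_changes:
        changes["services"] = svc_changes
    return changes


# Constructed snapshots, not real telemetry.
BASELINE = {
    "services": {"av-agent": "running", "host-firewall": "running"},
    "processes": ["explorer.exe"], "startup": ["OneDrive.exe"], "browser_addons": ["uBlock"],
}
CURRENT = {
    "services": {"av-agent": "stopped", "host-firewall": "running"},
    "processes": ["explorer.exe", "uTorrent.exe"],
    "startup": ["OneDrive.exe", "ToolbarUpdater.exe"],
    "devices": [{"id": "USB-EXAMPLE-0001", "type": "removable_storage"}],
    "nics": [{"name": "Ethernet", "type": "wired", "active": True},
             {"name": "Wi-Fi", "type": "wireless", "active": True}],
    "browser_addons": ["uBlock", "SearchHelperToolbar"],
}

if __name__ == "__main__":
    found = evaluate(CURRENT)
    for f in found:
        print(f"[{f.severity}] {f.category}: {f.item} -> {f.remediation}")
    print("verdict:", verdict(found))
    print("drift since baseline:", drift(BASELINE, CURRENT))
```

The service check is deliberately evaluated first and at high severity: an endpoint whose anti-virus agent is stopped should fail compliance outright even if every other category is clean, and the drift output gives an auditor the list of changes to reconcile against approved transactions.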
Promisec is exhibiting at Infosecurity Europe 2007, held on 24–26 April 2007 in the Grand Hall, Olympia. www.infosec.co.uk
