Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Regulation Zoo: Dealing With Compliance Within The Firewall World

Published byAdele Berry Modified over 9 years ago

Similar presentations

Presentation on theme: "The Regulation Zoo: Dealing With Compliance Within The Firewall World"— Presentation transcript:

1 The Regulation Zoo: Dealing With Compliance Within The Firewall World
Avishai Wool CTO & Co-Founder, AlgoSec

2 Agenda Introduction Relevant Regulations Common Themes Demo

3 The Regulations Zoo Sarbanes Oxley Act (SOX)
Japanese Financial Instruments (JSOX) Euro-SOX – Company Law Directive 8 - Coming soon (?) PCI DSS – Payment Card Industry Data Security Standard ISO27001 FISMA – US federal agencies HIPAA – US Healthcare Industry Basel-II – Banking Confidential

4 Sarbanes Oxley Act (SOX)
Goal: Protect Accuracy of Financial Data Background: Financial scandals (Enron, …) Affects public companies on US stock exchange, multinational corporations Financial data is on computers, … Computers are on networks … Firewalls enforce access to networks  … Firewalls become regulated Confidential

5 Working with SOX Law is very “high-level” (10,000 meter altitude…)
Very hard to act based on it COSO framework : 6 major “Components” More grounded than law (5,000 meter…) CobiT framework: 34 “Control Objectives” Almost something you can work with (2,000 meter…) Confidential

6 SOX “cousins and relatives”
Japan (J-SOX) : “Japanese Financial Instruments Law” Equivalent to SOX + COSO, but in Japanese Seems to accept CobiT framework EU: “Company Law Directive 8” Approved by EU institutes (very high level) Implementation Framework ? Sent to member countries for implementation guidelines Coming soon ? Confidential

7 PCI DSS – Payment Card Industry
Goal: Protect credit card information Background: Credit Card fraud / theft Affects any organization that handle credit cards (in stages, from large down to small) Enforced aggressively by credit card companies Credit card data is on computers, … Computers are on networks … Firewalls enforce access to networks  … Firewalls become regulated Confidential

8 Working with PCI DSS Includes very specific “commandments” for firewalls: Thou shall have a DMZ on your firewall Thou shall NOT allow services other than HTTP, SSL, SSH and VPN through the firewall (without convincing documentation) Thou shall use NAT and avoid routable addresses Thou shall have a connectivity diagram of Firewall Thou shall Assess / Scan your firewalls quarterly Etc etc. Confidential

9 Voluntary compliance – but wide-spread in Europe
ISO 27001 General Standard – for any Information Security Management System (ISMS). Voluntary compliance – but wide-spread in Europe British standard BS 7799  ISO  ISO 27001/2 Moto: Plan / Do / Check / Act [PDCA] Firewalls are clearly part of any ISMS,  … Firewalls become regulated Confidential

10 More Regulations: HIPAA
Goal: Control privacy of personal medical information Affects any US organization in healthcare industry (hospitals, clinics, insurance companies, pharmaceutical) Basel-II Goal: Control banking (and inter-banking) data Affects any bank (that wants to do business with other banks) FISMA Affects US federal agencies Confidential

11 Common Themes – for Firewalls
Control the Risk Control the Changes Control the Infrastructure Compliance Reporting Confidential

12 Control the Risk Define a Security Policy
Or use industry best practices as your policy Review your rule-base for security policy violation Periodic Internal / External audit Software systems Scan (PCI mandates scan by a “QSA”) Avoid high risks PCI, FISMA give specific requirements about risky services Confidential

13 Control the Changes Have a firewall rule change process
Request / Plan / Implement / Validate Track firewall changes At least: Who did What, Where, When Better: also Why Confidential

14 Control the Changes – Cont.
Alerting / Monitoring Set up / syslog / snmp Send alerts when changes are detected Better: integrate with SIM system Audit Keep change records for a long time Confidential

15 Control the Infrastructure
Connectivity Diagram Maintain an up-to-date diagram Firewall Management Avoid Default Passwords Avoid Default Settings Confidential

16 Compliance Reporting Each regulation has its own reporting requirement
Lengthy forms, require a long time to complete Confidential

17 The AlgoSec Firewall Analyzer Live demo – Compliance
Confidential 17

18 Questions? E-mail: yash@eng.tau.ac.il avishai.wool@algosec.com

Download ppt "The Regulation Zoo: Dealing With Compliance Within The Firewall World"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
G R C The Science of Compliance ® ®. Craig Isaacs CEO, Unified Compliance Framework The world's largest and most reviewed legal framework. 2.

G R C The Science of Compliance ® ®. Craig Isaacs CEO, Unified Compliance Framework The world's largest and most reviewed legal framework. 2.
Westbrook Technologies from Document Management’s Role in HIPAA.

Westbrook Technologies from Document Management’s Role in HIPAA.
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)

Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)
1 1 Risk Management: How to Comply with Everything July 11, 2013.

1 1 Risk Management: How to Comply with Everything July 11, 2013.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
JARED BIRD Nagios: Providing Value Throughout the Organization.

JARED BIRD Nagios: Providing Value Throughout the Organization.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
REGULATIONS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.

REGULATIONS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
Brief Synopsis of Computer Security Standards. Tenets of Information Systems Security Confidentiality Integrity Availability Over the years, standards.

Brief Synopsis of Computer Security Standards. Tenets of Information Systems Security Confidentiality Integrity Availability Over the years, standards.
Sarbanes-Oxley Compliance Process Automation

Sarbanes-Oxley Compliance Process Automation
Security Controls – What Works

Security Controls – What Works

Similar presentations

Ads by Google