Compliance and Pentesting
One of the subjects I get asked about time and time again is compliance standards for certain industries and how securing their data comes into play. It’s pretty important to know which compliance standards affect you and why! So, here is a quick list of some of the compliance regulations that center around Information Security:
FISMA (Federal Information Security Management Act) of 2002
FISMA requires federal agencies to develop, document, and implement programs that provide information security in the best interests of the United States. The same stipulations are passed on to government contractors and third parties.
Many of the Information Security / Computer System standards & guidelines for hardening and securing systems are created by NIST and are publicly available for most major Operating Systems. FISMA sets up a framework that companies need to follow to be in compliance and Kernel can help!
HIPAA (Health Insurance Portability & Accountability Act)
HIPAA was created to protect health information through security safeguards while still providing access to that same information to the parties that need it (healthcare providers, insurance companies, etc.). The information that HIPAA is meant to protect is called e-PHI, or ‘electronic protected health information’. Specifically, the HIPAA ‘Security Rule’ requires the following from those that use, store, or maintain e-PHI:
- Ensure the CIA (Confidentiality, Integrity, & Availability) of all e-PHI that is created, received, maintained, or transmitted.
- Identify & protect against reasonably anticipated threats to the security and/or integrity of e-PHI.
- Protect against ‘reasonably’ anticipated impermissible uses or disclosures of that information.
- Ensure compliance.
Some of the pluses for the pentest industry are:
- Risk analysis must be performed on a regular basis.
- Risk analysis must be performed after any significant change to network systems, such as upgrades, replacements, or installations.
PCI-DSS (Payment Card Industry Data Security Standard)
PCI has become a pretty popular standard in the news considering the likes of the latest Target breach (and others!). This is a standard that the credit card merchants (Visa, Mastercard, AMEX, etc.) created to protect credit card data. Believe it or not, PCI standards really apply to anyone that does anything with a credit card, from a gas station with a credit card swiping machine to, well… Target-sized companies!
PCI-DSS sets forth some standards:
- Build & Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement strong access control measures
- Regularly monitor & test networks
- Maintain an Information Security Policy
There have also been some additions that many companies aren’t aware of:
- Penetration Testing – A pen test should be performed at least ONCE annually and any time there is a significant change or upgrade to the network or systems.
- Code Review & Application Firewalls – Just like it sounds, mainly set up so companies go through a legit code audit to avoid the pitfalls of web application attacks such as SQL injection, XSS, etc.
- Wireless Security – Securing any wireless networks that transmit cardholder data.
The biggest thing to note is that the PCI industry actually imposes some pretty hefty fines if you claim to be PCI compliant but aren’t and then, say, a breach happens. For those SMBs out there, the fine is set at $15,000 per incident! So, if two customer credit card records are stolen, you’re looking at a hefty $30,000 fine! Of course, getting compliant isn’t always the easiest task, and Kernel can help!
Of course, these are only a few of the standards that affect certain industries. There are others, like GLB, SOX, etc., that affect other industries as well. Securing data is incredibly important regardless of the industry your company is in because, like it or not, your company can easily be on the hook if a data breach happens. So be prepared, and reach out to Kernel for the assistance you need to be as secure as possible in this ever-so-dangerous world of threats!