
Kevin Faulkner Lawrence Miller

Learn to:

• Reduce the cost and complexity of security compliance

• Solve the toughest regulatory compliance challenges

• Maximize the real security value of your investments

Conquering Compliance

Trend Micro Special Edition

Compliments of Trend Micro

Open the book and find:

• Valuable guidance that applies to most regulations around the world

• PCI strategies for success

• HIPAA compliance demystified

• An overview of Trend Micro compliance solutions

ISBN: 978-0-470-76719-1

Not for resale

Go to Dummies.com® for videos, step-by-step photos, how-to articles, or to shop!

PCI, HIPAA, GLBA, SOX, and many other regulations around the world are now part of our business lexicon, and regulatory compliance has become a focus of corporate boards and senior management. This book explores the security challenges of regulatory compliance and gives you a holistic, cost-effective strategy to achieve compliance across regulations — while getting the best protection for your organization and your valuable data.

• Discover the core compliance controls — secure once and achieve compliance with many of the regulations that apply to your business

• Solve the tough compliance challenges — use these tips to choose solutions to get the job done while simplifying your efforts

• Take a closer look at PCI and HIPAA — see how applying these strategies will deliver cost-effective compliance with major regulations

• Understand the compliance mandate and its limits — ensure that you’re not just compliant, but that your data and reputation are fully protected

A better way to minimize the cost and complexity of security compliance

A BETTER WAY.

Security compliance is costly, complex, ever changing – and still not enough to protect your company reputation.

Trend Micro Enterprise Security offers you a better way to stay both compliant and secure with solutions that address a broad range of controls, solve tough compliance challenges, and deliver maximum protection at minimal cost. That’s compliance without compromise.

To learn more, call 1.877.21.TREND or go to www.trendmicro.com/compliance

Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, Trend delivers top-ranked security that fits customer needs, stops new threats faster, and protects data in physical, virtualized, and cloud environments.

Trend Micro Enterprise Security is a tightly integrated offering of content security products, services, and solutions powered by the Smart Protection Network. Together they keep customers both compliant and secure by addressing a broad range of compliance controls, solving tough compliance challenges, and delivering maximum protection with minimal complexity.

These materials are the copyright of Wiley Publishing, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Conquering Compliance For Dummies®

Trend Micro Special Edition

by Kevin Faulkner and Lawrence Miller

Conquering Compliance For Dummies®, Trend Micro Special Edition

Published by Wiley Publishing, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2010 by Wiley Publishing, Inc., Indianapolis, Indiana

Published by Wiley Publishing, Inc., Indianapolis, Indiana

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. Trend Micro, OfficeScan, and Trend Micro Smart Protection Network are registered trademarks of Trend Micro Inc. and may not be used without permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. Portions of Appendix B are provided courtesy of PCI Security Standards Council, LLC (“PCI SSC”) and/or its licensors. © 2007-2010 PCI Security Standards Council, LLC. All rights reserved. Neither PCI SSC nor its licensors endorses this product, its provider or the methods, procedures, statements, views, opinions or advice contained herein. All references to documents, materials or portions thereof provided by PCI SSC (the “PCI Materials”) should be read as qualified by the actual PCI Materials, which are subject to change. For current versions or questions regarding the PCI Materials, please contact PCI SSC through its web site at www.pcisecuritystandards.org.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER, TREND MICRO, AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER AND TREND MICRO ARE NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER, TREND MICRO, NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR, THE PUBLISHER, OR TREND MICRO ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Business Development Department in the U.S. at 317-572-3205. For details on how to create a custom For Dummies book for your business or organization, contact [email protected]. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

ISBN: 978-0-470-76719-1

Manufactured in the United States of America


Introduction

In the not-too-distant past, information security and compliance for most organizations were the exclusive dominion of a small security staff with little or no support (or budget), engaged in a tug-of-war with users who constantly sought creative new ways to circumvent seemingly needless security measures that hindered productivity.

But now that PCI, HIPAA, SOX, and a plethora of European and other privacy regulations have become a part of our modern lexicon, information security and regulatory compliance have become the focus of many corporate boards and senior managers — and the subject of this book!

About This Book

This book explains the challenges of regulatory compliance and how to address these challenges using a holistic, cost-effective approach that not only helps you achieve compliance across all applicable regulations but also gets real security for your organization and your valuable data.

We show you how to achieve and maintain compliance by:

✓ Focusing on core cross-regulation controls

✓ Conquering the toughest compliance challenges

✓ Maximizing your protection and minimizing your costs

Simply stated, that’s compliance without compromise!

The contents of this custom book were provided by and pub-lished specifically for Trend Micro.

Foolish Assumptions

We assume that you’re reading this book because you’re responsible for ensuring that your organization complies with a myriad of government and industry regulations — and you need some help. You may be a corporate officer, executive, or other senior manager, or you may be an IT security manager, network engineer, or system administrator.

We assume that you have at least a basic understanding of the key security and privacy regulations that are relevant to your industry, the technology challenges of compliance, and a desire to make your compliance programs simpler and more cost-effective.

How This Book Is Organized

This book consists of six short chapters, summarized below.

Chapter 1: Understanding the Compliance Mandate

We start by exploring the regulatory landscape and clarifying the differences between security and compliance.

Chapter 2: Targeting Core Compliance Controls

In this chapter, we present a comprehensive, secure-once approach to achieving cross-regulatory compliance by identifying common technical controls and themes.

Chapter 3: Addressing Compliance Challenges

In this chapter, we discuss how to deal with specific compliance challenges, including evolving technology trends such as virtualization, teleworking, and cloud computing.

Chapter 4: Charging Through PCI DSS

Chapter 4 focuses on the Payment Card Industry Data Security Standard (PCI DSS), showing you how to cost-effectively safeguard your business infrastructure and cardholder data — achieving both security and compliance.

Chapter 5: Examining HIPAA and Healthcare Compliance

Next, we take a closer look at U.S. HIPAA and other regulatory and privacy challenges facing the healthcare industry.

Chapter 6: Ten Reasons to Use Trend Micro Enterprise Security

Finally, in true For Dummies form, we conclude with a list of great reasons to use Trend Micro Enterprise Security solutions to help you achieve compliance without compromise!

Icons Used in This Book

Throughout this book, we occasionally use icons to call attention to important information that is particularly worth noting. Here’s what to look for and what to expect:

This icon points out information that may well be worth committing to memory.

This icon explains material of a technical nature and may be of more interest to a tech-savvy reader.

This icon points out potential pitfalls and easily confused or difficult-to-understand terms and concepts.

This icon points out helpful suggestions and useful nuggets of information that may just save you some time and headaches.

Where to Go from Here

Each chapter in this book is written to stand on its own. You don’t necessarily need to start at the beginning to follow a storyline! Chapters 2 and 3 give you the insights you need to effectively tackle most any regulation worldwide, while Chapters 4 and 5 target the specific requirements of PCI and HIPAA. So jump right in wherever it makes the most sense for you.

At a minimum, we recommend reading Chapters 2 and 3 to gain insights into solving cross-regulation compliance challenges. Finally, Chapter 6 will show you how Trend Micro Enterprise Security solutions can help you rapidly implement the cost-effective, no-compromise strategies of this book.

Or, you could just turn the page and start at the beginning!


Chapter 1

Understanding the Compliance Mandate

In This Chapter

▶ Navigating the regulatory landscape

▶ Achieving both compliance and security

With more than 400 regulations and over 10,000 overlapping controls in 38 countries, compliance has become a challenging and complex mandate for organizations everywhere.

Furthermore, the rapid pace and constantly evolving nature of technology and strategic business and IT initiatives make attaining and maintaining regulatory compliance still more difficult.

And finally, regulations typically lack detail, are subject to interpretation, and provide only minimum baseline security requirements. Thus, organizations can get compliance right, but still not be truly secure.

In this chapter, we explore the vast expanse (and expense) of the regulatory compliance landscape and its associated challenges.

The Compliance Maze

Driven by the need to protect the private data (such as personally identifiable information, financial data, and health records) of individual citizens from cybercriminals and identity thieves, governments throughout the world and at every level have caught the regulatory bug. Information security best practices are rapidly being codified with legal mandates that seek to ensure that corporate governance, internal controls, business processes, and operations of organizations in various industries are safe, sound, and secure.

These regulations often require specific controls, corporate compliance programs, audits, and public disclosures, and levy stiff penalties for noncompliance. Some of the more significant information and data security regulations include:

✓ PCI DSS: Payment Card Industry Data Security Standard. A worldwide industry mandate that establishes information security requirements for organizations that process payment card transactions (such as credit and debit cards). See Chapter 4 for more on PCI DSS.

✓ EU Data Protection Directive: The EU directive and various country-specific acts protect individual information of a private or sensitive nature.

✓ FISMA: Federal Information Security Management Act. Applicable to U.S. Government agencies and contractors.

✓ GLBA: Gramm-Leach-Bliley Act. Standards required of financial institutions relating to administrative, technical, and physical safeguards for customer records and information.

✓ HIPAA: Health Insurance Portability and Accountability Act. Security and Privacy Rules apply to “covered entities” and their business associates in the healthcare industry. See Chapter 5 for more on HIPAA.

✓ HITECH: Health Information Technology for Economic and Clinical Health Act. Provides funding for electronic health records (EHR) and safe harbor from disclosure requirements for breached data that is encrypted, among other things. See Chapter 5 for more on HITECH.

✓ SOX: Sarbanes-Oxley. Publicly traded companies must implement a framework of computer controls. Several mandates can’t be accomplished without prudent use of technology and information security.

✓ J-SOX: Formally, the Financial Instruments and Exchange Law, J-SOX is the Japanese implementation of internal controls similar to U.S. SOX.

✓ EuroSox: Comprised of two EU statutes, formally known as the Statutory Audit and the Company Reporting Directives. Requires EU member states to implement internal controls similar to U.S. SOX by 2010.

✓ MITS: Management of Information Technology Security (Canada). Monitoring, lifecycle management, technical and operational safeguards for risk mitigation, applicable to Canadian government agencies.

Compliance and Security Aren’t One and the Same

Being compliant doesn’t necessarily mean being safe and secure. Even the most stringent regulations define only a minimum baseline for good security. So it is certainly possible, if not even probable, that an organization can be fully compliant with all applicable legal requirements and standards for its industry, yet still be vulnerable to security breaches and incidents.

Regulations and standards mandate information security best practices and governance, reassure the public at large, and set forth penalties (including fines and disclosures) for noncompliance. In other words, when a noncompliant organization suffers a major security breach, security regulations ensure that there will be repercussions.

Regulatory compliance also, at least in theory, serves a more benign purpose. Disclosure laws, in addition to “shaming” an organization into compliance, are intended to give a timely warning to individuals whose private information may have been compromised. That way, the individuals may take proactive steps to avoid being victimized by identity theft.

Finally, regulations help to clarify the standards of due care and due diligence. Due care and due diligence are related, but distinctly different:

✓ Due care: In the practice of information security, due care relates to the steps that individuals or organizations take to perform their duties and implement security best practices and regulations.

✓ Due diligence: In the context of information security, due diligence commonly refers to risk identification and risk management practices.

An organization or individual that fails to exercise due care and due diligence in the performance of its duties can be found criminally negligent and personally liable.

So what is the state of enterprise security today? Trend Micro’s onsite security threat assessments of hundreds of enterprises throughout the world have shown that 100 percent are infiltrated by active malware — over 50 percent with data-stealing malware and 77 percent with bots (see Figure 1-1). Organizations need to be aware that basic compliance controls aren’t sufficient to protect against a serious security data breach.

Figure 1-1: Threats found in enterprises. Active malware: 100%; bots: 77%; data stealers: 56%; worms: 42%.

And without a comprehensive security strategy and a strong understanding of regulatory issues affecting them, many organizations risk spending needlessly, while chasing redundant — or worse, conflicting — administrative, technical, or operational controls, in the quest for compliance.


Chapter 2

Targeting Core Compliance Controls

In This Chapter

▶ Getting an overview of the controls common to most regulations

▶ Covering all the controls in more depth

By focusing on the core compliance controls common to most regulations you will help reduce cost and duplication of effort. If you properly secure once, you can meet a majority of individual compliance regulations without further effort. And when implemented appropriately, these controls put you well down the road toward a strong security posture.

Developing and implementing clear policies and processes, and selecting the right technology solutions that support a broad range of common security mandates will help organizations succeed in their quest to achieve cost-effective security and compliance.

Addressing Core Controls

For the most part, information security and privacy regulations are based on well-established information security best practices. Because many of these best practices are common across regulations, focusing your efforts on these core controls, and adopting a technology infrastructure that meets the intent of the various compliance mandates, will allow you to build a strong security foundation while simultaneously satisfying many of the compliance requirements applicable to your organization. These core compliance controls are identified and described in the following sections.

The core compliance controls are directly specified or implied by a broad range of regulatory and IT standards across the globe. The core security compliance controls and a few examples of applicable regulations are listed in Figure 2-1.

Figure 2-1: Core security compliance controls and examples of regulations.

Core security compliance controls:

• IT risk assessment

• Vulnerability and patch management

• IT policy adherence

• Incident response

• Sensitive data protection

• Firewall, IDS/IPS

• Anti-virus/anti-malware

• Anti-spam/anti-phishing

• Logging and reporting

Examples of applicable regulations, by category:

• Privacy laws: EU Data Protection Directive; Australia Privacy Act; Canada PIPEDA

• Financial fraud protection: SOX; J-SOX

• Government IT security: US FISMA, NIST; Canada MITS

• Credit card security: PCI DSS

• Healthcare data privacy: US HIPAA; US HITECH Act

• Financial data privacy: US GLBA

• IT frameworks: COBIT, COSO; ITIL, ISO

• Other regulations and standards: US NERC, FERC; UK, German, Swiss data protection; SysTrust; USAe 3402

See Appendixes A and B to learn how the core controls specifically apply to HIPAA and PCI.

IT Risk Assessment

Maintaining an ongoing security risk assessment program helps an organization identify relevant assets that must be protected, and what threats and vulnerabilities they must be protected against.

A risk assessment is a critical early (and ongoing) step in the IT risk management process. A risk assessment identifies three specific elements of risk:

✓ Assets. This includes an inventory and valuation of all organizational information assets including systems, devices, applications, data, and processes.

✓ Threats. This includes an analysis to determine actual threats, possible consequences, likelihood of occurrence, and probable frequency.

✓ Vulnerabilities. This includes a vulnerability assessment to determine weaknesses and to establish a baseline for determining appropriate and necessary safeguards.

Don’t confuse vulnerability assessments with vulnerability management (discussed later in this chapter). They are distinctly different concepts.

Vulnerability and Patch Management

Effective vulnerability management requires periodic and frequent (automated) scans of all systems, applications, and network devices to identify, prioritize, mitigate, and patch security vulnerabilities that may be exploited.

A vulnerability in information security is defined as the absence or weakness of a safeguard in an information asset that makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.

Vulnerabilities can exist for a number of reasons, including

✓ Programming/development bugs or flaws

✓ Improper system or device configurations

✓ Human errors

Additionally, new vulnerabilities are discovered, literally every day, because

✓ Flaws and weaknesses are discovered in both new and legacy information assets

✓ New flaws and weaknesses are created by changes to existing information assets, such as configuration changes, software updates, and patches

Patch management must be performed regularly to ensure applications, databases, and systems are updated with the latest security patches provided by the product vendors.

Virtual patching or shielding refers to using rules defined in IDS/IPS agents to stop known vulnerabilities from being exploited. Virtual patching is an excellent security practice that provides protection until patches can be deployed. It may also be accepted as a compensating control for systems that are difficult or impossible to patch in a timely manner.

Effective patch management requires awareness of new vulnerabilities and security patches, risk analysis, optional virtual patching, and the testing, deployment, and verification of final patches.
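To make the idea concrete, here is an added example, written for this edition rather than taken from the book or from any Trend Micro product, of what a virtual patch looks like in code: a small rule engine that inspects inbound HTTP requests bound for a hypothetical unpatched legacy application and drops the ones matching a known exploit pattern, so the request never reaches the vulnerable code. The paths (/legacy/download, /legacy/report), the parameter names (file, id), the patterns and the probe requests are all assumptions chosen for the illustration; real IDS/IPS products have their own rule languages.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal view of an HTTP request: method, request-target, form body."""
    method: str
    target: str
    body: str = ""

    @property
    def path(self) -> str:
        return urlsplit(self.target).path

    @property
    def params(self) -> Dict[str, List[str]]:
        # Query-string and form-body parameters, merged. parse_qs already
        # percent-decodes, so "..%2F.." is inspected as "../..".
        merged = parse_qs(urlsplit(self.target).query, keep_blank_values=True)
        for key, values in parse_qs(self.body, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
        return merged


@dataclass
class Rule:
    """One virtual patch: a name, the path prefix it shields, a predicate."""
    name: str
    path_prefix: str
    matches: Callable[[Request], bool]


# Hypothetical exploit patterns for the hypothetical application.
# Each rule is deliberately narrow: it shields one weakness on one path,
# which keeps false positives low while the real patch is being tested.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SQL_META = re.compile(r"(--|;|/\*|'\s*or\s+1\s*=\s*1)", re.IGNORECASE)

RULES: List[Rule] = [
    Rule("legacy-download-traversal", "/legacy/download",
         lambda r: any(TRAVERSAL.search(v) for v in r.params.get("file", []))),
    Rule("legacy-report-sqli", "/legacy/report",
         lambda r: any(not v.isdigit() and SQL_META.search(v)
                       for v in r.params.get("id", []))),
]


def evaluate(req: Request, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the name of the first rule that blocks req, or None to allow."""
    for rule in rules:
        if req.path.startswith(rule.path_prefix) and rule.matches(req):
            return rule.name
    return None


if __name__ == "__main__":
    probes = [  # constructed requests, not captured traffic
        Request("GET", "/legacy/download?file=report.pdf"),
        Request("GET", "/legacy/download?file=..%2F..%2Fetc%2Fpasswd"),
        Request("GET", "/legacy/report?id=42"),
        Request("POST", "/legacy/report", body="id=1' OR 1=1--"),
        Request("GET", "/other/download?file=../x"),  # path not shielded
    ]
    for p in probes:
        print(p.method, p.target, p.body, "->", evaluate(p) or "allow")
```

Two design points matter when you use this as a compensating control: the rule is scoped to the vulnerable path, so the same traversal string on a path that is not vulnerable is allowed (the last probe), and the check runs on decoded parameters, because an encoded payload reaching the application is decoded there. Keep the rule list under change control and retire each rule when the real patch ships.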

IT Policy Adherence

Assuring endpoint and server compliance with OS configuration and application access control policies increases security and allows organizations to clearly document compliance with security regulations and company policies.

A formal, written security policy — along with supporting standards, guidelines, and procedures — forms the basis for the organization’s information security program.

Incident Response

A well-written incident response plan helps ensure that properly trained personnel can quickly and effectively respond to a security incident in order to minimize the potential damage and return the business to normal operation.

An incident response plan should include detailed procedures and technologies that will be used to rapidly address all foreseeable incidents.

Sensitive Data Protection

Organizations must locate, identify, classify, and protect regulated data, whether it is being stored (at rest), processed (in use), or transmitted (in motion).

Data loss prevention (DLP) is critical to stopping accidental and malicious data leaks. A robust DLP solution helps you:

✓ Discover, monitor, block, and encrypt sensitive data.

✓ Control removable media and I/O devices such as USB drives, CD/DVD, Bluetooth, and external drives.

Encryption has almost universally become the accepted standard for protecting the confidentiality of sensitive data. Encryption solutions can be hardware- or software-based, and can encrypt sensitive files on an entire disk (full-disk encryption) or on an individual file or folder level (file-based encryption). Under many laws and regulations, an organization that suffers a data loss incident may be able to avoid any public disclosure requirements or penalties if the data was properly encrypted.
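Discovery is the DLP step people underestimate: the engine has to find cardholder data in unstructured text without drowning in false positives from order numbers, ticket ids and phone numbers. The following added example (written for this edition; it is not the book’s or Trend Micro’s code) shows the core of a PAN discovery scanner: a candidate regex, the Luhn checksum to reject random digit runs, and masking to the first six and last four digits, which is the most PCI DSS allows to be displayed. The sample document is constructed, and the card numbers in it are the well-known published test numbers, not real accounts. Encrypting what is found is left to a full-disk or file-encryption product and is not shown.

```python
import re
from typing import Iterator, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or dashes, not glued to other digits. A production engine would also
# check issuer prefixes and per-brand lengths; this example relies on
# the Luhn checksum alone to weed out non-card digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> Iterator[Tuple[int, int, str]]:
    """Yield (start, end, digits) for each Luhn-valid candidate in text."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            yield m.start(), m.end(), digits


def mask_pan(digits: str) -> str:
    """Truncate for display: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_document(text: str) -> Tuple[str, List[str]]:
    """Return the text with PANs masked, plus the list of masked PANs found."""
    found: List[str] = []
    pieces: List[str] = []
    last = 0
    for start, end, digits in find_pans(text):
        pieces.append(text[last:start])
        pieces.append(mask_pan(digits))
        found.append(mask_pan(digits))
        last = end
    pieces.append(text[last:])
    return "".join(pieces), found


# Constructed sample document. 4111 1111 1111 1111 and 5500000000000004 are
# published test card numbers; the order number and the ticket id are digit
# runs of card-like length that must NOT be flagged.
SAMPLE = (
    "Order 1234567890123 shipped to Ann Example, phone 555-867-5309.\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/27). Backup card 5500000000000004.\n"
    "Ref 4111111111111112 is an internal ticket id, not a card.\n"
)

if __name__ == "__main__":
    redacted, found = scan_document(SAMPLE)
    print(redacted)
    print("PANs found:", found)
```

The checksum is what makes this usable: the 13-digit order number and the 16-digit ticket id both look like card numbers to the regex and both fail Luhn, so only the two real test PANs are reported and masked. The same find_pans routine is the building block for the monitor and block functions listed above, applied to an outbound e-mail body or a file copied to removable media instead of a stored document.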

Firewalls and Intrusion Detection/Prevention (IDS/IPS)

Firewall and IDS/IPS protection is generally required for systems that process or house regulated data.

These systems have traditionally been deployed at the corporate perimeter. However with increasingly mobile employees and the advent of virtualization, host-based (or endpoint) firewalls and intrusion detection/prevention systems are becoming increasingly necessary.

Anti-Virus and Anti-Malware

Since the early days of computing, anti-virus software has been, and remains, a basic and vital component of security.

Anti-malware protects systems and data from viruses, as well as Trojans, worms, spyware, and other threats. Anti-malware can be signature-based and/or behavior-based. However, many non-standard, critical, and legacy devices may not be compatible with traditional anti-malware software that is typically installed directly on a system or device. Instead, network-based anti-malware solutions may be necessary.

Anti-Spam and Anti-Phishing

Protection from e-mail and blended e-mail/Web threats is vital to the security of employee devices and blocking the entry of malware to corporate infrastructure.

Spam and phishing have evolved from the preferred method for directly spreading malware to become the preferred way to lure users to malicious Web sites where data-stealing malware can be unwittingly downloaded. State-of-the-art e-mail protection solutions now include Web site reputation capabilities to help protect users from these dangerous embedded e-mail links.

Logging and Reporting

Organizations must ensure that secure log files are created and maintained on all systems and devices in order to identify and respond to security incidents and enforce policy compliance. Detailed reporting capabilities are needed to demonstrate compliance to management, auditors, and customers.

Log files are only valuable when someone is monitoring them for unusual or suspicious activity. Additionally, active monitoring may also be required to ensure compliance. Automated log collection and analysis tools are required to make these tasks efficient and effective.
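What automated log analysis buys you is best seen on a concrete case. The following added example (written for this edition; it is not the book’s or Trend Micro’s code and depends on no product) runs two detections over constructed, syslog-style sshd lines: a brute-force alert when one source fails to log in five times within two minutes, and a higher-priority alert when a login then succeeds from a source with recent failures, which is the event that matters in a breach. The log lines, addresses, threshold and window are all assumed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample in a syslog-like layout with ISO timestamps; not real data.
SAMPLE_LOG = """\
2010-06-28T13:49:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50111 ssh2
2010-06-28T13:49:03 host1 sshd[2202]: Failed password for root from 203.0.113.7 port 50112 ssh2
2010-06-28T13:49:04 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 50113 ssh2
2010-06-28T13:49:06 host1 sshd[2204]: Failed password for root from 203.0.113.7 port 50114 ssh2
2010-06-28T13:49:09 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 50115 ssh2
2010-06-28T13:49:12 host1 sshd[2206]: Accepted password for root from 203.0.113.7 port 50116 ssh2
2010-06-28T13:55:40 host1 sshd[2310]: Failed password for alice from 198.51.100.20 port 40001 ssh2
2010-06-28T13:55:52 host1 sshd[2311]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
2010-06-28T13:56:00 host1 cron[2400]: (root) CMD (/usr/bin/logrotate)
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

THRESHOLD = 5                    # failures from one source ...
WINDOW = timedelta(minutes=2)    # ... inside this sliding window = brute force
SUCCESS_MIN = 3                  # a success after this many failures is suspicious


def parse(line: str) -> Optional[dict]:
    """Parse one sshd auth line; lines from other daemons return None."""
    m = LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (alert_type, source, detail) tuples in detection order."""
    alerts: List[Tuple[str, str, str]] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_flagged = set()
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > WINDOW:   # expire old failures
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("brute_force", src,
                               f"{len(recent)} failed logins within {WINDOW}"))
        else:
            # One typo followed by the right password is normal; a success
            # after a run of failures is the signal worth paging on.
            if len(recent) >= SUCCESS_MIN:
                alerts.append(("success_after_failures", src,
                               f"{ev['user']} logged in after {len(recent)} failures"))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:24s} {src:16s} {detail}")
```

On the sample, the 203.0.113.7 run produces both alerts while alice’s single typo followed by a key login produces none, which is the point: thresholds and a sliding window are what turn raw log lines into something an on-call engineer can act on. The same structure carries over to a firewall or application log by changing the regex and the event fields.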


Chapter 3

Addressing Compliance Challenges

In This Chapter

▶ Tackling the toughest operating environments

▶ Securing virtual and cloud infrastructures

▶ Automating visibility and risk management

Your organization’s unique operating environment, business and IT initiatives, and everyday constraints create tough challenges for your security and compliance posture that include:

✓ Risk visibility and control

✓ Server and desktop virtualization

✓ Public cloud computing

✓ Web sites and portals

✓ Non-standard and legacy systems

✓ Distributed locations

✓ Worker mobility

✓ Mitigating information risk


Evolving Technology

Technology evolves quickly, but regulations don’t. Current trends include server and desktop virtualization and public cloud computing, which enable your organization to rapidly adapt to new business requirements with minimal IT infrastructure and investment. What are the risks? How can you remain compliant?

Server and desktop virtualization

Virtualization is one of the hottest trends in enterprise IT today. Server virtualization provides significant direct cost savings in terms of server hardware and operating expenses, and allows companies to embrace the efficiencies of a private cloud IT model. Desktop virtualization is also a rapidly growing trend due to its ability to significantly reduce PC costs, management complexity, and enterprise risk.

According to IDC, virtualization is now the default approach at most enterprise IT organizations, and Gartner projects that the number of virtual machines will grow ten times by 2012.

But the complexity and fluidity of virtualized environments pose special security and compliance challenges, rendering perimeter-based firewalls, intrusion detection and prevention systems (IDS/IPS), as well as traditional anti-malware protection insufficient to prevent attacks on virtual machines.

According to Information Week, 88 percent of North American enterprises don’t have a virtualization security strategy in place — leaving them both at risk and noncompliant.

Some specific security and compliance challenges associated with virtual server and desktop environments include:

✓ Inter-VM traffic. Traditional network IPS systems are blind to potentially malicious inter-VM traffic.

✓ VM mobility. Virtual machine migration provides flexibility and resilience, but creates configuration and update difficulties for traditional perimeter security.

✓ Dormant VMs. Dormant VMs can’t run scanning agents, download signatures, or install patches, yet they’re still vulnerable to tampering and open to immediate attack upon reactivation.

✓ Resource contention and full system scans. Standard anti-malware solutions aren’t VM-aware and thus simultaneous scanning can cause severe performance degradation.

The best answer is system self-defense. Look for host-based virtualization-aware solutions that can secure both physical and virtual servers and endpoints with the same levels of protection, integrity monitoring, compliance controls, and performance. A solution should include the following capabilities:

✓ Protection from both conventional and new virtual threats

✓ Optimized for virtualization system performance

✓ Integrated with VMware and/or Citrix management

✓ Software-based, single agent/appliance deployment

Cloud computing

While most organizations are already experiencing the savings of virtualization and private cloud computing, industry experts predict that many enterprises will also eventually adopt public cloud computing (that is, making use of publicly shared general purpose server and storage services) to further enable business agility and IT savings. However, in addition to all the security threats inherent in virtualization, public cloud computing poses unique security and compliance challenges to systems and data, including:

✓ Compliance framework and risk responsibility. Cloud computing creates unique compliance challenges. Service providers know this and, for the most part, simply pass liability for compliance on to you, the customer.

✓ Multi-tenancy. VMs for different customers with varying security policies may coexist with your VMs.

✓ Data protection. Encryption of application and system data is vital in a publicly shared environment.

✓ Lack of security visibility. Your virtual infrastructure is remotely located and thus real-time visibility and control are of concern.


You’re ultimately on your own for compliance and risk management in the public cloud. To protect your total computing environment, choose specialized solutions that include:

✓ Dedicated virtualization host protection

✓ Volume-level data encryption to protect data at all times

✓ Strong remote management for systems security and encryption key management

Business Innovations

Innovations such as mobile technology and Web sites with dynamic content and powerful capabilities are challenging traditional perimeter-based security and compliance solutions.

Web sites and portals

Your Web site’s public exposure and ever-changing content make it extremely attractive to cybercriminals attempting to steal private customer information or sensitive company data. And although it is less of a motive for hackers today, a compromised or defaced Web site can still do major harm to an organization’s reputation.

Web sites and external portals need the same host protection and vulnerability management as any mission-critical server, plus specific application vulnerability scanning, virtual application patching, and perhaps approved PCI scanning to ensure protection of your data, and more importantly, your reputation.

Worker mobility

Today’s workforce is more mobile than ever with laptop PCs, smartphones, and other portable devices enabling work from practically anywhere, at any time.

Teleworking creates new security and compliance challenges, because remote employees working outside the corporate perimeter must be as protected as any office worker. Remote access security, personal use of devices, and the potential for data leakage must be addressed. Smartphones and wireless devices (such as Blackberries and iPhones) are capable of carrying as much (sensitive) data as a laptop PC, and are far more susceptible to loss or theft. How can you effectively manage compliance in your mobile workforce?

Only a cloud-enabled endpoint security solution can protect a full range of devices from Web, e-mail, and file threats wherever they roam. You’ll also want to investigate endpoint encryption and DLP — they’re becoming essential as these devices increasingly store protected data.

Implementation Difficulties

Applying security and compliance controls to a highly distributed store/branch environment or to non-standard systems can be difficult and cost-prohibitive. And implementing risk management and data protection solutions that truly fit your particular needs requires a clear strategy and strong processes.

Risk visibility and control

Everyone’s familiar with the constant drumbeat of software vulnerabilities and subsequent exploits, and it’s critical that you be able to rapidly and reliably discover and mitigate them. How can you automate this process? How do you protect systems when patches aren’t yet available? How do you ensure employees follow your organization’s IT security policies?

But managing security risks isn’t just about vulnerability and policy management. Even the best vulnerability management and security defenses can be penetrated by zero-day and targeted threats. And once they’re in, they’re difficult to detect with standard security tools.

An end-to-end vulnerability management strategy involves multiple products and procedures to rigorously discover, shield, and successfully patch systems on a continual basis. The best place to start is with a vulnerability management platform that offers scanning plus overall process management. Consider addressing your risk visibility challenges with a threat management solution that offers continual network-level infiltration discovery and remediation.


Silgan Containers dramatically improves risk visibility and incident response

With more than 38 manufacturing plants, Silgan Containers (www.silgancontainers.com) is the largest manufacturer of metal food containers in its markets. Its customers include many of the biggest names in the food industry, and the company’s continued success depends on its uninterrupted supply lines.

Although Silgan has a robust, multi-layered security solution protecting the company’s infrastructure, infections still occurred and IT had to devote significant resources to monitoring security status and ensuring that employees were not breaking security policies. Clean-up efforts consumed valuable IT time and IT lacked the overall risk visibility and control it desired.

“We deployed the Trend Micro Threat Discovery Appliance to gain insights into the state of our security,” explained Michael Draeger, in charge of network and computer security for all Silgan Containers sites. “Before we had this solution, we had no way to really see where our vulnerabilities were. As an extra layer on top of our existing security solutions, Trend Micro Threat Management Services tells me exactly what’s happening on the network.”

As a result, IT has gained more control of security. The increased visibility provided by Threat Management Services reports has helped them strengthen overall security and more effectively enforce company policies. Automatic remediation speeds incident response actions while saving time for IT.

“With Threat Management Services, infections are being caught and cleaned up without taking hours of my time,” said Draeger. “With the overwatch provided by Threat Management Services, we now have a stronger level of confidence that we have ultimate protection of corporate assets . . . I gain the visibility and control over my security posture that I’ve never had before.”

The key benefits of the Trend Micro solution include:

✓ Continuous risk assessment: Detailed daily threat discovery reports and analysis expose active threats and malicious activity.

✓ Incident response: Automated detection and remediation cuts management costs by 50 percent.

✓ Management reporting: Security posture and policy adherence evaluation and guidance.


Non-standard systems and devices

Many businesses depend on a range of legacy or proprietary systems, dedicated devices, and sensitive servers that can’t be directly secured by traditional anti-malware and security solutions. And even when third-party security software is supported, running it on these systems may not be desirable.

For example, MRI scanners, X-ray machines, and other patient care devices used in the healthcare industry are typically closed, proprietary systems. Similarly, within the retail industry, point-of-sale (POS) systems and inventory control systems often operate on proprietary or legacy systems and software.

Bring your non-standard and sensitive systems into compliance with a network-based solution that can provide a non-intrusive, agentless anti-virus compensating control by detecting active infiltrations and providing an immediate alert and remediation assistance.

Mitigating Information Risk

Encryption of e-mails containing protected data is a core requirement, but PKI-based (public key infrastructure based) encryption is notoriously complex and burdensome to administer and use. Data Loss Prevention (DLP) can play an important role in regulatory and policy compliance and overall information risk assessment via sensitive data discovery, monitoring, and blocking. But organizational and protection needs vary widely. For some, full endpoint protection is a necessity, for others, a network solution is sufficient, and for yet others a less-robust “DLP lite” is desired.

Regulations focus primarily on custodial data — the private data that corporations keep on their customers. And although protecting this data is the whole point of compliance, analysts estimate that the value of this data is less than half that of the corporate IP data not covered by compliance. So a compliance-dominated data protection program may be leaving much of your valuable data at unwarranted risk.


Integrate DLP into your data protection strategy with a solution that offers the flexibility of deployment and protection levels that best suit your needs. Consider identity-based encryption as an equally powerful, but more effective encryption alternative to PKI solutions.

Distributed Locations

Industries such as hospitality, food service, retail, and, increasingly, healthcare are dependent on extremely distributed branch/store environments. Each location typically has a simple flat, mixed-use network, POS and other specialty devices, and limited, if any, local IT staffing. These challenges multiplied by hundreds or thousands of sites make security and compliance especially difficult and costly.

Investigate host-based software solutions that provide firewall, IPS, integrity monitoring, and other protections to critical host systems without the cost and ongoing management complexity of perimeter security devices.


Chapter 4

Charging Through PCI DSS

In This Chapter

▶ Getting the basics of PCI DSS

▶ Identifying and addressing PCI compliance challenges

The Payment Card Industry Data Security Standard (PCI DSS or simply, PCI) is a worldwide industry initiative that specifies and enforces security standards to protect sensitive cardholder data from theft. PCI was created by the major payment card brands to protect themselves (and consumers) from the theft and fraudulent use of the primary account number (PAN) and sensitive authentication data that allows us all to confidently spend our money.

In this chapter, we explore PCI compliance requirements, challenges, and solutions.

Understanding PCI Requirements

PCI applies to any business that transmits, processes, or stores credit card transactions — regardless of whether a business processes thousands of transactions a day, or a single transaction a year. Compliance is mandated and enforced by the payment card brands (American Express, MasterCard, Visa, and others) and each manages its own compliance program.

Merchants and processors are categorized into levels by the number of yearly transactions they manage (see Table 4-1). And while all levels must comply with the requirements, only level 1 and 2 merchants must undergo a yearly on-site audit by a Qualified Security Assessor (QSA).

Table 4-1 Merchant Categories for PCI

PCI Level   Transactions Per Year   Onsite Audit   Self-Assessment   Network Scan
1           > 6M                    Annually                         Quarterly
2           1M – 6M                 Annually*                        Quarterly
3           20K – 1M                               Annually          Quarterly
4           < 20K                                  Annually          Quarterly

* MasterCard merchants only, at the time of this writing

PCI version 1.2 consists of six core principles, supported by 12 accompanying requirements, and more than 200 specific controls for compliance. Compared to most security regulations, PCI is both broader in scope and more precise in specification detail. Although it is far from being a full blueprint for enterprise security, it is credited with raising the security standards and awareness of many organizations around the world.

PCI is a living specification that is expanded and amended on a regular basis by a cross-industry working group. PCI audit standards are also periodically evolving to better encompass new technologies and to tighten enforcement criteria.

Penalties for noncompliance are levied by the payment card brands and are some of the toughest among security regulations. These currently include:

✓ Fines up to $25,000 per month for minor violations.

✓ Fines up to $500,000 for violations that result in actual lost or stolen financial data.

✓ Loss of card processing authorization, making it almost impossible for many businesses to function.

See Appendix B for a mapping of core controls to PCI requirements.


Handling Top PCI Challenges

Achieving and maintaining PCI compliance in a dynamic business and technology environment is no simple task. Building a security compliance solution strategy to handle the core controls (see Chapter 2) is essential, but you will also need to solve many tough compliance challenges that are covered in Chapter 3 and the following sections.

Virtualization

The topics of virtualization and cloud computing aren’t specifically addressed by the current PCI requirements, leaving appropriate judgments to QSAs and their clients. But the complexity and dynamic nature of virtualized environments clearly pose security and compliance challenges beyond the protection capabilities of perimeter-based firewalls, intrusion detection and prevention systems (IDS/IPS), as well as traditional anti-malware protection. How do you virtualize your systems with confidence?

Look for a virtualization-aware solution that can secure against new virtualization threats but can also provide both physical and virtual servers with the same levels of protection, integrity monitoring, PCI compliance controls, and performance.

Risk visibility and control

The broad topic of risk management is addressed in several ways by the PCI standard. PCI recognizes the importance of vulnerability management — specifying requirements for continual scanning and timely patch deployment. It also recognizes the need for policy compliance and regular security assessments. But automating the execution of these error-prone and costly processes requires a sound strategy and a special set of technology solutions.

An end-to-end vulnerability management strategy involves multiple products and procedures to rigorously discover, shield, and successfully patch systems on a continual basis.

The best place to start is with a vulnerability management platform that offers scanning plus overall process management. Consider that virtual patching can be used as a best practice and compensating control to close your window of exposure to vulnerabilities, protect “unpatchable” systems, and eliminate costly ad-hoc and emergency patching.

E-commerce Web sites

Despite their importance to e-commerce and your company’s reputation, Web sites remain extremely vulnerable to attack and hijacking, putting both individual customers and your entire database at risk.

PCI sets specific baseline scanning requirements for Web site security, but how can you be certain you’ve got the best protection against sophisticated SQL injection attacks and other threats used to exploit your ever-changing Web content?

Your Web site needs much more than PCI scanning to be protected. You’ll want the same host protection and vulnerability management as any mission-critical server, plus specific Web application vulnerability scanning to ensure protection of your dynamic Web content.

Distributed locations

Network-based perimeter security is cost-prohibitive for any widely dispersed business such as retail, hospitality, and increasingly, healthcare. These distributed locations typically have flat, multi-use networks, specialty POS and other devices, and little or no local IT management. How can you protect in-scope systems at distributed locations in a cost-effective manner?

Investigate host-based software solutions that provide firewall, IPS, integrity management, virtual patching, and other protections to critical host systems without the cost and ongoing management complexity of perimeter security devices and multiple agent solutions.
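File integrity monitoring, one of the host-based protections named here and in the Distributed Locations discussion in Chapter 3, as an added example that is not code from the book or from Deep Security: it baselines a directory’s file digests and permission bits, saves the baseline, and reports additions, removals and modifications on a later pass. The directory layout, file names and contents are constructed.

```python
"""File integrity monitoring (FIM) baseline and comparison.

Added example; not code from the book or from any Trend Micro product.
"""
import hashlib
import json
import os
import stat
import tempfile


def _digest(path):
    """SHA-256 of a file's content, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root ('/'-separated relative path) to its
    digest, permission bits and size. Symlinks are not followed, so a link
    cannot make content outside the monitored tree look like a monitored file."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": _digest(full),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def compare(old, new):
    """Classify differences between two baselines. A change in content or in
    permission bits both count as a modification."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    # In production the baseline must live where the monitored host cannot
    # rewrite it; otherwise an intruder can simply re-baseline after tampering.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(path, text, mode=None):
    with open(path, "w") as f:
        f.write(text)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Constructed scenario in a temporary directory: baseline a tiny
    POS-style tree, change it in four different ways, and report the diff."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "pos")
        conf = os.path.join(root, "conf")
        os.makedirs(conf)
        _write(os.path.join(conf, "pos.ini"), "store=0042\n", 0o644)
        _write(os.path.join(conf, "tls.pem"), "placeholder, not a real cert\n")
        _write(os.path.join(root, "cardproc.sh"), "#!/bin/sh\necho ok\n", 0o755)
        snapshot = os.path.join(work, "baseline.json")
        save_baseline(build_baseline(root), snapshot)

        # Changes an operator would want to hear about.
        _write(os.path.join(root, "cardproc.sh"), "#!/bin/sh\necho changed\n")
        os.chmod(os.path.join(conf, "pos.ini"), 0o600)  # permission change only
        _write(os.path.join(root, "unexpected.bin"), "x")
        os.remove(os.path.join(conf, "tls.pem"))

        return compare(load_baseline(snapshot), build_baseline(root))
```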


Noodles & Company – Beyond PCI

Noodles & Company (www.noodles.com) has more than 230 restaurants in 18 states. The company is committed to employing the best possible security technology for protecting customers’ credit card information. In fact, Noodles & Company doesn’t just want to meet PCI requirements — they want to exceed them. “We like to think of PCI as a baseline — we are looking to pass, and also pass with flying colors,” said Nick Fields, a senior IT systems administrator at Noodles & Company. “We feel we are ahead of a lot of the industry, and we want to stay there.”

As the company has grown, software solutions became a more cost-effective alternative to hardware firewall appliances at each restaurant. “We chose Trend Micro Deep Security because it helps us address the major PCI compliance requirements with features like file integrity monitoring. It helps us do all we possibly can to safeguard credit card data.”

The key benefits of the Trend Micro solution include:

✓ PCI compliance and more: Trend Micro Deep Security helps Noodles achieve compliance and meet their demanding security goals.

✓ Best TCO for distributed locations: Deep Security provides a more cost-effective solution compared to hardware appliances.


Chapter 5

Examining HIPAA and Healthcare Compliance

In This Chapter

▶ Covering the basics of HIPAA, HITECH, and more

▶ Protecting ePHI data, mobile devices, medical equipment, and more

Healthcare systems throughout the world are in a time of great transition. In the U.S., for example, government mandates for electronic medical records/electronic health records (EMR/EHR) systems are linked to increasing privacy and security regulations for electronic Protected Health Information (ePHI). Around the globe, technology advances are causing a growing privacy focus among government regulators. Targeting the core controls (see Chapter 2) will help healthcare organizations comply with the regulations they face, but they also must solve many tough compliance challenges (see Chapter 3) that we cover in this chapter.

The terms electronic medical record (EMR) and electronic health record (EHR) are increasingly used interchangeably. Technically, an EMR is the health-related information about an individual within a single care provider organization, whereas an EHR is the aggregate health-related information about an individual across multiple organizations. For simplicity, we refer to both as an EHR.

Although EHR systems may ultimately lead to more efficient and effective patient care, they also increase the threat of cybercrime and large-scale breaches of ePHI. Moreover, increased reliance on IT and EHR systems means that a security risk or vulnerability has the potential to be life-threatening. Compliance with security regulations will guide healthcare providers of all types to mitigate their risk, but maximizing protection of these complex operations requires a broader strategy.

Healthcare organizations throughout the world are facing similar security and compliance challenges as those outlined in this chapter. Addressing core controls is an effective strategy to meet these and other regulations that may apply.

In this chapter, we take a closer look at healthcare regulations and compliance issues. See Appendix A for details on how the core controls map to HIPAA and HITECH requirements.

Regulatory Compliance in the Healthcare Industry

For more than a decade, patient data privacy and security regulations have slowly evolved. But new, stricter privacy requirements, mandates for EHR modernization, and government funding are now driving the industry forward and significant investments are being made to modernize and secure their operations.

Protecting ePHI with HIPAA

The U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996 states that “covered entities” are required to employ safeguards that “ensure the confidentiality, integrity, and availability of all ePHI” under their control.

HIPAA compliance applies to covered entities (including health insurers, healthcare clearinghouses, and healthcare providers), as well as their business associates.

The HIPAA Privacy Rule consists primarily of administrative and physical controls and the HIPAA Security Rule consists of technical controls.


Mercy Memorial Hospital System maximizes compliance and business continuity

Founded in 1929, Mercy Memorial Hospital System (www.mercymemorial.org) today includes a central 238-bed, full-service community hospital complex and 28 remote locations and offices. Although HIPAA compliance and the protection of patient information on its 200 servers and 900 desktop computers is a must for the healthcare provider, business continuity is also an overarching priority.

“We must go beyond simply meeting compliance requirements, and also integrate best practices for security within our business operations,” said Eric Mynster, ITS operations manager for the organization. “We need to do everything we can to block threats to security and productivity.”

Risk assessment and prioritization is an ongoing activity within the organization, and IT wanted a security solution that could help with efforts to maintain a proactive stance for compliance and overall security. “We were looking at many individual security products — individual anti-virus, e-mail filters, spam solutions, and URL filtering — but Trend Micro offered us the value of a complete package,” said Mynster. “Trend Micro Enterprise Security was extremely competitive and covered all of our needs.”

The tightly integrated offering of content security products, services, and solutions are powered by the Trend Micro Smart Protection Network infrastructure. Together they help keep Mercy Memorial both compliant and secure by addressing a broad range of compliance controls, enabling business innovation, and delivering maximum protection with minimal complexity.

Deploying Trend Micro Enterprise Security minimized IT time spent managing security, increased the up-time for Web protection, and maximized the value obtained from the existing virtual environment. “The Trend Micro solutions have done a good job of safeguarding patient data as well as maximizing our employees’ productivity,” says Mynster.

The key benefits of the Trend Micro solution include:

✓ Meeting compliance requirements: Trend Micro helps Mercy Hospital achieve and exceed healthcare compliance controls.

✓ Minimized risks: Trend Micro Enterprise Security defense-in-depth provides maximum threat protection.

✓ Alignment with virtualization: With VMware Ready certification, Trend Micro solutions integrate into today’s virtual server environments.


Implementing the HIPAA Security Rule with NIST

In 2008, the U.S. National Institute of Standards and Technology (NIST) authored SP 800-66 Rev. 1, as a framework for federal agencies to achieve HIPAA compliance.

NIST publications are considered trusted resources for technology implementation guidance. As a result, many non-government agencies can also benefit from the technical specifications highlighted in this guide.

NIST SP 800-66 is freely available for download (along with many other great IT security resources) at http://csrc.nist.gov/publications/PubsSPs.html.

Stimulating modernization and compliance with HITECH

Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), further reinforces the existing 2014 EHR implementation mandate and provides the necessary incentives to accelerate EHR adoption and clarify key HIPAA security requirements. Key provisions of the Act include:

✓ Funding: Most significant in the Act is actual funding support for EHR conversion via ARRA funds.

✓ Risk assessments: Risk assessments can be both proactive and reactive. The Act specifically identifies risk assessments as necessary in determining, after the fact, whether an incident is indeed a breach of unsecured ePHI.

✓ Breach notification requirements: The Act specifies disclosure requirements for ePHI that is “not secured through technology or methodology.” Not only do the disclosure requirements subject the breached organization to public scrutiny, but the costs associated with notifying affected individuals can also be significant.

✓ Safe Harbor through encryption: The Act defines secured ePHI as data that is either encrypted or destroyed. It goes further to state that if secured ePHI is involved in a data breach, notification requirements do not apply. This is a significant directive, specifically prescribing encryption as both a preferred means to enforce confidentiality and as a relief from breach notification requirements.

HIPAA and HITECH compliance may be top of mind, but most large U.S. healthcare organizations are also probably subject to a number of other regulations, administrative requirements, and auditing standards, such as the following:

✓ PCI (discussed later in this chapter and in Chapter 4)

✓ U.S. Federal Trade Commission (FTC)

✓ U.S. Department of Health and Human Services (HHS)

✓ Centers for Medicare and Medicaid Services (CMS)

✓ Office of the National Coordinator (ONC)

✓ Joint Commission

✓ Certification Commission for Health Information Technology (CCHIT)

✓ Healthcare Information Technology Standards Panel (HITSP)

✓ Healthcare Information and Management Systems Society (HIMSS)

✓ Electronic Healthcare Network Accreditation Commission (EHNAC)

✓ Genetic Information Nondiscrimination Act (GINA)

✓ Various state data breach laws

✓ International Organization for Standardization (ISO)

✓ Statement on Auditing Standard 70 (SAS70)

Implementing strong core controls is the key to meeting these various requirements with minimal effort. Take a look at Appendix A to see how the core controls map to HIPAA, HITECH, and NIST.


Enabling access to electronic healthcare applications and data at BIDPO

In a joint project with its affiliated medical center, Beth Israel Deaconess Physician Organization (BIDPO) (http://bidpo.org) set out to provide a secure, robust, and cost-effective EHR infrastructure for its 200 to 300 independent physicians at 173 locations in eastern Massachusetts. Utilization of this system allows BIDPO members to meet all the Meaningful Use criteria specified for reimbursement by ARRA.

The project priorities included server virtualization, a SaaS deployment model, and a defense-in-depth security architecture to protect patient data. “We created a multilayer security protocol, including various perimeter devices, from firewalls to network-based intrusion detection systems,” said Bill Gillis, eHealth technical director at the medical center. “Our most important security layer is the Trend Micro Deep Security software.”

Deep Security provides comprehensive host security for the organization’s virtualized servers, EHR applications, and patient data, giving BIDPO confidence that they are HIPAA compliant — and that their public reputations are safe.

“We needed this project to be as secure as possible, so we did whatever we could do to get this locked down,” said Gillis. “We had to make sure we had no ‘Globe-able Events,’ meaning that we’re not going to have a security breach that will appear on the front page of the Boston Globe. We needed a partner that could help us mitigate any risk.”

The Trend Micro security solutions are also helping IT comply with other regulations that apply to their business, such as HITECH, Massachusetts Data Encryption Law 201 CMR 17.00, and ARRA.

The key benefits of the Trend Micro solution include:

✓ EHR innovation: Trend Micro solutions secure BIDPO’s innovative applications and deployment model.

✓ Virtualization security and compliance: Deep Security provides unique dedicated virtualization protection.

✓ Minimized vulnerabilities: Deep Security shields critical systems and applications from vulnerabilities until patches can be deployed.


Enforcing PCI DSS

Healthcare institutions that accept credit card payments must also comply with the Payment Card Industry Data Security Standard (PCI DSS). Health insurance premiums, medical services, and even hospital gift shop purchases are examples of transactions where the security of cardholder data is required. Healthcare institutions are well advised to design and implement a security framework that addresses both HIPAA and PCI DSS. See Chapter 4 for more on PCI DSS.

Healthcare Security and Compliance Challenges — and Solutions

Maintaining regulatory compliance and maximizing security effectiveness is especially demanding in today’s rapidly evolving healthcare industry. Understanding these challenges will help you select and implement solutions to secure your critical systems and data, and meet increasingly stringent regulatory requirements.

The following challenges are especially critical. (See Chapter 3 for additional information on these and other challenges facing healthcare organizations.)

Protecting patient data

Although perimeter and content security provide important safeguards, HIPAA and HITECH make it clear that encryption is the only acceptable way to protect ePHI and avoid costly disclosures. Effective encryption deployment also requires a data loss prevention (DLP) solution to discover where ePHI is stored and ensure its encryption when transmitted. However, most encryption and DLP solutions suffer major drawbacks that impede their success and widespread adoption.


Integrate DLP into your data protection strategy with a solution that offers the flexibility of deployment and protection levels that best suit your needs. Consider identity-based encryption as an equally powerful, but more effective, encryption alternative to PKI solutions.

Securing laptops and mobile devices

Portable laptops, PDAs, and other mobile devices are quickly becoming mainstays in healthcare, and essential to the daily tasks of nurses, physicians, and other healthcare professionals. These devices are at extreme risk for attack and ePHI loss, but can’t be adequately protected by network-based solutions.

Only a cloud-enabled endpoint security solution can protect a full range of devices from Web, e-mail, and file threats wherever they roam. You’ll also want to investigate endpoint encryption and DLP — they’re becoming essential as these devices increasingly store protected data.

Securing critical medical devices

Computerized medical devices for patient evaluation and diagnosis are increasingly a common part of the hospital network and so are at risk for compromise and failure due to malware infections or external attacks. Though protection is required by regulation, these systems can be prohibitive or impossible to secure with standard endpoint protection products.

Bring non-standard and sensitive systems such as MRI scanners, X-ray machines, and other patient care devices into compliance with a network-based solution that can detect active infiltrations and provide an immediate alert and remediation assistance.


Chapter 6

Top Ten Reasons to Use Trend Micro Enterprise Security

In This Chapter

▶ Seeing how Trend Micro addresses the core controls and solves tough compliance challenges

▶ Achieving compliance without security compromise

Security compliance is costly, complex, ever changing — and still not enough to protect your company’s sensitive data. Trend Micro Enterprise Security offers you a better way to stay both compliant and secure with solutions that address a broad range of controls, solve tough compliance challenges, and deliver maximum protection at minimal cost. That’s compliance without compromise!

Trend Micro Enterprise Security products and services are powered by the Smart Protection Network — a next-generation cloud-client infrastructure that combines cloud-based reputation technology, feedback loops, and the expertise of TrendLabs researchers to deliver real-time protection and greatly simplify security management.

Targeting Core Compliance Controls

Trend Micro products can help you address the core compliance controls that apply directly to most security regulations. With Trend Micro you can secure your organization and

achieve compliance across a wide range of controls and regulations (see Figure 6-1).

Figure 6-1: Trend Micro Enterprise Security Solutions. (Diagram: the Core Security Compliance Controls — IT Risk Assessment, Vulnerability & Patch Management, IT Policy Adherence, Incident Response, Sensitive Data Protection, Firewall and IDS/IPS, Anti-virus/Anti-malware, Anti-spam/Anti-phishing, Logging & Reporting — surrounded by the solution areas Data Center Security, Data Protection Solutions and Services, Messaging Security, Web Security, and Endpoint Security, all powered by the Trend Micro Smart Protection Network. Tagline: “Maximum Protection. Minimum Complexity.”)

Solving Tough Compliance Challenges

Trend Micro products offer unique solutions that help you solve tough challenges that arise from applying compliance controls within your particular operating environment, evolv-ing business and IT initiatives, and limited security budget.

Risk visibility and control

Trend Micro vulnerability and threat management solutions offer you greater risk visibility and remediation control over active security threats, software and systems vulnerabilities, changing Web content, and IT policy compliance.

Server/desktop virtualization

Trend Micro server and endpoint solutions provide advanced virtualization-aware software that secures virtualized desktops and servers with best-in-class protection, optimized performance, and critical compliance controls.


Public cloud computing

Trend Micro provides the secure virtual server and volume-level data encryption solutions that can allow you to confidently incorporate the public cloud into your data center strategy.

Web sites and portals

Trend Micro Enterprise Security keeps your Web site and company reputation secure with Web site application scanning, PCI scanning, best-in-class server protection, and comprehensive vulnerability management.

Non-standard systems

Trend Micro’s unique network-based Threat Management Services discover any active infiltration, allowing you to achieve compliance and noninvasive protection for any endpoint or server, including legacy or proprietary devices.

Distributed locations

Trend Micro Deep Security provides firewall, IPS, virtual patching, integrity monitoring, and other core controls directly to critical systems — eliminating the cost and management complexity of perimeter security devices at each location.

Worker mobility

Trend Micro OfficeScan and the Smart Protection Network keep wireless and mobile devices of all kinds protected from Web, e-mail, and other threats both on and off the corporate network.

Mitigating information risk

Trend Micro secures sensitive data with endpoint and network DLP, identity-based endpoint and e-mail gateway encryption, and content filtering solutions that emphasize security, management simplicity, and employee ease-of-use.


Compliance without Security Compromise

You can employ various strategies to achieve compliance with applicable regulations. But will your strategy provide the best, or even adequate, protection of your data and reputation? Compliance-driven organizations may use a patchwork of products that allow them to mark off boxes on a compliance checklist, but don’t necessarily offer best-in-class protection levels or completeness of coverage.

For security-driven organizations that want to truly protect their sensitive data and comply with regulatory requirements, Trend Micro Enterprise Security solutions and the Smart Protection Network help you achieve both compliance and security — without compromise.

Real-world tests by NSS Labs (see Figure 6-2) confirm that Trend Micro offers highly rated protection against malware and other threats.

Figure 6-2: Trend Micro provides maximum protection against malware threats. (Bar chart: Mean Block Rate for Socially Engineered Malware, scale 60% to 100%, for Panda, ESET, Symantec, AVG, Sophos, F-Secure, Norman, McAfee, Kaspersky, and Trend Micro; series shown are Block on Download, Block on Download/Execution, and Average. Source: NSS Labs Reports.)


Appendix A

Core Compliance Controls – Healthcare Regulation Mapping

Core Control / Applicable U.S. Healthcare Regulations & Guidelines – HIPAA, HITECH, NIST

IT Risk Assessment

✓ HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

✓ HITECH Breach Notification for Unsecured Protected Health Information

Vulnerability & Patch Management

✓ HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

IT Policy Adherence

✓ HIPAA § 164.308(a)(6) Policies and procedures to address security incidents

Incident Response

✓ HITECH Breach Notification for Unsecured Protected Health Information

✓ HITECH § 13402 Notification in Case of Breach


Sensitive Data Protection

✓ HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

✓ HITECH Breach Notification for Unsecured Protected Health Information

✓ HITECH § 13402 Notification in Case of Breach

✓ HIPAA § 164.404 Notification to Individuals (description of type of unsecured ePHI involved in the breach)

✓ NIST Publication 800-66 (Guidelines for Implementing HIPAA Security Rules)

✓ HIPAA § 164.310(d)(1) Device and Media Controls

✓ HIPAA § 164.514(d) Minimum necessary uses and disclosures of PHI

✓ HITECH Exemption from breach notification if PHI is secured using encryption

✓ HIPAA 45 CFR parts 160 and 164 (Interim Rule) Encryption and destruction for rendering ePHI unusable, unreadable, or undecipherable to unauthorized individuals

✓ HIPAA 45 CFR parts 160 and 164 (Interim Rule) Keep encryption keys on a separate device from the data that they encrypt or decrypt

✓ HIPAA § 164.308(b)(1) Business associate will appropriately safeguard information

✓ HIPAA § 164.312(e)(1) Transmission Security (guard against unauthorized access to transmitted ePHI)

✓ HIPAA § 164.306(a)(1) Protect ePHI: Facilities must protect the confidentiality, availability, and integrity of all ePHI created, received, maintained, and transmitted

✓ HIPAA § 164.308(a)(6) Policies and procedures to address security incidents


Firewall & IDS/IPS

✓ HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

✓ HIPAA § 164.312(a)(1) Access Control (allow access only to those persons or software programs that have been granted access rights)

✓ NIST Publication 800-66, section 4.14 Access Control for HIPAA § 164.312(a)(1) (Have all applications/systems with ePHI been identified? Where is ePHI currently housed?)

✓ HIPAA § 164.312(c)(1) Integrity (protect ePHI from improper alteration or destruction)

Anti-virus & Anti-malware

✓ HIPAA § 164.308(a)(5)(ii)(B) Protection from malicious software (procedures for guarding against, detecting, and reporting malicious software)

✓ HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

Anti-spam & Anti-phishing

✓ HIPAA § 164.308(a)(5)(ii)(B) Protection from malicious software (procedures for guarding against, detecting, and reporting malicious software)

✓ HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

Logging & Reporting

✓ HIPAA § 164.308(a)(1) Security Management Process (includes required risk analysis and risk management)

✓ HITECH Breach Notification for Unsecured Protected Health Information


Appendix B

Core Compliance Controls – PCI Mapping

Core Control Category / Applicable PCI Requirements

IT Risk Assessment

✓ PCI Req. 12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.

Vulnerability & Patch Management

✓ PCI Req. 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed.

✓ PCI Req. 12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.

✓ PCI Req. 11.2 Run internal and external network vulnerability scans.

IT Policy Compliance

✓ PCI Req. 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

✓ PCI Req. 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy.

✓ PCI Req. 12.3 Develop usage policies for critical employee-facing technologies.


Intrusion/Incident Response

✓ Category 12 of PCI DSS is devoted to incident response. For example, PCI Req. 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

Sensitive Data Protection

✓ PCI Req. 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy.

✓ PCI Req. 4 Encrypt transmission of cardholder data across open, public networks.

Firewall; IDS/IPS

✓ PCI Req. 1.1 Establish firewall configuration standards.

✓ PCI Req. 1.4 Prohibit direct public access between external networks and any system component that stores cardholder data.

Anti-virus, Anti-malware, Anti-spam, and Anti-phishing

✓ PCI Req. 5 Use and regularly update anti-virus software or programs.

✓ PCI Req. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Logging & Reporting

✓ PCI Req. 1.4 Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).

✓ PCI Req. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

✓ PCI Req. 6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging).

✓ PCI Req. 10 Track and monitor all access to network resources and cardholder data.

✓ PCI Req. 12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).

Source: PCI DSS, effective as of 2010. Subject to change.


A BETTER WAY.

Security compliance is costly, complex, ever changing – and still not enough to protect your company’s reputation.

Trend Micro Enterprise Security offers you a better way to stay both compliant and secure with solutions that address a broad range of controls, solve tough compliance challenges, and deliver maximum protection at minimal cost. That’s compliance without compromise.

To learn more, call 1.877.21.TREND or go to www.trendmicro.com/compliance

Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years’ experience, Trend delivers top-ranked security that fits customer needs, stops new threats faster, and protects data in physical, virtualized, and cloud environments.

Trend Micro Enterprise Security is a tightly integrated offering of content security products, services, and solutions powered by the Smart Protection Network. Together they keep customers both compliant and secure by addressing a broad range of compliance controls, solving tough compliance challenges, and delivering maximum protection with minimal complexity.


A better way to minimize the cost and complexity of security compliance