What do all government and industry compliance standards and best practices have in common? They all require the definition and implementation of policies and controls to protect information and systems, together with verifiable evidence that those policies and controls are enforced. Scrutinizer allows companies to provide demonstrable evidence of IT compliance with internal governance policies, external regulations, and industry best practices like: HIPAA, FIPS, NERC, SCADA, SOX, COBIT, PCI and NPPI.
HIPAA requires that proper controls are put in place to ensure that healthcare transactions and administrative information systems protect individually identifiable electronic health information. HIPAA non-compliance can result in civil liability and damage to your reputation.
Federal Agencies are under immense pressure to maintain secure, reliable networks in light of increasingly sophisticated cyber attacks. The Federal Information Security Management Act (FISMA) and NIST Special Publications 800-153 and 800-137 provide a comprehensive framework for ensuring the effectiveness of information security controls over resources that support federal operations and assets.
Federal Information Processing Standards (FIPS) are U.S. computer security standards developed to protect information transmitted by government agencies and contractors. Plixer's Network Behavior Analysis, Flow Analytics and IP Host reputation capabilities enable government entities to preserve the confidentiality and integrity of the data collected and analyzed.
The North American Electric Reliability Corporation (NERC) has developed mandatory Critical Infrastructure Protection (CIP) Cyber Security Standards to protect the Critical Cyber Assets that control or affect the reliability of North American bulk electric systems. The standards are approved by the Federal Energy Regulatory Commission (FERC), and compliance with them is mandatory for all organizations involved with the country's bulk electrical network. Plixer provides continuous network visibility, enabling utilities to demonstrate network-wide compliance.
SCADA compliance requires that proper controls are put in place to minimize risks associated with industrial control systems, which monitor and control processes for delivering critical resources such as electric power, water, oil and gas. It is recognized that a breakdown of SCADA monitoring and control capabilities could cause large-scale blackouts and also affect other critical infrastructure such as oil and natural gas production, refinery operations, water treatment, wastewater collection and pipeline transport systems.
PCI and NPPI
Retail and financial services companies are deeply concerned about PCI (Payment Card Industry) compliance. The PCI Data Security Standard (PCI DSS) is a set of prescriptive data security specifications to ensure the safe handling of cardholder information at every stage. PCI DSS provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.
SOX (Sarbanes-Oxley Act)
Like all other industry standards and government regulations, SOX requires the definition and enforcement of policies that ensure financial systems, data and records are secure, to prevent fraud and theft. CEOs and CFOs, who are required to certify the reports filed with the SEC, must report on their assessment of the effectiveness of internal controls and procedures for financial reporting. Specifically, management must:
- Accept responsibility for the effectiveness of its internal controls
- Evaluate the effectiveness using suitable control criteria
- Support this evaluation with sufficient evidence
- Present a written assertion about their effectiveness
Plixer Scrutinizer NetFlow & sFlow traffic analysis and IPFIX reporting helps publicly held corporations ready themselves for the Sarbanes-Oxley Act through the industry's deepest levels of visibility, accountability and measurability required for ensuring and maintaining compliance with these government regulations. It helps them:
- Verify and demonstrate the effectiveness of internal controls over critical network infrastructure connecting customers, suppliers, and partners.
- Ensure and optimize network and application performance, availability and internal security.
- Leverage user accountability for security and network risk visibility.
- Understand and protect the transmission of all financial information that drives the business
- Measure and prioritize risks
Some regulatory standards do not explicitly detail how to achieve compliance; many organizations therefore turn to Best Practice frameworks like COSO (Committee of Sponsoring Organizations of the Treadway Commission), which is recognized by the Securities and Exchange Commission (SEC) as the official framework for establishing internal controls over financial reporting. COBIT (Control Objectives for Information and related Technology) provides the IT-specific aspect of COSO's control framework and is supported by Plixer. Our solution delivers the deepest levels of visibility, accountability and measurability required for ensuring and maintaining compliance with these COBIT recommendations:
- Ensure Infrastructure Resource Protection and Availability
- Capacity and Performance of IT Resources
- Security Testing, Surveillance and Monitoring
- Malicious Software Prevention, Detection and Correction
- Network Security
- Cost Modeling and Charging
With Plixer Scrutinizer NetFlow & sFlow traffic analysis and IPFIX reporting, you will have the industry's deepest levels of visibility, accountability and measurability required for ensuring and maintaining compliance with these industry standards. Scrutinizer lets you:
- Identify connections to and from the SCADA network
- Track and account for healthcare employee network activity
- Recognize unauthorized host access, enabling rapid response to the access, alteration and/or destruction of electronic protected health information (EPHI)
- Detect malicious and suspicious network activity
- Leverage third party integrations for threat mitigation to remediate security policy violations
- Profile hosts for violations of security policies
- Continuously monitor hosts and network activity to identify intrusions
- Ensure and optimize SCADA network and application performance, availability and internal security
- Leverage user accountability for security and network risk visibility
- Measure and prioritize risks
- Conduct forensic analysis for security incidents
Scrutinizer allows administrators to quickly confirm the source of a problem by narrowing the issue down to the client, the server or the network. In some cases this is done by breaking the environment down into groups. The user interface allows 'locking' policies to be configured that specify which groups may communicate with one another. If a rule is violated, an alarm is raised and a full audit can be run to report on all end systems involved. Given ample disk space, Scrutinizer can save all raw flows from all flow exporting devices for decades.
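The group-locking idea described above (assign hosts to groups, permit only listed group-to-group communication, alarm on anything else, then audit the end systems involved) can be illustrated with a small evaluator run over flow records. The code below is an added example written for this page; it is not Scrutinizer's own implementation or policy format. The subnets, group names, allowed pairs and the CSV flow export are all constructed for the illustration, and the CSV stands in for the NetFlow/IPFIX fields a collector would actually receive.

```python
"""Group-based 'locking' policy evaluator over flow records (illustrative, not Scrutinizer's code)."""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical group definitions: each group is a list of subnets.
GROUPS = {
    "scada":       [ip_network("10.10.0.0/24")],
    "corp_users":  [ip_network("10.20.0.0/16")],
    "ehr_servers": [ip_network("10.30.5.0/24")],
    "dmz":         [ip_network("192.0.2.0/24")],
}

# Locking policy (assumed): only these (source group, destination group) pairs may talk.
# Anything not listed, and any flow touching a host outside every group, raises an alarm.
ALLOWED: Set[Tuple[str, str]] = {
    ("corp_users", "corp_users"),
    ("corp_users", "ehr_servers"),
    ("ehr_servers", "ehr_servers"),
    ("scada", "scada"),
    ("corp_users", "dmz"),
}

# Constructed flow export (CSV with header) standing in for NetFlow/IPFIX records.
SAMPLE_FLOWS = """\
src,dst,dst_port,proto,bytes
10.20.3.7,10.30.5.10,443,tcp,18234
10.20.3.7,10.10.0.15,502,tcp,640
10.10.0.15,10.10.0.1,20000,tcp,2210
192.0.2.25,10.30.5.10,443,tcp,9400
203.0.113.9,10.10.0.15,22,tcp,1200
10.30.5.10,10.30.5.11,5432,tcp,54000
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    bytes: int


@dataclass(frozen=True)
class Alarm:
    flow: Flow
    src_group: str
    dst_group: str
    reason: str


def parse_flows(text: str) -> List[Flow]:
    """Turn the CSV export into Flow records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(r["src"], r["dst"], int(r["dst_port"]), r["proto"], int(r["bytes"]))
            for r in rows]


def group_of(ip: str, groups=GROUPS) -> str:
    """Return the group whose subnet contains ip, or 'unassigned'."""
    addr = ip_address(ip)
    for name, nets in groups.items():
        if any(addr in net for net in nets):
            return name
    return "unassigned"


def evaluate(flows: Iterable[Flow], allowed=ALLOWED, groups=GROUPS) -> List[Alarm]:
    """Apply the locking policy; every flow that is not explicitly permitted becomes an alarm."""
    alarms: List[Alarm] = []
    for f in flows:
        sg, dg = group_of(f.src, groups), group_of(f.dst, groups)
        if sg == "unassigned" or dg == "unassigned":
            alarms.append(Alarm(f, sg, dg, "host not assigned to any group"))
        elif (sg, dg) not in allowed:
            alarms.append(Alarm(f, sg, dg, f"{sg} -> {dg} not permitted by locking policy"))
    return alarms


def audit_end_systems(alarms: Iterable[Alarm]) -> Dict[str, List[str]]:
    """The 'full audit': group -> sorted hosts that took part in a violating flow."""
    hosts: Dict[str, Set[str]] = {}
    for a in alarms:
        hosts.setdefault(a.src_group, set()).add(a.flow.src)
        hosts.setdefault(a.dst_group, set()).add(a.flow.dst)
    return {g: sorted(h) for g, h in sorted(hosts.items())}


if __name__ == "__main__":
    found = evaluate(parse_flows(SAMPLE_FLOWS))
    for a in found:
        print(f"ALARM {a.flow.src} -> {a.flow.dst}:{a.flow.dst_port}/{a.flow.proto}: {a.reason}")
    for g, members in audit_end_systems(found).items():
        print(f"{g}: {', '.join(members)}")
```

The policy is written as an allow-list, so a flow between two groups that nobody thought to pair is alarmed rather than silently accepted, and a host that falls outside every defined group is treated as a policy gap in its own right; both cases are the ones a compliance audit tends to ask about first.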
“Situational awareness is needed by government and commercial security organizations for effective threat discovery and risk mitigation. Technology and process integration are required, or investments will be wasted…”
John Pescatore - Gartner