Today eIQ announced new ComplianceVue Packages, a turnkey offering to address compliance reporting requirements based on its SecureVue® security and compliance management platform. The ComplianceVue™ packages (PCIVue™, NERCVue™, and HIPAAVue™) provide detailed compliance reporting across more than just log data, greatly surpassing the capabilities of competitive products. ComplianceVue packages are available immediately to address PCI-DSS, NERC CIP and HIPAA regulatory requirements.

“eIQnetworks already correlates data from more data sources than any other solution on the market, and for that reason SecureVue is uniquely positioned to identify sophisticated in-progress attacks or vulnerabilities that log-only solutions will miss,” said Vijay Basani, eIQnetworks’ CEO. “With the ComplianceVue packages, eIQ now offers a turnkey solution for comprehensive compliance reporting across a broad range of security data including events, configuration data, vulnerabilities, and network flows, proving again that ‘log data is not enough’ to properly prove adherence to regulatory rules.”

The new ComplianceVue packages include a SecureVue Central Server, and the associated compliance reporting modules and dashboards required to provide necessary documentation for regulatory-driven audits. Reporting is effortless, and section-specific compliance reports are directly linked to appropriate rules and requirements of each supported regulation, best practice, or standard. Interactive dashboards provide real-time views into key compliance metrics, and provide drill-down into underlying data to support comprehensive internal and external auditing needs.

For more details and benefits of the new ComplianceVue packages, check out the full press release on the eIQ site: “eIQnetworks Introduces ComplianceVue Packages for PCI, NERC and HIPAA to Streamline Regulatory Compliance Reporting”

Photo: “2009-06-29 Smart Meter 2” originally uploaded by juverna

According to published reports, one of the anticipated sessions at the upcoming Black Hat conference will show vulnerabilities within smart metering technologies that certain utilities are deploying to make the electricity grid more intelligent, from energy production through consumption.

The big question is whether the vulnerabilities would put utilities out of compliance with energy industry regulations regarding security.

In the latest episode of eIQcast, Ross Levanto asks eIQnetworks Product Evangelist John Linkous for a review of what we know about the vulnerabilities and the current state of security compliance within the energy industry.

Running time: 10:27

Direct Link: http://eiqcast.podOmatic.com/entry/2009-07-06T06_58_21-07_00

Don’t be like Dick and check out eIQ’s video at logdataisnotenough.com

We recently recorded an audio program with Gartner’s Mark Nicolett to discuss issues related to security and compliance based on what he is seeing out there in the market. To listen, you’ll need to register on the eIQ website.

Here is the description:

Join this exclusive eIQnetworks podcast to hear Gartner’s VP and Distinguished Analyst Mark Nicolett and Mike Rothman, eIQnetworks Senior Vice President of Strategy, discuss the important ways that SIEM can solve enterprise problems today. Mark Nicolett delves into why organizations should consider a holistic approach to security and compliance management to more effectively monitor for potential attacks, anomalies and trends, and how this data helps enterprises enforce compliance mandates spanning laws, regulations, best practices, and internal requirements. Mike Rothman then presents trends he is seeing in the market, which underscore why security and compliance management must transcend traditional SIEM data to include broader visibility into enterprise IT.

Follow this link to check it out: http://www.eiqnetworks.com/news/Gartner_Podcast.shtml

In this episode, John Linkous and Mike Rothman drill deep into the COSO/COBIT framework. Why do you care? Well a good part of the acceptable practices of little regulations like Sarbanes-Oxley and FISMA are directly related to COBIT. Thus, if you have to worry about those regulations, you should be familiar with COBIT. Check it out.

Running time: 11:42

Direct Link: http://eiqcast.podOmatic.com/entry/2009-01-13T08_32_55-08_00

Photo: “Gold star for me” originally uploaded by Bering

Interesting data out of Goldman Sachs today.

Exhibit 26: In terms of ROI benefits, which types of initiatives will your organization fund in 2009? (share of respondents)

Projects that will reduce operating expenses including personnel costs: 72%
Projects that will drive top line revenue growth: 59%
Projects that will meet compliance obligations: 46%
Projects that will reduce future capital expenditures: 33%

Source: Goldman Sachs IT Spending Survey.

So what does that mean? It means that it’s all about cost containment and that means it’s all about efficiency. Of course, the only way to gain IT-based efficiency is to automate your security and/or compliance activities (probably both).

That’s why a lot of folks (including eIQ) are going to be pretty focused on the ideas of security and compliance automation this year. That’s going to be one of the only ways to get projects funded.

So over the next week, I’ll be doing a series on cost containment here at eIQviews. We’ll focus on areas that are applicable for automation, as well as strategies for communicating these imperatives to senior management (that will eventually need to foot the bill) for any new tools for automation.

“…is that there are so many of them to choose from”, or at least so goes the old saying. Information security is no exception; the byzantine tangle of best practices, standards, frameworks, and various governmental and industry mandates that are either dedicated to information security or contain security-related requirements shows no sign of abatement or unification anytime soon. Of course, if you’re the person responsible for implementing all that stuff in your environment, you’re probably feeling some pain. Establishing a set of common controls is a well-tested approach to meeting compliance, but where do you begin?

Fortunately, some standards and frameworks for managing security are really starting to mature, to the point where they can become a starting point for building risk-driven common controls that easily map to regulations and other compliance drivers. Most of these frameworks and standards have been around for a number of years but through a combination of broad adoption, continuous feedback from adopters, and a mature management and improvement process, they are rapidly becoming a great starting point for building comprehensive information security. Here are three that I believe are well-balanced (addressing both technical and logical controls), risk-based (where the implementation of some or all controls is based on an analysis of risk to systems and data), and can be implemented across any industry:

· PCI Security Council (PCI) Data Security Standard (DSS) 2.0 – Recently released, the 2.0 version of the PCI-DSS standard focuses on a solid combination of static, pre-defined technical controls (e.g., minimum password lengths and complexity requirements), risk-based technical controls (e.g., business continuity infrastructure), and logical controls (e.g., written policies and procedures, and separation of duty). Although designed specifically for securing chain of custody around credit card data, PCI-DSS is rapidly becoming a standard of controls that organizations are applying to different types of data.

· ISACA Control Objectives for Information Technology (COBIT) 4.1 – COBIT has long been used as a framework for managing information security. With a focus on processes – not just technology – COBIT has become the standard high-level framework used by global auditing firms to audit against compliance with SOX Sections 302/404, J-SOX, and other major financial regulations that address financial controls. Like other frameworks, COBIT is relatively light on technical controls (although there are some specific technical controls defined for applications, such as event auditing and monitoring); instead, the goal of COBIT is to provide a framework for using risk-based decisions to build and maintain a complete IT management program.

· International Standards Organization (ISO) 27002:2005 – One of many IT-related best practice documents issued by ISO, ISO27002 (formerly known as ISO17799) is geared toward helping an organization make risk-based decisions to build and maintain a security program. Unlike COBIT, which is focused on general IT controls, ISO27002 focuses very squarely on information security. Being part of the ISO family, ISO27002 is augmented with additional ISO-delivered guidance to help certain verticals – healthcare and financial services, for example – implement specific controls that are not only ISO27002 compatible, but compatible with other industry-specific laws and guidance.