eIQviews » Compliance

Press Release: ComplianceVue Packages for PCI, NERC and HIPAA

eiqbeth — Wed, 09 Sep 2009 18:13:29 +0000

Today eIQ announced new ComplianceVue Packages, a turnkey offering to address compliance reporting requirements based on its SecureVue® security and compliance management platform. The ComplianceVue^TM packages (PCIVue^TM, NERCVue^TM, and HIPAAVue^TM) provide detailed compliance reporting across more than just log data, greatly surpassing the capabilities of competitive products. ComplianceVue packages are available immediately to address PCI-DSS, NERC CIP and HIPAA regulatory requirements.

“eIQnetworks already correlates data from more data sources than any other solution on the market, and for that reason SecureVue is uniquely positioned to identify sophisticated in-progress attacks or vulnerabilities that log-only solutions will miss,” said Vijay Basani, eIQnetworks’ CEO. “With the ComplianceVue packages, eIQ now offers a turnkey solution for comprehensive compliance reporting across a broad range of security data including events, configuration data, vulnerabilities, and network flows, proving again that ‘log data is not enough’ to properly prove adherence to regulatory rules.”

The new ComplianceVue packages include a SecureVue Central Server, and the associated compliance reporting modules and dashboards required to provide necessary documentation for regulatory-driven audits. Reporting is effortless, and section-specific compliance reports are directly linked to appropriate rules and requirements of each supported regulation, best practice, or standard. Interactive dashboards provide real-time views into key compliance metrics, and provide drill-down into underlying data to support comprehensive internal and external auditing needs.

For more details and benefits on the new ComplianceVue package, check out the full press release on the eIQ site: “eIQnetworks Introduces ComplianceVue Packages for PCI, NERC and HIPAA to Streamline Regulatory Compliance Reporting”

Posted in Announcements, Compliance, Product Tagged: Compliance, ComplianceVue, HIPAA, NERC CIP, PCI, Press Releases, SecureVue

eIQcast Episode 17: Exposed Smart Metering and Energy Security Compliance

Mike Rothman — Mon, 06 Jul 2009 14:05:45 +0000

According to published reports, one of the anticipated sessions at the upcoming Black Hat conference will show vulnerabilities within smart metering technologies that certain utilities are deploying to make the electricity grid more intelligent– from energy production through consumption.

The big question is whether the vulnerabilities would put utilities out of compliance with energy industry regulations regarding security.

In the latest episode of eIQcast, Ross Levanto asks eIQnetworks Product Evangelist John Linkous for a review of what we know about the vulnerabilities and the current state of security compliance within the energy industry.

Running time: 10:27

Direct Link: http://eiqcast.podOmatic.com/entry/2009-07-06T06_58_21-07_00

Don’t be like Dick and check out eIQ’s video at logdataisnotenough.com

Posted in eIQcast Tagged: Compliance, NERC, smart meter

Going Beyond Traditional SIEM

Mike Rothman — Wed, 18 Mar 2009 18:17:08 +0000

We recently recorded an audio program with Gartner’s Marc Nicolett to discuss issues related to security and compliance based on what he is seeing out there in the market. To listen, you’ll need to register on the eIQ website.

Here is the description:

Join this exclusive eIQnetworks podcast to hear Gartner’s VP and Distinguished Analyst Mark Nicolett and Mike Rothman, eIQnetworks Senior Vice President of Strategy, discuss the important ways that SIEM can solve enterprise problems today. Mark Nicolett delves into why organizations should consider a holistic approach to security and compliance management to more effectively monitor for potential attacks, anomalies and trends, and how this data helps enterprises enforce compliance mandates spanning laws, regulations, best practices, and internal requirements. Mike Rothman then presents trends he is seeing in the market, which underscore why security and compliance management must transcend traditional SIEM data to include broader visibility into enterprise IT.

Follow this link to check it out: http://www.eiqnetworks.com/news/Gartner_Podcast.shtml

Posted in Announcements Tagged: Compliance, Gartner, Mark Nicolett, SIEM

eIQcast Episode 4: Drilldown on COBIT

Mike Rothman — Tue, 13 Jan 2009 16:44:32 +0000

In this episode, John Linkous and Mike Rothman drill deep into the COSO/COBIT framework. Why do you care? Well a good part of the acceptable practices of little regulations like Sarbanes-Oxley and FISMA are directly related to COBIT. Thus, if you have to worry about those regulations, you should be familiar with COBIT. Check it out.

Running time: 11:42

Direct Link: http://eiqcast.podOmatic.com/entry/2009-01-13T08_32_55-08_00

Photo: “Gold star for me” originally uploaded by Bering

Posted in eIQcast Tagged: COBIT, Compliance, COSO, SOX

Goldman’s IT Survey says… Save Money!

Mike Rothman — Mon, 12 Jan 2009 23:03:09 +0000

Interesting data out of Goldman Sachs today.

Exhibit 26: In terms of ROI benefits, which types of initiatives will your organization fund in 2009?

Projects that will reduce operating expenses including personnel costs 72%
Projects that will drive top line revenue growth 59%
Projects that will meet compliance obligations 46%
Projects that will reduce future capital expenditures 33%
Source: Goldman Sachs IT Spending Survey.

So what does that mean? It means that it’s all about cost containment and that means it’s all about efficiency. Of course, the only way to gain IT-based efficiency is to automate your security and/or compliance activities (probably both).

That’s why a lot of folks (including eIQ) are going to be pretty focused on the ideas of security and compliance automation this year. That’s going to be one of the only ways to get projects funded.

So over the next week, I’ll be doing a series on cost containment here at eIQviews. We’ll focus on areas that are applicable for automation, as well as strategies for communicating these imperatives to senior management (that will eventually need to foot the bill) for any new tools for automation.

Posted in User Issues Tagged: budgets, Compliance, operating expenses

The Great Thing About Standards…

jlinkous — Wed, 22 Oct 2008 12:28:24 +0000

“…is that there are so many of them to choose from”, or at least so goes the old saying. Information security is no exception; the byzantine tangle of best practices, standards, frameworks, and various governmental and industry mandates that are either dedicated to information security or contain security-related requirements shows no sign of abatement or unification anytime soon. Of course, if you’re a person who’s responsible for implementing all that stuff in your environment, you’re probably feeling some pain. Establishing common controls to meet compliance is a well-tested approach to meeting compliance, but where to begin?

Fortunately, some standards and frameworks for managing security are really starting to mature, to the point where they can become a starting point for building risk-driven common controls that easily map to regulations and other compliance drivers. Most of these frameworks and standards have been around for a number of years but through a combination of broad adoption, continuous feedback from adopters, and a mature management and improvement process, they are rapidly becoming a great starting point for building comprehensive information security. Here are three that I believe are well-balanced (addressing both technical and logical controls), risk-based (where the implementation of some or all controls is based on an analysis of risk to systems and data), and can be implemented across any industry:

· PCI Security Council (PCI) Data Security Standard (DSS) 2.0 – Recently released, the 2.0 version of the PCI-DSS standard focuses on a solid combination of static, pre-defined technical controls (e.g., minimum password lengths and complexity requirements), risk-based technical controls (e.g., business continuity infrastructure), and logical controls (e.g., written policies and procedures, and separation of duty). Although designed specifically for securing chain of custody around credit card data, PCI-DSS is rapidly becoming a standard of controls that organizations are applying to different types of data.

· ISACA Control Objectives for Information Technology (COBIT) 4.1 – The COBIT framework has long been a framework for managing information security. With a focus on processes – not just technology – COBIT has become the standard high-level framework used by global auditing firms to audit against compliance with SOX Sections 302/404, J-SOX, and other major financial regulations that address financial controls. Like other frameworks, COBIT is relatively light on technical controls (although there are some specific technical controls defined for applications, such as event auditing and monitoring); instead, the goal of COBIT is to provide a framework for using risk-based decisions to build and maintain a complete IT management program.

· International Standards Organization (IS) 27002:2005 – One of many IT-related best practice documents issued by ISO, ISO27002 (formerly known as ISO17799) is geared toward helping an organization establish risk-based decisions to build and maintain a security program. Unlike COBIT, which is focused on general IT controls, ISO27002 focuses very squarely on information security. Being part of the ISO family, ISO27002 is augmented with additional ISO-delivered guidance to help certain verticals – healthcare and financial services, for example – implement specific controls that are not only ISO27002 compatible, but compatible with other industry-specific laws and guidance.

Posted in Compliance Tagged: best practices, Compliance, controls, frameworks