SOX News

netForensics Integrates Security Audit Framework into SIM Platform

(July 15, 2008)-- netForensics, a "visionary" leader in the Information Security Management market, announced new functionality in its flagship Security Information Management (SIM) application that provides unprecedented guidance for managing and reporting on critical IT security issues, as well as compliance with regulatory requirements and standards. The integration of the new security audit framework into its nFX SIM One product enables netForensics to deliver the market's most comprehensive solution for managing and reporting on IT security and third-party compliance requirements.

Modules that address specific regulations, such as PCI, Sarbanes-Oxley, HIPAA and FISMA, easily plug into the framework for quick deployment and rapid time to value. The first module delivered as part of the release of the new security audit framework helps retail organizations manage themselves against the Payment Card Industry (PCI) Data Security Standard.

The new audit framework and out-of-the-box modules seamlessly integrate into nFX SIM One through a new web-based interface. Other information security management and log management vendors enable their users to report on the data that is collected, but put the onus on the end user to "connect the dots" for interpreting, taking action against and reporting on this information. The netForensics solution provides end users with a detailed checklist and reports that they can provide to an auditor explaining exactly how affected devices are configured and what is being reported on.

Guidance is provided that tells the user what affected devices they should be concerned with, how to group them for compliance monitoring within the SIM application, and what data to monitor based on the specific sections of the various regulations and standards. Through the new framework, the modules include:
-- Knowledge-base guidance that details what an affected customer must monitor and report on
-- Detailed, step-by-step instructions for configuring, aligning, and monitoring devices and other resources affected by the relevant regulation or standard
-- Advanced correlation rules and report templates needed to speed deployment

The PCI compliance module decreases the time and resources needed to spend on meeting PCI compliance requirements, gathers information for self-assessments from an auditor's perspective, and provides third-party auditors information needed to evaluate organizational compliance. Within the PCI Data Security Standard, there are 12 sections and over 100 subsections that make up the requirements. The netForensics PCI Security Audit Framework module covers the following requirements:
-- 1.1.1 - A formal process for approving and testing all external network connections and changes to the firewall configuration
-- 1.1.3 - Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
-- 1.1.4 - Description of groups, roles, and responsibilities for logical management of network components
-- 1.3.7 - Denying all other inbound and outbound traffic not specifically allowed
-- 3.4 - Render account numbers, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

-- Strong one-way hash functions (hashed indexes)
-- Truncation
-- Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key management
-- processes and procedures
-- 10.1 - Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user
-- 10.2.1 - All individual user accesses to cardholder data.

"The netForensics PCI Security Audit Framework module tells users what the auditor is looking for. Unlike our competitors we have certified auditors on staff, not consultants mapping COBIT or other standards generically," said Tracy Hulver, Vice President of Marketing and Products at netForensics. "Compliance is education, not just a blind shot in the dark attempt at success. Other vendors don't truly understand what the auditor is looking for and instead provide a generic offering that typically fails under the scrutiny of a seasoned IT auditor."

netForensics will launch additional compliance modules over the next several months, including those that will support Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), and the Federal Information Security Management Act (FISMA). For more information, visit: http://www.netforensics.com/.

Share or bookmarklet this web page at: