Regulatory and Policy Compliance that Requires Security Management Software

Say Goodbye to Non-Compliance

Organizations of all sizes face a myriad of evolving regulations governing personal and confidential information protection as well as proper internal controls. These standards require different security measures and processes to be in place around data protection and system integrity, and also require detailed audit trails that prove regulatory or policy compliance. While enterprises face mounting threats from external and inside forces, policies must be established and enforced throughout the organization, in order to maintain system integrity and confidentiality of intellectual property, personal medical records, classified data, or financial information.

Lumension’s Security Management Software Helps Organizations Comply with Regulations and Policies

Lumension’s security management software is designed to protect the integrity, confidentiality and availability of sensitive data throughout the network in alignment with internal company policies as well as with regulations. Lumension Security solutions provide visibility into an organization’s security practices and delivers policy-based endpoint controls to effectively comply with security regulations:

Discover assets through network and agent-based security assessments
Develop endpoint security policies and mandatory baselines
Assess and remediate vulnerabilities and configuration issues
Enforce application and device use policies at the endpoint
Audit security policies through detailed and actionable reporting

Lumension security management solutions have achieved the rigorous international standards of Common Criteria EAL2 certification from the Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body.

Regulations that Lumension security management solutions address include the following:

Financial Services Regulations that Require Security Management Software

Basel II - Global
Basel II establishes minimum capital requirements for banking organizations to reduce operational risks.
Gramm-Leach-Bliley Act (GLBA) - US
GLBA seeks to protect the personal information of consumers stored in financial institutions by requiring all financial institutions to implement and maintain security measures to protect customer information and prevent unauthorized access and use of customer records.
Payment Card Industry (PCI) Security Standard - Global
PCI Security Standard seeks to ensure consistency of security standards for credit card issuers, and to assure cardholders that their account information is secure, regardless of where the card was used for payment.

Government/Public Sector Regulations that Require Security Management Software

Federal Information Security Management Act (FISMA) - US
The Federal Information Security Management Act was established to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.
Office of Management and Budget (OMB) M-06-16 Mandate - US
OMB M-06-16 Mandate requires agencies to establish safeguards for sensitive agency data on laptops and workstations.

Cross-Industry Regulations that Require Security Management Software

Sarbanes-Oxley Act (SOX) - US
SOX was developed in 2002 to protect investors by improving the accuracy and reliability of corporate disclosure.
BS ISO/IEC 27001:2005 Compliance - UK
The BS ISO/IEC 27001:2005 standard provides a comprehensive set of controls comprising best practices in information security, intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small profit and non-profit organizations.
Data Protection Act (DPA) - UK
The Data Protection Act was implemented in 1998 with the purpose of safeguarding the fundamental rights of individuals with regard to the processing of personal data and the free movement of such data.

Say Goodbye to Failed Audits

PCI Data Security Standard

The continuation of massive credit card data breaches at many high profile organizations, prompted the development of the Payment Card Industry Data Security Standard (PCI DSS), which standardizes how credit card data should be protected. Under the PCI DSS, a business or organization should be able to assure their customers that its credit card data/account information and transaction information is safe from hackers or any malicious system intrusion, whether from those outside the organization or from within:

65 percent of financial services institutions worldwide experienced repeated external breaches within the past 12 months¹
30 percent of these global institutions suffered repeated internal breaches during the same timeframe¹

To achieve compliance with the PCI Security Standard, vendors and service providers must adhere to six major categories of requirements, with a total of twelve PCI-required controls, covering access management, network security, incident response, network monitoring and testing and information security policies.

Lumension’s Security Management Solutions Help Credit Card Issuers and Processors Comply with PCI

Lumension’s endpoint security solutions enable credit card issuers and processors to ensure the confidentiality of customers’ financial records and to ensure a stable and secure network environment. Lumension Security solutions include:

PatchLink Security Configuration Management - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
PatchLink Update - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
PatchLink Scan - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
Sanctuary Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
Sanctuary Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.

Lumension proactively addresses PCI standards by continuously monitoring and assessing enterprise networks for software and configuration vulnerabilities, rapidly patching and remediating vulnerabilities and applying user access control policies across applications and removable devices.

PCI DSS

Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures
Requirement 7: Restrict access to data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Restrict access to data by business need-to-know
Requirement 11: Assign a unique ID to each person with computer access

Maintain an Information Security Policy
Requirement 12: Restrict physical access to cardholder data

The Cost of Non-Compliance

Non-compliance with PCI can result in financial penalties levied against any vendor or service provider or even the denial of the ability of the merchant to accept or process credit card transactions. Costs also include:

Monthly fines for noncompliance range from $5,000-$25,000
Lost business - if acquirer refuses to process card payments for a merchant after data breach occurs
Damaged reputation – consumers prefer to conduct business with company whose reputation is untarnished and never experienced data breach