NetVision Company Blog

A Discussion on Effective Audit of User Access

Ponemon on the role of GRC

Ponemon released a new study on the role of Governance, Risk Management, and Compliance in organizations. And there are some interesting findings:

  • 63% indicated that their GRC effort began in IT (not Legal or Finance)
  • 44% of on-going GRC activity is in IT
  • 76% characterize privacy as ‘very important’ in IT as opposed to 37% for Finance
  • Top barrier to meeting GRC goals: lack of resources
  • Primary focus area of GRC: risk management (not compliance or governance)
  • Regulation most difficult to comply with: PCI-DSS (arguably one of the more specific of the regulations in terms of requirements)

These data points validate what we’ve been saying to our customers in a number of ways. We focus on managing risk more so than regulatory response and we’ve created a solution that is designed to address the ‘lack of resources’ issue. It’s also interesting how IT-centric the overall GRC programs are based on the responses. Give it a read for yourself and let us know what you think.

Verizon Data Breach Report 2011

The 2011 Verizon Data Breach Investigations Report was released recently and there are a number of interesting findings. At a glance, these quick stats caught my eye on page 3:

  • 83% of the attacks were crimes of opportunity
  • 92% of the attacks were not highly difficult
  • 76% of all data was compromised from servers
  • 96% were avoidable through simple or intermediate controls

And of course, the mitigation recommendation on the same page:

“Audit user accounts and monitor privileged activity.”

One puzzling number was that only 17% of breaches were reported to be completed by insiders. I find that strange because greater than 80% were crimes of opportunity, not difficult, and easily avoidable. Those attributes would typically point to insiders who have the most opportunity.

Another interesting point:

“For the second year in a row, it is regular employees and end-users—not highly trusted ones—who are behind the majority of data compromises. This is a good time to remember that users need not be super users to make off with sensitive and/or valuable data.”

Have a read for yourself if you’re interested in more data on breaches and breach activity across the market. As always, I’d recommend to take this report in the context of all other similar reports, news articles, common sense, and your own experience.

Answers, Not Data: The Key to Access Security

NetVision has heard from its customers loud and clear that the holy grail of compliance reporting is enabling actual answers rather than just piles of data.  In this SC Magazine article, titled Answers, Not Data: The Key to Access Security, NetVision CEO David Rowe explains how next generation compliance solutions will be focused on answers and continuous audit rather than periodic audits that generate confusing or obfuscated data sets.

HIPAA: Windows Security and Active Directory

In a new paper for NetVision customers titled Active HIPAA Response, we break down the security and privacy requirements found within the HIPAA regulation text and map NetVision policies and reports to those requirements. While organizations need to perform discovery of Protected Health Information (PHI), NetVision’s HIPAA compliance pack provides quick setup of compliance reporting related to Windows file system and Active Directory for complete coverage of Microsoft networking platforms.  The HIPAA package is also available for Novell networking environments.  NetVision isn’t claiming to make anyone compliant with a set of canned reports.  But, if you’re concerned about HIPAA requirements, the HIPAA compliance pack automates the creation of a set of reports that map to the areas within HIPAA for which NetVision can help.  Let us know if you’d like more information!

Continuous Audit

In this article from CFO magazine, the author discusses the value of Continuous Audit.  He tells the story of Harrah’s Entertainment and their 24×7 approach to audit.  One interesting quote:

Increasingly, though, individual practitioners see the cutting edge as auditing 100% of data relating to transactions, processes, policies, or whatever else is to be audited, rather than reviewing small samplings at longer intervals, as many organizations still do

You might be thinking that is easier said than done. But getting back to the original point, with Continuous Audit a 100% sample is actually easily accomplished, because every relevant event can be parsed through a policy filter and flagged when appropriate.

NetVision has recognized the value of Continuous Audit for more than a decade.  We believe there are two sides to an effective audit program – (1) current state assessment and (2) real-time monitoring.  And we hear from our customers that (like Harrah’s) they see real value in including real-time monitoring.  Putting Continuous Audit in place makes compliance audits move quicker and cost less.  …not to mention the obvious benefits to security.
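As an added illustration of the policy-filter idea above (example code written for this post, not NetVision's product), the block below pushes a constructed stream of Windows/AD security events through a small set of policies and contrasts a 100% continuous audit with a periodic sample of the same stream. Event ids follow Windows Security log numbering; the accounts, groups and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed event record. Event ids follow Windows Security log numbering:
# 4728/4756 = member added to a global/universal group, 4720 = account created,
# 4624/4634 = logon/logoff, 4732 = member added to a local group.
@dataclass(frozen=True)
class Event:
    ts: str          # ISO timestamp (constructed)
    event_id: int
    actor: str       # account that performed the action
    target: str      # account acted upon
    group: str = ""  # group name for membership-change events

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
APPROVED_PROVISIONERS = {"svc-provision"}   # assumed approved account-creation identities

# A policy is a predicate over one event; True means "flag this event".
POLICIES: dict[str, Callable[[Event], bool]] = {
    "privileged-group-change":
        lambda e: e.event_id in (4728, 4756) and e.group in PRIVILEGED_GROUPS,
    "unapproved-account-creation":
        lambda e: e.event_id == 4720 and e.actor not in APPROVED_PROVISIONERS,
}

def continuous_audit(events: list[Event]) -> list[tuple[str, Event]]:
    """Continuous audit: every event is checked against every policy."""
    return [(name, e) for e in events for name, check in POLICIES.items() if check(e)]

def sampled_audit(events: list[Event], every_n: int) -> list[tuple[str, Event]]:
    """Periodic audit: only every n-th event is reviewed, so findings can be missed."""
    return continuous_audit(events[::every_n])

# Constructed event stream: three of the eight events violate a policy.
SAMPLE_EVENTS = [
    Event("2011-05-02T08:01:10", 4624, "jsmith", "jsmith"),
    Event("2011-05-02T08:05:42", 4720, "svc-provision", "temp01"),
    Event("2011-05-02T08:07:03", 4732, "jsmith", "temp01", "Remote Desktop Users"),
    Event("2011-05-02T08:09:55", 4728, "jsmith", "bjones", "Domain Admins"),
    Event("2011-05-02T08:15:00", 4624, "bjones", "bjones"),
    Event("2011-05-02T08:21:17", 4720, "jsmith", "backup2"),
    Event("2011-05-02T08:22:40", 4756, "jsmith", "jsmith", "Enterprise Admins"),
    Event("2011-05-02T08:30:12", 4634, "jsmith", "jsmith"),
]

if __name__ == "__main__":
    for name, e in continuous_audit(SAMPLE_EVENTS):
        print(f"{e.ts} {name}: {e.actor} -> {e.target} {e.group}".rstrip())
    print("reviewing every 4th event finds:", len(sampled_audit(SAMPLE_EVENTS, 4)))
```

Reviewing every fourth event finds nothing and every second event finds one of the three violations; only the full stream surfaces all three.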

PCI Compliance for Active Directory

Are you focused on Active Directory? And being asked to provide your end of a PCI audit? Figuring out how AD relates to PCI-DSS (Payment Card Industry Data Security Standard) can be quite complicated. If you’re interested in getting help or learning more, go to:

PCI Compliance for Active Directory Administrators

The Cost of Compliance

Everybody is talking about the cost of non-compliance. But what about the enormous cost of achieving compliance? For many, that cost makes the assurance of being compliant seem hardly worthwhile (think insurance). You wouldn’t pay $20,000/yr. for homeowners insurance that covers up to $100k/yr. …especially when the threat of catastrophe seems unlikely.

The bottom line – there are better ways to approach the problem. If you’re laying out every regulation and trying to map some control in your environment to each of the requirements, you’re probably paying way too much in both cost and effort. Simplify by taking a multi-regulatory approach. And (of course) leverage pragmatic solutions that cut costs to achieve the same goal. Spending what amounts to some large percentage of the potential threat cost is not your only option! That’s the idea behind SIMON.

© 2009 NetVision Company Blog. All Rights Reserved.