
Additional Regulations Impacting IT Organizations

Today, more than ever, organizations are challenged by the growing number of regulations and privacy acts. The momentum spans all verticals and geographies. Many organizations need to comply with more than one regulation, and are struggling with the increased complexity of technical implementations. Imperva solutions help organizations implement regulatory requirements across multiple regulations and streamline compliance efforts.


Financial Regulations

Basel II
Basel II requires banks to improve their risk measurement and management systems. As part of operational risk management, banks must control where sensitive data is located, who can access it and how it is used. Imperva Data Risk Management solutions locate sensitive data, assess vulnerabilities and configurations, manage user access rights to sensitive databases and files, and audit actual data usage.

Gramm-Leach-Bliley Act (GLBA)
The GLBA Safeguards Rule requires financial institutions to protect the security and confidentiality of customer information. Imperva data security solutions protect customer information from breach attempts, leakage and theft, block unauthorized access and attacks targeting customer data, provide a complete audit trail to support forensic investigations, and enable data risk management.

Technology Risk Management Guidelines (MAS TRM)
The Monetary Authority of Singapore (MAS) issued the Technology Risk Management (TRM) Guidelines, together with legally binding Notices, requiring financial institutions to adopt risk management principles and security practices for managing and controlling technology risk. Financial institutions are expected to implement systems, procedures and processes that mitigate the risk of both external and internal threats.

Healthcare/Insurance/Pharmaceutical

NAIC Model Audit Rule (MAR)
The NAIC's revisions to the Model Audit Rule require insurance companies to implement internal controls over financial reporting similar to those required of public companies by the Sarbanes-Oxley Act. Imperva audit and security solutions enable insurance companies to certify the integrity of their financial records by auditing privileged activity and changes that affect regulated data, and by automating compliance reporting.

21 CFR Part 11 (FDA)
21 CFR Part 11 sets the conditions under which FDA-regulated industries may use electronic records and electronic signatures in place of paper records and handwritten signatures; it requires controls over the systems that create, modify and store those records. Imperva data security solutions provide the required controls, including system validation, access auditing and secure, computer-generated audit trails for systems that process regulated electronic records.

State and Local Government

Ohio Revised Code 1347 section 15 (ORC 1347.15)
ORC 1347.15 requires State of Ohio agencies to regulate and log access to the confidential personal information they hold. State of Ohio agencies rely on the Imperva data security suite because it can monitor and protect that information and produce a complete audit trail of user activity across web, file and database access.

California SB 1386
California SB 1386 is a state law regulating the privacy of personal information. It requires any person or business that conducts business in California and holds computerized personal information to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Imperva real-time alerting and blocking detect and stop wrongful access to unencrypted data, reducing the likelihood of a breach that would trigger this notification duty.

Massachusetts Data Privacy Law (Mass 201 CMR 17)
The Massachusetts Data Privacy Law requires implementation of technical controls aimed at preventing breach of personal information. Imperva data breach prevention solutions protect personal information from breach attempts, leakage and theft, block unauthorized access and provide a complete audit trail of information usage.

Privacy

EU Data Breach Notification Law
Directive 2009/136/EC of the European Parliament and of the Council amended the EU ePrivacy Directive to add a personal data breach notification duty. Telecom operators and ISPs must notify the national authority without undue delay of security breaches such as the theft of customer personally identifiable information (PII), and must also notify the affected subscribers where the breach is likely to adversely affect them. Imperva data security solutions provide real-time alerts and protect against data breach attacks directed at web portals, databases and files.

Federal

Federal Information Security Management Act (FISMA)
FISMA requires federal agencies to implement an agency-wide information security program that ensures the integrity, confidentiality and availability of their information and information systems. Imperva solutions protect regulated information and applications from unauthorized access, use, disclosure, modification and destruction.

International Traffic in Arms Regulations (ITAR)
Export Administration Regulations (EAR)

ITAR (administered by the U.S. Department of State) and EAR (administered by the U.S. Department of Commerce) require that technical data and material related to export-controlled items be accessed only by authorized personnel; releasing such data to a non-authorized person, including a foreign national inside the United States, is treated as an export. Imperva Access and User Rights Management solutions enforce access controls on ITAR- and EAR-related information in files and databases, and manage user rights over the regulated data.

IRS 1075
IRS Publication 1075 sets the security requirements that federal, state and local agencies must meet when they receive federal tax information (FTI) from the IRS. It requires that this personal and financial information be protected against unauthorized use, inspection or disclosure. Imperva data security solutions address multiple sections of the publication, including the audit and access control requirements that limit FTI to individuals who are both authorized and have a need to know.

DISA STIG
The Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs) that define hardened configurations for DoD and other federal systems, including guides for database management systems. Imperva provides out-of-the-box assessment policies that support implementation of the DISA STIG requirements for database security.

The Australian Government Information Security Manual (ISM)
Published by the Defence Signals Directorate (DSD, since renamed the Australian Signals Directorate), the ISM provides Australian government agencies with a set of detailed controls that can be implemented to mitigate risks to their information and systems. The manual is the standard governing the security of government information and communications technology (ICT) systems and is an important part of the Australian Government's strategy to enhance its information security capability.

Energy

North American Electric Reliability Corporation (NERC)
NERC's mission is to ensure the reliability of the North American bulk power system. Its Critical Infrastructure Protection (CIP) standards specify minimum security requirements for protecting the cyber assets that are critical to the operation of the electric grid. Imperva security solutions help automate NERC CIP compliance and secure critical infrastructure.

Federal Energy Regulatory Commission Regulations (FERC)
Electricity, natural gas and oil companies regulated by FERC are required to implement preventive security measures; for the bulk electric system, FERC approves and enforces the NERC CIP reliability standards. Imperva access and user rights management solutions prevent unauthorized access to regulated data and strengthen the controls that prevent data breach attacks.

Service Providers

Statement on Auditing Standards (SAS) 70
SAS 70 provides guidance to auditors assessing the controls of service organizations (it has since been superseded by SSAE 16 and the SOC 1 report). The guidance is based on the COSO internal control framework, the same framework used for Sarbanes-Oxley assessments. Imperva assessment and data risk management solutions enable auditors to conduct risk assessments, validate configurations, audit changes that affect regulated data and streamline compliance reporting.

Educational Institutes

Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records. Educational agencies and institutions must give students access to their own education records, but must not disclose personally identifiable information from those records to other parties or agencies without the student's written consent, except where the statute specifically permits it. In April 2011 the U.S. Department of Education announced a series of initiatives to strengthen these safeguards. Controls are therefore required to ensure that only authorized personnel can access student records and that all access is audited.

Database Security

Product Name: SecureSphere Database Activity Monitoring (DAM) or SecureSphere Database Firewall (DBF)
Capabilities:
  • Audit and report on all access and changes to regulated data stored in databases, as required by PCI DSS requirement 10, SOX, HIPAA, Basel II, NAIC Model Audit Rule (MAR), IRS 1075, 21 CFR Part 11, ORC 1347.15 and Mass 201 CMR 17
  • Real-time alerts and optional blocking [1] of unauthorized access to regulated data, as required by GLBA, the EU Data Breach Notification Law, ITAR, EAR, NERC and FERC

Product Name: SecureSphere Discovery and Assessment Server [2]
Capabilities:
  • Assess database configurations, find default passwords and insecure configuration parameters, identify missing patches and manage vulnerabilities that expose regulated data to the risk of a breach, as required by PCI DSS requirements 2 and 6.1, SOX, 21 CFR Part 11, IRS 1075, DISA STIG, NERC, FERC and SAS 70
  • Discover sensitive data that should be removed from databases, as required by PCI DSS requirement 3.2
  • Manage risk to regulated data through discovery, classification and vulnerability analysis, as required by SOX, Basel II, GLBA, NAIC MAR, FISMA, ITAR, EAR, NERC, FERC and SAS 70

Product Name: User Rights Management for Databases
Capabilities:
  • Implement access controls that limit user rights to need to know, and identify users with excessive rights, as required by PCI DSS requirements 7 and 8.5.5, SOX, HIPAA, FISMA, ITAR, IRS 1075, EAR, NERC and FERC

File Security

Product Name: SecureSphere File Activity Monitoring (FAM) or SecureSphere File Firewall
Capabilities:
  • Audit and report on all access and changes to regulated data stored in documents and spreadsheets, as required by PCI DSS requirement 10, SOX, HIPAA, Basel II, NAIC Model Audit Rule (MAR), 21 CFR Part 11, IRS 1075, ORC 1347.15 and Mass 201 CMR 17
  • Real-time alerts and optional blocking [3] of unauthorized access to regulated data, as required by GLBA, the EU Data Breach Notification Law, ITAR, EAR, NERC and FERC

Product Name: User Rights Management for Files
Capabilities:
  • Implement access controls that limit user rights to need to know, and identify users with excessive rights, as required by PCI DSS requirements 7 and 8.5.5, SOX, HIPAA, FISMA, ITAR, IRS 1075, EAR, NERC and FERC

Web Application Security

Product Name: SecureSphere Web Application Firewall
Capabilities:
  • Continuously protects web applications against attacks, as required by PCI DSS requirement 6.6
  • Provides an audit trail of web activity and integrates with DAM and FAM to give a complete audit trail of user activity across web, files and databases, as recommended by ORC 1347.15 and Mass 201 CMR 17

[1] Blocking access to sensitive data in databases requires SecureSphere Database Firewall (DBF)
[2] SecureSphere Discovery and Assessment Server is included with SecureSphere DAM and DBF
[3] Blocking access to sensitive data in files requires SecureSphere File Firewall



Quote
Enterprises are increasingly evaluating DAM technologies, in response to compliance and security management requirements. These technologies have the capability to address privileged user management, breach detection, and fraud detection.

Gartner, Inc.
"Database Activity Monitoring Market Overview" by Jeffrey Wheatman, Mark Nicolett, 03-Feb-2009