Additional Regulations Impacting IT
Basel II requires banks to improve their risk measurement and management systems. Banks are required to manage the location of data, control access to sensitive data and track data usage. Imperva Data Risk Management solutions locate sensitive data, assess vulnerabilities and configurations, manage user access rights to sensitive databases and files, and audit actual data usage.
Gramm-Leach-Bliley Act (GLBA)
The GLBA Safeguards Rule requires all financial institutions to protect customer information. Imperva data security solutions protect customer information from breach attempts, leakage and theft, block unauthorized access and attacks targeting customer data, provide a complete audit trail to support forensic investigations and enable data risk management.
Technology Risk Management Guidelines (MAS TRM)
The Monetary Authority of Singapore (MAS) issued the Technology Risk Management (TRM) guidelines and legally binding Notices requiring financial institutions to adopt risk management principles and security practices for managing and controlling technology risks. Financial institutions are expected to implement systems, procedures and processes that mitigate the risk of external and internal threats.
NAIC Model Audit Rule (MAR)
NAIC revisions to the Model Audit Rule require insurance companies to implement similar controls as provisioned by the Sarbanes-Oxley Act. Imperva audit and security solutions enable insurance companies to certify the integrity of their financial records by auditing privileged activity and changes that impact regulated data, and automating compliance reporting processes.
21 CFR Part 11 (FDA)
The 21 CFR Part 11 regulation requires FDA regulated industries to implement controls over electronic medical records and systems processing electronic records. Imperva data security solutions provide the required controls including audits, system validations and audit trails for systems involved in processing regulated electronic data.
State and Local Government
Ohio Revised Code 1347 section 15 (ORC 1347.15)
ORC 1347.15 requires the protection of personal information. State of Ohio agencies rely on the Imperva data security suite because it provides a unique ability to monitor and protect privileged information, delivering a complete audit trail of user activity through web, file and database activity auditing.
California SB 1386
SB 1386 is a California law regulating the privacy of personal information. It requires anyone who conducts business in California to disclose security breaches to residents whose unencrypted data has been disclosed. Imperva real-time notifications can protect unencrypted data from wrongful access and block data breach attempts.
Massachusetts Data Privacy Law (Mass 201 CMR 17)
The Massachusetts Data Privacy Law requires implementation of technical controls aimed at preventing breach of personal information. Imperva data breach prevention solutions protect personal information from breach attempts, leakage and theft, block unauthorized access and provide a complete audit trail of information usage.
EU Data Breach Notification Law
The European Parliament directive 2009/136/EC is concerned with the protection of privacy of personal data. The new provision requires telecoms and ISPs to immediately notify of security breaches such as the theft of customer personally identifiable information (PII). Imperva data security solutions provide real-time alerts and protect against data breach attacks directed at web portals, databases and files.
Federal Information Security Management Act (FISMA)
FISMA requires federal agencies to implement an information security program to ensure the integrity, confidentiality and availability of information and information systems. Imperva solutions protect regulated information and applications from unauthorized access, usage, disclosure, modification and destruction.
The International Traffic in Arms Regulations (ITAR)
Export Administration Regulations (EAR)
ITAR and EAR require that all information and material related to ITAR controlled technology is accessed only by authorized personnel. Imperva Access and User Rights Management solutions enforce access controls to ITAR-related information in files and databases, and manage user rights over regulated data.
IRS 1075
IRS 1075 provides tax information security guidelines for federal, state and local agencies. It requires that personal and financial information in IRS systems is protected against unauthorized use, inspection or disclosure. Imperva data security solutions address multiple sections of the guideline, including audit and security guidelines ensuring that access to FTI (federal tax information) is limited to those individuals who are authorized to access it and have a need to know.
DISA Security Technical Implementation Guides (STIG)
The Defense Information Systems Agency (DISA) provides federal organizations with Security Technical Implementation Guides (STIG) for improving and maintaining the security of Database Management Systems. Imperva provides out-of-the-box policies to support the implementation of the DISA STIG requirements for database security.
The Australian Government Information Security Manual (ISM)
Published by the Defence Signals Directorate (DSD), the ISM provides Australian government agencies with a set of detailed controls that can be implemented to mitigate risks to their information and systems. The manual is the standard that governs the security of government information and communications technology (ICT) systems and is an important part of the Australian Government's strategy to enhance its information security capability.
North American Electric Reliability Corporation (NERC)
NERC's mission is to ensure the reliability of North American power systems. The Critical Infrastructure Protection (CIP) requirements specify minimum security requirements for protecting assets that are critical to the operation of electrical utility systems. Imperva security solutions automate NERC CIP compliance and secure critical infrastructure.
Federal Energy Regulatory Commission Regulations (FERC)
Electricity, natural gas, and oil companies are required to implement preventive measures to comply with FERC regulatory requirements. Imperva access and user rights management solutions prevent unauthorized access to regulated data and improve controls to prevent data breach attacks.
Statement on Auditing Standards (SAS) 70
SAS 70 provides assessment guidance to auditors assessing service organizations. The guidance is based on the COSO model of controls also adopted by Sarbanes-Oxley. Imperva assessment and data risk management solutions enable auditors to conduct risk assessments, validate configurations, audit changes that impact regulated data and streamline compliance reports.
Family Educational Rights and Privacy Act (FERPA)
In April 2011 the U.S. Department of Education announced a series of initiatives to safeguard student privacy. Educational agencies and institutions must provide students with access to their education records, but should not release student records or share them with other agencies without the student's consent. Controls are required to ensure that only authorized personnel can access student records, and that all access is audited.
SecureSphere Database Activity Monitoring
- Audit and report on all access and changes to regulated data stored in databases as required by PCI DSS section 10, SOX, HIPAA, Basel II, NAIC Model Audit Rule (MAR), IRS 1075, 21 CFR Part 11, ORC 1347.15 and Mass 201 CMR 17
- Real-time alerts and optional blocking [1] of unauthorized access to regulated data as required by GLBA, EU Data Breach Notification Law, ITAR, EAR, NERC and FERC
SecureSphere Discovery and Assessment Server [2]
- Assess database configurations, remove default passwords and security parameters, identify missing patches and manage vulnerabilities that expose regulated data to risk of a data breach as required by PCI DSS 2 and 6.1, SOX, 21 CFR Part 11, IRS 1075, DISA-STIG, NERC, FERC and SAS 70
- Discover sensitive data that should be removed from databases as required by PCI DSS section 3.2
- Manage risk to regulated data through discovery, classification and vulnerability analysis as required by SOX, Basel II, GLBA, NAIC MAR, FISMA, ITAR, EAR, NERC, FERC and SAS 70
User Rights Management for Databases
- Implement access controls to limit user rights based on need to know, and identify users with excessive rights, as required by PCI DSS sections 7 and 8.5.5, SOX, HIPAA, FISMA, ITAR, IRS 1075, EAR, NERC and FERC
SecureSphere File Activity Monitoring
- Audit and report on all access and changes to regulated data stored in documents and spreadsheets as required by PCI DSS section 10, SOX, HIPAA, Basel II, NAIC Model Audit Rule (MAR), 21 CFR Part 11, IRS 1075, ORC 1347.15 and Mass 201 CMR 17
- Real-time alerts and optional blocking [3] of unauthorized access to regulated data as required by GLBA, EU Data Breach Notification Law, ITAR, EAR, NERC and FERC
SecureSphere Web Application Firewall
- Continuously protects web applications against threats as required by PCI DSS section 6.6
- Provides an audit trail of web activity and integrates with DAM and FAM to provide a complete audit trail of user activity across web, files and databases as recommended by ORC 1347.15 and Mass 201 CMR 17
[1] Blocking access to sensitive data in databases requires SecureSphere DBF
[2] SecureSphere Discovery and Assessment Server is included with SecureSphere DAM and DBF
[3] Blocking access to sensitive data in databases requires SecureSphere DBF
Why choose Imperva for regulatory compliance needs?
"I personally would recommend Imperva to other financial institutions. It brings world-class support, best-of-breed technology, and truly a solution that I think is cutting edge to a high-risk environment."
Ross Bobenmoyer, VP of Information Security, Republic Bank