Large organizations will be familiar with the importance of complying with regulations such as FISMA, GLBA, HIPAA, PCI, SOX, and, in the EU, GPDR, which will come into effect in 2018. Let’s look at what they cover:
The Federal Information Security Management Act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Agency program officials, chief information officers, and inspectors general (IGs) must conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB).
FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a US federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved. This is where VitalSigns SIEM Agent for z/OS is so important. It takes messages and events from the z/OS mainframe and passes them to a central enterprise SIEM (Security Information and Event Management), where administrators can monitor specific information to ensure the necessary levels of security of their information and information systems.
The Gramm–Leach–Bliley Act (also known as the Financial Services Modernization Act) allowed banks, securities companies, and insurance companies to act as investment banks, commercial banks, and insurance companies. The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies receiving this information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. Companies need a way to prove that they are compliant and VitalSigns SIEM Agent for z/OS can do that by collecting mainframe events and messages and storing them in a central SIEM. Here, up-to-date information can be used to immediately flag any issues with customer data collection and disclosure.
The Health Insurance Portability and Accountability Act consists of five Titles:
- Title I protects health insurance coverage for workers and their families when they change or lose their jobs.
- Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
- Title III sets guidelines for pre-tax medical spending accounts.
- Title IV sets guidelines for group health plans.
- Title V governs company-owned life insurance policies.
There are financial penalties for violating HIPAA rules. Again VitalSigns SIEM Agent for z/OS can help organizations to remain compliant by passing messages and events in real-time from mainframe systems and subsystems to a central SIEM. It’s here that administrators can define specific parameters that they need to be compliant with the five Titles and monitor in depth mainframe events.
The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that handle credit cards. The thinking behind it was to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. The PCI DSS specifies twelve requirements for compliance, which are organized into six logically-related groups or ‘control objectives’. VSA intercepts messages and events from z/OS and forwards them immediately to the central enterprise SIEM, where administrators can define specific parameters to monitor events in depth and ensure their merchants remains compliant with the standards.