ISDecisions.com

Language: EN | FR | 中文版

The Insider Threat Security Manifesto Beating the threat from within

Network management and compliance

In addition to the considerable motive most organisations have to address insider threats themselves, many work under industry regulations that either directly specify how it should be addressed, or are closely related to the issue.

Examples of these include:

Sarbanes-Oxley (SOX)

The US Senate’s 2002 act is federal law relating to standards for public company boards and accounting firms. It closely relates to insider threats in its strict terms around the reporting it requires, and how unauthorised users must not be able to modify these reports, as well as granular requirements for internal controls of financial reports.

Payment Card Industry Data Security Standard (PCI DSS)

A set of requirements laid out by the PCI Security Standards Council, which is made up of the world’s main payment card brands, PCI DSS applies to any business taking card payments. It relates to the protection of cardholder data, and has specific IT security requirements for firewalls around that data, password protection, network access restriction at a user-level as well as access tracking and monitoring.

Health Insurance Portability and Accountability Act (HIPAA)

Another US regulation, HIPAA relates to health insurance and the privacy and security of health data.

Federal Information Security Management Act (FISMA)

FISMA has very specific requirements around the security of inventory information, as well as categorising, security control and continuous monitoring, for any federal agencies in the US.

We’ve revealed that many IT professionals seem to be confused about what their network management solution enables them to do in terms of user restrictions and monitoring. However, presumably when working in an industry that is subject to legal regulations, IT pros are more aware of whether they are compliant.