Chapter 3
Supporting Corporate Governance Requirements
The days when industry could be relied upon to govern itself are gone. In light of recent scandals
and an increasing focus on public welfare, governments are passing laws and regulations that
define how specific industries must treat the data entrusted to them. Usually, simply following
industry best practices will bring you into compliance with these regulations and requirements.
Earlier in this chapter we explored network security industry best practices. Broadly speaking,
network devices don't meet these best practices on their own. However, a third-party
change-management solution can provide everything you need:
· An inventory of device resources (identification)
· Records permitting the review of devices' configurations (assessment)
· Centralized management of device security (prevention)
· Notifications of unauthorized changes (detection)
· Records of unauthorized changes (response)
· The ability to roll back unauthorized changes by using an authorized configuration (recovery)
· Simplified role-based security that ensures that administrators have only the required access to devices' configurations (training and prevention)
· The ability to support periodic auditing and testing procedures (testing)
In the next few sections, we'll explore three of the major regulations affecting industries in the
United States, and how proper network configuration management can play a vital role in
complying with these regulations.
HIPAA
HIPAA is an enormous piece of legislation designed to improve the portability of healthcare as
well as tighten controls over who has access to patients' private information. The act affects any
device, system, or component that stores, handles, or transmits certain private patient
information. Because devices such as routers, firewalls, and switches can transmit this
information on the network, they can fall under HIPAA's regulations.
For example, one of HIPAA's requirements is that patients be able to request not only their
records but also an accounting of who their records have been disclosed to. A router or firewall
doesn't keep a list of transmission recipients; however, to be certain that your organization meets
the HIPAA requirements, you must ensure that your devices won't transmit information to
undisclosed parties. Requests for access to patient files, permissions granted to users, and any
other configuration that could result in access to patient data must be constantly reviewed--
including the configuration of your network devices. By showing a complete history of device
configurations, you can prove that only authorized users were able to receive data from those
devices; if you're unable to show an audit trail of a device's configuration, you could face
allegations--which would be difficult to defend against--that the devices were modified to
transmit confidential data to unauthorized persons.
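The following Python sketch is an added example, not code from the book or from any change-management product it describes. It models the controls the bulleted list names (a device inventory, a reviewable record of configurations, detection of unauthorized changes, an append-only change history, and rollback to the authorized configuration) and the configuration audit trail the HIPAA discussion relies on. The device name, the IOS-style configuration text, the ticket identifier, and the class and function names are all constructed for illustration; no real device is contacted.

```python
"""Baseline, detect, record and roll back network-device configuration changes.

Added example (not from the book). Configurations are plain text collected
from devices by some external means; this module only compares, records and
reports on them.
"""
from __future__ import annotations

import difflib
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ChangeRecord:
    """One audit-trail entry: what changed on which device, and whether it was approved."""
    device: str
    timestamp: str
    old_hash: str
    new_hash: str
    change_ticket: Optional[str]   # approving ticket id (constructed), None if unauthorized
    diff: str                      # unified diff from authorized baseline to running config

    @property
    def authorized(self) -> bool:
        return self.change_ticket is not None


def fingerprint(config: str) -> str:
    """Stable identifier for a configuration text (SHA-256 hex digest)."""
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


class ConfigManager:
    """Inventory of devices, their authorized baselines, and the full change history."""

    def __init__(self) -> None:
        self.baselines: dict[str, str] = {}    # device name -> authorized configuration
        self.history: list[ChangeRecord] = []  # append-only record of every observed change

    def register(self, device: str, config: str) -> None:
        """Add a device and its currently authorized configuration to the inventory."""
        self.baselines[device] = config

    def inventory(self) -> list[str]:
        return sorted(self.baselines)

    def observe(self, device: str, running_config: str,
                change_ticket: Optional[str] = None) -> Optional[ChangeRecord]:
        """Compare a collected running config with the authorized baseline.

        Returns None if nothing changed; otherwise writes a ChangeRecord to the
        history and returns it. A change carrying a ticket becomes the new
        baseline; an unticketed change is recorded as unauthorized and the
        baseline is left untouched so it can be pushed back (rollback).
        """
        baseline = self.baselines[device]
        if running_config == baseline:
            return None
        diff = "\n".join(difflib.unified_diff(
            baseline.splitlines(), running_config.splitlines(),
            fromfile="authorized", tofile="running", lineterm=""))
        record = ChangeRecord(
            device=device,
            timestamp=datetime.now(timezone.utc).isoformat(),
            old_hash=fingerprint(baseline),
            new_hash=fingerprint(running_config),
            change_ticket=change_ticket,
            diff=diff,
        )
        self.history.append(record)
        if record.authorized:
            self.baselines[device] = running_config
        return record

    def unauthorized_changes(self, device: Optional[str] = None) -> list[ChangeRecord]:
        """Detection/response view: every change that lacked an approving ticket."""
        return [r for r in self.history
                if not r.authorized and (device is None or r.device == device)]

    def rollback_config(self, device: str) -> str:
        """Recovery: the authorized configuration to push back onto the device."""
        return self.baselines[device]


# Constructed sample configurations (IOS-style text, not from any real device).
AUTHORIZED_EDGE_FW = """hostname edge-fw
ip access-list extended PATIENT-DATA
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.5 eq 443
 deny ip any any
"""

# Drifted copy: someone widened the ACL without a change ticket.
DRIFTED_EDGE_FW = AUTHORIZED_EDGE_FW.replace(
    " deny ip any any", " permit ip any any\n deny ip any any")


if __name__ == "__main__":
    mgr = ConfigManager()
    mgr.register("edge-fw", AUTHORIZED_EDGE_FW)
    rec = mgr.observe("edge-fw", DRIFTED_EDGE_FW)
    print("inventory:", mgr.inventory())
    print("unauthorized changes:", len(mgr.unauthorized_changes("edge-fw")))
    print(rec.diff)
    print("rollback to hash:", fingerprint(mgr.rollback_config("edge-fw"))[:16])
```

The history list is what an auditor would ask for: every observed change, its before-and-after fingerprints, the exact diff, and whether a ticket approved it. Because an unticketed change never replaces the baseline, `rollback_config` always returns the last authorized state.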