Meeting Compliance Regulations with SIEM and Logging

SIEM and log management tools help secure your organization: they allow your security analysts to track events such as attempted and successful breaches of your systems and react accordingly.

Usually, it doesn’t matter how you ensure your organizational safety, as long as you do. However, if your organization is in the health, financial, or educational industry, there are certain conditions you must meet in order to do business with particular clients or in a particular market – this is called IT compliance.

Since IT compliance implies detecting and reporting threats, having a combination of SIEM and a log management solution at your disposal is the first step to conducting your business according to rules and regulations. The automated report feature (which we talked about in our “Must have features for your log management” post) is the one used most for generating compliance reports. Don’t forget that your organization will also have to retain log data for a certain amount of time to meet these requirements.

WHAT IS THE MINIMUM I MUST DO FOR COMPLIANCE?

To be compliant with most regulations, you would at least have to:

  1. Log all relevant events
  2. Define the coverage scope
  3. Define which events are considered a threat
  4. Have a detailed process for handling threats, including timeframes
  5. Document the timing of the events as well as what has occurred
  6. Document the location of event logs and follow-up records
  7. Document how long your company keeps the event logs and tickets

Keep in mind that all regulations require you to log all events and review them in a timely manner. If any issues arise, resolve them and document that the threat is no longer an issue.

REGULATIONS THAT REQUIRE ORGANIZATIONAL IT COMPLIANCE

Depending on the country in which your organization is based (US or non-US), there are several regulatory acts that require compliance reports:

SOX

The Sarbanes-Oxley (SOX) Act will be of interest to publicly held and accounting organizations. Signed into law in 2002, the act introduced accounting and disclosure requirements intended to increase transparency in financial reporting and corporate governance, and to formalize the system of internal checks and balances. If your organization is publicly traded, this is the one regulation to look out for. To verify SOX compliance, auditors will check your organization’s internal controls around:

  • Access
  • IT security
  • Change management
  • Backup procedures

To find out more about Sarbanes-Oxley Act compliance, click here.

FISMA

The Federal Information Security Modernization Act (FISMA) cybersecurity practices demand that “any federal agency document and implement controls of information technology systems which are in support to their assets and operations.” According to the National Institute of Standards and Technology (NIST), there are 9 steps for FISMA compliance:

  1. Categorize the information that should be protected
  2. Select minimum base controls
  3. Refine controls using risk-assessment procedures
  4. Document the controls in the system security plan
  5. Implement security controls in the appropriate information systems
  6. Once implemented, assess the effectiveness of the security controls
  7. Determine the agency-level risk to the mission or business case
  8. Authorize the information system for processing
  9. Monitor the security controls on a continuous basis

To find out more details about the latest FISMA requirements, click here.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) consists of a number of security standards that ensure a secure environment for companies that accept, process, store, or transmit credit card information. In other words, all organizations that accept credit cards as a means of payment must be compliant with PCI DSS.

To become compliant, small to medium businesses should:

  • Complete the self-assessment questionnaire (SAQ)
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance to your acquirer

To find out more details about PCI DSS compliance, click here.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of individually identifiable health information, otherwise known as protected health information (PHI). HIPAA applies to health care providers, health care clearinghouses, health plans, and any other organizations that transmit health information in electronic form. According to the act, entities covered by it must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure compliance by their workforce

On top of this, there are two main rules of HIPAA, known as the Security Rule and the Privacy Rule – both applicable to organizations that store medical data electronically. If you wish to learn more about HIPAA, click here.

FERPA

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students’ records, which fall into three categories: educational information, directory information, and personally identifiable information (PII). As far as IT compliance is concerned, there are several ways you can ensure that your organization is on the right track:

  • Ensure you have data encryption.
  • Ensure that you have compliance-monitoring mechanisms.
  • Ensure that your information security plan is properly assessed and up to date.
  • Ensure that you have a data breach policy in place.

Achieving FERPA compliance is not too difficult, and can be supported by implementing a SIEM and log management tool. If you need to know more about FERPA, click here.

ISO 27001

ISO 27001 is a framework based on a four-stage “Plan-Do-Check-Act” process for information security controls. The ISO 27001 guidelines clearly state that log collection, log management, and log analysis are complementary to this framework and a requirement for ISO compliance. Essentially, to fulfill the requirements, organizations must ensure the confidentiality, integrity, and availability of their information assets. Since ISO 27001 compliance is quite comprehensive, the best way to find out all the details is to visit the ISO website.

CONCLUSION

Implementing a combination of a SIEM system and a log management solution will not, by itself, make your organization IT compliant with any of the acts and regulations given above. However, they are an integral part of setting up your environment for compliance. Analyze your situation and determine what is best for your organization. Remember, without a properly secured IT ecosystem, you risk losing certain markets as well as clients.
