Meeting Regulatory Audit Requirements with Opmantek

Getting Compliant: How to Meet Regulatory Audit Requirements Using Opmantek’s Products

It’s a spaghetti string of acronyms: SOX, SSAE, PCI-DSS, HIPAA. To the uninitiated they seem like gibberish; to those dealing with Federal or industry regulatory requirements they can be a sea of difficult-to-understand and potentially impossible-to-apply requirements that could mean the difference between a profitable year and (potentially) huge fines or even unemployment. Today I’d like to address each of these in detail, discuss from an IT standpoint what needs to be done to meet each, and then discuss which of Opmantek’s products help address those requirements. Fear not, we’re in this together, so buckle in and make sure your helmet is snug as we dive into Regulatory Audit Requirements.

Who Do These Regulations Apply To?

First off, let’s break down the main regulations you might run into. Depending on your country and industry, your business might be affected by one or more of these, in addition to other regulations not covered here.

PCI-DSS – The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle credit cards from the major vendors (e.g. MasterCard, VISA, Discover, American Express). Simply put, if your business handles credit card information in any way – maybe through an online shopping cart or by taking cards over the phone and hand processing them – you have exposure under PCI-DSS.

HIPAA – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that provides data privacy and security provisions for safeguarding medical information. It’s important to note that this regulation extends well beyond hospitals and doctors’ offices and includes anyone who handles information related to an individual’s healthcare. This would include businesses providing billing and collection services, healthcare records storage, and anything to do with the maintenance or upkeep of an individual’s healthcare record (physical or electronic). If your business handles any material that includes healthcare information that could potentially identify an individual, you have exposure under HIPAA.

SSAE-16 – The Statement on Standards for Attestation Engagements (SSAE) No. 16 (previously SAS-70, and soon to become SSAE-18) is an audit standard created by the American Institute of Certified Public Accountants (AICPA). SSAE-16 is designed to ensure a service organization has the appropriate processes and IT controls in place to assure the safety and security of its clients’ information and the quality of the services it performs for them. The SOC-1 exam primarily focuses on internal controls over financial reporting (ICFR) but has expanded over the years to often include testing of process documentation. The SOC-2 report expands on the SOC-1 to include not only the review of processes and controls but also the testing of those controls over the reporting period (generally a year). Generally speaking, if your business performs outsourced services that affect the financial statements of another company, you have exposure under SSAE-16 SOC-1; and if you’re handling payroll, loan servicing, data center/co-location/network monitoring, software as a service (SaaS), or medical claims processing (including statement printing and online payment solutions), you would also have exposure under SOC-2.

SOX – The Sarbanes-Oxley Act of 2002 (SOX), also known as the “Public Company Accounting Reform and Investor Protection Act”, is a US Federal law that sets requirements for all U.S. public company boards, management, and public accounting firms for financial reporting, disclosures, and record keeping. It is important to note that while the bulk of SOX focuses on public companies, there are provisions in the Act that also apply to privately held companies. Generally speaking, if you are a public company you are covered by the Act.

What do These Regulations Mean to You?

So, once you’ve determined which regulations your business needs to adhere to, what are the specific activities you need to undertake to meet those requirements?

Below is a short list of the things that need to be in place in order to demonstrate compliance with these regulations. It’s important to note that these are only the activities that can be monitored and recorded electronically. Each of these compliance requirements also includes additional process documentation (e.g. detailing a D&R plan, maintaining a ledger, documenting an offsite backup process and restore procedure) which is not listed below.

PCI-DSS

This list focuses on small to medium-sized merchants that process credit cards but do not store credit card data. The list gets much longer if your company processes large numbers of credit card transactions, processes transactions over certain amounts, acts as a clearinghouse or credit card processor, or stores any credit card information.

  • Collect event logs from all relevant devices (firewalls, routers, and servers) within the PCI-DSS zone, or the entire network if card processing is not segmented, and alert/report on “unusual” activity.
  • Collect device configurations and alert/report on changes to all relevant devices (firewalls, routers, and servers) within the PCI-DSS zone, or the entire network if card processing is not segmented.
  • Confirm any/all DBs that store card data are encrypted at the drive or DB level; credit card data should be encrypted both at rest and while in motion.

HIPAA

  • Collect event logs from all servers/workstations that store healthcare information or records and any networking equipment this information passes through, and alert/report on “unusual” activity.
  • Confirm any/all DBs on which healthcare data are stored are encrypted at the drive or DB level; healthcare information should be encrypted both at rest and while in motion.

SSAE-16 SOC1/2

This list covers most service provider requirements. However, companies that host or develop software would have additional requirements.

  • Provide NMS/NPM for network devices and servers (this may include processing of event logs); alert on performance issues; demonstrate the escalation process; log all NMS/NPM setting changes for audit purposes.
  • Collect device configurations; alert on unauthorized configuration changes; demonstrate the escalation process.
  • Ensure all servers/workstations are being patched at the OS level and for each critical application.
  • Ensure all servers/workstations are running antivirus with the most recent antivirus updates.
  • Check password criteria (length, complexity, and short and long expiration); this should be managed centrally through AD/MS-LDAP.
  • Check to ensure there are no local admin accounts, all guest accounts are disabled, and any local named accounts meet password requirements.
  • Report on user account access: all users have limited access (<Admin), and those that need Admin have both a regular account and a separate Admin account.

Sarbanes-Oxley (SOX) (SOX Section-404)

The SOX Act focuses on financial reporting and accountability, but Section-404 covers requirements from an IT perspective. The SSAE-16 SOC-2 requirements listed above will generally also fulfil SOX Section-404.

  • Provide NMS/NPM for network devices and servers (this may include processing of event logs); alert on performance issues; demonstrate the escalation process; log all NMS/NPM setting changes for audit purposes.
  • Collect device configurations; alert on unauthorized configuration changes; demonstrate the escalation process.
  • Ensure all servers/workstations are being patched at the OS level and for each critical application.
  • Ensure all servers/workstations are running antivirus with the most recent antivirus updates.
  • Check password criteria (length, complexity, and short and long expiration); this should be managed centrally through AD/MS-LDAP.
  • Check to ensure there are no local admin accounts, all guest accounts are disabled, and any local named accounts meet password requirements.
  • Report on user account access: all users have limited access (<Admin), and those that need Admin have both a regular account and a separate Admin account.

How Do You Do It?

OK, good.

So, you’ve made it this far and figured out which regulations apply to your company and you have a list of the activities you need to monitor. But, how do you actually do it?

List of Devices – In almost every regulation you’ll need to provide a list of all your equipment – workstations and servers. This can easily be handled through Open-AudIT, which provides automated methods for discovering and auditing all the devices on your network, including reporting on local user accounts and user groups, and antivirus installs. This also includes scheduled reporting that can provide all relevant information the morning that you need it.

Topology Diagrams – You should have a detailed topology diagram available that’s always up-to-date. This can be done using a combination of NMIS to gather Layer 2 and 3 connectivity information and opCharts to create the topology diagrams.

Performance and Fault Monitoring – Opmantek’s NMIS can provide very robust performance and fault monitoring capabilities, as well as handle event escalation and notifications.

Syslog and Application Log Monitoring – You can expand on NMIS’ Performance and Fault monitoring by adding opEvents, which can parse Syslog and application logs, generate notifications, and even perform event remediation.

Device Configuration Change Monitoring – Beyond the basic reporting of performance and fault issues comes the need to monitor devices for unauthorized or improper configuration changes. opConfig can collect device configurations, raise events for changes, and even help you centrally manage your network devices.

Next Steps

Well, here we are at the end. We’ve covered the main regulations, provided a list of what needs to be done, and even gone over each of Opmantek’s products and how they can help you address those requirements. Where you go from here is up to you.

If you still have questions, please reach out. We’re here to help you navigate these regulatory requirements by delivering solutions that make your life easier and help you sleep more soundly.

Best,

Mark H

Charlotte, NC

Auditing Web Servers with Open-AudIT

Do you know how many websites are running in your organisation?

You might be surprised to see the number, not only of actual web servers – but also the number of sites those web servers are serving.

Open-AudIT has a built-in query to easily show you the websites (even those not running) in your organisation.

Information is presented in an easily readable table format that is exportable to CSV (Excel), HTML, XML and JSON formats.

For each website you will see the name, OS and environment of the computer running it, the web server name, and the site’s name, description, status, instance log status, log format, log rotation policy and directory.

To enable the query go to menu -> Admin -> Queries -> Activate Query. You will see a list of available queries. Click the ‘tick’ icon on the right side to activate the “Web Sites” query and make it appear in your menus.

[Screenshot: Audit Servers]
NOTE – Open-AudIT currently retrieves the most information from IIS-based servers, but Apache servers on Linux are also catered for. Watch this space!
Press Release

Gartner lists Opmantek in 2016 Market Guide for Network Automation


GOLD COAST, Wednesday 27th January 2016 – Opmantek (ASSOB:OMK), a multi-award-winning provider of IT infrastructure management and audit solutions, today announced that it has been identified as a representative vendor in the Gartner “Market Guide for Network Automation” report.

Network Automation tools have been steadily growing in popularity as network architecture continues to grow and become more complex. According to Gartner “Increased agility in the network domain is a top priority for I&O Organizations and network teams”.

The report focuses on two of Opmantek’s commercial software modules, Open-AudIT Enterprise and opConfig, which enable businesses to lower costs and reduce human error by increasing process and configuration agility, while ensuring compliance to relevant policies and regulations set by the business. The report found that “There continues to be a significant mandate from the business for networks to adhere to corporate and government compliance, auditing standards and regulations”.

Opmantek CEO Danny Maher said, “Opmantek has been gaining traction in our focus areas of network and operational automation and event management. We believe being named by Gartner as a representative vendor reflects our continued global growth and momentum in this space.”

[1] Gartner, “Market Guide for Network Automation”, Vivek Bhalla, Sanjit Ganguli, 14 January 2016


Gartner Disclaimer:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


About Opmantek:

Opmantek is a multi-award-winning software company operating in the field of IT Infrastructure Management and Audit. Every six minutes somewhere in the world, a new organization implements an Opmantek product.
Opmantek software helps IT teams detect faults, review current and historical network performance, and predict where future failures are likely to occur.
Used by more than 80,000 organizations in 130 countries, Opmantek software manages some of the world’s most complex IT environments, including some of the world’s largest telecommunications carriers, managed service providers and banks.
Opmantek is a public company with corporate headquarters in Australia and is listed on the Australian Small Scale Offerings Board (ASSOB:OMK).

Baselines in Open-AudIT

Our new major feature for 1.10 is the beginning of our Baselines feature. This is not finished as yet (in 1.10), but we wanted it out there for feedback. Baselines in Open-AudIT Enterprise allow you to take the details of one machine (say, its software list) and use that as a basis for comparison against another machine or group of machines.

Being able to determine which machines are configured the same is a major part of systems administration and auditing – and now reporting on that will be made simple and automated. Once you define your baseline it will automatically run against a set of devices on a predetermined schedule. The output of these executed baselines will be available for web viewing, importing into a third party system or even as a printed report.

For example, you might create a baseline from a device running CentOS 6 which acts as one of your Apache servers in a cluster. You know this particular server is configured just the way you want it, but you’re unsure whether the other servers in the cluster are configured exactly the same. The Baselines feature enables you to determine this.

So you can say “Take the software installed on device X and tell me where it’s different on all the machines in the Web Servers group.”

You get a nice GUI interface showing which machines did or did not meet the expected software install state. You can also apply this to users and netstat ports. Other tables will be introduced in the future.

Our initial release (in 1.10) is functional but not yet complete. You can create a baseline, run it against a group of devices and view the results in a web browser. We plan to add scheduled execution, more tables for comparison (currently only software, netstat ports and users are enabled), in-place baseline and policy editing, archiving of results, exporting of results and more.

A sample baseline definition screen is below. In this example we show a baseline consisting of software policies targeted at CentOS 6 devices.

[Screenshot: Baseline Edit]

Once this has been run against our target group we have the result shown below.

[Screenshot: Baseline Result]

From the result page we can inspect individual devices or individual policies for compliance.

Once we have completed the implementation of Baselines in Open-AudIT you will see how powerful this feature can be for reporting items like compliance, ensuring device consistency and more. Stay tuned for more Baselines in our next Open-AudIT release!

Terms:

Baseline – the overarching document that contains the baseline definition and the individual policy tests.

Policies – The individual tests contained within a Baseline. Each test is for a specific item. An example would be testing for SSH version 1.2.3.
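The “take the software installed on device X and tell me where it’s different on all the machines in the Web Servers group” comparison, written out as an added Python example that is not Open-AudIT’s own code: the device names, software inventories and group membership are constructed for illustration, and each package/version pair on the reference device becomes one exact-match Policy inside the Baseline, which is then run per device (the device view) and flipped to a per-policy view (the policy view).

```python
# Added example (not Open-AudIT's code): a minimal baseline-and-policy
# comparison in the style the post describes. All inventories are constructed.
from dataclasses import dataclass

# Constructed software inventories: device -> {package: version}
INVENTORY = {
    "web01": {"httpd": "2.2.15", "openssh-server": "5.3p1", "php": "5.3.3"},
    "web02": {"httpd": "2.2.15", "openssh-server": "5.3p1", "php": "5.3.3"},
    "web03": {"httpd": "2.2.15", "openssh-server": "5.3p1", "php": "5.4.16"},
    "web04": {"httpd": "2.2.15", "openssh-server": "5.3p1"},
}
GROUPS = {"Web Servers": ["web02", "web03", "web04"]}

@dataclass(frozen=True)
class Policy:
    """One test inside a Baseline: a package must be installed at an exact version."""
    package: str
    version: str

    def check(self, software: dict) -> bool:
        return software.get(self.package) == self.version

def build_baseline(reference_device: str) -> list:
    """Turn the reference device's software list into one Policy per package."""
    return [Policy(p, v) for p, v in sorted(INVENTORY[reference_device].items())]

def run_baseline(policies: list, group: str) -> dict:
    """Run every policy against every device in the group and return only the
    failures: {device: [(package, expected, actual)]}; a missing package is None."""
    results = {}
    for device in GROUPS[group]:
        software = INVENTORY[device]
        results[device] = [
            (p.package, p.version, software.get(p.package))
            for p in policies if not p.check(software)
        ]
    return results

def compliant_devices(results: dict) -> list:
    """Per-device view: devices with no failing policies."""
    return sorted(d for d, fails in results.items() if not fails)

def failures_by_policy(results: dict) -> dict:
    """Per-policy view: package -> devices failing that policy."""
    out = {}
    for device, fails in results.items():
        for package, _expected, _actual in fails:
            out.setdefault(package, []).append(device)
    return {k: sorted(v) for k, v in out.items()}
```

A real run would replace INVENTORY with an exported software table (the post notes CSV/JSON exports) and could loosen the exact-version check to a minimum-version test per policy.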