Automated Configuration Change Detection

How important is file integrity monitoring? The honest answer depends on the state of your network. If everything is working perfectly, you may call it important but not critical. If a device is misbehaving, or you suspect data is leaking, it becomes critical overnight. In both cases it should be treated as critical: catching a change early is far cheaper than cleaning up after it. Every week there is a new report of a database that was compromised or a cryptocurrency miner that was installed without anyone noticing. One step towards catching these events is to monitor the files and folders that are critical to operations, such as C:\Windows\System32 or C:\Program Files on Windows and /bin or /etc on Linux. Keep in mind that monitoring detects a change after it has happened; its value comes from how quickly someone acts on the alert, so route the reports to a mailbox that is actually read. Open-AudIT Enterprise can detect configuration changes in watched files and folders automatically; the query that does this ships with the software. As with every Open-AudIT Enterprise query, it can be scheduled to run weekly, daily, hourly or even every 10 minutes if you need it to. Setting it up is straightforward, and if it is ever needed you will look like a genius for having thought of it in advance. This only scratches the surface; for more information, a setup guide, or to test it yourself, follow the links below.


File And Folder Audit And Automation

In two previous posts I have talked about how easy it is to use Open-AudIT to discover devices and set up scheduled reporting. This post looks at how Open-AudIT can save companies from regulatory audit nightmares. One of the key requirements of any regulatory audit is demonstrating that business processes are followed and that a log of changes is available. Proactive businesses use these strict standards as a template for their own internal processes. One way to achieve this is to automate file and folder audits and schedule reports of the changes. Having this information readily available helps come audit season and gives you a complete picture of what is changing on your network.

Let’s look into how easy this would be to set up.

First off, it doesn't matter whether your server runs Linux or Windows: the feature is available on both, though one minor change is required for Windows users. It is only available to Open-AudIT Enterprise users; you will need to contact us for a demo or Enterprise trial license, as the regular trial only gives access to Professional.

Now that you have Open-AudIT up and running, let's run through setting up a file or folder to be audited and then schedule a report on it. Navigate to 'Discover', then 'Files', and finally 'List Files'. This shows the list of paths Open-AudIT has been told to audit, not every file on every device.

Adding a new entry is straightforward: you only need to fill in four fields: Name, Organisation, Description and Path. Once saved, run a query to populate the File table. A preconfigured 'Files' query ships with the product; to test it, navigate to Queries and run it.

However, the point of this post is to automate as much as possible and remove stress and headaches.

To have a report land in your inbox around your second coffee, head to 'Admin', then 'Tasks', then 'Create Tasks'. Create a task of type 'Query' and select the 'Files' query (or your custom query, if you created one). Set the time to 10:30 am and the schedule to daily, or whatever suits you, and you will receive an email each day with the state of, and any changes to, the files or folders you are watching.
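Whether you use Open-AudIT's file audit or a script of your own, the mechanics behind this post and the configuration change detection post above are the same: take a baseline of the watched paths, take another later, and report what differs. The following Python is an added example written for this page, not Open-AudIT's code or the posts' own. The watched tree, the JSON baseline file and the sample /etc-style files in demo() are constructed for the demonstration.

```python
"""Baseline-and-diff file integrity check (added example; not Open-AudIT code).

Assumptions: the tree to watch and the JSON baseline location are hypothetical
arguments supplied by the caller; SHA-256 is the content hash.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's content, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, ignore=frozenset()):
    """Record content hash, size, mode bits and owner for every regular file
    under root. Symlinks to files are recorded by their target and never
    followed, so a link repointed at a sensitive file shows up as a modification
    instead of silently pulling that file into the hash set. Modification time
    is left out on purpose: it is trivially reset (touch -r), so it is not evidence."""
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = sorted(d for d in dirnames if d not in ignore)
        for name in filenames:
            if name in ignore:
                continue
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            st = path.lstat()
            mode = f"{stat.S_IMODE(st.st_mode):04o}"
            if stat.S_ISLNK(st.st_mode):
                entries[rel] = {"type": "symlink", "target": os.readlink(path), "mode": mode}
            elif stat.S_ISREG(st.st_mode):
                try:
                    entries[rel] = {"type": "file", "sha256": hash_file(path),
                                    "size": st.st_size, "mode": mode, "uid": st.st_uid}
                except OSError as exc:  # unreadable files are still worth reporting
                    entries[rel] = {"type": "unreadable", "error": exc.strerror, "mode": mode}
    return entries


def diff(baseline, current):
    """Compare two snapshots; return added/removed paths and per-field changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        changes = {key: (before.get(key), after.get(key))
                   for key in sorted(set(before) | set(after))
                   if before.get(key) != after.get(key)}
        if changes:
            modified[rel] = changes
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(entries, path):
    """Write the baseline. Keep this file off the monitored host or on read-only
    media: an attacker who can rewrite the baseline can hide any change."""
    Path(path).write_text(json.dumps(entries, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a constructed /etc-style tree, baseline it, apply four kinds of
    change, and return the diff. The file names and contents are made up."""
    tmp = Path(tempfile.mkdtemp())
    try:
        etc = tmp / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        os.chmod(etc / "passwd", 0o644)
        save_baseline(snapshot(tmp), tmp / "baseline.json")
        # Simulated changes: content edit, deletion, new file, permission-only change.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "hosts").unlink()
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "miner").write_text("* * * * * root /tmp/xmrig\n")
        os.chmod(etc / "passwd", 0o666)
        baseline = load_baseline(tmp / "baseline.json")
        return diff(baseline, snapshot(tmp, ignore={"baseline.json"}))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to any file audit tool, Open-AudIT's included: compare content hashes, mode bits and ownership rather than timestamps, because timestamps are the first thing an intruder resets; and keep the baseline somewhere the monitored host cannot rewrite, because a baseline the attacker controls reports a clean tree. The scheduled 'Files' query above plays the role of demo()'s second snapshot, taken on whatever cadence you set.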

This form of change management gives you answers when hard questions come up during audit season, and evidence that your systems are configured the way you intend. This demonstration covers one of the features inside Open-AudIT; there is more available. Open-AudIT has a 20 device trial license for you to test the features. If you would like a larger trial license (which you will need for this example, as the file audit is an Enterprise feature) don't hesitate to contact us or request a demo; we can help you get more wins every day.


Meeting Regulatory Audit Requirements with Opmantek

Getting Compliant: How to Meet Regulatory Audit Requirements Using Opmantek’s Products

It's an alphabet soup of acronyms: SOX, SSAE, PCI-DSS, HIPAA. To the uninitiated they look like gibberish; to those dealing with federal or industry regulatory requirements they can be a sea of hard-to-understand and seemingly impossible-to-apply requirements that could mean the difference between a profitable year and (potentially) huge fines or even unemployment. Today I'd like to address each of these, discuss from an IT standpoint what needs to be done to meet each, and then discuss which of Opmantek's products help address those requirements. Fear not, we're in this together, so buckle in and make sure your helmet is snug as we dive into regulatory audit requirements.

Who Do These Regulations Apply To?

First off let’s break down the main regulations you might run into. Depending on your country and industry your business might be affected by one or more of these in addition to other regulations not covered here.

PCI-DSS – The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle payment cards from the major brands (MasterCard, Visa, Discover, American Express and so on). Simply put, if your business handles card data in any way, whether through an online shopping cart or by taking cards over the phone and keying them in by hand, you have exposure under PCI-DSS.

HIPAA – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that sets data privacy and security requirements for safeguarding medical information. It extends well beyond hospitals and doctors' offices: business associates, meaning anyone who handles information related to an individual's healthcare, are covered too. That includes businesses providing billing and collection services, healthcare records storage, and anything to do with the maintenance of an individual's healthcare record (physical or electronic). If your business handles any material containing healthcare information that could identify an individual, you have exposure under HIPAA.

SSAE-16 – Statement on Standards for Attestation Engagements (SSAE) No. 16 (the successor to SAS-70, and itself being superseded by SSAE-18) is an attestation standard created by the American Institute of Certified Public Accountants (AICPA). It is designed to ensure a service organization has the appropriate processes and IT controls in place to protect its clients' information and the quality of the services it performs for them. A SOC 1 report covers the service organization's internal controls over financial reporting (ICFR). A SOC 2 report covers controls measured against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). For either, a Type I report describes the controls at a point in time, while a Type II report also tests that they operated effectively over the reporting period (generally six months to a year). Generally speaking, if your business performs an outsourced service that affects the financial statements of another company you have exposure under SSAE-16 SOC 1, and if you're handling payroll, loan servicing, data center/co-location/network monitoring, software as a service (SaaS), or medical claims processing (including statement printing and online payment solutions) you would also have exposure under SOC 2.

SOX – The Sarbanes-Oxley Act of 2002 (SOX), also known as the "Public Company Accounting Reform and Investor Protection Act", is a US federal law that sets requirements for all U.S. public company boards, management and public accounting firms for financial reporting, disclosures and record keeping. While the bulk of SOX focuses on public companies, some provisions also apply to privately held companies. Generally speaking, if you are a public company you are covered by the Act.

What do These Regulations Mean to You?

So, once you’ve determined which regulations your business needs to adhere to what are the specific activities you need to take to meet those requirements?

Below is a short list of what needs to be in place to demonstrate compliance with these regulations. Note that these are only the activities that can be monitored and recorded electronically. Each regime also requires process documentation (a disaster recovery plan, a ledger of changes, a documented offsite backup and restore procedure, and so on), which is not listed below.

PCI-DSS

This list focuses on small to medium-sized merchants that process cards but do not store cardholder data. It gets much longer if your company processes large volumes of transactions, processes transactions over certain amounts, acts as a clearinghouse or payment processor, or stores any cardholder data.

  • Collect event logs from all relevant devices (firewalls, routers and servers) within the PCI-DSS zone, or from the entire network if card processing is not segmented, and alert and report on unusual activity.
  • Collect device configurations from those same devices and alert and report on changes.
  • Confirm that every database storing card data is encrypted at the disk or database level; cardholder data should be encrypted both at rest and in transit.

HIPAA

  • Collect event logs from all servers and workstations that store healthcare information or records, and from any networking equipment that information passes through, and alert and report on unusual activity.
  • Confirm that every database storing healthcare data is encrypted at the disk or database level; healthcare information should be encrypted both at rest and in transit.

SSAE-16 SOC1/2

This list covers most service provider requirements. However, companies that host or develop software would have additional requirements.

  • Provide network management and performance monitoring (NMS/NPM) of network devices and servers, which may include processing event logs; alert when performance thresholds are breached; demonstrate the escalation process; log all NMS/NPM setting changes for audit purposes.
  • Collect device configurations; alert on unauthorized configuration changes; demonstrate the escalation process.
  • Ensure all servers and workstations are patched at the OS level and for each critical application.
  • Ensure all servers and workstations run antivirus with current signature updates.
  • Check password criteria (length, complexity, minimum and maximum age); this should be managed centrally through Active Directory or LDAP.
  • Check that there are no unmanaged local administrator accounts, that all guest accounts are disabled, and that any named local accounts meet the password requirements.
  • Report on user account access: all users have limited (non-admin) access, and those who need admin rights have a regular account and a separate admin account.

Sarbanes-Oxley (SOX) (SOX Section 404)

The SOX Act focuses on financial reporting and accountability, but Section 404 (management's assessment of internal controls over financial reporting) is where the IT requirements come in: the IT general controls around the systems that feed the financial statements are what auditors test. In practice the SSAE-16 SOC 2 list above covers the same ground, so the same seven controls apply here and are not repeated.

How Do You Do It?

So, you've made it this far, figured out which regulations apply to your company, and have a list of the activities you need to monitor. But how do you actually do it?

List of Devices – Almost every regulation requires an inventory of all your equipment: workstations, servers and network devices. Open-AudIT handles this, with automated discovery and auditing of every device on the network, including reporting on local user accounts and groups and on antivirus installs, plus scheduled reports that deliver the relevant information the morning you need it.

Topology Diagrams – You should have a detailed topology diagram available that’s always up-to-date. This can be done using a combination of NMIS to gather Layer 2 and 3 connectivity information and opCharts to create the topology diagrams.

Performance and Fault Monitoring – Opmantek’s NMIS can provide very robust performance and fault monitoring capabilities, as well as handle event escalation and notifications.

Syslog and Application Log Monitoring – You can expand on NMIS’ Performance and Fault monitoring by adding opEvents, which can parse Syslog and application logs, generate notifications, and even perform event remediation.

Device Configuration Change Monitoring – Beyond the basic reporting of performance and fault issues comes the need to monitor devices for unauthorized or improper configuration changes. opConfig can collect device configurations, raise events for changes, and even help you centrally manage your network devices.

Next Steps

Well, here we are at the end. We've covered the main regulations, listed what needs to be done, and gone over each of Opmantek's products and how they can help address those requirements. Where you go from here is up to you.

If you still have questions, please reach out. We're here to help you navigate these regulatory requirements by delivering solutions that make your life easier and help you sleep more soundly.

Best,

Mark H

Charlotte, NC


Monthly Newsletter, July

In this issue:

  • A message from Craig
  • Brazil, the Silicon Valley of Latin America
  • Meet our team

Why You Should Implement Scheduled Reporting

Investing time in automation pays off: more results with less effort over time. Gartner has suggested that any manual task done more than four times a year should be automated. That may be at the extreme end, because there are pitfalls to avoid. The image below shows how people can spend more time optimising and reviewing a task than the automation ever saves.

Although this is a perfectly valid scenario that occurs frequently, it shouldn't scare you off automation. Here at Opmantek we believe we have the tools to make network automation easy. There are too many individual ways to cover in one post, so this one looks at a single feature and how it can make your life easier.

Open-AudIT’s Scheduled Reporting

Through Open-AudIT you gain a lot of insight into your network, the devices attached, as well as the software that is running on the devices. There is a lot of information that is collected, the difficult part is deciding what information is valuable to your organization. For example, a business may be interested in the new devices that are connected to their network or new software that has been installed recently. This information can be collected automatically and at specific times, wrapped up in a nice bow and then emailed to you.

Once you have Open-AudIT installed and at least one device discovered, you can create a scheduled report on that information. The first step is to make sure the email settings are correct: navigate to 'Admin' in the menu bar at the top right, then 'Configuration', then 'Email', and the email configuration screen loads. Check the details and send a test email to yourself to confirm it works.

Now for the fun part, which makes your life easier while everyone thinks you are working double time. Open-AudIT calls its automation 'Tasks'; the task list is under 'Admin', then 'Tasks', then 'List Tasks'. From this screen you can set up the following task types: Baseline, Discovery, Report, Query, Summary or Collector. In the previous post we discovered a single device; let's build on that by scheduling a report on newly discovered devices for Monday morning.

Click 'Create' at the top right and you will see all the scheduling options; this is essentially the manual process with a time element added. Enter a descriptive name (it can always be edited later) and for type choose Report. This adds a further menu item, where we want the report titled 'Devices Discovered in the Last 7 Days'. See below for what it should look like. I have set this task to run every Monday morning at 8:50 am, perfect coffee-drinking reading material.

If you configure this correctly, come Monday you will have a CSV report to look at, with one entry for our discovered device. This scales to your organisation's size, and before you even start your day automation has completed a job for you. This demonstration covers one of the features inside Open-AudIT; there is more available. Open-AudIT has a 20 device trial license for you to test the features. If you would like a larger trial license don't hesitate to contact us or request a demo; we can help you get more wins every day.


Discover And Manage Any Type of Device

Open-AudIT is a powerful tool that can give any user invaluable information. Organizations use Open-AudIT to scan tens of thousands of devices every hour across multiple vendors. That demonstrates the product's potential, but it isn't a good test case for new users. The best way to see Open-AudIT at work is to download the free trial and run a discovery on a single device. Watch the 10-minute video below to get the software installed.

Once installed, we can discover a single device and see the information Open-AudIT provides. With the program open, navigate to the 'Discover' menu item, then 'Discoveries' in the drop-down, and finally 'Discover a single device'. The next step asks for what Open-AudIT needs to collect the data: the network address and the credentials (Windows credentials, SSH keys or an SNMP community string). Use a dedicated account with only the rights the audit needs, since Open-AudIT stores these credentials so that scheduled discoveries can reuse them, and prefer SNMPv3 over a community string where the device supports it.

Once they are filled in, click the execute button, grab a coffee and come back to see your results. They are on the devices page: navigate back to the home screen, and in the menu on the left panel click 'My Devices'. The device you discovered will be listed; click the blue button on the left for its details. In that short time you gathered all this information about one of your networked devices; imagine the insight you would gain by running this at scale. You can try these steps with any device in your organization and get valuable information back.

This demonstration covers one of the features inside Open-AudIT; there is more available. Open-AudIT has a 20 device trial license for you to test the features. If you would like a larger trial license don't hesitate to contact us or request a demo; we can help you get more wins every day.