File And Folder Audit And Automation

In previous posts (here first and secondly here) I have talked about how easy it is to use Open-AudIT to discover devices and set up scheduled reporting. This post will look at how powerful Open-AudIT is and how it can save companies from incredible regulatory audit nightmares. One of the key components of regulatory audits is ensuring that business processes are adhered to and a log of changes is available. Proactive businesses will use these strict standards to outline their own business processes. One way this is achieved is by automating file and folder audits and scheduling reports with the changes. Having this information readily available will help most businesses come audit season while ensuring they have a complete grasp on what is occurring on their network.

Let’s look into how easy this would be to set up.

First off, it doesn’t matter which operating system you are using for your server: this feature is available on both Linux and Windows, although one minor change is required for Windows users. This feature is also only available to Open-AudIT Enterprise users, so you will have to contact us for a demo/enterprise trial license; our regular trial users only get access to Professional.

Now that you have Open-AudIT up and running, let’s run through the process of setting up a file/folder to be audited, and then we will schedule a report to be generated. Navigate to ‘Discover’, then ‘Files’ and finally ‘List Files’. This shows the list of files that will be audited by Open-AudIT, not a list of every file.

As you can see in the above example, it is quite a straightforward addition: you only need to edit four fields (Name, Organisation, Description and Path). Once these have been edited, we can run a query to populate the File table. A preconfigured ‘files’ query already exists; if you want to test the standard one, navigate to Queries and run the files query.

However, the point of this post is to automate as much as possible and remove stress and headaches.

To set up a report that lands in your inbox around your second coffee, head to ‘Admin’, then ‘Tasks’ and finally ‘Create Tasks’. Here we can create a task with the type ‘Query’, called ‘Files’ (unless we created a custom query). Set the time to 10:30 am and have it run daily, or whenever is convenient, and you will receive an email with the daily changes to the files or folders you are watching.
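The daily change report described above comes down to comparing a stored baseline of the watched path with its current state. The following is an added example of that comparison, not Open-AudIT's own code; the function names, the CSV columns and the sample files are constructed for illustration.

```python
import csv
import hashlib
import io
import os
import stat
import tempfile


def snapshot(root):
    """Record size, permission string and SHA-256 for each regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            try:
                with open(full, "rb") as fh:
                    sha = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                sha = "unreadable"  # keep the entry so the gap shows in the report
            rel = os.path.relpath(full, root)
            state[rel] = {"size": st.st_size, "mode": stat.filemode(st.st_mode), "sha256": sha}
    return state


def diff(old, new):
    """Return (change, path, attributes) rows, sorted by path."""
    rows = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            rows.append(("added", path, ""))
        elif path not in new:
            rows.append(("removed", path, ""))
        else:
            attrs = [k for k in ("size", "mode", "sha256") if old[path][k] != new[path][k]]
            if attrs:
                rows.append(("changed", path, ",".join(attrs)))
    return rows


def to_csv(rows):
    """Render the rows as the CSV body a scheduled job could mail out."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows([("change", "path", "attributes"), *rows])
    return buf.getvalue()


def demo():
    """Constructed sample: baseline a temporary folder, alter it, report the delta."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        for rel, data in (("app.conf", b"debug=false\n"), ("users.txt", b"alice\n"), ("old.log", b"x\n")):
            put(rel, data)
        os.chmod(os.path.join(root, "users.txt"), 0o644)
        baseline = snapshot(root)
        put("app.conf", b"debug=true \n")  # same length, so only the hash differs
        os.chmod(os.path.join(root, "users.txt"), 0o666)  # permissions loosened
        os.remove(os.path.join(root, "old.log"))
        put("cron.sh", b"#!/bin/sh\n")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    print(to_csv(demo()), end="")
```

Hashing the content is what catches the same-size edit to `app.conf`; a comparison based on size alone would miss it, and the permission string is tracked separately so a loosened mode is reported even when the content is untouched.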

This form of change management will help you if serious questions occur during audit season as well as make sure that your system is secure and configured how you want it. This demonstration is for one of the fantastic features inside Open-AudIT, there is more that is available too. Open-AudIT has a 20 device trial license for you to test out the features. If you would like a larger trial license (which you will need for this example) don’t hesitate to contact us or even request a demo, we can help you get more wins every day.


Meeting Regulatory Audit Requirements with Opmantek

Getting Compliant: How to Meet Regulatory Audit Requirements Using Opmantek’s Products

It’s a spaghetti string of acronyms: SOX, SSAE, PCI-DSS, HIPAA. To the uninitiated, they seem like gibberish; to those dealing with Federal or industry regulatory requirements, they can be a sea of difficult-to-understand and potentially impossible-to-apply requirements that could mean the difference between a profitable year and (potentially) huge fines or even unemployment. Today I’d like to address each of these in detail, discuss from an IT standpoint what needs to be done to meet each, and then discuss which of Opmantek’s products help address those requirements. Fear not, we’re in this together, so buckle in and make sure your helmet is snug as we dive into Regulatory Audit Requirements.

Who Do These Regulations Apply To?

First off let’s break down the main regulations you might run into. Depending on your country and industry your business might be affected by one or more of these in addition to other regulations not covered here.

PCI-DSS – The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle credit cards from the major vendors (i.e. MasterCard, VISA, Discover, American Express, etc.). Simply put, if your business handles credit card information in any way – maybe through an online shopping cart or by taking cards over the phone and hand processing them – you have exposure under PCI-DSS.

HIPAA – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that provides data privacy and security provisions for safeguarding medical information. It’s important to note that this regulation extends beyond just hospitals and doctor’s offices and includes anyone who handles information related to an individual’s healthcare. This would include businesses providing billing and collection services, healthcare records storage, and anything to do with the maintenance or upkeep of an individual’s healthcare record (physical or electronic). If your business handles any material that includes healthcare information that could potentially identify an individual you have exposure under HIPAA.

SSAE-16 – The Statement on Standards and Attestation Engagements (SSAE) No. 16 (previously the SAS-70 and soon to become the SSAE-18) is an audit standard created by the American Institute of Certified Public Accountants (AICPA). The SSAE-16 is designed to ensure a service organization has the appropriate processes and IT controls in place to assure the safety and security of their clients’ information and the quality of the services they perform for them. The SOC-1 exam primarily focuses on internal controls over financial reporting (ICFR) but has expanded over the years to often include testing process documentation. The SOC-2 report expands on the SOC-1 to include not only the review of processes and controls but the testing of those controls over the reporting period (generally a year). Generally speaking, if your business performs an outsourced service that affects the financial statements of another company, you have exposure under the SSAE-16 SOC-1, and if you’re handling payroll, loan servicing, data center/co-location/network monitoring, software as a service (SaaS), or medical claims processing (including statement printing and online payment solutions), you would also have exposure under SOC-2.

SOX – The Sarbanes-Oxley Act of 2002 (SOX), also known as the “Public Company Accounting Reform and Investor Protection Act”, is a US Federal law that sets requirements for all U.S. public company boards, management, and public accounting firms for financial reporting, disclosures, and records keeping. It is important to note that while the bulk of SOX focuses on public companies, there are provisions in the Act that also apply to privately held companies. Generally speaking, if you are a public company you are covered by the Act.

What do These Regulations Mean to You?

So, once you’ve determined which regulations your business needs to adhere to, what are the specific activities you need to take to meet those requirements?

Below is a short list of the things that need to be in place in order to demonstrate compliance with these regulations. It’s important to note these are only the activities that can be monitored and recorded electronically. Each of these compliance requirements includes additional process documentation, i.e. detail a D&R plan, maintain a ledger, document an offsite backup process and restore procedure, etc., which is not listed below.

PCI-DSS

This list focuses on small to medium-sized merchants processing credit cards, but not storing credit card data. This list gets much longer if your company processes large numbers of credit card transactions, processes transactions over certain amounts, acts as a clearinghouse or cc processor, or stores any credit card information.

  • Collect event logs from all relevant devices (firewalls, routers, and servers) within the PCI-DSS zone, or entire network if card processing is not segmented, and alert/report on “unusual” activity.
  • Collect device configurations and alert/report on changes to all relevant devices (firewalls, routers, and servers) within the PCI-DSS zone, or entire network if card processing is not segmented.
  • Confirm any/all DBs that store card data are encrypted at the drive or DB level; credit card data should be encrypted both at rest and while in motion.

HIPAA

  • Collect event logs from all servers/workstations that store healthcare information or records and any networking equipment this information passes through, and alert/report on “unusual” activity.
  • Confirm any/all DBs that healthcare data are stored on are encrypted at the drive or DB level; healthcare information should be encrypted both at rest and while in motion.

SSAE-16 SOC1/2

This list covers most service provider requirements. However, companies that host or develop software would have additional requirements.

  • Provide for NMS/NPM of network devices and servers, this may include processing of event logs; alert on out of performance issues; demonstrate escalation process; log all NMS/NPM setting changes for audit purposes.
  • Collect device configurations; alert on unauthorized configuration changes; demonstrate escalation process.
  • Ensure all servers/workstations are being patched at the OS-level and for each critical application.
  • Ensure all servers/workstations are running antivirus with the most recent antivirus updates.
  • Check password criteria (length, complexity, and short and long expiration); this should be managed centrally through AD/MS-LDAP.
  • Check to ensure there are no local admin accounts, all guest accounts are disabled, and any local named accounts meet password requirements.
  • Report on user account access, all users have limited access (<Admin) and for those that need Admin, they have both a regular account and a separate Admin account.

Sarbanes-Oxley (SOX) (SOX Section-404)

The SOX Act focuses on financial reporting and accountability, but Section-404 covers requirements from an IT perspective. Generally, the SSAE-16 SOC-2 requirements listed above will often fulfil SOX Section-404.

  • Provide for NMS/NPM of network devices and servers, this may include processing of event logs; alert on out of performance issues; demonstrate escalation process; log all NMS/NPM setting changes for audit purposes.
  • Collect device configurations; alert on unauthorized configuration changes; demonstrate escalation process.
  • Ensure all servers/workstations are being patched at the OS-level and for each critical application.
  • Ensure all servers/workstations are running antivirus with the most recent antivirus updates.
  • Check password criteria (length, complexity, and short and long expiration); this should be managed centrally through AD/MS-LDAP.
  • Check to ensure there are no local admin accounts, all guest accounts are disabled, and any local named accounts meet password requirements.
  • Report on user account access, all users have limited access (<Admin) and for those that need Admin, they have both a regular account and a separate Admin account.

 

How Do You Do It?

OK, good.

So, you’ve made it this far and figured out which regulations apply to your company and you have a list of the activities you need to monitor. But, how do you actually do it?

List of Devices – In almost every regulation you’ll need to provide a list of all your equipment – workstations and servers. This can easily be handled through Open-AudIT, which provides automated methods for discovering and auditing all the devices on your network, including reporting on local user accounts and user groups, and antivirus installs. This also includes scheduled reporting that can provide all relevant information the morning that you need it.

Topology Diagrams – You should have a detailed topology diagram available that’s always up-to-date. This can be done using a combination of NMIS to gather Layer 2 and 3 connectivity information and opCharts to create the topology diagrams.

Performance and Fault Monitoring – Opmantek’s NMIS can provide very robust performance and fault monitoring capabilities, as well as handle event escalation and notifications.

Syslog and Application Log Monitoring – You can expand on NMIS’ Performance and Fault monitoring by adding opEvents, which can parse Syslog and application logs, generate notifications, and even perform event remediation.

Device Configuration Change Monitoring – Beyond the basic reporting of performance and fault issues comes the need to monitor devices for unauthorized or improper configuration changes. opConfig can collect device configurations, raise events for changes, and even help you centrally manage your network devices.

Next Steps

Well, here we are at the end. We’ve covered the main regulations, provided a list of what needs to be done, and even gone over each of Opmantek’s products and how they can help you address those requirements. Where you go from here is up to you.

 

If you still have questions, please reach out. We’re here to help you navigate these regulatory requirements by delivering solutions that make your life easier and help you sleep more soundly.

 

Best,

 

Mark H

Charlotte, NC


Monthly Newsletter: July

In this issue:

  • A message from Craig
  • Brazil, the Silicon Valley of Latin America
  • Meet our team

Why You Should Implement Scheduled Reporting

Investing time into automation can be extremely beneficial for you to achieve increased results, with less effort over time. Gartner has suggested that any manual task that is done more than four times a year should be automated. That may be on the extreme end because there are certain pitfalls that need to be avoided. The below image shows how people can spend too much time optimising and reviewing without actually saving any time.

Although this is a perfectly valid scenario that occurs frequently, it shouldn’t scare you off automation. Here at Opmantek, we believe we have the tools to make Network Automation easy for you. There are too many individual ways to outline in one post, so this post will look at a single part and how it can make your life easier.

Open-AudIT’s Scheduled Reporting

Through Open-AudIT you gain a lot of insight into your network, the devices attached, as well as the software that is running on the devices. There is a lot of information that is collected, the difficult part is deciding what information is valuable to your organization. For example, a business may be interested in the new devices that are connected to their network or new software that has been installed recently. This information can be collected automatically and at specific times, wrapped up in a nice bow and then emailed to you.

Once you have Open-AudIT installed and have a device discovered you can create a scheduled report on that information. To create a report the first step is ensuring that the correct email details are in place. Navigate to ‘Admin’ in the menu bar on the top right, then ‘Configuration’ and finally ‘Email’ and you will have the email configuration screen loaded. Ensure all the details are correct and send a test email to yourself to make sure it is working.

Now we get to the fun stuff that will make your life easier while everyone thinks you are working double time. Open-AudIT uses ‘Tasks’ as the title for its automation; a task list can be found in ‘Admin’, then ‘Tasks’, then ‘List Tasks’. From this screen, you can set up the following types of tasks: Baseline, Discovery, Report, Query, Summary or Collector. In our previous post we did a single device discovery and had some success; let’s do that again, but we will schedule it for Monday morning.

Click on ‘Create’ on the top right and you will have all the options for scheduling available to you, essentially this is the same as a manual process, just adding in the time element. Enter a nice test name (this can always be edited later) and for type, we want a report. This will add an additional menu item and we want the report titled ‘Devices Discovered in the Last 7 Days.’ See below for what it should look like. I have created this task to run every Monday morning at 8:50 am, this is perfect coffee drinking reading material.

If you configure this correctly, come Monday you will have a nice CSV report to look at, with one entry for our discovered device. However, in the future, this could be scaled to your organisational size, and before you even start your day, automation has completed a job for you. This demonstration is for one of the fantastic features inside Open-AudIT, there is more that is available too. Open-AudIT has a 20 device trial license for you to test out the features. If you would like a larger trial license don’t hesitate to contact us or even request a demo, we can help you get more wins every day.


Discover And Manage Any Type of Device

Open-AudIT is a powerful tool that can give any user invaluable information. Organizations are using Open-AudIT to scan tens of thousands of devices every hour across multiple vendors. This demonstrates the potential that this product has to offer, however, that isn’t a good test case for new users. The best way to showcase Open-AudIT is to download the free trial and run a discovery on a single device. Watch the below 10-minute video to get the software installed.

Once installed we can discover a single device and see the information that Open-AudIT can provide. Once the program is open, navigate to the ‘Discover’ menu item, then ‘Discoveries’ in the drop down and finally ‘Discover a single device.’ The next step requires the information that will be used to get the data for you, the network address, the credentials (Windows username, SSH keys or SNMP Community String), see below.
Once they are filled in, click the execute button, grab a coffee and come back to see your results. These will be located on the devices page, navigate back to the home screen, and you will see a menu on the left panel, click on my devices. The device that you discovered will show up; more information can be found about the device by clicking the blue button on the left. In that short time, you were able to gather all this information about one of your networked devices, imagine the power and insights you would gain by implementing this at scale. You can try these steps with any device in your organization and get valuable information back.
This demonstration is for one of the fantastic features inside Open-AudIT, there is more that is available too. Open-AudIT has a 20 device trial license for you to test out the features. If you would like a larger trial license don’t hesitate to contact us or even request a demo, we can help you get more wins every day.

Why Companies Need To Invest In Network Monitoring?

Businesses are becoming more reliant on information technology to achieve day-to-day business goals. Having the right technological processes in place has a direct effect on the viability and profitability of a business. A common misconception about poor internet connectivity is the complaint that “the Internet is down”; this demonstrates how important maintaining a network is, because troubleshooting should start and end with a network engineer. However, in practice, that employee will take time out of their day to ‘fix the Internet’, and the time taken is the business cost of not having a reliable network monitoring solution in place. The less reliable the network is, the higher the direct financial loss is.

At Opmantek, we take pride in being solution focused, so let’s look at what you would need to solve the above problem. The solution is to have the right combination of tools, talent and design: you need the right people, in the right environment, armed with the best toolset. Opmantek can assist any business by having the right tools, regardless of business size. The tools have been designed with synergy in mind: they all integrate with each other, there is set-and-forget configuration, and full customisation is available if it is needed for your organisation. There are also APIs that help integrate with existing software, and the installation is made to be seamless.

The installation process is fast: the Virtual Machine can be up and running in 3 minutes and usable by your organisation just minutes after that. The flexibility of the software is seen when operating at scale or across regions, because the solution can scale horizontally and vertically to any size you require, regardless of geographic location. The software leverages agentless scripting, which removes the need to install software on every device while giving it the ability to generate incredible amounts of detail about your network. It is multi-tenanted out of the box and designed to be used for any device, any kit and anywhere. Our demo server is housed in the Gold Coast office, see below, and used across the world, without delay.

The ability to share information with key stakeholders is crucial for business and personal success. Without the right knowledge, bad decisions can be executed. The ability to see information is essential, but so are the business decisions surrounding editing information. Without strict control over access, there can be security risks, even if they are not deliberate. Having the flexibility to implement role-based access controls or creating view only dashboards is an extremely valuable feature that gives the right information to the right people.

In the example above, where we had the broken internet, the ability to recognize that there is an issue, the speed of recognition, the ability to detect the root-cause of the issue and the speed that the issue is resolved are metrics that a successful network team would like to increase while fixing the connectivity issues. There are horror stories in the industry about groups of servers going down and the event notifications being missed due to other issues. The ability to correlate events, intelligently analyze resource load and automate remediation will help a network team reduce the time to solve issues. Opmantek offers a sophisticated business rules engine, that automates diagnostics and actions in response to events and gives actionable insight with guidelines to remediation.

Gartner has long preached that if a process is conducted four times a year, it should be automated; here at Opmantek we value that insight and extend it. We believe in automated and customizable alert escalation procedures. Custom thresholding is an extremely valuable tool if used correctly; combined with alert escalation and notification procedures, it will reduce the stress of a network engineer, reduce the workload and move the focus from fighting fires to improving the overall efficiency of the network.

Businesses that are now operating in a bring your own device (BYOD) environment coupled with the Internet of Things (IoT) have seen unprecedented stress on their networks, specifically where there was never a focus on networking. As technology has progressed, so has a general business’s reliance on technology to complete simple tasks. With this increased reliance on IT for business operations, there is a growth in the necessity of choosing the right Network Monitoring solution.

Want to see the power of our Network Monitoring solutions?

Register for a demo today and get back your workday!
