Monday, August 25, 2014

Continuously Monitor Security Compliance: #2 on XYPRO’s Top 10 List of NonStop Security Fundamentals

Because high-availability and fault-tolerant systems need strong security

Alright, so let’s assume that you’ve followed the best practices described in items #3 to #10 of XYPRO’s Top 10 NonStop Security Fundamentals, as well as security recommendations from HP and other sources, and you’ve established strong security procedures for your HP NonStop system—how can you actually assess the strength of your security configuration and verify compliance with corporate policy, industry best practices and regulations, like PCI DSS or SOX? And equally important, how do you re-assess and maintain that strong security configuration over time as changes occur?

Those questions bring us to #2 on our Top 10 List:

#2: Continuously monitor security compliance

Defining a security policy and applying it to your system is essential to protecting your NonStop system and complying with government and commercial regulations. Of course, applying a security policy is not a one-time event. Managing system settings, access rules and security configurations is an on-going requirement that must account for new users, new objects, new rules or other system changes.

In a complex payments environment, for example, there may be thousands of security parameters that need to be measured, managed and reported to auditors. Manually monitoring and measuring security compliance is not really feasible: it is time consuming, resource intensive and prone to human error. XYPRO recommends a systematic approach using NonStop-specific compliance monitoring software. There are a few third-party vendor compliance solutions for the NonStop, including XYGATE Compliance PRO (XSW).

Whichever solution you choose, it should enable you to easily research the security on your HP NonStop server, report the information found, build policies that monitor the state of the security rules in your environment and compare your existing security against supplied PCI, SOX, HIPAA and standard best practice policy recommendations. Furthermore, the solution should allow you to analyze configuration data for security, audit and system management information in the current snapshot, compared over time or compared against a set of absolute rules. Of course, this compliance information is important to auditors (both internal and external) so the solution should have the ability to automate investigations and report generation for security and system configuration information.

An effective compliance monitoring program should include, at least, the following aspects:

• Monitor compliance with Corporate Security Policy and Standards.
• Systematically review security settings vs. NonStop best practices.
• Assess compliance with applicable government or industry regulations (e.g., PCI, SOX, HIPAA).
• Monitor security configuration changes.
• Enable security compliance alerting.
• Conduct periodic integrity checking of operating system and application object files to ensure that only authorized and tested versions are in use.
• Obtain file access maps for Safeguard, Guardian, and access management software, such as XYGATE Object Security (XOS) and XYGATE Access Control (XAC).
• Report compliance with key regulations (like PCI DSS, SOX or HIPAA) and your own information security policy.

A quick note on “Best Practices”: we’ve referenced them quite a bit in this article and throughout our Top 10 list, so what are NonStop best practices? NonStop best practices typically document the expected (i.e., recommended) value of a single characteristic of a single object. These best practices are positive system configuration parameters that can be measured and tested. For example, a best practice can consist of the following: “The Safeguard parameter NAME-LOGON must be set to YES”. While there are many sources of best practice information, a comprehensive resource for NonStop security information can be found in the books “Securing Your HP NonStop Server: A Practical Handbook” and “Securing HP NonStop Servers in an Open Systems World”.
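As an added illustration (not XYPRO's code and not the XYGATE Compliance PRO rule format), the three ways of using configuration data described above, rules of the form "attribute of object must equal value" checked against a current snapshot, a snapshot compared over time, and an object-file integrity baseline, in Python. Only NAME-LOGON=YES comes from the post; the other Safeguard attribute names, the expected values, the snapshot contents and the file names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:  # one best practice: the expected value of one attribute of one object
    obj: str
    attribute: str
    expected: str
    source: str  # the policy or regulation the rule comes from

# Constructed policy: NAME-LOGON=YES is the post's own example; the PASSWORD-HISTORY
# expected value is a placeholder, not a vendor or regulatory recommendation.
POLICY = [Rule("SAFEGUARD", "NAME-LOGON", "YES", "NonStop best practice"),
          Rule("SAFEGUARD", "PASSWORD-HISTORY", "10", "Corporate policy (placeholder)")]

# Constructed snapshots of Safeguard global settings: {object: {attribute: value}}.
PREVIOUS_SNAPSHOT = {"SAFEGUARD": {"NAME-LOGON": "YES", "PASSWORD-HISTORY": "10"}}
CURRENT_SNAPSHOT = {"SAFEGUARD": {"NAME-LOGON": "NO", "PASSWORD-HISTORY": "10",
                                  "AUTHENTICATE-MAXIMUM-ATTEMPTS": "3"}}

def check_absolute(snapshot, policy):
    """Compare a snapshot against absolute rules; one finding per violated rule."""
    findings = []
    for rule in policy:
        actual = snapshot.get(rule.obj, {}).get(rule.attribute)  # None if missing
        if actual != rule.expected:
            findings.append((rule.obj, rule.attribute, rule.expected, actual, rule.source))
    return findings

def diff_snapshots(previous, current):
    """Compare over time: every attribute that changed, appeared or disappeared."""
    changes = []
    for obj in sorted(set(previous) | set(current)):
        for attr in sorted(set(previous.get(obj, {})) | set(current.get(obj, {}))):
            old, new = previous.get(obj, {}).get(attr), current.get(obj, {}).get(attr)
            if old != new:
                changes.append((obj, attr, old, new))
    return changes

def check_integrity(object_files, approved_digests):
    """Object files whose SHA-256 differs from the approved baseline (unknown files included)."""
    return sorted(name for name, content in object_files.items()
                  if hashlib.sha256(content).hexdigest() != approved_digests.get(name))

# Constructed object files (byte strings stand in for binaries) and their tested baseline.
APPROVED_DIGESTS = {name: hashlib.sha256(data).hexdigest() for name, data in
                    {"$SYSTEM.APP.PAYSVR": b"tested build 1.2", "$SYSTEM.APP.BATCH": b"tested build 3.0"}.items()}
OBJECT_FILES = {"$SYSTEM.APP.PAYSVR": b"patched build 1.2",  # changed outside change control
                "$SYSTEM.APP.BATCH": b"tested build 3.0"}
```

Running the three checks on the constructed data flags NAME-LOGON as the one policy violation, shows the NAME-LOGON change and the newly appeared attribute as drift, and reports $SYSTEM.APP.PAYSVR as the object file that no longer matches its tested version.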

So, that’s #2: Continuously monitor security compliance. Ensuring compliance is a critical aspect of any IT security program and compliance monitoring solutions provide the means to systematically measure, manage and report on a complex and dynamic NonStop security environment.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #1. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

If you’d like additional information or help with NonStop security, please contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).
