Compliance

Meet and validate complex regulatory compliance requirements with no effort on your part, in an efficient and cost-effective manner.


The ClearSkies™ Big Data Advanced Security Analytics Platform’s unique capabilities empower you to effortlessly meet, accelerate and validate compliance with regulatory requirements related to cybersecurity. It is specifically designed at its core to provide the functionalities and features that enable you to comply with the industry-leading Standards ISO 27001, PCI DSS, SWIFT, FISMA, HIPAA and GDPR.

The ClearSkies™ Secure Web Portal’s user-friendly centralized interface allows you to

  • effortlessly navigate the requirements of the Standards and Regulations,
  • define their scope,
  • review their status, and
  • identify actions for timely remediation.

Real-time monitoring through customizable dashboards and reports provides a broad compliance overview, making it easy to spot gaps and manage them appropriately, while keeping a full audit trail of compliance administration. Out-of-the-box reports help you meet, validate and demonstrate compliance to the appropriate regulating bodies. This supports compliance with each requirement separately and gives you full control over your compliance status.

Furthermore, ClearSkies™ Big Data Advanced Security Analytics Platform features secure collection and consolidation of log data (data in transit is encrypted and masked for security and confidentiality) together with File Integrity Monitoring (FIM), for maintaining an audit trail of who did what and where.

Additionally, it analyzes the collected log data with in-depth User & Entity Behavior Analysis (UEBA), Artificial Intelligence, predictive and Machine Learning models for early detection of and response to targeted attacks and data breaches before it is too late.

Finally, automated alerting channels enable quick notifications on your compliance status as well as security incidents, helping you to address notification obligations and to timely coordinate responses.

Supported regulatory compliance requirements

The General Data Protection Regulation (GDPR) (Regulation EU 2016/679) aims to harmonize and modernize data protection regulations for the citizens of the European Union (EU) with respect to privacy and security. It increases their rights regarding their personal information.

The GDPR affects all organizations that collect and/or process EU citizens’ personal information. Should they fail to meet and demonstrate GDPR compliance, hefty fines may apply, of up to €20 million or 4% of annual turnover, whichever is greater.


General Data Protection Regulation

GDPR

Article 25

Article 25 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing…

Article 28

Article 28 Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation…

Article 30

Article 30 Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (a) the name and contact details of the controller and, where applicable…

Article 32

Article 32 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons…

Article 33

Article 33 In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55…

Article 34

Article 34 When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Article 39

Article 39 The data protection officer shall have at least the following tasks: (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation…

Article 58

Article 58 Each supervisory authority shall have all of the following investigative powers: (a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks; (b) to carry out investigations in the form of data protection audits

Article 59

Article 59 Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament…

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements designed to ensure that all organizations that store, process and/or transmit cardholder data operate in a secure environment. Organizations that fail to comply with the PCI DSS, and have the security of their card payment process compromised may face hefty penalties and fines. In addition, merchants whose card payment process is not PCI DSS compliant, run the risk of losing their ability to accept credit card payments.

To comply with the PCI DSS, organizations must manage access control, encrypt cardholder data, and audit cardholder data at rest across an array of intricate requirements. Resource shortages and the considerable ongoing administration that grows with the volume of yearly transactions on your PCI network make achieving PCI DSS compliance a challenge.


Payment Card Industry Data Security Standard

PCI DSS

10.5.5

10.5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.

11.5 (a, b)

11.5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities.

Examples of files that should be monitored:

  • System executables
  • Application executables
  • Configuration and parameter files
  • Centrally stored, historical or archived, log and audit files
  • Additional critical files determined by entity (for example, through risk assessment or other means).

11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.

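The change-detection mechanism that PCI DSS 11.5 describes works by hashing each critical file into a baseline and, on every later run, classifying differences as changes, additions or deletions and raising an alert for each. The following is an added example written for this page, not code from the original page and not ClearSkies’ own File Integrity Monitoring implementation; it builds a baseline with SHA-256, compares it against a fresh snapshot, emits one alert per event, and checks whether the last comparison is older than the weekly limit of 11.5.b. The directory tree, file contents and dates are constructed inline for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# PCI DSS 11.5.b: critical-file comparisons must run at least weekly.
MAX_COMPARISON_INTERVAL = timedelta(days=7)


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so archived logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root as {relative POSIX path: sha256}."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences as 11.5.b lists them: changes, additions, deletions."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def alerts(diff: dict) -> list:
    """One alert line per event, ready for whatever notification channel is used."""
    return [f"FIM ALERT {kind.upper()}: {p}"
            for kind in ("changed", "added", "deleted") for p in diff[kind]]


def comparison_overdue(last_run: datetime, now: datetime) -> bool:
    """True when the last comparison is older than the weekly limit."""
    return now - last_run > MAX_COMPARISON_INTERVAL


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, compare again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original executable")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "audit.log").write_text("2024-01-01 login ok\n")
        baseline = build_baseline(root)

        # Simulated unauthorized activity: a config change, an unexpected new
        # executable, and a deleted audit log (all three event types of 11.5.b).
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "unexpected").write_bytes(b"\x7fELF new executable")
        (root / "etc" / "audit.log").unlink()
        diff = compare(baseline, build_baseline(root))

    # Schedule check with constructed dates: a comparison 8 days old breaches
    # the weekly requirement, one exactly 7 days old does not.
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    return {
        "diff": diff,
        "alerts": alerts(diff),
        "overdue_after_8_days": comparison_overdue(now - timedelta(days=8), now),
        "overdue_after_7_days": comparison_overdue(now - timedelta(days=7), now),
    }


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

In a real deployment the baseline would be stored outside the monitored host (or signed), because a baseline an attacker can rewrite after tampering detects nothing; the same point underlies 10.5.5, which asks for change detection on the logs themselves.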

ISO 27001 is the internationally recognized Standard for Information Security designed to provide organizations with a comprehensive framework and best practice guidance towards implementing an Information Security Management System (ISMS). ISO 27001 can be implemented in any kind of organization, small or big, profit or non-profit, private or state-owned. The Standard itself is supported by a certification framework through which organizations can be certified and be subject to an audit by an authorized body.


International Organization for Standardization

ISO 27001

A.12.4.1 Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
A.12.4.2 Logging facilities and log information shall be protected against tampering and unauthorized access.
A.12.4.3 System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) ‘Customer Security Controls Framework’ consists of 16 mandatory controls, such as multifactor authentication and continuous monitoring, and 11 recommended controls, including vulnerability scanning, introduced in response to large-scale cyberattacks against financial institutions. It is enforced for all SWIFT member banks across 200 countries, and compliance with these controls is transparent among members through the entire SWIFT messaging platform. The Standard includes controls for securing the organization’s environment, limiting access to relevant data, knowing who accessed what and when, and detecting and responding to cyberattacks.

Society for Worldwide Interbank Financial Telecommunication

SWIFT

2.1

2.1 Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related application-to-application and operator-to-application data flows. Protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit.

2.4

2.4 Confidentiality, integrity, and mutual authentication mechanisms are implemented to protect data flows between back office (or middleware) applications and connecting SWIFT infrastructure components. Protection of data flows between the back office (or middleware) and the connecting SWIFT infrastructure safeguards against man-in-the-middle, unintended disclosure, modification, and data access while in transit.

2.5

2.5 Sensitive SWIFT-related data leaving the secure zone is encrypted. Encryption of sensitive data leaving the secure zone protects against unintended disclosure of the data when it is extracted from its normal operating environment.

The Health Insurance Portability and Accountability Act (HIPAA) is a set of 154 regulatory requirements that mandates how private organizations must handle electronic protected health information (ePHI) with respect to security and privacy. It applies to any organization that handles personal healthcare information, due to its sensitive nature. This includes hospitals, clinics and insurance companies, all of which must comply with HIPAA when transmitting, processing and storing ePHI. Failure to comply may result in legal and financial damages, as well as a compromised business reputation.

Health Insurance Portability & Accountability Act

HIPAA

§164.312.c.2


§164.312.c.2 Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. 

§164.312.e.2.i

§164.312.e.2.i Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. 

The Federal Information Security Management Act (FISMA) is a regulatory framework for US federal agencies, defined specifically for the cybersecurity of government information, systems, operations and assets. It holds agencies responsible for taking steps towards information security from human threats, as well as natural disasters. This means adopting cost-effective policies and procedures for ensuring an acceptable information security risk level against unauthorized access, use, disclosure, disruption, modification or destruction of data, thus maintaining integrity, confidentiality and availability.


Federal Information Security Management Act

FISMA

AU-10 (1)

AU-10 (1) This control enhancement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. 

AU-10 (3)

AU-10 (3) Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release/transfer function, the information system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, this control enhancement provides organizational officials the means to identify who reviewed and released the information. In the case of automated reviews, this control enhancement ensures that only approved review functions are employed. 

SI-4 (4)

SI-4 (4) Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. 

SI-4 (5)

SI-4 (5) Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.

SI-4 (12)

SI-4 (12) This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats).

SI-4 (16)

SI-4 (16) Correlating information from different monitoring tools can provide a more comprehensive view of information system activity. The correlation of monitoring tools that usually work in isolation (e.g., host monitoring, network monitoring, anti-virus software) can provide an organization-wide view and in so doing, may reveal otherwise unseen attack patterns.

CM-4 (2)

CM-4 (2) Implementation in this context refers to installing changed code in the operational information system.

SI-7 (2)

SI-7 (2) The use of automated tools to report integrity violations and to notify organizational personnel in a timely manner is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers.

SI-7 (3)

SI-7 (3) The organization employs centrally managed integrity verification tools. 

SI-7 (8)

SI-7 (8) Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations.