Simplify Compliance by Implementing PAM: SOX, HIPAA, and PCI DSS
By: Arti Loftus
Originally published on InfoTech Spotlight
Regulatory compliance is becoming more challenging for all industries, but in the financial, payments, contact center, and healthcare industries the requirements are becoming even more intense, especially given the attacks on, and successful breaches of, mission-critical systems in these industries.
We caught up with Orhan Yildirim, CTO, Ironsphere, a Privileged Access Management (PAM) company based in New Jersey, to learn about the changes they are seeing and how PAM can help automate and deliver on compliance needs, including complex and expensive audits.
“Let’s start with the Sarbanes-Oxley Act,” Orhan Yildirim said. “Otherwise known as SOX, it is an important part of compliance challenges. We work with many large, global banks, and have addressed SOX at deep levels. The government has advanced the standard by requiring that board-level audit committees, rather than CEOs or CFOs, participate. This means that the mechanisms must be top tier, and the reporting clear and concise.”
With audit committee members “directly responsible for the appointment, compensation, and oversight” of the external auditors of public companies, SOX requires that no conflict of interest exist between audit committee members and the accounting firms hired to perform such audits.
“Accounting firms have a direct line of reporting to audit committees,” Orhan Yildirim explained.
The Public Company Accounting Oversight Board, which enforces SOX auditing standards, has warned public company accounting firms that they can no longer issue audit opinions that rely on work they did not perform themselves without establishing a basis for relying on that work or otherwise providing substantive evidence that they supervised it. They are also being asked to substantiate their opinions with evidence that internal controls are applied uniformly across the enterprise.
“Demand for our PAM solutions often comes from board members,” Yildirim said, “who understand how stressed their IT teams are, and wish to support them with better tools.”
A related standard is PCI DSS, short for the Payment Card Industry Data Security Standard. Unlike SOX, it is not a law but an industry standard, enforced through the card brands and the acquiring banks that contract with merchants.
“Given the ramping up of attacks on financial payments systems,” Orhan Yildirim said, “all banks that process the payment transactions associated with these cards are responsible for ensuring that merchants meet the standard or face severe penalties.”
Yildirim also said PCI compliance can be harder still when third-party providers and partners are involved. “PCI DSS applies not only to the primary business, but also to any platform that supports that business by accepting, storing, processing, or transmitting payment card data, including personal data from credit and debit cards. Any business partner or vendor that handles cardholder data or sensitive authentication data is classified as a PCI merchant and is required to comply. The large banks we work with are very well aware of their responsibility for the entire ecosystem they have built, which makes third-party PAM capabilities deeply valuable.”
PCI DSS requirements are intended to ensure that organizations:
• Build and maintain secure networks and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
“PAM is the first line of defense,” Orhan Yildirim said, “in complying efficiently to protect data and reputations every day, while also supporting audits as they come up. PAM must be able to ensure cardholder data can only be accessed by authorized users, with explicit approval for only the data needed to perform their job role. PAM solutions must enforce strong password management settings, track and record sessions, secure audit logs, and generally prevent the abuse of accounts.”
The third major compliance challenge is in the healthcare industry.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in the U.S. on August 21, 1996. One of its most important provisions is the mandatory safeguarding of all protected health information (PHI), including PHI stored or transmitted in electronic form (ePHI).
The reach of HIPAA’s provisions for safeguarding PHI was extended under the Health Information Technology for Economic and Clinical Health (HITECH) Act on February 17, 2009, and again on January 25, 2013, in HIPAA’s omnibus final rule.
Covered entities include health plans (such as health insurance companies), healthcare clearinghouses, and healthcare providers such as hospitals. Business associates that handle PHI on a covered entity’s behalf, such as medical billing services, are bound by the same safeguards.
“Organizations subject to HIPAA must ensure the confidentiality of all electronically protected health information created, shared and stored,” Orhan Yildirim said. “With COVID-19, we are seeing massive attacks from adversaries on healthcare systems, including those using non-HIPAA compliant platforms to deliver telemedicine during the crisis. While this is understandable, given the global health emergency, we are seeing a surge in demand for fully compliant systems moving forward.”
HIPAA’s requirements, in brief, are to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) created, received, maintained, or transmitted
- Regularly review system activity records, such as audit logs, access reports, and security incident tracking reports
- Establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process containing ePHI
- Monitor login attempts and report discrepancies
- Identify, respond to, and document PHI breach incidents, as well as properly notify specified parties
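The log-review and access-rights items above (and the PAM requirement, quoted earlier, to track sessions and secure audit logs) are usually met by a scheduled review that compares the audit trail against the documented access list and flags discrepancies. The following Python is an added example, not code from the article or from Ironsphere; the log format, the host names, the user names, and the access-rights table are all constructed for illustration. It parses a sample audit log, reports bursts of failed logins from one source, and reports successful logins to an ePHI system by a user whose documented right of access does not include that system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format for this example: one login event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Constructed example of the documented access rights (which users may log in
# to which ePHI systems). Hosts absent from this table are treated as non-ePHI.
ACCESS_RIGHTS = {
    "ehr-db01": {"dba_alice", "svc_backup"},
    "billing-app": {"jsmith", "dba_alice"},
}

# Constructed sample audit log; not real data. The last line is deliberately
# malformed so the review counts records it could not parse.
SAMPLE_LOG = """\
2020-04-02T08:00:01Z host=billing-app user=jsmith event=login result=success src=10.0.4.17
2020-04-02T08:02:10Z host=ehr-db01 user=bob event=login result=failure src=203.0.113.5
2020-04-02T08:02:31Z host=ehr-db01 user=bob event=login result=failure src=203.0.113.5
2020-04-02T08:02:52Z host=ehr-db01 user=bob event=login result=failure src=203.0.113.5
2020-04-02T08:03:14Z host=ehr-db01 user=bob event=login result=failure src=203.0.113.5
2020-04-02T08:03:40Z host=ehr-db01 user=bob event=login result=failure src=203.0.113.5
2020-04-02T08:04:05Z host=ehr-db01 user=bob event=login result=success src=203.0.113.5
2020-04-02T08:15:00Z host=ehr-db01 user=dba_alice event=login result=success src=10.0.4.21
2020-04-02T08:20:33Z host=ehr-db01 user=jsmith event=login result=success src=10.0.4.17
2020-04-02T09:00:00Z host=ehr-db01 user=dba_alice event=login result=failure src=10.0.4.21
not a log line
"""


def parse(text):
    """Return (events, unparsed_count). Unparsable lines are counted, not dropped silently."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events, unparsed


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, src, host) with at least `threshold` failures inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            failures[(e["user"], e["src"], e["host"])].append(e["ts"])
    findings = []
    for (user, src, host), stamps in failures.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"user": user, "src": src, "host": host,
                                 "count": end - start + 1,
                                 "first": stamps[start], "last": ts})
                break  # one finding per key is enough for the report
    return findings


def unauthorized_logins(events, rights):
    """Flag successful logins to an ePHI host by a user without a documented right of access."""
    return [
        {"user": e["user"], "host": e["host"], "src": e["src"], "ts": e["ts"]}
        for e in events
        if e["event"] == "login" and e["result"] == "success"
        and e["host"] in rights and e["user"] not in rights[e["host"]]
    ]


def review(text, rights=ACCESS_RIGHTS):
    """Run the periodic review and return the findings as a dict suitable for a report."""
    events, unparsed = parse(text)
    return {
        "events": len(events),
        "unparsed": unparsed,
        "bursts": failed_login_bursts(events),
        "unauthorized": unauthorized_logins(events, rights),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(f"{report['events']} events parsed, {report['unparsed']} unparsable")
    for f in report["bursts"]:
        print(f"BURST  {f['user']}@{f['host']} from {f['src']}: {f['count']} failures {f['first']}..{f['last']}")
    for f in report["unauthorized"]:
        print(f"ACCESS {f['user']}@{f['host']} from {f['src']} at {f['ts']} has no documented right of access")
```

On the sample data the review reports one burst (five failures for `bob` against `ehr-db01` from one address in under two minutes, followed by a success from the same address) and two undocumented logins to `ehr-db01` (`bob` and `jsmith`). The unparsable-line count matters in an audit context: a review that silently skips records it cannot read cannot claim to have reviewed the full log.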
“By implementing a quality Privileged Access Management (PAM) solution, enterprises and organizations can address multiple needs in a unified and efficient way,” Orhan Yildirim said. “Not only can overburdened IT teams protect what they connect, but they can prove regulatory compliance by automating more controls and being able to generate alerts, reports, and audit materials, should their organization face a regulatory review. There has never been a more important time for complying with regulations, nor a more important time for IT teams to use productivity tools so they can keep up with these new pressures.”
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, more ecosystem partnerships, and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades. It adds a step after the username and password are entered, for example entering a one-time security code sent to a mobile device, before access to applications, systems, and data is granted.