Technology Features:
Manages Up to 50 Login Records Simultaneously
Generates Cryptographically Strong Passwords
Complies with All DoD, Govt. & Industry Password Security Policies
Manages Root and Group Passwords
Approved, Trusted Technology; Recoverable
Enterprise Grade - Pre-Configurable for User
Flexible Design
Multi-Layer, Defense-in-Depth Approach
From Tactical to Practical
Enterprise grade password management tokens with a U.S. Military pedigree. Mandylion technology was matured under a Department of Defense research program seeking practical solutions to a modern war fighter's problem: password overload. The solution? An uncannily simple, inexpensive key chain sized token which aids in the generation and secure management of any password-based login record.
A Password Security Policy & Compliance Management Tool
Sarbanes-Oxley Compliance? Gramm Leach Bliley? HIPAA? FACTA? FISMA? Regulations now mandate reporting on controls that safeguard the enterprise’s computing systems. Merely having a policy in place is no longer adequate. Management and Governmental entities must now certify that these policies and controls are also operating effectively.
Strong Password Policy
The first security barrier to an organization’s IT infrastructure is its access control system. In fact, security is synonymous with access control. Any encounter with a modern information system begins with a screen prompt for user-ID and password. Most organizations, however, do a better job at crafting their vacation and expense reimbursement policies than they do their password policies. An excellent example of a well written password policy is available from the SANS Institute.
Sarbanes Oxley & Passwords
Compliance with the Sarbanes-Oxley Act of 2002 is a major concern and top priority to the CEOs, CFOs, Boards of Directors, and Audit Committees of public companies, as well as to auditors, accountants, attorneys and regulatory governing bodies. A significant amount of attention is currently focused on Section 302 (Disclosure) and Section 404 (Internal Controls). Because the Section 404 attestation begins as an audit, the auditors look to existing security policies. In the face of rapidly expanding vulnerabilities, new and exotic exploits, growing internal and external threats and rapidly changing technology platforms, most organizations have been slow to update their documented system security policies. The problem is that auditors begin with the policies as they exist today. An organization that has not updated its policies is left scrambling to grab whatever is available. Too often this legacy approach to system security leads to bad decisions and then bad procurements.
Security experts have long recommended that computer users choose hard-to-break passwords and change them frequently in order to frustrate hackers. Now, those recommendations are being newly forced on millions of U.S. workers in the name of preventing financial fraud under the Sarbanes-Oxley corporate-reform act.
No matter that Sarbanes-Oxley doesn't actually require changing passwords: In the name of those "internal controls," auditors and consultants are prodding companies to require that employees pick tougher passwords, and change them more frequently.
Sarbanes-Oxley Sections 302 and 404 are designed to ensure information required to be disclosed is initiated, processed, recorded, and reported, and that management has assessed the effectiveness of internal controls regarding the reliability of financial reporting. Successful compliance with Sarbanes-Oxley Sections 302 and 404 requires considerable organization and focus.
CEOs and CFOs of public companies must:
Certify that they have reviewed financial statements and each annual or quarterly report.
Certify that each such report fairly represents the company's financial condition.
Certify that they have established and are maintaining internal controls.
Ensure the effectiveness of such internal controls every quarter.
Address significant changes in internal controls or other factors that could significantly affect such controls.
Identify corrective actions taken regarding deficiencies/weaknesses in controls.
Disclose any significant deficiencies in internal controls and/or any fraud involving persons with a significant role in upholding such controls.
FISMA & Passwords
The goal of FISMA is to have federal agencies define and architect the required security mechanisms within IT initiatives that support and enforce security planning, testing, and evaluation. FISMA creates a defined architecture for reporting information security incidents within the federal government. The Act takes a very stringent approach towards a defined systems process for computer security. This process is a new effort for many federal organizations. FISMA directs each agency to designate a Chief Information Officer who will be responsible for the organization’s information security program, as well as an Inspector General (IG) or independent auditor to perform the required annual security assessments.
FISMA compliance requires initial and regular risk assessments and management reviews. Organizations must begin the FISMA process with an organizational risk assessment and then implement the required information security controls to address the risks identified in their organization.
FISMA also codifies the following:
The ultimate responsibility for information security rests with the head of each Agency;
Establishes the Chief Information Officer (CIO) of each Federal agency as the focal point for information security;
Requires the CIO to develop and maintain an Agency-wide information security program and to designate and empower a chief information security officer (CISO);
Mandates that each Agency report annually to OMB and Congress on the Agency’s compliance with the Act;
NIST plays a role in setting IT security standards and guidelines;
The requirement that every Agency compile and maintain an inventory of its major systems.
FACTA & Passwords
The Federal Trade Commission (FTC) and The Federal Deposit Insurance Corporation (FDIC) are the principal Federal Agencies that were chartered to create regulations in response to the FACTA legislation. From a consumer perspective, the most notable work done by the FTC was the establishment of the National Fraud Alert System, a powerful tool to help a consumer fight and limit the damage done to their credit by an identity theft breach. The legislation also called for each Agency to play an educational role in helping consumers understand and protect themselves against the risk of Identity Theft happening to them.
The FTC consumer education site, www.ftc.gov/infosecurity, provides consumers with a comprehensive plan for minimizing their risk of ID Theft. Using strong passwords is the first tip the FTC offers. The site www.consumer.gov/idtheft provides consumers with a one-stop shop of the steps they should take if they become a victim of ID Theft.
The FDIC consumer education site, www.fdic.gov/consumers/consumer/alerts/index.html, provides consumers with a list of items that help them avoid “phishing scams” as well as ID Theft.
The FDIC site quotes Eloy Villafranca, an FDIC Community Affairs Officer, in offering consumers and businesses tips on ID Theft. Her tips are: “Use passwords that will be hard for hackers to guess.” “Also, shut down your PC when you are not using it.” “Don't believe that you are safe if you merely log off the Internet,” she adds. “Hackers can still get into your computer as long as there is power going to the PC.”
The FDIC site also offers “Ten Simple Things You Can Do to Fight Fraud”. The number one item on that list is: PASSWORDS, make them strong and keep them secure.
HIPAA & Passwords
The push for standardization of diagnostic codes and increasing computerization of patient information, combined with increasing transfers of that information between relevant parties, poses many new security and privacy risks that never existed before. In recognition of this increased risk, the drafters of this legislation included provisions for the regulation of information privacy and information systems security. As of April 2003, the regulations have been finalized and formally adopted, and all health care organizations that maintain or transmit electronic health information are required to comply by April 2005. Smaller healthcare organizations have until April 2006 to achieve compliance.
The HIPAA rules are basically privacy regulations that outline how the healthcare industry and its business partners must protect patient data. Although the spirit of the HIPAA privacy protections for health information requires changes in both procedures for handling health information (staff and management issues) and technical safeguards for information stored or transmitted electronically, the implementation of these protections has been broken out into a set of Privacy Rules (enforced beginning in April 2003) and a separate set of Security Rules (enforced beginning in April 2005).
To meet the initial Privacy requirements, it is essential to obtain training for all staff, create required documents (such as your Privacy Policy and Procedures manual and Notice of Privacy Practices) and begin logging information releases and other HIPAA-related activity. Among other things that you do to prevent unauthorized persons from having access to protected health information, you should implement real password protection. You should change any default or common passwords, and you should require that all users select and use a secure password to gain access to systems. Passwords that are common knowledge within an office are not secure, nor are passwords written on scraps of paper taped to the monitor.
HIPAA has a general requirement that those working in a medical setting should have access to only the information necessary to do their jobs. Some have interpreted this standard to mean that users must use secure personal identifiers (such as ID codes and passwords) to access software containing protected information and that the software should provide for display or suppression of data based on the person's role in the organization. Compliance with these HIPAA security rules is not mandatory until 2005.
GLBA & Passwords
Although primarily a set of banking laws and regulations, there are significant privacy requirements flowing from GLBA that affect almost every business. These are called the “Privacy Provisions” of the Act. There are two principal parts to these Privacy Provisions: the Financial Privacy Rule and the Safeguards Rule.
The Financial Privacy Rule
The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information. The Privacy Rule came out in May 2000. This rule described, in detail, the different types of notices that were required to describe an institution's practices with regard to information sharing. The deadline for complying with this Rule was July 1, 2001.
The Safeguards Rule
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies – that receive customer information from other financial institutions. This rule described the required elements that organizations needed to include in their Comprehensive Information Security Program. The deadline for this Rule was May 23, 2003.
The Safeguards Rule requires organizations to develop, implement and maintain a "comprehensive written information security program". This written program must contain administrative, technical and physical safeguards to protect customer information. This means strong password policies.
To develop the program an organization undertakes a risk identification and assessment process to identify reasonably foreseeable internal and external risks that threaten the security, confidentiality and integrity of customer information. If current safeguards are judged inadequate, new protective measures must be immediately planned for and implemented. For many corporations, the program will include such things as the need for locks on desks and file cabinets, protection of customer data on laptops via the use of strong passwords that are changed on a regular basis and the adequacy of security measures at the "home offices” for their telecommuters.
The regulations state that the safeguards should be appropriate to the size and complexity of your operations. This suggests that smaller, less complex companies will have a lighter compliance load than their larger counterparts. That is a misrepresentation, as a comprehensive written information security program for any entity, large or small, is a formidable task.
The GLB Act gives authority to multiple Federal Agencies and the States to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns (CPAs, lawyers), providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities.
Presented below is a summary of the Federal Agencies with regulatory authority flowing from the GLBA:
Federal Trade Commission (FTC) - The catchall authority. The FTC has authority over any financial institution or “other person” that is not subject to the jurisdiction of any agency or authority covered elsewhere in the Act.
State Insurance Authority of any State - Any person engaged in providing any type of insurance.
The remaining six Federal Agencies with GLBA Enforcement Power:
Office of the Comptroller of the Currency - Power to enforce the Act’s provisions on National banks, Federal branches of foreign banks and their subsidiaries.
Board of Governors of the Federal Reserve System - Power to enforce the Act’s provisions on Federal Reserve System member banks, foreign banks, bank holding companies and any subsidiaries or affiliates of these institutions.
Board of Directors of the Federal Deposit Insurance Corporation (FDIC) - FDIC insured banks, State branches of foreign banks and their subsidiaries.
Director of the Office of Thrift Supervision - Savings associations and their subsidiaries insured by the FDIC.
Board of the National Credit Union Administration - Any federally insured credit union, and any subsidiaries of such an entity.
Securities and Exchange Commission (SEC) - Any broker or dealer, investment company, or registered investment adviser.