Ultimately, most compliance mandates – PCI DSS, HIPAA, SOX, GLBA, and others – are about protecting one type of data, not necessarily all business data, or all aspects of the systems that store, transmit and process.  In some cases, the target is credit and debit card data (PCI DSS), protected healthcare information (HIPAA), or consumer data (GLBA).  In other cases, it’s a specific type of data, such as financial reports (SOX), and only one aspect of that data (in the case of SOX, integrity of the data… not so much confidentiality or availability).

Regardless of the regulation, their goal is to function as a starting point for a security program that minimally meets their requirements, but is further augmented with additional policies, standards, procedures and controls to protect all valuable assets within the organization.  In order to protect sensitive data from either internal or external threats, it’s important that systems and processes are developed to achieve not only these minimum regulatory requirements, but the additional objectives that make a full-blown security program – which is actually much is harder than it sounds.  Proving either can also be a real challenge for many organizations.

From a compliance perspective, you “can check all of the boxes” to demonstrate that you’re meeting a regulatory standard, but that doesn’t mean that your entire infrastructure is secure.  Take Stuxnet, for example, which targeted the industrial software running on Siemens PLCs (programmable logic controllers).  While energy-related organizations could comply with all of the necessary network security regulations relating to their industrial systems (such as the NERC CIP standards), that won’t stop a Stuxnet-style attack that enters the infrastructure via another part of the network that slowly – but surely – makes its way to its intended target.  In the case of Stuxnet, it was Siemens PLC units.

Ensuring information security and regulatory compliance isn’t easy.  It often requires different data sets to be analyzed and recorded – creating additional work for already stretched information security professionals.  Fortunately, there are some basic, overlapping components to many regulations that also happen to be fundamental aspects of good security practices:

• Visibility into all security-related data (not just one type of data, like logs/events)
• Correlation of data to determine when bad things are happening
• Demonstration of improvement in compliance and security posture over time
• Quantitative risk monitoring to identify systems that are at-risk
• Easy reporting to demonstrate both compliance and network security

Wouldn’t it be nice if there was a way to capture all your network security data from across an entire Enterprise network in real time and report against different subsets – not just from today, but yesterday… or last week… or perhaps last month in order to evidence network security or compliance with regulatory mandates?

Somebody ought to develop a platform like that…

“eIQnetworks already correlates data from more data sources than any other solution on the market, and for that reason SecureVue is uniquely positioned to identify sophisticated in-progress attacks or vulnerabilities that log-only solutions will miss,” said Vijay Basani, eIQnetworks’ CEO. “With the ComplianceVue packages, eIQ now offers a turnkey solution for comprehensive compliance reporting across a broad range of security data including events, configuration data, vulnerabilities, and network flows, proving again that ‘log data is not enough’ to properly prove adherence to regulatory rules.”

The new ComplianceVue packages include a SecureVue Central Server, and the associated compliance reporting modules and dashboards required to provide necessary documentation for regulatory-driven audits. Reporting is effortless, and section-specific compliance reports are directly linked to appropriate rules and requirements of each supported regulation, best practice, or standard. Interactive dashboards provide real-time views into key compliance metrics, and provide drill-down into underlying data to support comprehensive internal and external auditing needs.

For more details and benefits on the new ComplianceVue package, check out the full press release on the eIQ site: “eIQnetworks Introduces ComplianceVue Packages for PCI, NERC and HIPAA to Streamline Regulatory Compliance Reporting”