Blog posts tagged with 'compliance'
Everybody has heard the stories and wants to believe them - but there's no such thing as a "PCI Compliant" product*.
People are constantly asking the question: Is "Product X" PCI compliant? The short answer is: No.
The long answer requires some careful explanation.
PCI sets forth 12 major requirements for an organization to meet; meeting those requirements culminates in an attestation of compliance. The PCI auditor verifies that the intent of each requirement has been met, and compliance is granted. (Yes, that oversimplifies a very complex set of processes, but the outcome is the same: the organization, not any product, is deemed compliant or not.)
But, what about the products that are used to support organizational PCI compliance? Network firewalls, antivirus, IDS/IPS, and application firewalls are listed in the PCI specification as core products whose functionality is required to obtain PCI compliance. Don't these products have to be certified as compliant? No, there is no provision for product compliance in the PCI DSS v1.1 specification.
So, given that PCI doesn't directly certify products, what should an organization do to provide audit assurance that products can be used for the intended PCI purpose?
- Verify vendor claims - just because a salesperson says it doesn't make it true. Ask for the evidence behind the claim, and test the product's behavior against the specific PCI requirement it is supposed to satisfy.
- Rely on trusted third parties - organizations like ICSA Labs, NSS Labs, WASC and OWASP publish detailed product capability matrices, testing and certification criteria, and comparative data.
- Discuss concerns with your auditors - because PCI auditors make the final decision on compliance, they should be involved in key product decisions leading up to the certification event, not presented with the result afterwards.
There have been some wild claims with PCI - including the notion of "PCI certified products." When faced with conflicting information, work with trusted vendors and partners, press your auditor or PCI QSA for the documented facts, and escalate ambiguity as necessary through to the PCI Security Standards Council.
With factual information and proper actions, we can all help PCI reach its lofty goal: Increase trust in credit card usage by holding merchants to a high standard - the PCI DSS.
PCI Backgrounder
PCI DSS, the Payment Card Industry Data Security Standard (or simply PCI), specifies the security requirements that organizations handling credit card data must meet. If your organization stores, processes, or transmits credit card data, PCI applies to you. The PCI Security Standards Council maintains and publishes the standard at www.pcisecuritystandards.org.
*Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at https://www.pcisecuritystandards.org/pin/pedapprovallist.html. PEDs are the only products that carry PCI SSC approval, and that approval covers the device itself, not the compliance of the organization deploying it.
In my previous SmartAuditor blog post, I described how SmartAuditor works and its benefits for improving security and regulatory compliance. Well, guess what? Recently, a major healthcare company (obviously heavily regulated under HIPAA) with tens of thousands of employees shared with me their thoughts, experiences, and main use cases for our SmartAuditor technology. In addition to providing care and services, this healthcare company partners with numerous nursing homes, hospitals and other healthcare organizations in the United States. The interesting part is that the more I talk to customers about SmartAuditor for recording ICA sessions, the more interesting the use cases get. So here's their success story.
Background
This customer offshores most of their development to India, has employees and non-employees accessing production systems remotely on a daily basis and wanted to monitor what those users were doing, and needed to deliver custom applications faster. They have been using SmartAuditor since it was released as a beta a little over two years ago.
The Challenges
The main challenges for this customer were:
- How to track and monitor IT change control?
- How to ensure employees comply with company policies?
- How to allow offshore developers to see user interaction with custom applications in QA and test environments?
Use Case #1: IT change control management
The customer had a lot of employees and non-employees logging in remotely to production systems on a daily basis and wanted to monitor them and ensure they were compliant (especially tracking the activity of offshore users). To improve security and compliance, they set up a secure portal using Citrix Access Gateway and turned on the SmartAuditor capabilities of Citrix XenApp. Now, any time a developer, employee or non-employee accesses a production system through the portal, the ICA session is recorded, giving the customer a reviewable record of who did what and when, and evidence that users are following company policies.
Use Case #2: Rapid application delivery
Like most businesses, this customer has some fragile and complex applications, and users who struggle with them. So instead of releasing an application into production and then having the help desk try to diagnose problems from user phone calls, this customer moved SmartAuditor earlier in the process. They turned SmartAuditor on before the application was fully delivered into production, released the application only to their test users, and built a list of issues from the recorded sessions. Then, using the rapid playback and bookmarking capabilities of SmartAuditor, the developers could see exactly what the user did, quickly diagnosed what was wrong with the application and made the changes. The main benefits for the customer were that they delivered the application to market quicker and that the application was clean on release. As a result, they minimized help desk calls and problem resolution time for this application.
The Benefits
The main benefits for this customer were:
- Enhanced auditing for improving compliance
- Encouraged employees to comply with company policies. The customer is watching and recording. People log in, get out, and stick to the script.
- Improved the quality of the application development process by visually seeing problems and accelerating time-to-resolution
- The rapid playback and bookmarking capabilities saved time. Experts were able to find the issues and solve them right away.
The Results
- Low storage requirements
- With SmartAuditor, compression over a period of time was very good. The customer has been using SmartAuditor for over 2 years. In that period they recorded 8,222 sessions, which required only 43GB of storage space. On average, that's roughly 5.2MB per recorded session. Wow!
- Excellent performance when recording and reviewing sessions
- Faster application delivery and better user acceptance
How are you using SmartAuditor? What has been your experience with this feature of XenApp?