SSH Keys for Compliance, Regulations, Audit
Organizations in regulated markets and industries (finance, banking, energy, healthcare) continue to face major regulations, standards and laws that impact their operations. These regulations cover all aspects of an organization's operations, including trusted access to IT resources. Many customers of SSH Communications Security are driven by the compliance mandates that these regulations put forth, and our SSH key management offering addresses those compliance requirements.
This page summarizes a few of the regulatory directives whose requirements compliance, risk and audit professionals struggle to keep up with and satisfy:
PCI DSS 3.1
Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit card information (VISA, MC, AMEX, Discover, JCB). PCI DSS is an actionable framework for developing robust payment card data security processes.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is the Health Insurance Portability and Accountability Act, passed by Congress in 1996. HIPAA does the following:
Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
Reduces health care fraud and abuse
Mandates industry-wide standards for health care information on electronic billing and other processes
Requires the protection and confidential handling of protected health information
Sarbanes–Oxley Act (SOX)
The Sarbanes–Oxley Act is an example of a government-driven act that requires publicly traded financial organizations to attest annually to the effectiveness of their internal controls. The Sarbanes–Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act” (in the US Senate) and the “Corporate and Auditing Accountability and Responsibility Act” (in the House), and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms.
Basel II and III
The Basel accords comprise a set of international standards for the capital reserves banks must maintain in order to weather the potential consequences of financial and operational risks. The Basel committee determined that IT governance, risk and compliance (GRC) plays a crucial role in determining risk-adjusted capital reserve requirements.
Secure Shell plays a vital role in IT operations. In the highly automated data centers of today, Secure Shell also enables automated data transfers, backups, cloud provisioning, log management, system health monitoring and so on. The Basel mandates contain objectives for IT security that include requirements that pertain to Secure Shell.
NISTIR 7966
NISTIR 7966 details what an organization needs to know about the SSH protocol and the security of interactive and automated access management using SSH: its widespread usage and how to manage SSH deployments according to industry best practices. Learn more about how the guidelines will help your organization manage and control SSH user keys.
SANS CIS Critical Security Controls
The SANS CIS Critical Security Controls are a recommended set of actions that provide specific and actionable ways to stop today’s most pervasive and dangerous cyber-attacks. These controls prioritize a smaller number of actions with high-yield results.
Large-scale ICT environments employ large numbers of servers, routers, switches, database and application servers, and other networked systems. These systems are maintained and administered with the SSH protocol and a software suite that provides secure administrative login, application tunneling, and secure file transfer. The SSH protocol is a standard component of every server and networked device.
Statement on Standards for Attestation Engagements 16 (SSAE-16)
Statement on Standards for Attestation Engagements 16 is an auditing standard for service organizations. SSAE 16 was drafted with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard, ISAE 3402. SSAE 16 also establishes a new attestation standard called AT 801, which contains guidance for performing the service auditor’s examination.
Federal Financial Institutions Examination Council (FFIEC)
The Federal Financial Institutions Examination Council is a formal U.S. government interagency body that includes five banking regulators: the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). It is “empowered to prescribe uniform principles, standards, and report forms…to promote uniformity in the supervision of financial institutions”.
NIST Cybersecurity Framework
Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.
ISO/IEC 27001 Information Security Management
The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS).