When the information security staff, compliance officers and legal counsel say to bring the systems into IT compliance, what should Windows administrators do?
The best way to address privacy and data protection compliance is to look at the applicable laws and find their common requirements. That is more effective than addressing IT compliance requirements piecemeal, one law at a time.
To start, administrators should identify the requirements that recur across all the applicable laws, regulations, standards and contracts, and map them in a matrix that can be used for easy reference.
Table 1 lists many -- but far from all -- of the activities a Windows administrator can do to support compliance throughout the indicated laws and standards.
Table 1: Windows Server common data protection legal requirements
[TABLE]
Legend
This matrix may look slightly different from organization to organization, so it's helpful to review this table with your legal counsel and information security department. Whether or not your enterprise decides to engage in all these compliance activities will depend on your own requirements and your lawyer's interpretation of the law as it applies to your organization.
Enable system events (logging) in Windows -- Almost every data protection law, regulation and standard requires that organizations be able to determine who has accessed personally identifiable information (PII) along with the details around that access.
Log successful access attempts to PII and mission critical resources -- Even if individuals have authorized access to network resources, organizations must be able to determine when they used that access and what they did with it.
Make data backups -- Ensure the availability of PII and other mission-critical resources. Windows administrators must make backups of PII and related data to comply with availability requirements.
Establish access controls based upon job responsibilities -- A common data protection legal requirement is to restrict access to Windows and other network resources to only those users who have a specific business need to have that access.
Require authentication -- Across the board, laws, regulations and industry standards require organizations to implement authentication that allows only one person to use each user ID. Authentication not only establishes accountability for access activities but also makes it possible to determine when individuals have been in systems that contain PII.
Encrypt PII -- No laws or regulations that I am aware of explicitly require PII to be encrypted. However, most list encryption as a method of protecting PII that organizations must consider. A number of regulatory oversight guidance documents also encourage organizations to encrypt PII. Additionally, PCI DSS requires encryption in certain situations. Windows administrators should encrypt PII whenever possible.
Restrict inbound Internet traffic -- Many data protection legal requirements advise organizations to establish barriers into the corporate networks from outside public networks. For example, PCI DSS specifically states in Requirement 1: "All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees' Internet-based access through desktop browsers or employees' email access."
Lock accounts after three consecutive unsuccessful login attempts -- Some regulations, laws and industry standards require user accounts to be locked after a specific number of unsuccessful attempts, such as six within PCI DSS. Others require accounts to be locked according to best practices, such as those indicated within NIST documents, which specify a lockout after three unsuccessful attempts. Locking after three satisfies both.
Implement tools to prevent malicious code attacks -- Many data protection legal requirements specify that organizations must implement technologies and procedures to guard against, detect and report malicious code. Windows administrators must ensure that up-to-date antivirus and malicious code prevention systems are implemented and appropriately managed.
Implement intrusion detection and incident monitoring tools -- Most data protection legal requirements indicate that organizations must implement tools and procedures to prevent network intrusions. For example, GLBA requires organizations to implement -- based upon the results of risk analysis -- intrusion-detection and incident-monitoring tools to be used for "detecting, preventing and responding to attacks, intrusions or other systems failures."
Unify your compliance activities -- By implementing a core set of controls, Windows administrators can help their organizations meet compliance with numerous applicable laws, regulations and industry standards.
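The following is an added example, not code from the original article, that applies the core set of controls above on a single Windows server with PowerShell: it enables file-system audit logging, restricts a PII folder to a job-role group while auditing every successful and failed access, sets the three-attempt lockout threshold, blocks unsolicited inbound traffic, and pulls the resulting access events from the Security log. It assumes Windows Server 2012 R2 or later (for the NetSecurity cmdlets; older servers use netsh advfirewall), an elevated session, and a hypothetical folder D:\PII read by a hypothetical local group PII-Readers.

```powershell
# Added example (not from the original article). Assumes Windows Server 2012 R2
# or later, an elevated session, and the hypothetical folder D:\PII and group
# PII-Readers below.
#Requires -RunAsAdministrator

$PiiPath    = 'D:\PII'        # hypothetical folder holding PII
$PiiReaders = 'PII-Readers'   # hypothetical group whose job role needs read access

# --- Enable system event logging: advanced audit policy for file-system object
#     access, success and failure. Without this, SACLs on files log nothing.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# --- Access control by job responsibility plus logging of successful access.
if (-not (Test-Path -Path $PiiPath)) {
    New-Item -ItemType Directory -Path $PiiPath | Out-Null
}
$acl = Get-Acl -Path $PiiPath -Audit   # -Audit is required to read and write the SACL

# Stop inheriting permissions from the parent and drop the inherited ACEs, so
# only the principals named below retain rights on the folder.
$acl.SetAccessRuleProtection($true, $false)
$inherit = 'ContainerInherit, ObjectInherit'
foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'    },
        @{ Id = $PiiReaders;              Rights = 'ReadAndExecute' })) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, 'None', 'Allow')))
}

# Audit rule: every read, write or delete under the folder by any authenticated
# user writes event ID 4663 to the Security log, for authorized users as well
# as for failed attempts, which is what "who accessed PII and when" requires.
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'NT AUTHORITY\Authenticated Users',
    'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    $inherit, 'None', 'Success, Failure')))
Set-Acl -Path $PiiPath -AclObject $acl

# --- Account lockout after three consecutive failed logons (the NIST figure,
#     which also satisfies the PCI DSS maximum of six), with a 30-minute lockout
#     and observation window. This is the local policy; on a domain set the
#     same values with Set-ADDefaultDomainPasswordPolicy or Group Policy.
net.exe accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# --- Restrict inbound traffic: block all unsolicited inbound connections on
#     every firewall profile, so only explicitly allowed rules admit traffic.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# --- Who touched the PII? Scan the most recent 4663 events and keep those whose
#     object name falls under the PII folder. Property indexes follow the 4663
#     event data order: 1 = account name, 2 = domain, 6 = object name,
#     8 = accesses requested, 11 = process name.
function Get-PiiAccessEvents {
    param([string]$Path = $PiiPath, [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -like "$Path*" } |
        Select-Object TimeCreated,
            @{ n = 'User';    e = { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } },
            @{ n = 'Object';  e = { $_.Properties[6].Value } },
            @{ n = 'Access';  e = { $_.Properties[8].Value.Trim() } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } }
}

Get-PiiAccessEvents | Format-Table -AutoSize
```

Two caveats when running this for real: auditing ReadData on a busy folder produces a large volume of 4663 events, so size the Security log (or forward it to a collector) before enabling the rule, and on a domain-joined server the lockout and firewall settings should come from Group Policy rather than be set per machine, since a local setting is overwritten by the next policy refresh.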
The following checkpoints make Windows administration compliance responsibilities and activities as effective, efficient and manageable as possible:
Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance, and is the owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.