Solutions
HIPAA
Thousands of U.S. health care organizations have been waiting for
the Health Insurance Portability and Accountability Act (HIPAA)
Security Rule to be finalized. First proposed almost five years
ago, the rule has now been issued in final form. The Security Rule
is just one part of HIPAA federal legislation that was passed into
law in August 1996.
Now that the law is in its final form, the question remains: how
do I get my enterprise compliant? With BCC’s Managed Baseline
Solution Service Package it is now possible for you to determine
where you are not compliant with generally accepted HIPAA IT
requirements, remediate all IT compliance issues, and put in place
controls that continually maintain compliance over time. Passing IT
audits is made simple because, once the BCC baseline control solution
is placed on your network, the network itself helps you remain compliant.
With the BCC Regulatory Watch Service, BCC can alert you to a change,
or you can automatically download baseline control solution updates
whenever a new vulnerability is identified or there is a regulatory
change.
PCI
When customers offer their bankcard at the point of sale, over the
Internet, on the phone, or through the mail, they want assurance
that their account information is safe. That’s why Visa USA
has instituted the Cardholder Information Security Program (CISP).
Mandated since June 2001, CISP is intended to protect Visa cardholder
data, wherever it resides, ensuring that members, merchants,
and service providers maintain the highest information security
standard. In 2004, the CISP requirements were incorporated into
an industry standard known as the Payment Card Industry (PCI) Data Security
Standard, resulting from a cooperative effort between Visa and MasterCard
to create common industry security requirements. Visa USA maintains
CISP as the managing program for data security compliance, endorsing
the PCI Data Security Standard.
In order to assist in achieving compliance with
this security standard, the Managed Baseline Solution Service Package
can design and implement a baseline control solution to continually
monitor and control all computers and the network against this standard.
For example, the baseline control solution will continually monitor
firewall and firewall configuration, audit system access, audit
stored cardholder data integrity and access, verify data is encrypted,
verify anti-virus and software programs have current updates, restrict
access to cardholder data, and monitor for open ports and other
known vulnerabilities. The system can alert by e-mail, by calling
a cell phone, or by console alert. It can be set to automatically
remediate non-compliant elements and write every action it takes to an
audit log.
SOX
The Public Company Accounting Reform and Investor Protection Act
of 2002, commonly known as SOX or Sarbanes-Oxley, has changed how private
and public companies do business.
Section 404 as it pertains to Information Technology
is still coupled to the much larger financial audit and is influenced
by the financial and governance requirements. This law has placed
an onerous burden on the IT department to show that they are compliant
and prove that they will remain compliant. From the SOX auditor’s
point of view, it is preferable if controls are automated since
automation makes it more difficult for individuals to manipulate
the control either in error or maliciously.
This is what the Managed Baseline Solution Service Package
delivers. With this solution, all required protections are automated
and monitored for change, an alert is raised if they change,
and all information is stored in an auditable log file.
The appeal of the MBS Service Package is that
the enterprise IT operation can accomplish much more in security,
production and IT support with the visibility and control that is
generated by the same BCC baseline control solution that solves
the SOX compliance need.
ISO
ISO 27001 is the formal standard against which
organizations may seek independent certification of their Information
Security Management Systems (meaning their frameworks to design,
implement, manage, maintain and enforce information security processes
and controls systematically and consistently throughout the organization). The
standard covers all types of organizations (e.g. commercial enterprises,
government agencies and non-profit organizations). It specifies
the requirements for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving a documented ISMS within the
context of the organization’s overall risk management processes.
It specifies requirements for the implementation of security controls
customized to the needs of individual organizations or parts thereof.
ISO 27001 provides an ISMS model for adequate and proportionate
security controls to protect information assets and give confidence
to interested parties.
BCC uses the guidance of ISO 27001/17799 to determine
where an organization stands with regard to meeting the standard
required for ISO certification. The Enterprise IT Assessment can
be used by your enterprise to assess your organization’s progress
toward this globally adopted ISO standard. The MBS Service Package
can then provide a baseline control solution that will reinforce
compliance to ISO guidelines consistent with your enterprise goals.
As part of the BCC deliverables a template version of all required
policies and procedures for your enterprise is also supplied.
Some enterprises are interested in this ISO standard less for
certification and more for improved business practices. The MBS
Service Package offers our clients the possibility of directing the
solution toward specific, targeted results, e.g. production
reliability or more efficient IT support.
The resulting baseline control solution then focuses its enhanced
visibility and control on those targeted results.
Production Reliability
Production reliability becomes a bottom line issue for IT through
many routes. The most obvious in the private sector is when the
revenue stream is directly impacted by IT faults in the production
environment. One of many industries that could serve as an example
is the broadcast media industry, whose increasing dependence
on the IT operation can result in high efficiency and high quality
product when the IT environment runs smoothly, or in direct revenue
loss when it does not.
The critical impact of IT environment reliability
risk on enterprise success permeates both the private and the government
sector today, whether the downside is customer anger or national security.
An increasing array of industry best practices and government regulation
is striving to drive reliability higher by systematically identifying
steps to take and processes to put in place to strengthen the reliability
of business processes where the underpinning is in IT operations.
The fundamental issue being grappled with is getting a high
number of 9’s in business process reliability from a custom-built
and ever-changing IT environment that has millions of dynamically
alterable components whose current states are never directly
monitored and controlled.
BCC uses its unique enterprise baseline control
techniques, distributed expert system and common control plane technology
to craft customized enterprise baseline control strategies and implement
them in collaboration with its clients. The client gains dramatically
increased visibility and control of the states of all IT network
and system components, down to the byte, that can impact critical
enterprise business processes.
As is the case for all BCC solutions, the control
framework is easily managed and modified from a central point to
accommodate the continual stream of changes stemming from industry
practices, regulations, or technology advancement. All BCC solutions
are also uniquely architected to remain virtually invisible to users
and generate negligible load on either network or systems.
BCC’s Enterprise IT Assessment can be used
to target improved production reliability at the same time it is
assessing any compliance or security needs for the enterprise. Everything
that could impact production, from platform modifications to operating
process protection to revision level control to supervisor change
control, can be designed into a BCC baseline control strategy for
production reliability. As part of this BCC service a control strategy
layer can be defined that specifically isolates reliability protection
for any business process. The assessment can then be optionally
followed by a full Managed Baseline Solution Services Package to
quickly and efficiently implement enterprise baseline control with
the MBS common control plane technology with distributed expert
system capability and central management control.
Security Programs
Gaining a quantum leap in cyber visibility and control is the most
effective way to strengthen an enterprise security program. Enterprise
baseline control using the MBS common control plane technology with
a distributed expert system provides the unique combination of broad,
diverse management scope and deep dive granular control down to
the byte level.
Enterprise baseline control solutions from BCC
are designed to explicitly delineate the elements of a cyber security
program in a control framework that permits it to be implemented
across the entire enterprise, accommodating all the needed diversity
in technology and security requirements that are typical in enterprise
IT environments. This BCC solution gives the enterprise the powerful
capability to define their security program in a medium that actually
“makes it so” as the control solution is implemented.
Perhaps more importantly, the enterprise baseline
control solutions from BCC can be immediately and centrally adjusted
as industry best practices, technologies and government regulations
change—keeping the documented security program and the actual
security program in perfect step. All Baseline Control solutions
are also uniquely architected to remain virtually invisible to users
and generate negligible load on either network or systems.
BCC’s Enterprise IT Assessment can be used
to target security program development at the same time it is assessing
any compliance or production reliability needs for the enterprise.
Everything that could impact security, from intrusion prevention
to virus protection to password policies to data integrity, can
be designed into a BCC baseline control strategy for a stronger
security program. As part of this BCC service a control strategy
layer can be defined that specifically isolates security program
control parameters and provides special remote alerts for specified
security events. The assessment can then be optionally followed
by a full Managed Baseline Solution Service Package to quickly and
efficiently implement enterprise baseline control with the MBS common
control plane technology with distributed expert system capability
and central management control. As part of this service package,
BCC can provide a fully customized security policy manual for your
enterprise that you can review, modify and adopt to immediately
reflect the improved security program in place in your enterprise.
Organizations managing classified systems and
networks may have limitations that prohibit portions of the collaborative
services of the MBS Service Package. BCC accommodates clients with
these limitations by tailoring baseline control solutions using
the StatePointPlus Technology Application Service.
For those organizations with highly restrictive
IT environments and extraordinary security requirements, BCC’s
ShadowForce Security Baseline Service can be used where the industry’s
highest levels of stealth, robustness and response automation are
appropriate.
Empowering IT Support
For the last decade everybody has talked about improving IT support
because the thing that’s being supported is growing so incredibly
complex and dynamic that it seems almost intuitive that any automation
could improve some facet of the activity. There are also any number
of articles that have been written during this time to reaffirm
that there is “no silver bullet” with which to attack
this formidable entanglement of technology, business processes,
training, expectation and transition. BCC has a different view.
An enterprise IT operation typically supports
an aggregate set of production activities using many millions of
small, dynamically configurable components that perform interdependently
on a non-continuous basis inside their only visible IT assets—computers
and networks. With no one in the IT operation being able to see
any of these millions of components and observe whether they are
performing as expected, BCC would agree that there is “no
silver bullet” for dramatically reducing the support for such
a production system. But what if you could see all of those components
all the time?
BCC baseline control solutions are control strategies
that are specifically customized for an enterprise IT operation
and are designed to monitor and control the status and performance
of all of those millions of components to a known desired state.
Theoretically, this should provide an IT support improvement that
is dramatically in excess of any technology that has been implemented
in that enterprise before.
But before this “silver” improvement
can be realized in a real-world IT operation there are five more
pieces of the puzzle that must be supplied.
- The design of the control solution must be
practical to accomplish.
- The human observation and control of such
a large number of components must be practical on a daily basis.
- The common control plane that is accomplishing
this management automation can’t displace network and CPU
resources that must be committed to production.
- The dynamic nature of the IT ecosystem requires
that the control solution be rapidly and easily adjusted as requirements,
technology and infrastructure change.
- The entire implementation of the baseline
control solution must be practical to accomplish without absorbing
technical staff to the point that the old paradigm of support
falls apart while transitioning to the new one.
The BCC Managed Baseline Solution Service Package
has been crafted to provide all of the puzzle pieces to produce
a dramatic change in how an IT support staff perceives and pursues
their mission. An installed baseline control solution from BCC provides
unprecedented visibility and control of the sea of components that
are underpinning enterprise business processes, empowering technical
staff with the information and the control to proactively support
their enterprise mission.
Disaster Recovery / Business Continuance
The term “disaster” no longer conjures
up remote possibilities; it calls to mind recent experiences
for a large segment of the IT industry, both in the US and abroad.
Failing to recover IT operations quickly can jeopardize public safety
as well as bottom lines and jobs at a time when it hurts the most.
The aggregate possibility of meteorological, terrorist,
or cyber-criminal events is simply too high to discount as an acceptable
business risk in today’s world. The
implied accountability for applying proper control is seen in today’s
corporate attitude toward disaster recovery—if the disaster
is natural, e.g. fire or storm, corporate clients and partners are
typically supportive and forgiving; if the disaster is cyber, e.g.
intruder damage or theft, they are decidedly not supportive and
are more likely to take you to court. Industry leaders will no longer
wink at corporations that fail to manage their own cyber risk. Now
more than ever, organizations must accommodate in their IT priorities
plans for expeditious recovery from disaster, especially organizations
such as public services that can have a direct impact on the health
and safety of the public.
Redundancy is a key consideration in disaster
planning, but this is hard to achieve because all IT environments
evolve as requirements and technology change. The MBS
Service Package can design a baseline control solution that
builds into the daily operation of IT the quantification and control
of system configuration dynamics that enables daily assurance of
backup site viability. The baseline control solution can explicitly
assure the duplication of disaster recovery aspects of computer
baseline attributes across both primary and backup systems. This
means that continual affirmation of disaster recovery planning can
be performed as part of the routine configuration management discipline
that supports the organization’s primary mission.
The discipline that baseline control solutions
bring to the configuration dynamics of an IT operation reduces the
ongoing cost of managing a disaster backup facility and increases
the confidence that the backup environment will be effective when
it is called upon. Managing the IT operation to well-defined baselines
that are automatically kept current enables the establishment of
environment redundancy that is essential for business continuance
in the face of any major disruption in facility availability for
any reason. It also supports the productive use of the backup environment
on a continual basis because the backup requirements are being explicitly
monitored and enforced, not falling victim to the configuration
drift that inevitably results from production activities.
Equally important, the baseline control solution
provides the perfect vehicle for quickly configuring new equipment
that must come on board to re-establish full production capability.
As it performs this role it can provide management with a real world
picture that tracks the progress of the recovery project across
multiple sites, and a central control capability to enforce consistency
and organizational requirements throughout the recovery. Since the
history of configuration dynamics is preserved by the EBM
technology being used, the path of the recovery can be examined
at any point in the recovery project to explore future disaster
process improvements or investigate recovery shortfalls.
MBS design and EBM technology provide a
disaster recovery approach that not only manages risk but actually
reduces normal IT support cost for both the primary and the backup
sites by reducing configuration management support. Meaningful disaster
recovery speed requires that a surviving redundant capability can
be readily confirmed as production ready. The bit-by-bit granularity
of a baseline control solution provides the only tenable statement
of readiness for backup production systems and a basis for confidence
as new systems are inevitably introduced during recovery. By leveraging
the proactive configuration enforcement power of a baseline control
solution in daily operation, the path to recovery from disaster can
be reaffirmed every day.
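The monitor, alert, auto-remediate and audit-log behaviour described under PCI above, and the primary-versus-backup baseline comparison described here, as an added Python example that is not BCC’s code or product. The attribute names, baseline values and host snapshots are constructed for illustration; a real deployment would collect snapshots from an agent and push remediations through a configuration tool.

```python
from datetime import datetime, timezone

# Constructed desired state: attribute -> (rule, expected). "eq" = must match, "max" = must not exceed.
BASELINE = {
    "firewall.default_policy": ("eq", "DROP"),
    "storage.cardholder_db.encrypted": ("eq", True),
    "antivirus.signature_age_days": ("max", 1),
    "network.listening_tcp_ports": ("eq", [22, 443]),
}

# Constructed snapshots, as an agent on each host might report them.
SNAPSHOTS = {
    "primary": {
        "firewall.default_policy": "DROP",
        "storage.cardholder_db.encrypted": True,
        "antivirus.signature_age_days": 0,
        "network.listening_tcp_ports": [22, 443],
    },
    "backup": {  # this host has drifted from the baseline
        "firewall.default_policy": "ACCEPT",
        "storage.cardholder_db.encrypted": True,
        "antivirus.signature_age_days": 9,
        "network.listening_tcp_ports": [22, 443, 3389],
    },
}

# Attributes the checker may reset on its own; anything else only raises an alert.
AUTO_REMEDIATE = {"firewall.default_policy"}

def compliant(rule, expected, actual):
    """True when the observed value satisfies the rule; a missing attribute never complies."""
    if actual is None:
        return False
    return actual == expected if rule == "eq" else actual <= expected

def check_host(host, snapshot, baseline, audit_log):
    """Return attributes still out of baseline after remediation; log every finding."""
    open_drift = []
    for attr, (rule, expected) in baseline.items():
        actual = snapshot.get(attr)
        if compliant(rule, expected, actual):
            continue
        action = "remediated" if attr in AUTO_REMEDIATE else "alert"
        if action == "remediated":
            snapshot[attr] = expected  # stand-in for pushing the setting back to the host
        else:
            open_drift.append(attr)
        audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "host": host,
                          "attr": attr, "expected": expected, "actual": actual, "action": action})
    return open_drift

def backup_ready(baseline, snapshots, audit_log):
    """The backup is production-ready only when both hosts are in baseline after remediation."""
    results = {h: check_host(h, dict(s), baseline, audit_log) for h, s in snapshots.items()}
    return results, not any(results.values())
```

Calling `backup_ready(BASELINE, SNAPSHOTS, [])` reports the backup as not ready: its firewall policy is reset automatically, but the stale antivirus signatures and the extra listening port remain open alerts in the audit log.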