Regulatory Compliance and corresponding Cisco security solutions

While frameworks can be used to create a security policy, an organization must also take into account the regulations and laws that apply to the industries and locations in which it operates. Such laws exist to protect the industry and its consumers, and they offer specific guidelines for securing information.

Various regulations and legislative acts apply to industries around the world, and an organization needs to consider them while creating its security policies. Failure to comply usually carries a very heavy penalty. In this section, we briefly discuss two of the most important such regulations and legislative acts.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in August 1996. It applies to organizations in the healthcare industry (covered entities and their business associates). In particular, its Security Rule states that any entity that creates, receives, transmits, or maintains protected health information (PHI) in electronic form must make good-faith efforts to protect the data and the computing environment from known and reasonably anticipated threats and vulnerabilities. Such entities are also required to protect the confidentiality, integrity, and availability of that electronic data.

HIPAA is technology neutral: it does not prescribe specific controls, so that organizations remain free to adopt new technology. It provides standards and, in some cases, implementation specifications (some required, some addressable) that must be met, but most often industry standards such as ISO 27002 and the NIST Cybersecurity Framework are used as the means of meeting the requirements of the act.

Note Cisco has published a compliance guide for HIPAA security rule design and implementation. Much of the information in this section is compiled from that guide. I strongly suggest reading the guide in preparation for the CCIE exam. It can be found at this link.

Penalties associated with violation of HIPAA are severe and depend on the covered entity's level of culpability, that is, what it knew and what it did before and after the violation. At one end of the spectrum, if the covered entity had reasonable preventive measures in place and could not have known about or avoided the violation, the penalty ranges from $100 to $50,000 per violation. At the other end, if the covered entity is found willfully negligent, either by not having enough protection in place or by allowing the violation to continue after learning of it, the penalty is $50,000 per violation, up to an annual cap of $1,500,000 for repeated violations of the same provision, and knowing misuse of PHI can additionally bring criminal charges and imprisonment. Ignorance of the HIPAA rules is not accepted as an excuse for a violation.

While the act in its entirety is beyond the scope of this blog, Table 1 broadly classifies and maps the security requirements to Cisco security products and technologies.

Table 1 HIPAA and Cisco Security

Identity management and access control
  Cisco security product/solution: Cisco ISE, ASA, NGFW
  Notes: Identity management and access control for health information is a central theme of HIPAA. Cisco ISE provides this by controlling who and what can join the network; ASA and NGFW enforce further access control between network zones and to applications.

Segmentation
  Cisco security product/solution: Cisco ISE, TrustSec, ASA, NGFW
  Notes: Separating clinical systems and PHI from administrative and guest traffic is critical to applying effective security measures. Cisco ISE, together with TrustSec-enabled enforcement devices such as ASA and NGFW, can provide that segmentation.

Encryption
  Cisco security product/solution: Various VPN solutions on ASA, NGFW, and routers
  Notes: Encryption of data in transit, especially between covered entities, is a critical requirement, and the various Cisco VPN solutions can be used to achieve it. Note that encryption of stored ePHI is a separate (addressable) specification that network VPNs do not address.

Logging, audit, and monitoring
  Cisco security product/solution: Firepower NGFW and NGIPS with Firepower Management Center (FMC)
  Notes: The act requires logging, monitoring, and auditing of access to data as well as of intrusion attempts. Cisco NGFW and NGIPS provide intrusion prevention, and FMC provides the centralized logging, monitoring, and audit capabilities for those devices.

It is important to remember that Table 1 provides only a general overview of the security requirements and the corresponding Cisco security solutions. The actual design and implementation will depend on the size of the network and the organization.
