
assuria bulletin

Title: Regulatory and compliance reporting

Number: 37    Date: 3rd May 2007

Regulatory and standards compliance reporting

 

Compliance

Organisations of all sizes, in both the public and private sectors, are increasingly required to comply with a number of legislative and industry regulations and standards. Compliance with these regulations should be seen as part of the Information Security Management System (ISMS) or process. In the United States regulations such as SOX, FISMA and HIPAA, and in Europe Basel II and privacy legislation, are driving organisations to seek tools that assist with and automate their compliance. The impact of some regulations, for example Sarbanes-Oxley (SOX), is significant not only in the United States but globally.

 

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer credit card data.

 

Most organisations subject to such regulations use controls, standards such as ISO 27001, and guidelines to achieve compliance.

 

ISO 27001 is the formal standard against which organisations may seek independent certification of their Information Security Management Systems. An ISMS is a framework for designing, implementing, managing, maintaining and enforcing information security processes and controls systematically and consistently throughout the organisation.

 

 

Gartner Group represented the relationship between regulations, control objectives and controls in the diagram shown below (figure not reproduced in this text).

 

Assuria Auditor is a software tool that supports the controls within an ISMS. A key issue with compliance is planning and measuring acceptable levels of compliance.

Assuria Auditor's unique mapping of checks to controls, control objectives and regulations delivers a powerful tool to help achieve compliance with the appropriate standards.

 

New Assuria Auditor features

 

Assuria AutoUpdate #61 introduces new regulatory and standards compliance reporting to Assuria Auditor. The Assuria Auditor Console database has been updated to include, where appropriate, the mapping of each of Assuria Auditor's 2500 checks to a reference within the standard.

 

Currently available standards are ISO 27001, PCI, SOX, CVE and BID. ISO 17799 will be available soon. Other standards, including HIPAA and FISMA, are on the way. Any users with specific standards requirements should contact Assuria.

 

 

A new option has been added to Assuria Auditor reporting: report by the selected standard. In addition, Policy Navigators for each of the supported platforms have been provided.

 

 

Example report content

An Initial-on-all report sorted by applicable PCI sections (report screenshot not reproduced in this text).

For each check, the applicable standard reference is reported where appropriate.

 

 

Current reporting options are not changed.  All reports will include the mapping of applicable standards to checks.

 

If not required, the “Standards applicable” element can be switched off using the “Include Elements” tab of the Report Options screen.
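The two mechanisms described above, the mapping of each check to a reference within a standard and the report that groups results by the sections of a selected standard with an optional “Standards applicable” element, can be illustrated in code. The following is an added example and not Assuria's code: the check identifiers, section references, hosts and results are constructed, and the mapping table format is an assumption for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample mapping: check id -> reference within each supported standard.
# A check with no entry for a standard is still reported, but without a reference.
CHECK_MAPPING = {
    "WIN-PWD-001":    {"PCI": "8.2.3", "ISO27001": "A.9.4.3"},
    "WIN-AUDIT-004":  {"PCI": "10.2",  "ISO27001": "A.12.4.1"},
    "UNX-SSH-010":    {"PCI": "2.2.4", "ISO27001": "A.13.1.1"},
    "UNX-BANNER-002": {},  # hypothetical check with no standard reference
}


@dataclass
class CheckResult:
    """One check executed on one host (constructed, not a real scanner record)."""
    check_id: str
    host: str
    passed: bool


# Constructed results of an "initial-on-all" run over two hosts.
SAMPLE_RESULTS = [
    CheckResult("WIN-PWD-001", "win-srv-01", False),
    CheckResult("WIN-AUDIT-004", "win-srv-01", True),
    CheckResult("UNX-SSH-010", "unx-db-02", True),
    CheckResult("UNX-BANNER-002", "unx-db-02", False),
]


def section_sort_key(section: str):
    """Order dotted section numbers numerically so that '2.2.4' sorts before '10.2'.
    Non-numeric parts (e.g. the 'A' in ISO 27001 'A.9.4.3') sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in section.split("."))


def report_by_standard(results, standard):
    """Group results by the section of `standard` each check maps to.
    Checks without a reference in that standard are collected under 'Unmapped'
    at the end, so nothing silently disappears from the report."""
    grouped = defaultdict(list)
    for r in results:
        section = CHECK_MAPPING.get(r.check_id, {}).get(standard, "Unmapped")
        grouped[section].append(r)
    mapped = sorted((s for s in grouped if s != "Unmapped"), key=section_sort_key)
    ordered = mapped + (["Unmapped"] if "Unmapped" in grouped else [])
    return {s: grouped[s] for s in ordered}


def section_summary(results, standard):
    """Pass/fail counts per section: the measurable level of compliance per section."""
    return {
        section: {
            "passed": sum(1 for r in rs if r.passed),
            "failed": sum(1 for r in rs if not r.passed),
        }
        for section, rs in report_by_standard(results, standard).items()
    }


def render_rows(results, include_standards=True):
    """Flat report rows. The 'standards' column is optional, mirroring a
    report option that switches the standards element on or off."""
    rows = []
    for r in results:
        row = {"check": r.check_id, "host": r.host,
               "result": "PASS" if r.passed else "FAIL"}
        if include_standards:
            row["standards"] = CHECK_MAPPING.get(r.check_id, {})
        rows.append(row)
    return rows


if __name__ == "__main__":
    for section, rs in report_by_standard(SAMPLE_RESULTS, "PCI").items():
        print(f"PCI {section}:")
        for r in rs:
            print(f"  {r.check_id:16} {r.host:12} {'PASS' if r.passed else 'FAIL'}")
    print(section_summary(SAMPLE_RESULTS, "PCI"))
```

Grouping by the selected standard and keeping an explicit “Unmapped” bucket is the point worth copying: a report that only shows mapped checks makes coverage look better than it is, and the summary counts are what a reviewer would compare against the planned acceptable level of compliance.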

 

Policy Navigators

Assuria Auditor Policy Navigators are a great way to discover the features and facilities of Assuria Auditor. From AutoUpdate #61, the Policy Navigators for each platform include Standards.

 

 

 

 

The applicable sections of each standard are included in the Policy Navigators.

Within each standard section, each check can easily be cross-referenced.

 

Assuria Auditor regulatory and standards-based reporting is part of Assuria Auditor from AutoUpdate #61, May 2007.

 

 
Assuria Limited, Science & Technology Centre, The University of Reading, Earley Gate, Reading, RG6 6BZ, UK.

Telephone +44 118 935 7395    Fax +44 118 926 7917    Web www.assuria.com

 


System Scanner and X-Press Update are registered trademarks of Internet Security Systems Inc. of Atlanta, Georgia, USA
© Copyright Assuria Limited.  All rights reserved.


