There are many different types of government and financial compliance requirements. It is important to understand that these requirements are minimum baselines, and that they can be interpreted differently depending on the business goals of the organization. Compliance requirements must be mapped to the business goals so that risks are appropriately identified and mitigated.
For example, a business may have a policy requiring that every server holding customer personally identifiable information (PII) have logging enabled and enforce a minimum password length of 10 characters. A single policy like this can support the organization's efforts to maintain compliance with any number of different regulations.
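As an added illustration, not taken from the original page, the two requirements in that example policy written as Nessus .audit custom items for a Unix target. The file path, daemon name and regular expressions are assumptions for a Linux host that sets PASS_MIN_LEN in /etc/login.defs and runs a daemon named syslogd; a real audit file would be adjusted to the distribution and logging daemon actually in use.

```text
<check_type:"Unix">

# Added example: the PII-server policy items expressed as .audit custom items.
# Assumes /etc/login.defs carries PASS_MIN_LEN and the logger is named syslogd
# (assumptions for illustration; adjust for the target platform).

<custom_item>
 type        : FILE_CONTENT_CHECK
 description : "Minimum password length is at least 10 characters"
 file        : "/etc/login.defs"
 regex       : "^PASS_MIN_LEN[[:space:]]+[0-9]+"
 expect      : "^PASS_MIN_LEN[[:space:]]+[1-9][0-9]+[[:space:]]*$"
</custom_item>

<custom_item>
 type        : PROCESS_CHECK
 description : "System logging daemon is running"
 name        : "syslogd"
 status      : ON
</custom_item>

</check_type>
```

In the first item the regex selects the line to evaluate and expect is the condition that line must satisfy, so a PASS_MIN_LEN of 8 (one digit) fails while 10 or more passes; the second item fails if no process named syslogd is found.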
Common compliance regulations and guides include, but are not limited to:
- Basel II
- Center for Internet Security Benchmarks (CIS)
- Control Objectives for Information and related Technology (COBIT)
- Defense Information Systems Agency (DISA) STIGs
- Federal Information Security Management Act (FISMA)
- Federal Desktop Core Configuration (FDCC)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO 27002/17799 Security Standards
- Information Technology Infrastructure Library (ITIL)
- National Institute of Standards and Technology (NIST) configuration guidelines
- National Security Agency (NSA) configuration guidelines
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley (SOX)
- Site Data Protection (SDP)
- United States Government Configuration Baseline (USGCB)
- Various State Laws (e.g., California’s Security Breach Notification Act - SB 1386)
Many of these regulations also call for real-time monitoring, such as intrusion detection and access control, in addition to configuration checks. For a more in-depth look at how Tenable's configuration auditing, vulnerability management, data leakage, log analysis, and network monitoring solutions can assist with the regulations listed above, please refer to the Tenable whitepaper Real-Time Compliance Monitoring.