When a rogue user subverts an organization's computer and enters into an agreement that allows for a third party to monitor and (partially) control that system, it means the organization is no longer in control of it -- plain and simple.
Financial services and retail organizations remain under significant scrutiny since the Enron/Andersen debacle. The Payment Card Industry Data Security Standard (PCI DSS) requires, in Section 7.1, that any organization holding or processing credit card data "limit access to computing resources and cardholder information only to those individuals whose job requires such access." It also stipulates (Section 1.3.7) that systems involved in card data handling must be hosted in a manner that denies all "inbound and outbound traffic not specifically allowed." A game client that phones home to a third party and accepts instructions from it is neither of those things. In other words, no more gaming from the cashier's workstation on slow days.
Public companies also have to worry about the Sarbanes-Oxley Act. Self-help software installed by unauthorized users subverts a whole slew of technical and operational management controls in the Control Objectives for Information and Related Technology (COBIT), which is widely referenced as a preferred control framework for Sarbanes-Oxley compliance. For a start, one would find trouble in control areas such as "AI6 Manage Changes," "AI7 Install and Accredit Solutions and Changes," "DS9 Manage the Configuration" and "ME2 Monitor and Evaluate Internal Control."
Health care service providers can't breathe any easier. Health Insurance Portability and Accountability Act (HIPAA) Security Rule 164.306(a) says, "Covered entities must ... (3) Protect against any reasonably anticipated uses or disclosures of [all electronic protected health information the covered entity creates, receives, maintains or transmits] that are not permitted or required under Subpart E ... [and] (4) Ensure compliance with this subpart by its workforce."
Continuing to use a system with unauthorized monitoring or self-help software installed is a violation of Section 164.312, which indicates that "a covered entity must (a)(1) ... implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4)." I am not prepared to make the tortured argument that the Blizzard software license constitutes a HIPAA-compliant Business Associate contract.
Later in the same section, §164.312(b) requires "Audit controls [that] implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." One can even get caught by portions of §164.310(b) concerning observance of policies for physical use of the workstation for "proper functions to be performed [and] the manner in which those functions are to be performed ... of a workstation that can access electronic protected health information."
International Standards -- One can easily find the same requirements in different form in information security management frameworks such as ISO/IEC 27001 (§A.6.2.1 and §A.10.4.2 would be a good place to start) and in the Information Technology Infrastructure Library (ITIL) Configuration Management and Availability Management processes. These standards are frequently used to provide assurances between organizations exchanging data, and where they are not regulatory requirements they are enforced through contracts.
Other regulations and standards requiring the same level of control and diligence in management are easily found in just about every sector. I'm not even sure where to begin the conversation regarding unauthorized installation of monitoring and self-help software on systems covered by the DIACAP or NIACAP national security requirements, but I'm pretty sure it would end when one woke up in Gitmo.