On Compliance to Industry Regulations – HIPAA, PCI DSS, CIPA, NERC CIP

We talked about product certifications such as Common Criteria, USGv6, or FIPS 140-2 and other government-driven evaluations in a recent blog post. On a related but different topic, we’re often asked whether our network security products are compliant with industry regulations and standards, such as:

  • The Health Insurance Portability and Accountability Act (HIPAA) in Healthcare
  • The Payment Card Industry Data Security Standard (PCI DSS) in all industries touching cardholder information - online retail, electricity distribution, and even healthcare
  • The Children's Internet Protection Act (CIPA) in education, and even healthcare
  • The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for the power grid and underlying SCADA networks


In most cases, the regulations apply to our customers that need to demonstrate compliance and are subject to audits. Our network security platform can help make the compliance and audit processes easier, quicker and therefore less costly. Every regulation and industry has its own unique requirements that need to be carefully reviewed and evaluated, but as a starting point, I wanted to offer a couple of generic ways in which we help:

(1) We help reduce the scope of compliance: Our security platform allows you to segment your network into zones and enforce security policies based on business-oriented parameters such as applications, users and content as traffic passes from one zone to another. This ensures tighter isolation of the sensitive information that is subject to the regulation and narrows the scope of the compliance effort. An example is PCI DSS, where network segmentation confines cardholder data to specific servers or areas of the network, reducing not only the cost of implementing compliance but also the risk of the sensitive data ever being compromised.

(2) We simplify the audit process: Compliance auditors require access to many pieces of data, including firewall logs. They’ll need proof that the security policies are enforced consistently and everywhere, and will review traffic logs to check who has access to the zone and in which capacity (user, administrator, …) and whether any changes made over time were appropriate. Because we classify all traffic by user, application and content, our reporting and log viewer capabilities immediately provide you with a complete picture of the zone traffic at the level auditors need, without additional work. An example is NERC CIP, where we support several levels of administrative rights and can easily report on who has rights to what, and in which capacity, across the network.

(3) We reduce the risk of sensitive data being compromised: With the ability to monitor and inspect all content as specified by security policy rules, you can flag outbound traffic for unauthorized transfer of sensitive data (cardholder data, social security numbers and other recognizable strings) using file and data patterns, and either block the transfer altogether or send an alert.
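To illustrate the content-inspection idea in (3), here is an added Python example (not code from the original post or the product): it scans outbound payloads for cardholder data and SSN-like strings, applies a Luhn check so that random digit runs are not reported as card numbers, and maps each pattern to a block or alert action. The sample payloads and the pattern-to-action policy are constructed assumptions for the example.

```python
import re

# Constructed sample of outbound payloads (user, content); not real traffic.
SAMPLE_OUTBOUND = [
    ("user1", "Order confirmation for invoice 2024-0001"),
    ("user2", "card 4111 1111 1111 1111 exp 12/27"),   # well-known Luhn-valid test PAN
    ("user3", "ref 1234 5678 9012 3456"),               # 16 digits, but fails Luhn
    ("user4", "applicant SSN 123-45-6789 attached"),
]

# Assumed policy: which data pattern triggers which action.
DATA_PATTERN_POLICY = {"cardholder_data": "block", "ssn": "alert"}

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN shape with the area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: true for structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_payload(text):
    """Return the list of sensitive data patterns found in one payload."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # separator-stripped run must pass Luhn
            found.append("cardholder_data")
            break
    if SSN_RE.search(text):
        found.append("ssn")
    return found


def decide(text):
    """Map detected patterns to a policy action; block takes precedence over alert."""
    actions = {DATA_PATTERN_POLICY[p] for p in classify_payload(text)}
    return "block" if "block" in actions else "alert" if "alert" in actions else "allow"


def run_policy(payloads):
    """Evaluate every (user, content) pair and return (user, action) decisions."""
    return [(user, decide(text)) for user, text in payloads]
```

The Luhn step is what keeps "user3" from being blocked: the string looks like a card number but is not one, and a pattern-only rule would have produced a false positive.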

If you’re interested in more details, you can download one of the following white papers as examples:

For any questions related to compliance, contact us at certifications@paloaltonetworks.com.