Application Security, Inc. (AppSecInc) (www.appsecinc.com) today announced best-practice policies to help government organizations meet the stringent requirements of the Federal Information Security Management Act (FISMA) and the U.S. Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP). AppSecInc made the announcement from the Gartner IT Security Summit, taking place June 5-7 at the Marriott Wardman Park Hotel in Washington, D.C.
These requirements are at least in part a response to the ongoing security breach epidemic — since February 2005, more than 83 million Americans have had their personal information compromised. Whether the result of human error, insider espionage, or external attacks, no sector has been spared by these breaches, including government agencies. And for government organizations, the impact of these compromises ranges from the disruption of operations, to embarrassing disclosures, to national security risks.
In response to this epidemic, the Defense Information Service Agency (DISA) recently established a new set of security guidelines specific to databases. The Database Security Technical Implementation Guide (STIG) identifies known security vulnerabilities, configuration items, and other issues which must be addressed under the authority of DoD. For instance, Directive 8500.1 mandates that “all information assurance (IA) and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD approved security configuration guidelines.”
To ease compliance with these requirements, AppSecInc has partnered with Network Security Systems Plus (NSSPLUS) to jointly create a comprehensive policy template for implementing DISA STIG database security mandates. For example, using AppSecInc’s industry-leading vulnerability assessment solution, AppDetective™, users can easily:
— Discover database instances across their infrastructure
— Assess them against the STIG checklist
— Enumerate all the issues which must be addressed to achieve compliance
— And remediate these issues based on fix scripts and detailed information on appropriate patch updates and work-arounds
Reporting tied to the policy template makes it easy for government organizations to generate the required documentation as needed.
NSSPLUS is a leading provider of network security and information assurance consulting services. The company’s security engineers and information assurance consultants perform comprehensive evaluations of the technical and non-technical security features of DoD Military Health Systems enterprise networks, and implement safeguards and remedies in support of the Certification & Accreditation process. NSSPLUS has more than nine years of DITSCAP contract support experience with Tricare Management Activity (TMA) — including interpreting and applying the DISA STIGS and Checklist to the DITSCAP process to enforce compliance of the configuration of network components within the C&A boundary for DoD network enterprises.
“Using AppDetective with our DISA STIG best-practice policy template, government customers can far more easily identify and secure all their databases — both known and unknown — throughout their organization,” said Felix Thomas, president & CEO of Network Security Systems Plus, LLC. “We are pleased to work with AppSecInc to help government organizations comply with regulations like DITSCAP effectively and efficiently.”
“Implementing compliance initiatives is a necessary but extremely time- and resource-intensive endeavor,” said Ted Julian, vice president of marketing & strategy for AppSecInc. “By collaborating with Network Security Systems Plus, LLC, we can now offer automated, repeatable best practices to help government agencies efficiently navigate these regulations, quickly ensuring compliance with federal mandates while maintaining the absolute integrity of their sensitive data.”
In addition to DISA’s STIG, the National Institute of Standards and Technology (NIST) has expanded its repository of approved “hardening” configuration guides and checklists to include database security best practices. In accordance with these guidelines — and in collaboration with NIST — the Center for Internet Security (CIS) has approved a checklist to ensure compliance as outlined in the NIST Special Publications. The Office of Management and Budget FISMA 2005 Reporting Guidance also requires federal agencies to comply with the requirements of these publications.
AppSecInc has developed an automated best-practice policy template mapped to the CIS NIST checklist. Also available for AppDetective, this policy template enables government agencies to:
— Dramatically accelerate checklist implementation
— Generate extensive and meaningful audit reports for compliance and
— Greatly increase the number of databases that are checked for compliance without any increases in personnel
— Proactively and immediately evaluate all databases for new, high-risk vulnerabilities before extensive damage can be done
Intuitive and easy-to-use, the DISA STIG and CIS NIST best-practice security policies are immediately available for download from the AppSecInc website at: www.appsecinc.com/downloads/. The DISA STIG and CIS NIST templates are the latest additions to the company’s extensive range of best-practice policies that address the following standards:
— Sarbanes-Oxley Act (SOX)
— Federal Information Security Management Act (FISMA)
— Health Insurance Portability and Accountability Act (HIPAA)
— Gramm-Leach-Bliley Act (GLBA)
— California Senate Bill No. 1386
— Payment Card Industry (PCI) Data Security Standard
— National Energy Regulatory Commission (NERC)