Vormetric Data Protection Compliance Solutions
Many organizations struggle with regulatory compliance requirements such as PCI DSS, SOX, Gramm-Leach-Bliley, HIPAA-HITECH and others. Industry regulations, federal regulations and various data privacy acts require the implementation of data security and audit controls to protect regulated data. Implementing such controls is a complex IT challenge and can be a cumbersome barrier to achieving compliance. The primary controls are:
- Encryption of regulated data
- Policy-driven separation of duties (SOD) and need-to-know access control over encrypted data, as PCI DSS requires
- Reporting on access to regulated data
An efficient implementation of these data security controls requires minimizing any changes to existing applications, databases and IT infrastructure while being able to secure data across varied data platforms in physical, virtual and cloud environments.
Encryption of Regulated Data Compliance
A variety of regulations require encryption of data, from encrypting credit card numbers for PCI DSS compliance to encrypting Personally Identifiable Information (PII) to limit the impact of the various state data breach and data privacy laws. For example, PCI DSS sections 3.4-3.6 require organizations to demonstrate that stored cardholder data is protected: any organization accepting payment cards must render Primary Account Numbers (PAN) unreadable anywhere they reside. Similarly, the HITECH Act requires relevant Electronic Protected Health Information (EPHI) to be encrypted as specified in the HIPAA Security Rule.
Policy-driven Separation of Duties and Access Control Compliance
Not everyone needs to view sensitive data, not even privileged users such as SysAdmins, and various regulatory regimes mandate access control over regulated data so that it is accessed only on a "need to know" basis. Such controls provide separation of duties: workers using an application can view the data, while IT administrators can administer and manipulate the files for IT operations without viewing the underlying regulated data. For example, PCI DSS section 7 requires restricting access to cardholder data to those with a business need to know.
Reporting on Data Access Compliance
Regulatory regimes involve auditing to verify compliance. Solutions addressing these regimes need to provide extensive reporting so that auditors can verify compliance with the mandates the organization is subject to. For example, PCI DSS section 10 requires tracking and monitoring all access to network resources and cardholder data.
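The separation-of-duties model described above (application users see cleartext, administrators can operate on files without seeing their contents) and the audit trail that reporting depends on can be illustrated with a small policy evaluator. The following is an added example written for this page; it is not Vormetric's product code or policy format, and the group names, executable paths and file paths in it are constructed placeholders. Each access attempt is matched against an ordered rule list and yields one of three effects: cleartext, ciphertext-only, or deny; every attempt, allowed or not, produces an audit line for reporting.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Effects a policy rule can yield. "ciphertext" is the separation-of-duties
# case: the operation is permitted but the data stays encrypted, so an
# administrator can back up or move a file without reading its contents.
CLEARTEXT, CIPHERTEXT, DENY = "cleartext", "ciphertext", "deny"


@dataclass(frozen=True)
class Rule:
    groups: frozenset      # user groups the rule applies to; "*" matches any
    processes: frozenset   # executable paths allowed to act; "*" matches any
    operations: frozenset  # e.g. "read", "write", "backup", "copy", "delete"
    effect: str


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    process: str
    operation: str
    path: str


@dataclass(frozen=True)
class Decision:
    effect: str
    rule_index: Optional[int]  # None when no rule matched (default deny)


def _matches(allowed: frozenset, value: str) -> bool:
    return "*" in allowed or value in allowed


def evaluate(policy: List[Rule], req: AccessRequest) -> Decision:
    """First matching rule wins; no match at all means deny."""
    for i, rule in enumerate(policy):
        if (any(_matches(rule.groups, g) for g in req.groups)
                and _matches(rule.processes, req.process)
                and _matches(rule.operations, req.operation)):
            return Decision(rule.effect, i)
    return Decision(DENY, None)


def audit_record(req: AccessRequest, decision: Decision, ts: Optional[str] = None) -> str:
    """One line per access attempt, allowed or not, for auditor reporting."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    matched = "none" if decision.rule_index is None else f"rule{decision.rule_index}"
    return (f'{ts} user="{req.user}" proc="{req.process}" op="{req.operation}" '
            f'path="{req.path}" effect="{decision.effect}" matched="{matched}"')


def access_report(policy: List[Rule], requests: List[AccessRequest],
                  ts: Optional[str] = None) -> Tuple[List[str], Dict[str, int]]:
    """Evaluate a batch of requests; return audit lines and per-effect counts."""
    lines, counts = [], {CLEARTEXT: 0, CIPHERTEXT: 0, DENY: 0}
    for req in requests:
        decision = evaluate(policy, req)
        counts[decision.effect] += 1
        lines.append(audit_record(req, decision, ts))
    return lines, counts


# Constructed policy for a cardholder-data directory (hypothetical paths).
CARDHOLDER_POLICY = [
    # The payment application's service account, and only through its own
    # binary, gets cleartext: this is the "need to know" path.
    Rule(frozenset({"payment-app"}), frozenset({"/opt/pay/bin/payd"}),
         frozenset({"read", "write"}), CLEARTEXT),
    # Sysadmins may back up and copy the files, but only as ciphertext.
    Rule(frozenset({"sysadmin"}), frozenset({"*"}),
         frozenset({"backup", "copy"}), CIPHERTEXT),
    # Sysadmins get no cleartext and may not delete, whatever tool they use.
    Rule(frozenset({"sysadmin"}), frozenset({"*"}),
         frozenset({"read", "write", "delete"}), DENY),
]

# Constructed sample access attempts, not real log data.
SAMPLE_REQUESTS = [
    AccessRequest("svc-pay", frozenset({"payment-app"}), "/opt/pay/bin/payd", "read", "/data/cards/pan.db"),
    AccessRequest("alice", frozenset({"sysadmin"}), "/usr/bin/tar", "backup", "/data/cards/pan.db"),
    AccessRequest("alice", frozenset({"sysadmin"}), "/usr/bin/cat", "read", "/data/cards/pan.db"),
    AccessRequest("bob", frozenset({"marketing"}), "/usr/bin/cat", "read", "/data/cards/pan.db"),
]

if __name__ == "__main__":
    report, totals = access_report(CARDHOLDER_POLICY, SAMPLE_REQUESTS)
    print("\n".join(report))
    print(totals)
```

Two design points matter for a real deployment of this model. Evaluation is default-deny, so a user in no listed group (the "marketing" request) is refused and still logged, which is what an auditor reviewing PCI DSS section 10 evidence expects to see. Evaluation is also first-match, so when one account belongs to both the application group and the sysadmin group, rule order decides whether it sees cleartext; deny rules for privileged groups should be placed before any broader allow.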