NetVision

NetVision Company Blog

A Discussion on Effective Audit of User Access

HIPAA: Windows Security and Active Directory

In a new paper for NetVision customers titled Active HIPAA Response, we break down the security and privacy requirements found within the HIPAA regulation text and map NetVision policies and reports to those requirements. While organizations need to perform discovery of Protected Health Information (PHI), NetVision’s HIPAA compliance pack provides quick setup of compliance reporting related to Windows file system and Active Directory for complete coverage of Microsoft networking platforms.  The HIPAA package is also available for Novell networking environments.  NetVision isn’t claiming to make anyone compliant with a set of canned reports.  But, if you’re concerned about HIPAA requirements, the HIPAA compliance pack automates the creation of a set of reports that map to the areas within HIPAA for which NetVision can help.  Let us know if you’d like more information!

Continuous Audit

In this article from CFO magazine, the author discusses the value of Continuous Audit.  He tells the story of Harrah’s Entertainment and their 24×7 approach to audit.  One interesting quote:

Increasingly, though, individual practitioners see the cutting edge as auditing 100% of data relating to transactions, processes, policies, or whatever else is to be audited, rather than reviewing small samplings at longer intervals, as many organizations still do

You might be thinking, “easier said than done.” But getting back to the original point, with Continuous Audit a 100% sample is actually easy to accomplish, because every relevant event can be parsed through a policy filter and flagged when appropriate.

NetVision has recognized the value of Continuous Audit for more than a decade. We believe there are two sides to an effective audit program: (1) current state assessment and (2) real-time monitoring. And we hear from our customers that (like Harrah’s) they see real value in including real-time monitoring. Putting Continuous Audit in place makes compliance audits move more quickly and cost less, not to mention the obvious benefits to security.

PCI Compliance for Active Directory

Are you focused on Active Directory? And being asked to provide your end of a PCI audit? Figuring out how AD relates to PCI-DSS (Payment Card Industry Data Security Standards) can be quite complicated. If you’re interested in getting help or learning more, go to:

PCI Compliance for Active Directory Administrators

The Cost of Compliance

Everybody is talking about the cost of non-compliance. But what about the enormous cost of achieving compliance? For many, that cost makes the assurance of being compliant seem hardly worthwhile (think insurance). You wouldn’t pay $20,000/yr. for homeowners insurance that covers up to $100k/yr., especially when the threat of catastrophe seems unlikely.

The bottom line: there are better ways to approach the problem. If you’re laying out every regulation and trying to map some control in your environment to each of the requirements, you’re probably paying way too much in both cost and effort. Simplify by taking a multi-regulatory approach. And (of course) leverage pragmatic solutions that cut costs to achieve the same goal. Spending what amounts to some large percentage of the potential threat cost is not your only option! That’s the idea behind SIMON.

© 2009 NetVision Company Blog. All Rights Reserved.