Complying with data protection legal requirements in a Windows shop

To find common data protection legal requirements, Windows administrators should address IT compliance by looking at all the applicable laws.

Rebecca Herold, Contributor
When the information security staff, compliance officers and legal counsel say to get the systems in IT compliance, what should Windows administrators do?

The best way to address privacy and data protection compliance is to look at the applicable laws and find common requirements. That's a more effective way to do it than to address piecemeal IT compliance requirements one law at a time.

To start, administrators should identify the requirements that recur across all the applicable laws, regulations, standards and contracts. They should map those commonalities in a matrix that can then serve as a single reference for everyone involved.

Table 1 lists many -- but far from all -- of the activities a Windows administrator can do to support compliance throughout the indicated laws and standards.

Table 1: Windows Server common data protection legal requirements

Laws and standards (see legend below): columns A through H

Activities supporting compliance                                      | A | B | C | D | E | F | G | H
----------------------------------------------------------------------|---|---|---|---|---|---|---|---
Enable system events (logging) in Windows                             | X | X | X | X | X | X | X | X
Log successful access attempts to mission-critical resources          | X | X | X | X | X | X |   |
Make data backups                                                     |   | X | X | X | X | X | X | X
Establish access controls based upon job responsibilities             | X | X | X | X | X | X | X | X
Require authentication                                                | X | X | X | X | X | X | X | X
Encrypt personally identifiable information                           |   | X | X |   | X |   | X | X
Restrict inbound Internet traffic to the DMZ                          |   | X | X | X | X | X |   |
Limit unsuccessful user ID login attempts after three consecutive tries |   | X | X | X | X |   |   |
Implement tools to prevent malicious code attacks                     |   | X | X | X | X |   |   |
Implement intrusion detection and incident monitoring tools           | X | X | X | X | X | X |   |

Legend

A: Sarbanes-Oxley Act (SOX)
B: Gramm-Leach-Bliley Act (GLBA)
C: Payment Card Industry Data Security Standard (PCI DSS)
D: Federal Information Security Management Act (FISMA)
E: Health Insurance Portability and Accountability Act (HIPAA)
F: Fair and Accurate Credit Transactions Act (FACTA)
G: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
H: EU Data Protection Directive

This matrix may look slightly different from organization to organization, so it's helpful to review this table with your legal counsel and information security department. Whether or not your enterprise decides to engage in all these compliance activities will depend on your own requirements and your lawyer's interpretation of the law as it applies to your organization.

Enable system events (logging) in Windows -- Almost every data protection law, regulation and standard requires that organizations be able to determine who has accessed personally identifiable information (PII) along with the details around that access.

Log successful access attempts to PII and mission critical resources -- Even if individuals have authorized access to network resources, organizations must be able to determine when they used that access and what they did with it.
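The two logging activities above, as an added PowerShell example that is not part of the original article: it enables object-access auditing, attaches a SACL to a folder holding PII so that successful as well as failed access is recorded, and then reports who touched that folder. The folder path is a placeholder chosen for this example, and it assumes administrative rights on Windows Server 2008 R2 or later.

```powershell
# Added example (not from the original article): audit access to a PII folder.
# Assumptions: run as an administrator; $PiiFolder is a placeholder path.
$PiiFolder = 'D:\Data\PII'   # placeholder path

# 1. Turn on success and failure auditing for the File System subcategory.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry so every read, write and delete by any account is recorded.
$acl  = Get-Acl -Path $PiiFolder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,AppendData,Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $PiiFolder -AclObject $acl

# 3. Report who accessed the folder recently. Event 4663 is "An attempt was made to
#    access an object"; the field names below are the standard 4663 event data names.
function Get-PiiAccessReport {
    param([string]$Path = $PiiFolder, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like "$Path*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object  = $d.ObjectName
                    Access  = $d.AccessMask
                    Process = $d.ProcessName
                }
            }
        }
}

Get-PiiAccessReport | Sort-Object Time | Format-Table -AutoSize
```

Auditing "Everyone" for success events on a busy share produces a large volume of 4663 events, so size the Security log (or forward it to a collector) before enabling this; a log that wraps before it is reviewed satisfies none of the laws in Table 1.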

Make data backups -- Backups assure the availability of PII and other mission-critical resources. Windows administrators must make backups of PII and related data to comply with availability requirements.

Establish access controls based upon job responsibilities -- A common data protection legal requirement is to restrict access to Windows and other network resources to only those users who have a specific business need to have that access.

Require authentication -- Across the board, laws, regulations and industry standards require organizations to implement authentication that allows only one person to use each user ID. Authentication not only establishes accountability for access activities but also makes it possible to track and determine when individuals have been in systems that hold PII.
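The access-control and authentication items above, as an added PowerShell example that is not part of the original article: access to a PII folder is granted to a role group rather than to individuals, the folder's inherited ACL is replaced with an explicit minimal one, shared or anonymous use is closed off by disabling the Guest account, and a check function reports any principal that should not be there. It assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later; the group name, OU, domain name and path are placeholders.

```powershell
# Added example (not from the original article): role-based access to a PII folder.
# Assumptions: ActiveDirectory module installed; all names below are placeholders.
Import-Module ActiveDirectory
$PiiFolder = 'D:\Data\PII'                        # placeholder path
$RoleGroup = 'Role-Payroll-PII-Read'              # placeholder group name
$Domain    = 'EXAMPLE'                            # placeholder NetBIOS domain name
$OU        = 'OU=Role Groups,DC=example,DC=com'   # placeholder OU

# 1. One security group per job responsibility; membership carries the entitlement.
if (-not (Get-ADGroup -Filter "Name -eq '$RoleGroup'")) {
    New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security -Path $OU `
        -Description 'Read access to payroll PII; membership reviewed quarterly'
}

# 2. Every access must be by a named, authenticated account: no shared Guest logons.
net user Guest /active:no | Out-Null

# 3. Replace the inherited ACL with an explicit, minimal one.
$acl = Get-Acl -Path $PiiFolder
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting and drop inherited ACEs
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Expected = @{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    "$Domain\$RoleGroup"     = 'ReadAndExecute'    # the job role gets read only
}
foreach ($id in $Expected.Keys) {
    $rights = [System.Security.AccessControl.FileSystemRights]$Expected[$id]
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $rights, $inherit, $none, $allow)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $PiiFolder -AclObject $acl

# 4. Compliance check: any ACE for a principal outside $Expected is a finding.
function Test-PiiFolderAcl {
    param([string]$Path = $PiiFolder)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -notin $Expected.Keys }
}

Test-PiiFolderAcl   # returns nothing when the ACL contains only the expected principals
```

Keeping entitlements in group membership rather than in per-user ACEs is what makes the quarterly access review in the group description feasible: the reviewer reads one membership list instead of walking the file system.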

Encrypt PII -- No laws or regulations that I am aware of explicitly require PII to be encrypted. However, most list encryption as a method of protecting PII that organizations must consider. A number of regulatory oversight guidance documents also encourage organizations to encrypt PII. Additionally, PCI DSS requires encryption in certain situations. Windows administrators should encrypt PII whenever possible.
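An added PowerShell example for the encryption item, not part of the original article: it encrypts a PII folder with EFS, then scans it so that any file left in clear text (for example one copied in before the folder was marked) is reported, and shows the BitLocker status of the volume the folder sits on. The path is a placeholder; the BitLocker cmdlet assumes Windows Server 2012 or later.

```powershell
# Added example (not from the original article): encrypt a PII folder and verify it.
# Assumptions: $PiiFolder is a placeholder; EFS is permitted by policy for these users.
$PiiFolder = 'D:\Data\PII'   # placeholder path

# /e marks the folder so new files are encrypted; /s recurses into existing content;
# /a applies the operation to files as well as directories.
cipher.exe /e /s:$PiiFolder /a | Out-Null

# Compliance check: every file under the folder must carry the Encrypted attribute.
function Get-UnencryptedPiiFiles {
    param([string]$Path = $PiiFolder)
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
}

$clear = Get-UnencryptedPiiFiles
if ($clear) {
    $clear | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
    throw "Unencrypted files found under $PiiFolder"
}

# Volume-level encryption covers what EFS does not (page files, temp copies, backups
# of the whole disk). Record the BitLocker state of the volume for the audit trail.
Get-BitLockerVolume -MountPoint (Split-Path -Qualifier $PiiFolder) |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
```

EFS protects files against another local account reading them; it does not protect a backup tape or a decommissioned disk, which is why the example also records the volume-level state.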

Restrict inbound Internet traffic -- Many data protection legal requirements advise organizations to establish barriers into the corporate networks from outside public networks. For example, PCI DSS specifically states in Requirement 1: "All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees' Internet-based access through desktop browsers or employees' email access."
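An added PowerShell example for the inbound-traffic item, not part of the original article or of PCI DSS: it puts a DMZ host into a default-deny inbound posture, opens exactly one published service, and lists every enabled inbound allow rule so unexpected exposure stands out during a review. It assumes Windows Server 2012 or later (the NetSecurity module); the rule name and port are placeholders.

```powershell
# Added example (not from the original article): default-deny inbound on a DMZ host.
# Assumptions: NetSecurity module available; rule name and port are placeholders.

# 1. Block unsolicited inbound traffic on every profile and log what is blocked.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 2. Allow only the service this host publishes (HTTPS in this example).
$RuleName = 'DMZ-Allow-HTTPS-Inbound'   # placeholder rule name
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 443 -Action Allow -Profile Public
}

# 3. Compliance check: enumerate every enabled inbound allow rule with its port.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = $port.LocalPort
            }
        }
}

Get-InboundAllowRules | Sort-Object Name | Format-Table -AutoSize
```

Windows ships with a number of enabled inbound allow rules (remote management, file sharing, discovery); the listing in step 3 is where those get reviewed and disabled on an Internet-facing host, and the same output is what an assessor will ask to see for Requirement 1.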

Limit unsuccessful user ID login attempts after three consecutive tries -- Some regulations, laws and industry standards require user accounts to be locked after a specific number of unsuccessful attempts, such as six within PCI DSS. Others require accounts to be locked according to best practices, such as those indicated within NIST documents, which specify a lockout after three unsuccessful attempts.

Implement tools to prevent malicious code attacks -- Many data protection legal requirements specify that organizations must implement technologies and procedures to guard against, detect and report malicious code. Windows administrators must ensure that up-to-date antivirus and malicious code prevention systems are implemented and appropriately managed.
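An added PowerShell example for the malicious-code item, not part of the original article: a check written against the built-in Microsoft Defender cmdlets that reports whether the engine and real-time protection are on and whether signatures are current, and updates signatures when they are stale. It assumes Windows Server 2016 or later with the Defender feature installed; the three-day signature-age limit is a placeholder chosen for this example, not a figure from any of the laws listed.

```powershell
# Added example (not from the original article): anti-malware compliance check.
# Assumptions: Microsoft Defender cmdlets available; the age limit is a placeholder.
function Test-MalwareProtection {
    param([int]$MaxSignatureAgeDays = 3)   # placeholder limit
    $s = Get-MpComputerStatus
    $findings = @()
    if (-not $s.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
    if (-not $s.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
    if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($s.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)"
    }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Compliant     = ($findings.Count -eq 0)
        SignatureDate = $s.AntivirusSignatureLastUpdated
        LastQuickScan = $s.QuickScanEndTime
        Findings      = ($findings -join '; ')
    }
}

$result = Test-MalwareProtection
if ($result.Findings -like '*Signatures are*') {
    Update-MpSignature      # remediate the most common finding on the spot
    $result = Test-MalwareProtection
}
$result   # keep this object: it is the evidence an auditor will ask for
```

Run it from a scheduled task across the estate and keep the output; the regulations call for the protection to be "appropriately managed", and a dated record that it was checked is what demonstrates that.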

Implement intrusion detection and incident monitoring tools -- Most data protection legal requirements indicate that organizations must implement tools and procedures to prevent network intrusions. For example, GLBA requires organizations to implement -- based upon the results of risk analysis -- intrusion-detection and incident-monitoring tools to be used for "detecting, preventing and responding to attacks, intrusions or other systems failures."
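The lockout and incident-monitoring items above, as an added PowerShell example that is not part of the original article or of GLBA: it applies a lockout policy (six attempts, following the PCI DSS figure the text cites; use three where NIST guidance governs) and then reads the Security log for the events that policy produces, reporting account lockouts (event 4740) and bursts of failed logons from one source (event 4625), which a lockout policy on its own will never surface. It assumes administrative rights; the burst threshold is a placeholder.

```powershell
# Added example (not from the original article): lockout policy plus log monitoring.
# Assumptions: run as an administrator; $FailureThreshold is a placeholder value.

# 1. Lock after 6 consecutive failures, for 30 minutes; reset the counter after 30 minutes.
net accounts /lockoutthreshold:6 /lockoutduration:30 /lockoutwindow:30 | Out-Null
net accounts   # prints the effective policy for the record

# 2. Monitor the Security log for lockouts and failed-logon bursts.
function Get-LogonIncidentIndicators {
    param([int]$Minutes = 60, [int]$FailureThreshold = 10)   # placeholder threshold
    $filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4625 carries the client address in IpAddress; 4740 carries the caller
        # computer name in TargetDomainName.
        if ($e.Id -eq 4625) { $src = $d.IpAddress } else { $src = $d.TargetDomainName }
        [pscustomobject]@{ Id = $e.Id; Time = $e.TimeCreated; User = $d.TargetUserName; Source = $src }
    }

    # Many failures from one source inside the window: report as a burst.
    $rows | Where-Object { $_.Id -eq 4625 } | Group-Object Source |
        Where-Object { $_.Count -ge $FailureThreshold } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'FailedLogonBurst'; Source = $_.Name; User = ''; Count = $_.Count }
        }

    # Every lockout is reported individually: it is an incident to follow up.
    $rows | Where-Object { $_.Id -eq 4740 } | ForEach-Object {
        [pscustomobject]@{ Indicator = 'AccountLockout'; Source = $_.Source; User = $_.User; Count = 1 }
    }
}

Get-LogonIncidentIndicators | Format-Table -AutoSize
```

A lockout policy converts repeated guessing into an availability problem for the legitimate user, so the monitoring half matters as much as the policy: a run of lockouts across many accounts from a single source is the pattern the GLBA wording ("detecting, preventing and responding to attacks") is asking you to notice and respond to.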

Unify your compliance activities -- By implementing a core set of controls, Windows administrators can help their organizations meet compliance with numerous applicable laws, regulations and industry standards.

The following checkpoints make Windows administration compliance responsibilities and activities as effective, efficient and manageable as possible:

  1. Configure systems to disallow all access to PII and mission-critical data and allow access to only those with specific job responsibilities.
  2. Create procedures that support compliance with as many applicable laws, regulations, industry standards and contractual requirements as possible, organized by topic rather than piecemeal, one law at a time.
  3. Work with the information security, privacy and compliance departments to continue documenting a list of common IT compliance requirements similar to those in Table 1.
  4. Document all your decisions for your Windows systems settings. Auditors want to see documentation of this type for all kinds of compliance reviews.
  5. Check out the existing matrices showing common compliance requirements at sites such as the IT Unified Compliance Framework site. Check with your information security, compliance, privacy and legal counsel to ensure the suggested activities are indeed necessary based upon their interpretation for your own organization.

Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance, and is the owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.

This was first published in May 2008
