Solution/Product/Report Mapping To Primary Compliance Requirements of SOX, PCI, HIPAA, GLBA and FISMA

Contents

SOX COMPLIANCE
  AI3: ACQUIRE AND MAINTAIN TECHNOLOGY INFRASTRUCTURE
  AI6: MANAGE CHANGES
  AI7: INSTALL AND ACCREDIT SOLUTIONS AND CHANGES
  DS3: MANAGE PERFORMANCE AND CAPACITY
  DS4 ENSURE CONTINUOUS SERVICE
  DS5 ENSURE SYSTEMS SECURITY
  DS9: MANAGE THE CONFIGURATION
  DS10: MANAGE PROBLEMS
  DS13: MANAGE OPERATIONS

PCI COMPLIANCE
  7. RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED-TO-KNOW
  8. ASSIGN A UNIQUE ID TO EACH PERSON WITH COMPUTER ACCESS
  10. TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA

HIPAA COMPLIANCE
  § 164.308: ADMINISTRATIVE SAFEGUARDS
  § 164.312: TECHNICAL SAFEGUARDS
  § 164.528 ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION.

GLBA COMPLIANCE
  ACCESS CONTROL: ACCESS RIGHTS ADMINISTRATION (TIER I: OBJECTIVES 4 & 7, TIER II: SECTION A)
  ACCESS CONTROL: AUTHENTICATION (TIER I: OBJECTIVE 4, TIER II: SECTION A)
  ACCESS CONTROL: NETWORK ACCESS (TIER I: OBJECTIVE 4, TIER II: SECTION B)
  ACCESS CONTROL: OPERATING SYSTEM ACCESS (TIER I: OBJECTIVE 4, TIER II: SECTION C)
  ACCESS CONTROL: APPLICATION ACCESS (TIER I: OBJECTIVE 4, TIER II: SECTION G)
  ACCESS CONTROL: REMOTE ACCESS (TIER I: OBJECTIVE 4)
  SECURITY MONITORING (TIER I, OBJECTIVE 6, TIER II: SECTION M)

FISMA COMPLIANCE
  FAMILY: ACCESS CONTROL CLASS: TECHNICAL
  FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL
  FAMILY: CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENTS CLASS: MANAGEMENT
  FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL
  FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL
  FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL
  FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL

APPENDIX A: NETWRIX EVENT LOG MANAGER REPORTS
  ACCOUNT MANAGEMENT REPORTS
  AUDITING REPORTS
  LOGON REPORTS
  EVENT REPORTS
  MISCELLANEOUS REPORTS

APPENDIX B: NETWRIX LOGON REPORTER REPORTS
  EVENTS, LOGONS, LOGOFFS, LOCKOUTS AND MORE

APPENDIX C: NETWRIX ACTIVE DIRECTORY CHANGE REPORTER REPORTS
  ALL CHANGES REPORTS
  AD STRUCTURE REPORTS
  OBJECT SECURITY
  GROUP MEMBERSHIP
  USER ACCOUNT
  BEST PRACTICE REPORTS

APPENDIX D: NETWRIX GROUP POLICY CHANGE REPORTER
  ALL CHANGES REPORTS
  ACCOUNT LOCKOUT POLICY
  LOCAL POLICIES
  SECURITY SETTINGS
  SOFTWARE INSTALLATION
  PASSWORD POLICY

APPENDIX E: NETWRIX EXCHANGE CHANGE REPORTER
  ALL CHANGES REPORTS
  MAILBOX
  RECIPIENT
  SERVER
  STORAGE GROUP
  STORE

APPENDIX F: NETWRIX SHAREPOINT CHANGE REPORTER REPORTS
  ALL CHANGES REPORTS

APPENDIX G: NETWRIX FILE SERVER CHANGE REPORTER REPORTS
  SUCCESSFUL MODIFICATIONS
  SUCCESSFUL READS
  FAILED MODIFICATION ATTEMPTS
  FAILED READ ATTEMPTS

APPENDIX H: NETWRIX SERVER CONFIGURATION CHANGE REPORTER REPORTS

APPENDIX I: NETWRIX SQL SERVER CHANGE REPORTER REPORTS
  ALL CHANGE REPORTS
  OBJECT CHANGES

APPENDIX J: NETWRIX VMWARE CHANGE REPORTER REPORTS
  ALL CHANGE REPORTS
  CLUSTER
  DATACENTER
  DATASTORE
  FOLDER
  HOST
  RESOURCE POOL
  ROLE

SOX Compliance

All public companies in the U.S. are subject to Sarbanes-Oxley (SOX) compliance without exceptions. SOX compliance requirements also apply to overseas operations of U.S. public companies and international companies listed on U.S. exchanges. Failure to comply with SOX can result in fines of up to 5 million dollars and up to 20 years of imprisonment of C-level executives accountable for SOX implementation. Other countries have similar laws: for example, Canada enacted a regulation known as Bill 198 and Japan established the aptly named J-SOX, and both are very similar to the "American" SOX in many parts.

SOX requires public companies to adopt Internal Controls over Financial Reporting (ICFR), and these controls include IT controls that affect financial reporting operations. The Act includes two sections that affect IT departments: Section 302 (15 U.S.C. § 7241: "Corporate Responsibility for Financial Reports") and Section 404 (15 U.S.C. § 7262: "Management Assessment of Internal Controls"). SOX defines three major requirements: establishment of controls, ongoing evaluation of controls (monitoring and testing), and disclosure ("auditability") of control effectiveness (including defects and weaknesses that can result in fraud). Manual implementation of these requirements can result in increased operational costs, while automation usually results in much lower compliance costs, increased efficiency, and other benefits.

The Sarbanes-Oxley Act does not provide any recommendations for implementation of SOX, and this is why several organizations created different standards of IT controls implementation. The most widely recognized IT-specific standards are COSO "Internal Control - Integrated Framework" endorsed by SEC and COBIT (Control Objectives for Information and Related Technology) created by ISACA (www.isaca.org).

NetWrix SOX Compliance Suite covers many requirements of both frameworks to sustain compliance and pass compliance audits. In general, this automated compliance solution helps to maintain established controls by tracking and reporting all changes in IT infrastructure for auditing purposes and implementing secure identity management practices to ensure system security.

SOX | NetWrix Implementation | Components | Reports

AI3: Acquire and Maintain Technology Infrastructure

AI3.2 Infrastructure Resource Protection and Availability

NetWrix Implementation: The NetWrix solution ensures auditability during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. The use of infrastructure components, such as Active Directory, Group Policy, file servers, and virtualization systems is monitored and can be easily evaluated. The NetWrix solution streamlines creation of reports for auditors, CCOs, security managers, and risk managers.

Components:
AD Change Reporter
Group Policy Change Reporter
File Server Change Reporter
Server Configuration Change Reporter
SQL Server Change Reporter
VMware Change Reporter

Reports:
AD Change Reporter / All Active Directory Changes
Group Policy Change Reporter / All Group Policy Changes
File Server Change Reporter / All File Server Changes
Server Configuration Change Reporter / All Server Changes
SQL Server Change Reporter / All SQL Server Changes
VMware Change Reporter / All VMware Changes

AI3.3 Infrastructure Maintenance

NetWrix Implementation: The NetWrix solution monitors and reports on changes in infrastructure systems (Active Directory, Group Policy, file servers, VMware servers, etc) to make sure they are controlled in line with the organization's change management procedure. The solution also includes capabilities for periodic reviews against business needs (e.g. recent changes in group membership and access rights), patch management (automatically tests that all currently required patches are installed on all managed servers), upgrade strategies, risks, vulnerabilities assessment and security requirements. The NetWrix solution streamlines creation of reports for auditors, CCOs, security managers, and risk managers.

Components:
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter
NetWrix Patch Reporter

Reports:
AD Change Reporter / All Active Directory Changes
Group Policy Change Reporter / All Group Policy Changes
File Server Change Reporter / All File Server Changes
Server Configuration Change Reporter / All Server Changes
SQL Server Change Reporter / All SQL Server Changes
VMware Change Reporter / All VMware Changes

AI3.4 Feasibility Test Environment

NetWrix Implementation: Development and test environments aim to support efficient feasibility and integration of infrastructure components. NetWrix solution provides an easy way to automatically document all changes made in test environments to replicate them in production environments.

Components:
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter

Reports:
AD Change Reporter / All Active Directory Changes
Group Policy Change Reporter / All Group Policy Changes
File Server Change Reporter / All File Server Changes
Server Configuration Change Reporter / All Server Changes
SQL Server Change Reporter / All SQL Server Changes
VMware Change Reporter / All VMware Changes

AI6: Manage Changes

AI6.3: Emergency Changes

NetWrix Implementation: Emergency changes that do not follow the established change processes must be documented and NetWrix helps to implement automated change documentation process to make sure no change goes undocumented. Even if your organization already has specialized management tools for making changes (e.g. Group Policy versioning system with check-in/checkout/approval capabilities), there is a chance that these tools can be bypassed in emergency situations and required changes made directly into the system. The NetWrix solution captures all changes at the system level, no matter what management tool is used.

Components:
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter

Reports:
AD Change Reporter / All Active Directory Changes
AD Change Reporter / All Active Directory Configuration Changes
AD Change Reporter / All Active Directory Schema Changes
Group Policy Change Reporter / All Group Policy Changes
Group Policy Change Reporter / Software Installation Policy Changes
Server Configuration Change Reporter / All Server Changes
File Server Change Reporter / All File Server Changes
SQL Server Change Reporter / All SQL Server Changes
SQL Server Change Reporter / Server Instance Changes
VMware Change Reporter / All VMware Changes
VMware Change Reporter / Clusters Removed

AI6.4: Change Status Tracking and Reporting

NetWrix Implementation: The NetWrix solution provides a reporting system to automatically document all changes in system components (e.g. servers, Active Directory, virtual machines), make sure that approved changes are implemented as planned, and, most importantly, no unauthorized changes take place.

Components:
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter

Reports:
AD Change Reporter / All Active Directory Changes
Group Policy Change Reporter / All Group Policy Changes
Group Policy Change Reporter / Security Policy Changes
Server Configuration Change Reporter / All Server Changes
File Server Change Reporter / All File Server Changes
File Server Change Reporter / Permission Changes
SQL Server Change Reporter / All SQL Server Changes
VMware Change Reporter / All VMware Changes

AI6.5: Change Closure and Documentation

NetWrix Implementation: Whenever changes are implemented, the associated system and user documentation and procedures must be updated accordingly. The NetWrix solution makes it easy to review all changes and make sure that all related aspects are reflected in the documentation.

Components:
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter

Reports:
AD Change Reporter / All Active Directory Changes
Group Policy Change Reporter / All Group Policy Changes
Server Configuration Change Reporter / All Server Changes
File Server Change Reporter / All File Server Changes
SQL Server Change Reporter / All SQL Server Changes
VMware Change Reporter / All VMware Changes

AI7: Install and Accredit Solutions and Changes

AI7.4: System and Data Conversion

NetWrix Implementation: As long as all changes are automatically documented (full audit trail is created in Active Directory, servers, physical and virtual machines) an organization can easily replicate changes from test environment to production and make sure that everything is done according to a previously tested implementation plan.

Components:
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter

Reports:
AD Change Reporter / All Active Directory Changes
Group Policy Change Reporter / All Group Policy Changes
Server Configuration Change Reporter / All Server Changes
File Server Change Reporter / All File Server Changes
SQL Server Change Reporter / All SQL Server Changes
VMware Change Reporter / All VMware Changes

AI7.7: Final Acceptance Test

NetWrix Implementation: The outcome of the testing process can be easily evaluated through review of changes in infrastructure components by business process owners and IT stakeholders.

Components:
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter

Reports:
AD Change Reporter / All Active Directory Changes
Group Policy Change Reporter / All Group Policy Changes
Server Configuration Change Reporter / All Server Changes
File Server Change Reporter / All File Server Changes
SQL Server Change Reporter / All SQL Server Changes
VMware Change Reporter / All VMware Changes

AI7.8: Promotion to Production

NetWrix Implementation: Full record of changes implemented on production environments can be reviewed to ensure it's in line with the implementation plan. Audit trails can be compared with those generated on the test environment to make sure everything went as planned.

Components:
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter

Reports:
AD Change Reporter / All Active Directory Changes
Group Policy Change Reporter / All Group Policy Changes
Server Configuration Change Reporter / All Server Changes
File Server Change Reporter / All File Server Changes
SQL Server Change Reporter / All SQL Server Changes
VMware Change Reporter / All VMware Changes

AI7.9: Post-implementation

Review

Post-implementation review is

greatly simplified by viewing all

changes made in affected

systems in a set of easy to use

reports targeting Active

Directory, servers, virtual

machines, and other systems.

AD Change Reporter

Group Policy Change Reporter

Server Configuration Change Reporter

File Server Change Reporter

SQL Server Change Reporter

VMware Change Reporter

AD Change Reporter/ All Active Directory Changes

Group Policy Change Reporter / All Group Policy Changes

Server Configuration Change Reporter/ All Server Changes

File Server Change Reporter/All File Server Changes

SQL Server Change Reporter/ All SQL Server Changes

VMware Change Reporter / All VMware Changes

DS3: Manage Performance and Capacity

DS3.5: Monitoring and

Reporting

NetWrix provides monitoring

tools for available disk space on

servers and service downtime for

selected system services to

ensure resilience, contingency,

current and projected workloads,

storage plans and resource

acquisition.

Disk Space Monitor,

Service Monitor

Disk Space Monitor daily report

Service Monitor daily report

DS4 Ensure Continuous Service

DS4.3: Critical IT Resources

The NetWrix solution provides

quick object-level and attribute-

level recovery capabilities for

Active Directory and file servers

to focus attention on items

specified as most critical in IT

infrastructure.

Active Directory Object Restore

Wizard

AD Change Reporter/ All Active

Directory Changes

DS5 Ensure Systems Security

DS5.3: Identity Management

- NetWrix solution complements standard mechanisms provided by Active Directory to ensure that all users and their activity on IT systems are uniquely identifiable, including situations when shared administrative accounts (e.g. local server admin accounts) are required.

- The self-service identity password management capabilities ensure secure verification (based on challenge response mechanism) of users even if they forget their passwords, in a cost-effective manner.

- The self-service group management capabilities provide an easy way of implementing access rights management and user entitlement according to current job functions. This ensures that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person, in a cost-effective manner.

Event Log Manager,

AD Change Reporter,

Server Configuration Change Reporter,

File Server Change Reporter,

VMware Change Reporter,

Server Configuration Change Reporter,

Password Manager,

Event Log Manager,

Privileged Account Manager

Event Log Manager/All Events by Date

AD Change Reporter/ All Active Directory Changes

AD Change Reporter / All Active Directory Changes by Object Type

Server Configuration Change Reporter/ All Server Changes by Date

File Server Change Reporter / All File Server Changes by Date

File Server Change Reporter / All File Server Changes by Type

VMware Change Reporter / All VMware Changes

Password Manager / Enrollment on-demand report

Event Log Manager/All Events by Date

Privileged Account Manager/ User Activity Report

DS5.4: User Account

Management

The self-service group

management capabilities make

it easy to implement an approval

procedure outlining the data or

system owner granting the

access privileges and perform

regular management review of

all accounts and related

privileges.

Privileged Account Manager

AD Change Reporter

Privileged Account Manager/

User Activity Report

AD Change Reporter/ All Active

Directory Changes

DS5.5: Security Testing,

Surveillance and Monitoring

NetWrix provides the logging

and monitoring function to

enable the early prevention

and/or detection and subsequent

timely reporting of unusual

and/or abnormal activities that

may need to be addressed.

Password Expiration Notifier

Event Log Manager

Password Expiration Notifier

daily report

Event Log Manager alerts

DS5.9: Malicious Software

Prevention, Detection and

Correction

NetWrix provides a tool to ensure that up-to-date security patches are in place across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

N/A

DS9: Manage the Configuration

DS9.x: Manage the

Configuration

The NetWrix solution monitors

and records all changes to

relevant information and

configuration items and is capable

of maintaining a baseline of

configuration items for all

systems and services. It also

simplifies periodic reviews of the

configuration data to verify and

confirm the integrity of the

current and historical

configuration, including

detection of unauthorized and

unlicensed software.

Server Configuration Change

Reporter

Server Configuration Change

Reporter/ All Server Changes

DS10: Manage Problems

DS10.2: Problem Tracking and

Resolution

NetWrix provides audit trail

facilities that allow tracking,

analyzing and determining the

root cause of all reported

problems for all configuration

items.

N/A

DS13: Manage Operations

DS13.3: IT Infrastructure Monitoring

The NetWrix solution collects chronological information that is stored in operation logs to enable reconstruction, review, and examination of the time sequences of operations and the other activities surrounding or supporting operations.

Event Log Manager,

Server Configuration Change Reporter,

Logon Reporter

Event Log Manager/All Events by Date

Server Configuration Change Reporter/ All Server Changes

Logon Reporter/Logon Reports

PCI Compliance

All vendors that accept credit cards are subject to PCI compliance. Failure to comply with PCI may result in fines, loss of reputation, and inability to accept major credit cards.

The following table summarizes requirements of PCI-DSS 1.2 compliance and shows how NetWrix provides a complete PCI compliance suite. The following PCI DSS requirements are covered:

#7 (Restrict access to cardholder data by business need-to-know)

#8 (Assign a unique ID to each person with computer access)

#10 (Track and monitor all access to network resources and cardholder data)

The rest must be covered by internal procedures (e.g. physical security, network perimeter security, testing and verification).

PCI | NetWrix Solution | Components | Report Mapping

7. Restrict access to cardholder data by business need-to-know

7.1 Limit access to system

components and cardholder

data to only those individuals

whose job requires such access.

Auditing functionality to monitor

all security-related changes in

Active Directory, Group Policy,

Exchange, file servers, SQL

Servers, virtualization

environments. Audited use of

high-privileged system accounts.

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

Privileged Account Manager

AD Change Reporter /

Administrative Group

Membership Changes

AD Change Reporter/ Object

Security Changes

File Server Change Reporter /

Permission Changes

SQL Server Change

Reporter/Object Changes

Privileged Account

Manager/User Activity

7.2 Establish a mechanism for

systems with multiple users that

restricts access based on a

user's need to know and is set

to "deny all" unless specifically

allowed.

Monitoring of files and folders and

their permissions, Active Directory

and Group Policy objects, SQL

Server security for early detection

of unauthorized changes to

security access settings (e.g.

granting of new permissions).

AD Change Reporter

File Server Change Reporter

SQL Server Change Reporter

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter/All Group Policy

Changes

File Server Change

Reporter/Permission Changes

SQL Server Change Reporter /

Login Changes

SQL Server Change Reporter /

Credential Changes

8. Assign a unique ID to each person with computer access

8.1 Assign all users with a

unique user name before

allowing them to access system

components or cardholder data.

Complete auditing of user logons

to analyze violations and prevent

usage of the same ID by multiple

persons (e.g. from different

computers).

Event Log Manager,

Logon Reporter

Event Log Manager/Logon

Reporter

Logon Reporter/All logon

reports

8.5.1 Control addition, deletion,

and modification of user IDs,

credentials and other identifier

objects.

Full auditing of user account

creations, deletions, password

resets, and modifications to all

user account attributes: in Active

Directory and SQL Server.

AD Change Reporter

SQL Server Change Reporter

AD Change Reporter / User

Accounts Created

AD Change Reporter / All

Active Directory Changes

SQL Server Change Reporter/

Login Changes

SQL Server Change Reporter /

User Changes

8.5.2 Verify user identity before

performing password resets.

Web-based challenge-response

system based on verification

question/answer pairs selected by

users upon enrollment, with full

control over the number of

required verification answers. The

same data can be used by help

desk personnel to assist with

password resets on the phone.

Password Manager

Password Manager/User

Enrollment on-demand report

8.5.3 Set first-time passwords

to a unique value for each user

and change immediately after

the first use.

Auditing of all newly created user

accounts and their initial attributes

(including "must change at next

logon") to prevent violations.

AD Change Reporter

AD Change Reporter/ User

Account Modifications

8.5.4 Immediately revoke

access for any terminated users.

Auditing of disabled accounts,

automated de-provisioning of

inactive user accounts.

AD Change Reporter

Inactive Users Tracker

AD Change Reporter/ Users

Disabled

Inactive Users Tracker/Daily

report

8.5.5 Remove or disable

inactive user accounts at least

every 90 days.

Automated disabling and removal with full reporting.

Inactive Users Tracker

Inactive Users Tracker/Daily report

8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed.

Auditing of account creation, enabling, disabling, and deletion, with time stamps to analyze their lifetime.

AD Change Reporter

SQL Server Change Reporter

AD Change Reporter / User Account Modifications

SQL Server Change Reporter / Login Changes

SQL Server Change Reporter / User Changes

8.5.7 Communicate password

procedures and policies to all

users who have access to

cardholder data.

Automatic customizable reminders

for expiring passwords, redirection

to password requirements

document if user enters "weak"

password during reset.

Password Expiration Notifier

Password Manager

Password Expiration

Notifier/Daily report, User

notification reports

Password Manager/User

Activity on-demand report

8.5.8 Do not use group, shared,

or generic accounts and

passwords.

Full auditing of account use (find

all actions done under a shared

account and help eliminate its

usage) and delegated access with

account checkout/check-in

concept.

AD Change Reporter

File Server Change Reporter

Privileged Account Manager

AD Change Reporter/ All

Active Directory Changes by

User

File Server Change Reporter/

All File Server Changes by

User

Privileged Account

Manager/User activity report

8.5.9 Change user passwords at

least every 90 days.

Audits changes to password policy

settings in Active Directory,

automatically reminds users about

impending password expirations,

provides easy way to change

passwords to minimize the number

of help desk calls.

Group Policy Change Reporter

Password Expiration Notifier

Password Manager

Group Policy Change

Reporter/ All Password Policy

Changes

Password Expiration

Notifier/Daily report

Password Manager/User

Activity on-demand report

8.5.10 - 8.5.12 Password

complexity requirements

(Require a minimum password

length of at least seven

characters, Use passwords

containing both numeric and

alphabetic characters, Do not

allow an individual to submit a

new password that is the same

as any of the last four

passwords he or she has used).

Audits changes to password

policies in Active Directory,

implements self-service password

reset functionality to help users

with forgotten passwords without

involvement of help desk

personnel.

Group Policy Change Reporter

Password Manager

Group Policy Change

Reporter/ All Password Policy

Changes

Password Manager/User

Activity on-demand report

8.5.13 Limit repeated access

attempts by locking out the user

ID after not more than six

attempts.

Complements the built-in AD

mechanism with extensive account

lockout troubleshooting

capabilities to resolve false

positives and prevent user

frustration and system downtime.

Auditing of account unlock and

password reset operations to

monitor unauthorized access.

Account Lockout Examiner

AD Change Reporter/ User

Account Modifications

8.5.14 Set the lockout duration

to thirty minutes or until

administrator enables the user

ID.

Auditing of account lockout policy

changes to prevent non-compliant

policy changes.

Group Policy Change Reporter

Group Policy Change

Reporter/ Account Lockout

Policy Changes

8.5.16 Authenticate all access

to any database containing

cardholder data. This includes

access by applications,

administrators, and all other

users.

Auditing of changes to database

logins and roles, SQL server

security settings.

SQL Server Change Reporter

SQL Server Change Reporter/

Login Changes, Roles

Changes, Credential Changes,

User Changes

10. Track and monitor all access to network resources and cardholder data

10.1 Establish a process for

linking all access to system

components (especially those

done with administrative

privileges such as root) to each

individual user.

Full-featured auditing and

reporting of all administrative

activity within Active Directory,

Group Policy, file servers,

virtualization environments, SQL

Server, etc. Detection of who

changed what, when, and where.

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

AD Change Reporter/ All

Active Directory Changes

Group Policy Change Reporter

/ All Group Policy Changes

SQL Server Change Reporter/

All SQL Server Changes

File Server Change

Reporter/All File Server

Changes

VMware Change Reporter/All

VMware Changes

10.2 Implement automated

audit trails to reconstruct the

required events.

Complete audit trail processing

capabilities for servers and

workstations, both user-initiated

and administrative activity.

Event Log Manager

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

AD Change Reporter/ All

Active Directory Changes

File Server Change

Reporter/All File Server

Changes

VMware Change Reporter/All

VMware Changes

SQL Server Change Reporter/

All SQL Server Changes

Event Log Manager / All

Events by Date

10.3 Record at least the following audit trail entries for all system components for each event: User identification, Type of event, Date and time, Success or failure indication, Origination of event, Identity or name of affected data, system component, or resource.

Full information of every change: who changed what, when, where, in Active Directory, File Server, virtual machines, SQL Servers.

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

AD Change Reporter / All Active Directory Changes

File Server Change Reporter /All File Server Changes

VMware Change Reporter / All VMware Changes

SQL Server Change Reporter/ All SQL Server Changes

10.5 Secure audit trails so they

cannot be altered.

Securable file-based storage with

optional SQL Server storage. Full

featured role based access to all

reports. Centralized collection,

archiving, and consolidation of

event logs to secure file-based

storage.

All modules

All reports

10.6 Review logs for all system

components at least daily.

Full-featured web-based

reporting functionality with

predefined reports and ability to

create custom reports on any type

of collected data. Out-of-the box

reports scheduled daily and sent

via e-mail for review.

All modules

All reports

10.7 Retain audit trail history

for at least one year, with a

minimum of three months

immediately available for

analysis.

Unlimited storage capabilities

with efficient storage use to store

up to 8 years of past audit trails

and history of changes to system

components and security settings.

Full-featured web-based

reporting for immediate access to

all required data.

Event Log Manager

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

All reports

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress that aim to safeguard protected health information (PHI) by regulating healthcare providers. HIPAA has been around since 1996 but was never taken seriously until the new act called HITECH (the Health Information Technology for Economic and Clinical Health Act), which becomes effective in February 2010, was enacted. The original HIPAA includes two sections: Title I is mostly about protecting workers' healthcare coverage in case they change or lose their jobs, and HIPAA Title II, also known as Administrative Simplification (AS), is all about protection of patient data (section 164). The HITECH Act further extends HIPAA with additional provisions.

From an IT department's standpoint, a typical HIPAA/HITECH implementation is based on the following core principles aimed at providing transparency and accountability (auditability) of regulated data and systems:

Identity management and access control: to ensure that data is only accessible by personnel that have a business need.

System configuration control: tracking of administrative activities.

Monitoring of access to data: knowledge of who accessed what data and when, and review on a regular basis.

Data handling and encryption control: protection of data in storage and during transfers.

Meeting the requirements of HIPAA/HITECH requires all healthcare organizations to set up processes and controls that ensure security and integrity of PHI. The ability to show that PHI is secured through reliable access control and monitoring is key to ensuring a successful HIPAA audit.

The following table summarizes requirements set forth in part 164 of C.F.R. 45 of HIPAA and shows how NetWrix provides a HIPAA/HITECH suite to sustain compliance. Items marked with 'R' are required. Items marked with 'A' are "addressable": that means they must be either fully implemented or the reason why they were not implemented must be clearly documented.

HIPAA | NetWrix Solution | Components | Reports

§ 164.308: Administrative Safeguards

R: 164.308(a)(1)(ii)(D) Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Extensive auditing and reporting on both administrative and user activity in Active Directory, Group Policy, Exchange, the file servers, virtual environments (VMware, Microsoft), SQL Servers. Detection of who did what, when, and where with advanced rollback capabilities of unauthorized actions. Centralized consolidation and archival of audit trails with web-based reporting using predefined and custom-built reports covering all major types of activities: logins, logoffs, user account operations, file access on servers, workstations, both successful and failed.

Event Log Manager

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

Non-owner Mailbox Access Reporter

SQL Server Change Reporter

AD Change Reporter/ All Active Directory Changes

File Server Change Reporter/All File Server Changes

VMware Change Reporter/All VMware Changes

SQL Server Change Reporter/ All SQL Server Changes

Event Log Manager/All Events by Date

Non-owner Mailbox Access Reporter/Daily reports

A: 164.308(a)(3)(ii)(C) Termination procedures:

Implement procedures for

terminating access to

electronic protected health

information when the

employment of a workforce

member ends.

Auditing of disabled accounts,

automated de-provisioning of

inactive user accounts. Automated

disabling and removal with full

reporting.

AD Change Reporter

Inactive Users Tracker

AD Change Reporter / Users

Disabled

Inactive Users Tracker/Daily

report

R: 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions: If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

Auditing of all types of changes and access to critical data and security-related settings in Active Directory, file servers, virtual machines, databases, to make sure that no members of larger organization change or access data of its child organization. Prevention of external media usage.

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

USB Blocker

AD Change Reporter / All Active Directory Changes

File Server Change Reporter / All File Server Changes

VMware Change Reporter / All VMware Changes

SQL Server Change Reporter / All SQL Server Changes

USB Blocker/*

A: 164.308(a)(4)(ii)(C) Access establishment and

modification: Implement

policies and procedures that,

based upon the entity's access

authorization policies,

establish, document, review,

and modify a user's right of

access to a workstation,

transaction, program, or

process.

Complete auditing and automated

change documentation for all types

of access rights, privileges, and

policies that control access to

workstations, programs,

transactions, and other systems.

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

AD Change Reporter/ All

Active Directory Changes

File Server Change

Reporter/All File Server

Changes

VMware Change Reporter/All

VMware Changes

SQL Server Change Reporter/

All SQL Server Changes

A: 164.308(a)(5)(ii)(C) Log-in Monitoring:

Procedures for monitoring

log-in attempts and reporting

discrepancies.

Centralized consolidation and easy

to use reporting of all successful

and failed logon/logoff activities

with extensive filtering capabilities.

Logon Reporter

Logon Reporter / Successful

User Logons

Logon Reporter / User Logoffs

A: 164.308(a)(5)(ii)(D) Password Management:

Procedures for creating,

changing, and safeguarding

passwords.

Auditing of all password changes.

Workflow-based control of

privileged account use. Self-service

password management for end

users with customizable password

security settings and secure access

based on user identity verification.

Prevention of excessive help desk

calls related to secure password

policies.

AD Change Reporter

Event Log Manager

Password Manager

Privileged Account Manager

Password Expiration Notifier

Event Log Manager /

Password Changes by User

Event Log Manager /

Administrative Password

Resets

Password Manager/User

Activity on-demand report

Password Expiration Notifier/Daily report, User notification reports

AD Change Reporter/

Password Changes by User

AD Change Reporter /

Administrative Password

Resets

Privileged Account

Manager/User Activity

R: 164.308(a)(6)(ii) Response and Reporting:

Identify and respond to

suspected or known security

incidents; mitigate, to the

extent practicable, harmful

effects of security incidents

that are known to the covered

entity; and document security

incidents and their outcomes.

Auditing of all administrative and

user activities with configurable

alerts and reporting that documents

all security incidents and helps with

early detection and prevention of

further security incidents.

AD Change Reporter

File Server Change Reporter

Event Log Manager

Event Log Manager/All Events

by Date

File Server Change Reporter /

Permission Changes

AD Change Reporter/ Security

Group Modifications

AD Change Reporter / Object

Security Changes

R: 164.308(a)(7)(ii)(B) Disaster recovery plan:

Establish (and implement as

needed) policies and

procedures for responding to

an emergency or other

occurrence.

Quick rollback of unauthorized and

accidental changes to Active

Directory objects, including restore

of deleted objects. File versioning

and restore capabilities based on

Volume Shadow Copy services.

AD Object Restore Wizard

File Server Change Reporter

AD Change Reporter/ All

Active Directory Changes

File Server Change Reporter /

All File Server Changes

§ 164.312: Technical Safeguards

R: 164.312(a)(2)(i) Unique user identification:

Assign a unique name and/or

number for identifying and

tracking user identity.

In addition to standard AD user

authentication, shared accounts

used for administration and

applications are audited and

associated with individual user

identities through password check

out concept.

Privileged Account Manager

Privileged Account

Manager/User Activity

R: 164.312(b) Audit Controls: Implement

hardware, software, and/or

procedural mechanisms that

record and examine activity in

information systems that

contain or use electronic

protected health information.

Auditing, archiving, and reporting

of access to the protected health

information, auditing of privileged

access, changes to security-related

settings, and all other significant

security events, intrusions, and

anomalies.

AD Change Reporter

File Server Change Reporter

Event Log Manager

Event Log Manager/All Events

by Date

AD Change Reporter/ Security

Group Modifications

AD Change Reporter / Object

Security Changes

File Server Change Reporter /

Permission Changes

R: 164.312(d) Person or entity

authentication: Implement

procedures to verify that a

person or entity seeking

access to electronic protected

health information is the one

claimed.

In addition to standard AD

authentication, all users can be

verified using question/answer

(challenge/response) system to

verify their identity when they

forget their passwords (e.g. verify

user's badge ID and/or mother's

maiden name). This ensures that all

password reset requests are

authorized and cannot be initiated

by malicious person acting on

behalf of someone else.

Password Manager

Password Manager/User

Enrollment on-demand report

§ 164.528 Accounting of disclosures of protected health information.

R: 164.528(a) Right to an accounting of

disclosures of protected health

information: An individual

has a right to receive an

accounting of disclosures of

protected health information

made by a covered entity in

the six years prior to the date

on which the accounting is

requested.

Holding records of all activities for

6 years and more to be able to fully

reconstruct all activities and access

attempts to protected health

information upon request.

All products

All reports

GLBA Compliance

The Gramm-Leach-Bliley Act (GLBA) of 1999 was enacted to improve the financial industry through removal of regulations that prevented mergers of different types of financial institutions (e.g. banks and insurance companies), with the goal of opening up competition between companies and modernizing the financial services industry.

Section 501(b) of GLBA contains important provisions aimed at protection of information. Information is one of a financial institution's most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution.

Section 501(b) compliance is sometimes referred to as FFIEC compliance after the name of the Federal Financial Institutions Examination Council (FFIEC) that created a document called FFIEC Examination Handbook for Information Security to help GLBA auditors perform adequate compliance audits. The table below summarizes the requirements of section 501(b) as per the FFIEC Handbook (document body and Appendix A) and shows how NetWrix provides a complete solution to these requirements.

GLBA NetWrix Solution Components Reports

ACCESS CONTROL: Access rights administration (Tier I: Objectives 4 & 7, Tier II: Section A)

Reviewing periodically

user's access rights at an

appropriate frequency based

on the risk to the application

or system: A monitoring

process to oversee and

manage the access rights

granted to each user on the

system (p. 23).

Extensive auditing and reporting of changes to user accounts, security and distribution groups, policies, permissions, and other objects that control access to information in Active Directory, Group Policy, Exchange, file servers, virtual environments (VMware, Microsoft), and SQL Servers. Detection of who did what, when, and where with advanced rollback capabilities of unauthorized actions.

AD Change Reporter

Group Policy Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

AD Change Reporter/ All

Active Directory Changes

File Server Change

Reporter/All File Server

Changes

VMware Change

Reporter/All VMware

Changes

SQL Server Change

Reporter/ All SQL Server

Changes

Group Policy Change

Reporter/All Group Policy

Changes

Logging and auditing the

use of privileged access (p.

24).

Centralized consolidation and archival of audit trails with web-based reporting using predefined and custom-built reports covering all major types of privileged access, both successful and failed: logins, logoffs, access to mailboxes, user account operations, file access.

Event Log Manager

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

Non-owner Mailbox Access

Reporter

SQL Server Change Reporter

AD Change Reporter/ All

Active Directory Changes

File Server Change Reporter

/ All File Server Changes

File Server Change Reporter/

Successful File Reads

VMware Change

Reporter/All VMware

Changes

SQL Server Change

Reporter/ All SQL Server

Changes

Event Log Manager/All

Events by Date

Non-owner Mailbox Access

Reporter/Daily reports

Reviewing privileged access

rights at appropriate

intervals and regularly

reviewing privilege access

allocations (p. 24).

Complete auditing of all changes to access rights and privileges with an archiving feature that allows review of all changes at any time for the requested time frame.

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

File Server Change Reporter/

Successful File Reads

VMware Change Reporter /

All VMware Changes

SQL Server Change

Reporter/ All SQL Server

Changes

AD Change Reporter/ All

Active Directory Changes

File Server Change

Reporter/All File Server

Changes

Prohibiting shared

privileged access by

multiple users (p. 24).

Privileged account management system to ensure that every access attempt under a shared account is assigned to an individual account and properly audited.

Privileged Account Manager

Privileged Account Manager

/ User Activity

ACCESS CONTROL: Authentication (Tier I: Objective 4, Tier II: Section A)

The user should select them

without any assistance from

any other user, such as the

help desk.

Web-based self-service password management system that operates without intervention of human personnel to prevent sharing of passwords during password resets, while enforcing full compliance with required password policies (such as password strength, prevention of reuse, etc.).

Password Manager

Password Manager / User

Activity on-demand report

Authentication systems

should force changes to

shared secrets on a schedule

commensurate with risk.

Complementary to the built-in

password expiration mechanism in

Active Directory, NetWrix solution

minimizes administrative burden

related to expired passwords for users

who are never prompted to change

Password Expiration Notifier

Password Expiration Notifier

/ Daily report, User

notification reports

their password by the system (e.g.

remote users, VPN clients, non-

Windows clients).

Prevention of attacks that

target a specific account and

submits passwords until the

correct password is

discovered.

Complementary to the built-in account lockout mechanism in Active Directory, NetWrix solution helps to reduce the effects of false positives by proactive monitoring and resolution of account lockout incidents.

Account Lockout Examiner N/A

A policy that forbids the

same or similar password on

particular network devices.

Privileged account management

system that automatically generates

random passwords and assigns

different passwords to different

systems on a scheduled basis.

Privileged Account Manager

Privileged Account Manager

/ User Activity

ACCESS CONTROL: Network Access (Tier I: Objective 4, Tier II: Section B)

Cross-domain network

access monitoring to detect

security incidents and

unauthorized activity.

Not provided; a hardware or software-based firewall must be used to separate and audit clearly defined network segments called domains (e.g. DMZ and internal network). Network domains are not Active Directory domains per the Handbook (some vendors mistakenly confuse these concepts).

N/A N/A

ACCESS CONTROL: Operating system access (Tier I: Objective 4, Tier II: Section C)

Restricting and monitoring

privileged access.

Auditing of all types of access to

critical data and security-related

settings in Active Directory, file

servers, virtual machines, databases,

AD Change Reporter

File Server Change Reporter

VMware Change Reporter

SQL Server Change Reporter

AD Change Reporter / All

Active Directory Changes

AD Change Reporter /

to make sure no change falls under the

radar.

Object Security Changes

File Server Change Reporter

/ All File Server Changes

File Server Change Reporter

/ Successful File Reads

VMware Change Reporter /

All VMware Changes

SQL Server Change Reporter

/ All SQL Server Changes

Logging and monitoring

user or program access to

sensitive resources and

alerting on security events.

Centralized consolidation and easy-to-use reporting of security events with extensive filtering capabilities and user-friendly reports. Ability to subscribe to reports generated on schedule.

Event Log Manager

File Server Change Reporter

File Server Change Reporter

/ All File Server Changes

File Server Change Reporter/

Successful File Reads

Event Log Manager/All

Events by Date

Update operating systems

with security patches and

using appropriate change

control mechanisms.

Complementary to a patch management system such as WSUS, NetWrix provides a tool to report on patch compliance for a defined set of patches and updates. This tool can be used to verify patch deployment status on multiple systems in bulk.

NetWrix Patch Reporter N/A

Log user or program access

to sensitive system

resources including files,

Audit trail archiving and

consolidation to track access to files

and programs. Monitoring of user

File Server Change Reporter

Server Configuration Change

Reporter

File Server Change

Reporter/All File Server

Changes

programs, processes, or

operating system

parameters.

activities related to changes to system

parameters.

Event Log Manager

File Server Change Reporter/

Successful File Reads

Event Log Manager/All

Events by Date

Server Configuration Change

Reporter/ All Server Changes

Filter logs for potential

security events and provide

adequate reporting and

alerting capabilities.

Extensive event log collection system with filtering, reporting, and real-time alerting capabilities to ensure that critical security events never happen unnoticed.

Event Log Manager

Event Log Manager / All

Events by Date

Event Log Manager / Real-

time Alerts

Lock or remove external

drives from system consoles

or terminals residing outside

physically secure locations.

Easy to configure policy-based

blocking of external peripheral

devices that requires no routine

management tasks.

USB Blocker N/A

Monitor operating system

access by user, terminal,

date, and time of access.

Auditing of access to all types of

systems with reporting of who did

what and when.

AD Change Reporter

Event Log Manager

File Server Change Reporter

SQL Server Change Reporter

AD Change Reporter/ All

Active Directory Changes

File Server Change

Reporter/All File Server

Changes

File Server Change Reporter/

Successful File Reads

SQL Server Change

Reporter/ All SQL Server

Changes

Event Log Manager/All

Events by Date

ACCESS CONTROL: Application access (Tier I: Objective 4, Tier II: Section G)

Monitoring access rights to

ensure they are the

minimum required for the

user's current business

needs.

Monitoring of security group membership, privileges, and access rights to ensure that no excessive rights are given and no rights are given without proper authorization.

AD Change Reporter

Group Policy Change Reporter

File Server Change Reporter

AD Change Reporter/

Administrative Group

Membership Changes

AD Change Reporter /

Security Group

Modifications

Group Policy Change

Reporter / Security Policy

Changes

File Server Change Reporter

/ Permission Changes

Logging access and security

events.

Auditing of all administrative and

user activities with configurable alerts

and reporting that documents all

security incidents and helps with early

detection and prevention of further

security incidents.

AD Change Reporter

File Server Change Reporter

Event Log Manager

AD Change Reporter /

Administrative Group

Membership Changes

File Server Change Reporter

/ All File Server Changes

File Server Change Reporter/

Successful File Reads

Event Log Manager / All

Events by Date

Using software that enables

rapid analysis of user

Real-time alerting and scheduled

reporting of different types of user

Event Log Manager

AD Change Reporter

AD Change Reporter /

Administrative Group

activities.

activities, such as logons, changes to files and permissions, changes to system configurations.

File Server Change Reporter

Membership Changes

File Server Change

Reporter/All File Server

Changes

File Server Change Reporter/

Successful File Reads

Event Log Manager/All

Events by Date

Maintaining consistent

processes for promptly

removing access to

departing employees.

Routine detection of inactive user accounts and automatic deactivation based on specified thresholds to ensure that no accounts remain active for terminated and reassigned employees.

Inactive Users Tracker

Inactive Users Tracker /

Daily report

ACCESS CONTROL: Remote access (Tier I: Objective 4)

Tightly controlling remote

access rights through

management approvals and

subsequent audits.

Regularly review remote

access approvals and

rescind those that no longer

have a compelling business

justification.

Auditing of dial-in and VPN access on user accounts. Predefined reports that show newly granted remote access rights to users. Ability to review all remote access permissions granted within a specific timeframe.

AD Change Reporter

AD Change Reporter /Dial-in

Access Modifications

Logging and monitoring all

remote access

communications. Log and

monitor the date, time, user,

user location, duration, and

Auditing of logins, remote desktop

connections, and other types of

remote access with full information

on who logged in and when, source IP

address, etc.

Event Log Manager

Logon Reporter

Logon Reporter/All logon

reports

Event Log Manager/All

Events by Date

purpose for all remote

access.

SECURITY MONITORING (Tier I, Objective 6, Tier II: Section M)

Analyzing the results of

monitoring to accurately

and quickly identify,

classify, escalate, report,

and guide responses to

security events.

Web-based reporting system with

predefined reports and ability to

create custom reports for specific

analysis needs.

AD Change Reporter

File Server Change Reporter

SQL Server Change Reporter

VMware Change Reporter

Event Log Manager

AD Change Reporter/ All

Active Directory Changes

File Server Change

Reporter/All File Server

Changes

File Server Change Reporter/

Successful File Reads

VMware Change

Reporter/All VMware

Changes

SQL Server Change

Reporter/ All SQL Server

Changes

Monitoring network and

host activity to identify

policy violations and

anomalous behavior.

Complete auditing of user and

administrative activities, including

logons, access to data and

configuration.

AD Change Reporter

File Server Change Reporter

Event Log Manager

Logon Reporter

AD Change Reporter/ All

Active Directory Changes

File Server Change

Reporter/All File Server

Changes

File Server Change Reporter/

Successful File Reads

Logon Reporter/All logon

reports

Event Log Manager/All

Events by Date

Monitoring host and

network condition to

identify unauthorized

configuration and other

conditions which increase

the risk of intrusion or other

security events.

Complete auditing of changes in server configurations, Active Directory, Group Policy to detect unauthorized or accidental changes that might open security holes and other possibilities for attacks.

AD Change Reporter

Group Policy Change Reporter

Server Configuration Change

Reporter

AD Change Reporter /

Administrative Group

Membership Changes

AD Change Reporter /

Security Group

Modifications

Group Policy Change

Reporter / Security Policy

Changes

Server Configuration Change

Reporter/ All Server Changes

FISMA Compliance

The Federal Information Act of 2002 (FISMA), enacted as Title III of the E-Government Act of 2002, was established to address the importance of information security related to both the economic and national security interests of the United States. The Act, which has forged a thorough structure by which information security controls can be judged based upon their effectiveness and comprehensiveness, maintains minimum security requirements and controls to be abided by all federal agencies.

NetWrix Corporation provides a comprehensive line of auditing solutions that can be used to promote adherence to the following FISMA requirements:

Control

Number Requirement NetWrix Provides NetWrix Solution Reports

FAMILY: Access Control CLASS: Technical

AC-2

The organization manages

information system accounts,

including establishing, activating,

modifying, reviewing, disabling,

and removing accounts. The

organization reviews information

system accounts at least annually.

Automated and consolidated

auditing and reporting of all

account management activities

in Active Directory, Group

Policy, Exchange, SQL server

database, file server,

SharePoint and virtual

environment changes, as well

as logon activities. Reports

include information about

who made changes to what

accounts, when and where

those changes were made.

Reports include all

established, activated,

modified, disabled, and

removed accounts, and

streamline the annual review

Change Reporter family

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

Policy Changes

File Server Change

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

process.

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

AC-3

The information system enforces

assigned authorizations for

controlling access to the system in

accordance with applicable policy.

Complete Active Directory,

Group Policy, and file server

change auditing that notifies

administrators via report in

any instance of user rights

modifications. Reports can be

used as audit trail for auditors.

Active Directory Change

Reporter

Group Policy Change

Reporter

File Server Change

Reporter

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

Policy Changes

File Server Change

Reporter / All File Server

Changes

AC-5

The information system enforces

separation of duties through

assigned access authorizations.

Tracking of all user logons

and separation of duties via

individual user IDs to ensure

clearly identifiable users at all

times, even if the accounts are

shared between multiple

employees.

Logon Reporter

Privileged Account

Manager

Logon Reporter/All logon

reports

Privileged Account

Manager / User Activity

AC-7

The information system enforces a

limit of X consecutive invalid

access attempts by a user during a

NetWrix solutions minimize

costs associated with

implementation of strong

Account Lockout Examiner

Identity Management Suite

Inactive Users Tracker /

Daily report

[organization-defined] time

period. The information system

automatically locks the

account/node for an [organization-

defined time period] or delays next

login prompt according to

[organization-defined delay

algorithm] when the maximum

number of unsuccessful attempts is

exceeded.

password policies. Automated alerts are sent to administrators on all account lockouts, scheduled reports are sent with all logon activities, including failed attempts, and self-service password management tools allow end users to reset their passwords securely and without contacting IT help desk. Automated monitoring of policy changes captures all unauthorized changes to password policies.

Logon Reporter

Group Policy Change

Reporter

Privileged Account

Manager / User Activity

Password Expiration

Notifier/Daily report,

User notification reports

AD Change Reporter/

User Account

Modifications

Logon Reporter/Failed

Logon Attempts

Group Policy Change

Reporter / Password

Policies

AC-13

The organization supervises and

reviews the activities of users with

respect to the enforcement and

usage of information system

access controls.

Automated reports notify

predetermined report

recipients of all user activities

and can be archived for

historical review or used as

comprehensive audit trail for

FISMA auditors.

Change Reporter family

Logon Reporter

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

Policy Changes

File Server Change

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

Logon Reporter/All logon

reports

AC-19

The organization: (i) establishes

usage restrictions and

implementation guidance for

organization-controlled portable

and mobile devices; and (ii)

authorizes, monitors, and controls

device access to organizational

information systems.

Complete reporting and audit

trails that audit and optionally

all mobile devices that

connect to peripheral ports.

USB Blocker N/A

FAMILY: Audit and Accountability CLASS: Technical

AU-2

The information system generates

audit records for the following

events: [organization-defined

auditable events].

Auditing and reporting of all

types of events, including

login events, access control,

identity management

administration, file access

Change Reporter family

Identity Management Suite

Event Log Manager

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

events, and other generic

events defined by

organization.

Logon Reporter

Policy Changes

File Server Change

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

Inactive Users Tracker /

Daily report

Privileged Account

Manager / User Activity

Password Expiration

Notifier/Daily report,

User notification reports

Event Log Manager/All

Events by Date

Logon Reporter/All logon

reports

AU-3

The information system produces

audit records that contain

sufficient information to establish

what events occurred, the sources

of the events, and the outcomes of

the events.

Complete reports include who,

what, when and where each

change occurred, as well as

the current and new values of

every system modification.

Change Reporter family

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

Policy Changes

File Server Change

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

AU-4

The organization allocates

sufficient audit record storage

capacity and configures auditing to

reduce the likelihood of such

capacity being exceeded.

Automated auditing and reporting at custom intervals. All reports are consolidated, compressed and stored in a centralized location to minimize CPU and memory usage. An additional tool is provided to monitor available disk space and alert on low disk space conditions.

Disk Space Monitor

Disk Space Monitor daily

report

AU-5

The information system alerts

appropriate organizational officials

in the event of an audit processing

failure and takes the following

additional actions: [organization-

defined actions to be taken (e.g.,

shut down information system,

overwrite oldest audit records,

stop generating audit records)].

Alerts are sent when audit log

overwrite occurs or any

changes in audit log overwrite

policies are detected. In

addition to that, all audit data

is archived for a specified

period of time for viewing at a

later date even if the original

event logs are lost.

Event Log Manager

Server Configuration

Change Reporter

Event Log Manager/All

Events by Date

Event Log Manager/

Audit Log Cleared

Server Configuration

Change Reporter / All

Server Changes by Date

AU-6

The organization regularly

reviews/analyzes information

system audit records for

indications of inappropriate or

unusual activity, investigates

suspicious activity or suspected

violations, reports findings to

appropriate officials, and takes

All significant activities are

audited, reported and sent in

daily E-mails for review of

any unusual activity.

Extensive collection of

predefined reports is available

out of the box with ability to

create custom reports and

Active Directory Change

Reporter

Change Reporter Suite

Event Log Manager

Logon Reporter

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

Policy Changes

File Server Change

necessary actions.

make them available for regular reviews.

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

Event Log Manager/All

Events by Date

Logon Reporter/All logon

reports

AU-7

The information system provides

an audit reduction and report

generation capability.

All change management

solutions produce automated

audit reports for E-mail or

in-console viewing. The

change auditing solutions

Change Reporter family

Event Log Manager

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

remove unnecessary "noise"

events that administrators

deem insignificant, allowing

for simplified manual review.

Policy Changes

File Server Change

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

Event Log Manager/All

Events by Date

AU-8

The information system provides

time stamps for use in audit record

generation.

Timestamps are available for

every audited event and alert.

Change Reporter family

Event Log Manager

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

Policy Changes

File Server Change

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

Event Log Manager/All

Events by Date

AU-9

The information system protects

audit information and audit tools

from unauthorized access,

modification, and deletion.

Protection via permissions and

access rights that audit

information maintained by all

NetWrix solutions.

All NetWrix Products N/A

AU-10

The information system provides

the capability to determine

whether a given individual took a

particular action.

Audit reports notify administrators of exactly who took what actions and made what changes.

Change Reporter family

AD Change Reporter/ All

Active Directory Changes

Group Policy Change

Reporter / All Group

Policy Changes

File Server Change

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

AU-11

The organization retains audit

records for [organization-defined

time period] to provide support for

Reports can be archived for a

specified amount of time for

viewing at a later date. 10

Change Reporter family

AD Change Reporter/ All

Active Directory Changes

after-the-fact investigations of

security incidents and to meet

regulatory and organizational

information retention

requirements.

years and more can be kept in long-term archive and quickly made available for after-the-fact investigations of security incidents.

Group Policy Change

Reporter / All Group

Policy Changes

File Server Change

Reporter / All File Server

Changes

Server Configuration

Change Reporter/ All

Server Changes

SQL Server Change

Reporter/ All SQL Server

Changes

VMware Change

Reporter/All VMware

Changes

Exchange Change

Reporter/ All MS

Exchange Changes

SharePoint Change

Reporter/ All SharePoint

Changes

FAMILY: Certification, Accreditation, and Security Assessments CLASS: Management

CA-7

The organization monitors the security controls in the information system on an ongoing basis.

Daily reports show all changes to security controls and policies. Many predefined reports are available to simplify the ongoing review processes.

Change Reporter family

AD Change Reporter / All Active Directory Changes

Group Policy Change Reporter / All Group Policy Changes

File Server Change Reporter / All File Server Changes

Server Configuration Change Reporter / All Server Changes

SQL Server Change Reporter / All SQL Server Changes

VMware Change Reporter / All VMware Changes

Exchange Change Reporter / All MS Exchange Changes

SharePoint Change Reporter / All SharePoint Changes

FAMILY: Configuration Management CLASS: Operational

CM-3

The organization authorizes, documents, and controls changes to the information system.

All changes to the information system are documented and archived in easy to read audit reports that show who changed what, when, and where and show full details about all changes. Some types of unauthorized changes can be automatically rolled back to their original states.

Change Reporter family

AD Change Reporter / All Active Directory Changes

Group Policy Change Reporter / All Group Policy Changes

File Server Change Reporter / All File Server Changes

Server Configuration Change Reporter / All Server Changes

SQL Server Change Reporter / All SQL Server Changes

VMware Change Reporter / All VMware Changes

Exchange Change Reporter / All MS Exchange Changes

SharePoint Change Reporter / All SharePoint Changes

CM-4

The organization monitors changes to the information system conducting security impact analyses to determine the effects of the changes.

Convenient change monitoring capabilities, ensuring that all modifications are available for security impact analysis in an easy to understand format showing what was changed and what configuration settings existed before changes.

Change Reporter family

AD Change Reporter / All Active Directory Changes

Group Policy Change Reporter / All Group Policy Changes

File Server Change Reporter / All File Server Changes

Server Configuration Change Reporter / All Server Changes

SQL Server Change Reporter / All SQL Server Changes

VMware Change Reporter / All VMware Changes

Exchange Change Reporter / All MS Exchange Changes

SharePoint Change Reporter / All SharePoint Changes

CM-5

The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes.

Workflow-based approvals and access right granting to monitor access privileges and changes.

Self-Service Group Manager

N/A

CM-6

The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.

Adherence to all Group Policy and event log management configuration settings. All changes to policy settings are detected and highlighted in detailed reports for granular control and enforcement policies.

Change Reporter family

AD Change Reporter / All Active Directory Changes

Group Policy Change Reporter / All Group Policy Changes

File Server Change Reporter / All File Server Changes

Server Configuration Change Reporter / All Server Changes

SQL Server Change Reporter / All SQL Server Changes

VMware Change Reporter / All VMware Changes

Exchange Change Reporter / All MS Exchange Changes

SharePoint Change Reporter / All SharePoint Changes

FAMILY: Media Protection CLASS: Operational

MP-2

The organization restricts access to information system media to authorized individuals.

Audits and reports all file server access and changes, and blocks both import and export of data through peripheral device restriction.

USB Blocker

File Server Change Reporter

File Server Change Reporter / All File Server Changes

FAMILY: Personnel Security CLASS: Operational

PS-4

The organization, upon termination of individual employment, terminates information system access, conducts exit interviews, retrieves all organizational information system-related property, and provides appropriate personnel with access to official records created by the terminated employee that are stored on organizational information systems.

Automated tracking of all dormant user accounts, deactivating those that are inactive for a specified amount of time. Archiving of electronic records of communication with full-text search capabilities.

Inactive Users Tracker

Inactive Users Tracker / Daily report

PS-5

The organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization and initiates appropriate actions.

Provides tracking of access authorizations, reporting on changes to permissions and user movements between departments in organizational units. Automated user provisioning tools ensure that right access is granted to the right people at the right time based on organizational structure.

Self-Service Group Manager

N/A

PS-7

The organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.

Accurate auditing and reporting of all user events, including login activity, Active Directory modifications, and server, object or USB device access.

Change Reporter family

Event Log Manager

Logon Reporter

USB Blocker

AD Change Reporter / All Active Directory Changes

Group Policy Change Reporter / All Group Policy Changes

File Server Change Reporter / All File Server Changes

Server Configuration Change Reporter / All Server Changes

SQL Server Change Reporter / All SQL Server Changes

VMware Change Reporter / All VMware Changes

Exchange Change Reporter / All MS Exchange Changes

SharePoint Change Reporter / All SharePoint Changes

Event Log Manager / All Events by Date

Logon Reporter / All logon reports

FAMILY: System and Information Integrity CLASS: Operational

SI-4

The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.

Centralized collection and consolidation of all types of events, including login activity, Active Directory modifications, and server, object or USB device access to identify unauthorized use.

Change Reporter family

Event Log Manager

Logon Reporter

USB Blocker

AD Change Reporter / All Active Directory Changes

Group Policy Change Reporter / All Group Policy Changes

File Server Change Reporter / All File Server Changes

Server Configuration Change Reporter / All Server Changes

SQL Server Change Reporter / All SQL Server Changes

VMware Change Reporter / All VMware Changes

Exchange Change Reporter / All MS Exchange Changes

SharePoint Change Reporter / All SharePoint Changes

Event Log Manager / All Events by Date

Logon Reporter / All logon reports

Appendix A: NetWrix Event Log Manager Reports

Account Management Reports

Account Management

Shows account management operations: creation and deletion of accounts and groups and group membership.

Account Management Changes

Lists account management changes grouped by user according to the specified filter.

Administrative Password Resets

Shows all admin-initiated password resets.

Password Changes by User

Lists all password changes initiated by users. Password resets made by administrators are not included in this report.

Auditing Reports

Audit Log Access

Lists all audit log access grouped by user according to the specified filter.

Audit Log Cleared

Shows audit trail cleanup operations. Such operations should never be done without good justification and must be carefully reviewed for security and compliance purposes.

Audit Policy Changes

Shows changes to audit policy settings. Audit policy shall be clearly defined in every organization and change only after explicit approval by management.

Logon Reports

Failed Logon Attempts

Shows failed authentication attempts in Active Directory. This report is crucial to security and compliance of every organization.

Failed User Account Validation

Lists all unsuccessful user account validations grouped by user according to the specified filter.

Successful User Account Validation

Lists all successful user account validations grouped by user according to the specified filter.

Successful User Logoffs

Lists all successful user logoffs grouped by user according to the specified filter.

Successful User Logons

Shows logons made by users. This report is one of the most important security reports and can be used to track user activity during security and compliance reviews.

User Logoffs

Shows user logoffs filtered by user name. User logoff information can be analyzed to detect the exact time users stopped using the system in order to exclude certain users from security investigations related to unauthorized access.

Event Reports

All Events by Computer

Shows all events grouped by computer, filtered by date range and other parameters.

All Events by Date

Shows all events grouped by date, filtered by date range and other parameters.

All Events by Source

Shows all events grouped by source (e.g. 'Security', 'Application Management'), filtered by date range and other parameters.

All Events by User

Shows all events grouped by user, filtered by date range and other parameters.

All Object Access Events by User

Shows all object access events, e.g. file and folder access, registry, and other system objects. Object access auditing must be enabled for this report to work.

All System Events by User

Shows all system events.

Miscellaneous Reports

Host Session Status

Lists all host session statuses grouped by user according to the specified filter.

Remote Desktop Sessions

Shows remote desktop sessions: initiated, terminated, and reconnected.

Security Group Membership Changes

Security groups control access to data and resources and all changes must be carefully reviewed on a regular basis in order to ensure overall security and sustain compliance with regulations.

Real-Time Alerts

Provides alerts for specific events in real time.

Appendix B: NetWrix Logon Reporter Reports

Events, Logons, Logoffs, Lockouts and more

All Events by Computer

Shows all events grouped by computer, filtered by date range and other parameters.

All Events by Date

Shows all events grouped by date, filtered by date range and other parameters.

All Events by User

Shows all events grouped by user, filtered by date range and other parameters.

Administrative Password Resets

Shows all admin-initiated password resets.

Failed Logon Attempts

Shows failed authentication attempts in Active Directory. This report is crucial to security and compliance of every organization.

Password Changes by User

Lists all password changes initiated by users. Password resets made by administrators are not included in this report.

Successful User Logons

Shows logons made by users. This report is one of the most important security reports and can be used to track user activity during security and compliance reviews.

User Account Lockouts

This report shows all account lockout events. Account lockouts can have many possible reasons and surges in the numbers of account lockouts must be carefully analyzed to detect and prevent security incidents.

User Accounts Unlocked

This report shows manually unlocked user accounts. Account unlocking should be performed only by designated help desk personnel or automated software tools and this report can be used to detect violations of this recommended policy.

User Logoffs

Shows user logoffs filtered by user name. User logoff information can be analyzed to detect the exact time users stopped using the system in order to exclude certain users from security investigations related to unauthorized access.

Appendix C: NetWrix Active Directory Change Reporter Reports

All Changes Reports

All Active Directory Changes

Shows all changes made to AD objects, permissions, and configuration, filtered by date range and user name who made changes.

All Active Directory Configuration Changes

Shows all changes made inside the AD configuration container, such as domains and trusts, domain controllers, sites, etc. Changes in the configuration container can adversely affect AD functionality and must be regularly reviewed to detect mistakes and unauthorized changes.

All Active Directory Schema Changes

Shows all changes made to AD schema (classes and attributes). Schema change auditing is disabled by default and must be explicitly enabled.

All Active Directory Changes by Object Type

Shows all changes to AD objects, permissions, and configuration grouped by date. You can filter by date range and user name who made changes.

All Active Directory Changes by User

Shows all changes to AD objects, permissions, and configuration grouped by users who made changes. You can filter by date range and user name who made changes.

All Active Directory Changes by Date

Shows all changes to AD objects, permissions, and configuration grouped by date. You can filter by date range and user name who made changes.

All Active Directory Changes by Date (Chart)

Graphical representation of all changes to AD objects, permissions, and configuration grouped by date. You can filter by date range and user name who made changes.

All Active Directory Changes by User (Chart)

Graphical representation of all changes to AD objects, permissions, and configuration grouped by users who made changes. You can filter by preferred date range.

All Active Directory Site Changes

Shows all changes made to AD sites. AD sites rarely change and this report should be reviewed to detect accidental and unauthorized changes.

AD Structure Reports

Group Members

This report shows all users, groups, etc. located in the selected groups.

Organizational Unit Accounts

This report shows users from the selected OUs and 'Users' and 'Built-In' containers including their usernames and account statuses (enabled/disabled).

Sensitive Group Members

This report displays users, groups, etc. located only in the Domain Admins group and Enterprise Admins group.

Object security

Administrative Group Membership Changes

Administrative groups like Domain Admins and Enterprise Admins should be very well-defined and rarely change. Changes to group memberships must be closely monitored.

Object Security Changes

Shows changes to object permissions and audit settings. Changes to object permissions usually reflect delegation of rights to organizational units and other objects.

Group membership

Security Group Modifications

Shows all types of changes made to security groups, including name, description, membership, and permissions.

User Account

Dial-in Access Modifications

Shows changes to dial-in and VPN access rights. Normally only remote employees should be granted dial-in and VPN access and all changes to dial-in access must be reviewed by management.

Users Disabled

Shows all disabled user accounts. User accounts are normally disabled when employees leave the organization and this report can be used to ensure that all recently terminated employees have their accounts properly deactivated and no longer have access to the network.

Users Enabled

Shows all enabled user accounts. User accounts are rarely enabled and usually enabling means that some previously terminated employee joined the organization once again (e.g. as a part of their new contract engagement). All recently enabled accounts must be carefully reviewed for security purposes.

User Account Modifications

Shows changes made to all user account attributes (e.g. name, contact info, dial-in permissions, manager, etc).

User Accounts Renamed

Shows all account name operations. Accounts are rarely renamed (usually only if user changes his or her name) and this report should be reviewed from time to time to verify accurateness.

User Accounts Created

Shows all newly created user accounts. Creation of new accounts shall reflect hiring of new employees and addition of new services and applications.

Password Changes by User

Shows all successful password updates made by users by entering their existing passwords, as opposed to password resets done by administrators without knowing a current password. Password change auditing is disabled by default; you have to explicitly enable it in program settings.

Administrative Password Resets

Administrative password resets are usually done by IT help desk personnel who have access rights to make password resets without knowing current passwords. Password resets may result in gaining of unauthorized access and therefore must be reviewed on a regular basis.

Best Practice Reports

AD Structure

Organizational Unit Setting Modifications

Shows changes made to organizational units (e.g. name, description, delegation), excluding changes made to child objects.

Organizational Units Created

Shows newly created organizational units. Creation of organizational units must be well-planned according to the organization structure and business practices.

Organizational Units Removed

Shows deleted AD organizational units. Use this report for early detection of accidentally deleted OUs and use the Restore Wizard to quickly recover OUs and their child objects.

Computer Account

Computer Account Modifications

Shows all changes to computer accounts (e.g. renames, delegation settings, etc.). Computer accounts are normally controlled by domain members (servers and workstations).

Computer Accounts Created

Shows computer accounts created when workstations and servers are joined into domains.

Computer Accounts Removed

Shows deleted computer accounts. Deletion of computer accounts is a typical cleanup operation, but it should be reviewed from time to time to ensure that no computer accounts are being mistakenly deleted.

Service Packs Applied to Computers

Shows changes to service pack installations on DCs, member servers and workstations. This report can be used to analyze effects of system failures related to service pack updates.

Domain Controller

Domain Controller Modifications

Shows changes to DC configurations. Accidental and unauthorized changes can break AD operation and must be carefully monitored.

Domain Controllers Demoted

DC demotion is a privileged operation and must be done wisely to avoid disruptions in operations.

Domain Controllers Promoted

Shows addition of new domain controllers to domains. All DC promotions must be planned and reviewed for accuracy and security.

Group Membership

Administrative Group Membership Changes

Administrative groups like Domain Admins and Enterprise Admins should be very well-defined and rarely change. Changes to group memberships must be closely monitored.

All Changes by Group Members

This report displays all changes made by members of the selected groups.

Distribution Group Modifications

Shows modifications to distribution group properties, including group membership. Changes to distribution groups must be reviewed on a regular basis because distribution groups control recipients of information and unauthorized changes can result in disclosure and leakage of confidential information inside and outside an organization.

Distribution Groups Created

Shows newly created distribution groups. Structure of distribution groups should reflect your organization’s information flow.

Distribution Groups Removed

Shows deleted distribution groups. Use this report for early detection of accidentally deleted groups and use the Restore Wizard to quickly recover them.

Security Group Membership Changes

Shows addition and removal of members from security groups, including local, global, and universal groups. Security groups control who has access to what and therefore must be closely monitored for changes as required by major compliance regulations.

Security Group Modifications

Shows all types of changes made to security groups, including name, description, membership, and permissions.

Security Groups Created

Shows newly created security groups, including local, global, and universal groups. Creation of security groups should reflect major changes to security access roles structure and therefore should be carefully reviewed for accurateness.

Object Security

Administrative Group Membership Changes

Administrative groups like Domain Admins and Enterprise Admins should be very well-defined and rarely change. Changes to group memberships must be closely monitored.

All Changes by Group Members

This report displays all changes made by members of the selected groups.

Object Security Changes

Shows changes to object permissions and audit settings. Changes to object permissions usually reflect delegation of rights to organizational units and other objects.

User Account

Account Expiration Modifications

Shows modifications to account expiration settings. For example, somebody turned off account expiration for a set of accounts, which might indicate a security issue (e.g. account expiration should never be turned off for temporary contractor accounts).

Accounts Enabled or Disabled

Accounts are usually disabled for terminated employees and can be re-enabled when employees join the company again. All such operations should be carefully monitored to make sure no unauthorized accounts remain active.

Administrative Password Resets

Administrative password resets are usually done by IT help desk personnel who have access rights to make password resets without knowing current passwords. Password resets may result in gaining of unauthorized access and therefore must be reviewed on a regular basis.

Administrative Password Resets by User

Administrative password resets are usually done by IT help desk personnel who have access rights to make password resets without knowing current passwords. Password resets may result in gaining of unauthorized access and therefore must be reviewed on a regular basis.

Dial-in Access Modifications

Shows changes to dial-in and VPN access rights. Normally only remote employees should be granted dial-in and VPN access and all changes to dial-in access must be reviewed by management.

Logon Hours Modifications

Logon hours setting controls allowed logon times and usually prevents access during non-business hours. Changes to this setting may indicate potential security issues. Logon Workstations Modifications: This setting specifies a list of workstations the user is allowed to log in to.

Logon Workstations Modifications

Shows modifications to allowed login workstations on the user account level. Workstation access restrictions are usually mandated by compliance and security requirements and changes to these restrictions must be audited.

Password Changes by User

Shows all successful password updates made by users by entering their existing passwords, as opposed to password resets done by administrators without knowing a current password. Password change auditing is disabled by default; you have to explicitly enable it in program settings.

User Account Modifications

Shows changes made to all user account attributes (e.g. name, contact info, dial-in permissions, manager, etc).

User Accounts Created

Shows all newly created user accounts. Creation of new accounts shall reflect hiring of new employees and addition of new services and applications.

User Accounts Created With Details

Shows all newly created user accounts. Creation of new accounts shall reflect hiring of new employees and addition of new services and applications.

User Accounts Deleted

Shows all deleted user accounts. According to best practices, accounts should be first disabled and then deleted after some time frame. This report should be reviewed regularly to detect accidentally deleted accounts and restore them using the AD Object Restore Wizard.

User Accounts Deleted With Details

Shows all deleted user accounts. According to best practices, accounts should be first disabled and then deleted after some time frame. This report should be reviewed regularly to detect accidentally deleted accounts and restore them using the AD Object Restore Wizard.

User Accounts Lockouts

This report shows all account lockout events. Account lockouts can have many possible reasons and surges in the numbers of account lockouts must be carefully analyzed to detect and prevent security incidents.

User Accounts Renamed

Shows all account name operations. Accounts are rarely renamed (usually only if user changes his or her name) and this report should be reviewed from time to time to verify accurateness.

User Accounts Unlocked

This report shows manually unlocked user accounts. Account unlocking should be performed only by designated help desk personnel or automated software tools and this report can be used to detect violations of this recommended policy.

Users Disabled

Shows all disabled user accounts. User accounts are normally disabled when employees leave the organization and this report can be used to ensure that all recently terminated employees have their accounts properly deactivated and no longer have access to the network.

Users Enabled

Shows all enabled user accounts. User accounts are rarely enabled and usually enabling means that some previously terminated employee joined the organization once again (e.g. as a part of their new contract engagement). All recently enabled accounts must be carefully reviewed for security purposes.

Appendix D: NetWrix Group Policy Change Reporter

All Changes Reports

All Group Policy Changes

Shows all changes made to Group Policy objects, setting values, GPO links, and permissions. Filtered by date range and user name who made changes.

All Group Policy Changes (Chart)

Shows all changes made to Group Policy objects, setting values, GPO links, and permissions. Filtered by date range and user name who made changes.

Account Lockout Policy

Account Lockout Policy Changes

Shows all changes made to account lockout policy settings. For example, changes to lockout threshold and duration. Unauthorized changes of account lockout settings may indicate attempts to compromise system security.

Lockout Duration Policy Changes

Shows modifications of account lockout duration setting. Changes to this setting should be done wisely and always reviewed for accurateness.

Local Policies

Audit Policy Changes

Audit policy defines what types of actions are logged to audit trails by the system. Every organization should have clearly defined audit policy that changes only after management approval.

Interactive Logon Policy Changes

Shows changes to interactive logon rights. Interactive logon is a privileged operation and granting of this right should be always justified and approved by security specialists.

Rename Administrator and Guest Policy Changes

Administrator and Guest accounts can be renamed for security purposes. Modification of this policy can indicate potential security incidents (e.g. someone renamed accounts back to simplify network intrusion attempts).

Security Settings

Security Policy Changes

Shows all changes made to security policies (e.g. Local Policy, Account Policy, Password Policy, etc). All such changes must be reviewed on a regular basis to mitigate security risks.

Software Installation

Software Installation Policy Changes

This report shows all changes made to GPO software deployment settings. An organization's deployment policies should be clearly defined and all changes carefully reviewed as they are made.

Password Policy

All Password Policy Changes

Password policy includes password history, expiration, complexity, and other settings that affect password security as mandated by the organization's policy. No change to password policy should ever fall under the radar.

Password Age Policy Changes

Shows changes to minimum and maximum password age settings. Such changes shall never be done without careful planning and approval by security and compliance managers.

Password Complexity Policy Changes

Password complexity policy defines requirements for user passwords and changes to this policy shall never be implemented without management approval.

Password Encryption Policy Changes

This policy defines whether passwords are stored using reversible encryption or not. This setting should never be changed.

Password History Policy Changes

Password history defines how many previous passwords are remembered to disallow usage of 'favorite' passwords and ensure that users use a new password every time they change it.

Appendix E: NetWrix Exchange Change Reporter

All Changes Reports

All MS Exchange Changes

Shows all changes made to Exchange permissions and configuration, filtered by date range and username who made changes.

All MS Exchange Changes by Date

Shows all changes made to Exchange permissions and configuration grouped by date. Filtered by date range and user name who made changes.

All MS Exchange Changes by Date (Chart)

Graphical representation of all changes made to Exchange permissions and configuration grouped by date. Filtered by preferred date range.

All MS Exchange Changes by Object Type

Shows all changes made to Exchange objects grouped by object type (Store, Server, Address List, etc). Filtered by date range and user name who made changes.

All MS Exchange Changes by User

Shows all changes made to Exchange objects grouped by user who made changes. Filtered by date range and user name who made changes.

All MS Exchange Changes by User (Chart)

Graphical representation of all changes to Exchange objects grouped by user who made changes. You can filter by preferred date range.

Mailbox

Mailbox Quota Changes

Shows all changes in mailbox quota settings. Changes to mailbox quotas shall be regularly reviewed by Exchange administrators to control storage usage.

Mailbox Settings and Permission Changes

Shows changes to user mailboxes. All changes made to mailboxes must be regularly reviewed for accuracy.

Mailboxes Created

Shows creation of new mailboxes that usually reflects hiring of new employees. Newly created mailboxes must be reviewed to detect unauthorized activity.

Mailboxes Removed

Shows deleted mailboxes. This report should be reviewed to detect accidental destruction of mailboxes and ensure their fast recovery from backup storage.

Recipient

Recipient Policies Added

Shows newly created recipient policies. New policies should be reviewed for accuracy on a regular basis.

Recipient Policies Removed

Shows deleted recipient policies. This report can be used to detect accidental and unauthorized deletions before they affect the organization's e-mail system.

Recipient Policy Changes

Shows all changes made to recipient policy settings and permissions. Changes to security policy must be monitored for security and compliance.

Recipient Update Service Changes

Lists all recipient update service changes grouped by user (Exchange 2003 only).

Recipient Update Services Added

Lists all added recipient update services grouped by user (Exchange 2003 only).

Recipient Update Services Removed

Lists all removed recipient update services grouped by user (Exchange 2003 only).

Server

MS Exchange Servers Added

Shows addition of new servers to Exchange organizations. Installation of new servers must be reviewed to make sure no rogue servers are installed.

Storage Group

MS Exchange Storage Group Changes

Storage groups contain all Exchange stores and modifications of storage group settings can affect the entire Exchange organization.

MS Exchange Storage Groups Added

Storage group creation is usually a carefully planned operation and this report can be used to review the process.

MS Exchange Storage Groups Removed

Storage groups are rarely removed and this report should be reviewed regularly to detect any unplanned actions.

Store

MS Exchange Store Changes

Exchange stores hold all Exchange data, such as messages, contacts, tasks, etc. This report shows modification of store settings and permissions, without changes made to stored content.

MS Exchange Stores Added

Shows all newly created stores. Creation of new stores should be carefully planned and reviewed to avoid unnecessary creation of new stores.

MS Exchange Stores Removed

Shows all deleted stores. Stores are rarely deleted and this report can be used to detect all accidental and unauthorized deletions before they impact the operations.

Appendix F: NetWrix SharePoint Change Reporter Reports

All Changes Reports

All SharePoint Changes

Shows all created, deleted and modified items.

All SharePoint Changes by Server

Shows all created, deleted, and modified items, grouped by file server name.

Appendix G: NetWrix File Server Change Reporter Reports

Successful Modifications

All File Server Changes

Shows all created, deleted, and modified files, folders, shares, and permissions.

Permission Changes

Shows changes in file, folder, and share permissions in the specified time frame. This report must be reviewed on a regular basis to detect unauthorized access and verify that only allowed groups of people have access to sensitive data.

All File Server Changes by Date

Shows all created, deleted, and modified files, folders, shares, and permissions, grouped by modification date. This report is very useful for compliance audits to show that all data modifications are traceable and auditable.

All File Server Changes by Type

Lists all file server changes grouped by object type according to specified filter.

All File Server Changes by User

Shows all created, deleted, and modified files, folders, shares, and permissions, grouped by user name who made changes.

All File Server Changes by Server

Shows all created, deleted, and modified files, folders, shares, and permissions, grouped by file server name.

Files and Folders Created

Shows all newly created files and folders for a specified period of time. This report can be used to analyze growth of disk space usage.

Files and Folders Deleted

Lists all file server changes where the action is "Removed", grouped according to the specified filter.

Files Folders and Shares Modified

Shows who changed what files, folders and shares, and when, including permission changes. You can restore modified files to their previous versions if file versioning is enabled in program options.

Successful Reads

Successful File Reads

Shows all file read attempts that were successful. This report can be used for compliance audits to show that all access to sensitive information is traceable and auditable.

Successful File Reads by Date

Shows all file read attempts that were successful, grouped by date. This report can be used for compliance audits to show that all access to sensitive information is traceable and auditable.

Successful File Reads by Server

Shows all file read attempts that were successful, grouped by server name. This report can be used to analyze what servers are being accessed.

Successful File Reads by User

Reports what users read what files and when, grouped by user. This report can be used to analyze all access attempts by specific users.

Failed Modification Attempts

Failed Modification Attempts

Reports all attempts to change files, folders, and permissions that failed due to lack of access rights. This report must be regularly reviewed to track unauthorized access attempts.

Failed Modification Attempts by Date

Shows all failed attempts to write to files and change permissions, grouped by date.

Failed Modification Attempts by Server

Shows all failed attempts to write to files and change permissions, grouped by server name.

Failed Modification Attempts by User

Shows all failed attempts to write to files and change permissions, grouped by user name. This report can be used to show what users were trying to gain unauthorized access.

Failed Read Attempts

Failed Read Attempts

Reports all unauthorized file access attempts. This report can be used for compliance audits to show that all unauthorized data access activities are traceable and easily auditable.

Failed Read Attempts by Date

Reports all unauthorized file access attempts, grouped by date. This report can be used for compliance audits to show that all unauthorized data access activities are traceable and easily auditable.

Failed Read Attempts by Server

Reports all unauthorized file access attempts, grouped by server name. This report can be used to analyze what file servers are subject to unauthorized access attempts.

Failed Read Attempts by User

Reports all unauthorized file access attempts. This report can be used for compliance audits to show that all unauthorized data access activities are traceable and easily auditable.

Appendix H: NetWrix Server Configuration Change Reporter Reports

All Server Changes

Shows all configuration changes filtered by date, server name, and object name.

All Server Changes by Date

Shows all configuration changes grouped by date. Changes can be filtered by date, server name, and object name.

All Server Changes by Object Type

Shows all configuration changes filtered by date, server name and configuration grouped by Object Type. You can filter

All Server Changes by User

Shows all configuration changes filtered by date, server name and configuration grouped by users who made changes. You can filter by date range and user name who made changes.

Appendix I: NetWrix SQL Server Change Reporter Reports

All Change Reports

All SQL Server Changes

Shows all changes made to SQL server objects and permissions, including created, modified, and deleted server instances, roles, tables, columns, stored procedures, and all other types of objects. This report can be used for compliance audits to show that all changes are traceable and auditable.

All SQL Server Changes By Date

Shows all changes made to SQL server objects and permissions, including created, modified, and deleted server instances, roles, tables, columns, stored procedures, and all other types of objects. This report can be used for compliance audits to show that all changes are traceable and auditable.

All SQL Server Changes By Object Type

Shows all changes made to SQL server objects and permissions, including newly created objects, modified objects, and deleted objects. Changes are grouped by object type: server, database, role, table, column, etc.

All SQL Server Changes By User

Shows all changes to SQL server objects grouped by user name who made changes. This report can be used to analyze user activities for specific users.

Object changes

Server Instance Changes

Lists changes to SQL Server instances.

Login Changes

Shows creation and deletion of database logins, and modification of login attributes. This report must be reviewed on a regular basis because database logins control access to sensitive data.

User Changes

Shows creations, deletions, and modifications of users in databases. This report must be reviewed on a regular basis because user accounts control access to sensitive data.

Credential Changes

Shows all credential changes made within the specified timeframe. This report must be reviewed on a regular basis to detect unauthorized access attempts.

Role Changes

Shows all changes in roles, such as creation and deletion of roles, and changes in role properties and memberships. This report must be carefully reviewed on a regular basis, because roles control security access to databases.

Application Role Changes

Lists changes to database application roles.

Database Changes

Shows all changes in databases and their properties, such as newly created and deleted databases, data file locations, and other attributes, excluding changes in the inner objects (such as tables, columns, and stored procedures).

Database Column Changes

Lists changes to database columns.

Database Schema Changes

Shows all changes in database schema, such as creation and deletion of schemas, and changes in schema properties (e.g. modification of dbo schema).

Database View Column Changes

Lists changes to database view columns.

Database View Index Column Changes

Lists changes to database view index columns.

Server Role Changes

Shows creation and deletion of server roles and changes of role properties and memberships. This report must be reviewed on a regular basis because roles control server-wide access to sensitive data.

Stored Procedure Changes

Shows creations, deletions, and modifications of stored procedures. Such changes must be carefully reviewed, because applications rely on stored procedures.

Table Changes

Shows creations, deletions, and modifications of tables in databases, excluding changes in table columns. This report must be carefully reviewed to detect unauthorized changes that can severely impact database applications.

View Changes

Shows created, deleted, and modified database views. This report must be carefully reviewed to detect unauthorized changes that can severely impact database applications.

View Index Changes

Shows created, deleted, and modified database view indices. This report must be carefully reviewed to detect unauthorized changes that can severely impact database applications.

Appendix J: NetWrix VMware Change Reporter Reports

All Changes By User (Chart)

Graphical representation of user-made changes percentage. The data may be filtered by date range.

All Guest OS (Chart)

Graphical representation of the number of guest operating systems. The data may be filtered by virtual center and snapshot date.

All Processors Types (Chart)

Graphical representation of all processor types and their number. You can filter by virtual center and snapshot date.

VMware Inventory Report

This report displays properties and their values for all the objects. You can filter the contents by properties or object names.

All Change Reports

All VMware Changes

Shows who made what changes to VMware infrastructure objects and settings, including hosts, containers, resource pools, virtual machines. Filtered by date range and user name who made changes.

All VMware Changes by Date

Shows who made what changes to VMware infrastructure objects and settings, including hosts, containers, resource pools, virtual machines. Filtered by date range and user name who made changes.

All VMware Changes by Object Type

Shows who made what changes to VMware infrastructure objects and settings grouped by object type (e.g. host, container, resource pool, etc). Filtered by date range and user name who made changes.

All VMware Changes by User

Shows who made what changes to VMware infrastructure objects and settings grouped by user who made changes. Filtered by date range and user name who made changes.

Cluster

Clusters Removed

Shows deleted clusters. This report can be used to detect accidentally deleted objects before deletion affects the entire infrastructure.

Cluster Changes

Shows changes made to clusters. Such changes must be carefully reviewed as they usually affect the entire virtual infrastructure.

Clusters Added

Shows newly created clusters. Such additions must be well-planned and reviewed.

Datacenter

Datacenter Added

Shows newly created data centers. Such additions must be well-planned and reviewed.

Datacenter Changes

Shows changes made to data centers. Such changes must be carefully reviewed as they usually affect the entire virtual infrastructure.

Datacenter Removed

Shows deleted data centers. This report can be used to detect accidentally deleted objects to be restored from backup before deletion affects the entire infrastructure.

Datastore

Datastore Added

Shows newly created data stores. Creation of new data stores must be well-planned and reviewed.

Datastore Removed

Shows deleted data stores. This report can be used to detect accidentally deleted objects to be restored from backup before deletion affects the production infrastructure.

Folder

Folder Changes

Shows changes made to folder objects (e.g. folder renamed, permissions changes), without showing changes to child objects.

Folder Permission Changes

Shows changes to folder permissions. This report must be reviewed on a regular basis to detect unauthorized assignment of permissions to virtual machines and other objects.

Folder Permissions Added

Lists all folder permissions added according to the specified filter.

Folder Permissions Removed

Lists all folder permissions removed according to the specified filter.

Folders Added

Shows newly created folders. Creation of new folders should reflect the environment-specific details and be reviewed on a regular basis.

Folders Removed

Shows deleted folders. Deletion of folders should be monitored to detect accidental deletions and initiate a timely restore from backup.

Host

Host System Changes

Shows changes made to host systems (ESX and ESXi servers). Reconfiguration of host system can affect managed virtual machines and such changes must be carefully reviewed.

Host Systems Added

Shows creation of new host systems (ESX and ESXi servers). Addition of new physical servers should be well-planned and this report can be used to review such operations.

Host Systems Removed

Shows physical hosts removed from the virtual infrastructure. Removal of host systems should be planned in advance and this report can be used for reviews.

Resource Pool

Resource Pool Changes

Shows changes to resource pools. Resource pools control how resources are allocated to virtual machines and uncontrolled changes can lead to major disruptions in virtual machine operations.

Resource Pools Added

Shows newly added resource pools. Resource pools are usually created when new resources are added to the virtual environment and this report can be used to review new resource pools.

Resource Pools Removed

Shows deleted resource pools. This report can be used to detect unplanned and accidental operations affecting the overall operations of virtual machines.

Role

Role Changes

Shows changes to security roles. Security roles control access and must be regularly reviewed according to major compliance regulations.

Roles Added

Shows newly created security roles. Creation of new roles should reflect organizational changes in the company and this report can be used to review and control such changes.

Roles Removed

Shows removed roles. Removal of roles should reflect organizational changes in the company and this report can be used to review and control such changes.

Snapshot

Snapshot Changes

Shows creation, modification, and deletion of virtual machine snapshots. This report can be used to control changes to snapshots and prevent loss of important data and settings.

Power State Changes

Shows virtual machine power on, pause, resume, and power off events on managed virtual machines. This report can be used to review planned maintenance operations of virtual machines.

Virtual machine

Virtual Machine Changes

Shows changes made to individual virtual machine configurations, such as virtual hardware, settings, and permissions.

Virtual Machine Permission Changes

Shows changes made to virtual machine permissions. Permissions affect who can access virtual machines and all changes must be reviewed on a regular basis.

Virtual Machine Permissions Added

Lists all virtual machine permissions added according to the specified filter.

Virtual Machine Permissions Removed

Lists all virtual machine permissions removed according to the specified filter.

Virtual Machines Removed

Shows removal of virtual machines. This report can be used to detect unplanned removals to initiate their restore from backup.

Virtual Machines Sprawl

Shows creation of new virtual machines over time. This report is very important to analyze and control the virtual machine sprawl and prevent excessive use of computing power by unused and inactive virtual machines.