WHITE PAPER. Achieving Effective IT Security with Continuous ISO Compliance


Executive Summary

ISO 27001 is recognized internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information. In this white paper, learn how, with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to the specifications given in ISO 27001. Tripwire Enterprise provides organizations with powerful configuration control through its compliance policy management, change auditing, real-time analysis of change and one-touch access to remediation advice. You'll also be introduced to Tripwire Log Center, Tripwire's complete log and event management solution, which also fulfills many controls specified in the ISO 27001 standard.

Tripwire, the leading provider of IT security and compliance automation solutions, helps organizations gain continuous compliance with regulations, standards like ISO 27001, and internal policy by helping them take control of the security and compliance of their IT infrastructure. Tripwire security and compliance automation solutions include Tripwire Enterprise for configuration control and Tripwire Log Center for log and security event management, and Tripwire Customer Services can help organizations quickly maximize the value of their Tripwire technology implementation. Tripwire solutions deliver visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

In the increasingly regulated world of information security, uniform standards are sometimes hard to find.
Numerous governmental laws and directives exist, but these typically cover specific types of data (such as the EU Data Protection Directive, PIPEDA and so forth, covering sensitive personal information) or regulate a specific market sector or company function (such as internal controls on the reporting of financial information to the public, as in Sarbanes-Oxley (SOX) and Japan's Financial Instruments and Exchange Law, known as JSOX). Industry standards that are binding under a system of contracts also exist, but these are again limited to participants in a particular industry (most notably PCI DSS for credit card merchants, members and service providers). To what metric does an entity turn if it seeks an umbrella-like standard that is neither imposed by law nor specific to a certain industry? What benefits are achieved by implementing such a standard?

ISO 27001: THE UMBRELLA FOR ISMS

The one standard that cuts across all security-related operations and subject matter is the International Standards Organization's ISO/IEC 27001. The ISO 27001 standard was published in October 2005 as a replacement for the earlier BS standard. It is a certification standard for the creation and maintenance of an Information Security Management System (ISMS), and in that sense is more like a globe than a roadmap to information security. Organizations that seek ISO 27001 certification have their ISMS examined against ISO 27001. The objective of the standard is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a company's ISMS. Its fundamental purpose is to act as a compendium of techniques for securing IT environments, and thus for effectively managing business risk as well as demonstrating regulatory compliance. The standard is not specific to any industry or business function.

The standard follows the four-part Plan-Do-Check-Act (PDCA) approach. It contains eight separate sections, the first three of which are introductory and the latter five of which outline actions to be taken:

- Section 4: Information Security Management System. The entity must identify risks; adopt an ISMS plan tailored to these risks; and monitor, review, maintain and improve the ISMS.
- Section 5: Management Responsibility. Management must adopt, implement and train staff on the ISMS.
- Section 6: Internal ISMS Audits. Audit the ISMS at regular intervals.
- Section 7: Management Review. Assess audit results and update the risk assessment to check the effectiveness of the ISMS.
- Section 8: ISMS Improvement. Utilize continuous improvement, take corrective action and adopt measures for preventive action.

ISO 27001 does not, however, mandate specific procedures, nor does it define the implementation techniques for gaining certification. For further implementation steps, the standard points to a set of eleven control objectives and controls taken from ISO 17799:2005, Information technology. Security techniques. Code of practice for information security management.

BENEFITS OF ADOPTING ISO 27001

ISO 27001 is recognised internationally as a structured methodology for information security and is widely used as a benchmark for protecting sensitive and private information. A widely held opinion is that ISO 27001 is an umbrella over other requirements of law or regulation (such as JSOX, SOX and the Data Protection Directive) or contractual standards (PCI DSS), because it requires companies to review such obligations when assessing risk under section 4.2.1 b) 2). Companies that choose to adopt ISO 27001 also demonstrate their commitment to high levels of information security, as the principles of the standard align well with the principles of the OECD Guidelines for the Security of Information Systems and Networks. It is also compatible with other management standards such as ISO 9001:2000 (Quality management systems. Requirements) and ISO 14001:2004 (Environmental management systems. Requirements with guidance for use). For these reasons, companies have adopted the standard because it works well with management principles or simply makes good business sense.

In the current global marketplace, several benefits flow to a company that obtains certification to ISO 27001:

- Standardization of practice: systems from different companies are more likely to work together if the same standard applies.
- An international standard: by complying with an international standard, management proves that it is exercising due diligence in ensuring the security of customer data. In fact, one of the reasons stated by Indian companies for certification is to demonstrate security readiness to their international customers.
- Alignment within the organisation: fosters interdepartmental cooperation, as departments need to be in alignment in order to ensure certification.
- Alignment with industry groups: cross-border industry groups can agree on a common standard rather than having to refer to country-specific legislation. For example, ISO 27001 is widely accepted and implemented throughout EMEA, many of whose members require their business partners to have certification before working with them.
- Alignment with governmental guidelines: industry groups that are urged by governments to self-regulate can turn to a common standard. For example, adoption of such guidelines for privacy and security is encouraged by the Japanese government.

Tripwire Enterprise and the ISO 27001 Controls

The Tripwire Enterprise solution provides organisations with powerful configuration control through its compliance policy management, change auditing, real-time analysis of changes and one-touch access to remediation guidance. With Tripwire Enterprise, organisations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to the specifications given in ISO 27001. This gives organisations immediate visibility into the state of their systems and, through automation, saves time and effort over manual efforts. For non-compliant configurations, Tripwire Enterprise reports that condition as part of its risk assessment feature and offers remediation guidance for bringing the settings into compliance. Once this state has been achieved, Tripwire's change auditing monitors systems for changes that could affect ISO 27001 compliance, maintaining the IT infrastructure in a known and trusted state. Tripwire Enterprise then analyzes each change in real time using ChangeIQ(TM) capabilities. These capabilities automatically examine each change to see whether it introduces risk or non-compliance. If it does, Tripwire Enterprise flags it for immediate attention and possible remediation; if not, Tripwire Enterprise auto-promotes it. Given that the majority of changes are intentional and beneficial, this auto-promotion capability saves IT countless hours of manually reviewing changes.

There are several controls in ISO 27001 that reference IT technology. Not all can be tested adequately with software, and not all are relevant to the IT infrastructure. Tripwire Enterprise provides two means of coverage for the ISO 27001 controls: compliance policy management, which proactively assesses settings and checks that they are compliant with the controls, and change auditing, which continuously monitors settings for changes that may take them out of compliance. For settings that are not compliant, Tripwire Enterprise provides the necessary remediation steps to bring that setting back into compliance. There are some controls that Tripwire Enterprise can address by using its industry-leading change monitoring. Tripwire can monitor various levels of settings as part of the Change Management controls specified in the ISO 27001 standard.

HIGH-PERFORMANCE LOG AND EVENT MANAGEMENT FROM TRIPWIRE

Tripwire Log Center also helps meet the log compliance requirements of ISO 27001 with ultra-efficient log management and sophisticated event management in a single, easy-to-deploy solution. When organizations combine Tripwire Log Center with Tripwire Enterprise, they broaden compliance coverage and reduce security risk by increasing visibility, intelligence and automation.

Controls addressed by Tripwire Enterprise include:

A.10 COMMUNICATIONS AND OPERATIONS MANAGEMENT

A.10.1 Operational Procedures and Responsibilities
Objective: to ensure the correct and secure operation of information processing facilities.

Change Management: Changes to information processing facilities and systems shall be controlled.

Segregation of duties: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets.
Tripwire Enterprise can monitor any changes to file systems, databases and Active Directory, providing the "what" and "who" information for any changes made to critical systems, thus enforcing a sound change process. Using Roles within Tripwire Enterprise, an organisation has complete control over who can have access to files, directories and critical areas within its IT infrastructure, thus preventing unauthorised or unintentional modification of files.

Separation of development, test and operational facilities: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.

User groups can be created within Tripwire Enterprise to separate the duties of individuals within those groups, restricting permissions and file access rights where necessary to reduce the risk of any unauthorised or unintentional changes to systems.

A.10.2 Third Party Service Delivery Management
Objective: to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

Managing changes to third party services: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business systems and processes involved and re-assessment of risks.

Tripwire Enterprise can monitor changes to critical systems and be aligned with applications, procedures and business systems to help ensure that changes don't happen and, if they do, to give visibility to those changes, thus reducing risk.

A.10.4 Protection Against Malicious and Mobile Code
Objective: to protect the integrity of software and information.

Controls against malicious code: Detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, shall be implemented.

By monitoring critical files, Tripwire Enterprise can detect when edits to files have been made, who made the edits, and whether code was changed, deleted or added, thus creating a process around code management and reducing the risk of malicious behavior.

A.10.6 Network Security Management
Objective: to ensure the protection of information in networks and the protection of the supporting infrastructure.

Network Controls: Networks shall be adequately managed and controlled in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Security of Network Services: Security features, service levels and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

Tripwire Enterprise provides critical assessment of network configuration settings to help maintain the ongoing security of internal systems and applications that rely upon the network. For example, it ensures that anonymous SID/name translation is disabled in the security options policy of a Windows 2003 Server. This setting prevents the null user from translating a binary SID into an actual account name, which could provide information useful to an attacker.

Maintaining security best practices on important network services is crucial for securing any network. Tripwire Enterprise provides ongoing assessment of network services to measure individual compliance with established best practices. For example, it validates that the License Logging Service is disabled on a Windows system. This service is a license-management tool with a vulnerability that permits remote code execution. Disabling this service, as well as other unnecessary services, is a security best practice that helps limit avenues of attack.

A.10.7 Media Handling
Objective: to prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities.

Management of Removable Media: There should be procedures in place for the management of removable media.

An unmanaged approach to removable media can be a serious vulnerability. Tripwire Enterprise provides assurance that system configuration settings are set to reduce common risks associated with removable media. For example, it ensures that security options on a Windows system are configured to allow only administrators to format and eject removable NTFS media.

A.10.8 Exchange of Information
Objective: to maintain the security of information and software exchanged within an organisation and with any external entity.

Information Exchange Policies and Procedures: Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communications facilities.

Business Information Systems: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.

Compliance policy management helps to ensure that proper measures are in place to safeguard the exchange of information and eliminate unnecessary communication risks. For example, it verifies that the NetMeeting Remote Desktop Sharing Service is disabled on a Windows system. This service supports NetMeeting, but may be subject to hacker attacks and buffer overflows.

Tripwire Enterprise verifies that proper system configuration settings are used to safeguard the information necessary for disparate business information systems to interconnect. For example, it ensures that strong key protection is required for user keys stored on a covered system. Strong key protection requires users to enter a password associated with a key every time they use the key. This helps prevent user keys from being compromised if a computer is stolen or hijacked.

A.10.9 Electronic Commerce Services
Objective: to ensure the security of electronic commerce services, and their secure use.

Publicly Available Information: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorised modification.

Tripwire Enterprise provides roles to restrict unauthorised access to important files, as well as the necessary monitoring of these files so that changes made are flagged and alerts are sent to the pertinent individuals.

A.10.10 Monitoring
Objective: to detect unauthorised information processing activities.

Audit Logging: Audit logs recording user activities, exceptions and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

Tripwire Enterprise verifies that important audit logging settings are configured to support possible audit investigations and ongoing access control monitoring.

Protection of Log Information; Administrator and Operator Logs: Logging facilities and log information shall be protected against tampering and unauthorised access. System administrator and system operator activities shall be logged.

Assuming that other log settings are configured correctly, a problem with logging events could indicate a security threat. The compliance policy manager in Tripwire Enterprise verifies that security options are configured to shut down a system if an event cannot be logged to the security log for any reason. Tripwire Enterprise also verifies that the application, system and security logs are configured with the necessary storage capacity. For example, the maximum size of the security log should be at least 80 MB to store an adequate amount of log data for auditing purposes.

Clock Synchronisation: The clocks of all relevant information processing systems within an organisation or security domain shall be synchronised with an agreed accurate time source.

For Windows systems, the compliance policy manager in Tripwire Enterprise determines whether the Windows Time Service is used and whether the system is configured to synchronise with a secure, authorised time source.

A.11 ACCESS CONTROL

A.11.2 User Access Management
Objective: to ensure authorised user access and to prevent unauthorised access to information systems.

Privilege Management: The allocation and use of privileges shall be restricted and controlled.

Tripwire Enterprise tests numerous privilege-related settings to ensure restrictions are in place and configured correctly. For example, Windows systems should be configured not to grant the SeTcbPrivilege right to any user. This right allows users to access the operating system in the Local System security context, which overrides the permissions granted by user group memberships.

A.11.3 User Responsibilities
Objective: to prevent unauthorised user access, and compromise or theft of information and information processing facilities.

Password Use: Users shall be required to follow good security practices in the selection and use of passwords.

Unattended User Equipment: Users shall ensure that unattended equipment has appropriate protection.

Enforcing proper password security standards is critical to securing any system. The compliance policy manager in Tripwire Enterprise verifies that common best practices are being used for password-related properties such as complexity, minimum length and maximum age. Tripwire Enterprise verifies that each system is configured to use a password-protected screen saver that activates within the appropriate idle time and offers no grace period before password entry is required.

Clear Desk and Clear Screen Policy: A clear desk policy for papers and removable media and a clear screen policy for information processing facilities shall be adopted.

Tripwire Enterprise validates that the current user has a password-protected screen saver that is active.

A.11.4 Network Access Control
Objective: to prevent unauthorised access to networked services.

Policy on Use of Network Services: Users shall only be provided with access to the services that they have been specifically authorised to use.

User Authentication for External Connections: Appropriate authentication methods shall be used to control access by remote users.

Equipment Identification in Networks: Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.

Tripwire Enterprise provides a number of compliance policy management tests that help ensure proper access to services is maintained. For example, it verifies that a system restricts anonymous access to named pipes and shares to those that are specifically listed in other security options. This configuration helps protect named pipes and shares from unauthorised access.

Tripwire Enterprise can help verify that proper authentication methods are in place to control access by remote users. For example, it checks that a remote login is refused when a user attempts to use a blank password (even if the blank password is valid for that account).

Tripwire Enterprise verifies that the security options for a Windows 2003 domain controller are configured to allow a domain member to change its computer account password. If the domain controller does not permit a domain member to change its password, the domain member computer is more vulnerable to a password attack.

Remote Diagnostic and Configuration Port Protection: Physical and logical access to diagnostic and configuration ports shall be controlled.

Tripwire Enterprise tests a number of remote access settings to ensure they meet established guidelines for controlling remote access. For example, it verifies that the Remote Desktop Help Session Manager Service is disabled on a Windows system.

Network Connection Control: For shared networks, the capability of users to connect to the network shall be restricted, in line with the access control policy.

Network Routing Control: Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of business applications.

Tripwire Enterprise helps validate that controls are in place to enforce proper network connection restrictions on shared networks. For example, always requiring passwords and appropriate encryption levels when using Terminal Services.

Tripwire Enterprise can assist with the ongoing validation of your access control policy by verifying that proper routing controls are in place and configured correctly. For example, on a Windows system with two network adapters installed, source-routed traffic that passes through the system can spoof it into thinking the traffic came from a safe source.

A.11.5 Operating System Access Control
Objective: to prevent unauthorised access to operating systems.

Secure Log-on Procedures: Access to operating systems shall be controlled by a secure log-on procedure.

Tripwire Enterprise can assess important log-on settings to determine whether they support an overall secure log-on procedure. For example, not displaying the last valid user name, and requiring the CTRL+ALT+DEL keys to force the use of the Windows authentication process.

User Identification and Authentication: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.

Password Management System: Systems for managing passwords shall be interactive and ensure quality passwords.

Proper authentication of user IDs is a fundamental component of controlling operating system access. Tripwire Enterprise provides critical tests to assess authentication settings. For example, it verifies that the LAN Manager authentication model for a Windows system is configured correctly so that it will only send NTLMv2 authentication and refuse all LM authentication challenges.

Ensuring quality passwords requires proper configuration of password-related settings. Tripwire Enterprise can assess these settings and provide assurance that all passwords being used meet minimum quality requirements. For example, enforcing the use of strong passwords and restricting password reuse/history.

Use of System Utilities: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

Session Time-Out: Inactive sessions shall shut down after a defined period of inactivity.

Limitation of Connection Time: Restrictions on connection times shall be used to provide additional security for high-risk applications.

Tripwire Enterprise can help maintain a strict policy on the use of utility programs. For example, it verifies that the FTP Publishing Service and TFTP Daemon Service are both disabled, or that the SeDebugPrivilege right is not assigned to any users on a Windows system. This right gives users the ability to debug any process on the system and is susceptible to exploits that collect account names, passwords and other sensitive data from the Local Security Authority (LSA).

Tripwire Enterprise will verify that an appropriate idle session time-out is established. In the case of Windows systems that communicate using the Server Message Block (SMB) protocol, the compliance policy manager in Tripwire Enterprise will test that the idle session time-out threshold is set to 15 minutes or less.

There are a number of ways to restrict connection times as part of an enhanced security protocol for high-risk applications. Tripwire Enterprise can determine whether best practices are being used, such as setting appropriate time limits for Terminal Services sessions and using Group Policy to restrict connections to designated hours of the day.

A.11.6 Application and Information Access Control
Objective: to prevent unauthorised access to information held in application systems.

Information Access Restriction: Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.

Tripwire Enterprise provides out-of-the-box tests that help establish an acceptable information access control policy. For example, ensuring that critical file and registry permissions have been set properly to restrict access.

A.11.7 Mobile Computing and Telecommuting
Objective: to ensure information security when using mobile computing and telecommuting facilities.

Mobile Computing and Communications: A formal policy shall be in place, and appropriate security measures shall be adopted, to protect against the risks of using mobile computing and communications facilities.

Mobile computing and related communications pose unique risks that necessitate additional security measures. The compliance policy manager in Tripwire Enterprise can help mitigate these risks by determining whether established best practices are in use. For example, it verifies that Windows systems are configured to negotiate signed communications with any Server Message Block (SMB) server. By supporting mutual authentication and protection against packet tampering, signed communication helps to protect against man-in-the-middle attacks.
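The Windows settings named across the A.10 and A.11 controls above (anonymous SID/name translation, the 80 MB security log, shutting down when audits cannot be logged, SeTcbPrivilege, blank-password restriction, NTLMv2-only authentication, password quality, the 15-minute SMB idle time-out and SMB signing) can be checked mechanically against a security template. The following is an added example, not Tripwire Enterprise code: it parses a constructed template in the layout produced by `secedit /export /cfg`, evaluates each setting against the expectation the paper states, and lists the findings that need remediation. The mapping of each setting to a template key is my assumption, as are the numeric thresholds the paper does not give (minimum password length 8, history 24).

```python
"""Evaluate a secedit-style Windows security template against the settings the
white paper maps to ISO 27001 Annex A controls (added example, not Tripwire code)."""
from dataclasses import dataclass

# Constructed sample in the layout produced by `secedit /export /cfg <file>`.
# Values under [Registry Values] are "<type>,<data>" with 4 = REG_DWORD.
# Key names are my assumption of how each setting appears in the export.
SAMPLE_TEMPLATE = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LSAAnonymousNameLookup = 1
[Security Log]
MaximumLogSize = 16384
[Privilege Rights]
SeTcbPrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
WKS = r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"


def parse_template(text):
    """Parse the INI-like template into {section: {key: value}}; keys keep their case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def reg_dword(sections, path):
    """REG_DWORD data stored as '4,<n>' under [Registry Values], or None if absent."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None or not raw.startswith("4,"):
        return None
    return int(raw.split(",", 1)[1])


def as_int(sections, section, key):
    value = sections.get(section, {}).get(key)
    return int(value) if value not in (None, "") else None


@dataclass
class Finding:
    control: str        # Annex A control the white paper maps the setting to
    setting: str
    expected: str
    observed: object
    compliant: bool


def evaluate(sections):
    """One Finding per setting; a setting missing from the template is non-compliant."""
    privs = sections.get("Privilege Rights", {})
    checks = [
        ("A.10.6 Network controls", "anonymous SID/name translation", "LSAAnonymousNameLookup = 0",
         as_int(sections, "System Access", "LSAAnonymousNameLookup"), lambda v: v == 0),
        ("A.10.10 Audit logging", "security log capacity", "MaximumLogSize >= 81920 KB (80 MB)",
         as_int(sections, "Security Log", "MaximumLogSize"), lambda v: v >= 81920),
        ("A.10.10 Protection of log information", "shut down when audits cannot be logged",
         "CrashOnAuditFail = 1", reg_dword(sections, LSA + r"\CrashOnAuditFail"), lambda v: v == 1),
        ("A.11.2 Privilege management", "SeTcbPrivilege granted to no one", "SeTcbPrivilege = (empty)",
         privs.get("SeTcbPrivilege", ""), lambda v: v == ""),
        ("A.11.3 Password use", "password complexity", "PasswordComplexity = 1",
         as_int(sections, "System Access", "PasswordComplexity"), lambda v: v == 1),
        ("A.11.3 Password use", "minimum password length (assumed threshold)", "MinimumPasswordLength >= 8",
         as_int(sections, "System Access", "MinimumPasswordLength"), lambda v: v >= 8),
        ("A.11.4 Network access control", "blank passwords limited to console logon",
         "LimitBlankPasswordUse = 1", reg_dword(sections, LSA + r"\LimitBlankPasswordUse"), lambda v: v == 1),
        # Level 4 and above send only NTLMv2 and refuse LM challenges.
        ("A.11.5 User identification", "NTLMv2 only, LM refused", "LmCompatibilityLevel >= 4",
         reg_dword(sections, LSA + r"\LmCompatibilityLevel"), lambda v: v >= 4),
        ("A.11.5 Password management", "password history (assumed threshold)", "PasswordHistorySize >= 24",
         as_int(sections, "System Access", "PasswordHistorySize"), lambda v: v >= 24),
        # AutoDisconnect is in minutes; -1 means never disconnect, so bound it on both sides.
        ("A.11.5 Session time-out", "SMB idle session disconnect", "AutoDisconnect <= 15 minutes",
         reg_dword(sections, SRV + r"\AutoDisconnect"), lambda v: 0 <= v <= 15),
        ("A.11.7 Mobile computing", "SMB client signing negotiated", "EnableSecuritySignature = 1",
         reg_dword(sections, WKS + r"\EnableSecuritySignature"), lambda v: v == 1),
    ]
    return [Finding(c, s, e, o, o is not None and bool(ok(o)))
            for c, s, e, o, ok in checks]


def noncompliant(text=SAMPLE_TEMPLATE):
    """Findings that need remediation, in the order the checks run."""
    return [f for f in evaluate(parse_template(text)) if not f.compliant]


if __name__ == "__main__":
    for f in noncompliant():
        print(f"[{f.control}] {f.setting}: expected {f.expected}, observed {f.observed!r}")
```

On a real system the template text would come from `secedit /export /cfg`; the sample above fails six of the eleven checks, and correcting those six values makes the report empty.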

A.12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.12.2 Correct Processing in Applications
Objective: to prevent errors, loss, unauthorised modification or misuse of information in applications.

Control of Internal Processing: Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

By monitoring changes that occur within applications, Tripwire Enterprise can detect any changes to critical files and monitor who may have introduced errors that caused file corruption.

A.12.4 Security of System Files
Objective: to ensure the security of system files.

Control of Operational Software: There shall be procedures in place to control the installation of software on operational systems.

Tripwire Enterprise can detect changes to the operating system, including new software installations, when they were installed and who performed the installation. Tripwire Enterprise can also be integrated with change ticketing systems that authorise these installations, showing that status.

A.12.5 Security in Development and Support Processes
Objective: to maintain the security of application system software and information.

Change Control Procedures: The implementation of changes shall be controlled by the use of formal change control procedures.

Tripwire Enterprise is the industry leader in change audit and detection and should be an integral part of any formal change control procedure. Tripwire Enterprise is also integrated with major change ticketing systems to help control formal change processes.

Technical Review of Applications after Operating System Changes: When operating systems are changed, business-critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security.

Restrictions on Changes to Software Packages: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

Tripwire Enterprise provides several reports on changes to systems, as well as links within these reports that show the specific systems that changed and who made the changes. These reports provide a documented audit trail that can be reviewed and approved to prevent potential problems. Tripwire Enterprise monitors all changes that happen on defined systems, reporting whether files have been modified, added or deleted. Having Tripwire Enterprise ensures that change is monitored and controlled.
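The change audit described for A.12.4 and A.12.5 rests on a baseline-and-compare cycle: record a known state of the monitored files, rescan, classify each difference as added, removed or modified, and reconcile the result against the changes a ticketing system has authorised. The following is an added example, not Tripwire code, that implements that cycle over a constructed directory tree with one constructed ticket id (`CHG-1042`); it reports content and permission changes but, unlike the product, has no source for the "who" behind a change.

```python
"""Baseline-and-compare change audit with reconciliation against authorised
change tickets (added example, not Tripwire Enterprise code)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative path -> (sha256, size, permission bits) for every regular file under root."""
    base = Path(root)
    baseline = {}
    for path in sorted(base.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            st = path.stat()
            baseline[path.relative_to(base).as_posix()] = (digest, st.st_size, st.st_mode & 0o777)
    return baseline


def compare(baseline, current):
    """Classify each path as added, removed or modified (content, size or permissions)."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            changes.append(("added", rel))
        elif rel not in current:
            changes.append(("removed", rel))
        elif baseline[rel] != current[rel]:
            changes.append(("modified", rel))
    return changes


def reconcile(changes, authorised):
    """Attach the covering ticket id to each change; None marks an unauthorised change.

    `authorised` maps ticket id -> set of relative paths the ticket permits changing."""
    covered = {path: ticket for ticket, paths in authorised.items() for path in paths}
    return [(kind, rel, covered.get(rel)) for kind, rel in changes]


def demo():
    """Constructed scenario: baseline a tree, apply three changes, reconcile against one ticket."""
    with tempfile.TemporaryDirectory() as root:
        tree = Path(root)
        (tree / "etc").mkdir()
        (tree / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (tree / "bin").mkdir()
        (tree / "bin" / "app").write_bytes(b"placeholder binary")
        (tree / "bin" / "legacy").write_bytes(b"old tool")
        baseline = snapshot(root)

        # One edit covered by a ticket, one unexpected new file, one deletion.
        (tree / "etc" / "sshd_config").write_text("PermitRootLogin no\nMaxAuthTries 3\n")
        (tree / "bin" / "unexpected").write_bytes(b"not approved")
        (tree / "bin" / "legacy").unlink()

        authorised = {"CHG-1042": {"etc/sshd_config"}}   # constructed ticket id
        return reconcile(compare(baseline, snapshot(root)), authorised)


if __name__ == "__main__":
    for kind, rel, ticket in demo():
        status = f"authorised by {ticket}" if ticket else "UNAUTHORISED"
        print(f"{kind:8} {rel:20} {status}")
```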

12 A.13 INFORMATION SECURITY INCIDENT MANAGEMENT A.13.2 Management of Information Security Incidents and Improvements The objective of this control is to ensure a consistent and effective approach is applied to the management of information security incidents Collection of evidence Where a follow-up action against a person or organisation after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). As part of the audit trail and reporting capabilities within Tripwire Enterprise, changes that are made to systems that could provide potential vulnerabilities or security incidents can be documented, providing information as to the person(s) responsible for any breaches in security. A.15 COMPLIANCE A Compliance with Security Policies and Standards, and Technical Compliance The objective of this control is to ensure compliance of systems with organisational security police and standards Technical Compliance Checking Information Systems shall be regularly checked for compliance with security implementation standards. Enterprise validates that each Windows 2003 Server has the latest service pack installed. A.15.3 Information Systems Audit and Considerations The objective of this control is to maximise the effectiveness of and to minimise interference to/from the information systems audit process Information systems audit controls Protection of information systems audit tools Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimise the risk of disruptions to business processes. Access to information systems audit tools shall be protected to prevent any possible misuse or compromise. Tripwire Enterprise provides documented audit proof behind system compliance, as well as changes that happen with IT systems. 
By incorporating Tripwire Enterprise in the change management process, changes are monitored and documented, and if a change disrupts a business process it can be immediately reconciled and remediated. By using Roles and User Groups in Tripwire Enterprise, access to privileged information, and to software such as Tripwire Enterprise itself, can be limited to users who hold the proper permissions. Tripwire Enterprise requires installation by a user with administrative privileges. Users of Tripwire Enterprise can then be set up with full access, read-only access, or several variants in between.
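The mechanics behind the change auditing and policy testing described in the preceding sections (files reported as modified, added or deleted against a baseline; detected changes reconciled against approved change records; a configuration checked against a hardening rule) can be shown in a few dozen lines. The following is an added illustration written for this page, not Tripwire code and not a description of how Tripwire Enterprise is implemented. The file contents, paths, approved-change list and policy rule are all constructed sample data.

```python
"""Constructed example of baseline change auditing and policy testing.

This is an added illustration, not Tripwire code: it shows how a
file-integrity monitor classifies files as modified, added or deleted
against a baseline, how detected changes are reconciled against an
approved change list so that unauthorized changes stand out, and how a
simple policy test flags a configuration that drifted from the standard.
"""
import hashlib

# Constructed sample "filesystem snapshots": path -> file content.
# BASELINE_FILES is the last approved state; CURRENT_FILES is what a
# later scan observed.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/cron.d/nightly-backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/usr/sbin/sshd": b"\x7fELF-constructed-binary-v1",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/usr/sbin/sshd": b"\x7fELF-constructed-binary-v1",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/etc.tgz /etc\n",
}

# Paths covered by an approved change ticket (constructed; a real
# deployment would take these from the change-management system).
APPROVED_PATHS = {"/usr/local/bin/backup.sh"}

# Policy rules: path -> lines that must be present. Constructed rules
# mirroring a "disable what is not needed" hardening check.
POLICY_RULES = {
    "/etc/ssh/sshd_config": [b"PermitRootLogin no", b"PasswordAuthentication no"],
}


def snapshot(files):
    """Baseline a file set as path -> SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_snapshots(baseline, current):
    """Classify every path as added, modified or deleted relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def reconcile(changes, approved_paths):
    """Split detected changes into authorized (on a change ticket) and unauthorized."""
    result = {"authorized": [], "unauthorized": []}
    for kind, paths in changes.items():
        for path in paths:
            bucket = "authorized" if path in approved_paths else "unauthorized"
            result[bucket].append(f"{kind}:{path}")
    for bucket in result:
        result[bucket].sort()
    return result


def policy_test(files, rules):
    """Return failed (path, required line) checks; an empty list means compliant."""
    failures = []
    for path, required_lines in rules.items():
        content_lines = files.get(path, b"").splitlines()
        for line in required_lines:
            if line not in content_lines:
                failures.append((path, line.decode()))
    return failures


def change_audit():
    """Run the constructed scan end to end and return the reconciled change report."""
    changes = diff_snapshots(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    return reconcile(changes, APPROVED_PATHS)


if __name__ == "__main__":
    for bucket, items in change_audit().items():
        print(f"{bucket}:")
        for item in items:
            print(f"  {item}")
    for path, line in policy_test(CURRENT_FILES, POLICY_RULES):
        print(f"POLICY FAIL {path}: expected line {line!r}")
```

In the constructed data the new backup script is on the approved list and is reported as authorized, while the removed cron job and the edited sshd_config are reported as unauthorized; the policy test then names the exact setting that drifted (PermitRootLogin). Hashing content rather than comparing timestamps is what makes the "modified" classification trustworthy: a file whose mtime was reset but whose contents changed still shows up.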

Sample Policy Test and Change Audit Screenshots from Tripwire Enterprise

Screenshot showing assessments that address the Communication and Operations Management control, specifically section A , Security of Network Services. This section checks that services that do not need to be enabled are explicitly disabled.

Screenshot showing assessments that address the Access Control clause of ISO 27001, specifically section A.11.6, Operating System Access Control. These controls deal with permissions and authentication processes within the operating system.

Screenshot showing assessments that address the Compliance control, specifically section A , Technical Compliance Checking. This check verifies that the appropriate packages are installed on that system.

Screenshot showing the default role types in Tripwire Enterprise, with the access rights and permissions of each role described. New roles can be created and permissions assigned accordingly.

Tripwire Enterprise Change Process Compliance report, highlighting authorized vs. unauthorized changes to a system.

Tripwire Enterprise Detailed Changes report, showing detailed information on what changes were made, when they occurred and who made them.

The Nodes With Changes report shows which systems had changes, when they occurred and other details.

ABOUT TRIPWIRE

Tripwire is the leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 7,000 customers in more than 86 countries rely on Tripwire's integrated solutions. Tripwire VIA, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation. Learn more at tripwire.com.

Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WP2714a


More information

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive IT Governance ISO/IEC 27001:2013 ISMS Implementation Service description Protect Comply Thrive 100% guaranteed ISO 27001 certification with the global experts With the IT Governance ISO 27001 Implementation

More information

COBIT 5 With COSO 2013

COBIT 5 With COSO 2013 Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1 Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder

More information

ISO/IEC ISO/IEC White Paper

ISO/IEC ISO/IEC White Paper White Paper 2 Contents Foreword from Richard Pharro, CEO, APMG 3 Introduction 4 Overview 5 Benefits 8 Conclusion 10 Further information 10 3 Foreword by Richard Pharro, CEO, APMG The close relationship

More information

Introduction to ISO/IEC 27001:2005

Introduction to ISO/IEC 27001:2005 Introduction to ISO/IEC 27001:2005 For ISACA Melbourne Chapter Technical Session 18 th of July 2006 AD Prepared by Endre P. Bihari JP of Performance Resources What is ISO/IEC 17799? 2/20 Aim: Creating

More information

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures RAPID7 INFORMATION SECURITY An Overview of Rapid7 s Internal Security Practices and Procedures 060418 TABLE OF CONTENTS Overview...3 Compliance...4 Organizational...6 Infrastructure & Endpoint Security...8

More information

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Privileged Account Security: A Balanced Approach to Securing Unix Environments Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Data Security Standards

Data Security Standards Data Security Standards Overall guide The bigger picture of where the standards fit in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a

More information

ngenius Products in a GDPR Compliant Environment

ngenius Products in a GDPR Compliant Environment l FAQ l ngenius Products in a GDPR Compliant Environment This document addresses questions from organizations that use ngenius Smart Data Core platform and application products and are evaluating their

More information

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

The Apple Store, Coombe Lodge, Blagdon BS40 7RG, 1 The General Data Protection Regulation ( GDPR ) is the new legal framework that will come into effect on the 25th of May 2018 in the European Union ( EU ) and will be directly applicable in all EU Member

More information

BS ISO IEC SANS Checklist

BS ISO IEC SANS Checklist Interested in learning more about implementing security standards? SANS Institute Security Consensus Operational Readiness Evaluation This checklist is from the SCORE Checklist Project. Reposting is not

More information