FISMA Compliance with Netwrix Guidelines for applying Netwrix solutions and products to implement security controls of NIST SP 800-53 FISMA Compliance Any Federal agency, its subcontractors, service providers and any organizations that operate IT systems on behalf of Federal agencies must be compliant with FISMA regulation. FISMA was signed into law as a part of the Electronic Government Act of 2002. FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation. FISMA requirements Overview The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. Netwrix assists with implementation and validation of the selected controls from the following security domains: Access Control, Audit and Accountability, Security Assessment and Authorization, Configuration Management, Contingency Planning, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personal Security, Risk Assessment, System and Communications Protection, System and Information Integrity Netwrix provides minimal or zero assistance with the following domains: Awareness and Training, Physical and Environmental Protection , Planning, System and Services Acquisition Please note that the suggested mechanisms to support compliance efforts for each particular control may vary in different organizations depending on their systems configuration, internal procedures, nature of business, and other factors. Reports mentioned in one section may be useful for implementation of another control but may be omitted. The table below is not a complete reference guide for NIST SP800-53 implementation, but a sample mapping that outlines features and capabilities of Netwrix product and indicates areas of applicability. In order to achieve compliance various additional measures must be applied. For your convenience see complete Netwrix Auditor Report List 2|P a g e NIST 800-53 rev4 How Netwrix Helps Netwrix Solution/Product/Report FAMILY: ACCESS CONTROL AC-2 ACCOUNT MANAGEMENT AC-3 ACCESS ENFORCEMENT AC-5 SEPARATION OF DUTIES Audit all information system accounts creation, removal, enablement, disablement and modifications, for compliance with organization-defined procedures and conditions. Configurable email alerts and daily reports on relevant activities to ensure FISMA compliance. Netwrix Auditor for Active Directory Auditing of user access rights, files folders and their permissions across the entire IT infrastructure. Validate that all changes are done in accordance with internal policies. Netwrix Auditor for Active Directory Audit state and changes to password and other account policies. Netwrix Auditor for Exchange Active Directory Change Tracking/User Accounts/Changes to User Accounts Active Directory Change Tracking/User Accounts/New User Accounts Active Directory Change Tracking/User Accounts/Deleted User Accounts AD State-in-Time Assessment/User Accounts/User Accounts with Group Membership Inactive User Tracking/Actions & Notifications Active Directory Change Tracking/Groups/Changes to Security Groups Active Directory Change Tracking/Security/Changes to Objects Security GP State-in-Time Assessment/Policy Settings/Account Policies GP State-in-Time Assessment/Group Policy Objects/All Linked and Unlinked GPOs GP Change Tracking/Account Policies/Changes to Account Policies Mailboxes/Changes to Mailbox Permissions Netwrix Auditor for File Servers Snapshot Reports/Users Object Access Permissions by Object Path Successful Modifications/Permission Changes Netwrix Auditor for SharePoint All Changes/All SharePoint Permission Changes by User Netwrix Auditor for SQL Server All Changes/All SQL Server Changes by User Netwrix Auditor for Windows Server Windows Server System and Security/Local Users and Groups Changes 3|P a g e AC-6 LEAST PRIVILEGE AC-7 UNSUCCESSFUL LOGON ATTEMPTS Audit all privileged accounts activities and cross-check with internal policies to determine the validity of given privileges and prevent and mitigate malicious and risky activities. (Filter by groups with privileged members) Netwrix Auditor Enterprise Overview Audit logon activities. Alerts and reports on account lockouts. Netwrix Auditor for Active Directory AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION Netwrix Auditor for Active Directory AC-11 SESSION LOCK AD State-in-Time Assessment/Groups/Administrative Groups with Their Members AD Change Tracking/All Changes/All AD Changes by Groups with Originating Workstation AD Change Tracking/Groups/Changes to Administrative Groups Membership AD State-in-Time Assessment/User Accounts/User Accounts with Last Logon Time Active Directory Change Tracking/User Accounts/User Accounts Lockouts Netwrix Auditor for Windows Server AC-8 SYSTEM USE NOTIFICATION Enterprise-Wide Reports/All Changes/All Changes by User For sensitive systems and/or selected user accounts screen activity video recording feature of Netwrix Auditor can be used with customized dialog notification on logon. Event Log Management/Best Practice Reports/Logon Reporter/Failed Logon Attempts Event Log Management/Best Practice Reports/Logon Reporter/Successful User Logons Event Log Management/Best Practice Reports/Logon Reporter/User Logoffs Netwrix Auditor for Windows Server User Session Activity/All Users Activity/All Users Activity by Server User Activity Video Recording Audit state and changes to AD “Screen saver timeout” policy, Remote Desktop session timeout, and other relevant policies. Netwrix Auditor for Active Directory AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION Audit all activities of users across entire IT infrastructure to determine/prove validity of changes. Netwrix Auditor Enterprise Overview AC-17 REMOTE ACCESS In addition to the monitoring of the states and changes to related policies (see AC-11, AC-12 above), audit all remote desktop sessions. Netwrix Auditor for Windows Server AC-12 SESSION TERMINATION GP State-in-Time Assessment/Group Policy Objects/All GPOs with Their Settings Group Policy Change Tracking/All Changes/All Group Policy Changes Enterprise-Wide Reports/All Changes/All Changes by User Event Log Management/Best Practice Reports/Logon Reporter/Remote Desktop Sessions 4|P a g e AC-21 INFORMATION SHARING AC-22 PUBLICLY ACCESSIBLE CONTENT To ensure FISMA compliance audit access and modifications to the data stored in MS SQL, Fileservers and SharePoint. AC-23 DATA MINING PROTECTION Netwrix Auditor for File Servers Successful Modifications/All File Server Changes Netwrix Auditor for SharePoint All Changes/All SharePoint Changes Netwrix Auditor for SQL Server All Changes/All SQL Server Changes FAMILY: AUDIT AND ACCOUNTABILITY AU-2 AUDIT EVENTS AU-3 CONTENT OF AUDIT RECORDS AU-4 AUDIT STORAGE CAPACITY AU-7 AUDIT REDUCTION AND REPORT GENERATION AU-8 TIME STAMPS AU-9 PROTECTION OF AUDIT INFORMATION AU-11 AUDIT RECORD RETENTION AU-12 AUDIT GENERATION Variety of reports and features can be used for successful FISMA compliance audit. Netwrix Auditor collects configurations states, captures changes and access events, provides complete audit trail for report and analysis, including who, when, where, what data with before and after values, consolidated within two-tiered (file-based and SQL database) solution, storing of up to and beyond 10 years of audit data. Built-in archiving capabilities with configurable retention policies. AU-5 RESPONSE TO AUDIT PROCESSING FAILURES Netwrix Auditor will deliver daily summary report with indication if there were any failures of audit collecting, processing, etc. AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING In addition to over 200 built-in reports with filtering capabilities that can be reviewed for specific purposes, simplify burden of systematic reviews of audit trails ALL REPORTS FOR THE FOLLOWING SOLUTIONS: Netwrix Auditor for Active Directory Netwrix Auditor for Exchange Netwrix Auditor for File Servers Netwrix Auditor for SharePoint Netwrix Auditor for SQL Server Netwrix Auditor for VMware Netwrix Auditor for Windows Server Netwrix Auditor for Active Directory Active Directory Change Tracking/Change Management/Change Review History (AD) Group Policy Change Tracking/Change Management/Change Review History(GP) 5|P a g e AU-10 NON-REPUDIATION by using Change Review History mechanism of Netwrix Auditor. Real-Time alerts for AD and Windows Server can be configured to provide timely notifications. Netwrix Auditor for Exchange Change Management/Change Review History(EX) Netwrix Auditor for SharePoint Change Management/Change Review History(SP) Netwrix Auditor for Windows Server Windows Server Change Management/Change Review History (WS) Utilize variety of ready to use reports of user activities across all audited systems. Built-in reports for every particular system, for all changes or specific activity. Apply report filtering to increase relevancy of events. Netwrix Auditor Enterprise Overview Enterprise-Wide Reports/All Changes/All Changes by User Netwrix Auditor for Exchange All Changes/All MS Exchange Changes by User with Originating Workstation Netwrix Auditor for File Servers Successful Modifications/All File Server Changes by User Successful Reads/Successful File Reads by User Netwrix Auditor for SharePoint All Changes/All SharePoint Content Changes by User All Changes/All SharePoint Permission Changes by User Netwrix Auditor for SQL Server All Changes/All SQL Server Changes by User Netwrix Auditor for VMware All VMware Changes/All VMware Changes by User Netwrix Auditor for Windows Server AU-14 SESSION AUDIT Use screen activity video recording for critical systems and high privileged users. Windows Server Overall Changes/All Server Changes by User Netwrix Auditor for Windows Server User Session Activity/All Users Activity/All Users Activity by User 6|P a g e FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION CA-2 SECURITY ASSESSMENTS CA-7 CONTINUOUS MONITORING CA-8 PENETRATION TESTING Variety of reports can be used in order to determine effectiveness of security controls and in support of security assessment. VARIOUS REPORTS FOR THE FOLLOWING SOLUTIONS: Netwrix Auditor for Active Directory Netwrix Auditor for Exchange Netwrix Auditor for File Servers Configure Netwrix Auditor auditing policies according to organization-defined metrics and strategies. Validate audit trails by cross-checking against security baselines to assess conformance with FISMA compliance requirements. Verify that only authorized use of systems by authorized personnel is taking place. Netwrix Auditor for SharePoint Netwrix Auditor for SQL Server Netwrix Auditor for VMware Netwrix Auditor for Windows Server FAMILY: CONFIGURATION MANAGEMENT CM-2 BASELINE CONFIGURATION CM-6 CONFIGURATION SETTINGS Compare organization-defined baseline configuration to configuration snapshots and track configuration changes for deviations/violations in Active Directory and Fileservers Netwrix Auditor for Active Directory AD State-in-Time Assessment/Groups/Groups with Members AD State-in-Time Assessment/Organizational Units/Organizational Units with Accounts GP State-in-Time Assessment/Group Policy Objects/All GPOs with Their Status GP Change Tracking/All Changes/All GP Changes by Groups with Originating Workstation AD Change Tracking/All Changes/All AD Changes by User with Originating Workstation Netwrix Auditor for File Servers Snapshot Reports/Accounts Access Permissions by Folders Successful Modifications/Permission Changes Successful Modifications/Shares Changes 7|P a g e CM-3 CONFIGURATION CHANGE CONTROL Review audit trail of configuration changes to IT infrastructure components. Use reports with all changes or choose only relevant ones. Setup retention policies for audit storage. Configure alerts and subscribe for reports on critical (organization-defined) changes. Netwrix Auditor for Active Directory Active Directory Change Tracking/All Changes/All Active Directory Changes Group Policy Change Tracking/All Changes/All Group Policy Changes Netwrix Auditor for Exchange All Changes/All MS Exchange Changes Netwrix Auditor for File Servers Successful Modifications/All File Server Changes Netwrix Auditor for SharePoint All Changes/All SharePoint Configuration Changes Netwrix Auditor for SQL Server All Changes/All SQL Server Changes Netwrix Auditor for VMware All Changes/All VMware Changes Netwrix Auditor for Windows Server CM-4 SECURITY IMPACT ANALYSIS CM-5 ACCESS RESTRICTIONS FOR CHANGE CM-7 LEAST FUNCTIONALITY CM-9 CONFIGURATION MANAGEMENT PLAN CM-10 SOFTWARE USAGE RESTRICTIONS CM-11 USER-INSTALLED SOFTWARE Windows Server Overall Changes/All Server Changes Audit all changes across the entire IT infrastructure to validate that only authorized users allowed to make sensitive changes. Netwrix Auditor Enterprise Overview Some aspects of these controls can be assisted with variety of reports by auditing for violations of properly configured systems. Including Group and Local policies changes, access and permissions modifications, workstations audit, registry monitoring, and other configuration assets that can be critical for maintaining FISMA compliance. VARIOUS REPORTS FOR THE FOLLOWING SOLUTIONS: Enterprise-Wide Reports/All Changes/All Changes by User Netwrix Auditor for Active Directory Netwrix Auditor for Exchange Netwrix Auditor for File Servers Netwrix Auditor for SharePoint Netwrix Auditor for SQL Server Netwrix Auditor for VMware Netwrix Auditor for Windows Server 8|P a g e FAMILY: CONTINGENCY PLANNING CP-4 CONTINGENCY PLAN TESTING CP-6 ALTERNATE STORAGE SITE CP-12 SAFE MODE Test IT systems in various modes of operations and analyze audit trails for incidents and other problems to validate effectiveness of the system functions. VARIOUS REPORTS FOR THE FOLLOWING SOLUTIONS: Netwrix Auditor for Active Directory Netwrix Auditor for Exchange Netwrix Auditor for File Servers Netwrix Auditor for SharePoint Netwrix Auditor for SQL Server CP-13 ALTERNATIVE SECURITY MECHANISMS CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION Netwrix Auditor for VMware Netwrix Auditor for Windows Server In addition to the analysis of historic data on configuration states and changes to Active Directory, use built-in restore feature with object-level and attribute-level recovery wizard. Netwrix Auditor for Active Directory AD State-in-Time Assessment/Computer Accounts/Computer Accounts with Status AD State-in-Time Assessment/Organizational Units/Organizational Units with Accounts AD State-in-Time Assessment/User Accounts/User Accounts with Group Membership GP State-in-Time Assessment/Group Policy Objects/All GPOs with Their Delegation Settings Active Directory Change Tracking/All Changes/All Active Directory Changes Active Directory Object Restore FAMILY: IDENTIFICATION AND AUTHENTICATION IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) IA-4 IDENTIFIER MANAGEMENT IA-5 AUTHENTICATOR MANAGEMENT Full auditing of user accounts state, creations, deletions and modifications in Active Directory, SQL Server, Windows server to validate conformance with NIST SP 800-53 guidelines and organization-defined requirements to support FISMA compliance. Auditing of password policies and changes. Automatic password expiration notifications. Netwrix Auditor for Active Directory AD State-in-Time Assessment/User Accounts/User Accounts with Status AD State-in-Time Assessment/User Accounts/Expired User Accounts Active Directory Change Tracking/User Accounts/Changes to User Accounts Active Directory Change Tracking/User Accounts/Deleted User Accounts Active Directory Change Tracking/User Accounts/New User Accounts GP State-in-Time Assessment/Policy Settings/Account Policies GP Change Tracking/Account Policies/Changes to Password Policy Settings Inactive User Tracking Password Expiration Alerting 9|P a g e IA-6 AUTHENTICATOR FEEDBACK Password management with challenge-response system. IA-8 IDENTIFICATION AND AUTHENTICATION (NONORGANIZATIONAL USERS) Netwrix Auditor for SQL Server Object Changes/Login Changes Object Changes/User Changes Netwrix Auditor for Windows Server Windows Server System and Security/Local Users and Groups Changes Netwrix Password Manager Policies & Features Additionally Netwrix assists with various aspects of the following controls: FAMILY: INCIDENT RESPONSE IR-4 INCIDENT HANDLING (monitor systems operations, and use on-demand reporting to perform root cause analysis of incidents) IR-5 INCIDENT MONITORING (audit and analyze data collection) IR-6 INCIDENT REPORTING (utilize scheduled reporting and real-time alerts) IR-9 INFORMATION SPILLAGE RESPONSE (audit of all data creations to identify violations) FAMILY: MAINTENANCE MA-2 CONTROLLED MAINTENANCE (capture audit trail of activities during maintenance and validate proper systems functionality afterward) MA-4 NONLOCAL MAINTENANCE (audit remote access sessions and activities) FAMILY: MEDIA PROTECTION MP-2 MEDIA ACCESS and MP-7 MEDIA USE (audit access and changes to content on Fileservers and modifications in SQL and SharePoint for violations) 10 | P a g e FAMILY: PERSONNEL SECURITY PS-4 PERSONNEL TERMINATION (revocation of authenticators/credentials associated with the individual) PS-5 PERSONNEL TRANSFER (access authorization modifications audit) FAMILY: RISK ASSESSMENT RA-3 RISK ASSESSMENT and RA-5 VULNERABILITY SCANNING (monitor for unauthorized access, changes and related consequences, use audit trail for reporting) FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION SC-2 APPLICATION PARTITIONING and SC-3 SECURITY FUNCTION ISOLATION (audit of privileged users, access control and systems management activities) SC-5 DENIAL OF SERVICE PROTECTION (monitor for user restrictions violations and irregularities in systems function) SC-6 RESOURCE AVAILABILITY (monitor for interruptions of user access, activities, and systems availability) FAMILY: SYSTEM AND INFORMATION INTEGRITY SI-4 INFORMATION SYSTEM MONITORING (monitor systems for illegal access and suspicious activities, audit privileged users) SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES (use alerts for violations and compromise indicators, notifications and reports) SI-6 SECURITY FUNCTION VERIFICATION (verify correctness of systems functioning by looking for deviations from baseline) SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY (monitor critical changes to the systems, workstations registry audit) SI-12 INFORMATION HANDLING AND RETENTION (audit all operations with data for compliance with policies and regulations) 11 | P a g e
© Copyright 2024