Compuware - Application Auditing Review
Nymity's Independent Privacy Solutions Review provides an unbiased assessment of the legal and privacy benefits of Compuware's Application Auditing solution by detailing how this service will help your organization comply with privacy laws.
Privacy Compliance: Application Auditing
Requirements for the security of personally identifiable information ("PII") are increasingly being included in legislation and industry regulations. These laws and regulations oblige organizations to ensure that PII is protected and does not become subject to a security breach, and they generally impose financial and other liabilities on organizations that fail to appropriately safeguard customer and employee PII. In many cases, these laws specifically address the organization's responsibility to ensure that its employees comply with its security program.
Legislative Requirements
The Health Insurance Portability and Accountability Act ("HIPAA") Security Rule requires covered entities to ensure the confidentiality, integrity and availability of electronic protected health information ("PHI"), to protect against reasonably anticipated threats and hazards to the security of that information, and to ensure compliance with the rule by their workforce (45 C.F.R. § 164.306). Its administrative safeguards (45 C.F.R. § 164.308) require entities to establish workforce security standards, including procedures to supervise workforce members who work with electronic PHI and procedures to determine that a workforce member's access to electronic PHI is appropriate. Covered entities are also required to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI (45 C.F.R. § 164.312, audit controls). The Health Information Technology for Economic and Clinical Health Act ("HITECH Act") extends these Security Rule requirements to business associates of covered entities.
The U.S.-EU Safe Harbor Framework's Security Principle provides that organizations must take reasonable precautions to protect personal information ("PI") from loss, misuse and unauthorized access, disclosure, alteration and destruction, and its Enforcement Principle provides that effective privacy protection must include mechanisms for assuring compliance with the Safe Harbor Principles. The FTC Standards for Safeguarding Customer Information (16 C.F.R. Part 314), issued under the Gramm-Leach-Bliley Act ("GLBA"), require organizations to develop a security program based on a risk assessment that covers detecting, preventing and responding to attacks, intrusions or other systems failures (16 C.F.R. § 314.4).
Many state laws also require organizations to ensure employee compliance. As an example, Massachusetts 201 CMR 17.03(2)(b) requires organizations, when assessing risks to personal information, to evaluate employee compliance with policies and procedures and the means for detecting and preventing security system failures.
Industry Regulations
In addition to legislated requirements, industry has also created regulations relating to the security of PII. The Payment Card Industry Data Security Standard ("PCI DSS") outlines a number of specific data security requirements that apply to all merchants and service providers that handle, process or store cardholder data. In addition to the specific technical and physical safeguards it outlines, PCI DSS Requirement 10 obliges organizations to implement automated audit trails for all system components, defines which audit trail entries must be recorded for each event, and requires audit trails to be secured so that the records cannot be altered.
The Generally Accepted Privacy Principles ("GAPP"), developed by the American Institute of Certified Public Accountants ("AICPA") and the Canadian Institute of Chartered Accountants ("CICA"), require in Principle 8.2.2 that organizations establish logical access controls and implement appropriate authentication protocols. The supporting criteria expand on this requirement to include the implementation of monitoring and intrusion detection systems, which covers monitoring employee access to systems as well as inappropriate external access or intrusion attempts.
Regulatory and/or Legal Actions
Many breaches have resulted in actions by regulators or class-action lawsuits, such as those involving ChoicePoint, TJX, Hannaford Brothers and Heartland Payment Systems. These actions have resulted in significant financial costs for the affected organizations, including penalties from regulators (ChoicePoint: $10M in civil penalties and $5M in consumer redress; TJX: a $9.75M monetary award paid under an agreement with 41 state attorneys general) and from the credit card industry (Heartland: MasterCard levied a fine of more than $6M).
How Does Compuware's Application Auditing Solution Enable Compliance?
Compuware's Application Auditing helps organizations maintain compliance by protecting against data breaches that can be caused by trusted insiders who have authorized access to the organization's PII holdings.
Implement and Maintain Compliance
To achieve compliance with the wide range of federal and state laws that require organizations to ensure that employees comply with their security programs, Compuware's solution acts like a surveillance camera on the organization's applications, recording the authorized internal activity between users and the application. All user transaction activity is documented. The solution therefore acts as a deterrent to inappropriate activities, reducing the risk of breaches caused by insider activity.
If a breach does occur, the audit trails generated by the Application Auditing solution help identify the specific activity that triggered the breach and the affected parties, so that notification is limited to those parties and, where required, is completed within the timeframe set by the relevant breach notification law(s). The audit logs are also of value for investigative purposes, to both internal and external investigators.
Demonstrate Compliance
Use of the Application Auditing solution demonstrates to regulators and other investigative bodies that the organization has taken steps to ensure compliance with its security program. The logs and audit trails retained for all user transactions provide evidence of due diligence: of the actions taken to prevent a breach and of the appropriateness of the actions taken when notifying affected parties.
Organizations that provide services to other companies can use the Compuware Application Auditing solution to demonstrate their commitment to the security of their current and prospective clients' customers' PII, a potential competitive advantage.
Compuware Application Auditing

Application Auditing is a solution that:
- audits the activity of internal users to deter inappropriate actions;
- records in-depth audit trails of each screen users access;
- retains production application activity to allow searches for suspected unauthorized use;
- provides independent data that cannot be modified;
- provides evidence for use in legal proceedings;
- supports forensic investigations;
- permits review of all transactions and provides summary reports.
Compuware's Application Auditing solution uses Hiperstation to provide a true picture of what a user has seen and what actions they took.
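The bullets above, PCI DSS Requirement 10 (audit trails secured against alteration) and the breach-scoping use in the compliance section all turn on the same two properties of an application audit trail: after-the-fact edits must be detectable, and the trail must answer "who touched which record" quickly. The following is an added illustration of those properties in a hash-chained audit trail; it is not Compuware's or Hiperstation's code, and the record schema (`user`, `screen`, `action`, `customer`), the sample transactions and the user and customer identifiers are all constructed for the example.

```python
# Added illustration of a tamper-evident application audit trail.
# Not Compuware's implementation; schema, sample data and chaining scheme are assumptions.
import hashlib
import json
from collections import Counter

GENESIS_HASH = "0" * 64  # anchor for the first record in the chain


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(trail: list, entry: dict) -> dict:
    """Append one user transaction; each record commits to the previous record's hash."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS_HASH
    record = {"seq": len(trail), "entry": dict(entry), "hash": _entry_hash(prev_hash, entry)}
    trail.append(record)
    return record


def verify_trail(trail: list) -> int:
    """Return -1 if every record chains correctly, else the index of the first bad record."""
    prev_hash = GENESIS_HASH
    for i, record in enumerate(trail):
        if record["seq"] != i or record["hash"] != _entry_hash(prev_hash, record["entry"]):
            return i
        prev_hash = record["hash"]
    return -1


def head_hash(trail: list) -> str:
    """Latest chain hash; store it outside the application owner's reach (e.g. a separate log host)."""
    return trail[-1]["hash"] if trail else GENESIS_HASH


def users_who_accessed(trail: list, customer_id: str) -> set:
    """Which users touched a given customer record (investigation scoping)."""
    return {r["entry"]["user"] for r in trail if r["entry"].get("customer") == customer_id}


def customers_accessed_by(trail: list, user: str) -> set:
    """Which customer records a given user viewed (identifying affected parties for notification)."""
    return {r["entry"]["customer"] for r in trail
            if r["entry"]["user"] == user and r["entry"].get("customer")}


def summary_report(trail: list) -> dict:
    """Transactions per user and per screen, the kind of daily review file a security officer would read."""
    return {"by_user": dict(Counter(r["entry"]["user"] for r in trail)),
            "by_screen": dict(Counter(r["entry"]["screen"] for r in trail))}


# Constructed sample transactions (hypothetical users, screens and customer ids).
SAMPLE_ENTRIES = [
    {"ts": "2010-03-01T09:00:01Z", "user": "csr017", "screen": "CUST-INQ", "action": "view", "customer": "C10001"},
    {"ts": "2010-03-01T09:00:40Z", "user": "csr017", "screen": "CUST-INQ", "action": "view", "customer": "C10002"},
    {"ts": "2010-03-01T09:01:12Z", "user": "csr042", "screen": "ACCT-UPD", "action": "update", "customer": "C10001"},
    {"ts": "2010-03-01T09:02:05Z", "user": "csr017", "screen": "CARD-VIEW", "action": "view", "customer": "C10003"},
    {"ts": "2010-03-01T09:03:30Z", "user": "csr042", "screen": "MENU", "action": "logoff", "customer": None},
]


def build_sample_trail() -> list:
    trail = []
    for entry in SAMPLE_ENTRIES:
        append_entry(trail, entry)
    return trail


def tamper_demo() -> tuple:
    """An insider rewrites a stored record to shift blame: the chain breaks at that record."""
    trail = build_sample_trail()
    before = verify_trail(trail)            # -1: intact
    trail[1]["entry"]["user"] = "csr099"    # after-the-fact edit of record 1
    after = verify_trail(trail)             # 1: first record whose hash no longer matches
    return before, after


def truncation_demo() -> tuple:
    """Deleting the newest record leaves the chain internally consistent; only the external anchor catches it."""
    trail = build_sample_trail()
    anchor = head_hash(trail)               # saved to an independent system at end of day
    del trail[-1]
    return verify_trail(trail) == -1, head_hash(trail) == anchor


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail) == -1)
    print("who accessed C10001:", sorted(users_who_accessed(trail, "C10001")))
    print("records seen by csr017:", sorted(customers_accessed_by(trail, "csr017")))
    print("summary:", summary_report(trail))
    print("edit detected (before, after):", tamper_demo())
    print("truncation (chain ok, anchor matches):", truncation_demo())
```

The hash chain makes in-place edits detectable, but it does not by itself make the data "independent": an attacker who can rewrite the whole store can recompute every hash, and dropping the newest records leaves the chain internally consistent, as `truncation_demo` shows. The practical control is therefore to copy the trail (or at least the latest chain hash) to a system the application's administrators cannot write to, which is what the "independent data that cannot be modified" bullet and PCI DSS Requirement 10 are really asking for.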
Case Studies
Client No. 1 had invested in preventing external breaches, but its auditors were concerned about internal risks. The company’s customer service representatives are authorized to use its applications and they generate millions of transactions a day. Using the Application Auditing solution, the company now creates an audit trail of all user activity. Not only does it deter misuse by authorized users, it reduces the impact if a data breach does occur.
Client No. 2, which has hundreds of worldwide employees who conduct more than 8 million highly sensitive, online transactions daily, has relied on Compuware Application Auditing solution to record and save all application traffic for the past 10 years. The client checks the audit trail for suspected misuse and has used the information as acceptable evidence for legal proceedings.
Client No. 3, an international bank, uses the solution to record key users’ activities in production. At the end of each day, it creates a file of sensitive information that was processed that day. The company’s security officers review the file and, if they suspect any misconduct, they can access full details. The good news is the recording process costs less than 0.1 percent of CPU.
Compliance ROI (Privacy ROI)
Organizations can determine their privacy return on investment (ROI) by understanding the impact of being found non-compliant with relevant legislative requirements and the costs associated with a breach of PII. These costs come in many forms, both internal and external. External costs include fines levied by regulators, the cost of defending lawsuits and penalties levied by relevant associations, such as the payment card brands. Internal costs include breach notification, providing free credit-monitoring services, internal investigations including the engagement of forensic auditors, lost business and so on.
The Ponemon Institute estimates that 40% of data security breaches are the result of non-malicious employee error, while 30% are caused by malicious employee activity. It also found that after a breach 20% of customers had terminated their business relationship with the organization that suffered the breach, and a further 40% said they would consider terminating it. The institute estimated that in 2008 the average cost of a breach was $202 per compromised record.
Examples of how Compuware's Application Auditing solution can provide savings to organizations include:
- simple production of the key evidence required in legal proceedings, reducing litigation costs;
- help in identifying the parties affected by a security breach, minimizing the risk of over-notification and saving the expense of notification and post-breach services such as credit monitoring;
- quick provision of evidence to forensic investigators, reducing the time needed to identify who was involved and which systems, applications or sensitive data were affected;
- by deterring breach incidents, avoidance of the additional cost of post-breach remediation programs;
- by implementing a documented process that deters inappropriate activities and assists in breach investigation, a lower overall cost of regulatory and industry compliance related to data security and privacy.
Next Steps
Implementing Compuware's Application Auditing solution will reduce the potential of non-compliance.
See Compuware for information about these resources.