Security/Compliance
More Secure Endpoints
Studies have shown that a locked down environment is more cost effective to support because end users are less likely to make unnecessary changes to the core system configuration.
A least privileges approach protects your distributed desktop environment against malware and malicious attempts to change security settings and disable other security solutions. Implementing a locked down environment is also key to complying with various regulatory and compliance initiatives. For enterprises seeking to secure desktops and laptops, the desktop refresh to Windows 7 can be used as an opportunity to roll out changes in how security privileges are managed on the endpoint, so that the locally logged-on user does not need local administrator rights.
Corporate Compliance Mandates
Many industries and corporations have strict regulations and corporate compliance policies based on the regulations and requirements of the business. These policies are designed to safeguard the business, provide compliance with regulations and mitigate risk. Enforcement of these compliance policies and mandates can often be too restrictive at the desktop level and in many cases interferes with worker productivity or causes an increase in IT support calls.
This is primarily because a proven method for organizations to secure desktops is to lock down the distributed desktop environment. Removing administrative privileges at the desktop level is quite effective in controlling and protecting your systems; however, to be a worthy business practice, desktop lockdown must provide true cost savings while enforcing the compliance policies. The right solution will allow end users to have the functionality they need in order to do their job while still adhering to the policies designed to reduce system vulnerability.
Privilege management and application control tools help achieve total cost of ownership (TCO) reasonably close to that of a locked and well-managed user, while giving users some ability to control their systems.
Gartner: The Cost of Removing Administrative Rights for the Wrong Users
April 2011 | Terrence Cosgrove
Viewfinity offers IT professionals the ability to manage administrative rights and privileges so that compliance policy mandates are not compromised by the functional requirements that employees need to get their job done.
Detailed feature/functionality information related to our Privilege Management product is available in the products section of our website.
USGCB/FDCC, PCI DSS and HIPAA Compliance
Heavy fines and other restrictive measures are levied if companies, government agencies and contractors do not adhere to the respective compliance mandates. HIPAA imposes both civil and criminal penalties for failure to comply with its regulations. Visa recently began levying monthly fines of $25,000 on U.S. merchant banks (or acquirers) for each of their large merchants that did not validate PCI DSS compliance by the deadline. As of January 2008, Visa is levying monthly fines of $5,000 on U.S. acquirers for non-compliant middle-sized merchants.
Federal Government Configuration Baseline (USGCB/FDCC)
The Federal Government Configuration Baseline is a list of security settings recommended by the National Institute of Standards and Technology for computers that are connected directly to the network of a United States government agency. In March 2007 the Office of Management and Budget issued a memorandum instructing United States government agencies to develop plans for using the Microsoft Windows XP and Vista security configurations. Released in June 2008, USGCB/FDCC Major Version 1.0 specifies 674 settings, while Major Version 1.1 (released October 31, 2008) has no new or changed settings, but only expands on reporting options.
HIPAA Encryption & Security Requirements
Hospitals, clinics, and other health-care organizations are privy to more of a person's sensitive information than almost any other kind of organization. However, analysts report that over the last several years, data security breaches have exposed the names and information of more than 1.5 million patients. IT departments are responsible for ensuring HIPAA regulations are followed, and one method for enforcing this is to restrict administrative privileges at the desktop level.
In addition to the penalties described above, covered entities that fail to comply with HIPAA may suffer loss of goodwill, credibility, public trust and revenue. More information can be found on The Office of HIPAA Privacy & Security's website.
Endpoint Security Requirements and PCI Compliance
The increasing use of credit and debit cards, along with the rise of online retail shopping,
has prompted a growing number of attacks on cardholder data, including external hacking,
theft of storage media, and illegal activities by company employees. The growing number of remote users has further compounded the risk of these data security breaches, especially when those users are accessing data with portable devices such as laptops, handhelds, smartphones, USB drives, and other removable media.
To address these data security issues, leading credit card companies including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International developed the Payment Card Industry Data Security Standards (PCI DSS).
The standard is based on 12 data-centric requirements that combine the use of data encryption and end-user access control with activity monitoring and logging. PCI DSS applies to credit card payment processors, card issuers, businesses that accept cards for payment or organizations that process card transactions.
Complying with USGCB/FDCC, PCI Compliance, SOX, HIPAA and Other Mandates
Managing a security structure as defined by USGCB/FDCC, HIPAA or any other compliance mandate can be a daunting task. There are processes and procedures that must be followed to the letter, and it is imperative that the mandate be implemented and managed. One of the key principles of robust security is removing the local user as a direct Administrator of the computer. However, removing local Administrator rights presents an issue all on its own, as end users require elevated rights to install applications, install drivers (such as printers and ActiveX controls), perform maintenance on the computer, and more.
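As an added example (not Viewfinity's code, and not part of the original page), the following PowerShell script audits whether the local Administrators group on a Windows endpoint has drifted from an expected baseline and whether the logged-on user is a direct member, which is the kind of verification that removing local Administrator rights calls for. The allowlist in $ExpectedAdmins and the report path are assumptions to replace with your own values; it relies on the built-in LocalAccounts module (Get-LocalGroupMember) shipped with Windows 10 and Server 2016 and later.

```powershell
# Added example, not Viewfinity code: audit local Administrators membership against a baseline.
# Assumes Windows 10 / Server 2016+ (Get-LocalGroupMember is part of the LocalAccounts module).
param(
    # Constructed allowlist: adjust to your environment (domain name is a placeholder).
    [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\Domain Admins'),
    [string]$ReportPath = "$env:ProgramData\local-admin-audit.csv"
)

# Enumerate every principal (users and groups) that is a direct member of the local Administrators group.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

$findings = foreach ($m in $members) {
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Member      = $m.Name
        ObjectClass = $m.ObjectClass        # 'User' or 'Group'
        Source      = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Compliant   = ($ExpectedAdmins -contains $m.Name)
        CheckedAt   = (Get-Date).ToString('o')
    }
}

# The page's principle: the logged-on user should not be a direct local administrator.
# This checks direct membership only; membership inherited through nested groups is not resolved here.
$currentUser    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$currentIsAdmin = $findings | Where-Object { $_.Member -eq $currentUser -and $_.ObjectClass -eq 'User' }

# Append the snapshot to a CSV so repeated runs build an auditable history per machine.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation -Append

$unexpected = @($findings | Where-Object { -not $_.Compliant })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} member(s) of Administrators not in baseline: {1}" -f `
        $unexpected.Count, ($unexpected.Member -join ', '))
}
if ($currentIsAdmin) {
    Write-Warning "Logged-on user $currentUser is a direct member of local Administrators."
}
if ($unexpected.Count -eq 0 -and -not $currentIsAdmin) {
    Write-Output 'Local Administrators group matches the baseline.'
}
```

Run it under a scheduled task or your endpoint management tool and collect the CSV centrally; a non-empty warning is the drift signal to act on.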
Policy Management: Automating Compliance Policies
Viewfinity Privilege Management features offer IT departments new methods for enforcing compliance policies on all of their PC assets regardless of the endpoint client's location or connectivity status. Both officially supported applications and those installed by end users can be better managed and provisioned. Upon installation, they automatically become part of the pool of applications that are managed according to your predefined policies. Administrators can be assured that no matter what end users might be doing while working offsite, all established compliance rules are continuously enforced.
Critical applications can be grouped by agency/work unit or functional role and then associated with groups of computers to which a set of policies should be applied. Enforcement criteria range from notification only when certain applications are installed or used, to imposing security rules by blocking blacklisted applications. With our automated policy management, Viewfinity addresses the needs of management, end users and IT. While ensuring desktop security and lockdown, end users have the flexibility to install applications that normally require administrative rights to execute.
Viewfinity Privilege Management features provide the ability to restrict individual applications from operating on your network on a per-machine or per-group basis. Applications can be restricted entirely or simply hidden during working hours while still remaining available to the end user for home or travel use.
Active Directory Integration, Including Support for Mobile Workers
Our Privilege Management features are integrated with Active Directory; however, Viewfinity does not require laptops or desktops to be part of the Active Directory domain or to be directly connected to the corporate network in order to activate policies that manage administrator privileges. As soon as the PC connects to the internet, Viewfinity delivers the policies and rules established by the IT Administrator. Once delivered, all policies continue to be enforced even while working offline.
Viewfinity Compliance Verification
Policy Validation and Auditing
A key component of policy enforcement is the ability to audit and report on the status of privilege management policies. Viewfinity provides centralized management capabilities to report on and review the status of policies to determine whether they have been successfully delivered and activated. With our real-time monitoring and recording of laptop, desktop and application events, IT management has an auditable record of all changes being made on the laptop or desktop. When an audit needs to be performed on a specific PC, our Activity Recording feature both expedites the process and aids in interpreting the information collected. These reporting capabilities are key management tools for avoiding fines and confirming compliance adherence.
Resources
Viewfinity Privilege Management
Best Practices for PC Lockdown and Control Policies