SOURCE: Application Security, Inc.

June 05, 2006 08:30 ET

AppSecInc Fuels Compliance for Government Organizations via Database Security Best-Practice Policies at the Gartner IT Security Summit

Comprehensive Policies Ensure Compliance With FISMA and DITSCAP Federal Regulations

WASHINGTON, DC -- (MARKET WIRE) -- June 5, 2006 -- GARTNER IT Security Summit -- Application Security, Inc. (AppSecInc) (www.appsecinc.com) today announced best-practice policies to help government organizations meet the stringent requirements of the Federal Information Security Management Act (FISMA) and the U.S. Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP). AppSecInc made the announcement from the Gartner IT Security Summit, taking place June 5-7 at the Marriott Wardman Park Hotel in Washington, D.C.

These requirements are at least in part a response to the ongoing security breach epidemic -- since February 2005, more than 83 million Americans have had their personal information compromised. Whether the result of human error, insider espionage, or external attacks, no sector has been spared by these breaches, including government agencies. And for government organizations, the impact of these compromises ranges from the disruption of operations, to embarrassing disclosures, to national security risks.

In response to this epidemic, the Defense Information Systems Agency (DISA) recently established a new set of security guidelines specific to databases. The Database Security Technical Implementation Guide (STIG) identifies known security vulnerabilities, configuration items, and other issues which must be addressed under the authority of DoD. For instance, Directive 8500.1 mandates that "all information assurance (IA) and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD approved security configuration guidelines."

To ease compliance with these requirements, AppSecInc has partnered with Network Security Systems Plus (NSSPLUS) to jointly create a comprehensive policy template for implementing DISA STIG database security mandates. For example, using AppSecInc's industry-leading vulnerability assessment solution, AppDetective™, users can easily:

--  Discover database instances across their infrastructure
--  Assess them against the STIG checklist
--  Enumerate all the issues which must be addressed to achieve compliance
--  And remediate these issues based on fix scripts and detailed
    information on appropriate patch updates and work-arounds
    
Reporting tied to the policy template makes it easy for government organizations to generate the required documentation as needed.

NSSPLUS is a leading provider of network security and information assurance consulting services. The company's security engineers and information assurance consultants perform comprehensive evaluations of the technical and non-technical security features of DoD Military Health Systems enterprise networks, and implement safeguards and remedies in support of the Certification & Accreditation process. NSSPLUS has more than nine years of DITSCAP contract support experience with Tricare Management Activity (TMA) -- including interpreting and applying the DISA STIGS and Checklist to the DITSCAP process to enforce compliance of the configuration of network components within the C&A boundary for DoD network enterprises.

"Using AppDetective with our DISA STIG best-practice policy template, government customers can far more easily identify and secure all their databases -- both known and unknown -- throughout their organization," said Felix Thomas, president & CEO of Network Security Systems Plus, LLC. "We are pleased to work with AppSecInc to help government organizations comply with regulations like DITSCAP effectively and efficiently."

"Implementing compliance initiatives is a necessary but extremely time- and resource-intensive endeavor," said Ted Julian, vice president of marketing & strategy for AppSecInc. "By collaborating with Network Security Systems Plus, LLC, we can now offer automated, repeatable best practices to help government agencies efficiently navigate these regulations, quickly ensuring compliance with federal mandates while maintaining the absolute integrity of their sensitive data."

In addition to DISA's STIG, the National Institute of Standards and Technology (NIST) has expanded its repository of approved "hardening" configuration guides and checklists to include database security best practices. In accordance with these guidelines -- and in collaboration with NIST -- the Center for Internet Security (CIS) has approved a checklist to ensure compliance as outlined in the NIST Special Publications. The Office of Management and Budget FISMA 2005 Reporting Guidance also requires federal agencies to comply with the requirements of these publications.

AppSecInc has developed an automated best-practice policy template mapped to the CIS NIST checklist. Also available for AppDetective, this policy template enables government agencies to:

--  Dramatically accelerate checklist implementation
--  Generate extensive and meaningful audit reports for compliance and
    FISMA reporting
--  Greatly increase the number of databases that are checked for
    compliance without any increases in personnel
--  Proactively and immediately evaluate all databases for new, high-risk
    vulnerabilities before extensive damage can be done
    
Availability

The DISA STIG and CIS NIST best-practice security policies are immediately available for download from the AppSecInc website at: www.appsecinc.com/downloads/. The DISA STIG and CIS NIST templates are the latest additions to the company's range of best-practice policies, which address the following standards:

--  Sarbanes-Oxley Act (SOX)
--  Federal Information Security Management Act (FISMA)
--  Health Insurance Portability and Accountability Act (HIPAA)
--  Gramm-Leach-Bliley Act (GLBA)
--  California Senate Bill No. 1386
--  Payment Card Industry (PCI) Data Security Standard
--  North American Electric Reliability Council (NERC)
    
About the Gartner IT Security Summit

The Gartner IT Security Summit hits the critical spot between strategic planning and tactical advice. Gartner analysts, industry experts and IT security practitioners deliver unbiased, realistic analysis on the current state of IT security, as well as an independent overview of the market over the next 12-18 months. Covering the depth and breadth of topics comprising IT security today, the Gartner IT Security Summit has a single objective: to bring to light the repeatable, manageable security processes needed to address today's and tomorrow's threats. Additional information is available at www.gartner.com/us/itsecurity.

About Network Security Systems Plus (NSSPLUS)

Network Security Systems Plus (NSSPLUS) is a leading network security and information assurance consulting services company. Our security engineers and information assurance consultants perform comprehensive evaluations of the technical and non-technical security features of DoD Military Health System enterprise networks. We implement safeguards and remedies in support of the Certification & Accreditation process. Our primary support objectives are to ensure that system development, design, and implementation methodologies comply with the DoD DITSCAP process.

We have over 9 years of DITSCAP contract support experience with Tricare Management Activity (TMA) performing Certification and Accreditation on TMA central systems and Large Purchase Care Providers (PCP) networks. This includes specific experience in interpreting and applying the DISA STIGS and Checklist to the DITSCAP process to enforce compliance of the configuration of network components within the C&A boundary for DoD network enterprises.

NSSPLUS has in-depth expertise with DISA Security Technical Implementation Guides (STIGs), Security Readiness Reviews (SRRs) and Security Checklists for all hardware platforms and operating systems, including mainframes, midrange systems, network servers, and workstations. We configure security scanning policies for automated tools in order to provide traceability to the DISA STIGs in support of the TRICARE Management Activity (TMA) DITSCAP program.

About Application Security, Inc. (AppSecInc)

AppSecInc is the leading provider of application security solutions for the enterprise. AppSecInc's products -- the industry's only complete vulnerability management solution for the application tier -- proactively secure enterprise applications at more than 500 organizations around the world. By securing data at its source, we enable organizations to more confidently extend their business with customers, partners and suppliers while meeting regulatory compliance requirements. Our security experts, combined with our strong support team, deliver up-to-date application safeguards that minimize risk and eliminate its impact on business. Please contact us at 1-866-927-7732 to learn more, or visit us on the web at www.appsecinc.com.

AppSecInc and AppDetective are trademarks of Application Security, Inc. All other company and product names are trademarks of their respective companies.

Contact Information