Our customers are under increasing pressure to adhere to numerous security compliance standards and design networks that address the best practices associated with these standards. As any healthcare provider can tell you, the content of the standards themselves can be daunting to understand and apply, which has driven organizations to look outside for assistance.

1. WHITE PAPER
Windstream’s Position on Security Compliance
Compliance In General Our customers are under increasing Government Mandated Privacy Acts
pressure to adhere to numerous security (Massachusetts, California, and
compliance standards and design Minnesota, with others to follow) –
networks that address the best practices Applies to anyone doing business in
associated with these standards. As these states
any healthcare provider can tell you, the Health Insurance Portability and
content of the standards themselves can Accountability Act (HIPAA) –
be daunting to understand and apply, Applies to the healthcare vertical
which has driven organizations to look Gramm-Leach-Bliley Act (GLBA) –
outside for assistance. Applies to the financial vertical
Sarbanes-Oxley Act (SOX) –
Top Five Industry Compliance Applies to public companies
Standards
Payment Card Industry Digital Security
Standard (PCI DSS) – Applies to any
company processing, transporting, or
storing credit card information
Overview of Standards PCI DSS – The goal of PCI DSS 1, 2010. It applies generally to those
is to create a framework for good businesses that own or license personal
security practice around the handling information about Massachusetts
of cardholder data. A PCI-compliant residents. Personal information includes
operating environment is one in which Massachusetts residents’ first and last
the cardholder data exists (i.e., it does names, or first initials and last names, in
NOT refer to the whole corporate combination with any of the following:
network), and PCI DSS defines the Social Security number, driver’s license
requirements for how access to this data number or state-issued identification
must be controlled, monitored, logged, card number, financial account
and audited. number, or credit or debit card number.
Therefore, if you have any employees,
Government Mandated Privacy Acts receive payments from individuals
(Massachusetts) – The Massachusetts (whether by check or credit card), or
Data Privacy Act (201 CMR 17), now send out 1099s, your business owns or
recently revised, went into effect March licenses personal information and, thus,
© Windstream 2012
DATE: 3.27.12 | REVISION: 2 | 009574_Windstream’s_Position | CREATIVE: MF | JOB#: 9574 - Windstream’s Position on Security Compliance | COLOR: GS | TRIM: 8.5” x 11”

2. WHITE PAPER
Overview of Standards must comply with the law. Minnesota applies to information of any consumers
(Cont.) and California recently passed similar past or present of the financial
laws and it’s expected that this trend institution’s products or services.)
will continue for the remaining 47 This plan must include:
states in the near future. Denoting at least one employee to
manage the safeguards
HIPAA – HIPAA covers a number of Constructing thorough risk
healthcare standards, one of which management on each department
is the HIPAA Security Rule, which handling the non-public information
requires implementation of three types Developing, monitoring, and testing a
of safeguards: program to secure the information
Modifying the safeguards as needed
Administrative with the changes in how information is
Physical collected, stored, and used
Technical
This rule is intended to do what most
In addition, it imposes other businesses should already be doing:
organizational requirements and protecting their clients. The Safeguards
a need to document processes Rule forces financial institutions to
analogous to the Privacy Rule. take a closer look at how they manage
Implementing within and adhering private data and to do a risk analysis
to this rule is extremely difficult due on their current processes. No process
to the highly technical nature of the is perfect, so this has meant that every
contents of the rule. financial institution has had to make
some effort to comply with the GLBA.
GLBA – The Safeguards Rule,
a part of the GLB Act, requires SOX – The impact of IT security within
financial institutions to develop a SOX is somewhat indirect since the law
written information security plan is primarily focused on the accuracy of
that describes how the company is financial reporting data. IT security is
prepared for, and plans to continue to important under SOX only to the extent
protect clients’ non-public personal that it enhances the reliability and
information. (The Safeguards Rule integrity of that reporting.
© Windstream 2012

3. WHITE PAPER
Windstream’s Strategy Around The Internet Service Provider (ISP) 10. Continuous Vulnerability Assessment
Compliance has an interesting role in compliance. and Remediation
Since the essential underlying focus of 11. Account Monitoring and Control
popular compliance standards today 12. Malware Defenses
is on individual enterprise context, it’s 13. Limitation and Control of Network
impossible for Windstream to provide Ports, Protocols, and Services
“instant on” compliance. However, with 14. Wireless Device Control
our Security Consultation services, as 15. Data Loss Prevention
well as the best practices that we’ve 16. Secure Network Engineering
implemented internally and consult 17. Penetration Tests and Red Team
our customers to follow, Windstream Exercises
has made it as easy as possible for 18. Incident Response Capability
customers from all verticals to meet and 19. Data Recovery Capability
exceed the standards laid out for them 20. Security Skills Assessment and
by the various regulatory bodies. Each Appropriate Training to Fill Gaps
compliance standard is built around a
foundation of concepts best outlined Furthermore, Windstream is actively
by the SANS Institute and mirrored by taking advantage of the SAS 70 auditing
Windstream’s business best practices. process to provide customers with the
They include: necessary information to inform their
auditors and planners of compliance-
1. Inventory of Authorized and friendly topologies and practices. A
Unauthorized Devices SAS 70 is performed by a third party
2. Inventory of Authorized and that reviews our security controls, then
Unauthorized Software verifies that we’re adhering to them by
3. Secure Configurations for Hardware reviewing, auditing, and scoring our
and Software on Laptops, performance. Since our customers are
Workstations, and Servers under a myriad of compliance standards,
4. Secure Configurations for Network we developed our controls based upon
Devices such as Firewalls, Routers, the best practices mentioned above
and Switches and mapped our practices to PCI
5. Boundary Defense DSS and other compliance standards.
6. Maintenance, Monitoring, and This way, we can present our SAE
Analysis of Audit Logs 16 documentation to any customer
7. Application Software Security who needs to prove that Windstream
8. Controlled Use of Administrative practices security standards which
Privileges exceed the compliance standards to
9. Controlled Access Based on Need which they’re being held. This approach
to Know makes the most sense for both
Windstream and our customers.
© Windstream 2012

4. WHITE PAPER
Things We’re Watching & Since Windstream’s role is central to there are a number of best practices
What We’re Doing customer network security, we as an ISP and technologies that we’re focusing
and Managed Security Service Provider on to control access, then monitor and
(MSSP) must be “ahead of the curve” to equip zones within the organization with
maintain our position within the confines legitimate access to these services to
of the popular compliance standards properly handle threats.
because the overwhelming buying
triggers for our services surround these Enclaving – There is no ‘silver bullet’ in
standards. We see emerging threats and security. If there were, this multi-billion
general business practices that require dollar industry would not exist. Given
review and standards application on a that reality, it’s becoming increasingly
regular basis. more prudent to design networks
(LAN and WAN) that are zoned (or
Top Three Emerging Trends enclaved) in such a way that in the
event of a successful attack or breach,
Best practices surrounding safe and the impact to the organization as a
secure utilization of social media whole is minimized. As threats grow in
Best practices incorporating enclaving complexity, best practices around this
of network elements to reduce the concept are increasing in value.
impact of a breach or incident
Best practices surrounding the Mobile Devices – Innovation and
deployment, control, and risk incorporation of mobile devices is
mitigation associated with mobile skyrocketing across all industries. Mobile
technology (Android, iPad, iPhone, device security, as a result, is becoming
WiFi, etc.) a targeted focus for our customers and
our organization. The development of
Social Media – Malware and bot-net best practices and the deployment
threats are synonymous with social of security technology with a focus
media. While it’s a well known best on mobile device risk reduction and
practice to develop Web acceptable mitigation is a top priority at Windstream.
use policies that block access to
these services, an increasing number
of organizations use social media
as an advertising and information
distribution outlet. With this trend,
009574 | 3/12 © Windstream 2012