Is Your Agency Subject to the Requirements Specified in Army Regulation 25-2? - Chris Boswell
WHITE PAPER | NOVEMBER 2014

Is Your Agency Subject to the Requirements Specified in Army Regulation 25-2?

Chris Boswell, North American Security
2 | WHITE PAPER: ARMY REGULATION 25-2 ca.com

Table of Contents
Executive Summary ........ 3
Section 1: AR 25-2 Detailed Requirements ........ 4
Section 2: CA Technologies Solutions ........ 10
Section 3: About the Author ........ 14
Executive Summary

Challenge
Army Regulation 25-2 includes a number of technical, administrative and operational safeguards designed to protect unclassified, sensitive, or classified information stored, processed, accessed, or transmitted by information systems. Compliance with this policy is mandatory for active Army, Army National Guard and U.S. Army Reserve personnel, as well as all users of Army information systems, including related agencies such as the Department of Defense, sister services such as the U.S. Army Corps of Engineers, and any contractors working on Army information systems pursuant to Army contracts.

Opportunity
CA Technologies provides a number of critical capabilities which address key requirements within Army Regulation 25-2. This white paper explores those requirements in detail as well as the solutions developed to help achieve and maintain compliance going forward.

Benefits
AR 25-2 outlines a number of controls that must be in place to protect Army Information Systems. The majority of these controls are outlined in Chapter 4, Information Assurance Policy. CA Technologies provides a number of security solutions to address the more technical requirements described in this chapter, as highlighted in the figure below (a check mark in the original figure indicates that CA Technologies facilitates compliance):

Policy Requirement | CA Technologies Facilitates Compliance
Section 1 General Policy | Yes
Section 2 Software Security | Yes
Section 3 Hardware, Firmware, and Physical Security | No
Section 4 Procedural Security | Yes
Section 5 Personnel Security | No
Section 6 Information Systems Media | No
Section 7 Network Security | Yes
Section 8 Incident and Intrusion Reporting | No
Section 9 Information Assurance Vulnerability Management | No
Section 10 Miscellaneous Provisions | No
Section 1: AR 25-2 Detailed Requirements

Section I: 4-5 Minimum Information Assurance Requirements

4-5.9.a
Requirement: Disabling or removing security or protective software and their mechanisms and their associated logs from information systems.
CA Technologies Solutions: CA Privileged Identity Manager host based agents allow organizations to build and establish a trusted computing base that can be leveraged to help ensure that security or protective software is not tampered with, even by root or other privileged users.

4-5.9.c
Requirement: IA personnel will implement system and device access controls using the principle of least privilege (POLP) via automated or manual means to actively protect the IS from compromise, unauthorized use or access, and manipulation.
CA Technologies Solutions: CA Privileged Identity Manager fine grain access control policies allow organizations to enforce the principle of least privilege (POLP) and maintain separation of duties, even when users are accessing privileged accounts.

4-5.9.c.4
Requirement: Verify systems are configured to automatically generate an auditable record or log entry for each access granted or attempted.
CA Technologies Solutions: CA Privileged Identity Manager provides its own centrally managed, secure and digitally signed log that will serve as an authoritative source for all access attempts. IA personnel can access CA Privileged Identity Manager reports to monitor and report system activity and demonstrate compliance with agency mandates.

4-5.9.c.5
Requirement: Validate that systems identify users through the user’s use of unique user identifications (USERIDs).
CA Technologies Solutions: The CA Privileged Identity Manager Shared Account Management capability helps control access to shared system service accounts and other privileged user accounts by forcing users to formally check out accounts and uniquely identify themselves before gaining access to systems. For *NIX systems, CA Privileged Identity Manager also provides a PAM Kerberos module that can be implemented to allow users to sign onto systems using their Active Directory USERIDs. This streamlines and simplifies security, operations and information assurance because it removes the need to store and manage USERIDs locally on each *NIX server individually. As a result, important tasks such as deprovisioning become much easier to manage and report against.

4-5.9.c.6
Requirement: Validate that systems authenticate users through the use of the CAC as a two-factor authentication mechanism. The CAC has certificates on the integrated circuit chip (ICC), and will be used as the primary user identifier and access authenticator to systems.
CA Technologies Solutions: CA Privileged Identity Manager achieves CAC integration through integration with CA Single Sign-On.

4-5.9.c.9
Requirement: Validate that system configurations prohibit anonymous accesses or accounts (for example, Student1, Student2, Patron1, Patron2, anonymous).
CA Technologies Solutions: The CA Privileged Identity Manager Shared Account Management capability forces users to formally check out accounts and uniquely identify themselves before gaining access to systems. As a result, users are not able to sign on to systems anonymously.
4-5.9.c.10
Requirement: Prohibit the use of generic group accounts. Permit exceptions only on a case-by-case basis when supporting an operational or administrative requirement such as watch-standing or helpdesk accounts, or that require continuity of operations, functions, or capabilities. IAMs will implement procedures to identify and audit users of group accounts through other operational mechanisms such as duty logs.
CA Technologies Solutions: CA Privileged Identity Manager can lock down and generally prohibit the use of generic group accounts. In those situations where support, operations or administration personnel require access, CA Privileged Identity Manager can require formal workflow request and approval before access is granted. When the session has ended the account password will be automatically revoked and CA Privileged Identity Manager will provide an auditable record of the individual who actually used the group account.

4-5.9.c.11
Requirement: Verify that system configurations limit the number of user failed log-on attempts to three before denying access to (locking) that account, when account locking is supported by the IS or device. If IS-supported, the system will prevent rapid retries when an authenticator is incorrectly entered and gives no indications or error messages that either the authenticator or ID was incorrectly entered (for example, implement time delays between failed attempts).
CA Technologies Solutions: CA Privileged Identity Manager centrally manages and enforces the number of failed log-on attempts allowed as well as lockout duration across disparate platforms.

4-5.9.c.12
Requirement: Verify that system configurations generate audit logs, and investigate security event violations when the maximum number of authentication attempts is exceeded, the maximum number of attempts from one IS is exceeded, or the maximum number of failed attempts over a set period is exceeded.
CA Technologies Solutions: CA Privileged Identity Manager provides its own centrally managed, secure and digitally signed log that will serve as an authoritative source for IA personnel to investigate and report against violations where the maximum number of authentication attempts is exceeded.

4-5.9.c.14
Requirement: If documented in the C&A package and authorized by the DAA, time-based lockouts (that is, access is restricted based on time or access controls based on IP address, terminal port, or combinations of these) and barriers that require some time to elapse to enable bypassing may be used.
CA Technologies Solutions: CA Privileged Identity Manager provides the ability to restrict user access based on time, IP address, terminal port or a combination of these.

4-5.9.c.14.a
Requirement: Implement mandatory audit trails to record all successful and unsuccessful log-on attempts.
CA Technologies Solutions: CA Privileged Identity Manager provides its own centrally managed, secure and digitally signed log that will serve as an authoritative source for IA personnel to investigate and report against successful and unsuccessful log-on attempts.

4-5.9.c.17
Requirement: Create and enforce access auditing, and protect physical access control events (for example, card reader accesses) and audit event logs for physical security violations or access controls to support investigative efforts as required.
CA Technologies Solutions: CA Privileged Identity Manager enforces access auditing and provides its own centrally managed, secure and digitally signed log that will serve as an authoritative source for IA personnel to investigate and report against successful and unsuccessful log-on attempts.
4-5.9.f.8
Requirement: Upon acceptance for operational use (whether developmental, GOTS, or COTS), keep software under close and continuous CM controls to prevent unauthorized changes.
CA Technologies Solutions: CA Privileged Identity Manager provides a “Watchdog” service that allows users to create a Trusted Computing Baseline and monitor it on a continuous basis for unauthorized changes. This capability directly supports the agency’s continuous monitoring efforts.

4-5.9.h
Requirement: SAs will configure ISs to automatically log all access attempts. Audits of IS will be either automated or by manual means. SAs will implement audit mechanisms for those ISs that support multiple users.
1. Use audit servers to consolidate system audit logs for centralized review to remove the potential for unauthorized editing or deletion of audit logs in the event of an incident or compromise.
2. Commands, organizations, tenants, activities, and installations will support centralized audit server implementations in the enterprise.
3. Centralized audit server logs will be maintained for a minimum of 1 year.
4. Conduct self-inspections by the respective SA/NA or IA manager.
5. Enable and refine default IS logging capabilities to identify abnormal or potentially suspicious local or network activity:
a. Investigate all failed login attempts or account lockouts.
b. Maintain audit trails in sufficient detail to reconstruct events in determining the causes of compromise and magnitude of damage should a malfunction or a security violation occur. Maintain system audit logs locally for no less than 90 days.
c. Retain classified and sensitive IS audit files for 1 year (5 years for SCI systems, depending on storage capability).
d. Provide audit logs to the ACERT, Army–Global Network Operations and Security Center (A–GNOSC), LE, or CI personnel to support forensic, criminal, or counter-intelligence investigations as required.
e. Review logs and audit trails at a minimum weekly, more frequently if required, and take appropriate actions.
CA Technologies Solutions: The CA Privileged Identity Manager User Activity Reporting Module (UARM) aggregates and correlates log information from a variety of sources and provides mechanisms which consolidate auditing activity into a centrally managed location. IA managers can leverage UARM to conduct their own inspections, investigate failed login attempts and account lockouts, and reconstruct events to support security and operations personnel.

4-5.9.j.1
Requirement: Implement safeguards to detect and minimize unauthorized access and inadvertent, malicious, or non-malicious modification or destruction of data.
CA Technologies Solutions: CA Privileged Identity Manager provides fine grain, resource-based access controls which can be leveraged to build policies to protect data integrity. Because of its low-level integration with the operating system kernel, CA Privileged Identity Manager is uniquely capable of preventing unauthorized access and inadvertent, malicious or non-malicious modification or destruction of data, even from privileged users defined within the system.

4-5.9.j.6
Requirement: Protect data at rest (for example, databases, and files) to the classification level of the information with authorized encryption and strict access control measures implemented.
CA Technologies Solutions: Even encryption does not provide absolute protection from privileged users and internal threats. CA Privileged Identity Manager provides fine grain, resource-based access controls that can help protect data at rest from even the most powerful administrators.
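The lockout and failed log-on thresholds in 4-5.9.c.11 and c.12, and the "investigate all failed login attempts or account lockouts" step in 4-5.9.h.5.a, expressed as detection logic over sshd-style audit lines. This is an added example written for this page, not CA Technologies code; the log lines, host name and addresses are constructed.

```python
"""Failed log-on threshold check (AR 25-2 4-5.9.c.11 / c.12, 4-5.9.h.5.a).

Added example for this page, not CA Technologies code. It parses sshd-style
audit lines, applies a sliding window, and flags accounts and source
addresses whose failed attempts exceed the three-attempt limit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (ISO timestamp, host, sshd message).
SAMPLE_LOG = """\
2014-11-03T08:00:01 host1 sshd[101]: Failed password for jdoe from 10.1.1.5 port 5001 ssh2
2014-11-03T08:00:04 host1 sshd[102]: Failed password for jdoe from 10.1.1.5 port 5002 ssh2
2014-11-03T08:00:09 host1 sshd[103]: Failed password for jdoe from 10.1.1.5 port 5003 ssh2
2014-11-03T08:00:15 host1 sshd[104]: Failed password for jdoe from 10.1.1.5 port 5004 ssh2
2014-11-03T08:05:00 host1 sshd[105]: Accepted password for asmith from 10.1.1.7 port 5101 ssh2
2014-11-03T08:10:00 host1 sshd[106]: Failed password for invalid user admin from 10.1.1.9 port 5201 ssh2
2014-11-03T08:10:02 host1 sshd[107]: Failed password for invalid user oracle from 10.1.1.9 port 5202 ssh2
2014-11-03T08:10:04 host1 sshd[108]: Failed password for invalid user test from 10.1.1.9 port 5203 ssh2
2014-11-03T08:10:06 host1 sshd[109]: Failed password for invalid user guest from 10.1.1.9 port 5204 ssh2
2014-11-03T09:30:00 host1 sshd[110]: Failed password for bwong from 10.1.1.8 port 5301 ssh2
2014-11-03T11:30:00 host1 sshd[111]: Failed password for bwong from 10.1.1.8 port 5302 ssh2
2014-11-03T13:30:00 host1 sshd[112]: Failed password for bwong from 10.1.1.8 port 5303 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_log(text):
    """Return (timestamp, host, user, source, failed) for each authentication line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not authentication results are ignored
        events.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"],
                       m["src"], m["result"] == "Failed"))
    return events


def find_violations(events, max_failures=3, window=timedelta(minutes=15)):
    """Flag bursts of failures that exceed max_failures inside a sliding window.

    Two thresholds are tracked, mirroring 4-5.9.c.11 / c.12:
      - per account: a fourth failure means the IS did not lock the account
        (or does not support locking) and the event needs investigation;
      - per source IS: more than max_failures failures from one address
        against any accounts (e.g. guessing across several USERIDs).
    A successful log-on resets that account's counter; the per-source
    counter is not reset, because a success does not explain the failures.
    Returns (kind, name, host, timestamp) tuples, one per burst.
    """
    per_user = defaultdict(list)  # user -> timestamps of recent failures
    per_src = defaultdict(list)   # source address -> timestamps of recent failures
    violations = []
    for ts, host, user, src, failed in sorted(events):
        if not failed:
            per_user[user] = []
            continue
        for kind, name, bucket in (("account", user, per_user[user]),
                                   ("source", src, per_src[src])):
            bucket.append(ts)
            bucket[:] = [t for t in bucket if ts - t <= window]  # expire old failures
            if len(bucket) > max_failures:
                violations.append((kind, name, host, ts))
                bucket.clear()  # report each burst once, not on every further attempt
    return violations


if __name__ == "__main__":
    for kind, name, host, ts in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {host}: {kind} {name} exceeded the failed log-on limit")
```

The bwong attempts are two hours apart and never fall inside one 15-minute window, so they are not reported; widening the window or lowering the limit makes them show up.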
Section II: 4-6, 4-7 Software Security Controls and Database Management

4.6.a
Requirement: IA personnel will implement controls to protect system software from compromise, unauthorized use, or manipulation.
CA Technologies Solutions: CA Privileged Identity Manager provides fine grain access control capabilities to scope who has access to system software. Features include the ability to restrict program access by privileged users such as administrator and root, as well as the ability to create Program ACLs (PACLs) which would prevent software from being modified by other setuid or setgid programs. CA Privileged Identity Manager also includes a “Watchdog” service that allows users to create a Trusted Computing Baseline and performs file integrity monitoring to prevent and detect unauthorized software changes.

4.6.f
Requirement: Program managers and DAA will restrict systems used or designated as “test platforms” from connecting to the operational network. PM and DAAs can authorize temporary connections to conduct upgrades, download patches, or perform vulnerability scans when off-line support capabilities are insufficient and protections have been validated. Remove the “test platform” IS immediately upon completion of the action until it has been operationally accredited and is fully compliant.
CA Technologies Solutions: CA Privileged Identity Manager can be used to tag and label systems in virtual environments and prevent those systems from connecting to operational networks based upon labels. This functionality is completely automated to enhance security and streamline the software development process.

4.6.i
Requirement: Use of data assurance and operating systems integrity products (for example, public key infrastructure (PKI), Tripwire, Internet protocol security (IPSec), transmission control protocol/Internet protocol (TCP/IP) wrappers) will be included in product development and integrated into end-state production systems.
CA Technologies Solutions: CA Privileged Identity Manager provides file monitoring and network security capabilities analogous to Tripwire, IPTables and TCP Wrappers, but also provides additional data assurance capabilities such as password vaulting, session recording, a Kerberos Pluggable Authentication Module for UNIX systems and fine grain access controls.

4.6.j
Requirement: IAMs and developers will transition high-risk services such as, but not limited to, ftp or telnet to secure technologies and services such as secure ftp (sftp) and secure shell (ssh).
CA Technologies Solutions: CA Privileged Identity Manager provides host-based capabilities to help enforce not only the mechanisms used to access systems but the systems, locations and users authorized to access those systems as well.

4.7.h
Requirement: The System Owner will place databases on isolated and dedicated servers with restricted access controls. DBAs will not install other vulnerable servers or services (for example, web servers, ftp servers) that may compromise or permit unauthorized access of the database through another critical vulnerability identified in the additional servers or services.
CA Technologies Solutions: CA ControlMinder’s fine grain access policies can effectively scope the privileges of database administrators so that vulnerable servers or services cannot be installed, even if the user assumes root or administrator privileges.

4.7.j.7
Requirement: Control measures to protect database(s) servers and interfaces from direct, unauthorized, or un-authenticated Internet access using filtering and access control devices or capabilities (for example, firewalls, routers, ACLs).
CA Technologies Solutions: CA Privileged Identity Manager provides host-based network access capabilities analogous to TCP Wrappers and IPTables to provide a central mechanism for protecting database servers and interfaces from direct, unauthorized or un-authenticated Internet access.
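What a Trusted Computing Baseline check of the kind described for 4-5.9.f.8, 4.6.a and 4.6.i actually compares, as an added example that is not CA's Watchdog implementation: it baselines the content hash, permission bits and ownership of every regular file under a root directory and reports content changes, permission changes (a newly added setuid or setgid bit is called out separately), additions and removals. The directory tree it baselines and then tampers with is constructed in a temporary directory.

```python
"""Trusted-baseline file integrity check (AR 25-2 4-5.9.f.8, 4.6.a, 4.6.i).

Added example for this page, not CA's Watchdog implementation. It records
content hash, permission bits and ownership for every regular file under a
root directory, then reports what changed against that baseline.
"""
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, mode bits, uid, gid) for each regular file."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root)
            baseline[rel] = (_sha256(full), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return baseline


def compare(baseline, current):
    """Return sorted (finding, path) pairs describing every deviation from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("removed", path))
        elif path not in baseline:
            findings.append(("added", path))
        else:
            b_hash, b_mode, b_uid, b_gid = baseline[path]
            c_hash, c_mode, c_uid, c_gid = current[path]
            if b_hash != c_hash:
                findings.append(("modified", path))
            if b_mode != c_mode:
                # A privilege bit appearing on a file changes who the program runs
                # as, not just who may read it, so it gets its own finding type.
                gained = c_mode & ~b_mode & (stat.S_ISUID | stat.S_ISGID)
                findings.append(("setuid_or_setgid_added" if gained else "mode_changed", path))
            if (b_uid, b_gid) != (c_uid, c_gid):
                findings.append(("owner_changed", path))
    return findings


def demo():
    """Build a constructed tree, baseline it, tamper with it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/svc": b"#!/bin/sh\necho ok\n",
                 "etc/app.conf": b"level=high\n",
                 "lib/helper.so": b"\x7fELF"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o644)
        baseline = build_baseline(root)

        # Simulated unauthorized changes made after the baseline was taken.
        with open(os.path.join(root, "etc/app.conf"), "ab") as f:
            f.write(b"debug=1\n")                        # content edited
        os.chmod(os.path.join(root, "bin/svc"), 0o4755)  # setuid bit added
        os.remove(os.path.join(root, "lib/helper.so"))   # file removed
        with open(os.path.join(root, "bin/.cache"), "wb") as f:
            f.write(b"x")                                # unexpected new file
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:24} {path}")
```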
4-12
Requirement:
a. Implement two-factor authentication techniques as the access control mechanism in lieu of passwords. Use CAC as the primary access credential, or biometric or single-sign on access control devices when the IS does not support CAC.
b. The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.
c. The holder of a password is the only authorized user of that password.
d. The use of one-time passwords is acceptable, but organizations must transition to secure access capabilities such as SSH or secure sockets layer (SSL). See remote access requirements in para 4–5d.
e. SAs will configure ISs to prevent displaying passwords in the clear unless tactical operations (for example, heads-up displays while an aircraft is in flight) pose risks to life or limb.
f. IAMs will approve and manage procedures to audit password files and user accounts for weak passwords, inactivity, and change history. IAMs will conduct quarterly auditing of password files on a stand-alone or secured system with limited access.
g. Deployed and tactical systems with limited data input capabilities will incorporate password control measures to the extent possible.
h. IAMs and SAs will remove or change default, system, factory installed, function-key embedded, or maintenance passwords.
i. IAMs and SAs will prohibit automated scripts or linkage capabilities, including, but not limited to, Web site links that embed both account and authentication within the unencrypted link.
j. SAs/NAs, with DAA approval, will implement procedures for user authentication or verification before resetting passwords or unlocking accounts in accordance with the C&A package.
k. SAs/NAs will conduct weekly auditing of service accounts for indications of misuse.
l. The use of password generating software or devices is authorized as a memory aid when it randomly generates and enforces password length, configuration, and expiration requirements; protects from unauthorized disclosure through authentication or access controls; and presents a minimal or acceptable risk level in its use.
CA Technologies Solutions: CA Privileged Identity Manager provides fine grain access control capabilities to scope who has access to system software. Features include the ability to restrict program access by privileged users such as administrator and root, as well as the ability to create Program ACLs (PACLs) which would prevent software from being modified by other setuid or setgid programs. CA Privileged Identity Manager also includes a “Watchdog” service that allows users to create a Trusted Computing Baseline and performs file integrity monitoring to prevent and detect unauthorized software changes.
Section VII: 4-20 Network Security

4-20.e.3
Requirement: Employ identification, authentication, and encryption technologies when accessing network devices.
CA Technologies Solutions: CA Privileged Identity Manager provides a password vaulting mechanism for privileged credentials that enables secure access to network devices. Once deployed, CA Privileged Identity Manager effectively converts existing systems to a one-time password authentication mechanism for privileged accounts in your environment, allowing users to rotate passwords as credentials are checked out (or in) for use. CA Privileged Identity Manager can also be deployed to enforce how users are accessing network devices. For example, CA Privileged Identity Manager can be deployed so that passwords are not displayed to the end user at all, but authorized mechanisms such as SSH are used to automatically log users into network devices.

4-20.f.1
Requirement: Configure ISs to use encryption when available or as part of the global enterprise to secure the content of the email to meet the protection requirements of the data.
CA Technologies Solutions: CA Data Protection provides content inspection of email messages and can enforce encryption of messages based on the sensitivity of the content and the protection requirements of the data.

4-20.f.5
Requirement: All personnel will employ Government owned or provided e-mail systems or devices for official communications. The use of commercial ISP or e-mail accounts for official purposes is prohibited.
CA Technologies Solutions: CA Privileged Identity Manager can prevent the use of third party commercial email accounts for official purposes.

4-20.f.6
Requirement: Auto-forwarding of official mail to non-official accounts or devices is prohibited.
CA Technologies Solutions: CA Data Protection can prevent official mail from being forwarded to non-official accounts and devices.
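The shared-account check-out flow described for 4-5.9.c.5, 4-5.9.c.10 and 4-20.e.3, modelled as an added example (not CA's Shared Account Management code): each check-out is tied to an individual USERID and a named approver, the secret is rotated on check-in so the value handed out is effectively one-time, and every action goes into a hash-chained audit log so that edits to the trail are detectable. Account, user and approver names are constructed.

```python
"""Shared-account check-out with individual accountability (4-5.9.c.5, c.10, 4-20.e.3).

Added example for this page, not CA's Shared Account Management code.
The vault ties each check-out of a shared or group account to one USERID
and a named approver, rotates the secret on check-in so the handed-out
value is effectively one-time, and keeps a hash-chained audit log.
"""
import hashlib
import json
import secrets
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first audit record


def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class SharedAccountVault:
    def __init__(self, approvers=()):
        self._secrets = {}        # account -> current secret
        self._checked_out = {}    # account -> USERID currently holding it
        self._approvers = set(approvers)
        self.audit = []           # append-only, hash-chained records
        self._last_hash = GENESIS

    def _record(self, **fields):
        """Append an audit record whose hash covers its content and the previous hash."""
        fields["ts"] = datetime.now(timezone.utc).isoformat()
        fields["prev"] = self._last_hash
        fields["hash"] = _digest(fields)
        self._last_hash = fields["hash"]
        self.audit.append(fields)

    def add_account(self, account):
        self._secrets[account] = secrets.token_urlsafe(24)
        self._record(action="add", account=account)

    def check_out(self, account, user, approved_by=None):
        """Release the current secret to `user` once an authorized approver has signed off."""
        if account not in self._secrets:
            raise KeyError(account)
        if approved_by not in self._approvers:
            self._record(action="deny", account=account, user=user, reason="no approval")
            raise PermissionError("check-out requires approval by an authorized approver")
        if account in self._checked_out:
            self._record(action="deny", account=account, user=user, reason="in use")
            raise PermissionError(f"{account} is held by {self._checked_out[account]}")
        self._checked_out[account] = user
        self._record(action="checkout", account=account, user=user, approved_by=approved_by)
        return self._secrets[account]

    def check_in(self, account, user):
        """End the session and rotate the secret so the released value no longer works."""
        if self._checked_out.get(account) != user:
            raise PermissionError("account is not held by this user")
        del self._checked_out[account]
        self._secrets[account] = secrets.token_urlsafe(24)
        self._record(action="checkin", account=account, user=user, rotated=True)

    def who_used(self, account):
        """Individuals who checked out a group account, in order (the 4-5.9.c.10 audit need)."""
        return [r["user"] for r in self.audit
                if r["action"] == "checkout" and r["account"] == account]

    def verify_audit(self):
        """Recompute the chain; False if any record was altered, removed or reordered."""
        prev = GENESIS
        for r in self.audit:
            body = {k: v for k, v in r.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True


def demo():
    """Walk one constructed helpdesk account through two users; returns (vault, rotated)."""
    vault = SharedAccountVault(approvers={"iam.lead"})
    vault.add_account("helpdesk")
    first = vault.check_out("helpdesk", "jdoe", approved_by="iam.lead")
    vault.check_in("helpdesk", "jdoe")
    second = vault.check_out("helpdesk", "asmith", approved_by="iam.lead")
    try:
        vault.check_out("helpdesk", "bwong", approved_by="iam.lead")  # refused: in use
    except PermissionError:
        pass
    vault.check_in("helpdesk", "asmith")
    return vault, first != second


if __name__ == "__main__":
    vault, rotated = demo()
    print("secret rotated between sessions:", rotated)
    print("users of helpdesk account:", vault.who_used("helpdesk"))
    print("audit chain intact:", vault.verify_audit())
```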
4-20.f.7
Requirement: Permit communications to vendors or contractors for official business and implement encryption and control measures appropriate for the sensitivity of the information transmitted.
CA Technologies Solutions: CA Data Protection content inspection technology can enforce encryption of messages to vendors or contractors to help ensure information is securely transmitted.

4-20.g.5
Requirement: Network management and IA personnel will implement and enforce local area management access and security controls. Publicly accessible web sites will not be installed or run under a privileged-level account on any web server. Non-public web servers will be similarly configured unless operationally required to run as a privileged account, and appropriate risk mitigation procedures have been implemented.
CA Technologies Solutions: CA Privileged Identity Manager provides fine grain access control capabilities that can be used to lock down both public and non-public web servers. In the event that certain web servers require privileged accounts to run, CA Privileged Identity Manager can effectively jail the application and scope the privileges of the account to limit the impact of account or service compromise.

4-20.g.8
Requirement: Extranet and intranet servers will provide adequate encryption and user authentication.
CA Technologies Solutions: CA Single Sign-On delivers robust access and authorization controls, as well as session management to protect web-based resources.
4-20.g.10
Requirement: Network managers and IA personnel will configure all servers (including Web servers) that are connected to publicly accessible computer networks such as the Internet, or protected networks such as the SIPRNET, to employ access and security controls (for example, firewalls, routers, host-based IDSs) to ensure the integrity, confidentiality, accessibility, and availability of DOD ISs and data.
CA Technologies Solutions: CA Single Sign-On delivers robust access and authorization controls, as well as session management to protect web-based resources. CA Privileged Identity Manager provides robust fine grain access controls to protect underlying systems hosting Army applications.

4-20.g.14
Requirement: All private (non-public) Army Web sites that restrict access with password protection or specific address filtering will implement SSL protocols utilizing a Class 3 DOD PKI certificate as a minimum. NETCOM/9th SC (A) issues and manages these certificates.
CA Technologies Solutions: CA Single Sign-On delivers robust access and authorization controls, as well as session management to protect web-based resources utilizing Class 3 DOD PKI certificates.

4-20.i
Requirement: All personnel will use only IA security software listed on the IA tools list on Army systems and networks. The list of Army approved IA tools is available through the IA Web site. Requests for consideration and approval for additional security software packages to be added to the IA tools list must be submitted through NETCOM/9th SC (A) channels ATTN: NETC–EST–I, ATTN: OIA&C to CIO/G–6.
CA Technologies Solutions: CA Technologies security solutions are actively being used throughout the Army today and are either listed on the approved IA tools list or are in the process of being recertified to reflect the latest versions available.

Section 2: CA Technologies Solutions

CA Privileged Identity Manager
CA Privileged Identity Manager is an IT resource protection and privilege management security solution. It is a mature product that has been in service in the Federal government and the commercial and private sector for many years. In addition to AR 25-2, CA Privileged Identity Manager also maps to NIST 800-53 across a variety of control areas, providing the security enforcement, centralized management, and repeatable processes that an organization must have to enable compliance. CA Privileged Identity Manager can make IT security a standardized process that provides continuity of operations and helps reduce risk.

CA Privileged Identity Manager helps to mitigate both internal and external risk by controlling how business or privileged users access and use enterprise data. The result is a higher level of security, a lower level of administrative costs, easier audit/compliance processes and a better user experience. CA Privileged Identity Manager is designed to provide a comprehensive solution to privileged user management, protecting servers, applications and devices across platforms and operating systems. CA Privileged Identity Manager operates at the system level to enable efficient and consistent enforcement across systems, including Windows, UNIX, Linux and virtualized environments. By distributing server security policies to endpoint devices, servers, and applications via an advanced policy management capability, you can control privileged users and provide a proactive approach to securing sensitive information and critical systems without impacting normal business and IT activities. Moreover, you can securely support auditing of each policy change and enforcement action in order to be able to comply with Federal (IRS) regulations.
CA Privileged Identity Manager provides a holistic approach to access management as it includes key capabilities to protect and lock down critical data and applications, manage privileged identities, centralize UNIX authentication with Microsoft Active Directory and provide a secure auditing and reporting infrastructure.

CA Privileged Identity Manager key features:
• Regulates and audits access to your critical servers, devices, and applications consistently across platforms
• Manages privileged user passwords
• Allows you to proactively demonstrate fine-grained control over privileged users and system accounts
• Helps enforce your internal and regulatory compliance requirements by creating and reporting on server access policies
• Helps reduce administrative costs by centrally managing security policies across your globally distributed enterprise
• Enables you to authenticate UNIX and Linux privileged users from a single Active Directory user store
• Hardens the operating system, which reduces external security risks and facilitates operating environment reliability
• Integrates out of the box with an auditing infrastructure that produces in-depth, regulation-specific reports

CA Single Sign-On
The Web is open for business around the clock, and CA Single Sign-On reliably and effectively enables your organization’s online presence to be secure, available and accessible to the right users. Recognized for having the most advanced security management capabilities and enterprise-class site administration, CA Single Sign-On can scale to support millions of users and thousands of protected resources. CA Single Sign-On allows organizations to meet the challenge of deploying resources via the Web while maintaining high performance and high availability. It controls who is able to access which applications and under what conditions, improves users’ online experiences and simplifies security administration. By enforcing policies and monitoring and reporting online activities and user privileges, CA Single Sign-On also eases regulatory compliance.

CA Single Sign-On provides a broad range of benefits including:
• Ensure the Right Users have the Right Access: With CA Single Sign-On, the secure management of identities across diverse web systems means the system controls access by leveraging the user’s context to the business (partner, consultant, customer, etc.) and their rights to each application. CA Single Sign-On WAM enables users to connect to the information and applications they need to do their jobs, place an order or otherwise transact business.
• Increase Security to Mitigate Risks: CA Single Sign-On reduces the risk of unauthorized access to critical resources and sensitive information, protecting the content of an entire web portal or set of applications. Centralized security enforcement and FIPS certified cryptographic algorithms mean that there are no holes left open in a CA Single Sign-On secured web environment.
• Provide Users with a Positive Online Experience: CA Single Sign-On lets a user sign on once to access web applications, engaging them in a unified, personalized online experience rather than frustrating them with multiple logins.
• Increase Business Opportunities: CA Single Sign-On allows organizations to securely deploy web applications to multiple different user communities, enabling increased business opportunities that can enhance revenue. Extend CA Single Sign-On with identity federation and your organization can improve collaboration with partners, further enhancing relationships to increase revenue, manage cost and mitigate risk.
• Manage Costs: CA Single Sign-On mitigates IT administration costs. It also reduces the security burden on users and thus the burden on the help desk caused by lost or forgotten credentials. It also reduces redundant security-related application development and maintenance costs.
• Ease Regulatory Compliance: Central policy management, enforcement, reporting and auditing support your ability to comply with IT-impacting regulations.

CA Single Sign-On provides a centralized security management foundation that enables the secure use of the Web to deliver applications and cloud services to customers, partners, and employees. CA Single Sign-On is a WAM solution, and as such it enables Web single sign-on (SSO), centralized user authentication and authentication management, policy-based authorization, enterprise-level manageability, auditing, and reporting. CA Single Sign-On provides the central point of integration and management through which specific authentication technologies and credentials can be used for login to some or all Web applications and user communities that CA Single Sign-On is being used to protect, thereby eliminating the need to code or integrate these technologies with the underlying applications. This capability allows organizations to increase security without impacting their existing applications or the user experience.

Finally, CA Single Sign-On has been recognized as the market leader for WAM, having the most advanced security management features and capabilities, and proven experience scaling to support millions of users and thousands of protected web sites/resources. CA Single Sign-On was the first WAM product to be placed in the Leaders quadrant of the Gartner Magic Quadrant, where it has remained since 2001. CA Single Sign-On is the most widely deployed WAM solution in the industry (over 1,500 deployed customers) and is used to protect some of the largest Web sites and portals in the world, including over 83 million users at one customer, over 3,000 protected web sites at another customer, and approximately 40 million authentications and authorizations a day at a third customer.
13 | WHITE PAPER: ARMY REGULATION 25-2 ca.com CA Data Protection CA Data Protection allows organizations to take better control of information. CA Data Protection is an information protection and control solution that helps minimize the accidental, negligent and malicious misuse of data while helping to comply with various data protection standards and regulations. Through the delivery of broad information and communication coverage, precise policy enforcement and Content- Aware Identity and Access Management (IAM), organizations are able to take a comprehensive approach to reducing risk to their most critical assets while enabling critical business processes. CA Data Protection allows the organization to define configurable business and regulatory policies, accurately detect sensitive but complex data, and monitor known and unknown business processes in order to enforce appropriate employee behavior. It provides this with a customizable level of control at various essential locations: Endpoints, Network, Message Servers and Stored Data. It then securely delegates violations for review while measuring key performance metrics over time to drive ongoing program improvement. This is delivered through a central management platform that provides an executive dashboard, detailed and customizable reporting and seamless workflow capabilities. • Discover where your sensitive information resides, classify it according to its level of sensitivity, and enforce policies on its use. • Protects data wherever it resides—at the endpoint, on the message server, on the network or stored within a file system. • Identity aware DLP allows policies to be enforced based on the identity of the user; policies can also be changed dynamically based on the user’s role. • Provide robust actions to block, warn, quarantine, redirect, encrypt, move, delete, replace, monitor and apply digital rights to data being accessed. 
Summary table: Policy Requirement versus CA Privileged Identity Manager, CA Single Sign-On and CA Data Protection. Section 1 (General Policy), Section 2 (Software Security) and Section 4 (Procedural Security) are each marked as addressed by one of the three solutions; Section 7 (Network Security) is marked as addressed by all three.
Section 3: About the Author

Chris Boswell has over 13 years of experience developing and implementing security, risk and compliance solutions. During his tenure at CA Technologies, Chris has held a variety of technical and management positions across our security services, product management and sales organizations. His work in the governance, risk and compliance domain has led to several patent filings for CA Technologies. Chris currently coordinates sales activities for our information protection and control solutions, including CA Data Protection, and works closely with product and development teams on behalf of customers to address emerging security, risk and compliance challenges.

Connect with CA Technologies at ca.com

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate – across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.

Copyright © 2014 CA. All rights reserved. Microsoft Windows and Microsoft Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. UNIX is a registered trademark of The Open Group. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information.
To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, “Laws”)) referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations. CS200_94652_1114