MapR-Supported Enterprise Regulatory Standards

Organizations of all sizes are seeing an increase in audit and compliance demands from regulators and customers. The MapR Converged Data Platform is designed from the ground up to empower MapR customers to be compliant with many of these standards. Compliance with standards is just one way that MapR helps customers mitigate risk around today’s security threats and breaches.

The MapR strategy is to be governance-focused and standards-focused, enabling customers to meet their stringent security demands. MapR is focused on the following standards:

PCI

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for companies that process credit card data. The standard is an end-to-end standard focused on the secure processing, storage, and transmission of credit card information. The scope of the PCI certification covers all the operational system components handling credit card information to ensure credit card data security and integrity. While the extent of the certification focuses on all the elements that comprise the system processing the credit card data, MapR has customers that have been successful in achieving PCI certification by leveraging MapR advanced security capabilities, including robust Authentication, Authorization, Auditing, and Data Protection.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a United States law designed to provide privacy standards to protect patients' medical records. This law focuses on the entire organizational process and procedures in protecting patients’ medical records. It requires an organization to perform a periodic technical and non-technical evaluation to make sure that its security policies and procedures meet the HIPAA security requirements. While the scope of the law is organization-wide, leveraging MapR advanced security technologies - such as robust Authentication, Authorization, Auditing, and Data Protection - can play a role in the protection of patient data and in meeting HIPAA obligations.

FIPS

The Federal Information Processing Standard (FIPS) Publication 140-2 is a United States government security standard used to approve the cryptographic computer logic and algorithms used by the system. The approved cryptographic algorithms according to FIPS 140-2 are:

Symmetric    Asymmetric    Message Authentication    Hashing
AES          DSS           TDES                      SHA1
TDES         SHS           AES                       SHA-256
EES          RNG           HMAC                      SHA-512

MapR uses the AES symmetric encryption algorithm and the SHA-256 hashing algorithm for its encryption needs, both of which come from either Java or Crypto++. Both Java and Crypto++, and the algorithms MapR uses, are compliant with 140-2. For more information, see Crypto++ (https://www.cryptopp.com/#news) and Java (http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/FIPS.html).

NIST

National Institute of Standards and Technology (NIST) 800-53 is a United States government publication that recommends a set of security requirements for computer systems used by the federal government. The requirements, which are referred to as “security controls,” include documenting access control, audit and accountability, awareness and training, configuration management, contingency planning, identification and authentication, incident response, maintenance, media protection, personnel security, physical and environmental protection, planning, program management, risk assessment, security assessment and authorization, system and communication protection, system and information integrity, and system and services acquisition. While the scope of these requirements is broad in nature, leveraging MapR advanced security technologies - such as robust Authentication, Authorization, Auditing, and Data Protection - can play a role in the protection of data and in complying with 800-53.

FISMA

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect the operational aspects of government computer systems. FISMA was signed into law as part of the Electronic Government Act of 2002. The main requirements for FISMA are for the hosting environment to maintain an inventory of information systems, categorize information and information systems according to risk level, keep a system security plan, utilize security controls as defined in 800-53, conduct risk assessment, and perform continuous monitoring.

While the scope of these requirements is broad in nature, leveraging MapR advanced security technologies - such as robust Authentication, Authorization, Auditing, and Data Protection - can play a role in the protection of data and in complying with FISMA requirements.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is the United States government-wide mandate that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Fundamentally, FedRAMP extends FISMA with an added focus on cloud hosting environments such as Amazon AWS or Microsoft Azure, which are both FedRAMP compliant. They have dedicated federal systems that are FedRAMP certified. Both AWS and Azure offer MapR software on the compliant FedRAMP cloud system.

ISO 27001

ISO 27001 is an industry standard for computer hosting environments that specifically focuses on a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes for the hosting environment. Many cloud hosting services such as AWS or Azure are compliant with ISO 27001. Both AWS and Azure offer MapR software on the compliant ISO 27001 cloud system.

GDPR

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a European Union regulation focused on unified data protection for individuals within the European Union (EU). The standard is an organization-wide standard for the security of citizens’ private information, giving residents the ability to control their personal data. While the scope of the law is broad in nature, leveraging MapR advanced security technologies - such as robust Authentication, Authorization, Auditing, and Data Protection - can play a role in the protection of data and in complying with GDPR.

DISCLAIMER: This document is provided for general information purposes only. You use this information at your own risk. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. For legal advice or representation, contact a licensed attorney in your area.