Varonis and ISO 27001

Learn how to use Varonis to streamline and automate ISO 27001 compliance.

 
 

Introduction

The International Organization for Standardization (ISO) 27000 series is an internationally recognized framework for best practices in information security management.

 

Developed and published by the International Organization for Standardization and the International Electrotechnical Commission, the primary pillar of the ISO 27000 series is ISO 27001, which outlines best practices, methodologies, and implementation of information security management in an organization.

The hallmark focus of ISO 27001 is to protect the confidentiality, integrity and availability of an organization’s data. Most often, companies start by discovering and identifying potential security problems through an exercise such as a risk assessment, and then define what needs to be done to prevent and remediate existing problems. Ultimately, the core philosophy of ISO 27001 is based on managing risks: identify the risks and then systematically treat them.

Varonis helps meet ISO 27001 standards and regulations as a fully integrated solution focused on protecting enterprise data wherever it lives: on-premises and in the cloud.

 
A.6:

Organization of Information Security

  • DatAdvantage

    Data Audit and Protection

    DatAdvantage maps who can (and who does) access data across file and email systems, shows where users have too much access, and safely automates changes to access control lists and groups.

    Visualize risk, lock down sensitive data, and get full visibility and control across your on-premises and cloud-based data stores on a unified platform.

  • DatAlert

    Security Analytics

    DatAlert detects suspicious activity and prevents data breaches across platforms, visualizes risk, and prioritizes investigation.

  • Varonis Edge

    Perimeter Telemetry

    Varonis Edge analyzes perimeter devices like DNS, VPN, and Web Proxy - applying blended context to activity and alerts in your core data stores.

  • DataPrivilege

    Data Access Governance

    DataPrivilege gives business users the power to review and manage permissions, groups, and access certification, while automatically enforcing business rules.

6.1.1 Information security roles and responsibilities. Control. All information security responsibilities shall be defined and allocated.

Varonis significantly reduces the risk of data loss and misuse by enabling organizations to manage access to data, empower data owners to grant and revoke access directly, and automatically repair and maintain file system permissions so that organizations are less vulnerable to internal and external threats, more compliant, and consistently following a least privilege model.

6.1.2 Segregation of duties. Control. Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Varonis helps limit access controls and reporting to each user’s scope. Data owners will only see (and manage access to) the shares they are responsible for in the UI. A security operator will be able to see reports and track triggered alerts, but won’t be able to administer the network.

6.1.4 Contact with special interest groups. Control. Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Varonis has expert security researchers, engineers, technical support, professional services, and security specialists available via office hours, online courses, webinars, in-person events, and customer communities.

6.2.1 Mobile device policy. Control. A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Varonis Edge monitors remote access to your data and applies analytics to detect abnormal logins or access from locations foreign to your company. With Varonis, you’ll be able to distinguish a remote login by a known user from a hacker trying to infiltrate your network using stolen credentials.

6.2.2 Teleworking. Control. A policy and supporting measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

Varonis DatAdvantage monitors your primary data stores even as they are accessed by remote users, and you will get alerts if a user tries to copy sensitive files from those data stores. Enforcing a policy that requires users to access important data through the VPN or the SharePoint site keeps their activity protected by Varonis and protects your data from data breaches.

 
A.7:

Human Resource Security

  • DatAdvantage: Data Audit and Protection

  • DataPrivilege: Data Access Governance

7.2.1 Management responsibilities. Control. Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organisation.

Varonis DataPrivilege enables you to enforce a least privilege model across your primary data stores and establish a workflow for data owners to grant temporary access to employees and contractors.

7.2.3 Disciplinary process. Control. There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Varonis DatAdvantage audits your primary data stores and creates alerts based on user activity to prevent data exfiltration, theft, or data breaches.

7.3.1 Termination or change of employment responsibilities. Control. Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

Varonis streamlines the management of access rights for users changing jobs or leaving the company.

Varonis DataPrivilege includes an API to revoke or add user access as part of the termination or employee change process. For example, if you change a user from the Finance group to the HR group, the API will remove the user from the Finance group and add them to the HR group, while automatically updating their ACLs as necessary.

Similarly, if you grant a contractor access rights, you can use Varonis to automatically revoke access on the contract end date.

 
A.8:

Asset Management

  • DatAdvantage: Data Audit and Protection

  • DatAlert: Security Analytics

  • DataPrivilege: Data Access Governance

  • Data Classification Engine

    Sensitive Content Discovery

    The Data Classification Engine discovers and identifies sensitive, regulated, & stale data with built-in patterns, predefined categories, customizable regexes and dictionaries.

  • Data Transport Engine

    Data Retention and Migration

    Data Transport Engine automatically finds, moves, archives, quarantines, or deletes data based on content type, age, access activity, and more.

  • Data Classification Labels

    Automated Classification Tags

    Data Classification Labels automatically applies classification labels and encryption based on existing labelling policy and reports on mislabeled files.

8.1.1 Inventory of assets. Control. Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

Varonis DatAdvantage maps and monitors your information storage and email systems, and updates the ACLs and file structures of your monitored resources daily to ensure the most current information about your data is available.

8.1.2 Ownership of assets. Control. Assets maintained in the inventory shall be owned.

Varonis provides a workflow to identify and maintain data owners for all shares, data, and permissions groups.

DatAdvantage produces reports, identifying the most active users of a share, leading IT to possible data owners.

Once a data owner is set, they can use DataPrivilege to perform entitlement reviews.

8.1.3 Acceptable use of assets. Control. Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

Varonis DatAdvantage monitors your data stores for deviant usage patterns, which could be a violation of an acceptable use policy.

DatAlert can send alerts to your security team or SIEM to begin investigation and incident response. Additionally, you can configure DatAlert to detect behaviors counter to established business policy for your specific requirements.

8.2.1 Classification of information. Control. Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

The Varonis Data Classification Engine discovers and identifies sensitive and regulated data like PII, GDPR, and HIPAA - along with any data that you deem sensitive across your primary data stores and emails. Data can be automatically categorized and classified according to type and sensitivity.

The Data Classification Engine automatically identifies new and recent sensitive data that your users create in unsecured locations.

Once the data is classified, you can implement Data Classification Labels to tag the metadata for integration with Microsoft Information Protection to track sensitive data as it moves throughout your network, and Data Transport Engine to migrate or quarantine sensitive data according to policy.

8.2.2 Labeling of information. Control. An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Varonis Data Classification Labels automatically tags sensitive files for Microsoft Information Protection (MIP), and you can configure what kind of labels match what metadata based on Varonis’ classifications.

8.2.3 Handling of assets. Control. Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

The Varonis Data Classification Engine identifies sensitive data, while DatAlert monitors and alerts on any user that accesses sensitive data outside of their normal usage pattern.

 
A.9:

Access Control

  • DatAdvantage: Data Audit and Protection

  • DataPrivilege: Data Access Governance

  • DatAlert: Security Analytics

  • Automation Engine

    Automated Remediation

    The Automation Engine discovers undetected security gaps and automatically repairs them: fixing hidden security vulnerabilities like inconsistent ACLs and global access to sensitive data.

9.1.1 Access control policy. Control. An access control policy shall be established, documented and reviewed based on business and information security requirements.

Varonis DataPrivilege implements a workflow for your access control policy: users request access in the DataPrivilege console and data owners approve or deny requests in the console or by email. The workflow removes the strain of access management from the IT staff and puts it into the hands of the data owners, who can make better decisions on users’ access requests.

9.1.2 Access to networks and network services. Control. Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

Varonis provides you the capability to implement the least privilege model across your primary data stores, so that users only have access to the data they need to do their jobs.

Varonis DatAdvantage tracks folders, ACLs, and user activity to show who is using what data, and who is on an ACL but might not need to be.

Varonis Automation Engine automatically removes global access groups from your shares and repairs inconsistent ACLs, while DataPrivilege implements a workflow to maintain least privilege at a low resource cost and high ROI.

9.2.1 User registration and deregistration. Control. A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

Varonis DataPrivilege provides an API that works in conjunction with other systems to add or remove user access. You can implement this process to provide users with a base level of permissions based on their group, or automatically revoke all access for a terminated employee.

9.2.2 User access provisioning. Control. A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

Varonis DataPrivilege implements a user access provisioning process, granting users basic permissions and providing a workflow for users to request further access to do their jobs.

9.2.3 Management of privileged access rights. Control. The allocation and use of privileged access rights shall be restricted and controlled.

Varonis monitors and analyzes privileged user account activity. For example, if an administrator account updates a GPO or changes a group, you will receive an alert so you can verify the authenticity of the action. If a user is elevated to administrative rights, you will get an alert to verify that action. Most of the time, privilege escalation is part of an infiltration attack.

9.2.5 Review of user access rights. Control. Asset owners shall review users’ access rights at regular intervals.

Varonis DataPrivilege automates entitlement reviews on a set schedule.

At regular intervals, the data owner gets an email that prompts them to log into DataPrivilege and review the ACLs for their shares. They must sign off in the UI that they have completed this task.

9.2.6 Removal or adjustment of access rights. Control. The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Varonis DataPrivilege automates entitlement reviews, and also provides the capability for data owners to grant time-limited access.

For example, a contractor can have their access rights removed on the last day of their contract simply by setting that date in the DataPrivilege UI.

Additionally, entitlement reviews will provide detail on the status of users (including deactivated users).

9.4.1 Information access restriction. Control. Access to information and application system functions by users shall be restricted in accordance with the access control policy.

Varonis DatAdvantage and DatAlert monitor and alert on abnormal behavior that may be a violation of your access policies. With Varonis, organizations can manage access controls, monitor and analyze user activity, and restrict data access according to policy.

9.4.2 Secure Log-on procedures. Control. Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

Varonis helps you control and limit access to data by implementing a least privilege model and auditing user activity on that data. Varonis monitors service account activity for abnormal and unusual behavior: a service account that accesses data outside of its typical behavior is likely part of an infiltration attack.

9.4.4 Use of privileged utility programs. Control. The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

Varonis monitors user activity for evidence of known malware and hacker utilities, and can trigger alerts if any of these tools are accessed on your network.

 
A.12:

Operations Security

  • DatAdvantage: Data Audit and Protection

  • DatAlert: Security Analytics

  • Varonis Edge: Perimeter Telemetry

  • Data Transport Engine: Data Retention and Migration

12.1.2 Change management. Control. Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

Varonis DatAdvantage monitors data stores, email, and domain controllers for changes to configuration files or GPOs. DatAlert flags activity where these critical resources are changed for verification that the changes are within policy.

12.1.3 Capacity management. Control. The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Varonis DatAdvantage shows all inactive and orphaned data so that file shares and network attached storage space can be used efficiently. Varonis Data Transport Engine automates data migrations to send unused assets to less expensive archive storage.

12.2.1 Controls against malware. Control. Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Varonis protects organizations from malware with rapid detection, optimized access controls, and data-driven recovery.

Varonis DatAlert analyzes data, account activity, and user behavior to alert on suspicious activity and stop ransomware. Varonis Edge analyzes perimeter devices including DNS and VPN to detect attacks like malware, APT intrusion, and exfiltration – and puts them in context with activity and alerts on your core data stores.

12.3.1 Information backup. Control. Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

Varonis DatAdvantage audits changes to these folders, and DatAlert will trigger a warning if someone makes an unauthorized change to the images or backup directories.

12.4.1 Event logging. Control. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

Varonis monitors, analyzes, and logs file activity, events, and user behavior on core data stores.

DatAdvantage provides a detailed record of file server contents and how they are used, including: filenames, folders, access privileges to files and folders (i.e. a user’s or group’s NTFS permissions), data use by username or group name (i.e. create, open, delete, rename), a list of the likely business owners of data, and more.

Varonis also monitors all administrator and privileged account logins and audits changes to configuration files, security groups, users, and GPOs, and can alert on all of these changes in order to verify they are legitimate or if a user is elevated into a privileged security group outside of policy.

Audit trails can be automatically compiled into user-defined periodic reports for compliance officers and auditors to ensure compliant use and safekeeping. Users and administrators won’t be able to tamper with or access the Varonis databases that store security events and log information.

12.4.2 Protection of log information. Control. Logging facilities and log information shall be protected against tampering and unauthorized access.

Varonis monitors, analyzes, and logs file activity, events, and user behavior on core data stores.

DatAdvantage provides a detailed record of file server contents and how they are used, including: filenames, folders, access privileges to files and folders (i.e. a user’s or group’s NTFS permissions), data use by username or group name (i.e. create, open, delete, rename), a list of the likely business owners of data, and more.

Varonis also monitors all administrator and privileged account logins and audits changes to configuration files, security groups, users, and GPOs, and can alert on all of these changes in order to verify they are legitimate or if a user is elevated into a privileged security group outside of policy.

Audit trails can be automatically compiled into user-defined periodic reports for compliance officers and auditors to ensure compliant use and safekeeping. Users and administrators won’t be able to tamper with or access the Varonis databases that store security events and log information.

12.4.3 Administrator and operator logs. Control. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

Varonis monitors, analyzes, and logs file activity, events, and user behavior on core data stores.

DatAdvantage provides a detailed record of file server contents and how they are used, including: filenames, folders, access privileges to files and folders (i.e. a user’s or group’s NTFS permissions), data use by username or group name (i.e. create, open, delete, rename), a list of the likely business owners of data, and more.

Varonis also monitors all administrator and privileged account logins and audits changes to configuration files, security groups, users, and GPOs, and can alert on all of these changes in order to verify they are legitimate or if a user is elevated into a privileged security group outside of policy.

Audit trails can be automatically compiled into user-defined periodic reports for compliance officers and auditors to ensure compliant use and safekeeping. Users and administrators won’t be able to tamper with or access the Varonis databases that store security events and log information.

 
A.16:

Information Security Incident Management

  • DatAdvantage: Data Audit and Protection

  • DatAlert: Security Analytics

16.1.1 Responsibilities and procedures. Control. Management of responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

Varonis provides both the initial alert and auditing data to investigate security incidents: visualize security threats with an intuitive dashboard, investigate security incidents - even track alerts and assign them to team members for closure.

16.1.2 Reporting information security events. Control. Information security events shall be reported through appropriate management channels as quickly as possible.

Varonis helps detect unusual file and email activity, suspicious user behavior, and trigger alerts cross-platform to protect your data before it’s too late. Automatic response triggers can stop ransomware in its tracks, and mitigate the impact of compromised accounts and potential data breaches.

Varonis provides both the initial alert and auditing data to investigate security incidents: visualize security threats with an intuitive dashboard, investigate security incidents - even track alerts and assign them to team members for closure.

16.1.3 Reporting information security weaknesses. Control. Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

Varonis is like an extra pair of eyes that watches all of your users’ activity on data stores and emails, monitoring and analyzing that data for unusual activity and suspicious behavior. With Varonis, organizations can automatically detect potential security vulnerabilities and misconfigurations.

16.1.4 Assessment of and decision on information security events. Control. Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

DatAlert gives you actionable intelligence and security analytics on your data: analyze behavioral patterns to see when a user is acting suspiciously - and compare their activity against their peers, their normal working hours, and their typical behavior. With Varonis, organizations can visualize security threats with an intuitive dashboard, investigate security incidents - even track alerts and assign them to team members for closure.

16.1.5 Response to information security incidents. Control. Information security incidents shall be responded to in accordance with the documented procedures.

Varonis enables organizations to monitor and track security incidents, investigate suspicious behavior, and automatically respond to potential security vulnerabilities.

16.1.6 Learning from information security incidents. Control. Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

Varonis leverages forensic data to help prevent future attacks: organizations can even rewind to see incidents from the past, identify breaches that may have already occurred, and pre-emptively tune out false positives.

16.1.7 Collection of evidence. Control. The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Varonis DatAdvantage logs user activity on data stores, email, and domain controllers and stores that data in the Varonis database.

 
A.17:

Information Security Aspect of Business Continuity Management

  • DatAdvantage: Data Audit and Protection

  • DatAlert: Security Analytics

17.1.1 Planning information security continuity. Control. The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Varonis helps execute a layered security strategy, with a fully integrated solution focused on protecting enterprise data stored on-premises and in the cloud. Varonis enables organizations to detect and prevent security incidents, investigate unusual activity and user behavior, even roll back and restore changes to an earlier state.

17.1.2 Implementing information security continuity. Control. The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Varonis helps execute a layered security strategy, with a fully integrated solution focused on protecting enterprise data stored on-premises and in the cloud. Varonis enables organizations to detect and prevent security incidents, investigate unusual activity and user behavior, even roll back and restore changes to an earlier state.

17.1.3 Verify, review and evaluate information security continuity. Control. The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Varonis helps execute a layered security strategy, with a fully integrated solution focused on protecting enterprise data stored on-premises and in the cloud. Varonis enables organizations to detect and prevent security incidents, investigate unusual activity and user behavior, even roll back and restore changes to an earlier state.

 
A.18:

Compliance with Internal Requirements, such as Policies, and with External Requirements, such as Laws

  • DatAdvantage: Data Audit and Protection

  • DatAlert: Security Analytics

  • DataPrivilege: Data Access Governance

  • Data Classification
    Data Transport Engine

    Data Retention and Migration

    The Data Classification Engine discovers and identifies sensitive, regulated, & stale data with built-in patterns, predefined categories, customizable regexes and dictionaries.

18.1.1 Identification of applicable legislation and contractual requirements. Control. All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

Varonis Data Classification Engine can help identify and classify applicable legislation and contractual requirements, based on keyword, pattern matching, category, and more.

18.1.2 Intellectual property rights. Control. Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

Varonis automatically scans and classifies sensitive, regulated information stored in file shares, NAS devices, SharePoint, and Office 365. Organizations can create rules with Varonis that combine content sensitivity with risk exposure, usage and file system metadata, so that nothing falls through the cracks.

Automatically classify regulated data and customer information, and easily report on access and file activity for your auditors. Monitor activity so that you can report on security violations and prevent data breaches and cybersecurity events on IP and other proprietary data.

18.1.3 Protection of records. Control. Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

Varonis helps streamline data privacy practices and lock down sensitive data to meet data activity requirements and data breach laws. With Varonis, organizations can automatically move data according to business policy, quarantine sensitive or regulated data that is overexposed, and archive or delete stale data that’s no longer being used.

18.1.4 Privacy and protection of personally identifiable information. Control. Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

Varonis helps companies meet compliance requirements: automatically identify and classify personally identifiable information (PII) data, establish access controls and data protection policies, and build a unified data security strategy to protect customer data.

18.2.2 Compliance with security policies and standards. Control. Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

Varonis DataPrivilege enables the workflow for data owners to manage their own shares, so that they can regularly review (and revoke) data access.

18.2.3 Technical compliance review. Control. Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.

Varonis helps organizations meet compliance and regulatory standards: with Varonis, organizations can automatically classify regulated data and customer information, and easily report on access and file activity for your auditors. Monitor activity so that you can report on security violations and prevent data breaches and cybersecurity events.
