Sage Solutions Brief.Mjo
  • The automated fusion and correlation of the data produced by the multiple technologies forming the technical control framework will allow COM to maximize the return on investment for the technology. Additionally, an automated solution serves as a force multiplier that does not require the typical headcount associated with the manual collection, correlation and analysis of the data gathered during an average assessment and/or monitoring window. The automated solution is able to determine enterprise risk and compliance status while providing a comprehensive dashboard and reporting capability to ensure that stakeholders at every level are provided a means to monitor and measure what matters most to them.
  • In the beginning, people used existing general-purpose tools to build semi-automated GRC solutions. These were not scalable and not integrated, which is not a big issue when you only need 1 to 2 solutions.
  • Transcript

    • 1. Solution Overview National Continuity Solutions Platform Michael J. O’Dell CBCP – Sage Management
    • 2.
      • Company Profile :
      • Veteran-Owned Small Business
      • Technical Services Provider
        • Intelligence Community
        • Defense Threat Reduction Agency
        • U.S. Military
      • Rapidly Growing (Inc. 500 list, 2009)
      • 56 employees (majority TS/SCI cleared)
      • LLC, Founded in Maryland in 2004
      • Top Secret Facility Clearance
      • Locations :
      • Hanover, MD
        • NSA
        • Others: DIA, USAF
      • Springfield, VA
        • Defense Threat Reduction Agency
        • Others: SPAWAR, AFTAC, DHHS
      • Princeton, NJ
        • Defense Threat Reduction Agency
      • Sierra Vista, AZ
        • US Army Intelligence Center
        • Joint Interoperability Test Command
      Company Profile
    • 3. Continuous Assessment and Monitoring (diagram labels): Define Policy & Risk; Translate; Map; Assess; Collect; Analyze & Prioritize; Remediate; Dashboard; Point-In-Time Audit; Test; Monitor & Alert
    • 4. Solution Architecture (diagram labels, grouped by layer)
      • Content Packs: 8500.2, CNSSI 1253, 800-53, ISO, 800-66
      • Applications: Policy, Risk, Compliance, Vendor, Threat, Privacy, Incident
      • Business Interfaces: Reports, Dashboards, Notification, Tasks, Office Integration, Application Builder, UI Configuration, Key Indicators
      • Engines: Workflow, Collaboration, Analytics, What-If Risk Calculator, Correlation, Common Controls Assessment
      • Integrated GRC Data Model: Organizations, Policies, Assets, Configurations, Controls, Risks, Mappings, Evidences
      • Connectors
      • Middleware: Workflow, Reporting, Data Integration, Content Management
      • GRC Platform (the layers above together form the platform)
    • 5. Compliance Solution Market Trends (past vs. present)
      Past                          Present
      Manual Processes              Automation
      Compliance Driven             Business & Risk Driven
      Custom Controls               Standard Controls
      Compliance and Risk Silos     Common Control Framework
      Fragmented Tools              Integrated Solution
      Periodic Audits               Continuous Monitoring
      Internally Developed Tools    Purpose-Built Platform
      Consulting Engagements        Software Solutions
      Cylinder of Excellence View   Enterprise Wide Visibility
    • 6. Custom & Manual Solutions
      • Leverage existing technologies: tools not suited to purpose; poor data integrity and quality
      • Limited point-to-point integration: heavily reliant on scripting, macros and cron jobs; fragile integrations
      • Mostly manual processes: heavily reliant on Excel and Word; Help Desk tool used to route workflows
      Diagram components: Help Desk, Document Management, Excel, Word, Reporting Tools, Data Warehouse
    • 7. Purpose-Built GRC Platform
      • Open technology stack: hot pluggable with open source, Oracle, IBM, ...; consistent with corporate technology strategy
      • Purpose-built GRC platform: optimized for GRC, SOA platform vision; predefined GRC business objects / entities; simple upgrade and extension
      • Single-point integration: simple upgrade and extension; no point integration
      • Feature-rich applications: integrated functionality, no redundancy; cross-regulation scalability
      • Open content: global community and localized support; partner and customer friendly
      Diagram (IT GRC Platform): Dashboards, Reports, Indicators; Automation & Collaboration Engines; Common Control Framework; Integrated GRC Data Model; Open Connector Architecture (Workflow, Reporting, Data Integration); content: NIST 800-53, ISO, SOX
    • 8. Applications (one row per application)
      Application              Capabilities
      Compliance               Manual & automated assessment; compliance reporting & metrics
      Policy                   Collaborative policy lifecycle mgmt.; policy distribution & compliance testing
      Enterprise Risk          Collaborative risk definition & mapping; real time risk monitoring
      Privacy                  Compliance & impact assessments; policy awareness & incident readiness
      Vendor Risk              Partner classification & risk assessment; delegated administration
      Threat & Vulnerability   Monitor, test & remediate; scan, virtual scan & advanced warning
      Incident                 Incident lifecycle management; operational response plan
    • 9. Open Connectors (28 connectors and growing): eSurvey; Configuration Management; Vulnerability Management; Incident Management; DB Configuration & Access Checks; Identity & Access Control Checks; Application Controls Checks; Segregation of Duties Checks; Others
    • 10.
      • Bottom-line:
      • FISMA C&A – NIST 800-53A, 800-60, FIPS 199, 800-37, 800-55 
      • Configuration and Patch scan integration
      • Vulnerability Scan integration
      • Dynamic POA&M
      Compliance Automation and Continuous Assessments integrated with existing C&A processes for FISMA requirements
      • Business Challenge:
      • Existing C&A processes separate from Security Operations
      • Moving to continuous configuration and patch level assessment based on computing asset criticality
      • Inefficient manual & consultant driven tools, i.e. spreadsheets, C&A document repositories, and C&A SSP tools
      • Need to reduce average C&A cost by 60% on an SSP project scope basis, to free up budget for new control & risk initiatives
      • Solution:
      • Real time visibility on risk and compliance status against FISMA and IT Security Risk Management requirements
      • Risk reduction through integrated compliance automation and continuous configuration, patch and vulnerability assessment
      Several Federal Agencies
    • 11.
      • Bottom-line:
      • DOD 8500.2, STIGS, 800-53 and DOD 5400 Continuous Assessment 
      • Enhanced Situational Awareness of Risk and Privacy Protection
      Automated Risk Management and Continuous Assessment for Operational Security and PII Protection
      • Business Challenge:
      • De-centralized security operations limiting situational awareness
      • Limited protection of operational security as well as the war fighter’s PII
      • Static view of security posture and performance of the network
      • Isolated tool sets creating redundancy and operational inefficiency with manual correlation
      • Security incidents and data breaches going undetected for long periods of time
      • Solution:
      • Provides a comprehensive technical control framework for enhanced automated monitoring, assessment and correlation of the attributes used to develop key compliance and risk indicators. This acts as a force multiplier, allowing the command level program office to constantly maintain the pulse of the security posture and risk across the global infrastructure
      • Real time visibility on risk and compliance status against 8500.2 and PII Risk Management requirements
      • Provides a comprehensive IA program through threat analysis and technology risk assessments in order to leverage the most appropriate technologies and cost effective solutions for the network.
      DOD Program
    • 12. Representative Customers
    • 13. Role Based Dashboards
    • 14. Vulnerability Database
    • 15. Deficiencies & Mitigation Assessment
    • 16. FIPS-199 Categorization
    • 17. System Security Plan
    • 18. Plan of Actions & Milestones
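Slides 4 and 10 describe the mechanism behind the deck's claims: connector evidence (configuration and vulnerability scans) is stored against an integrated data model of assets, controls, mappings and evidence, a correlation engine rolls it up through a common control framework so one finding is reported against several regulations at once, and failed controls feed a dynamic POA&M prioritized by FIPS 199 categorization. The script below is an added example written for this page to make that data flow concrete; it is not Sage's or the platform vendor's code. The common controls, the crosswalk between them and the NIST 800-53 / DoD 8500.2 identifiers, the check-to-control assignments, the assets, their impact levels and the findings are all constructed for illustration and must not be read as an official mapping.

```python
"""Added example (not from the slide deck): fuse connector evidence through a
toy common control framework into per-framework compliance views and a
dynamic POA&M. Every mapping and sample record below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical common controls, each cross-referenced to two frameworks.
# Illustrative crosswalk only; verify against the official catalogs before use.
COMMON_CONTROLS = {
    "CC-PATCH":  {"NIST 800-53": "SI-2", "DoD 8500.2": "VIVM-1"},
    "CC-CONFIG": {"NIST 800-53": "CM-6", "DoD 8500.2": "ECSC-1"},
    "CC-AUDIT":  {"NIST 800-53": "AU-2", "DoD 8500.2": "ECAR-2"},
}

# Which common control each automated connector check provides evidence for
# (constructed check names in the form "<connector>:<check>").
CHECK_TO_CONTROL = {
    "vuln-scan:missing-critical-patch": "CC-PATCH",
    "config-scan:password-min-length": "CC-CONFIG",
    "config-scan:audit-logging-enabled": "CC-AUDIT",
}

# FIPS 199 impact level per asset drives POA&M ordering. Constructed sample.
CATEGORIZATION = {"web-01": "High", "db-01": "Moderate", "dev-07": "Low"}
IMPACT_RANK = {"High": 0, "Moderate": 1, "Low": 2}


@dataclass(frozen=True)
class Finding:
    """One check result delivered by a connector."""
    asset: str
    check: str
    passed: bool


# Constructed evidence as it might arrive from the configuration and
# vulnerability connectors; db-01 has two results for the same check.
SAMPLE_FINDINGS = [
    Finding("web-01", "vuln-scan:missing-critical-patch", False),
    Finding("web-01", "config-scan:password-min-length", True),
    Finding("web-01", "config-scan:audit-logging-enabled", True),
    Finding("db-01", "vuln-scan:missing-critical-patch", True),
    Finding("db-01", "config-scan:audit-logging-enabled", False),
    Finding("db-01", "config-scan:audit-logging-enabled", True),
    Finding("dev-07", "config-scan:password-min-length", False),
]


def control_status(findings):
    """Correlate check results into per-asset common-control status.

    A control fails on an asset if any evidence for it failed; controls
    with no evidence at all are simply absent from the asset's entry.
    """
    status = defaultdict(dict)
    for f in findings:
        cc = CHECK_TO_CONTROL[f.check]
        status[f.asset][cc] = status[f.asset].get(cc, True) and f.passed
    return dict(status)


def framework_view(status, framework):
    """Project common-control status onto one framework's control identifiers."""
    return {
        asset: {COMMON_CONTROLS[cc][framework]: ("pass" if ok else "fail")
                for cc, ok in controls.items()}
        for asset, controls in status.items()
    }


def build_poam(status):
    """Emit a POA&M entry per failed control, highest FIPS 199 impact first."""
    entries = [
        {"asset": asset, "impact": CATEGORIZATION[asset],
         "common_control": cc, "references": dict(COMMON_CONTROLS[cc])}
        for asset, controls in status.items()
        for cc, ok in controls.items() if not ok
    ]
    entries.sort(key=lambda e: (IMPACT_RANK[e["impact"]], e["asset"], e["common_control"]))
    return entries


def compliance_rate(status):
    """Dashboard indicator: share of evaluated (asset, control) pairs that pass."""
    evaluated = [ok for controls in status.values() for ok in controls.values()]
    return sum(evaluated) / len(evaluated) if evaluated else 0.0


if __name__ == "__main__":
    st = control_status(SAMPLE_FINDINGS)
    for fw in ("NIST 800-53", "DoD 8500.2"):
        print(fw, framework_view(st, fw))
    for entry in build_poam(st):
        print(entry)
    print("compliance rate:", compliance_rate(st))
```

Two design points carry over to a real deployment. First, the single source of truth is the common control, not the regulation: the 800-53 and 8500.2 views are projections of one status, which is what lets the deck claim cross-regulation scalability without re-assessing per framework. Second, a control that once failed stays failed for that scan window even if a later result passes, so the POA&M is not closed by a flaky re-scan; closing an entry should be an explicit remediation workflow step with its own evidence.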