Lunch and Learn: June 29, 2010

Control Compliance Suite and Policy Portal presentation.

  • In talking to our customers we have found that their compliance challenges typically fall into these 3 categories: (1) IT risks, (2) regulatory or compliance readiness, and (3) security and compliance costs.
    IT risks: security threats are growing in number and sophistication. Large, complex IT infrastructures make it difficult to control deviations from standards or configuration drift. Most of our customers have to comply with a growing number of industry regulations and internal mandates; for example, today's average enterprise is exploring 17 standards and frameworks, according to Symantec's 2010 State of the Enterprise Security study.
    Audit readiness: many companies we speak to have challenges providing auditable evidence of their compliance posture and are simply not confident of passing upcoming audits. They realize the need to increase the frequency of compliance assessments, but this is a costly proposition when compliance processes are handled manually.
    Security and compliance costs: many companies we speak to still resort to checklists and ad hoc controls. Most still have a siloed approach towards compliance, with overlapping regulatory requirements leading to redundant efforts because of IT control overlaps. This leads to overspending on the audit process in order to eventually pass: the IT Policy Compliance Group notes that 70% are spending 2x more on audits than needed (IT Policy Compliance Group 2008 Annual Report; the group is an independent research consortium made up of over 3,000 members and 26 advisory firms, and this benchmark research was conducted with over 2,600 firms, 90% of which were located in North America).
  • Compliance also costs real money on an ongoing basis. Boeing paid $165M to pass its SOX audit from 2004 through 2007: three and a half times more than similar aerospace companies. They needed 1 audit firm and 2 consulting firms to assist in closing the gap for SOX. The root problems uncovered by these SOX 404 controls tests were inconsistent information security policies, procedures and controls. Boeing is not alone: 70% of organizations are spending twice as much as is necessary to pass audits, according to the IT Policy Compliance Group. The connection between information security and audit has been proven by recent research: organizations who are not doing anything about audit are the same organizations experiencing the highest levels of data loss and theft (IT Policy Compliance Group).
  • Automation can reduce not only compliance costs but also IT risks. The graph on the left shows how automation can facilitate more frequent audit checks, which ultimately reduces risk among the most mature companies. The risks we are referring to include theft or loss of customer data, compliance deficiencies that must be corrected to pass an audit, and business downtime from IT disruptions or failures. Audit costs are a function of 3 things: (1) the number of controls you need to evaluate, (2) the frequency of evaluation, and (3) the number of times you run controls and fix errors before you become compliant. The graph on the right shows that as companies move from low maturity to high maturity, the cost of compliance initially increases. This is because of two things. Firstly, immature companies typically use multiple point solutions to manage policies and assets and to distribute questionnaires, driving up costs. Secondly, as a company moves along the maturity curve it tends to assess controls more frequently, which also drives up costs. It is only when they consolidate efforts under one automated compliance solution that they can reduce these costs by up to 54%.
  • As you already know, Control Compliance Suite is a fully automated solution designed to effectively manage your IT risk and compliance challenges at lower levels of cost and complexity. CCS 10.0 delivers added value by providing even greater visibility into your IT risk and compliance posture for improved decision making. This is achieved by integrating content awareness from Symantec Data Loss Prevention, adding advanced vulnerability assessment capabilities, and providing the ability to automatically collect and manage data evidence from multiple external sources. To complement these capabilities, CCS 10.0 features dynamic Web-based dashboards, making it possible to get the right information to the right people quickly and easily.
  • With CCS you can leverage a database of 125 sample policies and policy templates covering multiple best-practice frameworks and industry regulations. As regulations change, we have a team in TX who monitor the changes and translate them into technical and procedural control statements so you don't have to (live updates are fed quarterly). CCS is purpose-built to manage the full policy lifecycle: define, review, input, approval and distribution. It includes a policy "map" view that provides a visual representation of which policies align to which regulations and frameworks, so that you can quickly identify any gaps. You can also define a superset of control requirements across multiple regulations, frameworks and policies, enabling you to avoid control overlaps and prioritize these high-value controls.
  • Policy Manager does 4 key things: define written policies (with CCS 8.5 we also ship many pre-built policy templates); electronically distribute these policies and track acceptances and exceptions; demonstrate coverage of mandated control objectives; and collect evidence and report on compliance levels.
  • CCS Standards Manager uses proven, trusted BindView and ESM technologies, developed over 12+ years of experience. Standards Manager allows you to determine which IT controls are needed and map them to external regulations and best practices and to internal policies. You can leverage best-in-class pre-packaged content: we have over 2,900 control statements mapped to thousands of technical and procedural controls. Standards Manager features an Entitlements Module that automatically reviews entitlements to sensitive data; you can even set up periodic review and approval cycles to ensure that permissions granted to sensitive data are tracked over time. You can automatically identify any deviations from technical standards or configuration drift (for networked servers, desktops, databases and directories). It also gathers compliance evidence via a flexible agent-based or agentless method, so you can answer key questions like "Which accounts lack passwords or have weak or expired passwords?" and "When was the last time each application on each machine was updated?"
  • CCS VM delivers end-to-end discovery and vulnerability assessment of Web applications, databases, servers and other network devices. It includes vulnerability detection for AJAX and Web 2.0 applications, and features vulnerability content for the most popular database management systems: MySQL®, Sybase®, Informix®, Oracle®, PostgreSQL and others. You can map out your extended network, identifying threats from both managed and unmanaged devices, to gain a single view of security threats across the IT infrastructure (chaining). A unique risk-scoring algorithm provides insight into whether or not a vulnerability is exploitable. CCS VM includes support for Supervisory Control and Data Acquisition (SCADA) systems (critical for NERC initiatives).
  • RAM automates the assessment of procedural controls governing employee behavior. We offer out-of-the-box, comprehensive coverage for 60+ regulations, frameworks and best practices that are translated into questionnaires to assess the effectiveness of your procedural controls, so you don't have to. RAM uses a web-based survey tool with analytical capabilities that allows you to poll business owners on the completion of required procedures. It integrates with Active Directory so you can filter whom you survey. You can conduct risk-weighted surveys, viewing and sorting responses by any variable, such as asset, respondent, regulation, policy or procedure, and then rank deficiencies based on risk. Following the distribution of new policies you can track responses such as acceptances, clarification requests and exception requests. RAM facilitates more frequent evaluation of your procedural controls, improving your risk and compliance posture. Usage scenarios include conducting security awareness training to track retention of policies and procedures, and conducting vendor assessments to ensure appropriate safe handling of controls and procedures for PII and other confidential information.
  • Symantec DLP is now tightly integrated with CCS 10.0, so you can ensure that the IT assets holding the most sensitive information comply with security and regulatory policies. Symantec DLP scans networks, endpoints and servers to locate sensitive data and sends incident and asset data back to CCS for analysis and review. CCS then creates an asset group by tagging these assets as holding sensitive information, so you can prioritize them for technical controls evaluations and elevate hardening measures accordingly.
  • CCS 10.0 features highly customizable dashboards, allowing you to select from multiple panel views and filtering options, build actionable reports, and drill down to granular data to discover root causes and isolate problem areas. For example, you can deliver reports that show the percentage of systems in compliance with security standards for each business unit while allowing users to see exactly which servers met or failed to meet the standards. Dashboards combine data gathered from all assets, data sets, controls and policies in one location to facilitate comprehensive analysis of your IT risk and compliance posture. Since no additional software is required, these browser-based dashboards ensure low-cost, low-risk end-user deployment.
  • CCS allows you to prioritize remediation efforts based on risk and the importance of the asset, so you focus on fixing the most critical deviations first. CCS quantifies risk based on the industry-standard risk-scoring algorithm, the Common Vulnerability Scoring System (CVSS). Scores fall in a range of 1-10; high-risk assets like PCI servers have a higher risk score. You can also assign a compliance score: the higher the score, the more important it is that the asset be in compliance (e.g. you could set a compliance score of 99% for an external-facing web server but lower for a print server). CCS offers out-of-the-box integration with Symantec's Altiris Service Desk 7 for closed-loop remediation: once CCS detects a compliance failure you can initiate automated remediation ticketing, where tickets are created on the back end and automatically verified when closed. CCS delivers open-loop remediation with other popular systems (Remedy, HP Service Desk) via assisted ticket creation through an API. This triggered workflow reduces the burden on helpdesks and ensures quicker response.
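The prioritization described in the last note (and on the "Remediate Deficiencies Based On Risk" slide below), as an added Python example that is not the presentation's or Symantec's code: each asset carries a compliance score (a required pass rate), each failed check carries a CVSS base score, and deviations are ordered by CVSS weighted by asset importance. Asset names, check identifiers, the 99%/70% targets and the scores are constructed; the severity bands are NVD's CVSS v2 bands.

```python
# Added example, not code from the presentation or from Symantec CCS. It models
# the prioritization the notes describe: each asset carries a compliance score
# (a required pass rate, e.g. 99% for an external-facing web server and lower
# for a print server), each failed check carries a CVSS base score, and the
# remediation queue orders deviations by CVSS weighted by asset importance.
# Asset names, check ids and scores are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Deviation:
    check_id: str  # identifier of the failed standards check (constructed)
    cvss: float    # CVSS base score of the finding, 0.0 to 10.0


@dataclass
class Asset:
    name: str
    compliance_target: float  # required pass rate, 0.0 to 1.0
    checks_total: int         # checks evaluated against the standard
    deviations: List[Deviation] = field(default_factory=list)

    def compliance_rate(self) -> float:
        """Fraction of evaluated checks that passed."""
        return (self.checks_total - len(self.deviations)) / self.checks_total


BAND_RANK = {"High": 3, "Medium": 2, "Low": 1}


def cvss_band(score: float) -> str:
    """NVD's qualitative bands for CVSS v2 base scores (the version current in 2010)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


def priority(asset: Asset, dev: Deviation) -> float:
    """Risk weighted by asset importance, so a High finding on a low-value
    asset can rank below a lower-scored finding on a high-value one."""
    return round(dev.cvss * asset.compliance_target, 2)


def remediation_queue(assets: List[Asset]) -> List[Tuple[str, str, str, float]]:
    """Every deviation as (asset, check, band, priority), most critical first."""
    rows = [(a.name, d.check_id, cvss_band(d.cvss), priority(a, d))
            for a in assets for d in a.deviations]
    return sorted(rows, key=lambda r: (-r[3], -BAND_RANK[r[2]], r[0]))


def assets_needing_tickets(assets: List[Asset]) -> Dict[str, float]:
    """Assets below their compliance target with their pass rate: the point at
    which a detected compliance failure would open a remediation ticket."""
    return {a.name: round(a.compliance_rate(), 3)
            for a in assets if a.compliance_rate() < a.compliance_target}


# Constructed sample: the web server is held to 99%, the print server to 70%.
SAMPLE_ASSETS = [
    Asset("ext-web-01", 0.99, 150, [Deviation("PWD-MINLEN", 5.0),
                                    Deviation("TLS-WEAKCIPHER", 7.6)]),
    Asset("print-01", 0.70, 50, [Deviation("SMB-SIGNING", 9.0),
                                 Deviation("BANNER-INFO", 3.0)]),
]

if __name__ == "__main__":
    for row in remediation_queue(SAMPLE_ASSETS):
        print(row)
    print(assets_needing_tickets(SAMPLE_ASSETS))
```

With these inputs the 9.0 finding on the print server ranks below the 7.6 finding on the web server, and only the web server falls short of its target, so only it would open a ticket.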

    1. Welcome: we will be starting in approximately 10 minutes
       • Compliance Automation and Policy Management
       • Lunch & Learn
    2. Welcome: we will be starting in approximately 5 minutes
       • Compliance Automation and Policy Management
       • Lunch & Learn
    3. Welcome: we will be starting in approximately 2 minutes
       • Compliance Automation and Policy Management
       • Lunch & Learn
    4. WELCOME
       • Compliance Automation and Policy Management
       • Lunch & Learn
    5. Prevalent MasterCard Update
       • Service company no longer in business.
       • Looking for an alternative to the card.
       • All registrants for this Lunch and Learn were sent a certificate that can be used for lunch.
       • We will send instructions whether any additional funds left on the card can be used.
    6. Questions or Issues
       • Lunch or Technical
         • [email_address]
       • Topic Q&A
         • Please use chat feature in GoToMeeting client.
       • My Contact information:
         • Jonathan Dambrot
         • [email_address]
         • 646-442-4236
    7. About Prevalent Networks
       • Founded January 5, 2004
       • Solution Focus on Risk Management
         • Information Security
         • IT Compliance
         • Disaster Recovery, Availability, and Backup
         • Infrastructure
       • Consulting and Engineering Services across all solution areas.
       • Certified Sales and Consulting Staff Across All Solutions
         • Symantec Platinum Partner
           • Sit on the Symantec Partner Advisory Council and Technical Advisory Council
         • Highest level partner for most other vendors.
       • Offices in New Jersey (HQ), New York, Mass, and Philadelphia
         • National Project Teams
    8. Enterprise Governance, Risk and Compliance: Key Concerns (Symantec Control Compliance Suite 10.0)
       • Security Risks
         • Increasing sophistication of threats
         • Changing infrastructure & configurations
         • Increasing regulatory mandates
       • Regulatory / Audit Compliance
         • Frequency of assessments
         • Internal and external audit
         • Reporting to multiple constituencies
       • Security and Compliance Costs
         • Overlapping matrix control objectives
         • Manual assessment of controls
         • Scale and diversity of environment
    9. Costs of IT Compliance Remain High
       Source: IT Policy Compliance Group (n=3,000); Seattle Post-Intelligencer
       • Case study: Boeing Aerospace
         • Failed SOX audit in 2004
         • Spent $165M in 2005-2007 to resolve issues
         • Root problem: inconsistent information security policies, procedures, and controls, including:
           • Database and application patching
           • Failed/missing controls
           • Improper access rights
       (Chart: 2006-2008 Average Annual Regulatory Audit Spend, $MM)
    10. Automation Reduces Audit Costs and Improves Outcomes
       Source: IT Policy Compliance Group (based on a survey of 3,280 companies)
       (Chart, left: Automation increases audit frequency, which reduces risk; months between assessments, 0 to 7, from least mature to most mature)
       (Chart, right: Mature organizations use automation to reduce costs by up to 54%; relative spend on regulatory compliance, 0% to 100%, from least mature to most mature, 54% less)
    11. IT Governance, Risk and Compliance is a Complex Problem
       (Diagram: Assets, Controls and Evidence at the center; Policy, Technical Controls, Procedural Controls, Data Controls, 3rd Party Evidence, Report and Remediate around them; components marked NEW or IMPROVED)
       • Policy: define and manage policies for multiple mandates with out-of-the-box policy content; map policies to control statements
       • Technical controls: automatically identify deviations from technical standards; identify critical vulnerabilities
       • Procedural controls: replace paper-based surveys with web-based questionnaires to evaluate whether policies were read and understood
       • 3rd party evidence: combine evidence from multiple sources and map to policies
       • Report: gather results in one central repository and deliver dynamic web-based dashboards and reports
       • Remediate: remediate deficiencies based on risk via integration with popular ticketing systems
       • Data controls: tight integration with Symantec™ Data Loss Prevention to prioritize assessment and remediation of assets based on value of data
    12. Symantec Control Compliance Suite
       (Diagram: the same Assets / Controls / Evidence layout, with the product that delivers each area)
       • Symantec™ Control Compliance Suite Standards Manager
       • Symantec™ Control Compliance Suite Vulnerability Manager
       • Symantec™ Control Compliance Suite Policy Manager
       • Symantec™ Control Compliance Suite Response Assessment Manager
       • Symantec™ Control Compliance Suite (Infrastructure)
       • Symantec™ ServiceDesk 7.0
       • Symantec™ Data Loss Prevention Discover
    13. Symantec Control Compliance Suite (Symantec Confidential)
    14. Define and Manage Policies
       Control Compliance Suite Policy Manager (POLICY)
       • Automate entire IT policy lifecycle to reduce cost and complexity
       • Define policies with out-of-the-box policy content
       • Assess coverage for regulations and best practices
       • Automatic regulatory updates
       • Map policies to control statements
       • De-duplicate common controls across multiple regulations
       Corporate policies lifecycle: 1 Define, 2 Review, 3 Approve, 4 Distribute, 5 Track Acceptances/Exceptions
    15. Policy-driven Risk and Compliance Management
       (Diagram: Create, Map, Distribute, Prove; Corporate Policies such as Malware, Access Control and Acceptable Use mapped to ISO, SOX, PCI and COBIT)
       • Evidentiary data feeds for technical controls
       • Evidence for non-technical controls
    16. Written Policy Management
       (Diagram: Define Written Policy, Distribute, Demonstrate Coverage, Display Evidence)
    17. Automatically Assess IT Infrastructure
       Control Compliance Suite Standards Manager (TECHNICAL CONTROLS)
       • Improve visibility into IT risk and reduce compliance cost and complexity
       • Automate assessment of technical controls to identify deviations or configuration drift
       • Leverage best-in-class pre-packaged content
       • Manage exceptions
       • Flexible agent-based or agent-less data gathering options
       Flow: 1 Define Standards, 2 Evaluate managed/unmanaged assets (agent and/or agent-less), 3 Analyze and Fix
    18. Conduct Advanced Vulnerability Assessment
       Control Compliance Suite Vulnerability Manager (TECHNICAL CONTROLS)
       • Proactively prevent threats to critical assets and information
       • Identify critical vulnerabilities in Web applications, databases, servers and other network devices
       • More than 54,000 checks across 14,000 vulnerabilities
       • Unique vulnerability "chaining" mechanism
       • Unique risk scoring algorithm
       • High performance 64-bit scan engine
       Control Compliance Suite Vulnerability Manager chains together all vulnerabilities found to uncover new, hidden issues.
    19. Automatically Evaluate Procedural Controls
       Control Compliance Suite Response Assessment Manager (PROCEDURAL CONTROLS)
       • Replace costly, time-consuming manual processes
       • Automate assessment of procedural controls
       • Web-based questionnaires covering 60+ regulations and frameworks
       • Assess via risk-weighted surveys
       • Track responses: acceptances, exception and clarification requests
       (Diagram: Administer Survey, Distribute via web to Respondents, Consolidate responses, Analyze Results)
    20. Identify and Prioritize Critical Assets
       Data Loss Prevention Discover (DATA CONTROLS)
       • Gain a better overview of compliance and security posture
       • Use Symantec Data Loss Prevention Discover information to identify assets with critical data
       • Prioritize these assets for controls evaluation
       • Elevate hardening measures on these assets
       • Show Control Compliance Suite and Data Loss Prevention data side by side to prioritize remediation efforts
    21. Report on Risk and Compliance Posture
       Control Compliance Suite (Infrastructure) (REPORT)
       • Deliver relevant data to multiple stakeholders for better decision making
       • Web-based dynamic dashboards and reports
       • Integrate technical, procedural and data controls with evidence from external systems
       • Select from multiple panel views and filtering options and drill down for granular details
       • Low cost end-user deployment
    22. Remediate Deficiencies Based On Risk
       Symantec ServiceDesk (REMEDIATE)
       • Improve IT risk posture by fixing the most critical deviations first
       • Prioritize remediation efforts based on compliance and risk scores (quantify risk using CVSS)
       • Provide detailed remediation instructions
       • Automated integration with ticketing systems:
         • Closed-loop verification with Altiris™ Service Desk
         • Remedy™, HP Service Manager™
    23. CCS and Policy Portal Demo
       • Compliance Automation and Policy Management
    24. Questions
       • Thank you!