IT Compliance and Governance with DLP Controls and Vulnerability Scanning Software
1. Delivering on the Promise.
By: Brian Rosenfelt, CPA and Joseph Compton, CISSP, CISA
February 16, 2012
2. Security Software: Agenda
• Data Loss Prevention Controls
  • Aids in policy development
  • Helps identify data to be protected
  • Provides real-time incident response tickets
  • Provides centralized audit reports
• Vulnerability Scanners
  • Identify network device weaknesses
  • Used to validate machine configuration
  • Used to identify missing patches
3. The Software: Data Loss Prevention Controls
• DLP tools have been around for a long time
  • Expensive
  • Geared toward a single task
  • Poor alerting
• New unified platforms are coming online
  • Comprehensive approach
  • Unified exception and audit reporting
  • Real-time incident responses
• Controls can be configured to function as
  • Detective
  • Corrective
  • Preventive
4. Organizational Data in Motion: Challenges
• What is the confidential data?
• Where is the confidential data stored?
• Where is the confidential data going?
• Can the controls enforce data use policies?
5. Enterprise Data Protection and Governance: What can these tools protect?
• Email encryption
• Content profiling
• Web filtering
• End-point protection
• Document management
• Fingerprinting
• Employee monitoring
7. CTH Technologies Secure Care: Our DLP Solution
• Agent-based technology
• Works on and off the network
• Lock down the desktop with policy enforcement
• Policies will travel
8. Define confidential data policy → Run scan and discover exposed files → Enforce policy by automatically protecting data → Remediate incidents → Report on risk and compliance
9. Employee sends confidential data → Detects or prevents incident → Notifies employee → Workflow automates remediation → Report on risk and compliance
10. Employee sends confidential data → Detects incidents → Tags email message (SENSITIVE) → Automatically encrypts tagged messages → Report on risk and compliance
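The three flows on slides 8 to 10 (define policy, scan, enforce, remediate, report) and the detective / corrective / preventive modes from slide 3 are shown below as one small content-inspection pipeline. This is an added worked example written for this page; it is not the CTH product or any code from the deck. The rule names, patterns, fingerprint table and sample documents are all constructed for the example, and the Luhn check is included only to show why a validator on top of a pattern matters for false positives.

```python
"""Minimal DLP content-inspection pipeline (added example; not the CTH product).

Follows the slide flow: define the confidential-data policy, scan documents,
act as a detective / corrective / preventive control, report.
Every document, pattern and fingerprint below is constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def luhn_valid(number: str) -> bool:
    """Luhn checksum; filters arbitrary 16-digit strings out of card matches."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for pos, d in enumerate(reversed(digits)):
        if pos % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    mode: str                                           # detective | corrective | preventive
    validate: Optional[Callable[[str], bool]] = None    # optional false-positive filter


@dataclass
class Incident:
    document: str
    rule: str
    mode: str
    action: str                                         # log | redact | block


# Policy definition (slide 8: "define confidential data policy"). Hypothetical rules.
POLICY: List[Rule] = [
    Rule("payment-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "preventive", luhn_valid),
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "corrective"),
    Rule("internal-label", re.compile(r"\bCONFIDENTIAL\b"), "detective"),
]

# Document fingerprinting: SHA-256 of known confidential documents (constructed).
FINGERPRINTS: Dict[str, str] = {
    hashlib.sha256(b"ACME Q4 board minutes - CONFIDENTIAL").hexdigest(): "board-minutes",
}


def scan_document(name: str, content: str) -> Tuple[str, List[Incident], Optional[str]]:
    """Scan one document; return (verdict, incidents, content released to the recipient).

    preventive -> verdict "block": nothing is released
    corrective -> matches are masked in the released copy
    detective  -> released unchanged, incident logged for the audit report
    """
    incidents: List[Incident] = []
    released = content
    blocked = False

    digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
    if digest in FINGERPRINTS:      # exact copy of a fingerprinted document
        incidents.append(Incident(name, "fingerprint:" + FINGERPRINTS[digest], "preventive", "block"))
        blocked = True

    for rule in POLICY:
        for match in rule.pattern.finditer(content):
            text = match.group()
            if rule.validate is not None and not rule.validate(text):
                continue            # e.g. a 16-digit order number that fails Luhn
            if rule.mode == "preventive":
                blocked, action = True, "block"
            elif rule.mode == "corrective":
                released = released.replace(text, "[REDACTED]")
                action = "redact"
            else:
                action = "log"
            incidents.append(Incident(name, rule.name, rule.mode, action))

    verdict = "block" if blocked else "release"
    return verdict, incidents, (None if blocked else released)


SAMPLE_DOCUMENTS: Dict[str, str] = {    # constructed inputs for the example
    "expense.txt": "Reimburse card 4111 1111 1111 1111 for travel.",
    "hr-note.txt": "New hire SSN 123-45-6789, start Monday.",
    "order.txt": "Order ref 4111111111111112 shipped.",        # fails Luhn: not a card
    "minutes.txt": "ACME Q4 board minutes - CONFIDENTIAL",     # fingerprinted document
}


def run_scan(documents: Dict[str, str] = SAMPLE_DOCUMENTS):
    """Scan every document; maps document name -> (verdict, incidents, released)."""
    return {name: scan_document(name, text) for name, text in documents.items()}


def compliance_report(results) -> Dict[Tuple[str, str], int]:
    """Count incidents per (rule, action): the centralized audit view from slide 2."""
    summary: Dict[Tuple[str, str], int] = {}
    for _verdict, incidents, _released in results.values():
        for inc in incidents:
            key = (inc.rule, inc.action)
            summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    scan = run_scan()
    for doc, (verdict, incidents, _) in scan.items():
        print(doc, verdict, [(i.rule, i.action) for i in incidents])
    print(compliance_report(scan))
```

Running it shows the three control modes on the constructed inputs: the expense note carrying a Luhn-valid card number is blocked, the HR note is released with the SSN masked, the order reference that merely looks like a card number passes the Luhn filter and raises no incident, and the fingerprinted minutes are blocked while the CONFIDENTIAL label is logged. The report dictionary is the per-rule, per-action summary an auditor would pull from the central console.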
14. CTH DLP Summary: DLP Solutions should
• Capture and Monitor
  • Desktop Data
  • Customer and Employee Data
  • Application Performance Data
• Analyze Data
  • User
  • Machine
  • Application
• Risk Mitigation Compliance
15. SAINT Security Scanner
• Besides being a tool for security testers, auditors can leverage the power of the SAINT Security Scanner
  • Review Network Device Configuration
  • Perform Security Patch Audits
  • Test for PCI Compliance (Payment Card Industry)
  • Test for FISMA Compliance (Federal Information Security Management Act)
  • Test for HIPAA Compliance (Health Insurance Portability and Accountability Act)
  • Test for NERC Compliance (North American Electric Reliability Corporation)
16. What Can SAINT Do? Compliance Features
• Besides various compliance checks, SAINT can also run OVAL (Open Vulnerability and Assessment Language) vulnerability and inventory tests
• XCCDF and SCAP (NIST Extensible Configuration Checklist Description Format and Security Content Automation Protocol)
• Import lists from the National Vulnerability Database: http://web.nvd.nist.gov/view/ncp/repository
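The XCCDF and SCAP content named on this slide is what a scanner such as SAINT consumes, and the scan output an auditor receives comes back in the same family of formats as an XCCDF TestResult. The parser below, an added example for this page rather than SAINT's code, turns such a result document into the pass/fail summary and prioritized remediation list an audit report needs. The element and attribute names (TestResult, target, rule-result, idref, severity, result, score) are those of the XCCDF 1.2 specification; the target name, rule identifiers and scores in the sample are constructed.

```python
"""Summarize an XCCDF 1.2 TestResult for an audit report (added example; not SAINT code).

XCCDF is the NIST checklist format named on the slide; SCAP scanners report in it.
Element and attribute names follow the XCCDF 1.2 specification; the rule ids,
target and scores below are constructed for the example.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed result document, trimmed to the elements this summary needs.
SAMPLE_RESULT = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_20120216"
            start-time="2012-02-16T09:00:00" end-time="2012-02-16T09:04:30">
  <target>host-example-01</target>
  <rule-result idref="xccdf_org.example_rule_password_min_length" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_remote_root_login" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_screen_lock_timeout" severity="low">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_wireless_disabled" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">33.33</score>
</TestResult>
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# XCCDF result values that do not count toward a checked-rule pass ratio.
NOT_SCORED = {"notapplicable", "notchecked", "notselected", "informational"}


def parse_test_result(xml_text: str) -> Dict:
    """Extract target, per-rule results, result counts and the scanner's own score."""
    root = ET.fromstring(xml_text)
    # Accept either a bare TestResult or one nested inside a Benchmark element.
    result_el = root if root.tag.endswith("TestResult") else root.find(".//xccdf:TestResult", XCCDF_NS)
    if result_el is None:
        raise ValueError("no TestResult element found")
    rules: List[Dict[str, str]] = []
    for rr in result_el.findall("xccdf:rule-result", XCCDF_NS):
        rules.append({
            "rule": rr.get("idref", ""),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("xccdf:result", default="unknown", namespaces=XCCDF_NS),
        })
    score_el = result_el.find("xccdf:score", XCCDF_NS)
    return {
        "target": result_el.findtext("xccdf:target", default="", namespaces=XCCDF_NS),
        "rules": rules,
        "counts": dict(Counter(r["result"] for r in rules)),
        "score": float(score_el.text) if score_el is not None and score_el.text else None,
    }


def failed_rules(parsed: Dict) -> List[Dict[str, str]]:
    """Failed rules, highest severity first, for the remediation list."""
    fails = [r for r in parsed["rules"] if r["result"] == "fail"]
    return sorted(fails, key=lambda r: (SEVERITY_RANK.get(r["severity"], 4), r["rule"]))


def pass_ratio(parsed: Dict) -> float:
    """Share of checked rules that passed (plain ratio, not XCCDF default scoring)."""
    checked = [r for r in parsed["rules"] if r["result"] not in NOT_SCORED]
    if not checked:
        return 0.0
    return sum(1 for r in checked if r["result"] == "pass") / len(checked)


if __name__ == "__main__":
    parsed = parse_test_result(SAMPLE_RESULT)
    print(parsed["target"], parsed["counts"], "scanner score:", parsed["score"])
    print("pass ratio over checked rules:", round(pass_ratio(parsed), 3))
    for r in failed_rules(parsed):
        print(f"{r['severity']:>6}  {r['rule']}")
```

Two details matter for an auditor reading such output: rules reported as notapplicable, notchecked or notselected are excluded from the pass ratio so an unchecked rule never inflates compliance, and the scanner's own score element is carried through separately from the locally computed ratio so the two can be compared rather than conflated.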
17. What else is out there? Other Scanning Tools and Resources
• A list of approved scanners: http://nvd.nist.gov/scapproducts.cfm
• Other DLP vendors: Code Green Networks, Websense, Axway, and SMARSH
18. What We Learned: Summary
• There are a variety of automated controls available
• Each type can be used to speed up policy and procedure development
• Auditors, like security testers, should have access to these tools
• The right toolset should be customizable for any environment or reporting criteria
19. Our Philosophy
Whether seen by our clients, employees, business contacts or community, our identity is the symbol of a promise delivered with enthusiasm, innovation, teamwork, drive and commitment.
• Clients - Provide premier business services to our clients
• Employees - Foster an environment that maximizes personal and professional growth
• Business Contacts - Maintain the highest ethical standards
• Community - Enhance the future of our community