IT Compliance and Governance with DLP Controls and Vulnerability Scanning Software
Delivering on the Promise.
By Brian Rosenfelt, CPA, and Joseph Compton, CISSP, CISA
February 16, 2012
Agenda: Security Software
• Data Loss Prevention Controls
  • Aids in policy development
  • Helps identify data to be protected
  • Provides real-time incident response tickets
  • Provides centralized audit reports
• Vulnerability Scanners
  • Identify network device weaknesses
  • Used to validate machine configuration
  • Used to identify missing patches
The Software: Data Loss Prevention Controls
• DLP tools have been around for a long time
  • Expensive
  • Geared toward a single task
  • Poor alerting
• New unified platforms are coming online
  • Comprehensive approach
  • Unified exception and audit reporting
  • Real-time incident responses
• Controls can be configured to function as
  • Detective
  • Corrective
  • Preventive
Data in Motion: Organizational Challenges
• What is the confidential data?
• Where is the confidential data stored?
• Where is the confidential data going?
• Can the controls enforce data use policies?
Enterprise Data Protection and Governance: What can these tools protect?
• Email encryption
• Content profiling
• Web filtering
• End-point protection
• Document management
• Fingerprinting
• Employee monitoring
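The preceding slides list the questions a DLP program has to answer (what is confidential, where is it going, can the control enforce the policy) and the three modes a control can run in: detective, corrective, preventive. The following is an added example written for this page, not code from the presentation or from any vendor named in it. It shows the two classic content-inspection techniques the deck mentions, content profiling (a card-number pattern validated with the Luhn check so random digit runs do not fire) and exact-match document fingerprinting (a SHA-256 registry), and applies the same findings under each of the three control modes. The rule names, the verdict actions and the sample payloads are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    """How a DLP rule acts on a match (the three modes named in the deck)."""
    DETECTIVE = "detective"    # log and alert only; the data still leaves
    CORRECTIVE = "corrective"  # let the message through with the sensitive content redacted
    PREVENTIVE = "preventive"  # block the transfer outright


@dataclass
class Verdict:
    rule: str      # which rule matched ("none" if nothing did)
    action: str    # "allow", "alert", "redact" or "block"
    payload: str   # the payload as it would leave the network ("" when blocked)


# Candidate primary account numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most digit runs (order ids, phone numbers) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the PAN-looking substrings that also pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(m.group())
    return hits


def fingerprint(data: bytes) -> str:
    """Exact-match document fingerprint: the SHA-256 digest of the registered document."""
    return hashlib.sha256(data).hexdigest()


def inspect(payload: str, registry: set[str], mode: Mode) -> Verdict:
    """Apply the fingerprint rule, then the PAN rule, under the given control mode."""
    if fingerprint(payload.encode()) in registry:
        rule = "fingerprint:registered-document"
        # a registered document cannot be meaningfully redacted, so corrective degrades to alert
        if mode is Mode.PREVENTIVE:
            return Verdict(rule, "block", "")
        return Verdict(rule, "alert", payload)

    pans = find_pans(payload)
    if not pans:
        return Verdict("none", "allow", payload)
    rule = "content:pan"
    if mode is Mode.DETECTIVE:
        return Verdict(rule, "alert", payload)
    if mode is Mode.CORRECTIVE:
        redacted = payload
        for pan in pans:
            last4 = re.sub(r"[ -]", "", pan)[-4:]   # keep the last four digits for the audit trail
            redacted = redacted.replace(pan, "[PAN REDACTED ****" + last4 + "]")
        return Verdict(rule, "redact", redacted)
    return Verdict(rule, "block", "")


if __name__ == "__main__":
    # Constructed sample traffic; 4111 1111 1111 1111 is the well-known Luhn-valid test number.
    minutes = "Q4 board minutes: CONFIDENTIAL draft"
    registry = {fingerprint(minutes.encode())}
    for mode in Mode:
        print(mode.value, inspect("card 4111 1111 1111 1111 exp 12/14", registry, mode))
        print(mode.value, inspect(minutes, registry, mode))
        print(mode.value, inspect("order 1234567890123 shipped", registry, mode))
```

The verdicts map directly onto the reporting the deck asks for: "alert" is what feeds the real-time incident ticket, and the rule name plus last-four digits is what the centralized audit report needs without re-storing the card number.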
CTH DLP Summary: Business Intelligence
• Behavioral Analytics
• Employee Monitoring
  • Employee Activity / Productivity Reports
• Software Audit Reporting
  • Usage Report
  • Compliance Report
CTH DLP Summary: DLP Solutions Should
• Capture and Monitor
  • Desktop Data
  • Customer and Employee Data
  • Application Performance Data
• Analyze Data
  • User
  • Machine
  • Application
• Risk Mitigation Compliance
SAINT Security Scanner
• Besides being a tool for security testers, the SAINT Security Scanner can be leveraged by auditors
  • Review network device configuration
  • Perform security patch audits
  • Test for PCI compliance (Payment Card Industry)
  • Test for FISMA compliance (Federal Information Security Management Act)
  • Test for HIPAA compliance (Health Insurance Portability and Accountability Act)
  • Test for NERC compliance (North American Electric Reliability Corporation)
What Can SAINT Do? Compliance Features
• Besides various compliance checks, SAINT can also run OVAL (Open Vulnerability and Assessment Language) vulnerability and inventory tests
• XCCDF and SCAP (NIST Extensible Configuration Checklist Description Format and Security Content Automation Protocol)
• Import lists from the National Vulnerability Database: http://web.nvd.nist.gov/view/ncp/repository
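The SCAP-family formats named on this slide are what let an auditor turn a scanner's configuration checks into a compliance report. As an added example, not part of the presentation and not SAINT's own output or code, the following parses a small XCCDF 1.2 result document and produces the summary an audit report needs: pass/fail counts, a pass percentage over the scored rules, and the failed rules ordered by severity. The XML sample is constructed for the example (benchmark, rule and host identifiers are invented); the namespace URI, the TestResult / rule-result / result element names and the severity attribute are taken from the XCCDF 1.2 layout as the author understands it, and should be checked against the scanner's actual export before use.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace (assumed; confirm against the scanner's export).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: a trimmed TestResult with four rule results. Identifiers are invented.
SAMPLE_RESULT = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo" end-time="2012-02-16T10:00:00">
    <target>workstation-01.example.invalid</target>
    <rule-result idref="xccdf_example_rule_password_min_length" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_disable_telnet" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_logging" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_screen_lock" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text: str) -> list[dict]:
    """Flatten every rule-result of every TestResult into one finding per row."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    findings = []
    for tr in root.findall("x:TestResult", ns):
        target = tr.findtext("x:target", default="", namespaces=ns)
        for rr in tr.findall("x:rule-result", ns):
            findings.append({
                "target": target,
                "rule": rr.get("idref"),
                "severity": rr.get("severity", "unknown"),
                "result": rr.findtext("x:result", default="unknown", namespaces=ns),
            })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Counts per result value, pass rate over scored rules, and failed rules worst-first."""
    counts = Counter(f["result"] for f in findings)
    # Only pass/fail are scored; notapplicable, notchecked, error etc. are excluded from the rate.
    scored = [f for f in findings if f["result"] in ("pass", "fail")]
    pass_pct = round(100 * counts["pass"] / len(scored), 1) if scored else 0.0
    failed = sorted(
        (f for f in findings if f["result"] == "fail"),
        key=lambda f: SEVERITY_ORDER.get(f["severity"], 99),
    )
    return {
        "counts": dict(counts),
        "pass_pct": pass_pct,
        "failed_rules": [f["rule"] for f in failed],
    }


if __name__ == "__main__":
    report = summarize(parse_results(SAMPLE_RESULT))
    print(report)
```

Excluding "notapplicable" and similar non-scored results from the denominator matters in practice: a benchmark with many rules that do not apply to a host would otherwise show an artificially low pass rate in the compliance report.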
What Else Is Out There? Other Scanning Tools and Resources
• A list of approved scanners: http://nvd.nist.gov/scapproducts.cfm
• Other DLP vendors: Code Green Networks, Websense, Axway, and SMARSH
Summary: What We Learned
• There are a variety of automated controls available
• Each type can be used to speed up policy and procedure development
• Auditors, like security testers, should have access to these tools
• The right toolset should be customizable for any environment or reporting criteria
Our Philosophy
Whether seen by our clients, employees, business contacts or community, our identity is the symbol of a promise delivered with enthusiasm, innovation, teamwork, drive and commitment.
• Clients - Provide premier business services to our clients
• Employees - Foster an environment that maximizes personal and professional growth
• Business Contacts - Maintain the highest ethical standards
• Community - Enhance the future of our community