Automating Policy Compliance and IT Governance
This presentation covers the foundations of a successful IT Governance and Policy Compliance program and how an organization can seamlessly align IT controls and processes with strategic business objectives.

Presentation Transcript

  • Automating Policy Compliance and IT Governance. Jason Creech, Director of Strategic Alliances
  • IT GRC
    • Information Technology – Governance, Risk, & Compliance
    • Became mainstream about two years ago
    • G, R, and C no longer considered separate silos
    • Focus on the commonalities between the disciplines
    • Aligns IT initiatives with business objectives
    • So what is GRC?
  • Basic IT GRC Definitions
    • IT Governance: Defines how decisions will be made, by whom, with what accountability, and how they are measured
    • IT Risk Management: Ensures strategic IT objectives take into account acceptable levels of risk in relation to stakeholders, industry mandates, and regulations
    • IT Compliance: Establishes and monitors IT controls and ensures that decisions are made and prioritized in accordance with policy
  • Why Do We Need IT GRC?
    • To meet regulatory requirements and industry mandates
    • To address the needs of stakeholders
    • To prioritize IT tasks for elimination of critical IT risks
    • To facilitate internal and external audit requirements
    • To align IT processes with business objectives
  • Challenges?
    • Increasing Regulatory Requirements
    • Different Stakeholders With Different Needs
    • Manual Processes In Reporting Compliance
    • Communication Between Departments
  • Regulatory Landscape
    • Increasing in number
    • No standardization
    • Constantly changing
    • Timeline shown on the slide, from the 1990s to 2000 and beyond:
      • FDA 21 CFR Part 11 (Pharma)
      • HIPAA Security Rule
      • EU Data Protection Directive
      • GLBA
      • PIPEDA (Canada)
      • FDCC/SCAP
      • NIST SP 800-53
      • PCI Data Security Standard
      • EC Data Privacy Directive
      • BS 7799 / ISO 17799 / 27001 / 27002
      • FISMA 2002
      • Basel II Accord
      • Sarbanes-Oxley
      • NERC
      • California SB 1386 (Privacy)
      • FFIEC IT Exam Handbook
      • ITIL v3
  • Meet Compliance Stakeholder Needs
    • Consolidate security data
    • Proactively identify threats
    • Prioritize IT risks
    • Assign and verify remediation
    • Compliance and Security Summary Metrics
    • Reduce reporting costs
    • Identify areas of risk to the LOB
    • Reduce audit costs
    • Automate collection of audit data
    • Automate views into security data
    • Automate risk & regulatory reporting
    • Prioritize and track remediation
    • Utilize existing remediation tools
    • Closed-loop workflow
  • Bridging Departmental Gaps: Simple Compliance Framework
    • The slide arranges the framework along two axes: Detail (from Framework Level down to Detailed Technical) and the Knowledge and Expertise each level requires.
    • Roles: BU Managers/Audit, Compliance, Security Operations
    • Layers: Policies, Standards, Business Requirements; Controls (Manual/Auto); Procedures and Guidelines; Enforcement
    • Regulations, frameworks, and standards: SOX, HIPAA, GLBA, CobiT, COSO, ISO17799, PCI, NIST, NERC
    • Example traced through the layers:
      • Policy: "Vulnerable processes must be eliminated."
      • Control: CID 1130, "The telnet daemon shall be disabled" (AIX 5.x)
      • Technology rationale: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by threat agents.
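To make the policy-to-control chain on this slide concrete, the following added example (not QualysGuard code, and not from the presentation) evaluates the slide's example control, CID 1130, against constructed AIX `/etc/inetd.conf` contents and emits a pass/fail finding with evidence. The `Control` class, the `evaluate` function and the sample snapshots are assumptions made for the illustration.

```python
"""Automated check for CID 1130, 'The telnet daemon shall be disabled' (AIX 5.x),
as an added example of turning a policy statement into a machine-evaluated control."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    cid: str        # control identifier as printed on the slide
    policy: str     # policy statement the control implements
    statement: str  # the control itself
    service: str    # inetd service whose live entry violates the control

CID_1130 = Control(
    cid="CID 1130",
    policy="Vulnerable processes must be eliminated",
    statement="The telnet daemon shall be disabled",
    service="telnet",
)

def active_inetd_services(inetd_conf: str) -> set:
    """Return service names with a live (uncommented) entry in inetd.conf text.
    Fields: service socket-type protocol wait/nowait user program args.
    On AIX a leading '#' disables the entry, so commented lines are ignored."""
    services = set()
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        services.add(line.split()[0])
    return services

def evaluate(control: Control, inetd_conf: str) -> dict:
    """One finding: PASS if the controlled service has no live entry, else FAIL."""
    active = active_inetd_services(inetd_conf)
    passed = control.service not in active
    return {"cid": control.cid, "statement": control.statement,
            "status": "PASS" if passed else "FAIL",
            "evidence": f"inetd services active: {sorted(active)}"}

# Constructed sample snapshots (hypothetical hosts, not captured from real systems).
NONCOMPLIANT = """\
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
#tftp   dgram   udp6    SRC     nobody  /usr/sbin/tftpd     tftpd -n
"""
COMPLIANT = NONCOMPLIANT.replace("\ntelnet", "\n#telnet")  # telnet entry disabled

if __name__ == "__main__":
    for host, snapshot in (("host-a", NONCOMPLIANT), ("host-b", COMPLIANT)):
        print(host, evaluate(CID_1130, snapshot))
```

Each finding carries the control identifier and the observed evidence, which is the shape of record the slide's "Controls (Manual/Auto)" layer hands to Compliance and Audit.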
  • QualysGuard Simplifies and Automates
    • An agent-less and scalable audit technology in a SaaS model
    • Automates the harvesting of IT data
    • Identifies violations of IT Policy
    • Improves relevance of IT data to regulatory concerns.
      • Sarbanes-Oxley
      • HIPAA
      • GLBA
      • FISMA
      • CobiT
      • ISO27002
      • FFIEC
      • ITIL
  • Benefits
    • Immediate Deployment
    • Ease of Use / Automated
    • Accuracy
    • Scalability
    • Flexible Reporting
    • Security
    • Cost-Effective / Lowest TCO
  • How does QualysGuard PC Work?
    • Leverages Same Infrastructure as QualysGuard VM…
  • Summary
    • QualysGuard Policy Compliance automates the IT GRC process via:
      • SaaS model
      • Agent-less design
      • Seamless integration
      • Scheduled collection of compliance data
      • Sharing of compliance data across the organization
    • Security and regulatory compliance convergence in one single application delivered as SaaS