Automating Policy Compliance and IT Governance - Presentation Transcript
Jason Creech, Director of Strategic Alliances Automating Policy Compliance And IT Governance
IT GRC
Information Technology – Governance, Risk, & Compliance
Became mainstream about two years ago
G, R, and C no longer considered separate silos
Focus on the commonalities between the disciplines
Aligns IT initiatives with business objectives
So what is GRC?
Basic IT GRC Definitions
IT Governance
Defines how decisions will be made, by whom, with what accountability, and how they are measured
IT Risk Management
Ensures strategic IT objectives take into account acceptable levels of risk in relation to stakeholders, industry mandates, and regulations
IT Compliance
Establishes and monitors IT Controls and ensures that decisions are made and prioritized in accordance with policy
Why Do We Need IT GRC
To Meet regulatory requirements and industry mandates
To Address needs of stakeholders
To Prioritize IT tasks for elimination of critical IT risks
To Facilitate internal and external audit requirements
To Align IT process with business objectives
Challenges?
Increasing Regulatory Requirements
Different Stakeholders With Different Needs
Manual Processes In Reporting Compliance
Communication Between Departments
Regulatory Landscape
Increasing in number
No standardization
Constantly changing
Timeline from the 1990s to 2000 and beyond:
FDA 21 CFR Part 11 (Pharma)
HIPAA Security Rule
EU Data Protection Directive
GLBA
PIPEDA (Canada)
FDCC/SCAP
NIST SP 800-53
PCI Data Security Standard
EC Data Privacy Directive
BS 7799 / ISO 17799 / 27001 / 27002
FISMA 2002
Basel II Accord
Sarbanes-Oxley
NERC
California SB 1386 Privacy
FFIEC IT Exam Handbook
ITIL v3
Meet Compliance Stakeholder Needs
Consolidate security data
Proactively identify threats
Prioritize IT risks
Assign and verify remediation
Compliance and Security Summary Metrics
Reduce reporting costs
Identify areas of risk to the LOB
Reduce audit costs
Automate collection of audit data
Automate views into security data
Automate risk & regulatory reporting
Prioritize and track remediation
Utilize existing remediation tools
Closed-loop workflow
Bridging Departmental Gaps: Simple Compliance Framework
Layers, from framework level down to detailed technical (detail, knowledge and expertise increase at each level):
Regulations, Frameworks, Standards (BU Managers / Audit): SOX, HIPAA, GLBA, CobIT, COSO, ISO17799, PCI, NIST, NERC
Policies, Standards, Business Requirements (Compliance). Example: "Vulnerable processes must be eliminated."
Controls (Manual/Auto): CID 1130, "The telnet daemon shall be disabled" (AIX 5.x)
Procedures and Guidelines, Enforcement (Security Operations, Technology): Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by threat agents.
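As an added illustration (not code from the presentation or from Qualys) of how the "Controls (Manual/Auto)" layer can be automated, the check below evaluates the slide's example control, CID 1130 "The telnet daemon shall be disabled", against an inetd.conf excerpt. It assumes an AIX 5.x style host where telnetd is launched by inetd and a disabled service appears as a commented-out line; the configuration sample is constructed.

```python
"""Automated evaluation of one technical control (CID 1130, telnet daemon
disabled) mapped back to the policy statement it enforces.
Assumption: on the target host, /etc/inetd.conf is the source of truth."""
from dataclasses import dataclass

# Constructed sample of an AIX-style /etc/inetd.conf excerpt; telnet is
# disabled here because its service line is commented out.
SAMPLE_INETD_CONF = """\
## inetd.conf (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
ntalk   dgram   udp     wait    root    /usr/sbin/talkd        talkd
"""


@dataclass
class ControlResult:
    control_id: str   # identifier from the controls layer, e.g. "CID 1130"
    policy: str       # policy statement the control enforces
    passed: bool      # True when the host is compliant
    evidence: str     # the configuration lines that justify the verdict


def inetd_service_enabled(conf_text: str, service: str) -> list[str]:
    """Return the active (uncommented) inetd.conf lines that start `service`."""
    hits = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments do not start a service
        if line.split()[0] == service:
            hits.append(line)
    return hits


def check_cid_1130(conf_text: str) -> ControlResult:
    """Evaluate CID 1130: the control passes only if no active telnet entry exists."""
    active = inetd_service_enabled(conf_text, "telnet")
    return ControlResult(
        control_id="CID 1130",
        policy="Vulnerable processes must be eliminated",
        passed=not active,
        evidence="; ".join(active) if active else "no active telnet entry in inetd.conf",
    )


if __name__ == "__main__":
    r = check_cid_1130(SAMPLE_INETD_CONF)
    print(f"{r.control_id}: {'PASS' if r.passed else 'FAIL'} ({r.evidence})")
```

Pointing the same check at a fleet of collected inetd.conf files gives the per-host evidence that the reporting layer of the framework expects.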
QualysGuard Simplifies and Automates
An agent-less and scalable audit technology in a SaaS model
Automates the harvesting of IT data
Identifies violations of IT Policy
Improves relevance of IT data to regulatory concerns.
Sarbanes-Oxley
HIPAA
GLBA
FISMA
CobiT
ISO27002
FFIEC
ITIL
Benefits
Immediate Deployment
Ease of Use / Automated
Accuracy
Scalability
Flexible Reporting
Security
Cost-Effective / Lowest TCO
How does QualysGuard PC Work?
Leverages Same Infrastructure as QualysGuard VM…
Summary
QualysGuard Policy Compliance Automates IT GRC process via:
SaaS model
Agent-less design
Seamless integration
Scheduled Collection of compliance data
Sharing of compliance data across the organization
Security and Regulatory Compliance Convergence in one single application delivered as SaaS
This presentation covers the foundations of a successful IT Governance and Policy Compliance program and how an organization can seamlessly align IT controls and processes with strategic business objectives.