System Center 2012 - IT GRC

Identity Management | Data Protection | Authentication Strategies

System Center – IT GRC
Presented by Edgile
January 2013

© 2013 Edgile, Inc. – All Rights Reserved

Table of Contents

1 Introductions

2 IT GRC Perspectives

3 Overview of SC IT GRC

4 SC IT GRC Demo

5 Next Steps

Introductions
Business-Aligned Security

Aligning Security
with the Strategy,
Goals and Demands
of the Business

Edgile aligns security with the strategy, goals and demands
of the business; allowing us to redefining security in terms
of Strategic Capabilities and transform the perception of
security from a risk reduction activity into a Strategic
Imperative for the company.

© 2013 Edgile, Inc. – All Rights Reserved 3

Introductions
Edgile Background
Established in 2001 by Partners and Senior Managers from Deloitte
to Deliver Security Solutions to Leading Companies:
 Microsoft Security Solutions from the boardroom to the network
 Addressing the most challenging
security issues confronting
our customers
 Long-term relations drive solutions
from strategy to deployment
High
Edgile Exceeds Big-4 in Quality Boutiques

and Style: MS VARS

 Senior resources with real Expertise
Competitors
Junior Resources,
world experience High % of Clients Not
Reference-able Big 4
 Small, focused and capable teams Low

Low High
 Senior technologist Professionalism


Introductions
Edgile Services Framework


Introductions
Representative Clients


Introductions
Understanding Your Needs

 What are the specific laws, regulations and internal
IT GRC policies that you are required to comply with?
Drivers
 Any strategic business initiatives for IT?

 What are the key IT challenges related to meeting
Challenges the GRC requirements?
 What are some opportunities?

 What are your general IT GRC goals and
Goals and objectives?
Objectives  What are your goals and objectives in evaluating
the System Center IT GRC capabilities?


IT GRC Perspectives
GRC Trends

Current State Future State
 Managed in silos  Enterprise approach
 Mostly reactionary  Integrated GRC
 More projects than programs  Program-based approach
 Handled separately from mainstream  Embedded within mainstream
processes and decision-making processes and decision-making
 People used as middleware  Effective use of information
 Limited and fragmented use technology
of technology  Architected solutions


IT GRC Perspectives
The Weak Link
GRC Visibility GRC Frameworks Laws, Regulations,
 KPIs  COBIT Corporate Policies
 KRIs  ISO 27001  Data Protection
 GRC Intelligence  ITIL  Breach Notification
 SOX, PCI, HIPAA, etc.
 Security and Privacy

GRC Platform
 Archer (RSA)
 MetricStream
 OpenPages (IBM)
 Edgile iGRC

Collection of Controls Evidence

IT Assets Non-IT Assets Business and
 Servers  Physical Property IT Processes
 Clients  Intellectual  Financial
 Network Property  Sales
 Operations

For the Majority of Organizations, this is Still a Very Manual Process


IT GRC Perspectives
Controls & Compliance Automation
A set of control objectives and activities
Internal
that support the requirements imposed
Controls
by laws, regulations and internal policies.

Controls The ability to implement internal controls
Automation in an automated manner.

The ability to automate the measuring
Compliance
and reporting of the effectiveness of
Automation
implemented internal controls.

Automated
Automated procedures to verify and
Controls and
demonstrate that the control activities are
Compliance
operating as intended.
Testing


IT GRC Perspectives
Beyond Compliance
 The Center for Strategic and International Studies has published The Twenty
Critical Security Controls for Effective Cyber Defense: Consensus Audit
Guidelines* Aligning Security
 The automation of these Top 20 Controls will radically lower the cost of
with the Strategy,
security while improving its effectiveness. The U.S. State Department has
Goals and Demands
already demonstrated more than 94% reduction in "measured" security risk
through the rigorous automation andBusiness of the Top 20 Controls
of the measurement
 The top 3 critical security controls are:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile
Devices, Laptops, Workstations and Servers

System Center and the IT GRC Management Pack Can Address the Top
3 Critical Security Controls through Controls and Compliance Automation

*Additional information available at http://www.sans.org/critical-security-controls/


IT GRC Perspectives
Asset Life Cycle Management
1. Perform
Inventory

7. Report on 2. Create Key Control Objectives
Compliance and Control Activities

 Service Manager
 Configuration Manager
6. Remediate and DCM 3. Create Configuration
Variances  Operations Manager Baselines in DCM

5. Monitor and Alert 4. Deploy
on Baseline Variances Baselines


Overview of System Center IT GRC
IT GRC Process
Management Pack
Provides: Managed Computers
System
Document Management Center
Program Management
Control Management
Provides: Service Provides Compliance
Risk Management
Incident Management Manager Test Automation
GRC Incident Management
Problem Management Connector – IT Compliance
Knowledge Library
Change Management – Management Library
– Microsoft Control Library
Configuration Management – Management Packs
– IT Compliance
– Management Library
– Management Packs

The Process Pack for IT GRC is a Process Management Pack for System
Center Service Manager 2012
 Provides a platform for performing compliance and  Uses the Desired Configuration Management (DCM)
risk management by extending the infrastructure of feature in Configuration Manager along with product
System Center Service Manager (SCSM) specific baselines to enable control test automation
 Uses components of SCSM including the  The Configuration Manager connector populates
configuration management database (CMDB), class the Service Manager data warehouse database with
model, data warehouse infrastructure, reporting control test results, which are processed for validation
features and Connector Framework against compliance objectives


SC IT GRC Demo
Demo Environment
SM-2012-03
DC-2012-01 Service Manager 2012
Active Directory, DNS Windows 2008 R2
Windows Server 2012 SQL Server 2008 R2

SM-2012-04
SM Data Warehouse
Windows Server 2008 R2
SQL Server 2008 R2

CM-2012-01
Configuration Manager 2012 SP1
Windows Server 2012
SQL Server 2012

OM-2012-01
Operations Manager 2012 SP1
Windows Server 2012
SQL Server 2012


SC IT GRC Demo
Use Case Scenarios
Premise: Company’s CISO elected to pursue ISO27001 certification. To achieve certification, IT:
 Is required to manage and secure devices according to ISO27001 standards
 Decided to use System Center 2012 (SC12) to maintain a device inventory in the CMDB
 Implemented SC12, the Process Pack for IT GRC and applied the ISO27000 program control objectives and activities
 Can assert all critical devices are configured securely according to defined baselines and maintained to ensure that
deviations are corrected in a timely manner

 Description: SCM used to export the ISO27000 configuration
UC 1: Deploy baseline to a DCM pack. Customize items in baseline; setup
targets and deploy. Install the ISO27000 Program in SCSM and
Secure customize the automated control activity for account lock.
Baselines  Benefit Highlighted: Ability to customize and standardize
baselines for deployment.

UC 2: Perform  Description: Schedule Configuration Manager to perform
automated testing of control.
Automated  Benefit Highlighted: Automated testing of deviations from
Testing baselines.

 Description: From SCSM, verify compliance status using
Configuration Manager test results. Control test results can be
UC 3: Report exported to other GRC platforms. Perform remediation as needed.
and Remediate  Benefit Highlighted: Automated monitoring, collection and
reporting of control test results.


SC IT GRC Demo
UC 1: Deploy Secure Baselines
1. Export ISO27000
Configuration Baseline

Security Compliance DCM SCCM
Manager Pack Devices
with
2. Customize Secure
Baseline; Setup Baselines
Targets and Deploy

3. Install ISO27000
Program and
Customize Controls

SCSM


SC IT GRC Demo
UC 2: Perform Automated Testing

1. Schedule 2. Automated Scanning
Automated Testing and Collection

SCCM
Devices
with
Compliant
Baselines

Devices with Non-Compliant Baselines


SC IT GRC Demo
UC 3: Report and Remediate
3. Remediate 4. Updates

SCCM

2. Verify Compliance Devices
Status with
Non-Compliant
Baselines

1. Control Test Results

SCSM Data Warehouse

5. Export Control Test Results

IT GRC Platform


Managing External Control Feeds
Evidence supporting other external control events may be collected, processed and distributed
from the SCSM data warehouse. Example:
 An employee leaves the company, and by policy accounts, are disabled within 24 hours in AD
 An Identity and Access Management (IAM) system can trigger a record creation in the SCSM data warehouse
 The record is updated once the AD account is disabled and resulting report serves as compliance evidence
 Subsequently, SCSM can export the status to an IT GRC platform or SharePoint dashboard portal

IAM System Dashboard Portal

1. Create Event 2. Update Event
Record Record

3. Export Compliance Status

SCSM Data Warehouse IT GRC Platform


Next Steps
Typically clients pursue one of the activities and deliverables.

Requirements Development Proof of Concept and Roadmap
 Understand business needs and priorities  Demonstrate solution can meet business RQMTs
 Gather and analyze requirements and use cases  Well defined based on value add use cases
 3 to 5 weeks based on scope  2 to 3 weeks
 $25K to $50K* based on scope  $15K to $25K* (other pricing options are available)
 Deliverable: Requirements and Recommendations  Deliverable: POC Environment and Executive
document presentation

Automation Value Analysis SCCM Process Pack Design
 Develop benefits objectives, monetary benefits  Identify non-functional, technical requirements
 Identify cost drivers and factors  Detail infrastructure components, key decisions
 3 to 5 weeks based on scope  4 to 6 weeks based on scope
 $25K to $50K* based on scope  $35K to $60K* based on scope
 Deliverable: Detailed Analysis Workbook and  Deliverable: SCCM Process Pack Design document
Executive presentation

* Does not include out-of-pocket expenses


Table of Contents

6 Addendum

Addendum
Edgile iGRC Solution Overview
Intelligent Governance, Risk and Compliance

Content Software Services
 Annual subscription  Annual subscription  Strategy and roadmap
 Quarterly updates  SaaS offering  Implementation
 Harmonized library  Management capabilities  Risk assessment
 Content available for: for:  Control definition
– Audit
– Financial Services  Remediation planning
– Policy, Standards
– Healthcare
– Risk (ERM, ORM & IT)  Compliance readiness
– Life Sciences
– Compliance – HIPAA/HITECH/HITRUST
– Retail
– Regulatory – PCI DSS (Edgile is a QSA)
– Government
– Finding & Remediation – GLBA and FFIEC
– Manufacturing
– Vendor Risk Management – Sarbanes Oxley
– Gaming
– Business Continuity Planning – etc.
– Energy


Addendum
Edgile iGRC Solution Overview
Portal
iGRC Portal Audience Specific Users iGRC Enabled
 Risk Assessment
Security Business
Business 1 Business 2
& Privacy
Risk Team
Continuity
…  Compliance Management
 Vendor Risk Management
 Findings & Remediation
Reporting Dashboard
Analytics
Workflow
Control
… Management
Engine Plan  Identity Management
Common Utilities  Access Management
 Role Attestation & Certification
 Regulatory Framework
 Key Risk Monitoring
Data  Business Continuity
Database Management
Warehouse
 Control Plan Management
 Configuration Management
 Vulnerability Management
Extract, Transform, Load (ETL)
 Threat Intel Monitoring
 Asset & Inventory Management
 Patch Management
 Change Management
Business & Property Plant
Departments
IT Processes
Applications Infrastructure
& Equipment  IT Process Automation
 Run Book Automation
 etc.


System Center 2012 - IT GRC

More Related Content

What's hot

Viewers also liked

Similar to System Center 2012 - IT GRC

More from Norman Mayes

Recently uploaded

System Center 2012 - IT GRC