TalaTek Enterprise Compliance Management Solution
•
1 like•445 views
TalaTek provides an Enterprise Compliance Management Solution (ECMS) that transforms security authorization and accreditation documentation into an enterprise risk management process. ECMS provides total visibility and control over compliance through centralized risk measurements, security trend analysis, and continuous monitoring across all system assets. It gives managers an at-a-glance view of organizational risk and integrates with federal reporting requirements.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to TalaTek Enterprise Compliance Management Solution
Similar to TalaTek Enterprise Compliance Management Solution (20)
Recently uploaded
Recently uploaded (20)
TalaTek Enterprise Compliance Management Solution
- 1. Security as a Service: Enterprise Compliance Management Solution (ECMS) by TalaTek LLC
- 2. • TalaTek provides cost-effective, in-depth solutions to your compliance issues by managing your risk – We guide agencies and businesses in the management and automation of their compliance requirements enabling them to meet their security needs. • TalaTek’s ‘Security as a Service’ (SaaS) model transforms the customary documentation exercise into a value-add process – We make it our job to be up-to-date on complicated industry standards and regulations in order to help you meet them. We are your committed security resources. • TalaTek pioneered efforts to change how the Security Authorization & Accreditation (SA&A) is performed in the federal government – We successfully implemented a solution that changed a stove-piped documentation effort to an enterprise risk management process meeting NIST standards • TalaTek provides you with total control and visibility into the compliance and security process – Risk measurements for all system assets are consolidated on one, central database offering a dashboard that highlights risks, security trends, and status of mitigation plans • TalaTek gives management an at-a-glance view of their risk across the entire organization – Our solution also provides on-demand reports and integrates with OMB’s CyberScope reporting requirements. 2 TALATEK ECMS Solution Overview | Why TalaTek
- 3. 3 The Problem The current Security Authorization & Accreditation process ‘as implemented’ is an open ended process that is missing some key components: 1. Visibility and control over the process 2. Ability to research trends and impact of security weaknesses and/or investments in security 3. Risk measurement metrics by which to assess the threats against critical assets/data 4. Continuous monitoring of risk TALATEK ECMS Solution Overview |
- 4. 4 The Solution TALATEK ECMS Solution Overview |
- 5. 5 What is ECMS TalaTek Enterprise Compliance Management Solution (ECMS) is currently implemented at the Pension Benefits Guaranty Corporation (PBGC), where TalaTek is a prime contractor supporting the Continuous Monitoring program for the PBGC Paying Agent services. The TalaTek ECMS is a managed service that includes: • Risk management and compliance services through a Governance, Risk Management and Compliance (GRC) application • The GRC application is hosted for our clients and managed by TalaTek TALATEK ECMS Solution Overview | ECMS can be installed at the customer’s private data center or in a private cloud at a hosting facility. We use ECMS as our methodology to deliver quality risk management services for our clients. We believe that our customers shouldn't have to choose between compliance and security, we provide both using people, process and technology.
- 6. ECMS - An Enterprise Solution TALATEK ECMS Solution Overview | Lack of awareness of risks is a key challenge to information risk management. Our solution provides an organization-wide approach to continuous monitoring of information and information system security. Consolidating compliance input from the various sources Measuring control effectiveness Providing actionable data measurements for all enterprise systems Enterprise-Wide Security Compliance Status and Management Workstations Network Devices Web Servers Email Servers Mobility System B System C System A 6
- 7. How ECMS Solves the Problem • Improving the risk model for the organization based on the risk analysis •Inherited controls impact on the system • POA&M tracking and prioritization • Residual Risk measurements that correspond to the impact and likelihood of a given risk • Affect of implemented security tools/processes • Determine need for additional measures Risk Trend Analysis Qualitative and Quantitative Control Measures Continuous Monitoring Prioritization of Risk and Remediation Measures Our solution improves the security process by providing a focus on Risk Management and Continuous Monitoring in accordance with NIST requirements: 7 TALATEK ECMS Solution Overview |
- 8. Agency (Overall) 0.658 DC_1 (0.612) DC_2 (0.724) DC_3 (0.724) System1 0.617 System2 (0.723) System3 ( 0.748) System4 (0.32) 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 Risk Per System ResidualRiskValues Risk Measurements Across Agency Systems Trend Analysis- Residual Risk Calculations Calculation of residual risk for all non-compliant controls per measured system. Agency risk: measures risk at the top tier of the agency, based on cumulative risk of all systems Data Center risk: measures risk as a cumulative value of all hosted systems TALATEK ECMS Solution Overview |10
- 9. Continuous Monitoring NIST 800-137 Continuous Monitoring Continuous monitoring of security and risk is a challenging task in light of the constant organizational change with system additions, upgrades and decommissions, changes to operating environments, and the ever increasing quantity and sophistication of security threats. Process management capabilities of the CMS solution, allow TalaTek to: Map to Risk Tolerance Adapt to ongoing needs Actively involve management TALATEK ECMS Solution Overview |12
- 10. Common Controls Provider Implementation of common controls raises challenges in compliance management, such as the need for: • Simple means for risk measurements • Clear responsibility of control implementation • Accountability for mitigation strategies With the Talatek solution, metrics are developed for system-level data to make it meaningful in the context of mission/business or organizational risk management. TALATEK ECMS Solution Overview |15
- 11. A moderate system - 250+ controls and enhancements based on NIST 800-53 Rev 4.0 Challenges for an agency with several systems: • Manage the thousands of controls consistently • Ensure a uniform process • Make sense of the data collected Managing Thousands of Controls TALATEK ECMS Solution Overview | TalaTek’s solution provides a central database for searches, metrics, trend analysis, and reporting. 16
- 12. Security Categorizati on 800-60 FIPS 199 Privacy Impact Assessment System Security Plan Risk Assessment Other Deliverables For each system undergoing the compliance process there are a set of deliverables that need to be created, maintained and updated on a continuous basis. Talatek solution allows us to create centralized templates that are used consistently across all systems. Any updates can be done once and used uniformly by all users. Compliance Deliverables 17 TALATEK ECMS Solution Overview |
- 13. 18 Risk Management Security Categorization Questionnaire NIST 800-60 Privacy Impact Assessment Questionnaire Security Authorization & Accreditation (SA&A) Documents Repository POA&M Management Continuous Monitoring FISMA Reporting Resource Management- Reminders and Escalations TalaTek ECMS Summary TALATEK ECMS Solution Overview |
- 14. About TalaTek Specialties: Risk Management, Compliance and Security Services Women-Owned Small Business (WOSB) founded in 2006 2010 GISLA* awards (ISC2) finalist Sustained annual growth and excellent client references Expertise in ITIL, NIST, HIPAA and ISO 27001 Headquarters in Oakton, Virginia, with multiple Federal and commercial customers TalaTek, LLC info@talatek.com TALATEK ECMS Solution Overview | *Government Information Security Leadership Awards (GISLA) 19
Editor's Notes
- The talatek managed services provide (blue arrows) the security process which focuses on security investment analysis, such as the results of the use of security and compliance products, measurements for qualitative controls,With a feedback process that continually improves the risk model for the organization based on specific metrics. The solution offers the control evaluation that delivers user friendly information via a web portal, to include: risk analysis and remediation status/priority, Automated SSP/SAR and other custom reports, Automated POA&M management/prioritization and tracking.The information is available at the system level and at the enterprise level, allowing for trends and risks to be tracked and measured across all enterprise systems, replacing the old approach to compliance.All that yields results (green arrows) represented in improved procedures, feedback on policy, improved enterprise security and compliance management.The overall benefit is an effective continuous monitoring process in accordance with NIST SP 800-137.
- An organization-wide approach to continuous monitoring of information and information system security supports risk-related decision-making at the organization/governance level, the mission/business process level, and the information systems level.We solve that problem by: Consolidating compliance input from the various sourcesMeasuring control effectivenessProviding actionable data measurements for all enterprise systems
- Define a continuous monitoring strategy based on risk tolerance that maintains clear visibility into assets and awareness of vulnerabilities and utilizes up-to-date threat information.Establish measures, metrics, and status monitoring and control assessment frequencies that convey organizational security status and detect changes to the organization’s information infrastructure and environments of operation, maintain visibility into assets, awareness of vulnerabilities, knowledge of threats, and status of security control effectiveness in a manner that supports continued operation within established risk tolerances.Implement a continuous monitoring program to collect the data required for the predefined metrics and to report on findings; automate collection, analysis and reporting of data where possible.Analyze the data collected and Report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.Respond to findings with technical, management and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection.Review and Update the monitoring program, adjusting the continuous monitoring strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities; further enable data driven control of the security of an organization’s information infrastructure; and increase organizational resiliency.
- TalaTek believes in the need to change how ‘compliance’ is managed in the federal government We believe that during the next 5 years the government should be able to replace the focus on meeting compliance as a paper exercise, with an understanding the actual risks and threats to their information & IT infrastructureWe believe in the need for both the security experts and automated systems that generate credible and actionable continuous monitoring steps for the organizationWe believe it is important to provide the XSO’s with the needed awareness of the level of overall risk to make decisions about the investment in security measures Challenge the perception that vulnerability scans are all that an agency needs to protect its information’s availability, confidentiality and integrity Our solution addresses a key challenge to information risk management which is a lack of awareness of risks A holistic view of agency risks that provides the XSO’s with educated insights to make business-appropriate risk management decisionsThe team believes our success is measured by the increased awareness of our customer We believe in the need for both the security experts and automated systems that generate credible and actionable risk intelligence for the organization Security experts provide the understanding of risks mitigations and means for identified risks