Automating Policy Compliance and IT Governance


This presentation covers the foundations of a successful IT Governance and Policy Compliance program and how an organization can align IT controls and processes with strategic business objectives.

Published in: Technology


    1. Automating Policy Compliance and IT Governance
      Jason Creech, Director of Strategic Alliances
    2. IT GRC
      • Information Technology – Governance, Risk, & Compliance
      • Became mainstream about two years ago
      • G, R, and C no longer considered separate silos
      • Focus on the commonalities between the disciplines
      • Aligns IT initiatives with business objectives
      • So what is GRC?
    3. Basic IT GRC Definitions
      • IT Governance: defines how decisions will be made, by whom, with what accountability, and how they are measured
      • IT Risk Management: ensures strategic IT objectives take into account acceptable levels of risk in relation to stakeholders, industry mandates, and regulations
      • IT Compliance: establishes and monitors IT controls and ensures that decisions are made and prioritized in accordance with policy
    4. Why Do We Need IT GRC?
      • To meet regulatory requirements and industry mandates
      • To address the needs of stakeholders
      • To prioritize IT tasks for elimination of critical IT risks
      • To facilitate internal and external audit requirements
      • To align IT processes with business objectives
    5. Challenges?
      • Increasing regulatory requirements
      • Different stakeholders with different needs
      • Manual processes in reporting compliance
      • Communication between departments
    6. Regulatory Landscape
      • Increasing in number
      • No standardization
      • Constantly changing
      Timeline shown on the slide (1990s through 2000 and beyond): FDA 21 CFR Part 11 (Pharma), HIPAA Security Rule, EU Data Protection Directive, GLBA, PIPEDA (Canada), FDCC/SCAP, NIST SP 800-53, PCI Data Security Standard, EC Data Privacy Directive, BS 7799 / ISO 17799 / 27001 / 27002, FISMA 2002, Basel II Accord, Sarbanes-Oxley, NERC, California SB 1386 Privacy, FFIEC IT Exam Handbook, ITIL v3
    7. Meet Compliance Stakeholder Needs
      • Consolidate security data
      • Proactively identify threats
      • Prioritize IT risks
      • Assign and verify remediation
      • Compliance and security summary metrics
      • Reduce reporting costs
      • Identify areas of risk to the LOB
      • Reduce audit costs
      • Automate collection of audit data
      • Automate views into security data
      • Automate risk & regulatory reporting
      • Prioritize and track remediation
      • Utilize existing remediation tools
      • Closed-loop workflow
    8. Bridging Departmental Gaps: Simple Compliance Framework
      Layers run from framework level (BU Managers/Audit) to detailed technical (Operations); detail and required knowledge and expertise increase toward the technical end.
      • Roles: BU Managers/Audit, Compliance, Security, Operations
      • Artifacts: Policies, Standards, Business Requirements; Controls (Manual/Auto); Procedures and Guidelines; Enforcement
      • Drivers: Regulations, Frameworks, Standards (SOX, HIPAA, GLBA, CobIT, COSO, ISO 17799, PCI, NIST, NERC)
      Example, from policy to technical control:
      • Policy: "Vulnerable processes must be eliminated."
      • Control CID 1130: The telnet daemon shall be disabled. Technology: AIX 5.x
      • Rationale: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by threat agents.
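The CID 1130 example above is the whole point of the framework: a policy statement is tied to a concrete technical check a scanner can run, and the result is reported back up to the policy level. The block below is an added example, not code from the presentation or from Qualys, of that mapping carried through to a working check. It records CID 1130 as a control object, decides from a harvested /etc/inetd.conf whether telnetd is enabled on AIX (where inetd starts telnetd, so an uncommented telnet entry means the service is live), keeps the matching line as evidence, and rolls findings up into pass/fail counts. The host names, the inetd.conf excerpts and the SOX/HIPAA/PCI mapping are constructed assumptions for illustration.

```python
"""Policy-to-control traceability and an automated check for control CID 1130
("The telnet daemon shall be disabled", AIX 5.x) from the compliance-framework
slide.  Added example, not Qualys code: the policy text, control ID, target
technology and rationale come from the slide; the data model, the inetd.conf
samples and the evaluation logic are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    cid: str
    statement: str
    technology: str
    rationale: str
    policy: str        # policy statement the control implements
    frameworks: tuple  # drivers that cite the policy (illustrative only)


# The SOX/HIPAA/PCI mapping for CID 1130 is an assumption for illustration.
CID_1130 = Control(
    cid="1130",
    statement="The telnet daemon shall be disabled",
    technology="AIX 5.x",
    rationale="Telnet streams are transmitted in clear text, "
              "including usernames and passwords.",
    policy="Vulnerable processes must be eliminated",
    frameworks=("SOX", "HIPAA", "PCI"),
)


def telnet_entry(inetd_conf: str) -> Optional[str]:
    """Return the active telnet line from an inetd.conf, or None.

    On AIX, telnetd is started by inetd, so the service is enabled exactly
    when an uncommented 'telnet' entry exists.  Blank lines, comments and
    commented-out entries ('#telnet ...') do not count as enabled.
    """
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # inetd.conf fields: service socket protocol wait user server args
        if line.split()[0] == "telnet":
            return line
    return None


def evaluate(control: Control, host: str, inetd_conf: str) -> dict:
    """Evaluate one host against CID 1130, keeping the evidence with the result."""
    entry = telnet_entry(inetd_conf)
    return {
        "host": host,
        "cid": control.cid,
        "technology": control.technology,
        "status": "FAIL" if entry else "PASS",
        "evidence": entry or "no active telnet entry in /etc/inetd.conf",
        "policy": control.policy,
        "frameworks": control.frameworks,
    }


def summarize(findings: list) -> dict:
    """Roll findings up into the pass/fail counts a summary report needs."""
    counts = {"PASS": 0, "FAIL": 0}
    for f in findings:
        counts[f["status"]] += 1
    counts["failed_hosts"] = sorted(
        f["host"] for f in findings if f["status"] == "FAIL")
    return counts


# Constructed inetd.conf excerpts standing in for data an agent-less scan
# would harvest from two AIX hosts (hypothetical hosts, not real systems).
INETD_NONCOMPLIANT = """\
## service  socket  protocol  wait/nowait  user  server  server_program_arguments
ftp      stream  tcp6  nowait  root  /usr/sbin/ftpd     ftpd
telnet   stream  tcp6  nowait  root  /usr/sbin/telnetd  telnetd -a
#shell   stream  tcp6  nowait  root  /usr/sbin/rshd     rshd
"""

INETD_COMPLIANT = """\
ftp      stream  tcp6  nowait  root  /usr/sbin/ftpd     ftpd
#telnet  stream  tcp6  nowait  root  /usr/sbin/telnetd  telnetd -a
"""

if __name__ == "__main__":
    findings = [
        evaluate(CID_1130, "aix-db01", INETD_NONCOMPLIANT),
        evaluate(CID_1130, "aix-app02", INETD_COMPLIANT),
    ]
    for f in findings:
        print(f"{f['host']}: CID {f['cid']} {f['status']} ({f['evidence']})")
    print(summarize(findings))
```

The evidence field matters as much as the status: an auditor asking why a host failed gets the offending inetd.conf line, and the same record carries the policy statement and regulatory drivers, which is what lets one scan result be reported to Operations, Security, Compliance and Audit without re-keying.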
    9. QualysGuard Simplifies and Automates
      • An agent-less and scalable audit technology in a SaaS model
      • Automates the harvesting of IT data
      • Identifies violations of IT policy
      • Improves relevance of IT data to regulatory concerns: Sarbanes-Oxley, HIPAA, GLBA, FISMA, CobiT, ISO 27002, FFIEC, ITIL
    10. Benefits
      • Immediate deployment
      • Ease of use / automated
      • Accuracy
      • Scalability
      • Flexible reporting
      • Security
      • Cost-effective / lowest TCO
    11. How Does QualysGuard PC Work?
      • Leverages the same infrastructure as QualysGuard VM…
    12. Summary
      • QualysGuard Policy Compliance automates the IT GRC process via:
        • SaaS model
        • Agent-less design
        • Seamless integration
        • Scheduled collection of compliance data
        • Sharing of compliance data across the organization
      Security and regulatory compliance convergence in one single application delivered as SaaS