
System Center 2012 - IT GRC



IT GRC provides end-to-end IT governance, risk, and compliance (IT GRC) management and automation for desktop and datacenter computers.

Published in: Technology

Slide 1: System Center – IT GRC
  Identity Management | Data Protection | Authentication Strategies
  Presented by Edgile, January 2013
  © 2013 Edgile, Inc. – All Rights Reserved
Slide 2: Table of Contents
  1 Introductions
  2 IT GRC Perspectives
  3 Overview of SC IT GRC
  4 SC IT GRC Demo
  5 Next Steps
Slide 3 (Introductions): Business-Aligned Security
  Aligning Security with the Strategy, Goals and Demands of the Business
  Edgile aligns security with the strategy, goals and demands of the business, allowing us to redefine security in terms of strategic capabilities and to transform the perception of security from a risk-reduction activity into a strategic imperative for the company.
Slide 4 (Introductions): Edgile Background
  Established in 2001 by Partners and Senior Managers from Deloitte to deliver security solutions to leading companies:
  • Microsoft security solutions from the boardroom to the network
  • Addressing the most challenging security issues confronting our customers
  • Long-term relations drive solutions from strategy to deployment
  Chart: "Edgile Exceeds Big 4 in Quality and Style". Axes: Expertise (low to high) and Professionalism (low to high). Edgile is plotted high on both; the Big 4 (junior resources, high percentage of clients not reference-able), boutiques and MS VARs are plotted lower.
  • Senior resources with real-world experience
  • Small, focused and capable teams
  • Senior technologists
Slide 5 (Introductions): Edgile Services Framework (diagram)
Slide 6 (Introductions): Representative Clients (client logos)
Slide 7 (Introductions): Understanding Your Needs
  Drivers
  • What are the specific laws, regulations and internal IT GRC policies that you are required to comply with?
  • Any strategic business initiatives for IT?
  Challenges
  • What are the key IT challenges related to meeting the GRC requirements?
  • What are some opportunities?
  Goals and Objectives
  • What are your general IT GRC goals and objectives?
  • What are your goals and objectives in evaluating the System Center IT GRC capabilities?
Slide 9 (IT GRC Perspectives): GRC Trends
  Current State                                                      | Future State
  Managed in silos                                                   | Enterprise approach
  Mostly reactionary                                                 | Integrated GRC
  More projects than programs                                        | Program-based approach
  Handled separately from mainstream processes and decision-making   | Embedded within mainstream processes and decision-making
  People used as middleware                                          | Effective use of information technology
  Limited and fragmented use of technology                           | Architected solutions
Slide 10 (IT GRC Perspectives): The Weak Link
  Laws, Regulations, Corporate Policies: Data Protection; Breach Notification; SOX, PCI, HIPAA, etc.
  GRC Frameworks: COBIT; ISO 27001; ITIL; Security and Privacy
  GRC Visibility: KPIs; KRIs; GRC Intelligence
  GRC Platform: Archer (RSA); MetricStream; OpenPages (IBM); Edgile iGRC
  Collection of Controls Evidence from:
  • IT Assets: Servers, Clients, Network
  • Non-IT Assets: Physical Property, Intellectual Property
  • Business and IT Processes: Financial, Sales, Operations
  For the majority of organizations, this is still a very manual process.
Slide 11 (IT GRC Perspectives): Controls & Compliance Automation
  Internal Controls: a set of control objectives and activities that support the requirements imposed by laws, regulations and internal policies.
  Controls Automation: the ability to implement internal controls in an automated manner.
  Compliance Automation: the ability to automate the measuring and reporting of the effectiveness of implemented internal controls.
  Automated Controls and Compliance Testing: automated procedures to verify and demonstrate that the control activities are operating as intended.
Slide 12 (IT GRC Perspectives): Beyond Compliance
  • The Center for Strategic and International Studies has published The Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines*
  • The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The U.S. State Department has already demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.
  • The top 3 critical security controls are:
    1. Inventory of Authorized and Unauthorized Devices
    2. Inventory of Authorized and Unauthorized Software
    3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  System Center and the IT GRC Management Pack can address the top 3 critical security controls through controls and compliance automation.
  * Additional information available at
Slide 13 (IT GRC Perspectives): Asset Life Cycle Management
  1. Perform inventory
  2. Create key control objectives and control activities
  3. Create configuration baselines in DCM
  4. Deploy baselines
  5. Monitor and alert on baseline variances
  6. Remediate variances
  7. Report on compliance
  Supporting System Center components: Service Manager; Configuration Manager and DCM; Operations Manager
Slide 15 (Overview of System Center IT GRC): IT GRC Process Management Pack
  Stack diagram, top to bottom:
  • IT GRC Process Management Pack provides: Document Management; Program Management; Control Management; Risk Management; Compliance Test Automation; GRC Incident Management; IT Compliance Knowledge Library; Microsoft Control Library; Management Packs
  • System Center Service Manager provides: Incident Management; Problem Management; Change Management; Configuration Management; Connector; Management Library; Management Packs
  • Managed Computers
  Notes:
  • The Process Pack for IT GRC is a Process Management Pack for System Center Service Manager 2012
  • Provides a platform for performing compliance and risk management by extending the infrastructure of System Center Service Manager (SCSM)
  • Uses components of SCSM including the configuration management database (CMDB), class model, data warehouse infrastructure, reporting features and Connector Framework
  • Uses the Desired Configuration Management (DCM) feature in Configuration Manager along with product-specific baselines to enable control test automation
  • The Configuration Manager connector populates the Service Manager data warehouse database with control test results, which are processed for validation against compliance objectives
Slide 17 (SC IT GRC Demo): Demo Environment
  SM-2012-03: Service Manager 2012; Windows Server 2008 R2; SQL Server 2008 R2
  SM-2012-04: Service Manager Data Warehouse; Windows Server 2008 R2; SQL Server 2008 R2
  DC-2012-01: Active Directory, DNS; Windows Server 2012
  CM-2012-01: Configuration Manager 2012 SP1; Windows Server 2012; SQL Server 2012
  OM-2012-01: Operations Manager 2012 SP1; Windows Server 2012; SQL Server 2012
Slide 18 (SC IT GRC Demo): Use Case Scenarios
  Premise: the company's CISO elected to pursue ISO 27001 certification. To achieve certification, IT:
  • Is required to manage and secure devices according to ISO 27001 standards
  • Decided to use System Center 2012 (SC12) to maintain a device inventory in the CMDB
  • Implemented SC12 and the Process Pack for IT GRC, and applied the ISO27000 program control objectives and activities
  • Can assert that all critical devices are configured securely according to defined baselines and are maintained so that deviations are corrected in a timely manner
  UC 1: Deploy Secure Baselines
  • Description: Security Compliance Manager (SCM) is used to export the ISO27000 configuration baseline to a DCM pack. Customize items in the baseline; set up targets and deploy. Install the ISO27000 Program in SCSM and customize the automated control activity for account lockout.
  • Benefit highlighted: ability to customize and standardize baselines for deployment.
  UC 2: Perform Automated Testing
  • Description: schedule Configuration Manager to perform automated testing of the control.
  • Benefit highlighted: automated testing of deviations from baselines.
  UC 3: Report and Remediate
  • Description: from SCSM, verify compliance status using Configuration Manager test results. Control test results can be exported to other GRC platforms. Perform remediation as needed.
  • Benefit highlighted: automated monitoring, collection and reporting of control test results.
Slide 19 (SC IT GRC Demo): UC 1, Deploy Secure Baselines
  1. Export the ISO27000 configuration baseline from Security Compliance Manager (SCM) as a DCM pack
  2. In SCCM, customize the secure baseline, set up targets and deploy it to the devices
  3. In SCSM, install the ISO27000 Program and customize its controls
Slide 20 (SC IT GRC Demo): UC 2, Perform Automated Testing
  1. In SCCM, schedule the automated testing
  2. Automated scanning and collection sorts the targets into devices with compliant baselines and devices with non-compliant baselines
Slide 21 (SC IT GRC Demo): UC 3, Report and Remediate
  1. Control test results flow from SCCM into the SCSM data warehouse
  2. Verify compliance status in SCSM
  3. Remediate the devices with non-compliant baselines
  4. SCCM updates the devices
  5. Export control test results to the IT GRC platform
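The account-lockout control that UC 1 through UC 3 (and steps 3 to 6 of the asset life cycle on slide 13) run through Configuration Manager DCM, shown as an added PowerShell example. This is not code from the Edgile deck or from the Process Pack; it is the kind of discovery and remediation script pair a Configuration Manager 2012 Compliance Settings (DCM) configuration item of setting type "Script" would carry. The expected threshold of 5 invalid logons, the rule "value equals 5", and the temporary file name are assumptions; the real value comes from the imported SCM/ISO baseline.

```powershell
# Added example, not from the Edgile deck. Discovery and remediation logic for a
# Configuration Manager 2012 Compliance Settings (DCM) configuration item that tests
# the account lockout threshold control named in UC 1.
# Assumptions: the baseline requires a threshold of 5 invalid logons and the CI rule is
# "value equals 5". In the console, each function body is pasted into its own field
# (Discovery script / Remediation script); the evaluation at the bottom mirrors what the
# client does between the two when the rule is non-compliant.

$ExpectedThreshold = 5    # assumption: take the real value from the imported baseline

function Get-LockoutThreshold {
    # Discovery: export the effective local security policy and read LockoutBadCount
    # from its [System Access] section. secedit writes a UTF-16 INI file.
    # Returns the threshold (0 = lockout disabled), or -1 if the policy could not be read.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /quiet | Out-Null
        if (-not (Test-Path $cfg)) { return -1 }      # not elevated, or secedit failed
        $match = Get-Content -Path $cfg -Encoding Unicode |
                 Select-String -Pattern '^\s*LockoutBadCount\s*=\s*(\d+)' |
                 Select-Object -First 1
        if ($match) { return [int]$match.Matches[0].Groups[1].Value }
        return -1
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Set-LockoutThreshold {
    param([Parameter(Mandatory=$true)][ValidateRange(1, 999)][int]$Threshold)
    # Remediation: the client runs this only when the rule evaluated non-compliant and
    # "Run the specified remediation script when this setting is noncompliant" is enabled.
    & net.exe accounts /lockoutthreshold:$Threshold | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

# What the client does: discover, compare with the rule, remediate, re-check.
$actual = Get-LockoutThreshold
if ($actual -lt 0) {
    "Unable to read the local security policy; run elevated"
}
elseif ($actual -eq $ExpectedThreshold) {
    "Compliant: lockout threshold is $actual"
}
else {
    "Non-compliant: lockout threshold is $actual, baseline requires $ExpectedThreshold"
    Set-LockoutThreshold -Threshold $ExpectedThreshold
    "After remediation: $(Get-LockoutThreshold)"
}
```

Two caveats a practitioner should keep in mind. The exported value is the effective local policy, so on a domain member it already reflects any Group Policy that targets the machine; if a GPO sets the lockout threshold, `net accounts` will be overridden again at the next policy refresh and the durable fix is the GPO, not the remediation script. And the local lockout policy governs local accounts only; domain accounts are governed by the domain's account lockout policy, which this check does not touch.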
Slide 22: Managing External Control Feeds
  Evidence supporting other external control events may be collected, processed and distributed from the SCSM data warehouse. Example:
  • An employee leaves the company and, by policy, their accounts are disabled in AD within 24 hours
  • An Identity and Access Management (IAM) system can trigger a record creation in the SCSM data warehouse
  • The record is updated once the AD account is disabled, and the resulting report serves as compliance evidence
  • Subsequently, SCSM can export the status to an IT GRC platform or SharePoint dashboard portal
  Flow: 1. the IAM system creates the event record in the SCSM data warehouse; 2. the event record is updated when the account is disabled; 3. the compliance status is exported to the IT GRC platform and the dashboard portal
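The evidence record sketched on slide 22, as an added PowerShell example that is not part of the Edgile deck: for each user the IAM system reports as terminated, determine whether the AD account was disabled within the 24-hour policy window. Assumptions: the IAM feed is a CSV with SamAccountName and TerminationTime columns (the two rows below are constructed sample data); the ActiveDirectory module from Windows Server 2012 or RSAT is available; the time of disabling is read from the replication metadata of the userAccountControl attribute; the output file name is illustrative.

```powershell
# Added example, not from the Edgile deck. Builds the "account disabled within 24 hours"
# evidence described on the Managing External Control Feeds slide.
# Assumptions: IAM feed is a CSV with SamAccountName and TerminationTime (constructed
# sample below); ActiveDirectory module (Windows Server 2012 / RSAT) is available; both
# timestamps are treated as local time, so normalize first if the IAM feed is in UTC.

Import-Module ActiveDirectory

$SlaHours = 24                          # policy window from the slide
$Dc       = (Get-ADDomain).PDCEmulator  # any DC works: originating change time replicates

# Constructed sample of the IAM termination feed (replace with the real export).
$IamFeed = @"
SamAccountName,TerminationTime
jdoe,2013-01-14T17:30:00
asmith,2013-01-15T09:00:00
"@ | ConvertFrom-Csv

function Get-DisableEvidence {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][datetime]$TerminationTime,
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$SlaHours = 24
    )
    $record = New-Object PSObject -Property @{
        SamAccountName  = $SamAccountName
        TerminationTime = $TerminationTime
        DisabledAt      = $null
        HoursToDisable  = $null
        Status          = 'NotFound'    # NotFound | StillEnabled | WithinSla | SlaBreached
    }

    # -Filter rather than -Identity: an unknown account yields nothing instead of an error.
    $user = Get-ADUser -Server $Server -Filter "SamAccountName -eq '$SamAccountName'"
    if (-not $user) { return $record }
    if ($user.Enabled) { $record.Status = 'StillEnabled'; return $record }

    # The ACCOUNTDISABLE flag (0x2) lives in userAccountControl. Replication metadata
    # records when that attribute last changed on the originating DC, which is the best
    # "disabled at" timestamp AD itself keeps. Caveat: a later change to any other flag in
    # the same attribute moves this timestamp, so treat it as an upper bound.
    $meta = Get-ADReplicationAttributeMetadata -Object $user -Server $Server `
                -Properties userAccountControl
    $record.DisabledAt     = $meta.LastOriginatingChangeTime
    $record.HoursToDisable = [math]::Round(($meta.LastOriginatingChangeTime - $TerminationTime).TotalHours, 1)
    $record.Status = if ($record.HoursToDisable -le $SlaHours) { 'WithinSla' } else { 'SlaBreached' }
    return $record
}

# Evaluate the feed. This table is what the SCSM event record would be updated with and
# what gets exported to the GRC platform or dashboard portal.
$evidence = foreach ($row in $IamFeed) {
    Get-DisableEvidence -SamAccountName $row.SamAccountName `
                        -TerminationTime ([datetime]$row.TerminationTime) `
                        -Server $Dc -SlaHours $SlaHours
}
$report = $evidence | Select-Object SamAccountName, TerminationTime, DisabledAt, HoursToDisable, Status
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\account-disable-evidence.csv -NoTypeInformation
```

A negative HoursToDisable means the account was disabled before the IAM system recorded the termination, which still counts as within the SLA. Accounts that come back as NotFound deserve a look of their own: a deleted account is also "disabled" from an access standpoint, but the evidence trail for it lives in the recycle bin or deleted-objects container, not in this query.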
Slide 24: Next Steps
  Clients typically pursue one of the following activities and deliverables.
  Requirements Development and Roadmap
  • Understand business needs and priorities
  • Gather and analyze requirements and use cases
  • 3 to 5 weeks based on scope
  • $25K to $50K* based on scope
  • Deliverable: Requirements and Recommendations document
  Proof of Concept
  • Demonstrate that the solution can meet business requirements
  • Well defined, based on value-add use cases
  • 2 to 3 weeks
  • $15K to $25K* (other pricing options are available)
  • Deliverable: POC environment and executive presentation
  Automation Value Analysis
  • Develop benefits objectives and monetary benefits
  • Identify cost drivers and factors
  • 3 to 5 weeks based on scope
  • $25K to $50K* based on scope
  • Deliverable: Detailed Analysis Workbook and executive presentation
  SCCM Process Pack Design
  • Identify non-functional, technical requirements
  • Detail infrastructure components and key decisions
  • 4 to 6 weeks based on scope
  • $35K to $60K* based on scope
  • Deliverable: SCCM Process Pack Design document
  * Does not include out-of-pocket expenses
Slide 25: Table of Contents
  6 Addendum
Slide 26 (Addendum): Edgile iGRC Solution Overview, Intelligent Governance, Risk and Compliance
  Content
  • Annual subscription
  • Quarterly updates
  • Harmonized library
  • Content available for regulations: HIPAA/HITECH/HITRUST; PCI DSS (Edgile is a QSA); GLBA and FFIEC; Sarbanes Oxley; etc.
  • Content available for industries: Financial Services; Healthcare; Life Sciences; Retail; Government; Manufacturing; Gaming; Energy
  Software
  • Annual subscription
  • SaaS offering
  • Management capabilities for: Audit; Policy, Standards; Risk (ERM, ORM & IT); Compliance; Regulatory; Finding & Remediation; Vendor Risk Management; Business Continuity Planning
  Services
  • Strategy and roadmap
  • Implementation
  • Risk assessment
  • Control definition
  • Remediation planning
  • Compliance readiness
Slide 27 (Addendum): Edgile iGRC Solution Overview, Portal
  iGRC Portal: audience-specific users (Security & Privacy; Business Risk Team; Business Continuity; Business 1; Business 2; ...)
  iGRC-enabled capabilities: Risk Assessment; Compliance Management; Vendor Risk Management; Findings & Remediation; Identity Management; Access Management; Role Attestation & Certification; Regulatory Framework; Key Risk Monitoring; Business Continuity Management; Control Plan Management; Configuration Management; Vulnerability Management; Threat Intel Monitoring; Asset & Inventory Management; Patch Management; Change Management; IT Process Automation; Run Book Automation; etc.
  Common utilities: Reporting; Dashboard; Analytics; Workflow Engine; Control Plan Management; ...
  Data layer: Database; Data Warehouse; Extract, Transform, Load (ETL)
  Sources: Business Departments & IT Processes; Applications; Infrastructure; Property, Plant & Equipment