automating policy compliance and it governance

Jason Creech, Director of Strategic Alliances Automating Policy Compliance And IT Governance

Upload: qualys

Post on 18-Nov-2014


DESCRIPTION

This presentation covers the foundations of a successful IT Governance and Policy Compliance program and how an organization can seamlessly align IT controls and processes with strategic business objectives.

TRANSCRIPT

Page 1: Automating Policy Compliance and IT Governance

Automating Policy Compliance and IT Governance

Jason Creech, Director of Strategic Alliances

Page 2

IT GRC

Information Technology – Governance, Risk, & Compliance

- Became mainstream about two years ago
- G, R, and C no longer considered separate silos
- Focus on the commonalities between the disciplines
- Aligns IT initiatives with business objectives

So what is GRC?

Page 3

Basic IT GRC Definitions

IT Governance: Defines how decisions will be made, by whom, accountability, and measurement.

IT Risk Management: Ensures strategic IT objectives take into account acceptable levels of risk in relation to stakeholders, industry mandates, and regulations.

IT Compliance: Establishes and monitors IT controls and ensures that decisions are made and prioritized in accordance with policy.

Page 4

Why Do We Need IT GRC

- To meet regulatory requirements and industry mandates
- To address needs of stakeholders
- To prioritize IT tasks for elimination of critical IT risks
- To facilitate internal and external audit requirements
- To align IT process with business objectives

Page 5

Challenges?

- Increasing regulatory requirements
- Different stakeholders with different needs
- Manual processes in reporting compliance
- Communication between departments

Page 6

Regulatory Landscape

- Increasing in number
- No standardization
- Constantly changing

Timeline labels on the slide: 1990s; 2000 and beyond

- FDA 21 CFR Part 11 (Pharma)
- HIPAA Security Rule
- EU Data Protection Directive
- GLBA
- PIPEDA (Canada)
- FDCC/SCAP
- NIST SP 800-53
- PCI Data Security Standard
- EC Data Privacy Directive
- BS 7799 / ISO 17799 / 27001 / 27002
- FISMA 2002
- Basel II Accord
- Sarbanes-Oxley
- NERC
- California SB 1386 Privacy
- FFIEC IT Exam Handbook
- ITIL v3

Page 7

Meet Compliance Stakeholder Needs

- Consolidate security data
- Proactively identify threats
- Prioritize IT risks
- Assign and verify remediation
- Compliance and security summary metrics
- Reduce reporting costs
- Identify areas of risk to the LOB
- Reduce audit costs
- Automate collection of audit data
- Automate views into security data
- Automate risk & regulatory reporting
- Prioritize and track remediation
- Utilize existing remediation tools
- Closed-loop workflow

Page 8

Bridging Departmental Gaps

Simple Compliance Framework (a layered diagram on the slide):

- Regulations, Frameworks, Standards: SOX, HIPAA, GLBA, CobIT, COSO, ISO17799, PCI, NIST, NERC
- Policies, Standards, Business Requirements
- Controls (Manual/Auto)
- Procedures and Guidelines
- Enforcement

The diagram's axes run from "Framework Level" to "Detailed Technical" (labelled "Detail" and "Knowledge and Expertise"), with the audiences BU Managers/Audit, Compliance, Security, and Operations.

Example on the slide: "Vulnerable Processes must be eliminated.." maps down to CID 1130, "The telnet daemon shall be disabled" (AIX 5.x technology). Rationale: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by Threat Agents.
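The slide's point is that one policy statement at the framework level becomes a specific, machine-checkable control at the technical level. The following Python is an added example, not code from the Qualys deck or product: it evaluates the slide's own illustration, CID 1130 ("the telnet daemon shall be disabled" on AIX 5.x), against a constructed /etc/inetd.conf (on AIX, telnetd is started by inetd, so an active, uncommented telnet line means the control fails). The control record's field names and the host names are assumptions made for the example; the summary function shows how per-host results roll up into the kind of compliance metric the deck's stakeholder slides describe.

```python
"""
Added example (not from the Qualys deck): an automated check for the
control the slide uses as its illustration, CID 1130, "the telnet daemon
shall be disabled" on AIX 5.x.  On AIX the telnet daemon is started by
inetd, so the technical test is whether /etc/inetd.conf still carries an
active (uncommented) 'telnet' service line.  The inetd.conf content below
is constructed for the example; the control record's fields are an
assumed layout, not Qualys's schema.
"""
from dataclasses import dataclass

# Layered description of one control, mirroring the slide's framework:
# a policy statement at the top, a detailed technical control beneath it.
CONTROL_CID_1130 = {
    "cid": 1130,
    "policy_statement": "Vulnerable processes must be eliminated.",
    "control": "The telnet daemon shall be disabled",
    "technology": "AIX 5.x",
    "rationale": ("Telnet streams are transmitted in clear text, including "
                  "usernames and passwords; the session is susceptible to "
                  "interception."),
}

# Constructed samples of /etc/inetd.conf: one host still has telnet on,
# the other has the line commented out (the usual way to disable it).
INETD_CONF_TELNET_ENABLED = """\
## /etc/inetd.conf (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
#exec   stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
"""

INETD_CONF_TELNET_DISABLED = """\
## /etc/inetd.conf (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
"""


def active_inetd_services(inetd_conf: str) -> set:
    """Return the set of service names with an active (uncommented) entry."""
    services = set()
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented out: inetd will not start it
        services.add(stripped.split()[0])
    return services


@dataclass
class ControlResult:
    cid: int
    host: str
    status: str    # "PASS" or "FAIL"
    evidence: str  # what an auditor would see in the report
    control: str


def evaluate_cid_1130(host: str, inetd_conf: str) -> ControlResult:
    """Evaluate CID 1130 against the inetd configuration of one host."""
    telnet_on = "telnet" in active_inetd_services(inetd_conf)
    return ControlResult(
        cid=CONTROL_CID_1130["cid"],
        host=host,
        status="FAIL" if telnet_on else "PASS",
        evidence=("active 'telnet' entry found in /etc/inetd.conf"
                  if telnet_on else
                  "no active 'telnet' entry in /etc/inetd.conf"),
        control=CONTROL_CID_1130["control"],
    )


def summarize(results: list) -> dict:
    """Roll per-host results up into a summary metric for managers/audit."""
    failed = [r.host for r in results if r.status == "FAIL"]
    return {
        "cid": CONTROL_CID_1130["cid"],
        "hosts_checked": len(results),
        "hosts_failing": failed,
        "compliance_pct": round(100 * (1 - len(failed) / len(results)), 1),
    }


if __name__ == "__main__":
    # Host names are placeholders for the example.
    results = [evaluate_cid_1130("aix-host-a", INETD_CONF_TELNET_ENABLED),
               evaluate_cid_1130("aix-host-b", INETD_CONF_TELNET_DISABLED)]
    for r in results:
        print(f"CID {r.cid} {r.host}: {r.status} ({r.evidence})")
    print(summarize(results))
```

The same structure (policy text, control, technology, check function, evidence string) is what lets a business unit manager read the policy line while an operations engineer reads the inetd.conf finding, which is the gap the slide is about.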

Page 9

QualysGuard Simplifies and Automates

- An agent-less and scalable audit technology in a SaaS model
- Automates the harvesting of IT data
- Identifies violations of IT policy
- Improves relevance of IT data to regulatory concerns: Sarbanes-Oxley, HIPAA, GLBA, FISMA, CobiT, ISO27002, FFIEC, ITIL

Page 10

Benefits

- Immediate deployment
- Ease of use / automated
- Accuracy
- Scalability
- Flexible reporting
- Security
- Cost-effective / lowest TCO

Page 11

How does QualysGuard PC Work?

Leverages Same Infrastructure as QualysGuard VM…

Page 12

Summary

QualysGuard Policy Compliance automates the IT GRC process via:

- SaaS model
- Agent-less design
- Seamless integration
- Scheduled collection of compliance data
- Sharing of compliance data across the organization

Security and regulatory compliance convergence in one single application delivered as SaaS.