Solving IT Risk and Compliance Challenges – Symantec™ Control Compliance Suite

Robin Crohns

Posted on 22-Feb-2016


TRANSCRIPT

Page 1: Solving IT Risk and Compliance Challenges Symantec™ Control Compliance Suite

Solving IT Risk and Compliance Challenges – Symantec™ Control Compliance Suite

Robin Crohns

Page 2: Symantec Threat & Risk Management Group – Challenge of Presenting Credible Data, Every Day

Threat (changing landscape):
• Insider Abuse
• Commodity Malware
• Coordinated Attacks (APT)
• Massive Data Volumes

Compliance:
• Technical Controls Assessment
• Procedural Controls Assessment
• Policy Management
• Demonstrable Processes
• Massive Data Volumes

Risk Awareness:
• Build a sustainable program
• Stay ahead of threats
• Complete visibility
• Focus on top priorities
• Present in business context

Symantec products shown: Control Compliance Suite, Endpoint Protection, Data Loss Prevention, Encryption, Managed Security Services, DeepSight; Symantec CCS Risk Manager & Protection Center.

Solving IT Risk and Compliance Challenges

Page 3: Agenda

1. Managing Risk & Compliance – Key Concerns
2. Symantec Approach to IT GRC
3. Symantec Control Compliance Suite

Page 4: Managing IT Risk and Compliance – Key Concerns

• Comply with key mandates
• Stay ahead of threats
• Focus on top priorities
• Build sustainable risk program
• Connect to business

Page 5: Expanding from Compliance to Risk – Considerations

Compliance Centric
• Driven by external mandates
• Focus on pass / fail checkbox
• Large volume of audit findings leads to inaction
• Can get by with tactical point solutions

Risk Centric
• Internal needs & external context
• Focus on continuous improvement
• Risk-prioritized issues drive action
• More holistic solution needed for pragmatic view of business risk

Page 6: Challenges that Limit this Evolution

Manual Data Collection
• Manual approach less accurate
• Incomplete view
• Fail to keep up with changing environment

Operating in a Silo
• Info Sec seen as “Dr No”
• Limited visibility into IT Ops
• Unable to communicate in business terms

Subjective Assessments
• Prone to error or dispute
• Limitations of one-time snapshot
• Lack of metrics for accountability

Page 7: Agenda

1. Managing Risk & Compliance – Key Concerns
2. Symantec Approach to IT GRC
3. Symantec Control Compliance Suite

Page 8: Symantec Has Evolved its Solution From the Bottom Up

Bottom-Up Approach (Assets, Controls, Evidence – stored in a relational database)

1. Native Technical Controls
2. Procedural Questionnaires
3. 3rd Party Data
4. Reports and Dashboards

With proven ability to process large volumes of data, we are now adding an abstraction layer.

Page 9: Addressing these Challenges

1. Better Visibility
• Convey impact of IT risk in business-relevant terms
• Drive awareness, action and accountability with targeted metrics
• Eliminate silos between Security and IT Ops

2. Risk Prioritization
• Draw data driven conclusions which are more defensible
• Prioritize issues based on business risk rather than technical severity
• Remediate highest priority risks first

3. Automation
• Automate assessment and remediation lifecycle
• Facilitate continual assessments for better data accuracy
• Enable on-demand response to issues

Page 10: Swedish Global Customer

• Security Baseline Assessment for servers
• Automated Assessments of servers several times a year
• Detailed Reports with prioritized actions
• Yes, someone needs to fix the deviations...
• Moving forward...
– Continuous Vulnerability Scanning
– Define Dashboards and Reports for different stakeholders

Page 11: Agenda

1. Managing Risk & Compliance – Key Concerns
2. Symantec Approach to IT GRC
3. Symantec Control Compliance Suite

Page 12: Symantec Approach to Risk and Compliance

Environment: Assets, Controls, Evidence

PLAN
• Define business and risk objectives
• Create policies for multiple mandates
• Map to controls and de-duplicate

ASSESS
• Identify deviations from technical standards
• Discover critical vulnerabilities
• Evaluate procedural controls
• Combine data from 3rd party sources

REMEDIATE
• Risk-based prioritization
• Closed loop tracking of deficiencies
• Integration with ticketing systems

REPORT
• Demonstrate compliance to multiple stakeholders
• Correlate risk across business assets
• High level dashboards with drill down

Stakeholders: Security / Audit, IT / Operations, Business / Mgmt.

Page 13: Mapped Control Statements from Mandates...

Page 14: ...or Mandates mapped to Control Statements

Page 15: And what are the technical checks that give the answer?

Page 16: Drill-down Dashboards

Page 17: Content Strategy – Driving Competitive Advantage

Regulatory Content
• 100+ regulations and frameworks
– Federal & industry standards
– Major InfoSec standards (ISO, COBIT, NIST)
– Regional-specific regulations
• Mapped to common controls library
• Mapped to technical & procedural controls

Security Benchmarks & Standards
• 50+ out-of-box security standards – CIS, SCAP, Symantec Security Essentials
• Industry-best platform coverage – OS, DB, Virtual Platforms, Apps Middleware
• Monthly patch updates

Symantec Best Practices
• Sample policies for HIPAA and other regs
• Custom dashboard panels
• Custom workflow connectors
• Policy-based questionnaires

Security Awareness Content
• Focused on end users and IT Ops teams
• 15+ video-based training modules
• Ready-to-use posters and newsletters
• PCI, Privacy & HIPAA training for end users

360° Content Coverage

Page 18: Organizational Benefits of the Most Mature

• Business risks related to IT are visible to senior managers
• Business value of IT is visible to senior managers
• Acceptable risks and exceptions are prioritized
• Controls for policy and regulatory compliance are prioritized
• Value and risks related to IT are prioritized

Page 19: Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
