Solving IT Risk and Compliance Challenges: Symantec™ Control Compliance Suite
Robin Crohns

Description: slide transcript of a Symantec presentation on the Control Compliance Suite. It covers the Symantec Threat & Risk Management Group, the challenge of presenting credible data every day, Symantec CCS Risk Manager & Protection Center, and risk awareness.
Symantec Threat & Risk Management Group: Challenge of Presenting Credible Data, Every Day

(Diagram, flattened.) Risk awareness goals:
- Build a sustainable program
- Stay ahead of threats
- Complete visibility
- Focus on top priorities
- Present in business context

THREAT challenges: Insider Abuse, Commodity Malware, Coordinated Attacks (APT), Changing Landscape, Massive Data Volumes
COMPLIANCE challenges: Technical Controls Assessment, Procedural Controls Assessment, Policy Management, Demonstrable Processes, Massive Data Volumes

Products: Control Compliance Suite, Endpoint Protection, Data Loss Prevention, Encryption, Managed Security Services, DeepSight
Symantec CCS Risk Manager & Protection Center
Agenda
1. Managing Risk & Compliance – Key Concerns
2. Symantec Approach to IT GRC
3. Symantec Control Compliance Suite

Managing IT Risk and Compliance – Key Concerns
- Comply with key mandates
- Stay ahead of threats
- Focus on top priorities
- Build sustainable risk program
- Connect to business
Expanding from Compliance to Risk – Considerations

Compliance Centric:
- Driven by external mandates
- Focus on pass / fail checkbox
- Large volume of audit findings leads to inaction
- Can get by with tactical point solutions

Risk Centric:
- Internal needs & external context
- Focus on continuous improvement
- Risk-prioritized issues drive action
- More holistic solution needed for pragmatic view of business risk
Challenges that Limit this Evolution

Manual Data Collection:
- Manual approach less accurate
- Incomplete view
- Fail to keep up with changing environment

Operating in a Silo:
- Info Sec seen as “Dr No”
- Limited visibility into IT Ops
- Unable to communicate in business terms

Subjective Assessments:
- Prone to error or dispute
- Limitations of one-time snapshot
- Lack of metrics for accountability
2. Symantec Approach to IT GRC
Symantec Has Evolved its Solution From the Bottom Up

Bottom-Up Approach (diagram): Assets, Controls and Evidence held in a relational database, built up in layers:
1. Native Technical Controls
2. Procedural Questionnaires
3. 3rd Party Data
4. Reports and Dashboards

With proven ability to process large volumes of data, we are now adding an abstraction layer.
Addressing these Challenges

1. Better Visibility
- Convey impact of IT risk in business-relevant terms
- Drive awareness, action and accountability with targeted metrics
- Eliminate silos between Security and IT Ops

2. Risk Prioritization
- Draw data driven conclusions which are more defensible
- Prioritize issues based on business risk rather than technical severity
- Remediate highest priority risks first

3. Automation
- Automate assessment and remediation lifecycle
- Facilitate continual assessments for better data accuracy
- Enable on-demand response to issues
Swedish Global Customer
- Security Baseline Assessment for servers
- Automated Assessments of servers several times a year
- Detailed Reports with prioritized actions
- Yes, someone needs to fix the deviations...
- Moving forward...
  – Continuous Vulnerability Scanning
  – Define Dashboards and Reports for different stakeholders
3. Symantec Control Compliance Suite
Symantec Approach to Risk and Compliance

(Diagram, flattened.) Environment: Assets, Controls, Evidence. Stakeholders: Security / Audit, IT / Operations, Business / Mgmt.

PLAN
- Define business and risk objectives
- Create policies for multiple mandates
- Map to controls and de-duplicate

REPORT
- Demonstrate compliance to multiple stakeholders
- Correlate risk across business assets
- High level dashboards with drill down

ASSESS
- Identify deviations from technical standards
- Discover critical vulnerabilities
- Evaluate procedural controls
- Combine data from 3rd party sources

REMEDIATE
- Risk-based prioritization
- Closed loop tracking of deficiencies
- Integration with ticketing systems
Product walkthrough (screenshot slides):
- Mapped Control Statements from Mandates...
- ...or Mandates mapped to Control Statements
- And what are the technical checks that give the answer?
- Drill-down Dashboards
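The chain the walkthrough slides trace (mandate, mapped control statement, technical check, evidence from the asset) can be modelled in a few lines. The following is an added example, not CCS code or Symantec content; its mandate names, control IDs, technical checks, assets and results are all constructed. It also shows the risk-based prioritization described above: a deviation is ranked by asset criticality times the number of mandates the control supports, rather than by technical severity.

```python
# Constructed mandate -> control-statement map (common controls library): a control cited by several mandates is assessed once.
MANDATE_CONTROLS = {
    "PCI DSS (constructed subset)": ["CC-01", "CC-02", "CC-03"],
    "ISO 27001 (constructed subset)": ["CC-01", "CC-03"],
}
# Constructed control statement -> technical checks that supply its evidence.
CONTROL_CHECKS = {
    "CC-01": ["ssh_root_login_disabled", "password_max_age_le_90"],
    "CC-02": ["cardholder_db_encrypted"],
    "CC-03": ["audit_logging_enabled"],
}
# Constructed evidence: per asset, business criticality (1 low .. 5 critical)
# from the asset inventory plus the pass/fail result of each technical check.
ASSETS = {
    "web-01": {"criticality": 2, "results": {
        "ssh_root_login_disabled": True, "password_max_age_le_90": False,
        "cardholder_db_encrypted": True, "audit_logging_enabled": True}},
    "db-01": {"criticality": 5, "results": {
        "ssh_root_login_disabled": True, "password_max_age_le_90": True,
        "cardholder_db_encrypted": False, "audit_logging_enabled": False}},
}

def dedup_controls():
    """Controls to assess once, and the raw number of references across mandates."""
    refs = [c for controls in MANDATE_CONTROLS.values() for c in controls]
    return sorted(set(refs)), len(refs)

def assess():
    """One finding per failed (asset, control, check), ranked by business risk:
    asset criticality x mandates the control supports. Missing evidence is a failure."""
    weight = {c: sum(c in cs for cs in MANDATE_CONTROLS.values()) for c in CONTROL_CHECKS}
    findings = []
    for asset, info in ASSETS.items():
        for control, checks in CONTROL_CHECKS.items():
            for check in checks:
                if not info["results"].get(check, False):
                    findings.append({"asset": asset, "control": control, "check": check,
                                     "risk": info["criticality"] * weight[control]})
    return sorted(findings, key=lambda f: -f["risk"])

def mandate_status(findings):
    """Per mandate, the failed controls it depends on (empty list = compliant)."""
    failed = {f["control"] for f in findings}
    return {m: sorted(failed & set(cs)) for m, cs in MANDATE_CONTROLS.items()}

if __name__ == "__main__":
    for f in assess():
        print(f"risk={f['risk']:>2} {f['asset']} {f['control']} {f['check']}")
    print(mandate_status(assess()))
```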
Content Strategy – Driving Competitive Advantage

360° Content Coverage

Regulatory Content:
- 100+ regulations and frameworks
  - Federal & industry standards
  - Major InfoSec standards (ISO, COBIT, NIST)
  - Regional-specific regulations
- Mapped to common controls library
- Mapped to technical & procedural controls

Security Benchmarks & Standards:
- 50+ out-of-box security standards
  - CIS, SCAP, Symantec Security Essentials
- Industry-best platform coverage
  - OS, DB, Virtual Platforms, Apps Middleware
- Monthly patch updates

Symantec Best Practices:
- Sample policies for HIPAA and other regs
- Custom dashboard panels
- Custom workflow connectors
- Policy-based questionnaires

Security Awareness Content:
- Focused on end users and IT Ops teams
- 15+ video-based training modules
- Ready-to-use posters and newsletters
- PCI, Privacy & HIPAA training for end users
Organizational Benefits of the Most Mature
- Business risks related to IT are visible to senior managers
- Business value of IT is visible to senior managers
- Acceptable risks and exceptions are prioritized
- Controls for policy and regulatory compliance are prioritized
- Value and risks related to IT are prioritized
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.