system center 2012 - it grc


Upload: norman-mayes

Post on 25-Dec-2014


DESCRIPTION

IT GRC provides end-to-end IT governance, risk, and compliance (IT GRC) management and automation for desktop and datacenter computers.

TRANSCRIPT

Page 1: System Center 2012 - IT GRC

System Center – IT GRC

Presented by Edgile

January 2013

Identity Management | Data Protection | Authentication Strategies

© 2013 Edgile, Inc. – All Rights Reserved

Page 2: System Center 2012 - IT GRC

Table of Contents

System Center – IT GRC

1. Introductions
2. IT GRC Perspectives
3. Overview of SC IT GRC
4. SC IT GRC Demo
5. Next Steps

Page 3: System Center 2012 - IT GRC


Introductions

Business-Aligned Security

Edgile aligns security with the strategy, goals and demands of the business, allowing us to redefine security in terms of Strategic Capabilities and to transform the perception of security from a risk reduction activity into a Strategic Imperative for the company.

Aligning Security with the Strategy, Goals and Demands of the Business

Page 4: System Center 2012 - IT GRC

© 2013 Edgile, Inc. – All Rights Reserved 4

Introductions

Edgile Background

Established in 2001 by Partners and Senior Managers from Deloitte to Deliver Security Solutions to Leading Companies:

– Microsoft Security Solutions from the boardroom to the network
– Addressing the most challenging security issues confronting our customers
– Long-term relations drive solutions from strategy to deployment

Edgile Exceeds Big-4 in Quality and Style:

– Senior resources with real world experience
– Small, focused and capable teams
– Senior technologists

[Chart: competitors positioned by Professionalism (Low to High) against MS Expertise (Low to High): VARs, Big 4, Boutiques. Competitors: Junior Resources, High % of Clients Not Reference-able.]

Page 5: System Center 2012 - IT GRC


Introductions

Edgile Services Framework

Page 6: System Center 2012 - IT GRC


Introductions

Representative Clients

Page 7: System Center 2012 - IT GRC


Introductions

Understanding Your Needs

IT GRC Drivers, Challenges, Goals and Objectives:

– What are the key IT challenges related to meeting the GRC requirements?
– What are some opportunities?
– What are your general IT GRC goals and objectives?
– What are your goals and objectives in evaluating the System Center IT GRC capabilities?
– What are the specific laws, regulations and internal policies that you are required to comply with?
– Any strategic business initiatives for IT?


Page 9: System Center 2012 - IT GRC


IT GRC Perspectives

GRC Trends

Current State

– Managed in silos
– Mostly reactionary
– More projects than programs
– Handled separately from mainstream processes and decision-making
– People used as middleware
– Limited and fragmented use of technology

Future State

– Enterprise approach
– Integrated GRC
– Program-based approach
– Embedded within mainstream processes and decision-making
– Effective use of information technology
– Architected solutions

Page 10: System Center 2012 - IT GRC


IT GRC Perspectives

The Weak Link

Collection of Controls Evidence

– Laws, Regulations, Corporate Policies: Data Protection; Breach Notification; SOX, PCI, HIPAA, etc.; Security and Privacy
– GRC Frameworks: COBIT; ISO 27001; ITIL
– GRC Visibility: KPIs; KRIs; GRC Intelligence
– GRC Platform: Archer (RSA); MetricStream; OpenPages (IBM); Edgile iGRC
– Business and IT Processes: Financial; Sales; Operations
– Non-IT Assets: Physical Property; Intellectual Property
– IT Assets: Servers; Clients; Network

For the Majority of Organizations, this is Still a Very Manual Process

Page 11: System Center 2012 - IT GRC


IT GRC Perspectives

Controls & Compliance Automation

Internal Controls: A set of control objectives and activities that support the requirements imposed by laws, regulations and internal policies.

Automated Controls and Compliance Testing: Automated procedures to verify and demonstrate that the control activities are operating as intended.

Controls Automation: The ability to implement internal controls in an automated manner.

Compliance Automation: The ability to automate the measuring and reporting of the effectiveness of implemented internal controls.

Page 12: System Center 2012 - IT GRC


IT GRC Perspectives

Beyond Compliance

Aligning Security with the Strategy, Goals and Demands of the Business

The Center for Strategic and International Studies has published The Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines*

The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The U.S. State Department has already demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls

The top 3 critical security controls are:

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

*Additional information available at http://www.sans.org/critical-security-controls/

System Center and the IT GRC Management Pack Can Address the Top 3 Critical Security Controls through Controls and Compliance Automation

Page 13: System Center 2012 - IT GRC


IT GRC Perspectives

Asset Life Cycle Management

1. Perform Inventory
2. Create Key Control Objectives and Control Activities
3. Create Configuration Baselines in DCM
4. Deploy Baselines
5. Monitor and Alert on Baseline Variances
6. Remediate Variances
7. Report on Compliance

Tools: Service Manager; Configuration Manager and DCM; Operations Manager


Page 15: System Center 2012 - IT GRC


Overview of System Center IT GRC

Provides a platform for performing compliance and risk management by extending the infrastructure of System Center Service Manager (SCSM)

Uses components of SCSM including the configuration management database (CMDB), class model, data warehouse infrastructure, reporting features and Connector Framework

The Process Pack for IT GRC is a Process Management Pack for System Center Service Manager 2012

IT GRC Process Management Pack provides:

– Document Management
– Program Management
– Control Management
– Risk Management
– GRC Incident Management
– Knowledge Library
– Microsoft Control Library
– IT Compliance Management Library
– Management Packs

Service Manager provides:

– Incident Management
– Problem Management
– Change Management
– Configuration Management

Uses the Desired Configuration Management (DCM) feature in Configuration Manager along with product specific baselines to enable control test automation

The Configuration Manager connector populates the Service Manager data warehouse database with control test results, which are processed for validation against compliance objectives

Provides Compliance Test Automation

[Diagram: Managed Computers; Connector; System Center Service Manager]
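The pipeline described on this slide and in the Asset Life Cycle steps (a DCM baseline made of configuration items is evaluated on each managed computer, the results are loaded into the Service Manager data warehouse, and they are validated against the control activities so that non-compliant devices can be reported and remediated) is modelled below in Python as an added example. It is not Edgile's or Microsoft's code and uses none of the System Center APIs; the configuration item ids, control ids, thresholds and device settings are constructed for illustration. It also shows one edge case a practitioner cares about: a setting that was never collected is reported as non-compliant rather than silently passing.

```python
"""Control-test pipeline model: baseline -> per-device CI results -> per-control roll-up.

Added example, not code from the Edgile deck or from System Center. Every
identifier, threshold and device record below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class ConfigurationItem:
    """One DCM-style configuration item: which collected setting it reads, how
    the value is judged, and which control activity it gives evidence for."""
    ci_id: str
    control_id: str            # constructed control-activity id
    setting: str               # key in the device's collected settings
    description: str
    check: Callable[[Any], bool]


@dataclass(frozen=True)
class TestResult:
    device: str
    ci_id: str
    control_id: str
    observed: Any              # None when the setting was not collected
    compliant: bool


# Constructed baseline in the spirit of the "account lock" control activity
# customised in use case 1; thresholds are illustrative, not ISO values.
ACCOUNT_LOCK_BASELINE: List[ConfigurationItem] = [
    ConfigurationItem("CI-LOCK-THRESHOLD", "CTRL-ACCT-LOCK", "LockoutBadCount",
                      "Lock the account after 1 to 10 bad logons",
                      lambda v: 1 <= v <= 10),
    ConfigurationItem("CI-LOCK-DURATION", "CTRL-ACCT-LOCK", "LockoutDuration",
                      "Keep the account locked for at least 15 minutes",
                      lambda v: v >= 15),
    ConfigurationItem("CI-PWD-LENGTH", "CTRL-PWD-POLICY", "MinimumPasswordLength",
                      "Require passwords of at least 14 characters",
                      lambda v: v >= 14),
]

# Constructed settings as a collection agent might report them. WS-002 has
# lockout disabled; SRV-001 reported no password-length value at all.
MANAGED_COMPUTERS: Dict[str, Dict[str, int]] = {
    "WS-001": {"LockoutBadCount": 5, "LockoutDuration": 30, "MinimumPasswordLength": 14},
    "WS-002": {"LockoutBadCount": 0, "LockoutDuration": 30, "MinimumPasswordLength": 14},
    "SRV-001": {"LockoutBadCount": 5, "LockoutDuration": 30},
}


def evaluate_device(device: str, settings: Dict[str, Any],
                    baseline: List[ConfigurationItem]) -> List[TestResult]:
    """Evaluate one managed computer against every CI in the baseline.
    A setting that was not collected is non-compliant: absence of evidence
    must never be reported as a pass."""
    results = []
    for ci in baseline:
        value = settings.get(ci.setting)
        ok = value is not None and bool(ci.check(value))
        results.append(TestResult(device, ci.ci_id, ci.control_id, value, ok))
    return results


def run_control_tests(computers: Dict[str, Dict[str, Any]],
                      baseline: List[ConfigurationItem]) -> List[TestResult]:
    """The scheduled scan of use case 2: evaluate every device and return the
    flat list of results the connector would load into the data warehouse."""
    return [r for name, settings in computers.items()
            for r in evaluate_device(name, settings, baseline)]


def control_status(results: List[TestResult]) -> Dict[str, Dict[str, Any]]:
    """Roll device-level results up to the control activity (use case 3).
    A control is compliant only if every CI passed on every device; the
    failing devices are listed so remediation can be targeted."""
    status: Dict[str, Dict[str, Any]] = {}
    for r in results:
        entry = status.setdefault(r.control_id, {"devices": set(), "failing": set()})
        entry["devices"].add(r.device)
        if not r.compliant:
            entry["failing"].add(r.device)
    for entry in status.values():
        total = len(entry["devices"])
        entry["compliant"] = not entry["failing"]
        entry["compliance_pct"] = round(100.0 * (total - len(entry["failing"])) / total, 1)
    return status


def export_rows(status: Dict[str, Dict[str, Any]]) -> List[dict]:
    """Flatten the roll-up into rows of the kind handed to another GRC platform."""
    return [{"control": cid, "compliant": e["compliant"],
             "compliance_pct": e["compliance_pct"], "failing_devices": sorted(e["failing"])}
            for cid, e in sorted(status.items())]


if __name__ == "__main__":
    for row in export_rows(control_status(run_control_tests(MANAGED_COMPUTERS, ACCOUNT_LOCK_BASELINE))):
        print(row)
```

Running the block prints one row per control activity: CTRL-ACCT-LOCK fails because of WS-002 (lockout disabled) and CTRL-PWD-POLICY fails because SRV-001 produced no evidence, each at 66.7% device compliance.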


Page 17: System Center 2012 - IT GRC


SC IT GRC Demo

Demo Environment

– DC-2012-01: Active Directory, DNS; Windows Server 2012
– CM-2012-01: Configuration Manager 2012 SP1; Windows Server 2012, SQL Server 2012
– SM-2012-03: Service Manager 2012; Windows 2008 R2, SQL Server 2008 R2
– SM-2012-04: SM Data Warehouse; Windows Server 2008 R2, SQL Server 2008 R2
– OM-2012-01: Operations Manager 2012 SP1; Windows Server 2012, SQL Server 2012

Page 18: System Center 2012 - IT GRC


SC IT GRC Demo

Use Case Scenarios

Premise: Company's CISO elected to pursue ISO27001 certification. To achieve certification, IT:

– Is required to manage and secure devices according to ISO27001 standards
– Decided to use System Center 2012 (SC12) to maintain a device inventory in the CMDB
– Implemented SC12, the Process Pack for IT GRC and applied the ISO27000 program control objectives and activities
– Can assert all critical devices are configured securely according to defined baselines and maintained to ensure that deviations are corrected in a timely manner

UC 1: Deploy Secure Baselines

Description: SCM used to export the ISO27000 configuration baseline to a DCM pack. Customize items in the baseline; set up targets and deploy. Install the ISO27000 Program in SCSM and customize the automated control activity for account lock.

Benefit Highlighted: Ability to customize and standardize baselines for deployment.

UC 2: Perform Automated Testing

Description: Schedule Configuration Manager to perform automated testing of controls.

Benefit Highlighted: Automated testing of deviations from baselines.

UC 3: Report and Remediate

Description: From SCSM, verify compliance status using Configuration Manager test results. Control test results can be exported to other GRC platforms. Perform remediation as needed.

Benefit Highlighted: Automated monitoring, collection and reporting of control test results.

Page 19: System Center 2012 - IT GRC


SC IT GRC Demo

UC 1: Deploy Secure Baselines

1. Export ISO27000 Configuration Baseline (Security Compliance Manager)
2. Customize Baseline; Set Up Targets and Deploy (DCM Pack; SCCM)
3. Install ISO27000 Program and Customize Controls (SCSM)

[Diagram: Security Compliance Manager; DCM Pack; SCCM; Devices with Secure Baselines; SCSM]

Page 20: System Center 2012 - IT GRC


SC IT GRC Demo

UC 2: Perform Automated Testing

1. Schedule Automated Testing
2. Automated Scanning and Collection

[Diagram: SCCM; Devices with Compliant Baselines; Devices with Non-Compliant Baselines]

Page 21: System Center 2012 - IT GRC


SC IT GRC Demo

UC 3: Report and Remediate

1. Control Test Results
2. Verify Compliance Status
3. Remediate
4. Updates
5. Export Control Test Results

[Diagram: SCCM; Devices with Non-Compliant Baselines; SCSM Data Warehouse; IT GRC Platform]

Page 22: System Center 2012 - IT GRC


Managing External Control Feeds

Evidence supporting other external control events may be collected, processed and distributed from the SCSM data warehouse. Example:

– An employee leaves the company, and by policy their accounts are disabled in AD within 24 hours
– An Identity and Access Management (IAM) system can trigger a record creation in the SCSM data warehouse
– The record is updated once the AD account is disabled, and the resulting report serves as compliance evidence
– Subsequently, SCSM can export the status to an IT GRC platform or SharePoint dashboard portal

Flow: 1. Create Event Record (IAM System); 2. Update Event Record (SCSM Data Warehouse); 3. Export Compliance Status (IT GRC Platform, Dashboard Portal)
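The leaver example on this slide, modelled in Python as an added example: an IAM system creates an event record when an employee leaves, the record is updated when the AD account is disabled, and the compliance status against the 24-hour policy is derived from the two timestamps and exported as evidence. This is not Edgile's, SCSM's or any IAM product's code; the record layout, account names and timestamps are constructed, and the verdict names (Compliant, Non-Compliant, Open, Overdue) are this example's own. It covers the cases a reviewer of the evidence would ask about: a record that is still inside the window, one whose window has lapsed with no disable confirmed, and timestamps from two systems that must not mix naive and UTC clocks.

```python
"""External control feed model: IAM event record -> AD disable update -> evidence.

Added example, not code from the Edgile deck, SCSM or any IAM product. The
record layout, identifiers and timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

POLICY_WINDOW = timedelta(hours=24)   # "disabled within 24 hours" per the slide's policy


@dataclass
class EventRecord:
    record_id: str
    account: str
    left_at: datetime                        # leave time reported by the IAM system
    disabled_at: Optional[datetime] = None   # filled in when AD confirms the disable


def _utc(ts: datetime) -> datetime:
    """Refuse naive timestamps: SLA arithmetic across two systems must not
    silently mix a local clock with UTC."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


def compliance_status(rec: EventRecord, now: datetime) -> str:
    """Evidence verdict for one record (verdict names are this example's own).
    Compliant      - disabled no later than 24 h after the leave time
    Non-Compliant  - disabled, but after the window
    Open           - not yet disabled and the window has not elapsed
    Overdue        - not yet disabled and the window has elapsed (a finding)
    """
    deadline = rec.left_at + POLICY_WINDOW
    if rec.disabled_at is not None:
        return "Compliant" if rec.disabled_at <= deadline else "Non-Compliant"
    return "Open" if _utc(now) <= deadline else "Overdue"


class EventStore:
    """Stand-in for the data-warehouse table that holds the event records."""

    def __init__(self) -> None:
        self.records: Dict[str, EventRecord] = {}

    def create_event_record(self, record_id: str, account: str, left_at: datetime) -> EventRecord:
        """Step 1: the IAM system opens a record when the leaver is processed."""
        if record_id in self.records:
            raise ValueError(f"duplicate record {record_id}")
        rec = EventRecord(record_id, account, _utc(left_at))
        self.records[record_id] = rec
        return rec

    def update_event_record(self, record_id: str, disabled_at: datetime) -> EventRecord:
        """Step 2: the feed from AD closes the record once the account is disabled."""
        rec = self.records[record_id]
        if rec.disabled_at is not None:
            raise ValueError(f"record {record_id} already closed")
        rec.disabled_at = _utc(disabled_at)
        return rec

    def export_compliance_status(self, now: datetime) -> List[dict]:
        """Step 3: rows for the IT GRC platform or dashboard portal."""
        return [{"record": r.record_id, "account": r.account, "status": compliance_status(r, now)}
                for r in sorted(self.records.values(), key=lambda r: r.record_id)]


# Constructed clock for the report run and constructed leaver records, one per verdict.
SAMPLE_NOW = datetime(2013, 1, 10, 20, 0, tzinfo=timezone.utc)


def build_sample_store() -> EventStore:
    utc = timezone.utc
    s = EventStore()
    s.create_event_record("EVT-1001", "jdoe", datetime(2013, 1, 7, 9, 0, tzinfo=utc))
    s.update_event_record("EVT-1001", datetime(2013, 1, 7, 17, 30, tzinfo=utc))   # disabled same day
    s.create_event_record("EVT-1002", "asmith", datetime(2013, 1, 7, 9, 0, tzinfo=utc))
    s.update_event_record("EVT-1002", datetime(2013, 1, 9, 8, 0, tzinfo=utc))     # two days late
    s.create_event_record("EVT-1003", "bchen", datetime(2013, 1, 10, 8, 0, tzinfo=utc))   # still open
    s.create_event_record("EVT-1004", "rpatel", datetime(2013, 1, 5, 8, 0, tzinfo=utc))   # never disabled
    s.create_event_record("EVT-1005", "mlee", datetime(2013, 1, 8, 9, 0, tzinfo=utc))
    s.update_event_record("EVT-1005", datetime(2013, 1, 8, 8, 30, tzinfo=utc))    # disabled ahead of leave
    return s


if __name__ == "__main__":
    for row in build_sample_store().export_compliance_status(SAMPLE_NOW):
        print(row)
```

The Overdue verdict is the one that matters operationally: it is a record with no closing update, which is exactly the kind of gap an auditor will ask about, so the export carries it as a distinct status rather than folding it into Open.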


Page 24: System Center 2012 - IT GRC


Next Steps

Requirements Development

– Understand business needs and priorities
– Gather and analyze requirements and use cases
– 3 to 5 weeks based on scope
– $25K to $50K* based on scope
– Deliverable: Requirements and Recommendations document

Proof of Concept and Roadmap

– Demonstrate solution can meet business RQMTs
– Well defined based on value add use cases
– 2 to 3 weeks
– $15K to $25K* (other pricing options are available)
– Deliverable: POC Environment and Executive presentation

Automation Value Analysis

– Develop benefits objectives, monetary benefits
– Identify cost drivers and factors
– 3 to 5 weeks based on scope
– $25K to $50K* based on scope
– Deliverable: Detailed Analysis Workbook and Executive presentation

SCCM Process Pack Design

– Identify non-functional, technical requirements
– Detail infrastructure components, key decisions
– 4 to 6 weeks based on scope
– $35K to $60K* based on scope
– Deliverable: SCCM Process Pack Design document

Typically clients pursue one of the activities and deliverables.

* Does not include out-of-pocket expenses

Page 25: System Center 2012 - IT GRC

Table of Contents

System Center – IT GRC

6. Addendum

Page 26: System Center 2012 - IT GRC


Addendum

Edgile iGRC Solution Overview

Intelligent Governance, Risk and Compliance

Content

– Annual subscription
– Quarterly updates
– Harmonized library
– Content available for: Financial Services; Healthcare; Life Sciences; Retail; Government; Manufacturing; Gaming; Energy

Software

– Annual subscription
– SaaS offering
– Management capabilities for: Audit; Policy, Standards; Risk (ERM, ORM & IT); Compliance; Regulatory; Finding & Remediation; Vendor Risk Management; Business Continuity Planning

Services

– Strategy and roadmap
– Implementation
– Risk assessment
– Control definition
– Remediation planning
– Compliance readiness: HIPAA/HITECH/HITRUST; PCI DSS (Edgile is a QSA); GLBA and FFIEC; Sarbanes Oxley; etc.

Page 27: System Center 2012 - IT GRC


Addendum

Edgile iGRC Solution Overview

iGRC Portal

[Diagram of the iGRC portal. Components shown: Audience Specific Users (Business 1, Business 2, Security & Privacy, Risk Team, Business Continuity, ...); Portal (Reporting, Dashboard, Analytics Engine, Workflow, Control Plan, ...); Common Utilities; Data Warehouse; Database; Extract, Transform, Load (ETL) from Applications, Infrastructure, Property Plant & Equipment, Departments, Business & IT Processes.]

iGRC Enabled: Risk Assessment; Compliance Management; Vendor Risk Management; Findings & Remediation Management; Identity Management; Access Management; Role Attestation & Certification; Regulatory Framework; Key Risk Monitoring; Business Continuity Management; Control Plan Management; Configuration Management; Vulnerability Management; Threat Intel Monitoring; Asset & Inventory Management; Patch Management; Change Management; IT Process Automation; Run Book Automation; etc.