System Center 2012 - IT GRC
DESCRIPTION
IT GRC provides end-to-end IT governance, risk, and compliance (IT GRC) management and automation for desktop and datacenter computers.
TRANSCRIPT
System Center – IT GRC
Presented by Edgile
January 2013
Identity Management | Data Protection | Authentication Strategies
© 2013 Edgile, Inc. – All Rights Reserved
Table of Contents
System Center – IT GRC
1. Introductions
2. IT GRC Perspectives
3. Overview of SC IT GRC
4. SC IT GRC Demo
5. Next Steps
Introductions
Business-Aligned Security
Edgile aligns security with the strategy, goals and demands of the business, allowing us to redefine security in terms of Strategic Capabilities and to transform the perception of security from a risk reduction activity into a Strategic Imperative for the company.
Aligning Security with the Strategy, Goals and Demands of the Business
Introductions
Edgile Background
Established in 2001 by Partners and Senior Managers from Deloitte to Deliver Security Solutions to Leading Companies:
– Microsoft Security Solutions from the boardroom to the network
– Addressing the most challenging security issues confronting our customers
– Long-term relations drive solutions from strategy to deployment
Edgile Exceeds Big-4 in Quality and Style:
– Senior resources with real world experience
– Small, focused and capable teams
– Senior technologists
[Chart: Professionalism (low to high) against MS Expertise (low to high); quadrants labelled Big 4, VARs, Boutiques, and Competitors (Junior Resources, High % of Clients Not Reference-able).]
Introductions
Edgile Services Framework
Introductions
Representative Clients
Introductions
Understanding Your Needs
IT GRC Drivers, Challenges, Goals and Objectives:
– What are the key IT challenges related to meeting the GRC requirements?
– What are some opportunities?
– What are your general IT GRC goals and objectives?
– What are your goals and objectives in evaluating the System Center IT GRC capabilities?
– What are the specific laws, regulations and internal policies that you are required to comply with?
– Any strategic business initiatives for IT?
IT GRC Perspectives
GRC Trends
Current State
– Managed in silos
– Mostly reactionary
– More projects than programs
– Handled separately from mainstream processes and decision-making
– People used as middleware
– Limited and fragmented use of technology
Future State
– Enterprise approach
– Integrated GRC
– Program-based approach
– Embedded within mainstream processes and decision-making
– Effective use of information technology
– Architected solutions
IT GRC Perspectives
The Weak Link
Laws, Regulations, Corporate Policies: Data Protection, Breach Notification, SOX, PCI, HIPAA, etc., Security and Privacy
GRC Frameworks: COBIT, ISO 27001, ITIL
GRC Visibility: KPIs, KRIs, GRC Intelligence
GRC Platform: Archer (RSA), MetricStream, OpenPages (IBM), Edgile iGRC
Collection of Controls Evidence (the weak link): for the majority of organizations, this is still a very manual process
Business and IT Processes: Financial, Sales, Operations
Non-IT Assets: Physical Property, Intellectual Property
IT Assets: Servers, Clients, Network
IT GRC Perspectives
Controls & Compliance Automation
Internal Controls: A set of control objectives and activities that support the requirements imposed by laws, regulations and internal policies.
Automated Controls and Compliance Testing: Automated procedures to verify and demonstrate that the control activities are operating as intended.
Controls Automation: The ability to implement internal controls in an automated manner.
Compliance Automation: The ability to automate the measuring and reporting of the effectiveness of implemented internal controls.
IT GRC Perspectives
Beyond Compliance
The Center for Strategic and International Studies has published The Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines*
The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The U.S. State Department has already demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.
The top 3 critical security controls are:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
*Additional information available at http://www.sans.org/critical-security-controls/
System Center and the IT GRC Management Pack can address the top 3 Critical Security Controls through Controls and Compliance Automation
IT GRC Perspectives
Asset Life Cycle Management
1. Perform Inventory
2. Create Key Control Objectives and Control Activities
3. Create Configuration Baselines in DCM
4. Deploy Baselines
5. Monitor and Alert on Baseline Variances
6. Remediate Variances
7. Report on Compliance
Tools: Service Manager; Configuration Manager and DCM; Operations Manager
Overview of System Center IT GRC
The Process Pack for IT GRC is a Process Management Pack for System Center Service Manager 2012.
– Provides a platform for performing compliance and risk management by extending the infrastructure of System Center Service Manager (SCSM)
– Uses components of SCSM including the configuration management database (CMDB), class model, data warehouse infrastructure, reporting features and Connector Framework
– Uses the Desired Configuration Management (DCM) feature in Configuration Manager along with product specific baselines to enable control test automation
– The Configuration Manager connector populates the Service Manager data warehouse database with control test results, which are processed for validation against compliance objectives
System Center Service Manager provides: Incident Management, Problem Management, Change Management, Configuration Management
IT GRC Process Management Pack provides: Document Management, Program Management, Control Management, Risk Management, GRC Incident Management, Knowledge Library (Microsoft Control Library, IT Compliance Management Library, Management Packs)
Configuration Manager (DCM) provides: Compliance Test Automation
[Diagram: Managed Computers; Connector; System Center Service Manager]
SC IT GRC Demo
Demo Environment
DC-2012-01: Active Directory, DNS; Windows Server 2012
CM-2012-01: Configuration Manager 2012 SP1; Windows Server 2012, SQL Server 2012
SM-2012-03: Service Manager 2012; Windows Server 2008 R2, SQL Server 2008 R2
SM-2012-04: SM Data Warehouse; Windows Server 2008 R2, SQL Server 2008 R2
OM-2012-01: Operations Manager 2012 SP1; Windows Server 2012, SQL Server 2012
SC IT GRC Demo
Use Case Scenarios
Premise: The company's CISO elected to pursue ISO 27001 certification. To achieve certification, IT:
– Is required to manage and secure devices according to ISO 27001 standards
– Decided to use System Center 2012 (SC12) to maintain a device inventory in the CMDB
– Implemented SC12 and the Process Pack for IT GRC, and applied the ISO27000 program control objectives and activities
– Can assert that all critical devices are configured securely according to defined baselines and are maintained so that deviations are corrected in a timely manner
UC 1: Deploy Secure Baselines
Description: Security Compliance Manager (SCM) is used to export the ISO27000 configuration baseline to a DCM pack. Customize items in the baseline; set up targets and deploy. Install the ISO27000 Program in SCSM and customize the automated control activity for account lockout.
Benefit Highlighted: Ability to customize and standardize baselines for deployment.
UC 2: Perform Automated Testing
Description: Schedule Configuration Manager to perform automated testing of controls.
Benefit Highlighted: Automated testing of deviations from baselines.
UC 3: Report and Remediate
Description: From SCSM, verify compliance status using Configuration Manager test results. Control test results can be exported to other GRC platforms. Perform remediation as needed.
Benefit Highlighted: Automated monitoring, collection and reporting of control test results.
SC IT GRC Demo
UC 1: Deploy Secure Baselines
1. Export ISO27000 Configuration Baseline: Security Compliance Manager produces the DCM pack
2. Customize Baseline; Set up Targets and Deploy: SCCM deploys the DCM pack, giving devices with secure baselines
3. Install ISO27000 Program and Customize Controls: in SCSM
SC IT GRC Demo
UC 2: Perform Automated Testing
1. Schedule Automated Testing: in SCCM
2. Automated Scanning and Collection: SCCM evaluates each device and records devices with compliant baselines and devices with non-compliant baselines
SC IT GRC Demo
UC 3: Report and Remediate
1. Control Test Results: SCCM sends control test results to the SCSM Data Warehouse
2. Verify Compliance Status: in SCSM, identify devices with non-compliant baselines
3. Remediate: correct the devices with non-compliant baselines through SCCM
4. Updates: updated test results flow back to the SCSM Data Warehouse
5. Export Control Test Results: from the SCSM Data Warehouse to the IT GRC Platform
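The three use cases above describe one loop: a baseline of configuration items is deployed, every device is evaluated against it, and the per-item results are rolled up into a compliance state that Service Manager reports on and exports. The Python below is an added example, not Edgile's or Microsoft's code and not the DCM engine itself; it models that evaluation so the roll-up rules are visible. The configuration item names, expected values and collected device settings are constructed for illustration (they reuse the demo host names but are not taken from the ISO27000 baseline or the demo environment), and the precedence rule in rollup_state is an assumption stated in the code.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model (assumption): a DCM-style configuration item with an
# expected value and a comparison rule. Real DCM packs express this as XML.
@dataclass(frozen=True)
class ConfigItem:
    name: str
    expected: int
    check: Callable[[int, int], bool]  # check(actual, expected) -> True when compliant
    severity: str = "Critical"

# Constructed account-lockout baseline. Values are illustrative, not the
# ISO27000 baseline values shipped with Security Compliance Manager.
ACCOUNT_LOCKOUT_BASELINE: List[ConfigItem] = [
    # A threshold of 0 means "never lock out", so the rule demands 1..expected,
    # not merely "<= expected": a disabled control must not evaluate as compliant.
    ConfigItem("AccountLockoutThreshold", 10, lambda a, e: 1 <= a <= e),
    ConfigItem("AccountLockoutDurationMinutes", 15, lambda a, e: a >= e),
    ConfigItem("ResetLockoutCounterAfterMinutes", 15, lambda a, e: a >= e),
    ConfigItem("MinimumPasswordLength", 14, lambda a, e: a >= e),
]

# Constructed settings as a client would report them after a baseline evaluation.
COLLECTED_SETTINGS: Dict[str, Dict[str, int]] = {
    "DC-2012-01": {"AccountLockoutThreshold": 5, "AccountLockoutDurationMinutes": 30,
                   "ResetLockoutCounterAfterMinutes": 30, "MinimumPasswordLength": 14},
    "CM-2012-01": {"AccountLockoutThreshold": 0, "AccountLockoutDurationMinutes": 30,
                   "ResetLockoutCounterAfterMinutes": 30, "MinimumPasswordLength": 14},
    # ResetLockoutCounterAfterMinutes was not discovered on this host.
    "OM-2012-01": {"AccountLockoutThreshold": 5, "AccountLockoutDurationMinutes": 30,
                   "MinimumPasswordLength": 14},
}

ItemResult = Tuple[str, Optional[int]]  # (state, actual value or None)


def evaluate_items(settings: Dict[str, int], baseline: List[ConfigItem]) -> Dict[str, ItemResult]:
    """Evaluate every configuration item of the baseline for one device."""
    results: Dict[str, ItemResult] = {}
    for ci in baseline:
        actual = settings.get(ci.name)
        if actual is None:
            # A setting that could not be discovered is an evaluation error,
            # never evidence of compliance.
            results[ci.name] = ("Error", None)
        elif ci.check(actual, ci.expected):
            results[ci.name] = ("Compliant", actual)
        else:
            results[ci.name] = ("Non-Compliant", actual)
    return results


def rollup_state(item_results: Dict[str, ItemResult]) -> str:
    """Roll per-item results up to one baseline state for the device.
    Precedence (assumption for this example): any failed item makes the device
    Non-Compliant; otherwise any undiscovered item makes it Error."""
    states = {state for state, _ in item_results.values()}
    if "Non-Compliant" in states:
        return "Non-Compliant"
    if "Error" in states:
        return "Error"
    return "Compliant"


def evaluate_baseline(devices: Dict[str, Dict[str, int]], baseline: List[ConfigItem]) -> dict:
    """Per-device report: baseline state plus the per-item detail behind it."""
    report = {}
    for device, settings in devices.items():
        items = evaluate_items(settings, baseline)
        report[device] = {"state": rollup_state(items), "items": items}
    return report


def control_test_rows(report: dict, baseline: List[ConfigItem]) -> List[dict]:
    """Flatten the report into rows of the kind a connector would load into a
    data warehouse: one row per device per item, with expected and actual."""
    expected = {ci.name: ci.expected for ci in baseline}
    rows = []
    for device in sorted(report):
        for name, (state, actual) in report[device]["items"].items():
            rows.append({"device": device, "item": name, "state": state,
                         "expected": expected[name], "actual": actual})
    return rows


def summary(report: dict) -> Dict[str, int]:
    """Device counts by baseline state, the figure a compliance dashboard shows."""
    counts = {"Compliant": 0, "Non-Compliant": 0, "Error": 0}
    for entry in report.values():
        counts[entry["state"]] += 1
    return counts


if __name__ == "__main__":
    rep = evaluate_baseline(COLLECTED_SETTINGS, ACCOUNT_LOCKOUT_BASELINE)
    for device, entry in sorted(rep.items()):
        print(device, entry["state"])
    print(summary(rep))
```

Two points the slides leave implicit are made explicit here: a lockout threshold of 0 disables the control and must fail the test even though it is below the maximum, and a setting the client could not discover is an error, not a pass. When a report rolls such errors in with the compliant devices, the exported evidence overstates coverage.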
Managing External Control Feeds
Evidence supporting other external control events may be collected, processed and distributed from the SCSM data warehouse. Example:
– An employee leaves the company, and by policy accounts are disabled in AD within 24 hours
– An Identity and Access Management (IAM) system can trigger a record creation in the SCSM data warehouse
– The record is updated once the AD account is disabled, and the resulting report serves as compliance evidence
– Subsequently, SCSM can export the status to an IT GRC platform or SharePoint dashboard portal
Flow: 1. IAM System creates the event record in the SCSM Data Warehouse; 2. Update event record; 3. Export compliance status to the IT GRC Platform and Dashboard Portal
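The control described above has a testable definition: for every leaver, the time between the termination event and the moment AD reports the account disabled must not exceed 24 hours, and an account that is still enabled past that window is both a control failure and a live risk. The Python below is an added example, not Edgile's or Microsoft's code, that evaluates such event records and produces the status a data warehouse would export. The event records, account names and timestamps are constructed for illustration; the record layout is an assumption.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SLA = timedelta(hours=24)  # policy from the slide: accounts disabled within 24 hours


def parse_utc(stamp: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if stamp is None:
        return None
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed event records (assumed layout): created by the IAM system when an
# employee leaves, then updated with the time AD reported the account disabled.
# "disabled" stays None until AD confirms the change.
EVENT_RECORDS: List[Dict[str, Optional[str]]] = [
    {"account": "alice", "terminated": "2013-01-14T09:00:00Z", "disabled": "2013-01-14T17:30:00Z"},
    {"account": "bob",   "terminated": "2013-01-14T09:00:00Z", "disabled": "2013-01-16T08:00:00Z"},
    {"account": "carol", "terminated": "2013-01-15T08:00:00Z", "disabled": None},
    {"account": "dave",  "terminated": "2013-01-13T08:00:00Z", "disabled": None},
]


def evaluate_record(record: Dict[str, Optional[str]], now: datetime, sla: timedelta = SLA) -> dict:
    """Classify one leaver record against the 24-hour control."""
    terminated = parse_utc(record["terminated"])
    disabled = parse_utc(record["disabled"])
    if disabled is not None:
        elapsed = disabled - terminated
        state = "Compliant" if elapsed <= sla else "Non-Compliant"
    else:
        elapsed = now - terminated
        # Still enabled: inside the window it is an open item; past the window it
        # is a control failure and an account that should have been cut off.
        state = "Open" if elapsed <= sla else "Non-Compliant"
    return {"account": record["account"], "state": state,
            "hours_elapsed": round(elapsed.total_seconds() / 3600, 1),
            "still_enabled": disabled is None}


def evaluate_control(records: List[Dict[str, Optional[str]]], now: datetime,
                     sla: timedelta = SLA) -> List[dict]:
    return [evaluate_record(r, now, sla) for r in records]


def compliance_status(results: List[dict]) -> dict:
    """Export-ready status: counts by state, the accounts that need action now,
    and control effectiveness over the closed (non-Open) records."""
    counts = {"Compliant": 0, "Non-Compliant": 0, "Open": 0}
    for r in results:
        counts[r["state"]] += 1
    closed = counts["Compliant"] + counts["Non-Compliant"]
    return {
        "counts": counts,
        "still_enabled_past_sla": sorted(r["account"] for r in results
                                         if r["still_enabled"] and r["state"] == "Non-Compliant"),
        "effectiveness_pct": round(100 * counts["Compliant"] / closed, 1) if closed else None,
    }


if __name__ == "__main__":
    now = parse_utc("2013-01-15T20:00:00Z")  # constructed evaluation time
    results = evaluate_control(EVENT_RECORDS, now)
    for r in results:
        print(r)
    print(compliance_status(results))
```

The "disabled" timestamp should be filled from AD's own observed state change, not from the IAM system's note that it sent a disable request; the slide's flow (record created by IAM, updated once the AD account is disabled) keeps the claim and the proof separate, and the evidence is only as good as that second update. The still_enabled_past_sla list is the item to act on before the report is exported.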
Next Steps
Requirements Development
– Understand business needs and priorities
– Gather and analyze requirements and use cases
– 3 to 5 weeks based on scope
– $25K to $50K* based on scope
– Deliverable: Requirements and Recommendations document
Proof of Concept and Roadmap
– Demonstrate solution can meet business requirements
– Well defined based on value add use cases
– 2 to 3 weeks
– $15K to $25K* (other pricing options are available)
– Deliverable: POC Environment and Executive presentation
Automation Value Analysis
– Develop benefits objectives, monetary benefits
– Identify cost drivers and factors
– 3 to 5 weeks based on scope
– $25K to $50K* based on scope
– Deliverable: Detailed Analysis Workbook and Executive presentation
SCCM Process Pack Design
– Identify non-functional, technical requirements
– Detail infrastructure components, key decisions
– 4 to 6 weeks based on scope
– $35K to $60K* based on scope
– Deliverable: SCCM Process Pack Design document
Typically clients pursue one of the activities and deliverables.
* Does not include out-of-pocket expenses
Table of Contents
System Center – IT GRC
6. Addendum
Addendum
Edgile iGRC Solution Overview
Intelligent Governance, Risk and Compliance
Content
– Annual subscription
– Quarterly updates
– Harmonized library
– Content available for: Financial Services, Healthcare, Life Sciences, Retail, Government, Manufacturing, Gaming, Energy
Software
– Annual subscription
– SaaS offering
– Management capabilities for: Audit; Policy, Standards; Risk (ERM, ORM & IT); Compliance; Regulatory; Finding & Remediation; Vendor Risk Management; Business Continuity Planning
Services
– Strategy and roadmap
– Implementation
– Risk assessment
– Control definition
– Remediation planning
– Compliance readiness: HIPAA/HITECH/HITRUST; PCI DSS (Edgile is a QSA); GLBA and FFIEC; Sarbanes Oxley; etc.
Addendum
Edgile iGRC Solution Overview: iGRC Portal
[Architecture diagram. Audience Specific Users: Business 1, Business 2, Security & Privacy, Risk Team, Business Continuity, … Portal: Reporting, Dashboard, Analytics Engine, Workflow, Control Plan, … Platform: Common Utilities, Data Warehouse, Database. iGRC Enabled capabilities: Risk Assessment, Compliance Management, Vendor Risk Management, Findings & Remediation Management, Identity Management, Access Management, Role Attestation & Certification, Regulatory Framework, Key Risk Monitoring, Business Continuity Management, Control Plan Management, Configuration Management, Vulnerability Management, Threat Intel Monitoring, Asset & Inventory Management, Patch Management, Change Management, IT Process Automation, Run Book Automation, etc. Sources fed through Extract, Transform, Load (ETL): Applications, Infrastructure, Property Plant & Equipment, Departments, Business & IT Processes.]