© 2008 IBM Corporation

1H08 Security Sales Play: Section 6: Security Compliance and Audit Management

Marne E. Gordan, GRC Market Manager, [email protected], +1 703 960 9536

IBM Tivoli Security Sales

Tivoli Software: IBM Service Management: Visibility, Control & Automation

Section 6 | Security and Audit Management © 2008 IBM Corporation

Agenda

Prospecting Play: Security Compliance and Audit Management

Topic overview

Applying VCA to the opportunity

Objection Handling

Case Study


What is the Business Problem?
Our customers and prospects are on compliance overload

– Increased
  – security and compliance requirements
  – complexity
  – cost

– Moving target
  – Managing compliance over time
  – Customer has no control over setting the target or the goals
  – What worked for the previous audit doesn’t always work for the next one, especially when regulations require changing audit firms
  – Customer is at the mercy of auditors and/or examiners


How Serious Is the Problem? Serious

– The organization must be prepared to demonstrate its security posture.
– Senior management often has personal responsibility and liability associated with data security

Global
– Telstra (Australia) delisted from US markets rather than deal with Sarbanes-Oxley compliance
– FIAT chose to seek funding from European markets, rather than continue to deal with US regulations


Prevalent Regulations, Standards, and Sources


ISM - Overcoming the Barriers
‘Operations’-specific focal points based on real-world pains

IT Operations
– Service Delivery & Process Automation: Control cost and quality of service delivery through process automation and optimization.
– Service Availability & Performance: Optimize infrastructure utilization and service availability by moving from re-active to pro-active management.
– SOA Management: Deliver a web-services infrastructure that is agile, high-performing and secure.

Security Operations
– Security, Risk and Compliance Management: Stay ahead of outsider and insider threats to data, systems and applications.

Storage Operations
– Storage Management: Create highly resilient storage infrastructures, protect valuable information assets and comply with data protection policies.

Enterprise Operations
– Asset and Financial Management: Maximize the performance and lifetime value of all business assets across the enterprise.

Service Provider Ops.
– Service Assurance: Improve flexibility, reduce operating expenses, improve customer satisfaction and successfully integrate future network technologies.


The IBM Security Framework
On-demand protection to stay ahead of outsider and insider threats

Framework layers:
– Security Governance, Risk Management and Compliance
– Common Policy, Event Handling and Reporting
– Domains: People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure

• SECURITY COMPLIANCE: Demonstrable policy enforcement aligned to regulations, standards, laws, agreements (PCI, FISMA, etc.)
• IDENTITY & ACCESS: Enable secure collaboration with internal and external users with controlled and secure access to information, applications and assets
• DATA SECURITY: Protect and secure your data and information assets
• APPLICATION SECURITY: Continuously manage, monitor and audit application security
• INFRASTRUCTURE SECURITY: Comprehensive threat and vulnerability management across networks, servers and end-points


IBM Approach

Visibility: See your business
Only IBM delivers integrated visibility across Business & IT Audiences.
e.g. Contextual LoB, Compliance, Security, Service, & Domain Dashboards

Control: Govern your assets
Only IBM delivers integrated control across Business & IT Assets.
e.g. EAM, IT Asset Mgmt, Change & Config, Access & Identity Mgmt, Data Mgmt.

Automation: Build agility into Operations
Only IBM delivers integrated automation across Business & IT Operations.
e.g. Enterprise Ops, Service provider Ops, IT Ops, Security Ops, Storage Ops...


Visibility: See your business

Security and Compliance Issue
• Protect sensitive data in transit and in storage
• The organization must demonstrate:
  1. What data is being accessed
  2. How logical access is restricted
  3. How that restriction is efficiently managed

Contact: Compliance Officer (financial); Security/Privacy Officer (healthcare); CISO/CIO (other)

Lead with:
1. How are threats and events quantified and prioritized?
2. How is it proved that systems are correctly secured?
3. How is access to data determined and granted?
4. How is visibility into invalid access obtained?

Solutions:
1. SIEM combined PID (TSOM and TCIM) – visibility into data disclosure
2. TSCM – configuration (status auditing); TAM OS – lockdown
3. TCIM – system access
4. Log management PID (new)

Competition: Log Logic, Sensage, ArcSight


Control: Govern your assets

Security and Compliance Issue
• Deploy controls appropriate to the target (systems and data)
• The organization must understand and demonstrate:
  1. What data is being accessed
  2. How logical access is restricted
  3. How that restriction is efficiently managed

Contact: CISO/ISO; Compliance Officer

Lead with:
1. How is security policy implemented against innovation projects?
2. How is access to systems by privileged users controlled?

Solutions:
1a. FIM – user provisioning and access control (SOA: 3rd parties)
1b. TIM – Account plus Access rights
2a. TCIM – Access management
2b. TAM – Provisioning and de-provisioning users (TAM OS)

Competition: Oracle, CA, Sun, Microsoft, Novell


Automation: Build agility into Operations

Security and Compliance Issue
• Manage and monitor the target over time
• The organization must be able to:
  1. Obtain target-wide data from tools
  2. Obtain aggregate data from multiple sources
  3. Analyze all data
  4. Produce meaningful reporting

Contact: CISO/ISO; Compliance Officer

Lead with:
1. How do I automate reporting and collection of security event data?
2. How is data access monitored?
3. How is privileged user activity monitored?

Solutions:
1. Tivoli SIEM – monitoring and aggregating multiple sources
2. TIM – Access rights; TAM – Consistency across environment
3. TCIM – User activity

Competition: Novell


Call Scenario
A rep in Western Europe is calling on a large retailer

Compliance Requirement:
• PCI Requirements: Protect sensitive systems and data
  • cardholder data environment
  • cardholder data

Leading questions:
• Encourage the prospect to reveal manual process
• Lead YOU to the value proposition of Tivoli products


Objection Scenario

Most Common Objection
We’re already doing it ourselves. (i.e. the IT and/or security team developed their own compliance tools and reporting)

What That Really Means
We’ve developed a checklist in Excel

Response
• The most widely-deployed compliance tool/software in the world is Microsoft Excel. Supported entirely by manual process, which means:
  • Unreliable version control
  • Subjective input
  • Interpretive reporting
  • Unrepeatable results
  • Questionable findings
• Management has no:
  • Enterprise- or target-wide view of controls in place
  • Reasonable assurance that controls are functioning effectively
• Auditors will insist upon their own testing rather than rely on management opinion based upon the findings of a manual process


Objection Handling

Objection 1…
– Too expensive

Objection 2…
– Management Apathy (i.e. the CFO won’t approve expenditures for compliance, management would rather pay the fines than spend on compliance activities, etc.)

Response: Pay now or pay later

The costs of security breaches can be staggering – data recovery, repairing associated damage to systems, overtime for security personnel, etc. Consulting or forensic investigation is often necessary, as is a follow-up security audit. It doesn’t end with the breach. Data breach notification is expensive. There are fines and penalties associated with non-compliance, not to mention legal fees, settlements, etc. It can add up quickly. In most cases, these are unbudgeted costs.

Response: Management faces personal responsibility/liability

Quite a few organizations suffer from “management apathy”, where C-level executives say they would rather take their chances and get caught being out of compliance than pay to implement and manage the required controls. Legally (and ethically) this is a disastrous business strategy.


Objection Handling

Objection 3…
– We don’t have any compliance requirements. (i.e. we are not affected by SOX, PCI, etc.) [This is an objection typically raised by small business, and occasionally by mid-sized businesses. Larger organizations rarely raise this objection.]

Response: Are you certain?
The organization’s general counsel is typically responsible for identifying the state and federal requirements to which the organization is subject, as well as any applicable international laws. Many organizations, however, were surprised to find that they were subject to requirements from outside their core industry. HIPAA, GLB, and PCI are prime examples, because they include third party organizations that have access to data designated as sensitive. Sarbanes-Oxley affects all organizations that are publicly traded in US markets. Make sure your prospect has an up-to-date inventory of applicable regulations and standards.


Kohl’s Department Stores

Client requirements
– Manage user identification and access rights to increase the accessibility of business-critical systems and avoid the security breaches associated with personnel turnover
– Improve the company’s ability to comply with Sarbanes-Oxley (SOX) regulations
– Also subject to PCI DSS

Solution
– Bolstered information technology (IT) security by engaging IBM Global Technology Services to implement an automated identity management solution based on IBM Tivoli® Access Manager, IBM Tivoli Identity Manager and IBM Tivoli Directory Integrator applications
– Installed IBM eServer™ pSeries® servers to support the security software

Benefits
– Allows Kohl’s to provision a new account in 20 minutes instead of 3 weeks, reducing the per-account cost from US$230 to US$15
– Enables the client to save 60 hours of IT labor per week, since fewer password resets are required
– Helps to put Kohl’s in compliance with SOX regulations
– Can also positively impact PCI compliance

kohls.com
Industry: Retail
Profile: An apparel and home products retailer with more than 560 stores across 37 U.S. states
Size: 10,000 or more employees
Category: Infrastructure Solutions – IT Security


Proving it to the auditor…
Tivoli security portfolio reports

Compliance Reporting (TCIM): ISO 27001, PCI, Sarbanes-Oxley, GLB, HIPAA, FISMA

Identity Management
– Monitor and log all security activities: General Audit Event Details Report; General Audit Event History; Audit Event History by User; Failed Authentication History; Failed Authorization History; Locked Account History; User Password Change History; Administrator and Self-Care Password Change History; Certificate Expiration Report; Most Active Accessors Report; Authorization Event History by Action; General Administration Event History; User Administration Event History; Group Administration Event History; Security Server Audit Event History; Resource Access By Accessor Report; Resource Access By Resource Report
– Perform Provisioning Activities: User Administration Event History; Group Administration Event History; Provisioning Activities performed by Individual; Server Availability Report; Services; Policies
– Maintain effective authentication and access: General Authorization Event History; Locked Account History; User Password Change History; Administrator and Self-Care Password Change History
– Authenticate All Users: General Authentication Event History; Failed Authentication Event History

User Account Management
– Follow Appropriate Segregation of Duties: Individual Accounts; Accounts by Role; Accounts on Service; Entitlement by individual; General Administration Event History; ACI
– Periodically Review Access Rights: Individual Accounts; Accounts by Role; Accounts on Service; Entitlement by individual; Reconciliation Status; Non-compliant accounts
– Define User Account Management Procedures: Policies governing a role; Approvals/Rejections; Pending Approvals; Suspended Accounts; Suspended People

Incident and Problem Management
– Supports timely investigation of unauthorized activities: Mean Time to Ticket Acknowledgement; Total Ticket Volume for Priorities; Mean Time to Ticket Resolution
– Incidents and problems are recorded, analyzed and resolved in a timely manner: Incident Resolution Status by Watchlist – SOX-related systems; Analyst Responsiveness Trend Report; Incident Time to Resolution Report; Incident Time to Resolution Trend Report

Operational Security Management
– Monitor and log all security activities: Top Destination Threats by Event Class – SOX; Top Events by Event Class – SOX; Top 20 Source IPs by Watchlist – SOX; Asset Vulnerability Detail by Watchlist – SOX; Top Repeated Connections; Top Destination IPs by Event Class; Top Repeated Connections from Sensor; Top Destination IPs for Protocol; Top Destinations by Sensor; Top Repeated Connections with Dest Port; Top Destinations by Watchlist – SOX; Top Source IPs; Top Source IPs for Event Class; Top Dest Threats and Respective Source Threats by Event; Top Source IPs for Protocol; Top Dest Threats and Respective Source Threats for IP; Top Sources by Sensor; Top Sources by Watchlist


In Conclusion
The implementation period for the prevalent regulations is over
– SOX 404 – November 2007 for all filers in US markets
– PCI – December 2007 for all merchants in the payment system
– HIPAA and GLB are years into maturity
– ISO 27001, ITIL, CobiT and COSO are voluntary standards with no fixed deadlines

Compliance is NOT over
– 30+% of retailers worldwide will not make the compliance deadline for PCI*
– 53% of organizations have failed to meet one or more of PCI’s 230 requirements
– An estimated 8% of filers will not make the SOX Section 404 compliance deadline
– 12 – 15% of affected filers have made a negative assertion or received a qualified opinion on the internal controls+
– Hundreds of US organizations have suffered data breaches, and notified their consumers as required by state law

So cut to the chase . . . .
– Ask about the results of testing, audits, reports of findings, etc.
– Ask about areas of weakness and/or concerns
– Ask how the organization demonstrates compliance – management and monitoring
– Ask how the organization can “prove” compliance

* Source: http://www.darkreading.com/document.asp?doc_id=134856
+ This includes all internal controls, not just those related to IT


Please Take a Few Minutes to Complete a 5 Question Survey

Now that you have completed this virtual training session we would ask that you take our 5 question survey at the following web site

This will give us the chance to improve and enhance our training to better serve you and your needs

http://w3.rchland.ibm.com/systemsgroup/surveys/sec6_tsenable/


Thank You

Merci

Grazie

Gracias

Obrigado

Danke
