prevalentnetworks
Control Compliance Suite and Policy Portal presentation.
Welcome
We will be starting in approximately 10 minutes
• Compliance Automation and Policy Management
Lunch & Learn
Prevalent MasterCard Update
• Service company no longer in business.
• Looking for an alternative to the card.
• All registrants for this Lunch and Learn were sent a certificate that can be used for lunch.
• We will send instructions on whether any additional funds left on the card can be used.
Questions or Issues
• Lunch or Technical – [email protected]
• Topic Q&A – Please use chat feature in GoToMeeting client.
• My Contact information:
– Jonathan Dambrot
– [email protected]
– 646-442-4236
About Prevalent Networks
• Founded January 5, 2004
• Solution Focus on Risk Management
– Information Security
– IT Compliance
– Disaster Recovery, Availability, and Backup
– Infrastructure
• Consulting and Engineering Services across all solution areas.
• Certified Sales and Consulting Staff Across All Solutions
• Symantec Platinum Partner
• Sit on the Symantec Partner Advisory Council and Technical Advisory Council
• Highest level partner for most other vendors.
• Offices in New Jersey (HQ), New York, Mass, and Philadelphia
– National Project Teams
Symantec Control Compliance Suite 10.0
Enterprise Governance, Risk and Compliance: Key Concerns
Security Risks
• Increasing sophistication of threats
• Changing infrastructure & configurations
• Increasing regulatory mandates
Regulatory / Audit Compliance
• Frequency of assessments
• Internal and external audit
• Reporting to multiple constituencies
Security and Compliance Costs
• Overlapping matrix control objectives
• Manual assessment of controls
• Scale and diversity of environment
Costs of IT Compliance Remain High
Source: IT Policy Compliance Group, n=3,000; Seattle Post Intelligencer - www.seattlepi.com/boeing/sox/
Case study: Boeing Aerospace
• Failed SOX audit in 2004
• Spent $165M in 2005-2007 to resolve issues
• Root problem: inconsistent information security policies, procedures, and controls, including:
- Database and application patching
- Failed/missing controls
- Improper access rights
[Chart: 2006 – 2008 Average Annual Regulatory Audit Spend, MM]
Automation Reduces Audit Costs and Improves Outcomes
Automation increases audit frequency which reduces risk
[Chart: months between assessments (0 to 7), least mature to most mature organizations]
Mature organizations use automation to reduce costs by up to 54%
[Chart: relative spend on regulatory compliance (0% to 100%), least mature to most mature organizations; 54% less]
* Based on a survey of 3,280 companies. Source: IT Policy Compliance Group
IT Governance Risk and Compliance is a Complex Problem
[Diagram labels: ASSETS, CONTROLS, EVIDENCE; slide badges: NEW, IMPROVED]
POLICY
• Define and manage policies for multiple mandates with out-of-the-box policy content
• Map policies to control statements
TECHNICAL CONTROLS
• Automatically identify deviations from technical standards
• Identify critical vulnerabilities
PROCEDURAL CONTROLS
• Replace paper-based surveys with web-based questionnaires to evaluate if policies were read and understood
DATA CONTROLS
• Tight integration with Symantec™ Data Loss Prevention to prioritize assessment and remediation of assets based on value of data
3rd PARTY EVIDENCE (NEW)
• Combine evidence from multiple sources and map to policies
REPORT
• Gather results in one central repository and deliver dynamic web-based dashboards and reports
REMEDIATE
• Remediate deficiencies based on risk via integration with popular ticketing systems
Symantec Control Compliance Suite
[Diagram labels: ASSETS, CONTROLS, EVIDENCE; POLICY, TECHNICAL CONTROLS, PROCEDURAL CONTROLS, DATA CONTROLS, 3rd PARTY EVIDENCE, REPORT, REMEDIATE; slide badges: NEW, IMPROVED]
• Symantec™ Control Compliance Suite Standards Manager
• Symantec™ Control Compliance Suite Vulnerability Manager
• Symantec™ Control Compliance Suite Policy Manager
• Symantec™ Control Compliance Suite Response Assessment Manager
• Symantec™ Control Compliance Suite (Infrastructure)
• Symantec™ ServiceDesk 7.0
• Symantec™ Data Loss Prevention Discover
• Symantec™ Control Compliance Suite (Infrastructure) (NEW)
Symantec Confidential
Symantec Control Compliance Suite
Define and Manage Policies
POLICY
Control Compliance Suite Policy Manager
• Automate entire IT policy lifecycle to reduce cost and complexity
• Define policies with out-of-the-box policy content
• Assess coverage for regulations and best practices
• Automatic regulatory updates
• Map policies to control statements
• De-duplicate common controls across multiple regulations
Corporate Policies Lifecycle
1. Define
2. Review
3. Approve
4. Distribute
5. Track Acceptances/Exceptions
Policy-driven Risk and Compliance Management
[Diagram labels: ISO, SOX, PCI, COBIT; Create, Map, Distribute, Prove]
CORPORATE POLICIES
• Malware
• Access Control
• Acceptable Use
• Evidentiary data feeds for technical controls
• Evidence for non-technical controls
Written Policy Management
[Diagram labels: Define Written Policy, Distribute, Demonstrate Coverage, Display Evidence]
Automatically Assess IT Infrastructure
TECHNICAL CONTROLS
Control Compliance Suite Standards Manager
• Improve visibility into IT risk and reduce compliance cost and complexity
• Automate assessment of technical controls to identify deviations or configuration drift
• Leverage best-in-class pre-packaged content
• Manage exceptions
• Flexible agent-based or agent-less data gathering options
1. Define Standards
2. Managed/Unmanaged Assets
3. Analyze and Fix
Evaluate (agent and/or agent-less)
Conduct Advanced Vulnerability Assessment
TECHNICAL CONTROLS
Control Compliance Suite Vulnerability Manager
• Proactively prevent threats to critical assets and information
• Identify critical vulnerabilities in Web applications, databases, servers and other network devices
• More than 54,000 checks across 14,000 vulnerabilities
• Unique vulnerability “chaining” mechanism
• Unique risk scoring algorithm
• High performance 64-bit scan engine
Control Compliance Suite Vulnerability Manager chains together all vulnerabilities found to uncover new, hidden issues
Automatically Evaluate Procedural Controls
Control Compliance Suite Response Asset Manager
PROCEDURAL CONTROLS
• Replace costly, time-consuming manual processes
• Automate assessment of procedural controls
• Web-based questionnaires covering 60+ regulations and frameworks
• Assess via risk-weighted surveys
• Track responses - acceptances, exception and clarification requests
[Diagram labels: Administer Survey, Distribute via web, Respondents, Consolidate responses, Analyze Results]
Identify and Prioritize Critical Assets
• Gain a better overview of compliance and security posture
• Use Symantec Data Loss Prevention Discovery information to identify assets with critical data
• Prioritize these assets for controls evaluation
• Elevate hardening measures on these assets
• Show Control Compliance Suite and Data Loss Prevention data side by side to prioritize remediation efforts
DATA CONTROLS
Data Loss Prevention Discover
Report on Risk and Compliance Posture
REPORT
Control Compliance Suite (Infrastructure)
• Deliver relevant data to multiple stakeholders for better decision making
• Web-based dynamic dashboards and reports
• Integrate technical, procedural and data controls with evidence from external systems
• Select from multiple panel views and filtering options and drill down for granular details
• Low cost end-user deployment
Remediate Deficiencies Based On Risk
REMEDIATE
Symantec ServiceDesk
• Improve IT risk posture by fixing the most critical deviations first
• Prioritize remediation efforts based on compliance and risk scores (quantify risk using CVSS)
• Provide detailed remediation instructions
• Automated integration with ticketing systems:
− Closed-loop verification with Altiris™ Service Desk
− Remedy™, HP Service Manager™
CCS and Policy Portal Demo
• Compliance Automation and Policy Management
Questions…
• Thank you!