Welcome: We will be starting in approximately 10 minutes
Welcome: We will be starting in approximately 5 minutes
Welcome: We will be starting in approximately 2 minutes
WELCOME
Prevalent MasterCard Update
Questions or Issues
About Prevalent Networks
Enterprise Governance, Risk and Compliance: Key Concerns (Symantec Control Compliance Suite 10.0). Security Risks; Regulatory / Audit Compliance; Security and Compliance Costs
Costs of IT Compliance Remain High (Symantec Control Compliance Suite 10.0). Source: IT Policy Compliance Group n=3,000; Seattle Post Intelligencer - www.seattlepi.com/boeing/sox/. [Chart: 2006 – 2008 Average Annual Regulatory Audit Spend MM]
Automation Reduces Audit Costs and Improves Outcomes (Symantec Control Compliance Suite 10.0). * Based on a survey of 3,280 companies. Source: IT Policy Compliance Group. [Chart 1: "Automation increases audit frequency which reduces risk"; months between assessments (0 to 7), least mature to most mature.] [Chart 2: "Mature organizations use automation to reduce costs by up to 54%"; relative spend on regulatory compliance (0% to 100%), least mature to most mature; 54% less.]
IT Governance Risk and Compliance is a Complex Problem (Symantec Control Compliance Suite 10.0). [Diagram labels: POLICY, ASSETS, CONTROLS, EVIDENCE, TECHNICAL CONTROLS, PROCEDURAL CONTROLS, DATA CONTROLS, 3rd PARTY EVIDENCE, REPORT, REMEDIATE; some elements are tagged NEW or IMPROVED.]
Symantec Control Compliance Suite (Symantec Control Compliance Suite 10.0). [Diagram labels: POLICY, ASSETS, CONTROLS, EVIDENCE, TECHNICAL CONTROLS, PROCEDURAL CONTROLS, DATA CONTROLS, 3rd PARTY EVIDENCE, REPORT, REMEDIATE; some elements are tagged NEW or IMPROVED.]
Symantec Control Compliance Suite Symantec Confidential
Define and Manage Policies (Symantec Control Compliance Suite 10.0). Control Compliance Suite Policy Manager. POLICY. Corporate Policies Lifecycle: 1 Define, 2 Review, 3 Approve, 4 Distribute, 5 Track Acceptances/Exceptions
Policy-driven Risk and Compliance Management. Create, Map, Distribute, Prove. ISO, SOX, PCI, COBIT. Symantec Confidential
Written Policy Management Symantec Confidential Display Evidence Demonstrate Coverage Distribute Define Written Policy
Automatically Assess IT Infrastructure (Symantec Control Compliance Suite 10.0). Control Compliance Suite Standards Manager. TECHNICAL CONTROLS. 1 Define Standards, 2 Evaluate (agent and/or agent-less), 3 Analyze and Fix. Managed/Unmanaged Assets
Conduct Advanced Vulnerability Assessment (Symantec Control Compliance Suite 10.0). Control Compliance Suite Vulnerability Manager. TECHNICAL CONTROLS. Control Compliance Suite Vulnerability Manager chains together all vulnerabilities found to uncover new, hidden issues
Automatically Evaluate Procedural Controls (Symantec Control Compliance Suite 10.0). Control Compliance Suite Response Asset Manager. PROCEDURAL CONTROLS. Administer Survey; Distribute via web; Respondents; Consolidate responses; Analyze Results
Identify and Prioritize Critical Assets (Symantec Control Compliance Suite 10.0). DATA CONTROLS. Data Loss Prevention Discover
Report on Risk and Compliance Posture (Symantec Control Compliance Suite 10.0). REPORT. Control Compliance Suite (Infrastructure)
Remediate Deficiencies Based On Risk (Symantec Control Compliance Suite 10.0). REMEDIATE. Symantec ServiceDesk
CCS and Policy Portal Demo
Questions…

Lunch and Learn: June 29, 2010


Editor's notes

  1. In talking to our customers we have found that their compliance challenges typically fall into these 3 categories: (1) IT Risks, (2) Regulatory or Compliance Readiness, (3) Security and Compliance Costs.
     IT Risks
     • Security threats are growing in number and sophistication.
     • Large, complex IT infrastructures make it difficult to control deviations from standards or configuration drift.
     • Most of our customers have to comply with a growing number of industry regulations and internal mandates. For example, today’s average enterprise is exploring 17 standards and frameworks, according to Symantec’s 2010 State of the Enterprise Security study.
     Audit Readiness
     • Many companies we speak to have challenges providing auditable evidence of their compliance posture and are simply not confident of passing upcoming audits.
     • They realize the need to increase the frequency of compliance assessments, but this is a costly proposition when compliance processes are handled manually.
     Security and Compliance Costs
     • Many companies we speak to still resort to checklists and ad hoc controls.
     • Most still have a siloed approach towards compliance, with overlapping regulatory requirements leading to redundant efforts because of IT control overlaps.
     • This leads to overspending on the audit process in order to eventually pass: the IT Policy Compliance Group notes that 70% are spending 2x more on audits than needed. (IT Policy Compliance Group 2008 Annual Report. Independent research consortium made up of over 3,000 members and 26 advisory firms. This benchmark research was conducted with over 2,600 firms, 90% of which were located in North America.)
  2. Compliance also costs real money on an ongoing basis.
     • Boeing paid $165M to pass its SOX audit from 2004 through 2007: three and a half times more than similar aerospace companies.
     • They needed 1 audit firm and 2 consulting firms to assist in closing the gap for SOX.
     • The root problems uncovered by these SOX 404 controls tests were inconsistent information security policies, procedures and controls.
     • Boeing is not alone: 70% of organizations are spending twice as much as is necessary to pass audits, according to the IT Policy Compliance Group.
     • The connection between information security and audit has been proven from recent research: organizations who are not doing anything about audit are the same organizations experiencing the highest levels of data loss and theft (IT Policy Compliance Group).
  3. Automation can reduce not only compliance costs but also IT risks.
     • The graph on the left shows how automation can facilitate more frequent audit checks, which ultimately reduces risk amongst the most mature companies. The risks we are referring to include theft or loss of customer data, compliance deficiencies that must be corrected to pass an audit, and business downtime from IT disruptions/failures.
     • Audit costs are a function of 3 things: (1) the number of controls you need to evaluate, (2) the frequency of evaluation, (3) the number of times you run controls/fix errors before you become compliant.
     • The graph on the right shows that as companies move from low maturity to high maturity, initially the cost of compliance increases. This is because of two things. Firstly, immature companies typically use multiple point solutions to manage policies, assets and distribute questionnaires, driving up costs. Secondly, as a company moves along the maturity curve, they tend to assess controls more frequently, which also drives up costs.
     • It’s only when they consolidate efforts under one automated compliance solution that they can reduce these costs by up to 54%.
  4. As you already know, Control Compliance Suite is a fully automated solution designed to effectively manage your IT risk and compliance challenges at lower levels of cost and complexity.
     • CCS 10.0 delivers added value by providing even greater visibility into your IT risk and compliance posture for improved decision making.
     • This is achieved by integrating content awareness from Symantec Data Loss Prevention, adding advanced vulnerability assessment capabilities and providing the ability to automatically collect and manage data evidence from multiple external sources.
     • To complement these capabilities, CCS 10.0 features dynamic Web-based dashboards, making it possible to get the right information to the right people quickly and easily.
  5. With CCS you can leverage a database of 125 sample policies and policy templates covering multiple best practice frameworks and industry regulations.
     • As regulations change, we have a team in TX who monitor changes and translate them into technical and procedural control statements so you don’t have to (feed live updates quarterly).
     • CCS is purpose-built to manage the full policy lifecycle: define, review, input, approval and distribution.
     • It includes a policy “map” view that provides a visual representation of which policies align to which regulations and frameworks, so that you can quickly identify any gaps.
     • You can also define a superset of control requirements across multiple regulations, frameworks and policies, enabling you to avoid control overlaps and prioritize these high-value controls.
  6. Policy Manager does 4 key things:
     • Define written policies (with CCS 8.5 we also ship with many pre-built policy templates).
     • Electronically distribute these policies and track acceptances/exceptions.
     • Demonstrate coverage of mandated control objectives.
     • Collect evidence and report on compliance levels.
  7. CCS Standards Manager uses proven, trusted BindView and ESM technologies, developed over 12+ years of experience.
     • Standards Manager allows you to determine which IT controls are needed and map them to external regulations/best practices and internal policies.
     • You can leverage best-in-class pre-packaged content: we have over 2,900 control statements mapped to thousands of technical and procedural controls.
     • Standards Manager features an Entitlements Module that automatically reviews entitlements to sensitive data. You can even set up periodic review and approval cycles to ensure permissions granted to sensitive data are tracked over time.
     • You can automatically identify any deviations from technical standards or configuration drift (for networked servers/desktops/databases/directories).
     • It also gathers compliance evidence via a flexible agent-based or agentless method so you can answer key questions like “Which accounts lack passwords or have weak or expired passwords?” and “When was the last time each application on each machine was updated?”
  8. CCS VM delivers end-to-end discovery and vulnerability assessment of Web applications, databases, servers and other network devices.
     • It includes vulnerability detection for AJAX and Web 2.0 applications.
     • It features vulnerability content for most popular database management systems: MySQL®, Sybase®, Informix®, Oracle®, PostgreSQL and others.
     • You can map out your extended network, identifying threats from both managed and unmanaged devices to gain a single view of security threats across IT infrastructure (chaining).
     • A unique risk scoring algorithm provides insight into whether or not a vulnerability is exploitable.
     • CCS VM includes support for Supervisory Control and Data Acquisition (SCADA) systems (critical for NERC initiatives).
  9. RAM automates the assessment of procedural controls governing employee behavior.
     • We offer out-of-the-box, comprehensive coverage for 60+ regulations, frameworks and best practices that are translated into questionnaires to assess the effectiveness of your procedural controls, so you don’t have to.
     • RAM uses a web-based survey tool with analytical capabilities that allows you to poll business owners on the completion of required procedures.
     • It integrates with Active Directory so you can filter who you survey.
     • You can conduct risk-weighted surveys, viewing and sorting responses by any variable, such as asset, respondent, regulation, policy or procedure, and then rank deficiencies based on risk.
     • Following the distribution of new policies you can track responses such as acceptances, clarification requests and exception requests.
     • RAM facilitates more frequent evaluation of your procedural controls, improving your risk and compliance posture.
     • Usage scenarios include: conducting security awareness training to track retention of policies and procedures; conducting vendor assessments to ensure appropriate safe-handling of controls and procedures for PII and other confidential information.
  10. Symantec DLP is now tightly integrated with CCS 10.0 so you can ensure IT assets with the most sensitive information comply with security and regulatory policies.
     • Symantec DLP scans networks, endpoints and servers to locate sensitive data and sends incident and asset data back to CCS for analysis and review.
     • CCS then creates an asset group by tagging these assets with sensitive information so you can prioritize them for technical controls evaluations and elevate hardening measures accordingly.
  11. CCS 10.0 features highly customizable dashboards allowing you to select from multiple panel views and filtering options, build actionable reports, and drill down to granular data to discover root causes and isolate problem areas.
     • For example, you can deliver reports that show the percentage of systems in compliance with security standards for each business unit while allowing users to see exactly which servers met or failed to meet standards.
     • Dashboards combine data gathered from all assets, data sets, controls and policies in one location to facilitate comprehensive analysis of your IT risk and compliance posture.
     • Since there is no additional software required, these browser-based dashboards ensure low-cost, low-risk end-user deployment.
  12. CCS allows you to prioritize remediation efforts based on risk and the importance of the asset so you focus on fixing the most critical deviations first.
     • CCS quantifies risk based on the industry-standard risk-scoring algorithm, the Common Vulnerability Scoring System (CVSS). Based on a range of 1-10, high-risk assets like PCI servers have a higher risk score.
     • You can also assign a compliance score: the higher the score is, the more important it is that the asset be in compliance (e.g. you could set a compliance score of 99% for an external-facing web server but lower for a print server).
     • CCS offers out-of-the-box integration with Symantec’s Altiris Service Desk 7 for closed-loop remediation. Once CCS detects a compliance failure you can initiate automated remediation ticketing, where tickets are created on the back end and automatically verified when closed.
     • CCS delivers open-loop remediation with other popular systems (Remedy, HP Service Desk): assisted ticket creation via API.
     • This triggered workflow reduces the burden on helpdesks and ensures quicker response.