© 2008 IBM Corporation
1H08 Security Sales Play:Section 6: Security Compliance and Audit Management
Marne E. Gordan, GRC Market [email protected], +1 703 960 9536
IBM Tivoli Security Sales
Tivoli Software: IBM Service Management: Visibility, Control & Automation
Section 6 | Security and Audit Management © 2008 IBM Corporation
Agenda
Prospecting Play: Security Compliance and Audit Management
Topic overview
Applying VCA to the opportunity
Objection Handling
Case Study
What is the Business Problem?
Our customers and prospects are on compliance overload
– Increased security and compliance requirements, complexity and cost
– Moving target: managing compliance over time
  – The customer has no control over setting the target or the goals
  – What worked for the previous audit doesn’t always work for the next one, especially when regulations require changing audit firms
– The customer is at the mercy of auditors and/or examiners
How Serious Is the Problem?
Serious
– The organization must be prepared to demonstrate its security posture.
– Senior management often has personal responsibility and liability associated with data security
Global
– Telstra (Australia) delisted from US markets rather than deal with Sarbanes-Oxley compliance
– FIAT chose to seek funding from European markets rather than continue to deal with US regulations
Prevalent Regulations, Standards, and Sources
ISM - Overcoming the Barriers: ‘Operations’-specific focal points based on real-world pains

IT Operations
– SOA Management: Deliver a web-services infrastructure that is agile, high-performing and secure.
– Service Availability & Performance: Optimize infrastructure utilization and service availability by moving from re-active to pro-active management.
– Service Delivery & Process Automation: Control cost and quality of service delivery through process automation and optimization.

Security Operations
– Security, Risk and Compliance Management: Stay ahead of outsider and insider threats to data, systems and applications.

Storage Operations
– Storage Management: Create highly resilient storage infrastructures, protect valuable information assets and comply with data protection policies.

Enterprise Operations
– Asset and Financial Management: Maximize the performance and lifetime value of all business assets across the enterprise.

Service Provider Ops.
– Service Assurance: Improve flexibility, reduce operating expenses, improve customer satisfaction and successfully integrate future network technologies.
The IBM Security Framework: on-demand protection to stay ahead of outsider and insider threats
Common Policy, Event Handling and Reporting
Security Governance, Risk Management and Compliance
Domains: People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure
• SECURITY COMPLIANCE: Demonstrable policy enforcement aligned to regulations, standards, laws, agreements (PCI, FISMA, etc.)
• IDENTITY & ACCESS: Enable secure collaboration with internal and external users with controlled and secure access to information, applications and assets
• DATA SECURITY: Protect and secure your data and information assets
• APPLICATION SECURITY: Continuously manage, monitor and audit application security
• INFRASTRUCTURE SECURITY: Comprehensive threat and vulnerability management across networks, servers and end-points
IBM Approach
Visibility: See your business. Only IBM delivers integrated visibility across Business & IT audiences. e.g. Contextual LoB, Compliance, Security, Service, & Domain Dashboards
Control: Govern your assets. Only IBM delivers integrated control across Business & IT assets. e.g. EAM, IT Asset Mgmt, Change & Config, Access & Identity Mgmt, Data Mgmt.
Automation: Build agility into Operations. Only IBM delivers integrated automation across Business & IT Operations. e.g. Enterprise Ops, Service provider Ops, IT Ops, Security Ops, Storage Ops...
Visibility: See your business
Security and Compliance Issue
• Protect sensitive data in transit and in storage
• The organization must demonstrate:
  1. What data is being accessed
  2. How logical access is restricted
  3. How that restriction is efficiently managed
Contact: Compliance Officer (financial); Security/Privacy Officer (healthcare); CISO/CIO (other)
Lead with:
  1. How are threats and events quantified and prioritized?
  2. How is it proved that systems are correctly secured?
  3. How is access to data determined and granted?
  4. How is visibility into invalid access obtained?
Solutions:
  1. SIEM combined PID (TSOM and TCIM) – visibility into data disclosure
  2. TSCM – configuration (status auditing); TAM OS – lockdown
  3. TCIM – system access
  4. Log management PID (new)
Competition: Log Logic, Sensage, ArcSight
Control: Govern your assets
Security and Compliance Issue
• Deploy controls appropriate to the target (systems and data)
• The organization must understand and demonstrate:
  1. What data is being accessed
  2. How logical access is restricted
  3. How that restriction is efficiently managed
Contact: CISO/ISO; Compliance Officer
Lead with:
  1. How is security policy implemented against innovation projects?
  2. How is access to systems by privileged users controlled?
Solutions:
  1a. FIM – user provisioning and access control (SOA: 3rd parties)
  1b. TIM – Account plus Access rights
  2a. TCIM – Access management
  2b. TAM – Provisioning and de-provisioning users (TAM OS)
Competition: Oracle, CA, Sun, Microsoft, Novell
Automation: Build agility into Operations
Security and Compliance Issue
• Manage and monitor the target over time
• The organization must be able to:
  1. Obtain target-wide data from tools
  2. Obtain aggregate data from multiple sources
  3. Analyze all data
  4. Produce meaningful reporting
Contact: CISO/ISO; Compliance Officer
Lead with:
  1. How do I automate reporting and collection of security event data?
  2. How is data access monitored?
  3. How is privileged user activity monitored?
Solutions:
  1. Tivoli SIEM – monitoring and aggregating multiple sources
  2. TIM – Access rights; TAM – Consistency across environment
  3. TCIM – User activity
Competition: Novell
Call Scenario
A rep in Western Europe is calling on a large retailer
Compliance Requirement:
• PCI Requirements: Protect sensitive systems and data
  • cardholder data environment
  • cardholder data
Leading questions:
• Encourage the prospect to reveal manual process
• Lead YOU to the value proposition of Tivoli products
Objection Scenario
Most Common Objection: We’re already doing it ourselves. (i.e. the IT and/or security team developed their own compliance tools and reporting)
What That Really Means: We’ve developed a checklist in Excel
Response
• The most widely-deployed compliance tool/software in the world is Microsoft Excel. Supported entirely by manual process, which means:
  • Unreliable version control
  • Subjective input
  • Interpretive reporting
  • Unrepeatable results
  • Questionable findings
• Management has no:
  • Enterprise- or target-wide view of controls in place
  • Reasonable assurance that controls are functioning effectively
• Auditors will insist upon their own testing rather than rely on management opinion based upon the findings of a manual process
Objection Handling
Objection 1…
– Too expensive
Objection 2…
– Management Apathy (i.e. the CFO won’t approve expenditures for compliance, management would rather pay the fines than spend on compliance activities, etc.)
Response: Pay now or pay later
The costs of security breaches can be staggering – data recovery, repairing associated damage to systems, overtime for security personnel, etc. Consulting or forensic investigation is often necessary, as is a follow-up security audit. It doesn’t end with the breach. Data breach notification is expensive. There are fines and penalties associated with non-compliance, not to mention legal fees, settlements, etc. It can add up quickly. In most cases, these are unbudgeted costs.
Response: Management faces personal responsibility/liability
Quite a few organizations suffer from “management apathy”, where C-level executives say they would rather take their chances and get caught being out of compliance than pay to implement and manage the required controls. Legally (and ethically) this is a disastrous business strategy.
Objection Handling
Objection 3…
– We don’t have any compliance requirements. (i.e. we are not affected by SOX, PCI, etc.) [This is an objection typically raised by small businesses, and occasionally by mid-sized businesses. Larger organizations rarely raise this objection.]
Response: Are you certain?
The organization’s general counsel is typically responsible for identifying the state and federal requirements to which the organization is subject, as well as any applicable international laws. Many organizations, however, were surprised to find that they were subject to requirements from outside their core industry. HIPAA, GLB, and PCI are prime examples, because they include third party organizations that have access to data designated as sensitive. Sarbanes-Oxley affects all organizations that are publicly traded in US markets. Make sure your prospect has an up-to-date inventory of applicable regulations and standards.
Kohl’s Department Stores
Industry: Retail
Profile: An apparel and home products retailer with more than 560 stores across 37 U.S. states
Size: 10,000 or more employees
Category: Infrastructure Solutions – IT Security
kohls.com

Client requirements
– Manage user identification and access rights to increase the accessibility of business-critical systems and avoid the security breaches associated with personnel turnover
– Improve the company’s ability to comply with Sarbanes-Oxley (SOX) regulations
– Also subject to PCI DSS

Solution
– Bolstered information technology (IT) security by engaging IBM Global Technology Services to implement an automated identity management solution based on IBM Tivoli® Access Manager, IBM Tivoli Identity Manager and IBM Tivoli Directory Integrator applications
– Installed IBM eServer™ pSeries® servers to support the security software

Benefits
– Allows Kohl’s to provision a new account in 20 minutes instead of 3 weeks, reducing the per-account cost from US$230 to US$15
– Enables the client to save 60 hours of IT labor per week, since fewer password resets are required
– Helps to put Kohl’s in compliance with SOX regulations
– Can also positively impact PCI compliance
Proving it to the auditor… Tivoli security portfolio reports

Identity Management
– Monitor and log all security activities: General Audit Event Details Report; General Audit Event History; Audit Event History by User; Failed Authentication History; Failed Authorization History; Locked Account History; User Password Change History; Administrator and Self-Care Password Change History; Certificate Expiration Report; Most Active Accessors Report; Authorization Event History by Action; General Administration Event History; User Administration Event History; Group Administration Event History; Security Server Audit Event History; Resource Access By Accessor Report; Resource Access By Resource Report
– Perform Provisioning Activities: User Administration Event History; Group Administration Event History; Provisioning Activities performed by Individual; Server Availability Report; Services; Policies
– Maintain effective authentication and access: General Authorization Event History; Locked Account History; User Password Change History; Administrator and Self-Care Password Change History
– Authenticate All Users: General Authentication Event History; Failed Authentication Event History

User Account Management
– Follow Appropriate Segregation of Duties: Individual Accounts; Accounts by Role; Accounts on Service; Entitlement by individual; General Administration Event History; ACI
– Periodically Review Access Rights: Individual Accounts; Accounts by Role; Accounts on Service; Entitlement by individual; Reconciliation Status; Non-compliant accounts
– Define User Account Management Procedures: Policies governing a role; Approvals/Rejections; Pending Approvals; Suspended Accounts; Suspended People

Incident and Problem Management
– Supports timely investigation of unauthorized activities: Mean Time to Ticket Acknowledgement; Total Ticket Volume for Priorities; Mean Time to Ticket Resolution
– Incidents and problems are recorded, analyzed and resolved in a timely manner: Incident Resolution Status by Watchlist – SOX-related systems; Analyst Responsiveness Trend Report; Incident Time to Resolution Report; Incident Time to Resolution Trend Report

Operational Security Management
– Monitor and log all security activities: Top Destination Threats by Event Class – SOX; Top Events by Event Class – SOX; Top 20 Source IPs by Watchlist – SOX; Asset Vulnerability Detail by Watchlist – SOX; Top Repeated Connections; Top Destination IPs by Event Class; Top Repeated Connections from Sensor; Top Destination IPs for Protocol; Top Destinations by Sensor; Top Repeated Connections with Dest Port; Top Destinations by Watchlist – SOX; Top Source IPs; Top Source IPs for Event Class; Top Dest Threats and Respective Source Threats by Event; Top Source IPs for Protocol; Top Dest Threats and Respective Source Threats for IP; Top Sources by Sensor; Top Sources by Watchlist

Compliance Reporting (TCIM): ISO 27001; PCI; Sarbanes-Oxley; GLB; HIPAA; FISMA
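As an added illustration of what sits behind three of the report names above (“Reconciliation Status”, “Non-compliant accounts” and “Follow Appropriate Segregation of Duties”), here is a periodic access review written from scratch; it is not IBM Tivoli code and not part of the original deck. It reconciles an account export from a hypothetical “erp” service against an identity source of truth and a role policy, then checks segregation-of-duties (SoD) conflict pairs. Every person, role, entitlement and account is constructed for the example.

```python
"""Access review over constructed sample data: reconcile a target system's
account export against an identity source of truth and a role policy, then
flag segregation-of-duties (SoD) conflicts.

Added illustration only; this is not IBM Tivoli code. Every name and record
below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Identity source of truth, e.g. an HR feed or identity manager (constructed).
PEOPLE: Dict[str, Dict[str, str]] = {
    "alice": {"role": "ap_clerk",   "status": "active"},
    "bob":   {"role": "ap_manager", "status": "active"},
    "carol": {"role": "dba",        "status": "terminated"},  # leaver, not yet de-provisioned
}

# Role policy: the entitlements each role is allowed on the hypothetical "erp" service.
ROLE_POLICY: Dict[str, Set[str]] = {
    "ap_clerk":   {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment", "erp:view_reports"},
    "dba":        {"erp:db_admin"},
}

# SoD rule set: no single account may hold both entitlements of a pair.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("erp:create_vendor", "erp:approve_payment"),
    ("erp:enter_invoice", "erp:approve_payment"),
]

# Account export pulled from the target service during reconciliation (constructed).
SERVICE_ACCOUNTS: Dict[str, Set[str]] = {
    "alice":   {"erp:create_vendor", "erp:enter_invoice", "erp:approve_payment"},  # extra right
    "bob":     {"erp:approve_payment", "erp:view_reports"},
    "carol":   {"erp:db_admin"},        # owner terminated: orphan account
    "svc_old": {"erp:view_reports"},    # no owner at all: orphan account
}


@dataclass
class ReviewResult:
    """Findings an access-review report would carry to the auditor."""
    orphan_accounts: Dict[str, str] = field(default_factory=dict)             # account -> reason
    non_compliant: Dict[str, Set[str]] = field(default_factory=dict)          # account -> excess rights
    sod_violations: List[Tuple[str, str, str]] = field(default_factory=list)  # (account, a, b)


def reconcile(people: Dict[str, Dict[str, str]],
              role_policy: Dict[str, Set[str]],
              accounts: Dict[str, Set[str]]) -> ReviewResult:
    """Compare each service account with its owner's status and role policy."""
    result = ReviewResult()
    for account, entitlements in sorted(accounts.items()):
        owner = people.get(account)
        if owner is None:
            result.orphan_accounts[account] = "no owner in identity source"
            continue
        if owner["status"] != "active":
            result.orphan_accounts[account] = f"owner status is {owner['status']}"
            continue
        allowed = role_policy.get(owner["role"], set())
        excess = entitlements - allowed          # rights the role policy does not grant
        if excess:
            result.non_compliant[account] = excess
    return result


def check_sod(accounts: Dict[str, Set[str]],
              conflicts: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag accounts holding both halves of any conflict pair, whatever their role."""
    violations: List[Tuple[str, str, str]] = []
    for account, entitlements in sorted(accounts.items()):
        for a, b in conflicts:
            if a in entitlements and b in entitlements:
                violations.append((account, a, b))
    return violations


def run_review(people, role_policy, accounts, conflicts) -> ReviewResult:
    """Full periodic access review: reconciliation plus SoD check."""
    result = reconcile(people, role_policy, accounts)
    result.sod_violations = check_sod(accounts, conflicts)
    return result


def report_lines(result: ReviewResult) -> List[str]:
    """Render findings as the lines an auditor-facing report would show."""
    lines = [f"orphan account {acct}: {why}" for acct, why in result.orphan_accounts.items()]
    lines += [f"non-compliant account {acct}: excess {sorted(ex)}"
              for acct, ex in result.non_compliant.items()]
    lines += [f"SoD violation {acct}: {a} + {b}" for acct, a, b in result.sod_violations]
    return lines


if __name__ == "__main__":
    for line in report_lines(run_review(PEOPLE, ROLE_POLICY, SERVICE_ACCOUNTS, SOD_CONFLICTS)):
        print(line)
```

Two design points matter for an auditor. The SoD check runs on the entitlements the service actually reports, not on what the role policy says the person should have, so a conflict introduced by an out-of-policy grant (alice here) is caught even though her role alone is clean. And orphan accounts are reported separately from excess rights, because a terminated owner or a missing owner is a de-provisioning failure, which is exactly the “personnel turnover” exposure the Kohl’s case study above describes.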
In Conclusion
The implementation period for the prevalent regulations is over
– SOX 404 – November 2007 for all filers in US markets
– PCI – December 2007 for all merchants in the payment system
– HIPAA and GLB are years into maturity
– ISO 27001, ITIL, CobiT and COSO are voluntary standards with no fixed deadlines
Compliance is NOT over
– 30+% of retailers worldwide will not make the compliance deadline for PCI*
– 53% of organizations have failed to meet one or more of PCI’s 230 requirements
– An estimated 8% of filers will not make the SOX Section 404 compliance deadline
– 12–15% of affected filers have made a negative assertion or received a qualified opinion on the internal controls+
– Hundreds of US organizations have suffered data breaches, and notified their consumers as required by state law
So cut to the chase . . . .
– Ask about the results of testing, audits, reports of findings, etc.
– Ask about areas of weakness and/or concerns
– Ask how the organization demonstrates compliance – management and monitoring
– Ask how the organization can “prove” compliance
* Source: http://www.darkreading.com/document.asp?doc_id=134856
+ This includes all internal controls, not just those related to IT
Please Take a Few Minutes to Complete a 5 Question Survey
Now that you have completed this virtual training session we would ask that you take our 5 question survey at the following web site
This will give us the chance to improve and enhance our training to better serve you and your needs
http://w3.rchland.ibm.com/systemsgroup/surveys/sec6_tsenable/
Thank You
Merci, Grazie, Gracias, Obrigado, Danke
(Closing slide shows “Thank You” in Japanese, English, French, Russian, German, Italian, Spanish, Brazilian Portuguese, Arabic, Traditional Chinese, Simplified Chinese, Tamil, Thai, Korean and Hindi)