1 © Copyright 2012 EMC Corporation. All rights reserved.
BUILDING BEST OF BREED eGRC SOLUTION
With RSA Archer and Qualys
Jason Creech Director, Policy Compliance, Qualys
Laurie DiPietratonio Technical Account Manager, Qualys (formerly CVS)
Agenda
Why Automate
– Increased Regulatory Requirements
– Communication and Awareness Challenges
– Increased Visibility and Avoidance of Findings
Evolve a Vulnerability Management Program with eGRC Integration
– Case Study and Lessons Learned
Q & A
Automation of Manual IT Security Processes: Regulatory Landscape (U.S.)
Driving Force Behind IT Security Software
Seeing more standards, frameworks and regulations, many of them industry specific…
Still no standardization, even though many regulations are over a decade old…
Timeline (1990s to 2000 and beyond):
– FDA 21 CFR Part 11 (Pharma)
– HIPAA Security Rule
– EU Data Protection Directive
– GLBA
– FFIEC IT Exam Handbook
– PIPEDA (Canada)
– FDCC/SCAP
– NIST SP 800-53
– PCI Data Security Standard
– EC Data Privacy Directive
– ISO 17799 / 27001 / 27002
– FISMA 2002
– Basel II (III) Accord
– Sarbanes-Oxley
– NERC 1, 2, 3, 4…
– California SB 1386 Privacy
– ITIL v3
Challenges of a Compliance Framework: IT Compliance (Security) Policy Basics
Simple Compliance Framework (diagram, high level to detailed level):
– Regulations, Frameworks, Standards: SOX, HIPAA, GLBA; CoBIT, COSO; ISO17799; PCI, NIST, NERC
– Policies, Standards, Business Requirements (high level)
– Controls (Manual/Automatic)
– Procedures and Guidelines: Detail and Enforcement (detailed level)
Example, from policy statement down to technology detail:
– Policy: “Vulnerable Processes must be eliminated..”
– Control: CID 1130 The telnet daemon shall be disabled
– Technology: AIX 5.x Telnet streams are transmitted in clear text, including usernames and passwords…
Stakeholders shown on the diagram:
– SME
• Control Implementation
• GRC Vendor
• Data Harvesting Vendors
– Business Unit Managers and Compliance Audit
– Security Operations
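The slide's example control (CID 1130, "The telnet daemon shall be disabled", applied to AIX 5.x) is the kind of check that automation turns from a manual audit step into a repeatable pass/fail result. The following is an added example written for this page, not Qualys, Archer or CVS code: it evaluates an inetd-style configuration against that control and generalizes to any inetd service that a control forbids. The inetd.conf samples are constructed, and the Finding record is an assumed shape, not the Archer data feed schema.

```python
"""Automated evaluation of a control like CID 1130 ("The telnet daemon
shall be disabled") against AIX-style inetd.conf text.  Added example for
this page; not Qualys, Archer or CVS code.  The configuration samples are
constructed and the Finding record is an assumed shape."""
from dataclasses import dataclass, field

# Constructed sample: telnet is still served by inetd, so the control fails.
INETD_CONF_TELNET_ON = """\
## /etc/inetd.conf (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
"""

# Constructed sample: the telnet line has been commented out, so the control passes.
INETD_CONF_TELNET_OFF = """\
## /etc/inetd.conf (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
"""


@dataclass
class Finding:
    """Assumed record shape for one control result (not an Archer schema)."""
    control_id: str
    statement: str
    status: str                       # "PASS" or "FAIL"
    evidence: list = field(default_factory=list)


def enabled_services(conf_text):
    """Return {service_name: config_line} for every active inetd.conf entry.
    Blank lines and lines starting with '#' are not active services."""
    services = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # The first whitespace-separated field of an inetd entry is the service name.
        services[stripped.split()[0]] = stripped
    return services


def check_inetd_service_disabled(conf_text, control_id, statement, service):
    """Generic control: the named inetd service must not be enabled.
    The offending configuration line is kept as evidence for the auditor."""
    active = enabled_services(conf_text)
    if service in active:
        return Finding(control_id, statement, "FAIL", [active[service]])
    return Finding(control_id, statement, "PASS")


def check_cid_1130(conf_text):
    """CID 1130 as stated on the slide, evaluated against inetd.conf text."""
    return check_inetd_service_disabled(
        conf_text, "CID 1130", "The telnet daemon shall be disabled", "telnet")


if __name__ == "__main__":
    for label, conf in (("telnet on", INETD_CONF_TELNET_ON),
                        ("telnet off", INETD_CONF_TELNET_OFF)):
        finding = check_cid_1130(conf)
        print(f"{label}: {finding.control_id} {finding.status} {finding.evidence}")
```

Because the check keeps the exact configuration line as evidence, each run produces the confirmation artifact an audit needs rather than a discovery task for the auditor.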
Why Automate? Increased Visibility and Integrity of Data
Chart: Manual Audit Sampling Methods (Manual Audit A, Manual Audit B) on a Six Months Audit Schedule; y-axis: Probability of Compliance Drift
Chart: Software Assisted Automated Audits (A, B, C, D, E, F, G, I); y-axis: Probability of Compliance Drift
Avoid treating audits as a discovery exercise; audits should be a confirmation exercise!
Delivering a Global & Continuous View of Security and Compliance
Integration of VM with IT-GRC
– Automates the collection of security and compliance data with customizable policies, questionnaires and workflows, helping organizations to expedite compliance
Benefits
– Agent-less compliance auditing supporting multiple regulatory mandates
– Customizable questionnaires and workflows to evaluate controls, gather evidence and validate compliance
– Seamless integration with the Archer GRC solution
QualysGuard API Integration with Archer
Diagram: Technical data collection via scanning across the technical infrastructure (Operating System, Database, Web Application, Network, Perimeter) is exposed through the Qualys API; the Archer Data Feed Manager brings Vulnerability and Threat Data and IT Configuration Compliance Data into IT GRC Process Management, mapped to the business process (example Business Service: Automated Funds Transfer).
Case Study
Integration Use Case at America’s Leading Retail Pharmacy
What Makes a Strong Vulnerability Management Program?
Technology
Strategy
Process
Awareness
Technology
Why a VM Program?
Our Expanded QualysGuard Deployment offers us:
– An automated lifecycle for network auditing and vulnerability management across the enterprise
– Network discovery and mapping
– Asset prioritization
– Vulnerability assessment reporting
– Remediation tracking
– Faster, more frequent scanning
Strategy
Two-Part Strategy
Strategy 1: The Program Strategy
– Implementing a strong Vulnerability Management Standard, with executive sponsorship
Strategy 2: The Enterprise Strategy
– Incorporate your Vulnerability Management in the greater Information Security Program
Process
Why eGRC?
Workflow
Tailored solution for our enterprise
Metrics – Dashboards and Reporting
Promotion – increased end-user awareness and involvement
Awareness
Awareness
Program Coordinator
Remediation SME Support
Weekly Remediation Meetings
Information Repository
Regular Trainings
Regular Email Communications
Senior Management Briefings
The Newly Restructured Program Achieved the Following
– Remediation owner active participation led to greater completion rates
– The program had 10% better completion on time metrics for Q3 and 15% better for Q4 than prior quarters
– Senior management’s better understanding allowed the program to influence other program processes across the enterprise
– We expanded our scope and were scanning more assets than ever before
– We were able to provide the actual metrics to rate performance
Thank you.