Transcript
Page 1: Lunch and Learn: June 29, 2010

Welcome. We will be starting in approximately 10 minutes.

• Compliance Automation and Policy Management

Lunch & Learn

Page 2: Lunch and Learn: June 29, 2010

Welcome. We will be starting in approximately 5 minutes.

• Compliance Automation and Policy Management

Lunch & Learn

Page 3: Lunch and Learn: June 29, 2010

Welcome. We will be starting in approximately 2 minutes.

• Compliance Automation and Policy Management

Lunch & Learn

Page 4: Lunch and Learn: June 29, 2010

WELCOME

• Compliance Automation and Policy Management

Lunch & Learn

Page 5: Lunch and Learn: June 29, 2010

Prevalent MasterCard Update

• Service company no longer in business.

• Looking for an alternative to the card.

• All registrants for this Lunch and Learn were sent a certificate that can be used for lunch.

• We will send instructions whether any additional funds left on the card can be used.

Page 6: Lunch and Learn: June 29, 2010

Questions or Issues

• Lunch or Technical – [email protected]

• Topic Q&A – Please use the chat feature in the GoToMeeting client.

• My contact information:
  – Jonathan Dambrot
  – [email protected]
  – 646-442-4236

Page 7: Lunch and Learn: June 29, 2010

About Prevalent Networks

• Founded January 5, 2004
• Solution focus on Risk Management
  – Information Security
  – IT Compliance
  – Disaster Recovery, Availability, and Backup
  – Infrastructure
• Consulting and Engineering Services across all solution areas
• Certified sales and consulting staff across all solutions
• Symantec Platinum Partner
• Sit on the Symantec Partner Advisory Council and Technical Advisory Council
• Highest level partner for most other vendors
• Offices in New Jersey (HQ), New York, Mass, and Philadelphia
  – National Project Teams

Page 8: Lunch and Learn: June 29, 2010

Symantec Control Compliance Suite 10.0


Enterprise Governance, Risk and Compliance: Key Concerns

Security Risks
• Increasing sophistication of threats
• Changing infrastructure & configurations
• Increasing regulatory mandates

Regulatory / Audit Compliance
• Frequency of assessments
• Internal and external audit
• Reporting to multiple constituencies

Security and Compliance Costs
• Overlapping matrix of control objectives
• Manual assessment of controls
• Scale and diversity of environment

Page 9: Lunch and Learn: June 29, 2010


Costs of IT Compliance Remain High

Source: IT Policy Compliance Group, n=3,000; Seattle Post Intelligencer – www.seattlepi.com/boeing/sox/

Case study: Boeing Aerospace

• Failed SOX audit in 2004

• Spent $165M in 2005-2007 to resolve issues

• Root problem: inconsistent information security policies, procedures, and controls, including:

- Database and application patching

- Failed/missing controls

- Improper access rights

Chart: 2006 – 2008 Average Annual Regulatory Audit Spend (MM)

Page 10: Lunch and Learn: June 29, 2010


Automation Reduces Audit Costs and Improves Outcomes

* Based on a survey of 3,280 companies. Source: IT Policy Compliance Group

Automation increases audit frequency, which reduces risk

Chart: Months between assessments (0 to 7), least mature to most mature organizations

Mature organizations use automation to reduce costs by up to 54%

Chart: Relative spend on regulatory compliance (0% to 100%), least mature to most mature organizations; the most mature spend 54% less

Page 11: Lunch and Learn: June 29, 2010

IT Governance Risk and Compliance is a Complex Problem

ASSETS   CONTROLS   EVIDENCE

TECHNICAL CONTROLS
• Automatically identify deviations from technical standards
• Identify critical vulnerabilities (NEW)

POLICY (IMPROVED)
• Define and manage policies for multiple mandates with out-of-the-box policy content
• Map policies to control statements

PROCEDURAL CONTROLS (IMPROVED)
• Replace paper-based surveys with web-based questionnaires to evaluate whether policies were read and understood

REPORT (IMPROVED)
• Gather results in one central repository and deliver dynamic web-based dashboards and reports

REMEDIATE (IMPROVED)
• Remediate deficiencies based on risk via integration with popular ticketing systems

DATA CONTROLS
• Tight integration with Symantec™ Data Loss Prevention to prioritize assessment and remediation of assets based on value of data

3RD PARTY EVIDENCE (NEW)
• Combine evidence from multiple sources and map to policies

Page 12: Lunch and Learn: June 29, 2010

Symantec Control Compliance Suite

ASSETS   CONTROLS   EVIDENCE

TECHNICAL CONTROLS
• Symantec™ Control Compliance Suite Standards Manager
• Symantec™ Control Compliance Suite Vulnerability Manager (NEW)

POLICY (IMPROVED)
• Symantec™ Control Compliance Suite Policy Manager

PROCEDURAL CONTROLS (IMPROVED)
• Symantec™ Control Compliance Suite Response Assessment Manager

REPORT (IMPROVED)
• Symantec™ Control Compliance Suite (Infrastructure)

REMEDIATE (IMPROVED)
• Symantec™ ServiceDesk 7.0

DATA CONTROLS
• Symantec™ Data Loss Prevention Discover

3RD PARTY EVIDENCE (NEW)
• Symantec™ Control Compliance Suite (Infrastructure)

Page 13: Lunch and Learn: June 29, 2010

Symantec Confidential 13

Symantec Control Compliance Suite

Page 14: Lunch and Learn: June 29, 2010


Define and Manage Policies POLICY

Control Compliance Suite Policy Manager
• Automate the entire IT policy lifecycle to reduce cost and complexity
• Define policies with out-of-the-box policy content
• Assess coverage for regulations and best practices
• Automatic regulatory updates
• Map policies to control statements
• De-duplicate common controls across multiple regulations

Corporate Policies Lifecycle
1. Define
2. Review
3. Approve
4. Distribute
5. Track Acceptances/Exceptions
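The "map policies to control statements", "assess coverage" and "de-duplicate common controls" points above describe one mechanism: a many-to-many mapping from mandate requirements to control statements, so that a control is assessed once and the evidence satisfies every mandate it maps to. The following is an added worked example in Python, not Policy Manager code or content; the mandates, requirement IDs (PCI-8.2, SOX-ITGC-1 and so on) and control statements are constructed for illustration, and the greedy set-cover step is one reasonable way to find redundant controls, not the product's algorithm.

```python
"""Map control statements to mandate requirements, de-duplicate, report coverage.

Added example, not Symantec Policy Manager code. The mandates, requirement
IDs and control statements below are constructed for illustration.
"""
from collections import defaultdict

# Constructed requirements per mandate (IDs are illustrative, not real citations).
MANDATES = {
    "PCI": ["PCI-2.1", "PCI-8.2", "PCI-10.1", "PCI-6.1"],
    "SOX": ["SOX-ITGC-1", "SOX-ITGC-2", "SOX-ITGC-3"],
    "ISO": ["ISO-A.9.2", "ISO-A.12.4", "ISO-A.12.6", "ISO-A.8.1"],
}

# Control statements, each satisfying one or more requirements across mandates.
# CTL-PW2 duplicates CTL-PW's coverage and is the kind of control to retire.
CONTROLS = {
    "CTL-PW":  {"title": "Password policy enforced",
                "satisfies": {"PCI-8.2", "SOX-ITGC-1", "ISO-A.9.2"}},
    "CTL-LOG": {"title": "Audit logging enabled",
                "satisfies": {"PCI-10.1", "SOX-ITGC-2", "ISO-A.12.4"}},
    "CTL-DEF": {"title": "Vendor defaults changed", "satisfies": {"PCI-2.1"}},
    "CTL-PAT": {"title": "Patching within SLA", "satisfies": {"PCI-6.1", "ISO-A.12.6"}},
    "CTL-PW2": {"title": "Password policy enforced (legacy wording)",
                "satisfies": {"SOX-ITGC-1"}},
}


def requirement_index(controls):
    """requirement -> set of control IDs that claim to satisfy it."""
    idx = defaultdict(set)
    for cid, ctl in controls.items():
        for req in ctl["satisfies"]:
            idx[req].add(cid)
    return idx


def coverage(mandates, controls):
    """Per-mandate coverage percentage plus the requirements no control maps to."""
    idx = requirement_index(controls)
    report = {}
    for name, reqs in mandates.items():
        gaps = [r for r in reqs if r not in idx]
        pct = round(100 * (len(reqs) - len(gaps)) / len(reqs))
        report[name] = {"covered_pct": pct, "gaps": gaps}
    return report


def deduplicate(controls):
    """Greedy set cover over the mapped requirements.

    Returns (chosen, redundant): the controls to keep assessing and the ones whose
    requirements are already covered by others. Ties go to the lower control ID so
    the result is deterministic.
    """
    remaining = set().union(*(c["satisfies"] for c in controls.values()))
    chosen = []
    while remaining:
        best = min(controls, key=lambda cid: (-len(controls[cid]["satisfies"] & remaining), cid))
        chosen.append(best)
        remaining -= controls[best]["satisfies"]
    redundant = sorted(set(controls) - set(chosen))
    return chosen, redundant


def mandate_status(mandates, controls, results):
    """Propagate one pass/fail result per control to every mandate it maps to.

    A requirement passes if any mapped control passed, fails otherwise, and is a
    'gap' when nothing maps to it (assess once, report to many).
    """
    idx = requirement_index(controls)
    status = {}
    for name, reqs in mandates.items():
        status[name] = {}
        for req in reqs:
            if req not in idx:
                status[name][req] = "gap"
            else:
                status[name][req] = "pass" if any(results.get(c) for c in idx[req]) else "fail"
    return status


if __name__ == "__main__":
    # Constructed assessment results for one cycle.
    RESULTS = {"CTL-PW": True, "CTL-LOG": False, "CTL-DEF": True, "CTL-PAT": True}
    print(coverage(MANDATES, CONTROLS))
    print(deduplicate(CONTROLS))
    print(mandate_status(MANDATES, CONTROLS, RESULTS))
```

The `gaps` list from `coverage` is the audit finding a de-duplication pass must not hide: retiring CTL-PW2 is safe only because CTL-PW covers the same requirement, whereas SOX-ITGC-3 and ISO-A.8.1 have no control at all and stay unsatisfied regardless of how the other controls score.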

Page 15: Lunch and Learn: June 29, 2010

Policy-driven Risk and Compliance Management

CORPORATE POLICIES
• Malware
• Access Control
• Acceptable Use

Lifecycle: Create, Map, Distribute, Prove

Mapped mandates and frameworks: ISO, SOX, PCI, COBIT

• Evidentiary data feeds for technical controls
• Evidence for non-technical controls

Page 16: Lunch and Learn: June 29, 2010

Written Policy Management

Define Written Policy, Distribute, Demonstrate Coverage, Display Evidence

Page 17: Lunch and Learn: June 29, 2010


Automatically Assess IT Infrastructure TECHNICAL CONTROLS

Control Compliance Suite Standards Manager
• Improve visibility into IT risk and reduce compliance cost and complexity
• Automate assessment of technical controls to identify deviations or configuration drift
• Leverage best-in-class pre-packaged content
• Manage exceptions
• Flexible agent-based or agent-less data gathering options

1. Define Standards
2. Managed/Unmanaged Assets – Evaluate (agent and/or agent-less)
3. Analyze and Fix
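The Define Standards / Evaluate / Analyze and Fix loop above, as an added example in Python (not Standards Manager code or its pre-packaged content): a small standard of hardening checks, constructed collector output for three hosts of the kind an agent or agent-less gather would return, an exception register with expiry dates, and a drift comparison between two runs. The check IDs, setting names, host names and the exception are all hypothetical.

```python
"""Evaluate collected host settings against a technical standard.

Added example, not Symantec CCS code. The standard, hosts, collected
settings and exception register are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable


@dataclass(frozen=True)
class Check:
    check_id: str
    setting: str
    expected: Any
    test: Callable[[Any, Any], bool]   # test(observed, expected) -> passes?
    severity: int                      # 1 (low) .. 5 (critical)


# Hypothetical standard: a few settings a Linux server baseline would assert.
STANDARD = [
    Check("SSH-01", "sshd.PermitRootLogin", "no", lambda v, e: v == e, 5),
    Check("SSH-02", "sshd.PasswordAuthentication", "no", lambda v, e: v == e, 4),
    Check("SSH-03", "sshd.Protocol", 2, lambda v, e: v == e, 5),
    Check("PWD-01", "login.pass_max_days", 90, lambda v, e: v is not None and v <= e, 2),
    Check("PWD-02", "login.pass_min_len", 12, lambda v, e: v is not None and v >= e, 3),
    Check("LOG-01", "audit.enabled", True, lambda v, e: v == e, 4),
]

# Approved exceptions: (host, check) -> expiry date. Expired exceptions do not count.
EXCEPTIONS = {
    ("app-02", "SSH-02"): date(2010, 12, 31),   # hypothetical: jump host, password auth approved
}

# Constructed collector output. A missing key means the collector found no such setting.
HOSTS = {
    "app-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
               "sshd.Protocol": 2, "login.pass_max_days": 90,
               "login.pass_min_len": 14, "audit.enabled": True},
    "app-02": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
               "sshd.Protocol": 2, "login.pass_max_days": 365,
               "login.pass_min_len": 8, "audit.enabled": True},
    "db-01":  {"sshd.PermitRootLogin": "yes", "sshd.Protocol": 2,
               "login.pass_max_days": 90, "login.pass_min_len": 12},
}


def evaluate(hosts, standard, exceptions, today):
    """Return {host: {"score": pct, "deviations": [...], "excepted": [...]}}.

    A setting the collector did not return is treated as a failure, never as a pass.
    Excepted checks are removed from the deviation list (and so from the score) but
    are still reported, so an auditor can see what was waived and until when.
    """
    results = {}
    for host, settings in hosts.items():
        deviations, excepted = [], []
        for chk in standard:
            value = settings.get(chk.setting)
            if chk.test(value, chk.expected):
                continue
            expiry = exceptions.get((host, chk.check_id))
            if expiry is not None and expiry >= today:
                excepted.append(chk.check_id)
            else:
                deviations.append((chk.check_id, chk.setting, value, chk.expected, chk.severity))
        total = len(standard)
        score = round(100 * (total - len(deviations)) / total)
        results[host] = {"score": score, "deviations": deviations, "excepted": excepted}
    return results


def drift(previous, current):
    """Check IDs that passed (or were excepted) last run but deviate now."""
    return sorted({d[0] for d in current} - {d[0] for d in previous})


def worst_first(results):
    """Order hosts by their highest-severity deviation, then by lowest score."""
    def key(item):
        host, res = item
        top = max((d[4] for d in res["deviations"]), default=0)
        return (-top, res["score"], host)
    return [h for h, _ in sorted(results.items(), key=key)]


def assess(today_iso="2010-06-29"):
    """Run the constructed standard against the constructed hosts as of a given date."""
    return evaluate(HOSTS, STANDARD, EXCEPTIONS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = assess()
    for host in worst_first(report):
        print(host, report[host])
```

Two choices here matter more than the scoring: an absent setting fails rather than passes (a collector that cannot read `sshd_config` must not make the host look compliant), and exceptions carry an expiry so that re-running the same standard after the date turns the waived item back into a deviation, which `drift` then surfaces.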

Page 18: Lunch and Learn: June 29, 2010


Conduct Advanced Vulnerability Assessment TECHNICAL CONTROLS

Control Compliance Suite Vulnerability Manager
• Proactively prevent threats to critical assets and information
• Identify critical vulnerabilities in Web applications, databases, servers and other network devices
• More than 54,000 checks across 14,000 vulnerabilities
• Unique vulnerability "chaining" mechanism
• Unique risk scoring algorithm
• High performance 64-bit scan engine

Control Compliance Suite Vulnerability Manager chains together all vulnerabilities found to uncover new, hidden issues

Page 19: Lunch and Learn: June 29, 2010


Automatically Evaluate Procedural Controls PROCEDURAL CONTROLS

Control Compliance Suite Response Assessment Manager
• Replace costly, time-consuming manual processes
• Automate assessment of procedural controls
• Web-based questionnaires covering 60+ regulations and frameworks
• Assess via risk-weighted surveys
• Track responses: acceptances, exception and clarification requests

Survey workflow: administer survey, distribute via web to respondents, consolidate responses, analyze results

Page 20: Lunch and Learn: June 29, 2010


Identify and Prioritize Critical Assets DATA CONTROLS

Data Loss Prevention Discover
• Gain a better overview of compliance and security posture
• Use Symantec Data Loss Prevention Discover information to identify assets with critical data
• Prioritize these assets for controls evaluation
• Elevate hardening measures on these assets
• Show Control Compliance Suite and Data Loss Prevention data side by side to prioritize remediation efforts

Page 21: Lunch and Learn: June 29, 2010


Report on Risk and Compliance Posture REPORT

Control Compliance Suite (Infrastructure)
• Deliver relevant data to multiple stakeholders for better decision making
• Web-based dynamic dashboards and reports
• Integrate technical, procedural and data controls with evidence from external systems
• Select from multiple panel views and filtering options and drill down for granular details
• Low cost end-user deployment

Page 22: Lunch and Learn: June 29, 2010


Remediate Deficiencies Based On Risk REMEDIATE

Symantec ServiceDesk
• Improve IT risk posture by fixing the most critical deviations first
• Prioritize remediation efforts based on compliance and risk scores (quantify risk using CVSS)
• Provide detailed remediation instructions
• Automated integration with ticketing systems:
  − Closed-loop verification with Altiris™ Service Desk
  − Remedy™, HP Service Manager™

Page 23: Lunch and Learn: June 29, 2010

CCS and Policy Portal Demo

• Compliance Automation and Policy Management

Page 24: Lunch and Learn: June 29, 2010

Questions…

• Thank you!