Title: Fortify
The Benefits of Compliance Automation
Presented by Paul Duval, CISSP, Prevalent Networks
Agenda
- About Prevalent Networks
- IT Compliance Landscape
- Compliance Challenges and Pitfalls
- Benefits of Automation in Compliance
- Measuring Success
- Questions and Answers
About Prevalent Networks - www.prevalent.net
- Prevalent Networks is an information security technology company that works with the leaders in networking, security, and business continuity to deliver solutions that create "information anywhere, security everywhere".
- Founded in 2004 by Jonathan Dambrot and Norman Menz.
- Three segments:
- Security, Infrastructure, Availability (SIA)
- Compliance Advisory and Automation (CAA)
- Business Continuity on Demand (BCoD)
- Headquartered in Warren, NJ
- Regional sales offices in NY, MA, and PA
IT Compliance Landscape
- Then
- Self-imposed, internal IT function
- Ensure that systems were configured or patched properly.
- Now
- Driven by external regulations and requirements
- Demonstrate effective processes and controls across a broad range of areas.
- Demonstrate that due care is practiced
- Adhere to strong security and technology control practices
- Protect their own information as well as that of their customers.
- Compliance with not one but multiple regulations, with varying degrees of either redundancy or subtle distinction.
The Regulatory IT Compliance Landscape
Other Compliance Drivers
- Adherence to internal standards and policy
- New or changed legislation, e.g. MA Data Privacy
- Following industry best-practice frameworks:
- COBIT
- ISO 27000
- NIST, CIS, etc.
- Avoid bad press
- Improve operational efficiencies
- Improve security
- Whatever the drivers for compliance may be, there can be many challenges in implementing it and doing it well.
Compliance Challenges and Pitfalls
- Manual assessments
- Effectiveness
- Inadequate tools
- Scope and amount of information gathered
- Consistency and interpretation of results
- Reconciling silos of data
- Responsibilities scattered throughout the organization
- Reallocation of IT resources
- Frequency of review
Compliance Challenges and Pitfalls
- Many organizations struggle with compliance because they lack a basic policy structure:
- Lack of developed policies.
- Policies are not reviewed or updated with any frequency.
- Policies are not aligned with best practices or a controls framework.
- Policies are not known or understood.
- Policies are not enforced or monitored.
- Little or no exception management / risk acceptance process.
Compliance Challenges and Pitfalls
- Many organizations also struggle with the relationship between risk, information security and compliance:
- Risk assessments are not understood or performed.
- Risk and compliance are often managed as separate activities.
- They do not take a risk-based approach and focus priorities on higher-risk areas.
- Compliance is often treated as a one-time event to pass an audit.
Compliance Challenges and Pitfalls
- Manual assessments are burdensome and often fraught with problems:
- Lack of consistent results
- Difficult information gathering and reconciliation of data
- Information for management is not timely or accurate
- Reporting is often weak or non-existent with manual methods
Compliance Best Practices
- Manage compliance as an ongoing risk management program, not a one-time project.
- Perform frequent audits and continuous monitoring.
- Map to specific control statements in regulations or frameworks.
- Use it as a path to more effective business practices.
- Consistent, repeatable checks and results.
- Visibility into compliance posture.
- Automate where possible.
Who Needs Compliance Automation?
The May 2008 Annual Report on IT Governance, Risk and Compliance demonstrates that firms with mature compliance practices had consistently higher revenues than all other firms, much higher profits than all others, better customer retention rates, dramatically lower financial risks and losses from the loss or theft of customer data, significantly reduced financial impact from business disruptions caused by IT disruptions, and much lower spending on regulatory audit. www.ITpolicycompliance.com
Benefits of Compliance Automation
Automation saves time, money and resources. Running automated, scheduled checks of systems saves time, avoiding lengthy manual checks of individual servers against a plethora of configuration settings. Automated checks can be run frequently and on demand, fulfilling the continuous monitoring goal. Reports and dashboards save time by providing quick visibility into the compliance posture and any necessary remediation.
Benefits of Compliance Automation
- Automation saves money, reducing costs by providing one solution for compliance with multiple regulations, frameworks or standards rather than separate, one-off initiatives.
- Reduce redundant assessments and eliminate unnecessary controls.
- Provide consistency: ensure all systems are evaluated against the same standard.
- Repeatable and measurable.
- Enable non-IT stakeholders to participate and conduct technical and non-technical checks of controls against standards, reducing dependency on IT resources.
Benefits of Compliance Automation
- The key to effectively assessing and managing risk is to have a controls framework against which to measure.
- The best automated tools delineate the various regulations or frameworks and their associated control statements and allow companies to map their policies or control objectives to them, providing a clear landscape for the company to identify and proactively control its compliance.
- As regulations and frameworks change, automatic updates to the content provide ease of administration over existing efforts: COBIT 4.0 to 4.1, and PCI 1.1 to 1.2, for example.
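The three Benefits slides above describe what an automated tool does mechanically: run a scheduled check of a configuration setting, report that one check against the control statements of several frameworks at once, and keep a tracked exception (the risk acceptance process the Challenges slides say is so often missing) so an accepted failure is visible rather than silently ignored. The following Python is an added illustration of those mechanics and is not code from the Prevalent Networks deck or any product it describes. The control IDs (HARD-01 etc.), the framework clause references ("clause-X1"), the sshd_config-style sample and the exception register are all constructed placeholders, not real control numbering from PCI DSS, ISO 27000 or CIS.

```python
# Added example, not code from the Prevalent Networks deck. Control IDs, clause
# references, the sample configuration and the exception register are placeholders.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

# Constructed sample: an sshd_config-style fragment, not taken from any real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
LogLevel INFO
"""

def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; blanks and comments are skipped, keywords lower-cased."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            keyword, _, value = line.partition(" ")
            settings[keyword.lower()] = value.strip()
    return settings

@dataclass(frozen=True)
class Control:
    control_id: str                          # internal policy control (placeholder ID)
    statement: str                           # the control statement being tested
    check: Callable[[Dict[str, str]], bool]  # True when the configuration complies
    mappings: Dict[str, str]                 # framework -> clause reference (placeholders)

# One internal control satisfies requirements in several frameworks at once. A keyword
# absent from the file is treated as non-compliant (fail closed) so that it gets reviewed.
CONTROLS: List[Control] = [
    Control("HARD-01", "Direct root login over SSH is disabled",
            lambda s: s.get("permitrootlogin", "").lower() == "no",
            {"PCI DSS": "clause-X1", "ISO 27000": "clause-Y1"}),
    Control("HARD-02", "Password authentication is disabled in favour of keys",
            lambda s: s.get("passwordauthentication", "").lower() == "no",
            {"PCI DSS": "clause-X2", "CIS": "item-Z2"}),
    Control("HARD-03", "At most 4 authentication attempts per connection",
            lambda s: s.get("maxauthtries", "").isdigit() and int(s["maxauthtries"]) <= 4,
            {"PCI DSS": "clause-X3", "CIS": "item-Z3"}),
    Control("LOG-01", "SSH daemon logs at INFO or more verbose",
            lambda s: s.get("loglevel", "").upper()
            in {"INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"},
            {"PCI DSS": "clause-X4", "ISO 27000": "clause-Y4"}),
]

@dataclass(frozen=True)
class RiskAcceptance:
    approver: str
    reason: str
    expires: date  # an acceptance with no end date is not an exception, it is a gap

# Constructed exception register: HARD-01's acceptance has lapsed, HARD-03's is current.
EXCEPTIONS: Dict[str, RiskAcceptance] = {
    "HARD-01": RiskAcceptance("CISO (fictional)", "legacy jump host", date(2024, 1, 1)),
    "HARD-03": RiskAcceptance("CISO (fictional)", "vendor appliance limit", date(2031, 12, 31)),
}

def assess(settings: Dict[str, str], controls: List[Control],
           exceptions: Dict[str, RiskAcceptance], today: date) -> Dict[str, str]:
    """PASS / FAIL / EXCEPTION per control; an expired acceptance no longer hides a failure."""
    results: Dict[str, str] = {}
    for ctl in controls:
        accepted = ctl.control_id in exceptions and exceptions[ctl.control_id].expires >= today
        if ctl.check(settings):
            results[ctl.control_id] = "PASS"
        else:
            results[ctl.control_id] = "EXCEPTION" if accepted else "FAIL"
    return results

def rollup(results: Dict[str, str], controls: List[Control]) -> Dict[str, Dict[str, int]]:
    """Count outcomes per framework so one assessment reports against every mapped regulation."""
    summary: Dict[str, Counter] = {}
    for ctl in controls:
        for framework in ctl.mappings:
            summary.setdefault(framework, Counter())[results[ctl.control_id]] += 1
    return {fw: dict(counts) for fw, counts in summary.items()}

def run_sample(today: date = date(2025, 6, 1)):
    """Assess the constructed config as of a fixed date so the result is reproducible."""
    results = assess(parse_config(SAMPLE_CONFIG), CONTROLS, EXCEPTIONS, today)
    return results, rollup(results, CONTROLS)

if __name__ == "__main__":
    results, summary = run_sample()
    for ctl in CONTROLS:
        print(f"{ctl.control_id:8} {results[ctl.control_id]:10} {ctl.statement}")
    print(summary)
```

Two design points carry the slides' argument. The same four checks produce a PCI DSS view, an ISO 27000 view and a CIS view from one run, which is what lets a single assessment replace separate one-off initiatives. And an exception is only honoured while its expiry date is in the future, so re-running the assessment on a schedule (rather than once a year) is what surfaces the HARD-01 failure once its acceptance lapses. This illustrates the mechanics of such a tool; it is not a substitute for a maintained solution whose content is updated as frameworks change.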
Key Automation Areas
Benefits of Compliance Automation
- Automated solutions can also assist with non-technical checks of compliance, and can automate self-assessments for non-programmatic areas that have traditionally relied on paper-based or manual solutions, such as:
- Creation and dissemination of corporate policies or mandates
- Creating online questionnaires and workflows to measure acceptance of policies and standards
- Assigning risk-based weighting to questions and responses to properly identify and handle risk
- Online tutorials and quizzes that can fulfill training and awareness requirements
Non-Technical, Procedural Controls
- Utilize automation tools that offer the ability to quickly create content for new or changed legislation or frameworks:
- MA Data Privacy
- COBIT 4.0 to 4.1
- PCI 1.1 to 1.2
- Mandatory requirements for user awareness, training and testing
- Vendor compliance
- Policy acceptance and policy exception
- We have seen great results in compliance when technical and non-technical controls are combined.
- Overall compliance posture and visibility that is centralized.
Measuring Success
- Feedback from the organization
- Co-operation among groups
- Management feedback
- Establish a continuous process for improvement and for measuring effectiveness.
- Prioritize remediation based on organizational risk.
- Improved results!
Understanding the Role of Technology in Compliance Automation
- Compliance Reporting Technologies:
- Policy Development and Management
- Risk Assessment Modeling and Classification
- Policy-to-Compliance Mapping
- Automated Assessment and Reporting
- Exception Tracking
- Demonstrate that Policy is implemented as Practice
- Map organizational practice against Best Practice Frameworks
- What Reporting Technologies Cannot Do:
- Be the sole solution for compliance reporting
- Suggest policy; they cannot define it for you
Don'ts
- Do not try to roll your own compliance reporting solution; auditors will be suspicious of the results.
- Do not be afraid to track compliance exceptions; documented exceptions demonstrate proper due diligence.
- Do not treat compliance as an annual event; integrate it into business practice.
- Do not try to assume what an auditor will want to see.
- Do not use technology as a crutch.
- Compliance is not just to appease auditors; it can truly improve operations and security posture, and increase competitive advantage.
- Information Security and Compliance are business enablers!
Thank You!
www.prevalent.net