Fortify - PowerPoint PPT Presentation

Slides: 23
Provided by: pauld84
Transcript and Presenter's Notes

1
The Benefits of Compliance Automation
Presented by Paul Duval, CISSP, Prevalent Networks
2
Agenda
  • About Prevalent Networks
  • IT Compliance Landscape
  • Compliance Challenges and Pitfalls
  • Benefits of Automation in Compliance
  • Measuring Success
  • Questions & Answers

3
About Prevalent Networks - www.prevalent.net
  • Prevalent Networks is an Information Security
    technology company that works with the leaders in
    networking, security, and business continuity to
    deliver solutions that create "information
    anywhere, security everywhere."
  • Founded in 2004 by Jonathan Dambrot and Norman
    Menz.
  • Three segments:
    - Security, Infrastructure, Availability (SIA)
    - Compliance Advisory and Automation (CAA)
    - Business Continuity on Demand (BCoD)
  • Headquartered in Warren, NJ
  • Regional sales offices in NY, MA, and PA

4
IT Compliance Landscape
  • Then:
    - Self-imposed, internal IT function
    - Ensure that systems were configured or patched
      properly.
  • Now:
    - Driven by external regulations and requirements
    - Demonstrate effective processes and controls
      across a broad range of areas.
    - Demonstrate and practice due care
    - Adhere to strong security and technology control
      practices
    - Protect their own information as well as that of
      their customers.
    - Comply with not one, but multiple regulations,
      with varying degrees of either redundancy or
      subtle distinction.

5
The Regulatory IT Compliance Landscape
6
Other Compliance Drivers
  • Adherence to internal standards and policy
  • New or changed legislation, e.g. MA Data
    Privacy
  • Follow industry best practice frameworks:
    - COBIT
    - ISO 27000
    - NIST, CIS, etc.
  • Avoid bad press
  • Improve operational efficiencies
  • Improve security
  • Whatever the drivers for compliance may be, there
    can be many challenges with implementing it and
    doing it well.

7
Compliance Challenges and Pitfalls
  • Manual assessments:
    - Effectiveness
    - Inadequate tools
    - Scope, amount of information gathered
    - Consistency and interpretation of results
    - Reconciling silos of data
    - Responsibilities scattered throughout the
      organization
    - Reallocation of IT resources
    - Frequency of review

8
Compliance Challenges and Pitfalls
  • Many organizations struggle with compliance
    because they lack basic policy structure:
    - Lack of developed policies.
    - Policies are not reviewed or updated with any
      frequency.
    - Policies are not aligned with best practices or
      a controls framework.
    - Policies are not known or understood.
    - Policies are not enforced or monitored.
    - Little or no exception management / risk
      acceptance process.

9
Compliance Challenges and Pitfalls
  • Many organizations also struggle with the
    relationship between risk, information security
    and compliance:
    - Risk assessments are not understood or
      performed.
    - Risk and compliance are often managed as
      separate activities.
    - They do not take a risk-based approach and focus
      priorities on higher-risk areas.
    - Compliance is often treated as a one-time event
      to pass an audit.

10
Compliance Challenges and Pitfalls
  • Manual assessments are burdensome and often
    fraught with problems:
    - Lack of consistent results
    - Difficult information gathering and reconciling
      of data
    - Information for management is not timely or
      accurate
    - Reporting is often weak or non-existent with
      manual methods

11
Compliance Best Practices
  • Manage compliance as an ongoing process and risk
    management program, not a one-time project.
  • Perform frequent audits/continuous monitoring.
  • Map to specific control statements in
    regulations or frameworks.
  • Path to more effective business practices.
  • Consistent, repeatable checks and results.
  • Visibility into compliance posture.
  • Automate where possible.

12
Who Needs Compliance Automation?
The May 2008 Annual Report on IT Governance, Risk
and Compliance demonstrates that those firms with
mature compliance practices had:
  • consistently higher revenues than all other firms
  • much higher profits than all others
  • better customer retention rates
  • dramatically lower financial risks and losses from
    the loss or theft of customer data
  • significantly reduced financial impact from
    business disruptions caused by IT disruptions
  • much lower spending on regulatory audit
Source: www.ITpolicycompliance.com
13
Benefits of Compliance Automation
Automation saves time, money and resources. Running
automated, scheduled checks of systems saves time,
avoiding lengthy manual checks of individual servers
against a plethora of configuration settings.
Automated checks can be run frequently and on demand,
fulfilling the continuous monitoring goal. Reports
and dashboards save time by providing quick
visibility into the compliance posture and any
necessary remediation.
14
Benefits of Compliance Automation
  • Automation saves money, reducing costs by
    providing one solution for compliance to multiple
    regulations, frameworks or standards rather than
    separate, one-off initiatives.
  • Reduce redundant assessments; eliminate
    unnecessary controls.
  • Provide consistency: ensure all systems are
    evaluated against the same standard.
  • Repeatable and measurable.
  • Enable non-IT stakeholders to participate and
    conduct technical and non-technical checks of
    controls against standards, reducing dependency on
    IT resources.

15
Benefits of Compliance Automation
  • The key to effectively assessing and managing risk
    is to have a controls framework against which to
    measure.
  • The best automated tools delineate the various
    regulations or frameworks and their associated
    control statements and allow companies to map
    their policies or control objectives to them,
    providing a clear landscape for the company to
    identify and proactively control its compliance.
  • As regulations and frameworks eventually change,
    automatic updates to the content ease the
    administration of existing efforts:
    - COBIT 4.0 to 4.1, and PCI 1.1 to 1.2, for
      example.
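Slides 8, 11, 13 and 15 describe the automation pattern without showing it: consistent, repeatable checks, each control mapped to statements in several regulations or frameworks, an exception management / risk acceptance process, and a posture report. The script below is an added illustration of that pattern in Python; it is not Prevalent Networks' product or code. The control ids, the clause references ("ref-A", "POL-1"), the configuration keys, the host names and the exception register are all constructed placeholders, not real framework clause numbers.

```python
# Added illustration of a minimal compliance-automation engine (not the
# presenter's or Prevalent Networks' code).  All ids, clause references,
# config keys and hosts below are constructed placeholders.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

# Constructed sample: a flattened snapshot of one host's settings, as a
# collector script might gather from sshd_config, PAM and auditd.
SAMPLE_CONFIG = {
    "ssh.PermitRootLogin": "yes",
    "ssh.Protocol": "2",
    "password.min_length": 8,
    "password.max_age_days": 120,
    "audit.enabled": True,
}
# The same host after remediating the root-login and password settings.
HARDENED_CONFIG = {**SAMPLE_CONFIG, "ssh.PermitRootLogin": "no",
                   "password.min_length": 14, "password.max_age_days": 90}
SAMPLE_TODAY = date(2025, 1, 1)   # fixed "today" so every run is repeatable


@dataclass(frozen=True)
class Control:
    id: str
    title: str
    check: Callable[[dict], bool]
    frameworks: Dict[str, str]   # framework -> clause reference (placeholders)


CONTROLS: List[Control] = [
    Control("C-01", "Remote root login disabled",
            lambda c: str(c.get("ssh.PermitRootLogin", "yes")).lower() == "no",
            {"PCI": "ref-A", "ISO27000": "ref-B", "Internal": "POL-1"}),
    Control("C-02", "SSH protocol 2 only",
            lambda c: str(c.get("ssh.Protocol", "")) == "2",
            {"PCI": "ref-C", "Internal": "POL-2"}),
    Control("C-03", "Password minimum length >= 12",
            lambda c: int(c.get("password.min_length", 0)) >= 12,
            {"PCI": "ref-D", "ISO27000": "ref-E", "Internal": "POL-3"}),
    Control("C-04", "Password rotation <= 90 days",
            lambda c: 0 < int(c.get("password.max_age_days", 0)) <= 90,
            {"PCI": "ref-F", "Internal": "POL-4"}),
    Control("C-05", "Audit logging enabled",
            lambda c: c.get("audit.enabled") is True,
            {"PCI": "ref-G", "ISO27000": "ref-H", "Internal": "POL-5"}),
]


@dataclass(frozen=True)
class RiskAcceptance:
    """An approved exception: a failing control tolerated until `expires`."""
    control_id: str
    host: str
    expires: date
    justification: str


# Constructed exception register: one live acceptance and one that has lapsed.
ACCEPTANCES: List[RiskAcceptance] = [
    RiskAcceptance("C-03", "web-01", date(2030, 1, 1),
                   "legacy app rejects long passwords; MFA enforced instead"),
    RiskAcceptance("C-04", "web-01", date(2020, 1, 1),
                   "rotation deferred during migration"),
]


@dataclass(frozen=True)
class Result:
    control_id: str
    status: str   # "pass", "fail" or "accepted"
    note: str


def evaluate(config: dict, host: str, today: date,
             controls=CONTROLS, acceptances=ACCEPTANCES) -> List[Result]:
    """Run every control against one host's config, the same way each time."""
    results = []
    for ctl in controls:
        try:
            ok = ctl.check(config)
        except (TypeError, ValueError):
            ok = False   # missing or unparsable data is a failure, never a silent pass
        if ok:
            results.append(Result(ctl.id, "pass", ""))
            continue
        live = [a for a in acceptances
                if a.control_id == ctl.id and a.host == host and a.expires >= today]
        if live:   # a lapsed acceptance does not count; the control fails again
            results.append(Result(ctl.id, "accepted",
                                  f"until {live[0].expires}: {live[0].justification}"))
        else:
            results.append(Result(ctl.id, "fail", ctl.title))
    return results


def failing_controls(results: List[Result]) -> List[str]:
    return [r.control_id for r in results if r.status == "fail"]


def posture_by_framework(results: List[Result],
                         controls=CONTROLS) -> Dict[str, Dict[str, int]]:
    """Roll one set of results up into per-framework pass/fail/accepted counts,
    so a single assessment answers several audits."""
    by_id = {c.id: c for c in controls}
    report: Dict[str, Dict[str, int]] = {}
    for r in results:
        for fw in by_id[r.control_id].frameworks:
            bucket = report.setdefault(fw, {"pass": 0, "fail": 0, "accepted": 0})
            bucket[r.status] += 1
    return report


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        res = evaluate(cfg, "web-01", SAMPLE_TODAY)
        print(label, posture_by_framework(res), "failing:", failing_controls(res))
```

Running it prints the before/after posture for host web-01. Two design points matter for audit defensibility: a check that throws on missing or malformed data is recorded as a failure rather than a pass, and an acceptance is matched on host and expiry, so a lapsed exception puts the control back into the failing set on the next scheduled run. That is what makes the exception register evidence of due diligence rather than a permanent waiver.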

16
Key Automation Areas
17
Benefits of Compliance Automation
  • Automated solutions can also assist with
    non-technical checks of compliance, and can
    automate self-assessments for non-programmatic
    areas that traditionally have relied on
    paper-based or manual solutions, such as:
    - Creation and dissemination of corporate policies
      or mandates
    - Creating on-line questionnaires and workflows to
      measure acceptance of policies and standards
    - Assigning risk-based weighting to questions and
      responses to properly identify and handle risk
    - Online tutorials and quizzes that can fulfill
      training and awareness requirements

18
Non-Technical, Procedural Controls
  • Utilize automation tools that can offer the
    ability to quickly create content for new or
    changed legislation or frameworks:
    - MA Data Privacy
    - COBIT 4.0 to 4.1
    - PCI 1.1 to 1.2
    - Mandatory requirements for user awareness,
      training, testing
    - Vendor compliance
    - Policy acceptance and policy exception
  • We have seen great results in compliance when
    technical and non-technical controls are
    combined.
  • Overall compliance posture and visibility that is
    centralized.

19
Measuring Success
  • Feedback from organization
  • Co-operation among groups
  • Management feedback
  • Establish a continuous process for improvement
    and measuring effectiveness.
  • Prioritize remediation based on organizational
    risk
  • Improved results!

20
Understanding the Role of Technology in
Compliance Automation
  • Compliance Reporting Technologies:
    - Policy Development and Management
    - Risk Assessment Modeling and Classification
    - Policy Compliance Mapping
    - Automated Assessment and Reporting
    - Exception Tracking
    - Demonstrate Policy is implemented as Practice
    - Map organization practice against Best Practice
      Frameworks
  • What Reporting Technologies Cannot Do:
    - Serve as the sole solution for compliance
      reporting
    - They can suggest policy, but cannot define it
      for you

21
Don'ts
  • Do not try to roll your own compliance reporting
    solution. Auditors will be suspicious of the
    results.
  • Do not be afraid to track compliance exceptions.
    Exceptions demonstrate proper due diligence.
  • Do not consider compliance as an annual event;
    integrate it into business practice.
  • Do not try to assume what an auditor will want
    to see.
  • Do not use technology as a crutch.
  • Compliance is not just to appease auditors; it
    can truly improve operations and security posture,
    and increase competitive advantage.
  • Information Security and Compliance are business
    enablers!

22
Thank You!
www.prevalent.net