Seven Simple Steps that Slash the IT Audit Burden

Transcription

1 Seven Simple Steps that Slash the IT Audit Burden Maximizing your efficiency gains from McAfee Policy Auditor 5

2 Table of Contents Audit Fatigue 3 Tackle Tedium and Disruption 4 Step 1: Policy Definition 5 Policy definition with McAfee 5 Step 2: Policy Implementation and Policy Lifecycle Management 6 Policy management with McAfee 6 Step 3: Data Capture to Validate Policy and Configurations 7 Data collection with McAfee 7 Step 4: Monitoring, Issue, and Patch Management 9 Issue management with McAfee 9 Step 5: Measurement and Scoring 9 Measurement with McAfee 9 Step 6: Waiver Management 10 Waiver management with McAfee 10 Step 7: Reporting Against Key Mandates and Internal Policies 10 Reporting with McAfee 10 Consider the Distinctive Design Inside 11 Standards 11 Management efficiency 11 Security tool integration 11 Take Seven Simple Steps and Sustain Compliance 12 Estimate your savings 12 Get Started 12 About McAfee, Inc. 13

3 Although IT audits are inevitable and increasing they no longer have to be expensive. Auditing systems and system management technologies have matured. Now key control and validation processes can be integrated, streamlined, and automated. You can increase timeliness and accuracy of audit data while reducing IT audit effort, disruption, and cost. Audit Fatigue The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the highest levels of management now comfortably discuss IT controls and audit results. However, their quality expectations are rising. Where IT once performed audits annually, many now support quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies assessed, measured, and proven compliant. Broader scope means more complexity and more work. 50% 40% 30% 20% 10% 0% Ad-hoc Quarterly Semi-annual Annual More than 5,000 employees Less than 5,000 employees How often audits are conducted 1 In addition to being more frequent, audit demands have also become more specific. Audits must include granular information on controls, metrics, trend lines, and industry benchmarks. Yet over 51 percent of respondents in a recent survey used spreadsheets or no tools at all. 2 Already over-burdened IT and security teams struggle to collect, organize, and disseminate the required data. If administrators spend three to five hours each week supporting audits, that is a 10 percent tax against productivity. Further, more than half of larger organizations manage 10 or more regulations. Multiple regulations compound effort and complicate both policy and control decisions. 3 Manual data collection precedes manual consolidation of data into multiple graphical views that nontechnical executives and auditors can easily digest. No wonder there s an epidemic of Audit Fatigue. 1 Source: Internet Research Group 2, 3 Internet Research Group survey of 400 audit-related professionals, Audit Effectiveness, July

4 Automated workflow system Compliance/governance technology platform Predominantly spreadsheets to collect and organize audit Combination of tools listed above No specific tools 0% 20% 40% 60% Less than 5,000 employees More than 5,000 employees Type of automated tools organizations use to prepare reports 4 To minimize the operational and organizational toll of audits, McAfee Policy Auditor 5 brings together audit and systems security management processes. Through innovative technology and process integration, it reduces the number of tools required to audit accurately. IT teams can regain control over spiraling audit demands0 while delivering the visibility and accountability required for increasingly skeptical executives. A bonus: this increased efficiency and sustainability actually improves security. Repeatable, measurable controls built on best practices fulfill the intention of most governance and compliance initiatives: confidentiality, integrity, availability, and at least for Sarbanes-Oxley transparency. Tackle Tedium and Disruption At most sites, audits rival log reviews for on-the-job frustration. Administrators say I spent years training for this? and I have real work to do. However, with regulatory compliance penalties, they can t say No. For the purpose-built McAfee Policy Auditor, we decided to target audit and reporting inefficiencies directly. We considered each phase of the IT audit process and looked for steps that could be improved, eliminated, or converted to automation. The most susceptible activities were: Policy definition Policy implementation and lifecycle management Data collection to validate policies and configurations Monitoring, issue, and patch management Measurement and scoring to document non-compliance Waiver management Reporting against key mandates and internal policies 4 Source: Internet Research Group 4

5 Step 1: Policy Definition Most regulated organizations already have defined policies. The challenge comes from change. Users spend hours evaluating refinements in regulatory and industry guidance and then adjusting policies. Considerations include: Mapping vague, industry-specific paper policies and requirements into actionable technical controls and repeatable processes Policies must align across multiple inputs a single financial company might have SOX, GLBA, SB 1386, PCI DSS, and internal governance controls. Different experts have different interpretations, yet the resulting policies must be shown to match industry best practices for each regulation and fulfill the intent of governance committees Most IT and security teams do not have the expertise and confidence to define and maintain these policies without expensive consultants. The workload and costs increase as regulations expand and guidance becomes more complex. Policy definition with McAfee To reduce these variables, McAfee has made it easy to incorporate expert guidance and industry benchmarks within live technical controls. A wizard guides authoring and tailoring of benchmarks and policies. This wizard provides flexibility to match the policy definition models at different size organizations. You implement policies as a set of rules that activate specific checks on each system. Policy Auditor lightens the burden in several ways: Eliminates paper policies McAfee combines the actual text of a regulation or best practice document with the security checks used to measure its compliance. This detail provides context for each security check at every level of the policy. The human world of text documents and computer world of binary controls are now seamlessly integrated. Tailors content templates provided by McAfee experts As a quick-start baseline, McAfee provides content in the form of rules templates, called benchmarks, for key regulations and best practices (PCI DSS, SOX, GLBA, HIPAA, FISMA, ISO 27001, and COBIT). Each benchmark includes multiple rules, and an editor lets you easily tune recommendations to suit the specific needs and preferences of your business. Unlike IT administrators with systems to maintain, content developers from McAfee Avert Labs focus full time on analyzing regulations and developing rules and checks. They compare regulations with security best practices and test, document, and release appropriate controls in templates. They release updates as needed to keep content current. Import best practices Support for the SCAP (Secure Content Adaptation Protocol) family of protocols allows upload of authoritative benchmarks from sources such as the National Institute of Standards and Technology (NIST) and Red Hat. McAfee converts this XML input into editable policies, which you can then compare to your own. In this way, you can map policy violations to a range of industry standards, aligning your organization s controls with industry guidelines. If you decide to match the recommendations, the wizard helps you turn on or turn off the rules that activate specific checks. SCAP provides a set of open standards for defining benchmark checks and configuration settings, as well as an industry-recognized policy format. The SCAP protocols supported include: extensible Checklist Configuration Description Format (XCCDF) Open Vulnerability and Assessment Language (OVAL) Common Configuration Enumeration (CCE) Common Platform Enumeration (CPE) Common Vulnerabilities and Exposures (CVE) Common Vulnerability Scoring System (CVSS) 5

6 User rights management offers important control over policy authoring and other tasks throughout the policy life cycle Step 2: Policy Implementation and Policy Lifecycle Management Once you know the policies you would like to audit, you must consider the process and workflow around main-taining policies over time. Lifecycle management allows policies to respond to evolving threats, regulations, and risk postures. It also helps as you change the types and number of systems, their configurations and applications, and policies. For example, what if you needed to change password requirements from eight characters to six characters for all of your Windows, UNIX, and Mac systems? Which policies and which rules would you need to change? In addition, separation of duties requires an overlay of planning and role-based access controls. Unfortunately, each distinct step and interface provides an opportunity for data-entry error and inconsistent implementation. Policy management with McAfee McAfee helps you maintain an efficient, structured workflow throughout the policy lifecycle. In this way, you can gain your greatest operational savings, and boost your consistency. First, McAfee automates implementation of policies across systems. Policy Auditor 5 tightly integrates with the proven McAfee epolicy Orchestrator (epo ) single-agent, single-console infrastructure. You can: Easily group and manage systems to reflect risks and regulations Since different assets require different scans and assessments, you can build on Active Directory entries and epo system identifications to create tags and groups that include or exclude specific systems in audits With this model, it is simple to create specific profiles for classes of systems, usage types, or data types, then reorganize and update affected systems as policies change. You can organize these profiles by platform type, applications, function, geography, and even by regulation or policy. This approach improves the consistency of policy application while eliminating repetitive, error-prone system administration tasks. Support repeatable policy management Security policies are not carved in stone. Requirements, regulations, and standards evolve over time, and require a manageable, repeatable process for tailoring, reviewing, and publishing policy revisions. Policy Auditor provides the embedded workflow and roles-based access needed to manage this process cleanly. This ensures that audit results always reflect current business requirements. 6

7 New policies go into a received state. They can then be duplicated, edited, or tailored. As an option, a person other than the policy creator can be required to review the policy. It is then published. Old policies are archived. Separation of duties Large organizations strictly enforce who has access to what data, controls, and systems. For instance, the role of IT operations has different objectives than those of IT audit. IT operations main concern is maximum availability of its servers. IT audit s primary concern is to pass an upcoming audit. To satisfy the needs of both roles, McAfee has implemented an innovative model that makes the computer do the work. IT Operations simply sets the white-in and blackout scan windows for the systems using epo policies. IT audit then determines the policies to run and defines how the data currency parameters. Policy Auditor does the rest, making sure not to scan systems during peak usage hours. In addition, you can assign granular permission sets to the various roles to determine what they can and cannot do. For example, define who can create edit, view, or publish a policy; who can run an audit; who can view the results; and who can approve a waiver. Tabbed dashboards organize audits, waivers, benchmarks, and checks. Tabbed dashboards organize audits, waivers, benchmarks, and checks Deploy rules automatically Policy Auditor sends rules and updates through the epo agents and the Policy Auditor plug-in to targeted desktops, laptops, and servers. Four epo dashboards help you monitor status of the rollout. Step 3: Data Capture to Validate Policy and Configurations Audits are all about evidence. To prove compliance, data must be accurate, timely, and specific. However, data quality comes into question when different tools produce data in different formats. Furthermore, each auditor wants their unique information on their schedule, with data reflecting a consistent point in time. Given these demands, data collection has become labor-intensive. It can be tedious to find and decisively document the details you need on a large number of distributed systems. Where there are multiple data sources and interfaces, it takes manual collation: a painful model that does not scale well. Data collection with McAfee Policy Auditor replaces this manual process with several authoritative ways to verify enforcement of policy controls. Each of these options reduces the effort involved and builds confidence with external auditors. Ensure accurate checks System scans use the industry s most extensive check library to validate technical controls and assess the security state of common applications, such as Office, SQL Server, and Apache. Checks can document patch status, file permissions, and the active presence of mitigating controls, such as encryption and restricted file access. Audit heterogeneous and distributed hosts with a single process With Policy Auditor running on each system, including Windows, HP-UX, Linux, Solaris, and Mac OS X, it takes just one tool to generate data for each audit request. Leveraging tags and groups, the epo query and reporting engine can poll all the systems under review, capturing and time-stamping data without manual collation. 7

8 Schedule in advance or audit continuously Instead of manual, ad hoc polling, you can program automated scanning of any size group, implemented consistently by the agent using data currency thresholds and blackout windows. Careful scheduling increases the accuracy of data, reducing emergency data collection and rework. Although participants may change, the data and checks remain reliable. Tactically, scheduling helps limit network congestion and ensure timely data capture despite large numbers of systems. It also limits potential performance or process effects on business-critical servers. Blackout periods protect business processes Strategically, you strengthen the control environment with more frequent audits that automate riskbased controls. If there are control breakdowns or policy violations, you can detect them immediately to minimize risk of loss or damage. Use roles and dashboards to streamline analysis Each audit role network, system, and security operations; internal and external auditors; or senior managers can define and save custom dashboards. This flexibility lets multiple participants aggregate and view different sets of data. Dashboards simplify navigation between policies, checks, and system data, presenting data graphically where possible for better absorption. You can also share queries and data views with collaborators. Custom dashboards help you deliver pertinent data for each audience and enable immediate action 8

9 Sometimes, auditor requests may seem random. Dashboards help you guide the process. You can group and present specific controls that match policies, regulations, and security objectives. As everyone learns the details that matter, you can preempt requests for tweaked data by giving auditors read-only access to more extensive findings. Step 4: Monitoring, Issue, and Patch Management The previous steps have been necessary to put policy auditing in place. Using this infrastructure, you then need to identify and manage violations as they emerge, despite changes in systems and rules and the increasing diversity and complexity of infrastructure. Naturally, existing help desk operations and trouble ticketing systems play a central role in issue management. Your audit tools can help you find violations, prioritize remediations, and document the right details, but only if they can communicate with the people and systems that do these jobs. Issue management with McAfee Policy Auditor enables this step by scanning systems and generating data on rules, checks, audit status, and violations. It can also use epo for quick access to threat and system information as well as overall risk. Assess the damage quickly Web-based dashboard views let you drill down into specific tasks and click directly through to investigate noncompliant systems Transparently initiate and close trouble tickets Optional integrations generate tickets when an audit discovers a misconfiguration. They will later mark issues when resolved. Policy Auditor connectors support BMC Remedy and HP OpenView systems. Export data to remediation tools To guide remediation and patching. McAfee Remediation Manager and other SCAP-compliant systems can import audit and system scan result data Step 5: Measurement and Scoring The bar keeps rising. Audit teams, regulators, and governance committees are more perceptive and less patient after years of experience. Beyond data snapshots, they want to see trends and detect progress, as well as demonstrate parity with industry norms. Executives want data to let them adjust investments and manage risk more proactively as threats and policies evolve. IT audit teams can support these requirements by establishing practical metrics and time-stamped baselines that they can legitimately compare over time. The data should not only be accurate but presented in useful and actionable reports. Measurement with McAfee Once mitigating controls are in place, Policy Auditor becomes a measurement tool. You can initiate and maintain metrics by attaching numeric values to audit results. Each rule can have adjustable scores and weights. Customize scoring Guide attention by applying custom weighting to important sections of policy, ensuring that the most critical audit findings get the focus they deserve Link scores with risk Direct your organization s investment in protections by assigning criticality based on perceived asset value. Content guidance from McAfee includes an expert assessment of violations or rules that are likely to be most critical. Compare with industry best practice Templates help you measure compliance against ISO27001 and COBIT frameworks. After beginning with a broad, best-practices compliance program, most organizations can easily take a step back to measure themselves against more targeted standards, such as PCI DSS. 9

10 Step 6: Waiver Management The dynamic nature of compliance benchmarks and business infrastructure means that no group is ever 100 percent compliant. That is acceptable if you document and justify discrepancies, prevent abuse, and show you have a plan in place to manage your exceptions over time. This precision increases accountability, makes policies more accurate, and supports consistent implementation while enabling business workflows. Waiver management with McAfee McAfee allows you to assign waivers conveniently to individual systems, groups of assets, or policy rules. Control privileges Only users with appropriate authority can define, grant, and document waiver conditions Define flexible waiver conditions Exemption, exception, and suppression options let you determine how to handle a specific issue. For example, exemptions can prohibit audits during quarter-end processing on critical servers. Set expiration dates Waivers require a start and end date to automatically limit exposure Attestation Comments can be added to explain use of compensating controls and remind auditors why the non-compliance state was waived Step 7: Reporting Against Key Mandates and Internal Policies The most important deliverable from any audit is credible proof of compliance. You must offer this proof at multiple levels for different audiences and, ideally, support established processes and systems. However, manual redundant processes and their errors slow this final step. Costs rise as demands increase. Reporting with McAfee The advanced epo reporting system helps you easily find and aggregate data and present it in an infinite variety of reports. Reuse the role-based dashboards built previously to find and present data at different levels of abstraction, or build new reports from scratch. Save repeated queries and tasks Store common queries and create linked, automated tasks to repeat audits and reports with precision, easily show changes against audit baselines, and proactively generate updated data Create executive and auditor views Executives are primarily interested in compliance status; aggregate this information across business or operational units or sub-divide for greater relevance. Let auditors see information by specific regulation. Enable quick action Drill into dashboards and web-based reports for details and next steps Thrid Party Ticketing System McAfee Remedy Service Desk epo Ticketing Policy Auditor Agent Server epo Assets, Policies, Events Policy Auditor Content End Point McAfee Agent Scans to perform sent to agent Scan results sent back to server Policy Templates, Scheduled Scans, Audit Results Issues mapped to tickets PA Plug-in Policy Auditor takes full advantage of the epolicy Orchestrator infrastructure 10

11 Export to portals or reporting tools The XCCDF and OVAL standards allow you to integrate audit results data into existing auditor and executive portals. You can also transfer data through CSV, XML, HTML, and PDF formats. Consolidate audit and endpoint data Speed decision-making with scan and system information in the same report, including details like patch levels and countermeasures that are in place Distribute reports automatically For convenient, reliable notification, send full reports or just alerts on specific concerns via to predefined lists of users. Archive copies automatically for consistent reference points. Consider the Distinctive Design Inside With the market energy propelled by regulatory compliance, multiple commercial solutions address each of these seven steps separately. Some companies have deployed as many as six tools in their race to comply. However, it takes standards support, management efficiency, and security tool integration to make audit processes efficient, consistent, and convenient. Standards Through open standards, Policy Auditor lets you import industry best practices and benchmark guidance to inform policy definition. As you identify issues, you can export scan and audit results into your IT remediation and audit processes. Not just convenient, this transparency raises confidence in the relevance and utility of audit data. Policy Auditor supports SCAP, CSV, HTML, and PDF. Management efficiency Policy Auditor 5 integrates completely within the management console of epolicy Orchestrator. With 155 million users worldwide and a single deployment at over 5 million users, epo provides a rock-solid foundation for implementing and maintaining policy infrastructure. Four tabs within the epo console benchmarks, checks, audits, and waivers ease monitoring and navigation. Drilldown menus make it easy to act. The same epo System Tree used to manage systems for anti-virus is used to audit for policy compliance Advanced query and reporting help every audit participant locate and share critical information epo supports separation of duties with user rights management; audit teams can specify what the controls need to be and IT operations can select the reports. Seven unique permission sets, each with multiple rules, restrict access controls. You can segregate rights to modify, run, and view results. Use our examples or easily create your own. Automation and scheduling options increase consistency and reduce process burdens Through the single agent, single console design, each McAfee or third party product that uses epo extends the operational savings. You eliminate extra management agents and consoles and reduce learning, deployment, and maintenance costs. Security tool integration McAfee Total Protection for Endpoint and McAfee Total Protection for Data use the same epo infrastructure for their policy and function updates. Because of this single agent, audits can include system and data protection countermeasures as well as policy violations. (Note: McAfee Total Protection for Endpoint Advanced includes Policy Auditor for use on client workstations.) For example, epo can help enforce endpoint compliance to mandated security configurations, such as every system must have up-to-date anti-virus installed. Similarly, when you use Policy Auditor with McAfee Network Access Control, you can assess and enforce SCAP-based policies before granting network access. Should assets fall out of compliance while on the network, you can automatically quarantine them until they meet policies. 11

12 McAfee solutions leverage the same security and compliance tasks and processes, including reporting, to minimize the learning curve. By pulling from a single epo database, tools get consistent, up-to-date data. Third-party tools can integrate with epo s open interfaces to streamline operations further. Through these integrations, you gain a complete, reliable understanding on which to make decisions. You can efficiently consider both security and compliance activities within your standard procedures and prioritize the actions that minimize effort and maximize protection. Take Seven Simple Steps and Sustain Compliance At most organizations, compliance and security tools are multiplying irresponsibly as threats evolve. Through McAfee Policy Auditor 5 and its integration with epo, you can rein in implementation and management costs. You can exert control, despite increasing complexity, and avoid Audit Fatigue. Looking for proof? An Insight Express survey of epo and non-epo customers found that integrated security management results in a 44 percent reduction in IT costs and 36 percent improvement in efficiency. Large enterprises using epo reduced their total number of administrators by an average of almost 12 people. Estimate your savings When an organization can cut a dozen administrators with salaries of $100,000, their annual savings is $1.2 million dollars. Estimate your own savings through an ROI calculator created by Forrester: www. mcafee.com/us/enterprise/products/tools/ad/roi Get Started As a purpose-built product, Policy Auditor provides consistent, authoritative validation of compliance. Across the seven steps of auditing, you can meet audit requirements while minimizing cost and effort: 1. Policy definition Build and customize policies based on expert content, open standards, and industry benchmarks 2. Policy implementation and lifecycle management Eliminate manual efforts that threaten accuracy and tax IT and security teams 3. Data collection to validate policies and configurations Use one tool across systems for scheduled and continuous audits 4. Monitoring, issue, and patch management Simplify actions with custom dashboards and roles and open interfaces between tools 5. Measurement and scoring to document noncompliance Weight rules to match business realities and build meaningful metrics 6. Waiver management Use audit processes to accurately reflect workflow and reduce business disruption 7. Reporting against key mandates and internal policies Deliver efficient, relevant reports with automated data collection, display, and distribution Policy Auditor 5 introduces effective auditing of technical controls on top of the security and compliance management system of epo. This powerful combination, closely integrated to become a single tool, makes day-to-day audit operations straightforward. With each added audit cycle, regulation, and system, you can achieve greater economies of scale and efficiencies of operation. Learn more at 12

13 About McAfee, Inc. McAfee, Inc., headquartered in Santa Clara, California, is the world s largest dedicated security technology company. It delivers proactive and proven solutions and services that secure systems and networks around the world, allowing users to browse and shop the web securely. With its unmatched security expertise and commitment to innovation, McAfee empowers home users, businesses, the public sector, and service providers by enabling them to comply with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee, Inc Freedom Circle Santa Clara, CA McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the U.S. and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-mcafee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners McAfee, Inc. All rights reserved. 5921_wp_dtp_seven-steps-audit-burden_0309_v2