The NetIQ Risk & Compliance Approach

Transcription

1 Achieving Unified Compliance With NetIQ White Paper January 2006 Contents Unified Compliance Introduced...1 Unified Compliance Approach2 Implementing Unified Compliance With NetIQ...4 NetIQ s Methodology for Compliance & Risk Management...6 Sustaining a Successful Compliance and Risk Management Process...9 The NetIQ Advantage...11 Conclusion...12 With the widening focus on Information Security, organizations face a number of compliance requirements from state and federal agencies, customers and suppliers and even credit card companies. Having met the initial compliance requirements, organizations are just now coming to recognize the full significance and cost of their compliance programs. Setting up compliance and control processes has been time-consuming and labor-intensive for many organizations, creating a drag on the bottom line. Analysts estimate that spending for compliance programs will top $15 billion in This realization is driving the need for a single approach to multiple compliance drivers and the use of more automation. The term that is emerging is, Unified Compliance. This white paper takes a close look at the aspects of Unified Compliance that can be addressed with NetIQ solutions. With NetIQ, companies can implement and manage controls which make compliance programs sustainable and repeatable, while gaining visibility into sources of vulnerability and risk exposure. About NetIQ Corporation...13

2 THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time NetIQ Corporation, all rights reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Check Point, FireWall-1, Provider-1, SiteManager-1, and VPN-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, AppAnalyzer, Application Scanner, AppManager, AuditTrack, Chariot, ClusterTrends, CommerceTrends, Configuration Assessor, ConfigurationManager, the cube logo design, DBTrends, DiagnosticManager, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, End2End, Exchange Administrator, Extended Management Pack, FastTrends, File Security Administrator, Firewall Appliance Analyzer, Firewall Reporting Center, Firewall Suite, Ganymede, the Ganymede logo, Ganymede Software, Group Policy Administrator, immarshal, Intergreat, Knowledge Scripts, MailMarshal, Marshal, Migrate.Monitor.Manage, Mission Critical Software, Mission Critical Software for E-Business, the Mission Critical Software logo, MP3check, NetIQ, the NetIQ logo, the NetIQ Partner Network design, NetWare Migrator, OnePoint, the OnePoint logo, Operations Manager, PentaSafe, PSAudit, PSDetect, PSPasswordManager, PSSecure, Qcheck, RecoveryManager, Security Analyzer, Security Manager, Security Reporting Center, Server Consolidator, SQLcheck, VigilEnt, Visitor Mean Business, Vivinet, W logo, WebMarshal, WebTrends, WebTrends Analysis Suite, WebTrends for Content Management Systems, WebTrends Intelligence Suite, WebTrends Live, WebTrends Log Analyzer, WebTrends Network, WebTrends OLAP Manager, WebTrends Report Designer, WebTrends Reporting Center, WebTrends Warehouse, Work Smarter, WWWorld, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

3 Unified Compliance Introduced As the use of desktops, laptops, and the Internet, along with the volume of consumer data collected and stored, increased in the mid-to-late 1990 s there was a corresponding increase in legislative activity for safety and security. Although every company today has to deal with a certain amount of legislated acts, there are some industries, such as financial services, that have to contend with a large number of regulations. Over the past five years, there has been an explosion in terms of new regulations. Organizations across all industries have to meet a growing number of U.S. and International regulations such as the Health Insurance Portability and Accountability Act, Federal Information Security Management Act, and Basel II, which contains International Compliance requirements. The Sarbanes-Oxley Act, one of the most significant regulations in the recent past, has mandated management to establish and report on their control structure and states such as California have joined in with legislation that requires disclosure to customers when an organization loses their personal information. The term unified compliance was recently introduced by the IT Compliance Institute as a project to be the first independent initiative to exclusively support IT compliance management. The UCP [Unified Compliance Project] parses and reconstructs complex corporate regulations into a holistic IT compliance view. ( 1/16/06) At its heart is the concept of build once, use many to minimize the costs and difficulties of addressing multiple existing and future IT compliance requirements by a single organization. Achieving Unified Compliance With NetIQ 1

4 Unified Compliance Approach Build once means define and implement one set of Information Security controls, while use many means understanding how to report against those controls for each set of compliance requirements. There are several information security control frameworks available to help you get started: ISO17799 from the International Standards Organization in Europe, CobiT from the Information Systems Assurance and Control Association (ISACA), the IT Infrastructure Library, and the upcoming results from Unified Compliance Project. However, because these are attempts at universal control sets for organizations of all sizes, locations, and industries however, it will still be necessary to customize to meet your unique needs. The major challenges that customers face in these efforts include: Breaking-Down Regulations into Standards and Best Practices Most regulations today provide general overviews without providing detailed instructions on requirements, and checklists. For example, the Gramm-Leach-Bliley Act states that financial institutions must ensure the confidentiality and integrity of consumer information, but provides no specifics on how to achieve this. Customers need solutions that break down regulations into standards, best practices and policies. Administrators look for guidelines and best practices that add bulk and definition to vague regulation requirements. The frameworks mentioned above can provide assistance in this area, as well as guidance provided by regulatory agencies, industry associations, and consultants. To drill down even further and provide specific guidance on recommended system configurations, organizations such as Center for Internet Security (CIS) and National Institute of Science and Technology s Computer Security Resource Center (NIST CRCS). Automating Compliance Process to Make it Sustainable Organizations have spent huge amounts of money in meeting initial compliance requirements for Sarbanes-Oxley and other regulations. In order to make the whole compliance process repeatable and sustainable, companies need solutions that can automate IT control areas that when performed manually are time-consuming and error-prone. Implementing, Managing and Documenting Controls A compliance architecture supports the integration of controls into an organization by centralizing many IT controls and using technology to help enforce process controls. While there are areas of commonality across various standards and guidelines, the major controls can be grouped under three main categories. Organizational Controls Organizational controls can be thought of as activities such as budget processes, business strategy, organization charts, legal processes, and policies and procedures. These controls are part of the structure of the entire organization, not just part of IT and are often explicitly required by the regulations. 2 White Paper

5 Management Controls Management controls can be thought of as security processes such as risk assessment, continuity planning, incident response, and auditing/compliance reporting. They are more specific to IT than Organizational Controls, but apply to the governance of the entire IT environment. Most IT regulations will specify at least some of these controls. Technical Controls Technical controls can be thought of as specific IT procedures that ensure an organization s information is secure. They are very specific to the world of IT and often require specialized training to perform. Rarely are technical controls spelled out within a regulation it is left up to the organization and practioners to interpret what procedures to implement in order to achieve compliance. Examples of technical controls include encryption levels and key management, audit log management, identification and authentication, service level agreements, change control, intrusion detection, anti-virus, and many others. Achieving Unified Compliance With NetIQ 3

6 Implementing Unified Compliance With NetIQ IT compliance programs cover disciplines from physical security to HR processes, from system continuity planning to identification and authentication. Most information security controls frameworks have somewhere between 8 and 12 distinct domains, with some as high as 32. These domains can break down in to hundreds of controls an impossible range of coverage for any one vendor. Indeed, many of the controls are process oriented, requiring no additional technology. However, some controls are extremely labor intensive, and almost impossible to perform manually. NetIQ offers the broadest range of automated compliance solutions. Some specific examples of controls we can help you implement and automate are explored below: Policy Management (Organizational Control) It is important that all areas have documented policies and procedures. In addition, organizations need to ensure that policies are approved by management, and communicated to appropriate employees. And for the auditors and lawyers, you need to be able to prove that employees received and understood the policies and procedures that apply to them. With NetIQ VigilEnt Policy Center, organizations can easily document and distribute policies and procedures through your intranet. Over 1400 security policies and standards will help you create new or update existing policies In addition, tracking and reporting ensures that the required individuals have reviewed and approved the documentation. Finally, electronic signatures and quizzes ensure that employees have been properly trained. IT Compliance Reporting (Management Control) It is not enough to perform all of these activities, processes, and procedures of course. You must also coherently report your results to management, internal and external auditors, and other applicable third parties. At the highest levels, management will want to know simply, are we in compliance?, but of course others will want more detail about compliance levels for particular sections of the regulation or compliance across different regulations. This is where the concept of unified compliance becomes critical in building and sustaining a cost-effective compliance program. The NetIQ Risk and Compliance Center solution aligns security metrics gathered from your IT systems to demonstrate compliance with one or more IT-related policies and regulations. It displays those metrics in a powerful yet easy-to-understand, web-based dashboard for compliance management. This solution also analyzes IT risk factors such as compliance exceptions and vulnerabilities across the key areas of your business. Segregation of Duties (Management Control) IT managers need to meet a key regulation that requires the separation of job functions to ensure that no can commit and cover up fraud or a security breach. For example, it is important to put checks in place that would not allow a person creating a purchase order to be the signing authority. With NetIQ products, IT managers can segregate key functions such as configuration management, configuration policy setting, system auditing, and vulnerability assessment. NetIQ extends Active Directory capabilities to ensure that users and administrators have only the privileges they need to do their jobs. Administrators can segregate the duties of configuration assessment, policy writing, compliance reporting, and remediation by performing these tasks within NetIQ Vulnerability Manager and relying on its granular access control. 4 White Paper

7 Log Management (Technical Control) All IT regulations mandate directly or indirectly the collection, review, and storage of audit logs to have a record of system events, user activities, and transaction processing. Log consolidation and analysis is a must in today s regulated, litigated, risky world. By consolidating and analyzing event logs to a central repository, administrators can ease the burdens associated with log management across heterogeneous environments. NetIQ solutions ensure that proper audit log settings are enabled throughout. With NetIQ Vulnerability Manager, IT managers can schedule regular assessments to check that the appropriate audit log settings are enabled across all major server platforms in one report, and automatically distribute the report to the appropriate individuals. Entitlement Reporting (Technical Control) IT organizations have controls on entitlement reports, which are lists of who has access to what resources. These reports are extremely difficult and time consuming to produce manually. In addition, most organizations don t have an up-to-date repository of personnel reporting structures that can be used in an automated way. By automating key functions with NetIQ solutions, IT managers can easily manage entitlement reports and electronically distribute them to management, and disable stale and suspicious accounts. NetIQ solutions enable customers to regularly review users with advanced privileges across all systems in a single report. With NetIQ Vulnerability Manager, IT organizations get a single report of administrator accounts across Windows, UNIX, Linux, iseries, SQL, Oracle and IIS. Change Control (Technical Control) IT organizations are required to record and manage all the changes to a computing and business environment. While most organizations are at least documenting and routing change requests through a Help Desk ticketing system, they usually limit their definition to software and hardware upgrades. Often not part of the formal change control process are important sections like Group Policies, User Access Privileges, and Configuration Settings. NetIQ Change Control & Audit solutions assure that you can authorize, verify, audit and monitor changes across your IT environments. Through an automated approach, IT change management processes are reinforced with the knowledge and confidence that only authorized and intended changes have been implemented. With support for best practices, such as ITIL and COBIT, NetIQ Change Control & Audit solutions enable you to more easily comply with leading regulations such as Sarbanes-Oxley and HIPAA NetIQ Security Solutions enable managers to monitor for configuration changes and unauthorized access attempts. NetIQ Vulnerability Manager enables IT organizations to regularly run reports on system configurations. The solution performs a vulnerability assessment and policy scan on a system before it is placed into production, and schedules regular scans to detect unauthorized changes. This can be linked to NetIQ Security Manager for real-time alerting on system changes or to monitor certain files for unauthorized changes. Achieving Unified Compliance With NetIQ 5

8 NetIQ s Methodology for Compliance & Risk Management NetIQ delivers compliance and risk management solutions with embedded knowledge coming from years of experience and hundreds of customer deployments. NetIQ solutions enable companies to successfully automate and apply the right controls to their environment and report on regulatory compliance in the most cost effective manner. Unlike other products that focus on just one area of IT compliance, NetIQ solutions help customers achieve multiple compliance and risk objectives. NetIQ has defined a three-stage methodology for compliance and risk management. This methodology is largely based on principles from leading compliance and risk management frameworks such as COSO s Enterprise Risk Management Integrated Framework3, ISACA s Control Objectives for Information and Related Technology (COBIT), the National Institute of Standards and Technology (NIST) risk management framework (based on numerous Special Publications and Federal Information Processing Standards), and others. Enhancing these frameworks and models, NetIQ s methodology provides the flexibility to fit almost any process that has been implemented by an organization. Assess The assess stage is characterized by three primary activities: 1. Inventory and Prioritize Systems Some organizations have begun to effectively manage their IT inventory, using such practices as ITIL configuration management and a corresponding configuration management database (CMDB). NetIQ Vulnerability Manager supports the prioritization of assets based on their importance to the business. For example, NetIQ Vulnerability Manager can update an inventory system with the latest service packs, hot-fixes, and applications. 2. Grade Compliance to Standard Baselines A critical component for compliance programs is the assessment of systems against a defined set of security standards. For example, many organizations adopt benchmarks based on generally accepted practices, such as the benchmarks from the Center for Internet Security. By combining scores with the asset importance levels, NetIQ Vulnerability Manager provides reliable risk-based compliance metrics. 3. Identify Vulnerable & Exploited Systems Another critical component is the identification of systems with vulnerabilities. Policies usually mandate protection against known vulnerabilities and threats. NetIQ Vulnerability Manager goes beyond traditional network vulnerability assessment products by providing exceptionally accurate identification of vulnerabilities as well as the identification of already exploited systems. NetIQ Vulnerability Manager employs a highly accurate and scalable method without flooding the network with malformed packets and other noise. 6 White Paper

9 Operate The operations stage is characterized by monitoring, but also includes the practice of incident management. The activities for the operate stage are directly supported by NetIQ Security Manager, a rules-based enterprise-class security incident and event management solution. The operate stage is characterized by three primary activities: 1. Efficiently Review Security Logs & Events NetIQ Security Manager provides the consolidation of security and other logs from critical servers and devices, such as Windows, UNIX, Linux, and iseries servers as well as network devices. It then enables summary reporting, online analysis (via OLAP), and robust query capabilities for the data warehouse of log files that it creates and maintains. In doing so, customers can reduce the time for reviewing log files from hours to minutes, and meet or exceed many regulatory requirements. 2. Detect Threats, Changes & Policy Violations Changes and policy violations can significantly compromise the security of systems, exposing them to risks or directly causing performance problems. NetIQ Security Manager provides the automated detection of security events and incidents, such as potential intrusions, system changes, and policy violations. 3. Manage Security Incidents NetIQ Security Manager supports rapid incident response and tracks security alerts through resolution. For example, Security Manager improves response and resolution times by making security logs accessible and easily queried, and tracks security events and alerts through response steps, such as acknowledgement. In addition, NetIQ Vulnerability Manager supports incident response by providing configuration data to the response team. It simplifies comparison of critical servers and workstations and provides reporting capabilities which are highly effective during incident investigation. Control Effective controls ensure compliance with mandates and regulations, and manage the risks associated with information and related technologies. The control stage seeks to implement preventive controls where possible, as dictated by policies and other guidance, or corrective controls. The control stage is characterized by three primary activities: 1. Educate Employees & Improve Awareness VigilEnt Policy Center provides role-based distribution of policies, standards and other documents. For example, VigilEnt Policy Center can distribute Windows hardening standards to all Windows administrators, based on their membership in specified containers in Active Directory. It can also require those administrators to digitally sign the document, agreeing to abide by or enforce the standards. Exception reports help compliance managers target areas of need, enabling them to cost-effectively improve awareness. Achieving Unified Compliance With NetIQ 7

10 2. Enforce Configuration Standards NetIQ Vulnerability Manager provides the information to know exactly where and how to remediate compliance exceptions and vulnerabilities. Through NetIQ Security Manager and AppManager, NetIQ Vulnerability Manager also feeds assessment results into existing processes and tools for remediation via operations staff. 3. Implement Compensating Controls NetIQ Security Manager can be used to monitor the service account for changes, interactive logins, and other suspicious activities. NetIQ Vulnerability Manager can routinely assess the service accounts for the ability to login interactively, for the strength of their existing passwords, for other privileges and so on. In doing so, organizations can properly address the risks presented by service accounts when they cannot be brought into compliance. Technical 8 White Paper

11 Sustaining a Successful Compliance and Risk Management Process In order to maximize compliance and improve their overall security level, IT organizations should implement comprehensive solutions that help understand and mitigate risks, along with meeting the requirements across all applicable regulations. By performing risk assessment to prioritize implementation of security controls, companies can plan a successful compliance program that is well integrated with existing processes and organizations. During the implementation phase, it is important to have the right resources in place. For example, understaffed, under-skilled teams will lead to time and budget overruns, incorrect implementations, and possibly increased security risks. Companies must also keep security requirements aligned with performance and availability requirements, and create documentation for varying levels of employees within the organization. With a process-oriented approach, companies can anticipate potential problems and devise the right solution to meeting regulations successfully. By implementing key controls, companies can create checks and standardize best policies to minimize risks while meeting compliance requirements easily, and in a sustainable manner. To be effective, assessments should be performed routinely, such as once a month, and be automated. A truly successful risk management solution needs to meet technical requirements of the IT security administrator and business requirements of auditors and the management of the company. In order to implement a sustainable and repeatable compliance program an objective of most compliance and risk management programs organizations must be able to measure progress. Metrics come in many varieties, but ultimately must illustrate compliance to regulatory requirements and other business drivers as well as demonstrate managed risk. Some customers who have successfully managed risk management and compliance programs with NetIQ solutions include: Red Robin Red Robin is a casual dining restaurant chain with over 250 locations across the United States and Canada, is relying on NetIQ solutions to meet auditing requirements for Sarbanes-Oxley while successfully and securely monitoring its network. By automatically collecting all the log information with Security Manager, the company has been able to save two full days that an employee would spend reviewing logs for Sarbanes-Oxley compliance. Our NetIQ systems and security management solution has enabled us to automate daily administrative duties and also ensure a high level of security. ----Bill Randall, director, MIS Infrastructure, Red Robin Beverly Healthcare Beverly Healthcare, with headquarters in Fort Smith, Arkansas, provides long-term care for the elderly. By deploying NetIQ s Security Management and Operational Change Control solutions, Beverly Healthcare has streamlined its IT department. With NetIQ Directory and Resource Administrator, Beverly Healthcare is effectively managing IT security and resource policies across the company. NetIQ VigilEnt Policy Center has helped Beverly Healthcare centralize policy creation, while efficiently managing audits. Beverly Healthcare is also relying on NetIQ Security Manager to protect the company against intrusions and aggregate data for Sarbanes-Oxley compliance. Achieving Unified Compliance With NetIQ 9

12 With VigilEnt Policy Center, for the first time we have a comprehensive product that allows us to organize and compile all our policies in one location. Whether it is proactively looking at compliance issues or staying on top of expiration dates, we can efficiently address any issue. --- David Valcik, vice president of IT for Beverly Healthcare 10 White Paper

13 The NetIQ Advantage NetIQ s unique Knowledge-Based Service Assurance strategy embeds intelligence into the software, enabling customers to assure the highest levels of service for critical enterprise applications. NetIQ s best-of-breed solutions for Security Management, Configuration & Vulnerability Management, Performance & Availability Management and Operational Change Control enable customers to apply distinct, but interrelated service assurance processes to effectively manage any IT environment. No other company can offer you such a complete set of solutions to meet your compliance needs. NetIQ Security Solutions NetIQ's Security Management solutions deploy quickly and easily with built-in knowledge of today s major compliance issues to ensure effective protection from, and response to, security-related threats, consolidation and analysis of audit logs, compliance with configuration standards, communication of written policies. NetIQ solutions reduce the time required to identify and resolve security threats. Integration and sharing of data across the product line enables you to implement a single set of security controls while easily reporting across multiple sets of requirements. NetIQ Risk & Compliance Center aligns security metrics gathered from your IT systems to demonstrate compliance with IT-related policies and regulations and displays them in a customizable web-based dashboard. NetIQ Vulnerability Manager provides a fully integrated solution across a broad range of platforms. NetIQ Vulnerability Manager provides enterprise-class compliance for policies and standards, vulnerability identification and remediation of non-compliant configurations, services and user accounts. NetIQ Security Manager consolidates event management of best-of-breed security products into a central security console. This enables real-time notification, automated response, loganalysis and workflow management for suspicious activities. VigilEnt Policy Center Provides built-in expertise with more than 1,400 out-of-the box security policies and best practice standards that enable you to create, review, publish online, update and track compliance across the enterprise saving hundreds of hours of effort. NetIQ s Operational Change Control Solutions NetIQ's Operational Change Control solutions enable you to administer, secure and audit operational changes to Active Directory and Group Policies with ease. Not only do NetIQ solutions ensure that changes are authorized and approved, you can also identify unauthorized and high-profile changes and delegate administration to match business service standards. Additionally, Group Policy changes can be implemented across the enterprise thoroughly and securely by performing offline analysis prior to implementation. NetIQ Change Guardian for Active Directory product minimizes the risks associated with changes to Active Directory by assuring that changes to the production Active Directory environment are authorized, monitored, verified and audited through implementation. Directory and Resource Administrator provides advanced delegation and robust, policybased administration capabilities that improve the security and efficiency of a Windows environment and can assist in meeting regulatory requirements. Achieving Unified Compliance With NetIQ 11

14 NetIQ Group Policy Administrator is the industry s leading solution for planning, managing, troubleshooting and reporting on Group Policy. NetIQ Group Policy Guardian delivers complete real-time monitoring and alerting for Active Directory Group Policy, enabling administrators to quickly identify, verify and track Group Policy changes while capturing changes in an auditing database. NetIQ s Performance and Availability Solutions Use NetIQ solutions to monitor the performance and availability for systems and applications, identifies and resolves problems affecting service level availability, and provides SLA reporting. NetIQ AppManager Suite enables IT organizations to meet service level commitments while maximizing staff efficiency. Industry-leading components of the AppManager Suite provide deep diagnosis, advanced analysis and reporting, and IT performance management across Windows, Unix and Linux systems and applications. Key components of the suite include: AppManager Analysis Center turns data into actionable knowledge, enabling effective management of services, business/infrastructure applications and elements. AppManager Performance Profiler continuously profiles an environment's changing characteristics, automatically managing monitoring thresholds and sending trusted alerts when it detects abnormal behavior. AppManager Diagnostic Console provides a central, easy-to use console for viewing and managing critical server and application resources across the enterprise. Conclusion Although the growing number of compliance requirements and regulations can seem daunting, companies can systematically meet these requirements without impacting their bottom-line. Realizing that regulatory and policy compliance is an ongoing process, IT organizations are focusing their efforts on finding the right risk management program that provides the standards and best practices to make the process repeatable. Companies need to focus on managing and implementing controls to meet and manage regulations and risk management programs. Industry-leading NetIQ solutions are helping companies worldwide to manage risk management programs and to meet key regulations while aligning IT processes with key business goals. 12 White Paper

15 About NetIQ Corporation A World Leader in Systems and Security Management, NetIQ delivers business-critical solutions to assure, analyze and optimize the performance, availability and security of your IT infrastructure. Only NetIQ supplies the best-of-breed tools you need to Work Smarter to manage and secure your critical infrastructure investments, such as servers, databases, web sites, , voice and video and mission-critical applications. Not only can we help you customize and refine your Systems Management and Security Management controls to fit your particular environment, but we can also provide critical insights into your web site performance. Focused on providing you with the competitive advantage necessary to survive and thrive in today s chaotic business environment, NetIQ offers a complete range of easy-to-deploy, cross-platform solutions from our industry- and market-leading Windows Systems Management solutions to our solutions for Linux and UNIX; and from our integrated Security Management products to our awardwinning WebTrends Web Analytics tools. NetIQ counts more than 4,000 of the world's leading enterprises as key customers. In addition, our partnerships with industry leaders, such as Microsoft, IBM, HP and Dell, give NetIQ a unique advantage in the global marketplace. With customer-proven solutions and strong relationships, NetIQ delivers the tools you need to reduce your risk and deliver value from day one. To learn more about NetIQ, visit us online at Achieving Unified Compliance With NetIQ 13