Introduction to QualysGuard IT Compliance SaaS Services. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Transcription

1 Introduction to QualysGuard IT Compliance SaaS Services Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

2 A Unified and Continuous View of ICT Security, Risks and Compliance Device & Application Security The QualysGuard Cloud Platform and suite of integrated applications allows enterprises to discover and catalog all IT assets, and provides them with a continuous view of their security and compliance posture on a global scale. Benefits Fully automated continuous asset discovery, security & compliance assessments. Up-to-date security intelligence with no software to install and maintain. 2

3 A Unified and Continuous View of ICT Security, Risks and Compliance IT-GRC Automation The QualysGuard Cloud Platform and suite of integrated applications automates the collection of security and compliance data with customizable policies, questionnaires and workflows, helping organizations to automate and expedite compliance Benefits Automated & Agent-less compliance auditing supporting multiple regulatory mandates. Customizable questionnaires and business workflows to evaluate controls, gather evidence & validate compliance. Seamless integration with enterprise GRC solutions. 3

4 QualysGuard SaaS Applications Enterprise SMB Freemium Services QualysGuard On Demand Portal Analyze Comply Monitor Prevent Vulnerability Mgmt. Web App Scan Malware Detection SSL Labs Zero days analyzer Policy Compliance PCI Compliance Qualys Seal SCAP / FDCC Compliance Mgmt* Web Application Logs Botnet Detection* Web App. Firewall* QualysGuard SaaS Technology Platform Scanners & Collectors Open APIs, Web Services & Integrations

5 QualysGuard Suite of Security & Compliance Applications 5

6 Qualys Policy Compliance Management Audits and documents compliance against external regulations & company internal policies Supports major security frameworks & regulations Controls library pre-mapped to frameworks such as CIS, COBIT, ISO27001:2005, HIPAA, ITIL, etc. Agent-less 100% SaaS controls over 50 platforms User defined controls for Win/Unix

7 QualysGuard Policy Compliance Module Introduction Government Regulations National Legislation International Legislation Industry Regulations PCI-DSS BASEL II SOX Company Security Polices Global Company Security Policy Internal Security Standards Regulations & Corporate Objectives COBIT 4.0/4.1 CIS NIST-SP Control Objectives based on Frameworks & Standards ISO 17799/27001 Non-technological Physical Security Controls Personal Security Controls ICT-technological OS Configuration Controls Application Access Controls Process Controls Change Mgmt Controls HR Recruit Controls Set of relevant IT Controls & Specific Polices

8 QualysGuard Policy Compliance Policy Compliance process lifecycle workflow External & Int. company Security Policies OS and Application Security Standards Map to QG Compliance Controls Catalogue Create/Manage Exceptions Company sec. policy structure Create Policies Based on Compliance Needs Create Compliance Policy Reports Assign Policy To Relevant Assets Compliance Scan

9 QualysGuard Policy Compliance Compliance Categories, Frameworks and Technologies Compliance Categories Security Management Authentication Access Control Services Network Security Antivirus/Malware Integrity/Availability Application Control Encryption Technologies Win XP, Vista, Windows 7, Win2000, 2003,2008 Server, RedHat, SUSE, CentOS, AIX, HPUX, Solaris, VMWare ESX Oracle, Ms SQL, CISCO,... Frameworks CIS, COBIT 4.0/4.1, ISO / 27002:2005, NIST SP800-53, ITIL 2,3 Compliance Regulations PCI-DSS, HIPAA, FFIEC, SoX 440 via Cobit mapping

10 QualysGuard Policy Compliance Control anatomy and categorization

11 Customizable Questionnaires for PC Beta available Custom Questionnaires Enables customers to easily build questionnaires using the Unified Compliance Framework (UCF), as well as leverage existing business process workflows to evaluate controls, gather documents and evidence and validate compliance. Benefits Automation of manual assessments Ability to define/customize audit work flow Industry leading policy repository of nearly 1000 standards and regulations via UCF 11

12 Qualys PCI-DSS Compliance PCI Council ASV certified Used by 65% of ASVs and 49% of QSAs certified companies Automates PCI Compliance Periodic network discovery scans Periodic external scans for vulnerabilities Complete annual Self-Assessment Questionnaire Generates proof of PCI Compliance & attestation to submit to acquiring banks Delivers full ASV service ASV certified quarterly reports ASV support and insurance False-negative priority handling

13 QG PCI Compliance module Introduction PCI DSS = Payment Card Industry Data Security Standard QualysGuard PCI is certified by PCI Council with cert. number PCI for Merchants portal GUI PCI for Acquiring Banks portal GUI QualysGuard PCI deployment fully accepted by QSA and Card Brands From 161 certified PCI QSA 79 uses Qualys (49%) From 147 certified PCI ASV 98 uses Qualys (67%) customers is testing IPs for PCI-DSS compliance

14 QG PCI Compliance Workflow Qualys provide full ASV service: Network mapping & Vulnerability scanning attestation ASV Scan Final Certification report (Executive and Technical) PCI Self Assessment Questionnaire ASV insurance ASV support

15 QG PCI Compliance GUI

16 QG PCI Interactive Reporting (Web 2.0)

17 QG PCI - SAQ

18 QG PCI Compliance SAQ - Import Evidence Capability Users can now upload and attach evidence to support SAQ validation in multiple formats including PDF, ZIP, DOC and images Same evidence file can be attached to multiple questionnaires' and requirements

19 PCI Report Templates Downloadable & Online

20 QualysGuard PCI - Acquiring Bank GUI Compliant Questionnaire and No Scan Consolidated view of all Merchants and their Compliance Status regardless of Qualys Partner Submit Date and Next Due Date available by clicking Compliance Details Download Questionnaire Report Download Report on all Merchants C O N F I D E N T I A L 20

21 Free SSL Lab Audit Service Audit implementation of SSL protocol on you Web Certificate Validity and Trust SSL Protocol version support Encryption Cipher Strength Encryption Key Exchange SOLUTION description Risk of Attack description Register here:

22 24.júl. 24.aug. 24.szept. 24.okt. 24.nov. 24.dec. 24.jan. 24.febr. 24.márc. 24.ápr. 24.máj. 24.jún. 24.júl. 24.aug. 24.szept. 24.okt. 24.nov. 24.dec. Qualys Global Community Join us at Total Members

23 CSO Interchange Events Coming to a City Near You 23

24 Qualys Security Conferences 12 Las Vegas, Munich, London and Paris 24

25 Thank You