Creating Effective Security Controls: A Ten Year Study of High Performing IT Security
Slide 1: Creating Effective Security Controls: A Ten Year Study of High Performing IT Security
Gene Kim, CISA, CTO and Co-Founder
VA-SCAN, 10/5/2009
Tripwire: Configuration Assessment & Change Auditing Solutions (Compliance, Security, Control)
Slide 2: Where Did The High Performers Come From?
Slide 3: Agenda
- An uncomfortable question about information security effectiveness
- How does information security integrate effectively into daily operations?
- How did the high performing IT organizations make their good to great transformations?
- Seven practical steps to go from good to great
- How does going from good to great feel?
- Additional resources
Slide 4: What's the Problem?
Slide 5: Information Security and Compliance Risks
- Information security practitioners are always one change away from a security breach
  - Front page news
  - Regulatory fines
  - Brand damage
- High profile security failures are increasing external pressures for security and compliance
  - Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)
Slide 6: Luck Is Not A Strategy
Slide 7: The Dark Side Of Virtualization
- Virtualization enables organizations to deploy changes and releases more quickly than ever
  - What works at 60 mph may not work at 200 mph
- Certain required activities in the physical world made it easier to prevent and detect release risks
  - Watching for servers on the loading dock
  - Budgeting and procurement activities
  - Physical data center access
  - Network cabling
- What happens when these activities are no longer required to deploy major releases?
  - And when it is easy to download VMplayer, copy virtual machines, etc.
  - And what could go wrong?
Slide 8: Virtualization Is Here
- "85% of 219 IT organizations are already using virtualization and half are planning to" (Tripwire Customer Survey)
- "85% of customers are already using virtualization for mission-critical production services." (VMware)
- "Through 2009, 60% of virtual servers will be less secure than their physical counterparts, and 30% of virtualized servers will be associated with a security incident." (Gartner)
Slide 9: Operations And Security Already Don't Get Along
Operations hinders security:
- Deploys insecure components into production
- Creates production IT infrastructure that is hard to understand
- Has no information security standard
- Creates self-inflicted outages
- Uses shared privileged accounts
- Can't quickly address known security vulnerabilities
Security hinders operations:
- Creates bureaucracy
- Generates risky, low value IT operations work
- Generates a large backlog of reviews
- Creates delays through information security requirements
- Brings up project issues that cost too much, take too long, and reduce the feature set
Words often used to describe information security: hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae
Slide 10: Going from Good to Great
Slide 11: Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization
[Chart: efficiency of operation (server/sysadmin ratio) plotted against size of operation (# servers), with "Best in Class Ops and Security" at the top of the range. Source: IT Process Institute (2001)]
Operations metrics benchmarks, best in class:
- Server/sysadmin ratios
- Highest ratio of staff for pre-production processes
- Lowest amount of unplanned work
- Highest change success rate
- Best posture of compliance
- Lowest cost of compliance
Slide 12: Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
- High performers maintain a posture of compliance
  - Fewest number of repeat audit findings
  - One-third the amount of audit preparation effort
- High performers find and fix security breaches faster
  - 5 times more likely to detect breaches by automated control
  - 5 times less likely to have breaches result in a loss event
- When high performers implement changes
  - 14 times more changes
  - One-half the change failure rate
  - One-quarter the first fix failure rate
  - 10x faster MTTR for Sev 1 outages
- When high performers manage IT resources
  - One-third the amount of unplanned work
  - 8 times more projects and IT services
  - 6 times more applications
Source: IT Process Institute, May 2006
Slide 13: Birth Of Epidemiology: Dr. John Snow
Slide 14: Culture Of Change Management
- High change rate
- High change success rate
Slide 15: Culture Of Causality
- Low MTTR
- High first fix rate
Slide 16: Culture Of Planned Work
- Low unplanned work
- High project date performance
Slide 17: Visible Ops: Playbook of High Performers
- The IT Process Institute has been studying high-performing organizations since 1999
  - What is common to all the high performers?
  - What is different between them and average and low performers?
  - How did they become great?
- Answers have been codified in the Visible Ops Methodology
Slide 18: Over Ten Years, We Benchmarked IT Orgs
Slide 19: Surprise #2: What The High Performers Do Differently
Top two differentiators between good and great:
1. Systems are monitored for unauthorized changes
2. Consequences are defined for intentional unauthorized changes
[Charts: Foundational Controls, Medium vs Low; Foundational Controls, High vs Medium]
Source: IT Process Institute, May 2006
Slide 20: 2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and enforce the following?
- Standardized configuration strategy
- Process discipline
- Controlled access to production systems
Source: IT Process Institute, May 2006
Slide 21: High Performers Can Bound Maximum MTTR
- But look at the huge differences for large outages! (Large outages required people to fix!)
Source: IT Process Institute, May 2006
Slide 22: Seven Practical Steps
Slide 23: The Seven Practical Steps To Integrate Information Security Into Daily Operations
- Step 1: Gain situational awareness
- Step 2: Reduce and monitor privileged access
- Step 3: Define and enforce VMM configuration standards
- Step 4: Integrate and help enforce change management processes
- Step 5: Create library of trusted virtualized builds
- Step 6: Integrate into release management
- Step 7: Ensure that all activities go through change management
Slide 24: Step 1: Gain Situational Awareness
Situational awareness: the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regard to the mission.
Questions we want to answer:
- What IT services are being provided? (e.g., power generation, distribution, financial reporting, etc.)
- Who are the business and IT units, and how are they organized? (e.g., the centralized IT services group, an IT outsourcer, etc.)
- What are the relevant regulatory and contractual requirements for the business process? (e.g., SOX-404, PCI DSS, FISMA, NERC, etc.)
- Where is reliance being placed and what are the critical functionalities?
- What technologies and IT processes are they being run on? (e.g., Microsoft Windows Server, Sun Solaris, SQL Server, Oracle, etc.)
- Are there any high-level risk indicators from the past? (e.g., repeat audit findings, frequent outages, management metrics, etc.)
Slide 25: Step 2: Reduce And Monitor Privileged Access
- Know where the infrastructure that poses the largest risk to business objectives is
- Ensure that access is properly restricted
  - Look for administrators who have high levels of privilege
  - Reduce access
- Highly privileged administrators can introduce the likelihood of errors, downtime, fraud and security incidents
  - Can affect mission critical IT services
  - Can modify logical security settings
  - Can add, remove and modify VMs
"To err is human. To really screw up requires the root password." (Unknown)
Slide 26: Step 2: Reduce And Monitor Privileged Access
- Implement preventive controls:
  - Reconcile admins to authorized staff and delete any ghost accounts
  - Ensure a reasonable number of admins
  - Issue and revoke accounts upon hiring, firing, reassignment
- Implement detective controls:
  - Monitor privileged user account adds, removes and changes
  - Reconcile each user account change to an authorized work order
  - Reconcile each user account to an HR record
  - Implement account re-accreditation procedures
"Hope is not a strategy. Trust is not a control."
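The detective controls on this slide (reconcile each privileged-account change to an authorized work order, reconcile each account to an HR record, and keep the admin count within a defined bound) can be run as a periodic batch over exported data. The following is an added example in Python; it is not code from the presentation or from Tripwire. The account names, ticket ids, and the shape of the account-change records are constructed sample data, and the rule that a service account reconciles through a named active owner is an assumption of the example.

```python
"""Privileged-account reconciliation (added example, not from the deck).

Step 2's detective controls: every account holding admin privilege must map
to an active HR record, and every change to the privileged group must map
to an approved work order naming that account. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AccountChange:
    """One observed change to the privileged group (constructed shape)."""
    when: date
    account: str
    action: str                 # "add", "remove" or "modify"
    work_order: Optional[str]   # ticket id claimed for the change, if any


# Constructed sample data: the privileged group as observed on a system,
# the HR roster of active staff, named owners of service accounts, and the
# work-order system's approved tickets with the accounts each one covers.
PRIVILEGED_ACCOUNTS = {"alice", "bob", "svc_backup", "ghost01", "carol"}
HR_ACTIVE_STAFF = {"alice", "bob", "carol", "dave"}
SERVICE_ACCOUNT_OWNERS = {"svc_backup": "bob"}   # assumption: service accounts need an owner
APPROVED_WORK_ORDERS = {"WO-1001": {"alice"}, "WO-1002": {"carol"}}

OBSERVED_CHANGES = [
    AccountChange(date(2009, 9, 1), "alice", "add", "WO-1001"),
    AccountChange(date(2009, 9, 3), "ghost01", "add", None),       # no ticket at all
    AccountChange(date(2009, 9, 4), "carol", "add", "WO-1002"),
    AccountChange(date(2009, 9, 5), "bob", "modify", "WO-9999"),    # ticket does not exist
]


def ghost_accounts(privileged, hr_staff, service_owners):
    """Accounts holding privilege that reconcile to no active HR record.

    A service account reconciles through its named owner; an account with
    no owner and no HR record is a ghost and should be deleted.
    """
    ghosts = set()
    for acct in privileged:
        owner = service_owners.get(acct, acct)
        if owner not in hr_staff:
            ghosts.add(acct)
    return ghosts


def unreconciled_changes(changes, approved_orders):
    """Changes that cannot be tied to an approved work order naming that account."""
    flagged = []
    for ch in changes:
        covered = approved_orders.get(ch.work_order, set())
        if ch.account not in covered:
            flagged.append(ch)
    return flagged


def admin_count_within_limit(privileged, max_admins):
    """Step 2 preventive check: the number of admins stays within a defined bound."""
    return len(privileged) <= max_admins


def reconcile(privileged=PRIVILEGED_ACCOUNTS, hr_staff=HR_ACTIVE_STAFF,
              service_owners=SERVICE_ACCOUNT_OWNERS, changes=OBSERVED_CHANGES,
              approved_orders=APPROVED_WORK_ORDERS, max_admins=5):
    """Run all three checks and return a report suitable for an audit or CAB review."""
    return {
        "ghost_accounts": sorted(ghost_accounts(privileged, hr_staff, service_owners)),
        "unreconciled_changes": [(c.account, c.action, c.work_order)
                                 for c in unreconciled_changes(changes, approved_orders)],
        "admin_count_ok": admin_count_within_limit(privileged, max_admins),
    }


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key}: {value}")
```

On the constructed data the report flags `ghost01` (privilege with no HR record) and two changes that no approved ticket covers: the ghost account's addition with no ticket, and a modification citing a ticket that does not exist. In practice the three inputs come from the directory or sudoers export, the HR system, and the ticketing system, and a non-empty report is what feeds the re-accreditation step on the slide.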
Slide 27: Step 3: Define And Enforce Configuration Standards
- The goal is to create known, trusted, stable, secure and risk-reduced configuration states
- External configuration guides include:
  - Center for Internet Security (CIS)
  - VMware: VMware Infrastructure 3, Security Hardening
  - Defense Information Systems Agency (DISA) STIGs
"Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. The security issues related to vulnerability and configuration management get worse, not better, when virtualized."
Source: Gartner, Inc., Security Considerations and Best Practices for Securing Virtual Machines by Neil MacDonald, March 2007.
Slide 28: Step 4: Help Enforce Change Management Processes
- Information security needs change management
  - Gain situational awareness of production changes
  - Influence decisions and outcomes
- Add value in the change management process by:
  - Assessing the potential information security and operational impact of changes
  - Improving procedures for change authorisation, scheduling, implementation and substantiation
  - Ensuring that change requests comply with information security requirements, corporate policy, and industry standards
Slide 29: Step 4: Help Enforce Change Management Processes
- Implement preventive controls
  - Get invited to the Change Advisory Board (CAB) meetings
  - Ensure tone at the top and help define consequences
- Implement detective controls
  - Build and electrify the fence
  - Substantiate that all changes are authorised
  - Look for red flags and indicators
"[As auditors,] the top leading indicators of risk when we look at an IT operation are poor service levels and unusual rates of changes." (Bill Philhower)
Slide 30: Step 5: Create A Library Of Trusted Builds
- Our goal is to make it easier to use known, stable and secure builds than unauthorised and insecure builds
- Implement preventive controls:
  - Defined process of how to assemble hardened and stable builds
  - Work with any existing server provisioning teams to add any standard monitoring agents
  - Ensure that application and service account passwords are changed before deployment
Slide 31: Step 5: Create A Library Of Trusted Builds
- Implement detective controls:
  - Verify that deployed infrastructure matches known good states
  - Verify virtual image configurations against internal and external configuration standards
  - Monitor the approved virtual image library for all adds, removes and changes
  - Reconcile all adds, removes and changes to an authorised change order
Slide 32: Step 6: Integrate Into The Release Management Processes
- Release management and information security both require standardisation and documentation
  - Checklists
  - Detection and reduction of variance
- Implement preventive and detective controls:
  - Develop shared templates with release management, QA and project management and integrate into their checkpoints
  - Integrate automated security testing tools
  - Compare preproduction and production images, and reduce any variance
Slide 33: Step 7: Ensure All Activities Go Through Change Management
- Ensure that the only acceptable number of unauthorized changes is zero, across:
  - Infrastructure
  - Application releases
  - Security patches
  - Break/fix activities
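Steps 5 and 7 together describe the core detective loop: hash what is deployed, compare it against the trusted build's known-good state, and reconcile every difference to an authorized change order so that the unauthorized-change count comes out at zero. The block below is an added example in Python; it is not part of the presentation and is not Tripwire's implementation. The file paths, file contents, modification times and change-order records are constructed in memory, and the rule that a change counts as authorized only if a ticket names the path and the change falls inside that ticket's window is an assumption of the example that goes slightly beyond the slide.

```python
"""Known-good-state verification and change reconciliation (added example).

Step 5's detective control: compare what is deployed with the trusted
build's known-good state. Step 7's yardstick: every detected change must
reconcile to an authorized change order, so the unauthorized count is zero.
Everything below is constructed sample data held in memory.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    """Content digest used for the baseline and for the deployed-state scan."""
    return hashlib.sha256(data).hexdigest()


# Constructed: the trusted build's file set at image-approval time.
TRUSTED_BUILD_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
    "/usr/lib/vmware/hostd.conf": b"<config><loglevel>info</loglevel></config>\n",
}
BASELINE = {path: sha256_hex(body) for path, body in TRUSTED_BUILD_FILES.items()}

# Constructed: the same host as observed later. One approved logging change,
# one sudoers edit nobody ticketed, and one new file that was never in the build.
OBSERVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\nvendor ALL=(ALL) ALL\n",
    "/usr/lib/vmware/hostd.conf": b"<config><loglevel>verbose</loglevel></config>\n",
    "/root/.ssh/authorized_keys": b"ssh-rsa AAAA... unknown@laptop\n",
}
OBSERVED_MTIMES = {
    "/etc/sudoers": datetime(2009, 9, 12, 14, 5),
    "/usr/lib/vmware/hostd.conf": datetime(2009, 9, 12, 14, 7),
    "/root/.ssh/authorized_keys": datetime(2009, 9, 14, 2, 30),
}


@dataclass(frozen=True)
class ChangeOrder:
    """A CAB-approved change: which paths it covers and its maintenance window."""
    ticket: str
    paths: frozenset
    window_start: datetime
    window_end: datetime


# Constructed: the only approved change order touching this host.
CHANGE_ORDERS = [
    ChangeOrder("CHG-2041", frozenset({"/usr/lib/vmware/hostd.conf"}),
                datetime(2009, 9, 12, 14, 0), datetime(2009, 9, 12, 16, 0)),
]


def detect_drift(baseline, observed):
    """Return {path: kind} for every difference from the known-good state."""
    drift = {}
    for path, body in observed.items():
        if path not in baseline:
            drift[path] = "added"
        elif baseline[path] != sha256_hex(body):
            drift[path] = "modified"
    for path in baseline:
        if path not in observed:
            drift[path] = "removed"
    return drift


def reconcile_changes(drift, mtimes, orders):
    """Split detected changes into authorized (ticket names the path and the
    change time lies inside the ticket's window) and unauthorized."""
    authorized, unauthorized = {}, {}
    for path, kind in drift.items():
        when = mtimes.get(path)
        match = next((o.ticket for o in orders
                      if path in o.paths and when is not None
                      and o.window_start <= when <= o.window_end), None)
        if match:
            authorized[path] = (kind, match)
        else:
            unauthorized[path] = kind
    return authorized, unauthorized


def unauthorized_change_count(baseline=BASELINE, observed=OBSERVED_FILES,
                              mtimes=OBSERVED_MTIMES, orders=CHANGE_ORDERS):
    """Step 7's metric: the only acceptable value is zero."""
    _, unauthorized = reconcile_changes(detect_drift(baseline, observed), mtimes, orders)
    return len(unauthorized)


if __name__ == "__main__":
    drift = detect_drift(BASELINE, OBSERVED_FILES)
    authorized, unauthorized = reconcile_changes(drift, OBSERVED_MTIMES, CHANGE_ORDERS)
    print("authorized:", authorized)
    print("unauthorized:", unauthorized)
    print("unauthorized change count:", unauthorized_change_count())
```

On the constructed host the logging change reconciles to CHG-2041 and drops out of the report, while the sudoers edit and the new authorized_keys file remain as two unauthorized changes to be investigated and either backed out or tied to a retroactive ticket with consequences, as Slide 19 describes. A host that still matches the trusted build exactly yields a count of zero.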
Slide 34: What Does Transformation Feel Like?
Slide 35: Find What's Most Important First
Slide 36: Quickly Find What Is Different
Slide 37: Before Something Bad Happens
Slide 38: Find Risk Early
Slide 39: Communicate It Effectively To Peers
Slide 40: Hold People Accountable
Slide 41: Based On Objective Evidence
Slide 42: Answer Important Questions
Slide 43: Ever Increasing Situational Mastery
Slide 44: Show Value To The Business
Slide 45: Be Recognized For Contribution
Slide 46: And Do More With Less
Slide 47: Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
- High performers maintain a posture of compliance
  - Fewest number of repeat audit findings
  - One-third the amount of audit preparation effort
- High performers find and fix security breaches faster
  - 5 times more likely to detect breaches by automated control
  - 5 times less likely to have breaches result in a loss event
- When high performers implement changes
  - 14 times more changes
  - One-half the change failure rate
  - One-quarter the first fix failure rate
  - 10x faster MTTR for Sev 1 outages
- When high performers manage IT resources
  - One-third the amount of unplanned work
  - 8 times more projects and IT services
  - 6 times more applications
Source: IT Process Institute, May 2006
Slide 48: Where Tripwire Fits: Achieve & Maintain Configuration Control
- Achieve a known and trusted state
  - Proactively assess configuration settings against internal & external standards
  - Identify risks & remediate to ensure policy compliance
- Maintain a known and trusted state
  - Detect all changes across the IT infrastructure
  - Gain visibility & control through actionable reports, reconciliation and remediation
- Outcomes: attain compliance, mitigate security risk, increase operational efficiency
Slide 49: Resources: Tripwire ConfigCheck
- Simple to use, free utility holding the best-practices knowledge of experts at VMware & Tripwire
- Easily and rapidly analyzes & validates VMware ESX server configurations according to VMware hardening guidelines
- Generates actionable results showing compliance and non-compliance for all guideline tests
- Provides links to a virtualization security resource center that provides remediation guidance for any failed test
Slide 50: Resources
- From the IT Process Institute
  - Both Visible Ops Handbooks
  - ITPI IT Controls Performance Study
- Compliance Resource Center on
- Stop by the Tripwire booth for a copy of Visible Ops Security
- Gene Kim's "Practical Steps To Ensure Federal Cybersecurity And FISMA Compliance" white paper
- Follow Gene Kim on: genek@tripwire.com; Blog:
Slide 51: Key Takeaways
- Virtualization amplifies weaknesses and risks in enterprise IT processes and policies
  - 60 percent of production virtual machines will be less secure than their physical counterparts through 2009 (Gartner)
- Addressing these risks is a must have
  - Auditors require the same IT controls across the data center
- Mitigating risk: Tripwire delivers a unified solution for your physical and virtual environments
  - Configuration Assessment
  - Change Auditing
  - Achieve & Maintain A Known and Trusted State
Slide 52: Resources
Slide 53: Company Background
- Recognized leader of Configuration Audit & Control
- Award-winning, patented technology for Configuration Assessment & Change Auditing
- Over 6,000 customers worldwide
- Pioneer in Change Detection and File Integrity Monitoring
- IT best practice thought leaders: Visible Ops Handbook, ITIL v3 contributor, Visible Ops Security
Slide 54: Visible Ops Security: Linking Security and IT Operations Objectives In 4 Practical Steps
[Diagram: the four Visible Ops Security phases overlaid on the ITIL / BS process map]
- Phase 1: Stabilize the patient, modify first response and get plugged into production
- Phase 2: Find fragile artifacts, and identify meaningful business and technology risks
- Phase 3: Implement development & release controls
- Phase 4: Continually improve
ITIL process areas shown: Service Design & Management (Security Management, Service Level Management, Capacity Management, Availability & Contingency Management, Service Reporting, Financial Management); Release Processes (Release Management); Control Processes (Asset & Configuration Management, Change Management); Resolution Processes (Incident Management, Problem Management); Supplier Processes (Customer Relationship Management, Supplier Management); Automation
Sources: ITPI Visible Ops & IT Infrastructure Library (ITIL) / BS
More informationThe Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation
The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation Copyright, AlgoSec Inc. All rights reserved The Need to Ensure Continuous Compliance Regulations
More informationVulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
More informationLeveraging ITIL to Manage Your Virtual Environment. Laurent Mandorla, Manager Fredrik Hallgårde, Consultant BearingPoint, Inc.
Leveraging ITIL to Manage Your Virtual Environment Laurent Mandorla, Manager Fredrik Hallgårde, Consultant BearingPoint, Inc. Agenda Introduction VMware: Great promises, but some significant challenges
More informationNetwork Configuration Management
Network Configuration Management Contents Abstract Best Practices for Configuration Management What is Configuration Management? FCAPS Configuration Management Operational Issues IT Infrastructure Library
More informationWindows Least Privilege Management and Beyond
CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationWHITEPAPER. Compliance: what it means for databases
WHITEPAPER Compliance: what it means for databases Introduction Compliance is the general term used to describe the efforts made by many (typically larger) organizations to meet regulatory standards. In
More informationBEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security
BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration
More informationWHITE PAPER Configuration and Change Management for IT Compliance and Risk Management: The Tripwire Approach
WHITE PAPER Configuration and Change Management for IT Compliance and Risk Management: The Tripwire Approach Sponsored by: Tripwire Frederick W. Broussard November 2007 Vivian Tero EXECUTIVE SUMMARY Global
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationApplying ITIL v3 Best Practices
white paper Applying ITIL v3 Best Practices to improve IT processes Rocket bluezone.rocketsoftware.com Applying ITIL v. 3 Best Practices to Improve IT Processes A White Paper by Rocket Software Version
More informationCompliance Management, made easy
Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationReal-Time Database Protection and. Overview. 2010 IBM Corporation
Real-Time Database Protection and Monitoring: IBM InfoSphere Guardium Overview Agenda Business drivers for database security InfoSphere Guardium architecture Common applications The InfoSphere portfolio
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationNetwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure
Netwrix Auditor Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure netwrix.com netwrix.com/social 01 Product Overview Netwrix Auditor
More informationIndependent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Improvements Are Needed to the Information Security Program March 11, 2008 Reference Number: 2008-20-076 This report has cleared the Treasury Inspector
More informationCMDB Essential to Service Management Strategy. All rights reserved 2007
CMDB: Essential to the Service Management strategy Business Proposition: This white paper describes how the CMDB is an essential component of the IT Service Management Strategy, and why the FrontRange
More informationCYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY
CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY INTRODUCTION Information security has evolved. As the landscape of threats increases and cyber security 1 management becomes
More informationSecurity Trends and Client Approaches
Security Trends and Client Approaches May 2010 Bob Bocchino, CISA ERM Security and Compliance Business Advisor IBU Technology Sales Support Industries Business Unit, Technology Sales Support 1 Mark Dixon
More informationBest Practices in File Integrity Monitoring. Ed Jowett, CISSP ITIL Practitioner Sr. Systems Engineer, Tripwire Inc.
Best Practices in File Integrity Monitoring Ed Jowett, CISSP ITIL Practitioner Sr. Systems Engineer, Tripwire Inc. Who is Ed Jowett 2 Agenda Best Practices in FIM The 3 Main Drivers of FIM Lessons Learned
More informationContinuous IT Compliance: A Stepwise Approach to Effective Assurance BEST PRACTICES WHITE PAPER
Continuous IT Compliance: A Stepwise Approach to Effective Assurance BEST PRACTICES WHITE PAPER Introduction Regardless of industry, most IT organizations today must comply with a variety of government,
More informationVirtualization Impact on Compliance and Audit
2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationOvercoming Active Directory Audit Log Limitations. Written by Randy Franklin Smith President Monterey Technology Group, Inc.
Overcoming Active Directory Audit Log Limitations Written by Randy Franklin Smith President Monterey Technology Group, Inc. White Paper 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains
More informationThe CIO s Guide to HIPAA Compliant Text Messaging
The CIO s Guide to HIPAA Compliant Text Messaging Executive Summary The risks associated with sending Electronic Protected Health Information (ephi) via unencrypted text messaging are significant, especially
More informationLeveraging a Maturity Model to Achieve Proactive Compliance
Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................
More informationWHITEPAPER. 10 Simple Steps to ITIL Network Compliance
WHITEPAPER 10 Simple Steps to ITIL Network Compliance 10 Simple Steps to ITIL Network Compliance Corporate IT has come a long way in its first few decades. Modern business is empowered and supported by
More informationBridging the HIPAA/HITECH Compliance Gap
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
More informationWhite Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA
White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationService Asset & Configuration Management PinkVERIFY
-11-G-001 General Criteria Does the tool use ITIL 2011 Edition process terms and align to ITIL 2011 Edition workflows and process integrations? -11-G-002 Does the tool have security controls in place to
More information