20 Critical Security Controls


WHITE PAPER, June 2012

20 Critical Security Controls
How CA Technologies can help federal agencies automate compliance processes

Philip Kenney, CA Security Management

Table of Contents

Executive Summary
Section 1: Meeting FISMA and NIST requirements
Section 2: How CA Technologies supports the 20 CSCs
Section 3: Technologies for automating the 20 CSCs
Section 4: Conclusions: A practical platform for implementing the 20 CSCs
Section 5: About the author

Executive Summary

Challenge

In 2008, the Center for Strategic and International Studies (CSIS) convened a consortium of information security experts from the public and private sectors to identify the key security controls that agencies should implement. The resulting document, 20 Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, identified a core set of measures that federal agencies should employ to reduce risk and conform to FISMA requirements. By focusing on these measures as a subset of the comprehensive NIST guidelines, security administrators can take an incremental approach to comprehensive security by instituting what the document calls quick wins.

While the document sets forth activities that CISOs, CIOs and IGs can adopt as their top, shared priorities, many agencies lack critical components of the security infrastructure required to carry them out. Many of the controls require process support or automation to be truly effective, and even with a majority of the individual measures in place, compliance will remain elusive if an agency cannot achieve overall management visibility and control.

Opportunity

The 20 Critical Security Controls document designates areas where agencies can quickly improve their security posture and sustain those improvements over time. Given the scope, scale and complexity of the typical agency enterprise, neither of those things can be accomplished solely with manual methods and processes. By automating controls, and by managing and documenting control performance, agencies can achieve the ultimate goal of FISMA and NIST SP 800-53, which is improved security. They will also be better able to meet their own regulatory compliance goals.

Benefits

CA Technologies gives federal agencies a practical and affordable way to implement many of the 20 Critical Security Controls (CSCs) by combining security automation with service assurance and automation management technology. Security Management solutions from CA Technologies deliver security automation that helps build policy enforcement into processes, improve the quality of compliance and reduce the burden on administrators. Service Assurance and Service Automation solutions from CA Technologies give agencies centralized visibility into, and additional control over, their 20 CSC efforts. CA Technologies is well placed to support agencies with an overall solution for 20 CSC management and compliance, and gives them an efficient, cost-effective way to enable and manage compliance by building on what they already own.

Section 1: Meeting FISMA and NIST requirements

The National Institute of Standards and Technology (NIST) has produced a comprehensive catalog of security controls in NIST Special Publication 800-53, revision 3. By contrast, the CSIS-authored document, Twenty Critical Security Controls for Effective Cyber Defense, identifies a subset of security control activities that CISOs, CIOs and IGs can focus on as their foremost priorities for cyber security. This subset is based on attacks observed recently and those anticipated in the near future.

A head start for compliance with NIST 800-53

The 20 Critical Security Controls (20 CSCs) principally address technical areas. However, they map directly to a critical subset of the Priority Code 1 (P1) controls identified in NIST SP 800-53, and they are intended to give agencies a sound head start toward overall 800-53 compliance. The intent is to help agencies ensure that they have assessed and implemented an appropriate set of management and technical controls to address their specific risk areas. Within the guidance of 800-53, the 20 CSCs can be viewed as consensus priorities for assessing potential risks to the confidentiality, integrity and availability of systems and information within the agency's enterprise environment. Once the CIO and CISO have agreed on those priorities, the 20 CSCs are recommended as the foundation for implementing management and technical controls within the agency.

Both management and technical controls are required

Both the 20 CSCs and NIST SP 800-53 make it clear that controls must address two aspects: overall management and specific implementation. Agencies must not only put controls in place, they must also be able to monitor those controls and document their performance. Failure in either aspect constitutes non-compliance.

In addition to the requirements of the 20 CSCs and NIST 800-53, agencies must accommodate another practical consideration: the architecture and elements of the security infrastructure they already own. Agencies are unlikely to pursue any approach to implementing the 20 CSCs that does not use their existing systems as a foundation. This means that almost every implementation of the 20 CSCs will take place in a multi-vendor, heterogeneous environment.

Finding the right balance

It is perhaps easiest to visualize the implementation of the 20 CSCs in three core dimensions:

- Specific technical controls are those that address individual devices and functions, such as cataloging authorized devices, securing configurations and managing access.
- Management, visibility and control includes the capabilities that enable administrators to track, analyze, manage and document data, alerts and other outputs from the technical controls.
- Existing technologies are the systems and software agencies already own. These must serve as the foundation for new implementations.

The appropriate balance between the dimensions will vary for each agency, depending on the maturity of its security infrastructure, its resources and the particular risks it faces.

Figure A. Three core dimensions in a heterogeneous environment

Section 2: How CA Technologies supports the 20 CSCs

CA Technologies combines security automation with service assurance and automation management to help streamline agency implementations of the 20 CSCs. As a leading provider of enterprise IT management software, CA Technologies is positioned to support any agency aiming to meet the requirements for securing its environment. CA Technologies has been providing management and security solutions to industry and government for over thirty years. Based on that experience in large, heterogeneous environments around the globe, we have developed the following solutions map for implementing the 20 CSCs. The map has two column groups: Management (whether a unified, central view across the IT environment is provided) and Automation of Controls (whether the control can be automated, whether CA Technologies supports automating it, and whether CA Technologies supports managing it). The twelve controls for which CA Technologies supports automation are the ones detailed in Section 3.

1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software on laptops, workstations and servers
4. Continuous vulnerability assessment and remediation
5. Malware defenses
6. Application software security
7. Wireless device control
8. Data recovery capability
9. Security skills assessment and training
10. Secure configurations for network devices such as firewalls, routers and switches
11. Limitation and control of network ports, protocols and services
12. Controlled use of administrative privileges
13. Boundary defense
14. Maintenance, monitoring and analysis of security audit logs
15. Controlled access based on need to know
16. Account monitoring and control
17. Data loss prevention
18. Incident response capability
19. Secure network engineering
20. Penetration tests and red team exercises

Section 3: Technologies for automating the 20 CSCs

CA Technologies combines security automation with service assurance and automation management to help streamline agency implementations of the 20 CSCs. The 20 Critical Security Controls document categorizes tasks into six basic areas:

1. Identifying what assets agencies have
2. Knowing who is using those assets and how

3. Controlling access according to roles and responsibilities
4. Keeping configurations, versions and patches up to date
5. Managing security data to improve compliance and support audits
6. Ensuring availability by identifying and pre-empting threats

Multiply those few tasks by the number of assets in inventory and the number of stakeholders using them, and the result is a great deal of work for compliance administrators.

In addition to identifying the 20 controls, the document provides guidance on how organizations can further improve each control. It lists four categories of increasing security maturity that organizations can work towards:

1. Quick wins, identified in the 20 CSC document as QW. Implementing a QW does not completely mitigate a given threat, but, as the name implies, it identifies where security can be rapidly improved.
2. Improved visibility and attribution, identified as Vis/Attrib. These sub-controls focus on improving existing processes and increasing awareness and visibility of given threat vectors.
3. Hardened configuration and improved information security hygiene, identified as Config/Hygiene. This area covers methods to improve security operations and end-user behavior in order to reduce vulnerabilities.
4. Advanced, identified as Advanced. These sub-controls should be considered only after an organization has addressed the preceding three categories.

CA Technologies directly supports 12 of the 15 CSCs that can be automated, with security solutions for asset management and configuration, identity management, security information management and threat management.

CSC #1: Inventory of authorized and unauthorized devices
CA Client Automation

CA Client Automation helps provide the level of enforcement and reporting required for detecting and cataloging authorized and unauthorized devices. It can automatically detect systems across heterogeneous platforms and operating systems, and then use both agent-based and agentless methods to capture detailed hardware inventory and usage levels for each asset. CA Client Automation contains advanced discovery tools that provide continuous monitoring of the network, detection of new devices and application of policy to newly discovered devices. Collected asset data can be assessed against policies to determine whether enforcement or remediation is necessary. It can also be reconciled with an enterprise directory to correlate discovered devices with authorized users.

CSC #2: Inventory of authorized and unauthorized software
CA Client Automation

CA Client Automation helps provide the level of enforcement and reporting needed to detect and catalog application usage. It can automatically detect systems across heterogeneous platforms and operating systems, then capture detailed inventory information, including:

- All operating system software
- All user applications and software
- Releases, versions and patch levels
- Usage histories and levels

Asset data can be assessed against policies to enable enforcement and remediation where necessary. Unauthorized software can be remediated by patching it to the approved level or by removing it completely.

CSC #3: Secure configurations for hardware and software on laptops, workstations and servers
CA Client Automation, CA Configuration Automation, CA ControlMinder

CA Client Automation collects and manages detailed hardware and software information for a heterogeneous set of platforms and operating systems. The Federal Desktop Core Configuration (FDCC) Scanner within CA Client Automation continuously scans managed systems for compliance with the mandated FDCC security configurations. Where necessary, automated remediation steps can be provisioned to help eliminate vulnerabilities and bring deviating systems into compliance. The scanning can be augmented with agency-specific controls to meet agency-specific requirements.

CA Configuration Automation uses compliance rules to check that server and application configurations adhere to compliance policies. Built-in rules facilitate compliance with industry standards such as PCI and the DISA STIGs.

In addition to scanning for configuration compliance, the operating system itself can be made resistant to unauthorized changes. CA ControlMinder is a privileged user management solution that creates an environment in which fine-grained system hardening settings on servers can be configured, deployed and enforced. It helps protect that environment by hardening servers according to policy and preventing unauthorized persons from changing settings. CA ControlMinder works by hardening the underlying OS, applying policies pre-defined by the organization to enforce segregation of duties, and enforcing least privilege. It gives management visibility and control over the environment by automatically generating reports and alerts when a policy violation occurs or has been prevented. CA ControlMinder can also provide log files for central collection by CA User Activity Reporting Module; see CSC #14 for details.
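The reconciliation that CSC #1 and CSC #2 call for, as an added example written for this edit (it is not CA Client Automation code and makes no claim about how that product is implemented): discovered devices are checked against an authorized asset list and an enterprise directory extract, so that devices with no record are flagged as unauthorized and devices whose owner has been disabled are flagged as orphaned; installed software is checked against an approved catalog with minimum patch levels. The scan results, asset list, directory extract and software catalog are all constructed sample data.

```python
"""Added example (not CA Client Automation code): reconcile a discovered device
inventory against an authorized asset list and the enterprise directory (CSC #1),
and check installed software against an approved catalog with minimum patch
levels (CSC #2). All data below is constructed for the example."""

# Constructed scan results, as an agent or network discovery would return them.
DISCOVERED_DEVICES = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "hostname": "ws-fin-01"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.11", "hostname": "ws-fin-02"},
    {"mac": "DE:AD:BE:EF:00:99", "ip": "10.0.1.57", "hostname": "unknown-laptop"},
]

# Constructed authorized inventory (hypothetical asset database): MAC -> owner account.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "jdoe",
    "00:11:22:33:44:02": "rroe",
    "00:11:22:33:44:03": "msmith",  # authorized, but not seen by this scan
}

# Constructed directory extract: account -> enabled flag.
DIRECTORY = {"jdoe": True, "rroe": False, "msmith": True}


def reconcile_devices(discovered, authorized, directory):
    """Classify discovered devices as authorized, unauthorized (not in the asset DB)
    or orphaned (owner unknown or disabled in the directory), and list authorized
    devices the scan did not find."""
    report = {"authorized": [], "unauthorized": [], "orphaned": [], "missing": []}
    seen = set()
    for dev in discovered:
        mac = dev["mac"].lower()
        seen.add(mac)
        owner = authorized.get(mac)
        if owner is None:
            report["unauthorized"].append(dev["hostname"])  # candidate for quarantine
        elif not directory.get(owner, False):
            report["orphaned"].append(dev["hostname"])      # owner gone: reassign or retire
        else:
            report["authorized"].append(dev["hostname"])
    for mac in authorized:
        if mac.lower() not in seen:
            report["missing"].append(mac)  # in the asset DB, absent from the network
    return report


# Constructed approved software catalog: product -> minimum acceptable version.
APPROVED_SOFTWARE = {"openssl": "1.0.1", "firefox": "12.0"}

# Constructed per-host software inventory: host -> [(product, installed version)].
INSTALLED_SOFTWARE = {
    "ws-fin-01": [("openssl", "1.0.1"), ("firefox", "11.0"), ("bittorrent", "7.6")],
    "ws-fin-02": [("openssl", "1.0.0")],
}


def parse_version(text):
    """Turn '1.0.1' into (1, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess_software(installed, approved):
    """Return (host, product, action) findings: remove unauthorized packages,
    patch approved ones that sit below the minimum version."""
    findings = []
    for host, packages in installed.items():
        for product, version in packages:
            if product not in approved:
                findings.append((host, product, "unauthorized: remove"))
            elif parse_version(version) < parse_version(approved[product]):
                findings.append((host, product, f"out of date: patch to {approved[product]}"))
    return findings


if __name__ == "__main__":
    print(reconcile_devices(DISCOVERED_DEVICES, AUTHORIZED_DEVICES, DIRECTORY))
    for finding in assess_software(INSTALLED_SOFTWARE, APPROVED_SOFTWARE):
        print(*finding)
```

The "missing" bucket is the one that is easy to forget: an asset that the inventory says exists but that no scan can find is either decommissioned without paperwork or sitting off-network, and either way the record needs attention. Versions are compared as integer tuples because comparing "1.0.10" with "1.0.9" as strings gets the answer wrong.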

CSC #4: Continuous vulnerability assessment and remediation
CA Client Automation, CA Spectrum, CA Configuration Automation

As noted above, CA Client Automation collects and manages detailed hardware and software information for a heterogeneous set of platforms and operating systems. CA Client Automation scans workstations and servers on a schedule, on demand, or in response to an event such as a security log entry. CA Spectrum similarly scans network devices on a schedule, on demand, or in response to an event. The FDCC Scanner within CA Client Automation continuously scans managed systems for compliance with the mandated FDCC security configurations, and automated remediation steps can be provisioned where necessary to eliminate vulnerabilities and bring deviating systems into compliance. CA Client Automation includes remediation capability: it can patch systems and apply configuration settings. Remediation can be initiated manually, or automatic detection of non-compliance can trigger automated remediation. CA Configuration Automation uses compliance rules to check that server and application configurations adhere to compliance policies; built-in rules facilitate compliance with industry standards such as PCI and the DISA STIGs.

CSC #7: Wireless device control
CA Spectrum, CA Client Automation

CA Spectrum helps meet the requirements of this control. CA Spectrum modules provide wireless device control, MIB and trap support, descriptive device type identification, OneClick views, technology support and standard capabilities for specific devices and firmware. Examples of device-family management modules include Catalyst, PIX Firewall, Wireless LAN Controller and AiroNet. CA Client Automation can be installed on supported wireless devices to provide protection at the level of workstations, as described under CSC #3 and others.
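The scan-against-baseline and remediate loop described under CSC #3 and CSC #4, as an added example written for this edit (it is not the FDCC Scanner or CA Configuration Automation code): a rule set with equality, minimum and maximum checks is evaluated against a host's effective settings, a missing setting is treated as a failure, an agency-specific rule set extends the mandated baseline rather than replacing it, and the remediation plan is the set of values that makes a re-scan come back clean. The rule values and the host snapshot are constructed; they are not the real FDCC or STIG checklist values.

```python
"""Added example (not CA Client Automation or CA Configuration Automation code):
scan a host's settings against a configuration baseline, report deviations with
severity, and compute the remediation that brings the host back into compliance
(CSC #3 and #4). The baseline values are constructed for the example, not the
real FDCC or STIG checklist values."""

# Each rule: (setting, operator, expected value, severity). Constructed.
BASELINE = [
    ("password.min_length", "min", 12, "high"),
    ("screen_lock.timeout_seconds", "max", 900, "medium"),
    ("service.telnet.enabled", "eq", False, "high"),
    ("sshd.PermitRootLogin", "eq", "no", "high"),
    ("audit.enabled", "eq", True, "high"),
]

# Agency-specific rules extend the mandated baseline rather than replacing it.
AGENCY_RULES = BASELINE + [("usb.mass_storage.enabled", "eq", False, "medium")]

OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "min": lambda actual, expected: actual >= expected,
    "max": lambda actual, expected: actual <= expected,
}

# Constructed snapshot of one workstation's effective settings. 'audit.enabled'
# and 'usb.mass_storage.enabled' are absent, which a scan must treat as failing.
HOST_CONFIG = {
    "password.min_length": 8,
    "screen_lock.timeout_seconds": 1800,
    "service.telnet.enabled": True,
    "sshd.PermitRootLogin": "no",
}


def scan(config, rules):
    """Return one finding per rule the config fails. A missing setting fails:
    an unset control is not a compliant one."""
    findings = []
    for setting, op, expected, severity in rules:
        actual = config.get(setting)
        if actual is None or not OPERATORS[op](actual, expected):
            findings.append({"setting": setting, "actual": actual,
                             "expected": expected, "severity": severity})
    return findings


def remediation_plan(findings):
    """Map each failing setting to the value to apply. For min/max rules the
    baseline threshold itself is the conservative target."""
    return {f["setting"]: f["expected"] for f in findings}


def remediate(config, rules):
    """Apply the plan and return the corrected config; scan() on it is empty."""
    fixed = dict(config)
    fixed.update(remediation_plan(scan(config, rules)))
    return fixed


if __name__ == "__main__":
    for f in sorted(scan(HOST_CONFIG, AGENCY_RULES), key=lambda f: f["severity"]):
        print(f"{f['severity']:6} {f['setting']}: {f['actual']!r} -> {f['expected']!r}")
    print("after remediation:", scan(remediate(HOST_CONFIG, AGENCY_RULES), AGENCY_RULES))
```

Treating an absent setting as a failure is deliberate: a scanner that silently skips settings it cannot read will report a freshly imaged host as compliant. Remediation returns a new configuration rather than mutating the snapshot, so the before and after can both be kept as evidence for the control's documentation requirement.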
CSC #10: Secure configurations for network devices such as firewalls, routers and switches
CA Spectrum

CA Spectrum helps provide the secure configurations (including SSH v2 as the communication mode), enforcement and reporting required by this control. It identifies and monitors the configurations of device families and individual devices, including routers, hubs and switches. Each device can be configured to provide specific services.

Details of how each device operates and how it is customized can be included in its configuration. The CA Spectrum Network Configuration Manager component increases uptime, reduces network issues and lowers costs by enabling administrators to:

- Create configuration policies and verify that devices comply with them
- Prevent or detect performance problems by verifying configurations
- Manage configurations for devices modeled in Spectrum/OneClick
- Capture configurations and store them in the Spectrum database
- Load or merge configurations to devices of the same family type
- Schedule automatic captures and policy checks
- Maintain a history of network device configurations

CSC #11: Limitation and control of network ports, protocols and services
CA ControlMinder, CA Client Automation

As noted under CSC #3, CA ControlMinder helps protect sensitive data and critical applications on the protected host by strictly controlling access to system resources. CA ControlMinder can lock down ports and provide host-based intrusion detection. CA Client Automation can be used, as described under CSC #3, to scan for open ports and active services and to apply policy to the results. Responses range from alerting the appropriate personnel up to closing unauthorized ports and terminating disallowed services.

CSC #12: Controlled use of administrative privileges
CA ControlMinder

CA ControlMinder is a security enforcement tool that manages user privileges, including administrative and superuser privileges. Misuse of administrative privileges is a primary method attackers use to compromise an enterprise. CA ControlMinder protects server resources by controlling user, superuser and administrator privileges, constraining access solely to authorized uses. With the Privileged User Password Management (PUPM) component, administrative passwords are obtained only when needed and are available only while checked out to an authorized user.
As soon as the user checks the password back in, it is changed on the target system. CA ControlMinder also allows agencies to define and enforce password quality rules, including composition, minimum and maximum length, repetition and dictionary checks, and helps ensure that whenever users change their password the new one complies with agency policies and guidelines.
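The checkout, check-in and rotate cycle described for PUPM above, together with the password quality rules, as an added example written for this edit (it is not CA ControlMinder or PUPM code and does not describe their internals): a password is released only to an entitled user, to one holder at a time, and is regenerated and pushed to the target the moment it is checked back in, so the value a user saw is dead after use. The quality policy values, the entitlement table and the push_to_target hook are constructed for the example.

```python
"""Added example (not CA ControlMinder / PUPM code): a minimal privileged
password checkout service. A password is released only to an authorized user,
only to one holder at a time, and is rotated on the target system the moment it
is checked back in; every action is audited. The quality policy and the
push_to_target hook are constructed for the example."""
import re
import secrets
import string

# Constructed password quality policy: composition, length bounds, repetition,
# dictionary screening (the rule classes the text lists for CSC #12).
POLICY = {
    "min_length": 16,
    "max_length": 64,
    "max_repeat": 2,               # no run of more than 2 identical characters
    "dictionary": {"password", "admin", "welcome", "letmein"},
}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def meets_policy(password, policy=POLICY):
    """True only if the password satisfies every rule in the policy."""
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        return False
    if not all(any(ch in cls for ch in password) for cls in CLASSES):
        return False
    if re.search(r"(.)\1{%d,}" % policy["max_repeat"], password):
        return False
    lowered = password.lower()
    return not any(word in lowered for word in policy["dictionary"])


def generate_password(policy=POLICY):
    """Draw from the OS CSPRNG until a candidate passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["min_length"] + 4))
        if meets_policy(candidate, policy):
            return candidate


class PrivilegedPasswordVault:
    def __init__(self, entitlements, push_to_target=None):
        # entitlements: {privileged account: set of users allowed to check it out}
        self._entitlements = entitlements
        # push_to_target(account, new_password) would set the password on the
        # managed system; hypothetical hook, defaults to recording the call.
        self.pushed = []
        self._push = push_to_target or (lambda acct, pw: self.pushed.append(acct))
        self._holders = {}   # account -> user currently holding the password
        self.audit = []
        self._secrets = {}
        for account in entitlements:
            self._rotate(account)

    def _rotate(self, account):
        self._secrets[account] = generate_password()
        self._push(account, self._secrets[account])

    def checkout(self, account, user):
        if user not in self._entitlements.get(account, set()):
            self.audit.append(("DENIED", account, user))
            raise PermissionError(f"{user} is not entitled to {account}")
        if account in self._holders:
            raise RuntimeError(f"{account} is already checked out by {self._holders[account]}")
        self._holders[account] = user
        self.audit.append(("CHECKOUT", account, user))
        return self._secrets[account]

    def checkin(self, account, user):
        """Release the account and rotate its password so the value the user saw is dead."""
        if self._holders.get(account) != user:
            raise RuntimeError("only the current holder can check the password in")
        del self._holders[account]
        self._rotate(account)
        self.audit.append(("ROTATED", account, user))


if __name__ == "__main__":
    vault = PrivilegedPasswordVault({"root@db01": {"alice"}})
    first = vault.checkout("root@db01", "alice")
    vault.checkin("root@db01", "alice")
    print("rotated:", first != vault.checkout("root@db01", "alice"), vault.audit)
```

Two details matter for the control. The entitlement check runs before the "already checked out" check, so a denied user learns nothing about who currently holds the account. And rotation happens on check-in rather than on a timer, which is what turns a shared administrative password into a one-time credential tied to a named person in the audit trail.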

CA ControlMinder also helps eliminate privilege creep by delegating access rights to designated system operators. It lets administrators match users precisely with the privileges they need, removing any reason to grant excessive rights. CA ControlMinder keeps protected logs of administrative actions; these can be forwarded to CA User Activity Reporting Module for central collection and review. Because administrators' actions are collected and audited as standard operating procedure, this provides an additional layer of protection and oversight.

CSC #14: Maintenance, monitoring and analysis of security audit logs
CA User Activity Reporting Module

CA User Activity Reporting Module (CA UARM) is a log collection, review, reporting and archiving solution that supports this control. CA UARM collects logs from virtually any source: operating systems, network devices, syslog and applications. Collected logs can be reviewed with built-in queries that map to the most significant regulatory requirements (HIPAA, FISMA, DoD and others) or with user-defined queries, and administrators can define alerts that fire automatically when a query matches defined criteria. CA UARM also centralizes log management: logs from geographically separated offices can be collected locally and then reviewed and reported on centrally without moving large volumes of data. Queries can be federated, so a review for a specific log event can be defined in one location and then run against all other CA UARM-managed sites. CA UARM includes more than 350 reports for different regulatory requirements as well as extensive ad hoc reporting, and supports long-term retention with archiving that keeps logs online or near-line as required.
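The query-and-alert model described under CSC #14, as an added example written for this edit (it is not CA UARM code and its query format is not UARM's): syslog-style lines are parsed, two detection queries are run over the events (a failed-login burst from one source, and a sudo command touching a credential file), and the queries are federated across sites so that only the resulting alerts, not the raw logs, leave each site. The log lines, host names and addresses are constructed; the year is assumed because syslog timestamps omit it.

```python
"""Added example (not CA UARM code): parse syslog-style lines, run two detection
queries over them, and federate the queries across sites so only the alerts,
not the raw logs, leave each site (CSC #14). The log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers")

# Constructed logs for two sites; syslog omits the year, so one is assumed in parse().
SITE_LOGS = {
    "hq": [
        "Jun 12 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2",
        "Jun 12 09:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 4412 ssh2",
        "Jun 12 09:00:04 web01 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 4413 ssh2",
        "Jun 12 09:00:06 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 4414 ssh2",
        "Jun 12 09:00:08 web01 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 4415 ssh2",
        "Jun 12 09:06:00 web01 sshd[1300]: Accepted password for jdoe from 10.0.1.10 port 5000 ssh2",
        "Jun 12 09:07:10 db01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    ],
    "region-west": [
        "Jun 12 09:01:00 app07 sshd[77]: Failed password for root from 198.51.100.4 port 6001 ssh2",
        "Jun 12 09:01:30 app07 sshd[78]: Failed password for root from 198.51.100.4 port 6002 ssh2",
        "Jun 12 09:02:00 app07 sudo: ops : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/systemctl restart app",
        "this line is not syslog at all",
    ],
}


def parse(line, year=2012):
    """Return a dict for a well-formed line, None for junk (skipped, not crashed on)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source that produced >= threshold sshd failures within the window."""
    by_source = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["msg"]) if e["prog"] == "sshd" else None
        if m:
            by_source[m.group(2)].append(e["ts"])
    alerts = []
    for source, times in by_source.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"rule": "ssh-bruteforce", "source": source, "count": len(times)})
                break
    return alerts


def sensitive_sudo(events):
    """Alert on privileged commands that touch credential or privilege files."""
    alerts = []
    for e in events:
        m = SUDO_RE.match(e["msg"]) if e["prog"] == "sudo" else None
        if m and any(path in m.group(3) for path in SENSITIVE_PATHS):
            alerts.append({"rule": "sensitive-sudo", "host": e["host"],
                           "user": m.group(1), "command": m.group(3)})
    return alerts


def run_federated(sites, *queries):
    """Evaluate every query at each site and merge the alerts, tagged with the site."""
    results = []
    for site, lines in sites.items():
        events = [e for e in map(parse, lines) if e is not None]
        for query in queries:
            for alert in query(events):
                results.append(dict(alert, site=site))
    return results


if __name__ == "__main__":
    for alert in run_federated(SITE_LOGS, failed_login_bursts, sensitive_sudo):
        print(alert)
```

The burst query uses a sliding window over sorted timestamps rather than a plain count, so five failures spread over a day do not alert while five within seconds do. The two region-west failures stay below threshold and the unparseable line is dropped without aborting the run; both are the cases a query has to survive before it is trusted to page anyone.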
CSC #15: Controlled access based on need to know
CA ControlMinder

CA ControlMinder helps enforce need-to-know access by enabling administrators to associate access rules with specific systems. Users are granted access to sensitive or classified information only if they meet a pre-defined set of criteria. Any type of resource can be associated with access rules that incorporate almost any policy-driven qualification. CA ControlMinder manages access to all of the following resource types:

- Files and folders
- Processes
- User IDs and group IDs
- Privileged programs

- Network connections
- Terminals
- User-defined resources

Because access and protection are governed by a combination of policy, procedure and enforcement, CA ControlMinder can help protect data and files, entire systems or processes, and even registry entries from unauthorized access or changes. User activity is captured in audit logs and can be centralized with CA User Activity Reporting Module.

CSC #16: Account monitoring and control
CA IdentityMinder, CA GovernanceMinder, CA User Activity Reporting Module

CA Technologies is well positioned to support this control because it provides a full complement of components that manage a user's identity life cycle: from the creation of the original user account, through managing that account's access throughout its lifecycle and enforcing least-privilege rules and access rights, to collecting the complete audit trail of the associated user activity. CA IdentityMinder, CA GovernanceMinder and CA User Activity Reporting Module work together to give agencies an integrated identity management platform that automates the creation, modification and deletion of user identities and governs access to enterprise resources. CA IdentityMinder goes beyond traditional provisioning systems by providing a unified solution for managing highly diverse and growing user populations on a wide range of enterprise systems, from mainframes to web applications.
Key features of CA IdentityMinder include:

- Automated provisioning and de-provisioning of user accounts and access permissions
- Centralized audit and reporting of user entitlements
- Delegated user administration
- Integrated workflow
- Password management
- Registration services
- User self-service
- Support for periodic review of user access, with attestation reports

CA GovernanceMinder provides pattern recognition technology and analytical tools that serve as a flexible foundation for establishing cross-system identity security policies and automating the processes required to meet compliance audits. These include entitlement certification and enforcement of consistent identity compliance policies, continually validating that users, roles

and resources have appropriately associated entitlements, which helps meet compliance objectives and security requirements. As noted under CSC #14, CA User Activity Reporting Module can collect logs from a wide variety of sources, including operating systems, network devices, syslog and applications.

CSC #17: Data loss prevention
CA DataMinder

CA DataMinder monitors a wide breadth of data activity and provides a spectrum of response actions so that the appropriate balance between business continuity and enforcement can be struck throughout the organization. It provides a scalable, accurate and cost-effective way to protect and control data in motion on the network and in messaging systems, data in use at endpoints, and data at rest on servers and in repositories. CA DataMinder capabilities include:

- Broad protection coverage
- Built-in and user-defined policies
- Automated enforcement actions
- Secure review of sensitive data

Section 4: Conclusions

A practical platform for implementing the 20 CSCs

The 20 Critical Security Controls document embodies a quick-wins strategy designed to help agencies accelerate compliance with NIST SP 800-53. Both the 20 CSC document and 800-53 indicate that compliance must consist of both overall management and implementation of controls. Of the 15 CSCs that are technology based, 12 can be automated with CA Technologies solutions, and all 20 controls can be monitored and managed through the combined capabilities of the CA Technologies tools referenced above. Of course, technology alone cannot secure an IT environment; that requires a combination of sound governance, consistent management and persistent evaluation of results. Security solutions from CA Technologies give agencies a practical platform for doing all three. The 20 CSCs are a means to an end, maintaining a secure IT environment, and CA Technologies helps agencies pursue that end with proven solutions that streamline the management of critical controls.

For more information on this topic and other areas of IT, please contact your CA Technologies account team or the CA Technologies Federal Sales Hotline at 866-836-5234.

Section 5: About the author

Philip Kenney is a Director of Security Management Solutions for CA Technologies Inc. In that role, Mr. Kenney works with DoD and civilian agencies to ensure that CA Technologies security products meet their needs, and coordinates with product management teams to represent the requirements of federal customers as CA Technologies security solutions are developed. He also manages a team of technical consultants who help government customers understand and realize the full value of Security Management solutions from CA Technologies. Mr. Kenney has over 25 years of IT experience in operational, management and consulting roles spanning a wide range of platforms in both government and business organizations, and focuses on a results-oriented approach that keeps technology outcomes aligned with business needs.

Connect with CA Technologies at ca.com

Agility Made Possible: The CA Technologies Advantage

CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organizations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. CA Technologies is committed to ensuring that customers achieve their desired outcomes and expected business value through the use of its technology. To learn more about customer success programs, visit ca.com/customer-success. For more information about CA Technologies go to ca.com.

Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein. acs2452_0612