Using QUalysgUard to Meet sox CoMplianCe & it Control objectives



Similar documents
Delivering Security & Compliance On Demand

Criticial Need for Stronger Network Security. QualysGuard SaaS-based Vulnerability Management for Stronger Security and Verification of Compliance

HOW TO PASS AN IT AUDIT

Web Application Security How to Minimize Prevalent Risk of Attacks

The Top 10 Reports for Managing Vulnerabilities

FISMA Compliance: Making the Grade

Achieving Business Imperatives through IT Governance and Risk

IT Security & Compliance. On Time. On Budget. On Demand.

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

Offline Scanner Appliance

Delivering IT Security and Compliance as a Service

BIG SHIFT TO CLOUD-BASED SECURITY

Sarbanes-Oxley Control Transformation Through Automation

New Requirements for Security and Compliance Auditing in the Cloud

Defending the Database Techniques and best practices

White Paper. Regulatory Compliance and Database Management

IT Audit in the Cloud

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Bringing Continuous Security to the Global Enterprise

Practical Guidance for Auditing IT General Controls. September 2, 2009

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

Using Assurance Models in IT Audit Engagements

Certified Information Security Manager (CISM)

NARROWING THE SECURITY GAP WITH AUTOMATED CONFIGURATION ASSESSMENT

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

Published April Executive Summary

Governance, Risk, and Compliance (GRC) White Paper

8 Key Requirements of an IT Governance, Risk and Compliance Solution

Vulnerability Management

Qualys PC/SCAP Auditor

Vendor Risk Management Financial Organizations

SECURITY. Risk & Compliance Services

Current IBAT Endorsed Services

IronBee Open Source Web Application Firewall

How To Monitor Your Entire It Environment

Achieving SOX Compliance with Masergy Security Professional Services

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

ROUTES TO VALUE. Business Service Management: How fast can you get there?

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

IBM Security Intelligence Strategy

Information Security and Risk Management

Strengthen security with intelligent identity and access management

The Challenges and Myths of Sarbanes-Oxley Compliance

Leveraging a Maturity Model to Achieve Proactive Compliance

WHITE PAPER. Best Practices for Wireless Network Security and Sarbanes-Oxley Compliance

QRadar SIEM 6.3 Datasheet

Self-Service SOX Auditing With S3 Control

Vulnerability Audit: Why a Vulnerability Scan Isn t Enough. White Paper

STATE OF NEW JERSEY IT CIRCULAR

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

A CobiT Case Study. Drawing on CobiT for the implementation of an Enterprise Risk Management Framework. December 2008

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Symantec Control Compliance Suite Standards Manager

Sarbanes-Oxley Compliance for Cloud Applications

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Why you need an Automated Asset Management Solution

NetIQ FISMA Compliance & Risk Management Solutions

Microsoft s Compliance Framework for Online Services

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

How To Buy Nitro Security

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

AVANTGARD Hosting and Managed Services

Understanding Vulnerability Management Life Cycle Functions

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

IT Governance Dr. Michael Shaw Term Project

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Boosting enterprise security with integrated log management

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Impact of New Internal Control Frameworks

NE T GENERATION CLOUD SECURITY PLATFORM

Security and Compliance Suite Rollout Guide. August 4, 2015

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Managed Services For Business FAQ Blue Saffron IT Resource Management

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

CORE Security and GLBA

Total Protection for Compliance: Unified IT Policy Auditing

Overcoming Active Directory Audit Log Limitations. Written by Randy Franklin Smith President Monterey Technology Group, Inc.

DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

GETTING STARTED WITH THE PCI COMPLIANCE SERVICE VERSION 2.3. May 1, 2008

White Paper: Consensus Audit Guidelines and Symantec RAS

10 Building Blocks for Securing File Data

Transcription:

WHITE PAPER Using QualysGuard to Meet SOX Compliance & IT Objectives

Using QualysGuard To Meet SOX Compliance and IT Objectives page 2 CobIT 4.0 is a significant improvement on the third release, making it more relevant, filling some gaps and adding clarity. Most importantly, it better aligns with good and best practices in the management of IT and so increases the possibility that its use will result in a better-managed IT environment and, specifically, improve risk management. Therefore, we continue to recommend that enterprises use it to challenge their established IT governance procedures and to improve the controls they have in place. CobIT 4.0 Is a Good Step Forward Simon Mingay 29 December 2005 Meeting new regulatory compliance requirements can be a struggle for any company. The concerns about where do I start? and can I leverage existing processes to meet these new requirements? are obvious questions with not-soobvious answers. Guidance provided by the Public Company Accounting Oversight Board (PCAOB) is embedded in long and complex documents known as Audit Standards ; unless you are a seasoned audit professional, much of this guidance can easily be misinterpreted or misunderstood. Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires the management of public companies to assess the effectiveness of an organization s internal control over financial reporting and annually report the result of that assessment. In order to satisfy this requirement, SOX mandates that affected organizations use a recognized internal control framework. Actually, it makes specific reference to the Committee of the Sponsoring Organizations of the Treadway Commission (COSO), which is accepted by many enterprises as the standard internal control framework. The CobiT framework has basically become the standard for IT general computing controls (GCC s) and is mapped back to the five focus areas of IT governance and respective COSO control domains. The Sarbanes-Oxley Act of 2002 has fundamentally changed the business and regulatory landscape for all companies publically traded in the US. SOX is intended to instill confidence back into the investor community after several corporate scandals resulted in the loss of billions of dollars in invested capital. SOX does this by increasing corporate governance requirements through measures that will strengthen internal checks and balances and ultimately, provide transparency, as well as elevated corporate accountability. It is important to emphasize that section 404 does not require senior management and business process owners to merely establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis. Most would agree that the reliability of financial reporting is heavily dependent on a wellcontrolled and secure IT environment. Accordingly, organizations must consider addressing IT controls in a financial reporting context. The QualysGuard Vulnerability Management Service maps to many of these controls. CobiT, administered by the Information Systems Audit and Association (ISACA), is a high-level yet comprehensive framework for managing risk and control over IT assets, comprising four domains, 34 IT processes and 318 detailed control objectives. Unlike COSO, CobiT includes controls that address operational and compliance objectives, but only those related to financial reporting have been considered in the development of this document. CobiT provides an actionable framework by which an entity can achieve compliance with SOX, when this framework is strategically implemented, to reduce identified risk areas to acceptable levels. The following tables outline some specific activities in CobiT that map to the QualysGuard Vulnerability Management service benefits for each section. In support of the items below, PO3 represents one of CobiT s 34 IT processes.

Using QualysGuard To Meet SOX Compliance and IT Objectives page 3 COSO Component Company Level Activity Level Information & CobIT Area Plan and Organize (IT ) IT strategic planning Information architecture Determine technological direction IT organization relationships Manage the IT investment of management aims and direction Management of human resources Compliance with external requirements of risks Manage projects Management of quality Acquire and Implement (Program Development and Program Change) Identify automated solutions Acquire or develop application software Acquire technology infrastructure Develop and maintain policies and procedures Install & test application software & technology infrastructure Manage changes Deliver and Support (Computer Operations and Access to Programs and Data) Define and manage service levels Manage third-party services Manage performance and capacity Ensure continuous service Ensure systems security Identify and allocate costs Educate and train users Assist and advise customers Manage the configuration Manage problems and incidents Manage data Manage facilities Manage operations Monitor and Evaluate (IT ) Adequacy of internal controls Independent assurance Internal audit

Using QualysGuard To Meet SOX Compliance and IT Objectives page 4 CobIT Domain - Planning and Organization P03 Determine Technological Direction P04 Define the IT organization and relationships P05 Manage the IT Investment P08 Insure Compliance with external organizations P09 Assess s QualysGuard can help to determine the needs for other additional products in the security architecture. QualysGuard can be used to define the relationships between security teams (VM to Desktop Support) through the use of the remediation capabilities. Trending information from QualysGuard can help to determine the need for IT investment (system and/or software upgrades) over time. QualysGuard reports can assist organizations in meeting compliance with SOX, GLBA, and HIPAA among other regulations by discovering devices in the IT environment that may be vulnerable or improperly configured. QualysGuard provides customers a method of assessing risks within their environment based on CVSS and by allowing each customer to create an individualized value matrix for devices in the architecture. CobIT Domain - Acquire and Implement AI4 Develop and Maintain procedures AI5 Install and accredit systems AI6 Manage Changes QualysGuard introduces a structure (our six-step approach) for the management of vulnerabilities, from discovery to remediation. These steps are the groundwork for needed for the creation of organizational IT processes and procedures. The QualysGuard solution allows for the creation of a gold standard for the security of a particular host. This can be used to accredit a system s configuration prior to deployment. The remediation features in the QualysGuard solution can be used for the management of changes, such as patches, to update or reconfigure network- or user-based IT resources.

Using QualysGuard To Meet SOX Compliance and IT Objectives page 5 CobIT Domain - Delivery & Support DS5 Ensure System Security DS9 Manage the Configuration DS10 Manage Problems and Incidents QualysGuard qualifies the classifications of what systems vulnerabilities, include, to help to ensure understanding of the interrelationships in security remediation. QualysGuard scans can indicate that hosts may not be configured correctly, which may also result in a reduced level of system security. QualysGuard s built-in ticket remediation system can assist in the management of problems and root cause analysis of security incidents. CobIT Domain - ME2 Monitor and Evaluate Internal ME3 Ensure Compliance with External Requirements QualysGuard provides an automated method of testing all technically defined controls. Companies impacted by SOX compliance are required to perform periodic self-assessments related to the effectiveness of internal controls placed in Production. Taking into consideration that this is an ongoing process, QualysGuard can greatly reduce the cost and human resource overhead associated. QualysGuard Vulnerability Management and Policy Compliance reports can be used as evidentiary support for meeting regulatory and contractual requirements and expectations. In addition to its use as a vulnerability management and remediation tool, QualysGuard maps to many of the areas of the COSO framework and can be used to demonstrate compliance with Sarbanes-Oxley Act of 2002, Section 404. For those companies using the CobiT framework for overall IT governance, QualysGuard functionality provides a method of meeting specific CobiT governance requirements. The table below outlines the QualysGuard capabilities that map to the specific control objectives.

Using QualysGuard To Meet SOX Compliance and IT Objectives page 6 CobIT 4.0 s CobIT Sub- QualysGuard Capabilities PO 9 Assess and Manage IT s AI6 Manage Changes DS2 Manage Third-party Services DS5 Ensure Systems Security DS8 Manage Service Desk and Incidents DS9 Manage the Configuration DS10 Manage Problems ME2 Monitor and Evaluate Internal ME3 Ensure Regulatory Compliance PO9.3 Event Identification Identifies vulnerabilities. Asses support for CVSS. Identifies device misconfigurations. Information available on demand. AI6.4 Change Status Tracking The incorporation of a remediation management system within QualysGuard allows for and Reporting tracking of changes to systems. Action logs available for viewing and (with QG 4.7) download for tracking changes to QualysGuard. Scan and report notifications available via email. AI6.5 Change Closure and Action logs available for viewing and (with QG 4.7) download. Documentation Multi role support segregation of duties (SoD). Scan and report notifications available via email. DS2.4 Supplier Performance Many customers have purchased Qualys to monitor third party service providers. Audits SLA compliance for those who ve outsourced IT infrastructure patching maintenance. DS5.4 User Account QualysGuard can assist in meeting this requirement by auditing for unused accounts Management (QID 105234). QualysGuard can provide audits of user rights and privileges. DS5.5 Security Testing, Automated QualysGuard scans using credentialed access can test for compliance and Surveillance and accreditation of systems. This can be accomplished through the use of specific templates containing level 1 and 2 vulnerabilities. DS5.6 Security Incident QualysGuard threat, impact and solution data is well defined as part of Qualys reporting. Definition CVSS is supported for indicating impact level. DS5.9 Malicious Software Report templates containing specific Qualys QIDs represent and identify Trojans, Prevention, Detection and back-doors, key loggers and rootkits on systems and can be used as part of an overall Correction strategy for DS5.9. DS8.3 Incident Escalation QualysGuard Remediation specifically supports all DS8 controls allowing for DS8.4 Incident Closure vulnerability remediation assignment and control. DS8.5 Trend Analysis Reports are available to support remediation trend analysis. Export to third part ticketing system is supported. DS9.3 Configuration Integrity Specific Qualys QIDs represent system configuration detections that include software Review inventories. These can be compared to user defined baselines. QualysGuard can perform system software audits. DS10.1 Identification and QualysGuard Remediation specifically supports all DS10 controls allowing for vulnerability Classification of Problems remediation assignment and control. DS10.2 Problem Tracking and Reports are available to support remediation trend analysis. Resolution Export to third part ticketing system is supported. DS10.3 Problem Closure DS10.4 Integration of Change, Configuration and Problem Management ME2.1 of Internal QualysGuard supports vulnerability trending and benchmarking reports to control the Framework IT environment. ME2.1 of Internal QualysGuard supports exception control through the ignore vulnerability function on a Framework host-by host basis. This information can be made available across users. QualysGuard provides subscription based timely security notifications about emergency threat detections. ME2.7 Remedial Actions Qualys supports remediation change management and process control. Remediation can be assigned specific individuals. Tracking reports are available. ME3.3 Evaluation of Information gathered through QualysGuard scans can assist with compliance with Compliance With Regulatory many regulatory compliances. Requirements User access rights to files and folders, File permissions, Patches, Malicious Software, Host event log settings, and other security setting information is relevant for HIPAA, Sarbanes-Oxley, NIST 800-53, and other regulatory compliances.

Using QualysGuard To Meet SOX Compliance and IT Objectives page 7 About Qualys Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions delivered as a service. Qualys Softwareas-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures. The QualysGuard service is used today by more than 3,500 organizations in 85 countries, including 35 of the Fortune Global 100 and performs more than 200 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company. Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, SecureWorks, Symantec, TELUS and VeriSign. For more information, please visit www.qualys.com. www.qualys.com USA Qualys, Inc. 1600 Bridge Parkway, Redwood Shores, CA 94065 T: 1 (650) 801 6100 sales@qualys.com UK Qualys, Ltd. 224 Berwick Avenue, Slough, Berkshire, SL1 4QT T: +44 (0) 1753 872101 Germany Qualys GmbH München Airport, Terminalstrasse Mitte 18, 85356 München T: +49 (0) 89 97007 146 France Qualys Technologies Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie T: +33 (0) 1 41 97 35 70 Japan Qualys Japan K.K. Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo T: +81 3 6860 8296 Hong Kong Qualys Hong Kong Ltd. 2/F, Shui On Centre, 6-8 Harbour Road, Wanchai, Hong Kong T: +852 2824 8488 Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 6/09

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information