Introduction to QualysGuard IT Compliance SaaS Services
Marek Skalicky, CISM, CRISC
Regional Account Manager for Central & Adriatic Eastern Europe
A Unified and Continuous View of ICT Security, Risks and Compliance

Device & Application Security
The QualysGuard Cloud Platform and suite of integrated applications allows enterprises to discover and catalog all IT assets, and provides them with a continuous view of their security and compliance posture on a global scale.
Benefits:
- Fully automated continuous asset discovery, security & compliance assessments.
- Up-to-date security intelligence with no software to install and maintain.

IT-GRC Automation
The QualysGuard Cloud Platform and suite of integrated applications automates the collection of security and compliance data with customizable policies, questionnaires and workflows, helping organizations to automate and expedite compliance.
Benefits:
- Automated & agent-less compliance auditing supporting multiple regulatory mandates.
- Customizable questionnaires and business workflows to evaluate controls, gather evidence & validate compliance.
- Seamless integration with enterprise GRC solutions.
QualysGuard SaaS Applications
Editions: Enterprise, SMB, Freemium Services
QualysGuard On Demand Portal: Analyze, Comply, Monitor, Prevent
Applications: Vulnerability Mgmt., Web App Scan, Malware Detection, SSL Labs, Zero days analyzer, Policy Compliance, PCI Compliance, Qualys Seal, SCAP / FDCC Compliance Mgmt*, Web Application Logs, Botnet Detection*, Web App. Firewall*
QualysGuard SaaS Technology Platform: Scanners & Collectors; Open APIs, Web Services & Integrations

QualysGuard Suite of Security & Compliance Applications
Qualys Policy Compliance Management
- Audits and documents compliance against external regulations & company internal policies
- Supports major security frameworks & regulations
- Controls library pre-mapped to frameworks such as CIS, COBIT, ISO27001:2005, HIPAA, ITIL, etc.
- Agent-less, 100% SaaS
- 2300+ controls over 50 platforms
- User-defined controls for Win/Unix

QualysGuard Policy Compliance Module Introduction
Regulations & Corporate Objectives:
- Government Regulations: National Legislation, International Legislation
- Industry Regulations: PCI-DSS, BASEL II, SOX
- Company Security Policies: Global Company Security Policy, Internal Security Standards
Control Objectives based on Frameworks & Standards: COBIT 4.0/4.1, CIS, NIST-SP800-53, ISO 17799/27001
Set of relevant IT Controls & Specific Policies:
- Non-technological: Physical Security Controls, Personal Security Controls, Process Controls, Change Mgmt Controls, HR Recruit Controls
- ICT-technological: OS Configuration Controls, Application Access Controls

QualysGuard Policy Compliance: Policy Compliance process lifecycle workflow
Inputs: External & internal company Security Policies; OS and Application Security Standards; company security policy structure
Lifecycle steps:
- Map to QG Compliance Controls Catalogue
- Create Policies Based on Compliance Needs
- Assign Policy To Relevant Assets
- Compliance Scan
- Create Compliance Policy Reports
- Create/Manage Exceptions

QualysGuard Policy Compliance: Compliance Categories, Frameworks and Technologies
- Compliance Categories: Security Management, Authentication, Access Control, Services, Network Security, Antivirus/Malware, Integrity/Availability, Application Control, Encryption
- Technologies: Win XP, Vista, Windows 7, Win2000, 2003, 2008 Server, RedHat, SUSE, CentOS, AIX, HPUX, Solaris, VMWare ESX, Oracle, MS SQL, CISCO, ...
- Frameworks: CIS, COBIT 4.0/4.1, ISO 17799 / 27002:2005, NIST SP800-53, ITIL 2, 3
- Compliance Regulations: PCI-DSS, HIPAA, FFIEC, SoX 440 via COBIT mapping
QualysGuard Policy Compliance Control anatomy and categorization
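A toy illustration of what a user-defined OS configuration control looks like when evaluated by category and rolled up per framework, as the slides above describe. This is an added example, not Qualys code; the control ids, the sshd_config sample and the framework assignments are constructed for the example, and no real CIS/ISO/NIST reference numbers are implied.

```python
# Added example (not Qualys code): toy user-defined control evaluation against a
# constructed sshd_config. Control ids and framework assignments are placeholders.
from collections import namedtuple

# Constructed sample OpenSSH daemon configuration (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
Protocol 2
"""

# cid: placeholder id; directive: sshd key; expected: predicate on the value;
# category and frameworks: names taken from the Policy Compliance slides.
Control = namedtuple("Control", "cid directive expected category frameworks")

def parse_sshd_config(text):
    """Return directive -> value (lower-cased keys); first occurrence wins, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings.setdefault(key.lower(), value.strip())
    return settings

CONTROLS = [
    Control("UDC-01", "permitrootlogin", lambda v: v.lower() == "no", "Access Control", ("CIS", "ISO27001:2005")),
    Control("UDC-02", "maxauthtries", lambda v: v.isdigit() and int(v) <= 4, "Authentication", ("CIS", "NIST SP800-53")),
    Control("UDC-03", "protocol", lambda v: v == "2", "Encryption", ("CIS",)),
    Control("UDC-04", "clientaliveinterval", lambda v: v.isdigit() and 0 < int(v) <= 300, "Access Control", ("CIS",)),
]

def evaluate(config_text, controls=CONTROLS):
    """Evaluate every control; an absent directive fails (no evidence of the required setting)."""
    settings = parse_sshd_config(config_text)
    results = []
    for c in controls:
        actual = settings.get(c.directive)
        passed = actual is not None and c.expected(actual)
        results.append({"control": c.cid, "category": c.category, "actual": actual,
                        "status": "PASS" if passed else "FAIL", "frameworks": c.frameworks})
    return results

def framework_summary(results):
    """Roll up (passed, total) per framework, the figure a compliance policy report presents."""
    summary = {}
    for r in results:
        for fw in r["frameworks"]:
            passed, total = summary.get(fw, (0, 0))
            summary[fw] = (passed + (r["status"] == "PASS"), total + 1)
    return summary
```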
Customizable Questionnaires for PC (Beta available)
Custom Questionnaires enable customers to easily build questionnaires using the Unified Compliance Framework (UCF), as well as leverage existing business process workflows to evaluate controls, gather documents and evidence and validate compliance.
Benefits:
- Automation of manual assessments
- Ability to define/customize audit workflow
- Industry-leading policy repository of nearly 1000 standards and regulations via UCF
http://www.qualys.com/forms/questionnaires/

Qualys PCI-DSS Compliance
- PCI Council ASV certified
- Used by 65% of ASV-certified and 49% of QSA-certified companies
- Automates PCI Compliance: periodic network discovery scans; periodic external scans for vulnerabilities; complete annual Self-Assessment Questionnaire
- Generates proof of PCI Compliance & attestation to submit to acquiring banks
- Delivers full ASV service: ASV-certified quarterly reports; ASV support and insurance; false-negative priority handling

QG PCI Compliance module Introduction
- PCI DSS = Payment Card Industry Data Security Standard
- QualysGuard PCI is certified by the PCI Council with cert. number 3728-01-02
- PCI for Merchants portal GUI
- PCI for Acquiring Banks portal GUI
- QualysGuard PCI deployment fully accepted by QSAs and Card Brands
- Of 161 certified PCI QSAs, 79 use Qualys (49%)
- Of 147 certified PCI ASVs, 98 use Qualys (67%)
- 1500+ customers are testing 500,000 IPs for PCI-DSS compliance

QG PCI Compliance Workflow
Qualys provides the full ASV service:
- Network mapping & vulnerability scanning attestation
- ASV Scan Final Certification report (Executive and Technical)
- PCI Self-Assessment Questionnaire
- ASV insurance
- ASV support
QG PCI Compliance GUI
QG PCI Interactive Reporting (Web 2.0)
QG PCI - SAQ
QG PCI Compliance SAQ - Import Evidence Capability
- Users can now upload and attach evidence to support SAQ validation in multiple formats including PDF, ZIP, DOC and images
- The same evidence file can be attached to multiple questionnaires and requirements
PCI Report Templates Downloadable & Online
QualysGuard PCI - Acquiring Bank GUI
- Compliant Questionnaire and No Scan
- Consolidated view of all Merchants and their Compliance Status regardless of Qualys Partner
- Submit Date and Next Due Date available by clicking Compliance Details
- Download Questionnaire Report
- Download Report on all Merchants

Free SSL Lab Audit Service
Audits the implementation of the SSL protocol on your web site:
- Certificate Validity and Trust
- SSL Protocol version support
- Encryption Cipher Strength
- Encryption Key Exchange
- Solution description
- Risk of Attack description
Register here: http://www.ssllabs.com
Qualys Global Community
Join us at https://community.qualys.com
(Chart: Total Members, 0 to 4500, by month from July through December of the following year.)

CSO Interchange Events
Coming to a City Near You
http://www.csointerchange.org

Qualys Security Conferences 12
Las Vegas, Munich, London and Paris
http://www.qualys.com/qsc
Thank You
mskalicky@qualys.com