Automating IT Data Collection and Compliance for GRCM Controls
Jason Creech, Qualys Director, Policy Compliance
November 14, 2012

Agenda
• Defining GRC
• IT GRCM
• Overview and Capabilities
• Limitations and Solutions
• Case Studies
• Additional Resources
• Questions

IT GRCM Core Capabilities
• IT Asset Repository
• Controls and Policy Mapping
• Policy Distribution and Attestation
• IT Control Self-Assessment and Measurement
• Automated General Computer Control (GCC) Collection
• Remediation and Exception Management
• IT Compliance Dashboards
• IT Risk Evaluation

IT GRCM Offerings
• Asset Management
  • IT Asset Repository
• Policy Management
  • Policy Distribution and Attestation
  • Control and Policy Mapping
• Compliance Management
  • IT Control Self-Assessment and Measurement
  • Automated General Computer Control (GCC) Collection
  • Remediation and Exception Management
  • IT Compliance Dashboards
• Threat Management
  • Vulnerabilities
  • Remediation and Exception Management
• Risk Management
  • IT Risk Evaluation

IT GRCM Current Limitations
• IT Asset Repository
  • Static Asset Repository
  • Limited Scalability
• Controls and Policy Mapping
  • No Detailed Device Configurations
• IT Control Self-Assessment and Measurement
  • Manually Assess All Controls
  • Limited Scalability for Device Configurations
• Automated General Computer Control (GCC) Collection
  • Lacks Native Capabilities
  • Limited Correlation of External Results
IT Asset Repository
(Slide graphic: a large number of Server icons and a single Asset icon, illustrating the scale of the repository.)

Controls and Policy Mapping
• Configuration Item: Password settings: Minimum password age in days.
• Configuration Method (CCE identifiers for the same setting on different platforms):
  • CCE-3240-9
  • CCE-4180-6
  • …
  • CCE-5664-8
  • CCE-6078-0

IT Control Self Assessment and Measurement
84* x 1 = 84 Questions
78* x 1,000 = 78,000 Questions
43* x 1 = 43 Questions
_________________
78,127 Questions
* NIST Special Publication 800-53, Revision 3, August 2009
Case Study 1: Challenges
• Global Manufacturer of Mobile Devices and Telecom Equipment
• 20,000 Assets
• Manual assessment impossible
• Lacking technical configuration mapping
• Wanted to correlate security and compliance

Case Study 1: Solution
• Asset Management
• Policy Management
• Threat Management
• Risk Management
• Compliance Management
(Slide graphic: Security Vulnerability and Configuration Compliance results correlated per asset, with Vulnerabilities: High, Mis-Configurations: High, Control Deficiencies: High.)

Case Study 2: Challenges
• Global Financial Services Company
• Static Asset Repository
• CMDB integration into GRC
• Unable to detect rogue devices
• 10,000 Assets
• Manual assessment impossible
• Over 2.5M configurations to validate
• Lacking technical configuration mapping

Case Study 2: Solution
(Slide flowchart: Discovered Assets are checked against Asset Management (from CMDB). "Asset Exist?" No -> Identify Owner. Yes -> Scan, feeding Policy Management, Risk Management and Compliance Management, with Configuration Compliance results: Mis-Configurations: High, Control Deficiencies: High.)
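The Case Study 2 flow (discovered asset known in the CMDB goes to scan, unknown asset goes to owner identification) as an added example, not code from the deck or from Qualys; asset records, matching keys and the sample data are assumptions, and it also reports CMDB entries the scanner never saw, which the flowchart does not show.

```python
# Added example: reconcile scanner-discovered assets against a CMDB export.
# Known asset  -> scan queue       ("Asset Exist? Yes -> Scan")
# Unknown asset -> rogue list      ("Asset Exist? No  -> Identify Owner")
# CMDB record never discovered -> stale list (extra check, not in the slide)
from dataclasses import dataclass
import ipaddress

@dataclass
class Asset:
    hostname: str
    ip: str
    mac: str = ""

def match_keys(a: Asset) -> set:
    """Normalised keys an asset can be matched on: short hostname, IP, MAC."""
    keys = set()
    if a.hostname:
        keys.add("host:" + a.hostname.strip().lower().split(".")[0])
    if a.ip:
        try:
            keys.add("ip:" + str(ipaddress.ip_address(a.ip.strip())))
        except ValueError:
            pass  # malformed address in the record: do not match on it
    if a.mac:
        keys.add("mac:" + a.mac.strip().lower().replace("-", ":"))
    return keys

def reconcile(discovered, cmdb):
    """Return (scan_queue, rogue, stale) as lists of Asset records."""
    index = {}
    for i, rec in enumerate(cmdb):
        for k in match_keys(rec):
            index.setdefault(k, i)       # first CMDB record wins on a key
    scan_queue, rogue, seen = [], [], set()
    for d in discovered:
        hit = next((index[k] for k in match_keys(d) if k in index), None)
        if hit is None:
            rogue.append(d)              # not in CMDB: identify owner
        else:
            scan_queue.append(d)         # in CMDB: scan its configuration
            seen.add(hit)
    stale = [rec for i, rec in enumerate(cmdb) if i not in seen]
    return scan_queue, rogue, stale

# Constructed sample data (hypothetical hosts and addresses)
CMDB = [Asset("WEB01.corp.example", "10.0.0.5", "00-1A-2B-3C-4D-5E"),
        Asset("db01", "10.0.0.9"),
        Asset("old-app", "10.0.0.77")]
DISCOVERED = [Asset("web01", "10.0.0.5"),
              Asset("", "10.0.0.9"),
              Asset("printer-3f", "10.0.0.200", "aa:bb:cc:dd:ee:ff")]
```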
Summary/Benefits
• Dynamic Asset Repository
  • Verifies CMDB
  • Identifies Rogue Assets/Asset Owners
• Policy and Control Mapping
  • Correlates Detailed Configuration Data
• Automated Configuration Collection
  • Eliminates Manual Questionnaires
  • Correlates Security and Compliance Data

Additional Resources
• Automating IT Data Collection and Compliance for GRCM Controls: https://community.qualys.com/docs/DOC-2152
• IT Policy Compliance for Dummies: http://www.qualys.com/forms/ebook/itpcfordummies/
• Bridging the Gap Between IT and the Business Using IT GRC: http://www.corp-integrity.com/wp-content/uploads/2010/12/BRIDGING-THE-GAP-BETWEEN-IT-AND-BUSINESS-USING-IT-GRC-v3.pdf
• Topic Overview: Governance, Risk, and Compliance: http://www.forrester.com/rb/Research/topic_overview_governance%2C_risk%2C_and_compliance/q/id/39611/t/2?action=5