Solving IT Risk and Compliance Challenges Symantec™ Control Compliance Suite. Robin Crohns. THREAT. Symantec Threat & Risk Management Group Challenge of Presenting Credible Data, Every Day. Symantec CCS Risk Manager & Protection Center. Risk Awareness. Control Compliance Suite
Solving IT Risk and Compliance Challenges: Symantec™ Control Compliance Suite
Robin Crohns

Symantec Threat & Risk Management Group
Challenge of Presenting Credible Data, Every Day
Symantec CCS Risk Manager & Protection Center
Risk Awareness: Control Compliance Suite, Endpoint Protection, Data Loss Prevention, Encryption
Technical Controls Assessment, Procedural Controls Assessment, Policy Management, Demonstrable Processes, Massive Data Volumes
Managed Security Services, DeepSight
THREAT: Insider Abuse, Commodity Malware, Coordinated Attacks (APT), Changing Landscape, Massive Data Volumes
COMPLIANCE
Stay ahead of threats; Build a sustainable program; Present in business context; Complete visibility; Focus on top priorities
Agenda
1. Managing Risk & Compliance – Key Concerns
2. Symantec Approach to IT GRC
3. Symantec Control Compliance Suite
Managing IT Risk and Compliance – Key Concerns
• Connect to business
• Build sustainable risk program
• Focus on top priorities
• Stay ahead of threats
• Comply with key mandates
Expanding from Compliance to Risk – Considerations
Risk Centric
• Internal needs & external context
• Focus on continuous improvement
• Risk-prioritized issues drive action
• More holistic solution needed for pragmatic view of business risk
Compliance Centric
• Driven by external mandates
• Focus on pass / fail checkbox
• Large volume of audit findings leads to inaction
• Can get by with tactical point solutions
Challenges that Limit this Evolution
Operating in a Silo
• Info Sec seen as “Dr No”
• Limited visibility into IT Ops
• Unable to communicate in business terms
Subjective Assessments
• Prone to error or dispute
• Limitations of one-time snapshot
• Lack of metrics for accountability
Manual Data Collection
• Manual approach less accurate
• Incomplete view
• Fail to keep up with changing environment
Symantec Has Evolved its Solution From the Bottom Up
With proven ability to process large volumes of data, we are now adding an abstraction layer.
Bottom-Up Approach (layers 1–4): Relational Database; EVIDENCE, ASSETS, CONTROLS; Native Technical Controls, Procedural Questionnaires, 3rd Party Data; Reports and Dashboards
Addressing these Challenges
1. Risk Prioritization
• Draw data-driven conclusions which are more defensible
• Prioritize issues based on business risk rather than technical severity
• Remediate highest priority risks first
2. Better Visibility
• Convey impact of IT risk in business-relevant terms
• Drive awareness, action and accountability with targeted metrics
• Eliminate silos between Security and IT Ops
3. Automation
• Automate assessment and remediation lifecycle
• Facilitate continual assessments for better data accuracy
• Enable on-demand response to issues
Swedish Global Customer
• Security Baseline Assessment for servers
• Automated Assessments of servers several times a year
• Detailed Reports with prioritized actions
• Yes, someone needs to fix the deviations...
• Moving forward...
• Continuous Vulnerability Scanning
• Define Dashboards and Reports for different stakeholders
Symantec Approach to Risk and Compliance
Stakeholders: Business / Mgmt., IT / Operations, Security / Audit
Environment: EVIDENCE, ASSETS, CONTROLS
Plan
• Define business and risk objectives
• Create policies for multiple mandates
• Map to controls and de-duplicate
Assess
• Identify deviations from technical standards
• Discover critical vulnerabilities
• Evaluate procedural controls
• Combine data from 3rd party sources
Remediate
• Risk-based prioritization
• Closed loop tracking of deficiencies
• Integration with ticketing systems
Report
• Demonstrate compliance to multiple stakeholders
• Correlate risk across business assets
• High level dashboards with drill down
Mapped Control Statements from Mandates...
...or Mandates mapped to Control Statements
And what are the technical checks that give the answer?
Drill-down Dashboards
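The three slides above describe one data model: mandates map to control statements, control statements map to the technical checks that answer them, and the same check serves several mandates (the "map to controls and de-duplicate" step). The earlier "Risk Prioritization" slide adds that failures should be ordered by business risk rather than technical severity. The block below is an added illustration of that model, not Symantec CCS code; every mandate, control statement, check, asset and evidence value in it is constructed sample data.

```python
"""Control-library mapping, mandate roll-up and business-risk ordering.

Added example with constructed data; it is not Symantec CCS code.
"""

# Mandate -> control statements it requires. The overlap (CS-02, CS-03)
# is what de-duplication exploits: assess each check once, report twice.
MANDATES = {
    "Mandate-A": {"CS-01", "CS-02", "CS-03"},
    "Mandate-B": {"CS-02", "CS-03", "CS-04"},
}
# Control statement -> technical checks that answer it.
CONTROLS = {
    "CS-01": ["fw_default_deny"],
    "CS-02": ["pw_min_len", "pw_lockout"],
    "CS-03": ["patch_age_30d"],
    "CS-04": ["audit_log_enabled"],
}
ASSET_CRITICALITY = {"db-01": 3, "web-01": 2, "dev-03": 1}  # business impact
CHECK_SEVERITY = {"fw_default_deny": 3, "pw_lockout": 2, "patch_age_30d": 2,
                  "pw_min_len": 1, "audit_log_enabled": 1}  # technical severity
# Evidence from one assessment run: (asset, check) -> passed?
EVIDENCE = {
    ("db-01", "pw_min_len"): False,
    ("db-01", "patch_age_30d"): True,
    ("web-01", "fw_default_deny"): False,
    ("web-01", "pw_lockout"): True,
    ("dev-03", "fw_default_deny"): False,
    ("dev-03", "audit_log_enabled"): False,
}


def unique_checks(mandate_names):
    """Union of the checks behind the selected mandates (each run once)."""
    checks = set()
    for mandate in mandate_names:
        for cs in MANDATES[mandate]:
            checks.update(CONTROLS[cs])
    return checks


def mandate_status(mandate, evidence):
    """Roll evidence up to each control statement of a mandate: a statement
    passes only if every check behind it passed on every assessed asset."""
    status = {}
    for cs in sorted(MANDATES[mandate]):
        results = [ok for (_, chk), ok in evidence.items() if chk in CONTROLS[cs]]
        status[cs] = "not assessed" if not results else ("pass" if all(results) else "fail")
    return status


def prioritized_failures(evidence):
    """Failed checks ordered by asset business impact first, severity second."""
    fails = [(a, c) for (a, c), ok in evidence.items() if not ok]
    return sorted(fails, key=lambda ac: (-ASSET_CRITICALITY[ac[0]], -CHECK_SEVERITY[ac[1]], ac))
```

Note that the low-severity password-length failure on db-01 is ranked first because the asset's business criticality outweighs the check's technical severity, which is the prioritization the slides argue for.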
Content Strategy – Driving Competitive Advantage (360° Content Coverage)
Security Benchmarks & Standards
• 50+ out-of-box security standards (CIS, SCAP, Symantec Security Essentials)
• Industry-best platform coverage (OS, DB, Virtual Platforms, Apps, Middleware)
• Monthly patch updates
Regulatory Content
• 100+ regulations and frameworks
• Federal & industry standards
• Major InfoSec standards (ISO, COBIT, NIST)
• Regional-specific regulations
• Mapped to common controls library
• Mapped to technical & procedural controls
Symantec Best Practices
• Sample policies for HIPAA and other regs
• Custom dashboard panels
• Custom workflow connectors
• Policy-based questionnaires
Security Awareness Content
• Focused on end users and IT Ops teams
• 15+ video-based training modules
• Ready-to-use posters and newsletters
• PCI, Privacy & HIPAA training for end users
Organizational Benefits of the Most Mature
• Controls for policy and regulatory compliance are prioritized
• Value and risks related to IT are prioritized
• Business risks related to IT are visible to senior managers
• Business value of IT is visible to senior managers
• Acceptable risks and exceptions are prioritized