Automated IT-GRC, IT Risk Management, and Compliance
Measure Your Security Posture and Align Risk to Business Assets with a Comprehensive IT-GRC Solution.
Business Drivers and Challenges for IT Risk Management, Compliance and Security Measurement
The ability to measure an organization's security posture is vital to maintaining a protected network and a productive IT staff and workforce. Organizations today run a multitude of gateway and endpoint controls, vulnerability assessments and compliance processes, yet most cannot automatically collect measurement data from those sources, consolidate it into a single view of real-world risk, and communicate the resulting indicators to senior management in a consistent manner.
Without the ability to create, track and benchmark IT security metrics, organizations cannot understand the business impact of their IT risk. That blind spot can lead to business disruption, loss of sensitive information and non-compliance with both internal policies and external regulations such as PCI DSS, HIPAA, HITECH, NERC CIP, FISMA and the Red Flags Rule.
Overview
Lumension Compliance and IT Risk Management, comprising Lumension Risk Manager and Lumension Enterprise Reporting, enables organizations to measure their security and compliance posture and align IT risk with specific business assets. It streamlines and automates IT risk management workflows and consolidates security control, vulnerability assessment and business process survey data into a centralized dashboard for clear, real-time security and policy compliance trend analysis.
By providing enterprise-wide visibility of the IT environment - including technology, processes and people - and prioritizing IT risk to focus on the greatest impact to the business, Lumension enables security professionals and business executives to demonstrate compliance, protect sensitive information, minimize brand and reputation loss, and address initiatives that improve the business.
With Lumension Compliance and IT Risk Management, you can:
1. Identify: Identify the criticality of IT assets and their role in supporting key business processes, and associate IT risk with those key resources.
2. Assess: Assess your technical and procedural controls for compliance, using interfaces to Lumension and third-party tools for technical controls and Web-based surveys for non-technical (procedural) controls.
3. Remediate: Prioritize and address technical and procedural control deficiencies, and assign and track the status of remediation projects.
4. Manage: Create operational and strategic visibility into compliance and IT risk posture across the organization, spanning compliance, IT risk and control environments, with role-based and dashboard reporting.
Supported Regulations and Frameworks
Lumension Compliance and IT Risk Management enables organizations to demonstrate compliance across more than 400 regulations and best-practice frameworks through integration of the Unified Compliance Framework (UCF). Below are just a few examples of supported regulations:
Government/Public Sector Regulations
- Federal Information Security Management Act (FISMA) - US : The Federal Information Security Management Act was established to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.
- Office of Management and Budget (OMB) M-06-16 Mandate - US : OMB M-06-16 Mandate requires agencies to establish safeguards for sensitive agency data on laptops and workstations.
- Federal Desktop Core Configuration (FDCC) – US : The Federal Desktop Core Configuration provides a set of security configuration standards to which all federal agencies must adhere, as mandated by the Office of Management and Budget, and which is now part of FISMA reporting.
- 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth - US : By March 2010, Massachusetts will require businesses that collect information about that state’s residents to follow comprehensive information security requirements. The new state data security regulations apply to both in-state and out-of-state companies with operations or customers in Massachusetts.
- Nevada Data Protection Law SB 227 : The Nevada data protection law is the first state data protection law to provide a "safe harbor" for merchants who are fully PCI-compliant, and it provides further protection for organizations that use NIST-compliant encryption to protect personal information.
- Data Handling Procedures in UK Government - UK : The Data Handling Procedures in Government report (“the Report”) published in June 2008 sets out clear and mandatory procedures to be followed by all government employees that have access to and responsibility for citizen data.
- GCSX Code of Connection (CoCo) - UK : The GCSX Code of Connection is a set of IT security rules and controls that must be adhered to by local authorities across England and Wales who wish to connect to the Government Secure Extranet (GCSX). If an authority fails to meet the security requirements of the Code of Connection, its access to GCSX can be terminated. Authorities are audited annually to ensure they are compliant with the Code of Connection.
Healthcare Regulations
- Health Insurance Portability and Accountability Act (HIPAA) - US : HIPAA was established in 1996 to protect medical records by establishing transaction standards for the exchange of health information, security standards, and privacy standards for the use and disclosure of individually identifiable health information. To achieve compliance with HIPAA requirements, organizations must establish and enforce policies that safeguard the confidentiality, integrity and availability of electronic protected health information.
- Health Information Technology for Economic and Clinical Health (HITECH) Act – US : The HITECH Act of 2009 advances the electronic exchange of large amounts of health information and expands the reach of the HIPAA data privacy and security requirements to ensure the security of ePHI. Under the HITECH Act, business associates are required to comply with the HIPAA Security Rule requirements. HITECH also establishes mandatory federal security breach reporting requirements, along with expanded criminal and civil penalties for non-compliance.
Utilities Regulations
- North American Electric Reliability Corporation (NERC) – North America : The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as NERC CIP-002 through CIP-009, which are designed to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electricity systems. The NERC CIP standards and guidelines apply to all Responsible Entities (REs) within the bulk-power system, which are required to retain 12 months of auditable data, documents and records on their information security controls, and specific logs for 90 days, in order to be compliant with the CIP standards.
Financial Services Regulations
- Basel II - Global: Basel II establishes minimum capital requirements for banking organizations, including capital held against operational risk, which gives banks a direct financial incentive to measure and reduce that risk.
- Gramm-Leach-Bliley Act (GLBA) - US: GLBA seeks to protect the personal information of consumers stored in financial institutions by requiring all financial institutions to implement and maintain security measures to protect customer information and prevent unauthorized access and use of customer records.
Cross-Industry Regulations and Frameworks
- Payment Card Industry Data Security Standard (PCI DSS) - Global : PCI DSS defines a consistent set of security requirements for every organization that stores, processes or transmits cardholder data, so that cardholders can trust that their account information is protected regardless of where the card was used for payment.
- Red Flags Rule : The Red Flags Rule provision of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires businesses that extend credit to customers to watch for the warning signs ("red flags") that could signal fraudulent activity resulting from identity theft. This regulation is enforceable as of June 1, 2010.
- Sarbanes-Oxley Act (SOX) - US : SOX was developed in 2002 to protect investors by improving the accuracy and reliability of corporate disclosure.
- BS ISO/IEC 27002 Compliance - Global : The BS ISO/IEC 27002 standard provides a comprehensive set of controls comprising best practices in information security, intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small profit and non-profit organizations.
- CobiT - Global : The Control Objectives for Information and related Technology was first released in 1996 by ISACA with the goal of providing an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors. CobiT 4.1 has 34 high level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.
- Data Protection Act (DPA) - UK : The Data Protection Act was implemented in 1998 with the purpose of safeguarding the fundamental rights of individuals with regard to the processing of personal data and the free movement of such data.
Key Capabilities and Benefits
| Solution Capability | Benefit |
|---|---|
| Map Business Interests to IT Resources: define business structures, including company organization, revenue centers, key business processes and critical business information, and relate them to IT resources, including IT assets, business applications, responsible people/roles and core IT processes. | Aligns IT with Business Strategy: ensures that business strategy is always in alignment with IT resources, including servers, applications, facilities and personnel. |
| Identify and Recommend IT Control Assignments: identifies and recommends the required IT controls (technical, procedural and physical) across the IT assets needed to support internal and external regulations and control standards. | Understand Necessary Controls to Ensure Compliance: ensures that controls across people, process and technology are identified to support the specific requirements an organization must address in order to be compliant and achieve greater security. |
| Harmonize Multiple IT Controls and Compliance Requirements: leverage the UCF to map multiple regulations to the required IT controls (more than 400 regulations mapped to roughly 2,400 controls). | Streamline Compliance Efforts: harmonizes multiple internal and external compliance mandates into one framework, reducing the time, resources and costs needed to address multiple IT audits without duplicating controls. |
| Identify and Prioritize IT Risks: identify the criticality of anticipated IT risks in support of business interests and compliance requirements. Supports "what if" analysis. | Focus on What Matters Most: enables IT resources to be prioritized to mitigate the greatest amount of risk to the organization in support of critical regulatory and internal policy requirements. |
| Automate the Assessment of Technical Controls: automatically assess technical controls across a broad IT landscape and correlate these assessments for IT risk identification and prioritization, internal and external compliance, and IT control adherence. Integrates with Lumension security products as well as third-party vulnerability assessment tools. | Streamline IT Operations: reduces the time and resources required to perform technical control assessment across the organization. |
| Centralized Knowledge Repository: centralize all compliance and assessment data in a single knowledgebase for prioritization and optimization of IT risk remediation efforts. | Consolidate Assessment Data: reduces disparate data collection and streamlines IT audit processes. |
| Automated Web-based Assessment: workflow-based surveys collect, monitor and track information on procedural controls. | Reduce Time to Assess Procedural Controls: streamlines the assessment and ongoing monitoring of procedural processes and controls. |
| Prioritization of Remediation Deficiencies: identify critical remediation tasks based on risk to the organization and in support of requirements. Use Lumension's security solutions to effectively and efficiently address technical control deficiencies. Assign and track remediation activities. | Optimize IT Resources: prioritizes remediation tasks to support critical internal and external compliance requirements, and lets you monitor and track the progress of remediation activities to reduce costs and increase efficiency. |
| Supporting Evidence Documentation: attach supporting documentation and evidence to workflow-based surveys. | Limit Your Liability: provides proof of compliance for procedural controls. |
| Assign and Manage Remediation Responsibility: identify the roles and individuals responsible for remediating technical and procedural controls. | Ensure Proper Resources Address Technical and Procedural Controls: improves audit and compliance workflows by ensuring the right resources are responsible for fixing controls in support of requirements. |
| Measure and Report on Multiple Regulations: deliver measurement and reporting on numerous compliance mandates across industry, government and internal compliance requirements and best-practice frameworks. | Reduce Time to Report on Compliance: reports across multiple requirements and frameworks to provide holistic measurement across the entire organization. |
| Compliance and IT Risk Dashboard Reporting: customize and deliver top-down metrics and executive reporting across operational security, IT risk and compliance postures. | Demonstrate Compliance: provides customized dashboard reports that deliver the necessary metrics for each audience. |
| Role-Based Reporting: produce reports for diverse audiences throughout the organization, including auditors, management and IT operations. | Ensure Visibility for All Stakeholders: delivers reports that satisfy internal and external auditors and communicate security gaps to IT operations teams as well as to non-technical business stakeholders. |
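The Identify/Assess/Remediate/Manage workflow in the Overview and the "Harmonize Multiple IT Controls" capability above both rest on one idea: invert the regulation-to-control mapping so that each control is assessed once and its result is reused for every mandate that requires it, then rank the failures by how many mandates they break and how critical the affected assets are. The following is an added illustration of that logic in Python; it is not Lumension or UCF code. The regulation names are real, but the control identifiers, the mapping, the assets, their criticality scores and the assessment results are all constructed for the example.

```python
"""Constructed example: harmonized control assessment and risk-ranked
remediation. Added illustration, not Lumension or UCF code; every control
ID, mapping, asset and result below is made up for the example."""
from collections import defaultdict

# Hypothetical regulation -> required controls, in the UCF style: one
# control satisfies requirements in several mandates at once.
REGULATION_CONTROLS = {
    "PCI DSS": {"AC-01", "PATCH-01", "LOG-01", "ENC-01"},
    "HIPAA": {"AC-01", "LOG-01", "ENC-01", "TRAIN-01"},
    "SOX": {"AC-01", "LOG-01", "CHG-01"},
    "NERC CIP": {"PATCH-01", "LOG-01", "CHG-01"},
}

# Hypothetical assets: business criticality (1 = low, 5 = critical) and the
# controls that apply to each (the "Identify" step).
ASSETS = {
    "cardholder-db": {"criticality": 5, "controls": {"AC-01", "PATCH-01", "LOG-01", "ENC-01"}},
    "ehr-app": {"criticality": 4, "controls": {"AC-01", "LOG-01", "ENC-01"}},
    "build-server": {"criticality": 2, "controls": {"PATCH-01", "CHG-01"}},
}

# Constructed assessment results (the "Assess" step): True = control passed.
RESULTS = {"AC-01": True, "PATCH-01": False, "LOG-01": False,
           "ENC-01": True, "TRAIN-01": False, "CHG-01": True}


def harmonize(regulation_controls):
    """Invert the mapping: control -> set of regulations that require it."""
    by_control = defaultdict(set)
    for reg, controls in regulation_controls.items():
        for control in controls:
            by_control[control].add(reg)
    return dict(by_control)


def regulation_status(regulation_controls, results):
    """Per-regulation view for the dashboard: (fraction of required controls
    passed, sorted list of failing controls). An unassessed control counts
    as failed, so gaps in coverage show up rather than being hidden."""
    status = {}
    for reg, controls in regulation_controls.items():
        failing = sorted(c for c in controls if not results.get(c, False))
        status[reg] = (round(1 - len(failing) / len(controls), 2), failing)
    return status


def prioritize(regulation_controls, assets, results):
    """Rank failing controls (the "Remediate" step) by the number of mandates
    each one breaks times the summed criticality of the assets it protects.
    Returns [(control, mandates_affected, asset_exposure), ...] best-first."""
    by_control = harmonize(regulation_controls)
    scored = []
    for control, regs in by_control.items():
        if results.get(control, False):
            continue  # passing controls need no remediation
        exposure = sum(a["criticality"] for a in assets.values()
                       if control in a["controls"])
        scored.append((control, len(regs), exposure))
    scored.sort(key=lambda s: s[1] * s[2], reverse=True)
    return scored


def what_if(regulation_controls, results, proposed_fixes):
    """"What if" analysis: re-evaluate every regulation as though the
    proposed fixes had already been applied, without touching the
    recorded results."""
    return regulation_status(regulation_controls, {**results, **proposed_fixes})


if __name__ == "__main__":
    for reg, (score, failing) in regulation_status(REGULATION_CONTROLS, RESULTS).items():
        print(f"{reg:9s} {score:.0%} compliant, failing: {failing}")
    print("remediation order:", prioritize(REGULATION_CONTROLS, ASSETS, RESULTS))
    print("after fixing LOG-01:", what_if(REGULATION_CONTROLS, RESULTS, {"LOG-01": True}))
```

On the constructed data, LOG-01 ranks first because it is required by all four mandates and sits on the two most critical assets, while TRAIN-01 ranks last even though it fails, since no asset in the inventory depends on it. The same scoring is what lets a dashboard show that one fix (LOG-01) moves SOX to fully compliant and raises the other three mandates at once.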