Lumension® Risk Manager


Lumension Risk Manager automates IT risk management and compliance workflows and provides enterprise-wide visibility to ensure effective measurement of your security posture.

IT Risk Management and Assessment: Business Issues & Challenges

Most organizations have implemented a variety of operational and security controls to address today’s dynamic threats, but they lack the means to assimilate security data from multiple sources and continuously measure their security posture. Enterprise-wide visibility of IT risk posed by applications, devices, business processes, and users engaging with data is vital to ensuring continuous protection of critical business systems and information.

The ability to manage IT risk across the organization has traditionally been challenging, due to the inability to correlate data across disparate security products in the environment. Another challenge is the inability to identify, prioritize and communicate key IT risk and security metrics to senior management and line-of-business executives in a consistent and straightforward manner.

The failure to understand and communicate the business impact of IT risk across the organization can lead to business disruption, loss of sensitive information and non-compliance with both internal policies and external regulations. By aligning IT risk with business decision-making, IT and business leaders can effectively reduce business risk, minimize brand and reputation loss, and address initiatives that improve the business.

Overview

Lumension Risk Manager, a component of the Lumension Compliance and IT Risk Management solution, enables IT security professionals and business leaders to collaborate in the effective creation and measurement of IT risk to protect critical business systems and information and to ensure continuous compliance with internal policies and external mandates.

Lumension Risk Manager provides comprehensive, real-time trending views across the organization to display continuous measurement of your security posture through the following capabilities:

  • Measuring Security Posture: Lumension Risk Manager consolidates IT risk information from multiple sources, such as third-party vulnerability scans and antivirus solutions, and correlates this assessment data across all of the IT assets in the organization, providing trending analysis and security posture scores at any time.
  • Identifying and Prioritizing IT Risk: Easily model the relationship between your IT assets and business processes to identify IT-borne business risk. Lumension Risk Manager categorizes areas of IT risk into technology, people and processes, and then develops a powerful risk profile through its patent-pending risk intelligence engine. The risk profile information is automatically correlated with internal policy and external compliance requirements and suggests mitigating IT controls to address critical risk to the business.
  • Streamlining Controls and Assessment: Leveraging the industry-standard Unified Compliance Framework (UCF), Lumension Risk Manager harmonizes controls across hundreds of different regulations including PCI DSS, HITECH, HIPAA, SOX, FISMA, NERC, CobiT, NIST, ISO frameworks, and many more, along with internal policy controls. This means that no control is ever duplicated in your assessments and the structure and language of each control follows the same predictable format. Lumension Risk Manager also enables you to streamline and automate the workflow for assessing technical, physical and procedural controls by interfacing with either Lumension security solutions or third-party point products such as vulnerability scanners. Automated surveys complete your assessment of physical and procedural controls.
  • Demonstrating Compliance: Generate reports to highlight compliance with both internal policies as well as with external regulations such as PCI DSS, HIPAA, HITECH, FISMA, and more. Lumension Risk Manager enables you to continuously demonstrate compliance with key metrics to satisfy a diverse IT risk and compliance audience through compliance and IT risk reporting, operational security reporting and remediation modeling and forecasting. Create “what-if” scenarios to better estimate how a project or remediation effort will improve your IT risk and compliance posture. Assign and track remediation projects to measure and reflect improvement in compliance and IT risk metrics.
  • Reducing IT Security and Compliance Time and Expense: In a challenging economic climate, reducing cost is always top of mind for CISOs. By streamlining visibility, measurement and IT risk management workflows, Lumension Risk Manager enables organizations to reduce the time and cost of audit preparation and of reporting on their compliance and security posture.

Features & Benefits


Key Product Features and their Benefits

IT Risk Profiling
These features model the relationship between IT assets and business interests to identify IT-borne business risk.

  • Feature: IT Asset Catalog with Comprehensive Resource Types. The IT asset repository includes all resource types, including applications, databases, servers, networks, data centers, people, and processes.
    Benefit: Ensure Comprehensive Visibility of IT Risk Exposure. Security breaches can occur through many different avenues (servers, applications, data centers, endpoints, stolen or lost USB drives, etc.). By cataloging all of these asset types, you gain visibility into all of the areas of potential IT risk exposure.
  • Feature: Business Interest Mapping. Create a catalog of key information and processes unique to your business that need to be protected from IT risk. Business interests are mapped to assets and risk scenarios to provide a business risk context for IT resources.
    Benefit: Correlate IT Risk to Business Impact. Ensures risk-based analysis of your IT posture to provide valuable insight into prioritizing the security control gaps that should be addressed.
  • Feature: Business Impact Analysis through Stakeholder Surveys. Use stakeholder surveys to determine the business impact of a risk scenario that compromises the confidentiality, integrity, or availability of a business interest.
    Benefit: Automate Survey Workflow. Provides an automated, effective means for identifying, capturing and incorporating business stakeholder input into the risk analysis process.
  • Feature: Risk Profile Surveys. Use automated surveys to allow system owners to set risk profile attributes for assets.
    Benefit: Automate Previously Manual Tasks. Provides an efficient manner for obtaining system owner input into the risk analysis process.
  • Feature: Reasonably Anticipated Risks. Automatically enumerate all of the reasonably anticipated risks that should be mitigated for each asset.
    Benefit: Effective Communication of IT Risks to a Business Audience. Natural-language IT risk statements enable the security team to clearly communicate IT risks to non-technical audiences.
  • Feature: Dynamic Groups. Define asset groups with attribute-based criteria. Membership in a group is determined dynamically based on whether an asset’s risk profile matches the group’s criteria.
    Benefit: Improve Visibility into the IT Environment. Provides flexibility and efficiency in metrics and reporting.
  • Feature: Patent-Pending Risk Intelligence Engine. Analyzes each asset’s risk profile to automatically identify:
      • Risks the asset is exposed to
      • Required compliance mandates
      • Controls that must be implemented to both satisfy compliance and mitigate risk
    Benefit: Optimize IT Resources. Automatic risk profile analysis saves time over manual risk analysis practices. The intelligence-based approach eliminates the need for highly skilled security experts to spend time performing manual risk analysis.

IT Controls Framework
Harmonizes control requirements for compliance mandates and risk mitigation.

  • Feature: Controls Framework. The controls framework includes technical, procedural, and physical controls.
    Benefit: Comprehensive Controls. Risk and security cover more than just the technical controls you assess. Lumension Risk Manager’s comprehensive controls model ensures end-to-end visibility of all control activities needed to ensure protection of information.
  • Feature: Unified Compliance Framework (UCF). Network Frontiers’ industry-vetted, harmonized mapping of unique controls to compliance regulations is developed and maintained in collaboration with industry experts, legal advisors, and standards-setting bodies across global regulations.
    Benefit: Support Multiple Compliance Mandates. Automatically harmonizes IT control frameworks with industry regulation requirements to ensure that controls are reasonable and sufficient to satisfy multiple compliance mandates.
  • Feature: Control Harmonization. Common controls (e.g. “Strong Passwords”) are normalized into a single control, which is cross-referenced to all standards and regulations that call for the requirement.
    Benefit: Assess Once, Comply with Many. Eliminates the overlapping control requirements that result from multiple standards and regulatory requirements.
  • Feature: Compliance Library. Over 400 regulations and standards documents are included, with full cross-references to supporting IT controls.
    Benefit: Optimize Compliance Workflows. Immediately understand the controls that must be implemented on subjects and avoid time spent performing custom cross-walks across multiple requirements documents.
  • Feature: Internal Compliance and Security Policy / Control Mapping. Import internal compliance and security policies and cross-reference them to the harmonized controls framework.
    Benefit: Prove Compliance with Internal Policies. Demonstrates compliance with internal policies through a common assessment process.
  • Feature: Controls Linked to Risk Mitigation. Controls are automatically linked to the risk scenarios they help prevent, detect, or correct.
    Benefit: Quickly Mitigate IT Risk. Demonstrates how IT controls can mitigate actual business IT risk.

IT Controls Assessment
Automated assessment of technical, physical and procedural controls.

  • Feature: Workflow for Assessing Physical and Procedural Controls. The automated risk assessment workflow provides structure around the process of collecting scores and evidence for physical and procedural controls.
    Benefit: Streamline IT Risk Management Workflow. Saves time by organizing the data collection efforts associated with scoring physical and procedural controls into a single view.
  • Feature: Automated Self-Assessment Surveys. Send multiple-choice surveys to system owners to receive up-to-date control implementation status. Once approved, survey responses automatically update scores.
    Benefit: Automate Previously Manual Tasks. Saves time over in-person interviews and manual data collection methods.
  • Feature: Survey Delegation. Survey recipients can delegate surveys to other team members as needed.
    Benefit: Ensure Effective Survey Workflow. Ensures that survey questions are routed to the appropriate person to answer them, without extensive up-front org-chart discovery by the security team.
  • Feature: Control Score Aging. Configurable timers track the age of every control score to determine when controls need to be re-assessed.
    Benefit: Ensure Current Assessment Information. Automatically detects when score information has expired and needs to be updated, keeping compliance and risk metrics up to date.
  • Feature: Interfaces to Security Point Products. Built-in connectors to Lumension security solutions and other third-party vulnerability scanning tools, with field-configurable connectivity via SQL and automated import and processing of XML and flat-file data, enable you to synthesize detailed data from disparate security tools.
    Benefit: Automate Vulnerability and Configuration Assessment. Saves time by eliminating the need to manually parse technical security reports to update high-level risk and compliance control scores, giving you a single place to access both roll-up and drill-down reports about your security posture.
  • Feature: Attachments for Evidence Collection. Attachments on control scores provide evidence for the asserted score. Attachments can be files or URLs (for example, a URL to an internal document repository containing policies).
    Benefit: Simplified Management. Provides a convenient way to manage the myriad evidence artifacts required to demonstrate the validity of self-assessment scores.
  • Feature: Accountability for IT Risk Scores. Every score record contains the UserID of the user who made the change.
    Benefit: Ensure Audit Accountability. Provides accountability for score information.
  • Feature: Exception Management. Exception management includes exception requests, approval or rejection, expiration and notification.
    Benefit: Enhance Compliance and IT Risk Management. Provides the flexibility to mark certain scores as “exempt” for a fixed period of time so that the exception state is visible but not counted in compliance and IT risk calculations.
  • Feature: Control Scoring History. All historical control scores are automatically archived.
    Benefit: Proof of Compliance. Ensures that historical scoring information is available when needed.
  • Feature: Custom Control Score Status Indicator. Score items within the assessment workflow can be flagged to indicate status.
    Benefit: Rapid Evaluation of Control Scores. Flagging score status allows quick triage of scores that require follow-up.
  • Feature: Auditor Self-Service Scoring Panel. The direct score entry panel is optimized for rapid scoring and data entry of assessment test results.
    Benefit: Optimize Audit Results Documentation. Allows auditors and security analysts to quickly document the results of their security testing activities.
  • Feature: Approval-Based Workflow. Scores entered from self-assessment surveys and the auditor self-service panel can be reviewed and approved prior to committing them to the permanent scoring record.
    Benefit: Ensure Accuracy of Scoring Information. Provides an opportunity for internal quality assurance on scoring information and ensures that incorrect survey responses don’t affect trend data or scoring history.

Risk and Compliance Reporting
Generate reports and metrics to satisfy a diverse risk and compliance audience.

  • Feature: Compliance Reporting. Compliance reports demonstrate the section-by-section status of your compliance with industry regulations, compliance mandates, and your own security policy.
    Benefit: Deliver Comprehensive Reports. Provides detailed reports to satisfy internal and external auditors.
  • Feature: IT Risk Reporting. IT risk reports catalog security gaps and how they could affect key business interests.
    Benefit: Measure IT Risk to Business Impact. Enables the communication of security gaps in a way that is easily understood by non-technical business stakeholders.
  • Feature: Operational Security Reporting. Operational security reports provide detailed security gap information for departments within IT operations.
    Benefit: Deliver Metrics for Rapid Security Enforcement. Enables the communication of security gaps to IT operations teams and sets specific expectations on remediation.
  • Feature: Risk and Compliance Index. Distills mountains of security gap analysis information into risk and compliance index scores.
    Benefit: Improve Internal Communication Regarding IT Risk and Compliance. Provides simple metrics that communicate your overall security, risk, and compliance posture.
  • Feature: Trending Analysis. Metrics on compliance, IT risk, and operational security are trended on a daily basis.
    Benefit: Quickly Determine Trends. Demonstrates trends of security, risk, and compliance program improvement over time.
  • Feature: Key Performance Indicators. Track the aggregate score for a user-defined subset of controls and subjects against a target value.
    Benefit: Focus on Metrics Vital to Your Business. Enables you to keep a watchful eye on specific areas of interest with a simplified report-card view of your security posture.
  • Feature: Customizable Dashboard Views. Combine existing dashboard widgets into a personalized custom view.
    Benefit: Highlight Metrics that You Need to See. Allows individual users, such as executives, business owners, system owners, external auditors, and security professionals, to easily view the key metrics that are important to them.
  • Feature: Consolidated Findings Analysis. Employ the heuristics engine to analyze control scores and discover patterns, such as a certain group of subjects that contributes disproportionately to a poor compliance score, or a certain type of control that fails across a broad array of subjects.
    Benefit: Ensure Rapid Remediation for High Priorities. Allows you to quickly spot patterns in scoring information so that you can identify high-value remediation efforts.
  • Feature: Remediation Tracking to Improve Security Control Deficiencies. Provides assignment and status tracking of remediation projects. Projects can be tracked according to ownership and deadlines. Upon completion of a project, scores can be automatically updated.
    Benefit: Highlight Improvements in Security Posture. Enables you to prioritize resources toward remediation activities that will have the greatest impact on the business and reflect improvement in your security and IT risk metrics.
  • Feature: Remediation Modeling and Forecasting. Create "what-if" project scenarios to see how a project or remediation effort will improve your risk and compliance metrics, and so optimize IT resources.
    Benefit: Improve Operational Efficiencies. Enables the prioritization of IT resources and remediation efforts based on their impact on metrics, and allows you to compare remediation projects by cost and time estimates across all controls.
  • Feature: Automated E-mail Notifications. Alerts are configurable for specific users or groups and provide notification of key conditions and state changes within your security posture.
    Benefit: Improve Visibility on Changes. Ensures that users are aware of security policy changes and that security administrators are notified of security posture changes, such as a server that is failing a critical control or an application that is overdue for assessment.
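As an added illustration (not Lumension's code), the following Python sketch shows how three of the scoring rules described above combine: control score aging (a configurable timer flags stale scores), exception management (an approved exemption stays visible but is excluded from the index), and "what-if" remediation forecasting over a scoring record that carries the recording user's ID. The record layout, the 90-day timer, the sample data and the rule that an expired score counts as 0 until re-assessed are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class ControlScore:
    subject: str                         # asset or subject the control was assessed on
    control: str                         # harmonized control name (e.g. "Strong Passwords")
    score: float                         # 0.0 (not implemented) .. 1.0 (fully implemented)
    assessed_on: date                    # date the score was recorded
    user_id: str                         # who recorded it (audit accountability)
    exempt_until: Optional[date] = None  # approved exception, if any

def is_exempt(s: ControlScore, today: date) -> bool:
    """Exception management: an approved exception is visible but not counted."""
    return s.exempt_until is not None and today <= s.exempt_until

def is_expired(s: ControlScore, today: date, max_age_days: int) -> bool:
    """Score aging: a score older than the configured timer must be re-assessed."""
    return (today - s.assessed_on).days > max_age_days

def compliance_index(scores, today, max_age_days=90):
    """Return (index percent, scores needing re-assessment, exempt scores).
    Assumption: an expired score counts as 0 until it is re-assessed."""
    counted, stale, exempt = [], [], []
    for s in scores:
        if is_exempt(s, today):
            exempt.append(s)
        elif is_expired(s, today, max_age_days):
            stale.append(s)
            counted.append(0.0)
        else:
            counted.append(s.score)
    index = round(100 * sum(counted) / len(counted), 1) if counted else 0.0
    return index, stale, exempt

def forecast(scores, project, today, max_age_days=90):
    """What-if remediation: project maps (subject, control) -> new score, applied
    as a fresh assessment dated today without touching the permanent record."""
    modelled = [replace(s, score=project[(s.subject, s.control)], assessed_on=today)
                if (s.subject, s.control) in project else s for s in scores]
    return compliance_index(modelled, today, max_age_days)[0]

# Constructed sample scoring record (illustrative, not real data)
TODAY = date(2010, 6, 1)
SCORES = [
    ControlScore("srv-01", "Strong Passwords", 1.0, date(2010, 5, 15), "alice"),
    ControlScore("srv-01", "Patch Management", 0.5, date(2010, 1, 10), "bob"),
    ControlScore("db-02", "Encryption at Rest", 0.0, date(2010, 5, 20), "carol",
                 exempt_until=date(2010, 8, 31)),
    ControlScore("db-02", "Strong Passwords", 0.75, date(2010, 4, 1), "alice"),
]

if __name__ == "__main__":
    index, stale, exempt = compliance_index(SCORES, TODAY)
    print(index, [s.control for s in stale], [s.control for s in exempt])
    print(forecast(SCORES, {("srv-01", "Patch Management"): 1.0}, TODAY))
```

With the sample record the stale Patch Management score drags the index to 58.3%, the exempt Encryption at Rest score is listed but not counted, and modelling a patching project for srv-01 forecasts 91.7%.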

Requirements

Hardware
  • Dedicated server
  • Dual-core processor preferred; a single-core processor is suitable
  • 2 GB RAM
  • 50 GB of available disk space
  • 7200 RPM drive and/or RAID configuration preferred
  • A single 100 Mbps network connection (with access to the Internet)
Operating System
  • Microsoft Windows Server 2003 / 2005 / 2008
SQL Server
  • Microsoft SQL Server 2005/2008 – can be installed locally or on a remote database server.
  • Microsoft SQL Server 2005 Express Edition
Internet Browser
  • Firefox 3 or higher
  • Microsoft Internet Explorer 7 or higher
  • Safari 3 or higher