Enabling Successful IT GRC
Paul Kastner
Director, Industry Solutions, Asia Pacific & Japan
21 October 2008
Agenda
• IT GRC Issues
• A sound approach
• Automation is key
• Growing Importance of GRC
GRC challenges
The Financial Crisis: Driving Big Changes to Business
• Regulatory and government response will not be limited to FSIs
• Extreme regulatory scrutiny and rapidly enacted regulations
• Increased investor disclosure
• Increasingly activist shareholders
• Government ownership stakes, consequently tougher oversight
• Financial system regulator and regulatory changes
• Renewed focus on governance and risk management
• Changing accounting rules and faster convergence on IAS
• Risks will be tightly managed
• Risk management will be underpinned by stronger governance
GRC defined
GRC is about supporting and enabling good business practices by adhering to external rules and sound internal policies, and… being able to prove it.

Good corporate GRC will be a rallying cry for investors and regulators
• Transparency in finance and operations
• Compliance with regulations
• Well-managed risk
• Effective executive, board, and auditor oversight
• Clearly articulated and well-executed business plans and strategies
Internal and external auditors will be asked to assure GRC at a deeper and more granular level than before
IT GRC underpins the enterprise objectives
• IT GRC:
– Governs investment and alignment of IT strategies and resources
– Manages risks associated with introduction, use, and disposition of IT resources
– Manages compliance with company policy, regulatory, and legal requirements
• Good IT GRC delivers:
– Greater business value from IT strategy, investment and alignment
– Significantly reduced business and financial risk from the use of IT
Example of IT Governance, Risk, & Compliance
• Business Objective: Reduce operational costs - utilize BPO provider
• IT Risk: Loss of data by provider
• IT Governance: Defines policies and control objectives for provider
• IT Compliance: Company must demonstrate provider controls are effective
Evolving IT GRC
(Diagram: Network Security → Security & Vulnerability → IT Security, and in parallel Regulatory Compliance → IT Compliance, converging in IT Governance, Risk, & Compliance.)
Managing risks to the business
• Business Risk
– Other Risks: market risk, credit risk, interest rate risk, liquidity risk
– Operational Risks
• Non-IT Risks: business process, people and talent, environment, physical infrastructure
• IT Risks
Ensuring Public Trust and Security
Proactively managing IT risk is getting both harder and more critical. The diagram maps four IT risk areas, spanning information, interactions and infrastructure, to their drivers:
• Security: keep bad things out, keep important things in (internal & external threats)
• Availability: keep systems running, ensure rapid recovery (natural disasters & system outages)
• Performance: optimise resources (poor IT service levels)
• Compliance: ensure adequate controls, automate evidence collection (external regulations & internal governance)
Practicing good IT GRC isn’t easy
• Complex IT security infrastructure
– Evolving threats – phishing, data leakage
– Proliferation of security technologies
• Poor visibility into compliance posture
– Regulatory & corporate governance pressures to demonstrate due care – incident response, information retention
– Lack of reporting & metrics
• Resource constraints
– Security budgets not increasing
– Lack of skilled security analysts
The questions this raises:
• How do we keep up with the latest threats & identify the most critical ones?
• How do we demonstrate the effectiveness of our security controls?
• Are we compliant with regulations, internal policies, contractual obligations?
• How do we secure our environment with limited resources?

Key questions for IT executives
• Risk Management: How do I protect my critical business information?
• Compliance Management: How do I demonstrate due care?
• IT Operational Efficiency: How do I best leverage my people?
IT Compliance: challenges & implications
Budget Constraints (people / $$$)
• Manual processes don’t scale
• Homegrown tools, e.g. Excel spreadsheets
• Point tools = integration cost, fragility
• Budgets flat or declining
+ Audit Requirements
• Increased frequency of audits
• More policies, standards
• Better visibility and data confidence
= Result
• Budget can’t meet demand
• Inefficient use of scarce resources
IT compliance needs to be managed from end-to-end
Regulations: SOX, HIPAA, Privacy, FISMA, Basel II
Frameworks: COSO, COBIT, ISO27001, NIST
Standards: Internal policies, PCI-DSS, CIS, NIST, NSA
Define: IT policies derived from the regulations, frameworks and standards
Control: Operating Systems, Databases, Applications, Directories, People
Sustain: Measure, Record, Remediate, Report
First understand the requirements and then define and publish the policies
What policies are needed to comply with regulations?
• Understand mandate requirements
• Understand best practices
Are they in place?
• Identify gaps and create new policies or replace old ones
• Map policies to regulations and frameworks
How to ensure employees understand policies?
• Approval and versioning of policies
• Automatic dissemination
Automate policy distribution and management
(Diagram: policies such as the Malware Policy, Endpoint Policy, Data Protection Policy and Incident Response Policy are defined, mapped to NIST, PCI, COBIT, SOX, ISO, Privacy and FISMA, and distributed to end users.)
End User Action:
1. Accept
2. Deny
3. Ask for clarifications
4. Ask for exceptions
Link policies with detailed IT controls
(Diagram: corporate policies are mapped to regulations and to the technical and procedural controls that implement them.)
Regulations: PCI, Privacy, Corporate Governance, Other Regulation
Corporate Policies: Malware, Access Control, Acceptable Use, etc.
Technical Controls
• Platform Hardening: security best practices, remediation
• Access & Entitlement: DB\Group\File permission, classify & assign owners, approval workflow
• Vulnerability Mgmt: non-credentialed checks, credentialed checks, patch mgmt
• End Point Controls: network access config, anti-virus config
• Business Continuity: backup configurations, archival configurations
• Third Party Controls
• And much, much more…
Procedural Controls
• Manual Attestation: self survey capability
• Acceptance Tracking: policy acceptance, exception mgmt
Implement automated evidence gathering, enforcement, and reporting
(Diagram: the Malware, Endpoint, Data Protection and Incident Response policies pass through Define, Map (to NIST, PCI, COBIT, SOX, ISO, Privacy, FISMA), Distribute, Enforce, Prove and Report; evidence is gathered from four control layers.)
• Procedural: non-programmatic attestation of controls
• Operational: vulnerability, patch, configuration, permissions
• Data and Applications: archive, backup, virus, data loss
• Infrastructure
Close the loop with continuous update and improvement
• Create ability to proactively manage continuous changes
– New business needs
– Technology changes
– New external and internal threats
– New regulations and enterprise governance requirements
• Provide ongoing audits and compliance checks
Automation of IT Compliance process is the key to successful IT GRC
• Integrated policy definition and reporting
• Automate linkage of frameworks (e.g. ISO 27001) with policies and detailed IT controls
• Automated audit preparation
• Automated and continuous scanning and monitoring of violations
• Automated reporting on non-compliance
• Dashboards to provide immediate status
• Automated enforcement
• Repeatable and sustainable process
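The linkage of frameworks to policies to detailed controls, and the risk-weighted reporting on non-compliance and exceptions that the deck describes here and in the earlier "Link policies with detailed IT controls" slide, as an added illustration (not Symantec CCS code); control ids, assets, check results and exceptions are constructed for the example.

```python
from dataclasses import dataclass
# Constructed model of the regulation -> policy -> control -> evidence chain the
# deck describes. Added illustration, not Symantec CCS code: control ids, assets,
# check results and exceptions are made up.

@dataclass(frozen=True)
class Control:
    cid: str
    policy: str
    regulations: frozenset
    kind: str         # "technical" (scanned) or "procedural" (attested)
    risk_weight: int  # 1 (low) .. 5 (high), drives risk-weighted reporting

CONTROLS = [
    Control("AV-01", "Malware Policy", frozenset({"PCI-DSS", "ISO27001"}), "technical", 4),
    Control("PATCH-02", "Endpoint Policy", frozenset({"PCI-DSS", "SOX"}), "technical", 5),
    Control("PERM-03", "Data Protection Policy", frozenset({"SOX", "Privacy"}), "technical", 3),
    Control("IR-04", "Incident Response Policy", frozenset({"PCI-DSS", "Privacy"}), "procedural", 2),
    Control("BCP-05", "Incident Response Policy", frozenset({"ISO27001"}), "procedural", 3),
]
BY_ID = {c.cid: c for c in CONTROLS}
# Latest evidence per (asset, control): True = scan check or attestation passed.
EVIDENCE = {
    ("web01", "AV-01"): True, ("web01", "PATCH-02"): False, ("web01", "PERM-03"): True,
    ("db01", "AV-01"): True, ("db01", "PATCH-02"): True, ("db01", "PERM-03"): False,
    ("db01", "IR-04"): True,
}
# Approved exceptions: the failure is tracked as accepted risk, not as a deficiency.
EXCEPTIONS = {("web01", "PATCH-02")}

def deficiencies(evidence=EVIDENCE, exceptions=EXCEPTIONS):
    """Failed checks with no approved exception, highest risk weight first."""
    failed = [key for key, ok in evidence.items() if not ok and key not in exceptions]
    return sorted(failed, key=lambda key: -BY_ID[key[1]].risk_weight)

def regulation_coverage(regulation, evidence=EVIDENCE):
    """Risk-weighted share of passed evidence for controls mapped to a regulation.
    An excepted failure still counts as not passed (accepted risk is not proof of an
    effective control). Returns None when nothing mapped has been assessed."""
    passed = total = 0
    for (_asset, cid), ok in evidence.items():
        if regulation in BY_ID[cid].regulations:
            total += BY_ID[cid].risk_weight
            passed += BY_ID[cid].risk_weight if ok else 0
    return passed / total if total else None

def unassessed_controls(regulation, evidence=EVIDENCE):
    """Mapped controls with no evidence: gaps that do not lower the pass rate."""
    assessed = {cid for _asset, cid in evidence}
    return [c.cid for c in CONTROLS if regulation in c.regulations and c.cid not in assessed]
```

With the constructed data, PCI-DSS scores 0.75 while ISO27001 scores 1.0 yet still has an unassessed control, which is why a dashboard should show coverage gaps beside the pass rate.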
IT Compliance automation reduces risk and cost
Automation reduces compliance spend… (Chart: relative spend on regulatory compliance, 1.0 down to 0.0, against compliance maturity level 0 to 5, least mature to most mature; the most mature organizations spend 52-62% less.)
Assessing more controls, more often, reduces risk… (Chart: annual data losses and deficiencies, 0 to 250, against days between control assessments, 12 or more, 3 to 6, 2 or less, and the number of procedural and technical controls, least mature to most mature.)
Source: IT Policy Compliance Group
Asia Banker Summit, Hanoi, Vietnam, March 2008
© 2006 Symantec Corporation. All rights reserved.
Paul Kastner
+61 416 977 867
Control Compliance Suite (Version 9.0): Comprehensive Security & Compliance Solution
Sachin Sohani
Symantec IT Compliance

Agenda
1. Introduction
2. Challenges, Maturity and Success
3. Symantec Offering
Operational Challenges
Cost, complexity, governance, risk and skill gaps:
• Failure to remain compliant can increase business liability or involve criminal penalties
• Different geographies and divisions have different compliance needs
• Compliance errors have gigantic impacts
• Finding and retaining compliance expertise
• Compliance as overhead versus IT enabling innovation
• Compliance requirements vague
• Different parts of the enterprise have different mandates
• Evolving requirements impact cost management
• Redundant controls
• Manual processes
Compliance Maturity Level
• Phase 1, Reactive: one-off implementations
• Phase 2, Proactive: coordinated implementations
• Phase 3, Automated: processes & integrated compliance
“Businesses are adopting a three-phase strategy for investing in IT support for compliance activities” - Gartner
Key to Success – Frequent Auditing
Success Factors               | Leaders (10%) | The Rest (90%)
Freq of internal audits       | 21 days       | 8 months
IT time on compliance         | 33%           | 24%
IT budget on security         | 10.4%         | 7.0%
# of overall deficiencies     | 20            | 40
# of significant deficiencies | 2             | 13
MORE FREQUENT AUDITING TRANSLATES INTO BETTER SECURITY AND COMPLIANCE RESULTS
Leaders are ~6x better because they do more audits…
…But they spend ~50% more because they lack automation
Source: ITpolicycompliance.com
Explicit Needs
1. Controls (Threats & Risk Assessment)
2. Frameworks & Standards
3. Developing Policies, Plans, Procedures
4. Effective Access Rights assessment
5. Remediation from compliance deficiency
6. High cost of manual assessment
7. SOE Assessment
8. More…

How Control Compliance Suite Works
Symantec Control Compliance Suite: A Unified Solution
(Diagram: written policy and controls flow through Create, Map, Publish, Assess and Fix, scoped by risk level, with exceptions tracked.)
Written Policy
• Corporate Policies: info security, access control, termination
• Mapped to: PCI, SOX, Basel II, NIST, COBIT, ISO
Technical Controls
• Configurations: security best practices, remediation
• Vulnerabilities: non-credentialed checks, credentialed checks, patch mgmt
• Entitlements review: group\file permission, classify & assign owners, approval workflow
Procedural Controls
• Control self assessment: questionnaire responses, risk-based prioritization

Symantec IT Compliance Process Automation Platform
Policy Manager
• Define/manage written policies
• Distribute policies & track exceptions
• Demonstrate coverage
• Display evidence
Standards Manager
• Create/Select standard
• Assess technical controls
• Detect deviations
• Remediate deficiencies
Response Assessment Manager
• Assess procedural controls
• Report with risk weighted model
• Centralize view of procedural controls
Security Information Manager
• Monitor security control violations
• Prioritize and respond to incidents
• Consolidate and manage security logs
(Diagram: the platform maps the Malware, Server and Data Protection policies to NIST, PCI, COBIT, SOX, ISO, Basel and FISMA.)
CCS 9.0 Functional Overview
Symantec Confidential – Features and roadmap subject to change
(Diagram: a central repository and asset system fed by technical controls assessment, agent-based and agent-less; procedural controls assessment, survey-based; and evidence from third-party sources via a CSV data collector; with federated data processing and analysis.)
• Compliance Reporting: regulatory view, policy view, operational view, risk view
• Compliance Management: policies and controls, entitlements, exceptions, remediation
Existing Components
• Agent-less data collection
• Agent-based data collection
New Components
• Asset System
• Data repository
• Data processing and analysis
• CSV data collector
New Apps
• Reporting
• Exception Mgt.
• Risk scoring

Implement Asset-centric Compliance and Risk Management
• Discover: native ‘discovery’; external (CSV)
• Reconcile and Store: one-way reconciliation via rules-based engine; create logical groups
• Classify and Prioritize: assign ownership, risk (CIA) ratings; assign access rights
• Manage Risk: evaluate for compliance to policies and mandates; assess risk
Assess Your Environment
Select Standard (Example: ACSI33) → Customize Definitions → Schedule Reporting → View Results
Select Standard
• Includes technical standards from ACSI 33, NIST…
• Covers Win, Unix, Linux, Novell, Oracle, SQL, Exch
• Standards updated quarterly
• Includes regulatory views that map standards to regs via best practice frameworks
Customize Definitions
• Wizard-driven ability to build custom standard using existing best practice content
• Edit each parameter to meet custom specifications
Entitlements Management
• The communication between business and IT
– IT ops lacks the knowledge of who owns the data and who should have access
– Data owners lack the expertise to manage these permissions
• Good governance requires
– Enforcement of access restrictions to sensitive data
– Periodic review of access by data owners
(Diagram: data owners in Finance, Accounting and HR, together with IT Ops, review permissions and approve, reject, or request a change.)
Procedural Controls Assessment
• Automate assessment of procedural controls
– Create from scratch or import from document to generate a new attestation
– Distribute questionnaires to attesters
– Track responses (acceptance, clarification requests, exception requests)
– Generate remediation task lists with task owners and action items
– Generate reports for business stakeholders
(Diagram: 1. administer survey; 2. distribute via web to respondents; 3. analyze results and consolidate responses.)
Key Points
1. Market share & experience
2. Assessment coverage
– Asset & risk based approach
– Applications (Active Directory, Databases, MS Exchange, etc.)
– Platforms (Win, Unix, Netware, etc.)
3. Works with & without agents
– Ease of deployment & management, less TCO
4. Single integrated holistic solution
– Covers IT & non-IT governance requirements