
Automating and Simplifying Compliance and Risk with Microsoft System Center

Waqas Makhdum (Sr. Product Planner, System Center)

Gunjan Jain(Sr. Program Manager, Solution Accelerator Team)

Microsoft Corporation

SESSION CODE: MGT201

Session Objectives and Takeaways

Session Objectives

Service Manager: Address Compliance Challenges using System Center Service Manager

Demo: Service Manager Compliance and Risk Management solution in action

Key Takeaway

Service Manager provides an integrated IT process and compliance management solution that increases compliance visibility, reduces costs through automation, and simplifies the audit process

Common Challenges in Addressing Risk and Compliance

What Compliance Means for Different Groups?

How do we interpret and test IT compliance across a vast enterprise?

System Operations

Audit Requirements & Design

Business Objectives & Policies

Regulatory Requirements

Regulatory Certification

Requirement Definition

Auditor

Reports

System Management

Review Log Files, Confirm settings

“Each business change brings new IT compliance requirements. 80% are duplicative, but we review it all, delaying response and increasing cost.”

“Configuring and monitoring local and distributed servers and PCs for compliance is so time consuming”

“Make sure that we comply so that we can focus on the business …without an obscene cost”

“It’s too hard to interpret new regulations and sort out overlaps to set policy across functions”

“Based on a bewildering collection of reports, I must certify if we are compliant. It’s my butt on the line”

“Every quarter I learn how non-compliant we have been last month – it’s like ‘whack a mole’, how do I get ahead of these issues and risk”

“Checking log files, re-confirming settings, documenting processes is a waste of time when I have truly critical things to do”

“System changes require regulation specific procedures slowing our response … Do we need more software to manage IT compliance?”

“These periodic audits kill me. What detail will the auditor want to check up on this time?”

Audit Committee

CIO/CSO

ITDM

IT Pro

ITDM

CIO/CSO

Functional VP

Board of Dir./CEO

Outsourced Compliance & IT Pro

Challenge 1: Volume of Regulations

EU - MiFID

US Sec 17a-3,17c-4

UK FSA email retention

Italy AIPA

Singapore Corp Governance

Electronic signatures in global & national commerce act (e-Sign)

US, Insurance 152 for Records Retention

A top investment bank agrees to a 15M settlement with SEC over records retention

EU data protection act

Canada CSOX

UK FSA Mortgage CP186

Canada electronic evidence act

Japan JSOX

Japan Electronic Ledger storage law

France NFZ 42-013

Germany GDPdu & GoBS

DOD 5015

NASD 3010/3110

One of the world’s largest banks faces an FSA-enforced complete operations overhaul after losing customer data tapes

Reg NMS

Australia CLERP, Corporate Actions

HIPAA

India SOX SEBI Clause 49

GLBA

Responsive to User and Business Needs

Process-Led, Model-Driven

User-Focused

Unified & Virtualized

Service-Enabled

Challenge 2: Dynamic IT

DYNAMIC DATACENTER

USER-CENTRICITY

ANYWHERE ACCESS

DYNAMIC APPLICATION LIFECYCLE

Win2k3 SP1 moves to SP2 on April 14 2009

Red Hat Linux 9 at End of Support

VMM 2008 R2 Beta is now available

Windows 2008 R2 Launches

Microsoft Commerce Server 2007 SP1 No longer supported

Exchange Ready!

Support for 32 bit Servers fast vanishing

Microsoft Announces SQL Server 2008

Visual Studio 2008 in Beta

SQL 2000 End of life

Microsoft sets Oct 22 as the

W7 Street date

Customers upgrading to SAP 6.0 for support

Oracle announces End of support for 8i

Vmware GSX 3.x at EOS

Challenge 3: Technology Churn

Addressing Compliance and Risk with System Center

Service Manager: IT Compliance and Risk Solution

Portal Forms

Data Warehouse

Workflows

Configuration Management DB

Work Items

Config Items

Knowledge

Problem / Change / Incident

Asset / IT GRC

System Center Configuration Manager

Active Directory

System Center Operations Manager

Opalis Connectors

Service Manager

Partner Solutions

Exchange Server Windows Server 2008 Windows 7

Regulatory Documents

Service Manager: IT Compliance and Risk Approach

Significant Percentage of Gross Domestic Product for Most Countries Significant Cost for Each Employee Every Year

Remediation / Exceptions / Reports

HARMONIZED CONTROL OBJECTIVES

CONTROL ACTIVITIES

Regulations and Standards

System Center

IT GRC Process Management Pack

Service Manager

Config. Mgr. / Ops. Mgr. / Forefront Family

CMDB

Business Objectives & Policies

System Operations

Systems Management

Service Manager: End-to-End Compliance & Risk Solution

Windows Server

Windows 7

MOSS

Exchange

Non-Microsoft (Partner)

SQL

Office

Compliance Status

Audit (Authority Document View)

Harmonized Framework

Control Objectives

IT Compliance Management Library

Control Activities and Tests

Authority Document Requirements

SOX

PCI

COBIT

EU DPP

Internal Policies

ISO

Comply/Authority Reports

Incident/Issue

Reports

Residual Risk

Active Directory

IT Pro

ITDM

CIO/CSO

Functional VP

Board of Dir./CEO

Audit Committee

CIO/CSO

ITDM

IT Pro

Simplifying Management of Compliance Requirements &

Automating Control Monitoring and Validation

Gunjan Jain

DEMO

Scenario: Adding AmEx Controls to PCI-DSS

Reports

Incident

Monitoring

IT Implementer

Validation

Auditor

Remediation

Compliance Manager

PCI-DSS + AmEx DSS

Define Control Activities

Computer Data

HW and SW Inventory

DCM Packs

ConfigMgr Connector

Data Warehouse

ETL

Map Control Objectives

PCI-DSS Compliance Manager

New AmEx Compliance Requirements

Scenario -- Always Ready for an IT Audit

Failure

GRC Program Manager

Operations Engineer

Managing Compliance

Provide Audit Trail

Automation

Implement Procedure

Map Control Objectives

Validate Settings

Detect Failure

Record Result

Take Action

Activities
• Process controls
• Configuration settings
• Monitoring

Reporting

Actions
• Change control
• GRC incident/issue
• GRC problem

Corrective Actions

Audit Trail
• Compliance Reports
• Compliance History

System Center Service Manager Roadmap (timeline figure; labels: 2010 V1, 2011 SP1, 2012 R2, R2 Beta, IT GRC MP, H1/H2 markers)

IT GRC Process Management Pack release: August 2010!

Compliance Library Roadmap

August 2010: Windows 7, Windows Server 2008, Windows Server 2008 R2, System Center Operations Manager, System Center Configuration Manager, System Center Service Manager

Fall 2010: Office 2010, SQL Server 2008, SQL Server 2008 R2, Exchange 2007, Windows Server Hyper-V

Spring 2011: Windows XP, Windows Server 2003, Windows Vista, Office 2007, Exchange 2010

Roadmap Subject to Change

INTEGRATED EFFICIENT BUSINESS ALIGNED

IT Process and Workflow Automation

CMDB

Leverages Configuration and Operations Manager

Service Manager provides an integrated IT process and compliance management solution that increases compliance visibility, reduces costs through automation, and simplifies the audit process

Automates end-to-end Compliance

Simplifies Audit Process

Out-of-box Compliance knowledge

Compliance and risk status visibility

Mapping of Business controls with technical standards

Related Content

MGT06-INT: Automating and Simplifying Compliance and Risk (Tue 5:00PM - 6:15PM)

MGT313: Microsoft System Center Service Manager 2010: Drilldown (Thurs 9:45AM - 11:00AM)

MGT310: Implementation, Architecture, and Administration of a Service Manager Deployment (Wed 1:30PM - 2:45PM)

MGT07-INT Extending and Customizing Microsoft System Center Service Manager (Thurs 5:00PM - 6:15PM)

Resources

www.microsoft.com/teched

Sessions On-Demand & Community

Microsoft Certification & Training Resources

Resources for IT Professionals

Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet

http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration

Join us in Atlanta next year

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

JUNE 7-10, 2010 | NEW ORLEANS, LA
