Sage Management Proprietary Data
Solution Overview: National Continuity Solutions Platform
Michael J. O’Dell CBCP – Sage Management
Company Profile
• Veteran-Owned Small Business
• Technical Services Provider
  – Intelligence Community
  – Defense Threat Reduction Agency
  – U.S. Military
• Rapidly Growing (Inc. 500 list, 2009)
• 56 employees (majority TS/SCI cleared)
• LLC, Founded in Maryland in 2004
• Top Secret Facility Clearance
Locations:
• Hanover, MD
  – NSA
  – Others: DIA, USAF
• Springfield, VA
  – Defense Threat Reduction Agency
  – Others: SPAWAR, AFTAC, DHHS
• Princeton, NJ
  – Defense Threat Reduction Agency
• Sierra Vista, AZ
  – US Army Intelligence Center
  – Joint Interoperability Test Command
Continuous Assessment and Monitoring
Cycle diagram (stages as extracted): Analyze & Prioritize; Point-In-Time Audit; Test; Monitor & Alert; Define Policy & Risk; Translate; Map; Assess; Collect; Remediate; Dashboard.
Solution Architecture
Layer diagram (components as extracted):
• Content Packs: 8500.2, CNSSI 1253, 800-53, ISO, 800-66
• GRC Platform Connectors
• Integrated GRC Data Model: Organizations, Policies, Assets, Configurations, Controls, Risks, Mappings, Evidences
• Engines: Workflow, Collaboration, Analytics, What-If, Risk Calculator, Correlation, Common Controls, Assessment
• Business Interfaces: Reports, Dashboards, Notification, Tasks, Office Integration, Application Builder, UI Configuration, Key Indicators
• Middleware: Workflow, Reporting, Data Integration, Content Management
• Applications: Policy, Risk, Compliance, Vendor, Threat, Privacy, Incident
Compliance Solution Market Trends
Past → Present
• Manual Processes → Automation
• Compliance Driven → Business & Risk Driven
• Custom Controls → Standard Controls
• Compliance and Risk Silos → Common Control Framework
• Fragmented Tools → Integrated Solution
• Periodic Audits → Continuous Monitoring
• Internally Developed Tools → Purpose-Built Platform
• Consulting Engagements → Software Solutions
• Cylinder of Excellence View → Enterprise Wide Visibility
Custom & Manual Solutions
• Leverage existing technologies
  – Tools not suited to purpose
  – Poor data integrity and quality
• Limited point-to-point integration
  – Heavily relying on scripting, macros, cron jobs
  – Fragile integrations
• Mostly manual processes
  – Heavily relying on Excel and Word
  – Use Help Desk tool to route workflows
Diagram components: Help Desk, Document Management, Excel, Word, Reporting Tools, Data Warehouse
Purpose-Built GRC Platform
• Open technology stack
  – Hot pluggable with open sourced, Oracle, IBM, ...
  – Consistent with corporate technology strategy
• Purpose-built GRC platform
  – Optimized for GRC, SOA platform vision
  – Predefined GRC business objects / entities
  – Simple upgrade and extension
• Single-point integration
  – Simple upgrade and extension
  – No point integration
• Feature-rich applications
  – Integrated functionality, no redundancy
  – Cross-regulation scalability
• Open content
  – Global community and localized support
  – Partner and customer friendly
Diagram (IT GRC Platform layers): Dashboards, Reports, Indicators; Automation & Collaboration Engines; Common Control Framework; Integrated GRC Data Model; Open Connector Architecture; Middleware (Workflow, Reporting, Data Integration); Content packs: NIST 800-53, ISO, SOX
Applications
• Compliance: Manual & automated assessment; Compliance reporting & metrics
• Policy: Collaborative policy lifecycle mgmt.; Policy distribution & compliance testing
• Enterprise Risk: Collaborative risk definition & mapping; Real time risk monitoring
• Privacy: Compliance & impact assessments; Policy awareness & incident readiness
• Vendor Risk: Partner classification & risk assessment; Delegated administration
• Threat & Vulnerability: Monitor, test & remediate; Scan, virtual scan & advanced warning
• Incident: Incident lifecycle management; Operational response plan
Open Connectors
• eSurvey
• Configuration Management
• Vulnerability Management
• Incident Management
• DB Configuration & Access Checks
• Identity & Access Control Checks
• Application Controls Checks
• Segregation of Duties Checks
• Others
28 Connectors And Growing
Several Federal Agencies
Compliance Automation and Continuous Assessments integrated with existing C&A processes for FISMA requirements
Business Challenge:
• Existing C&A processes separate from Security Operations
• Moving to continuous configuration and patch level assessment based on computing asset criticality
• Inefficient manual & consultant driven tools, i.e. spreadsheets, C&A document repositories, and C&A SSP tools
• Need to reduce average C&A cost by 60% on an SSP project scope basis, to free up budget for new control & risk initiatives
Solution:
• Real time visibility on risk and compliance status against FISMA and IT Security Risk Management requirements
• Risk reduction through integrated compliance automation and continuous configuration, patch and vulnerability assessment
Bottom-line:
• FISMA C&A – NIST 800-53A, 800-60, FIPS 199, 800-37, 800-55
• Configuration and Patch scan integration
• Vulnerability Scan integration
• Dynamic POA&M
DOD Program
Automated Risk Management and Continuous Assessment for Operational Security and PII Protection
Business Challenge:
• De-centralized security operations limiting situational awareness
• Limited protection of operational security as well as the war fighter’s PII
• Static view of security posture and performance of the network
• Isolated tool sets creating redundancy and operational inefficiency with manual correlation
• Security incidents and data breaches going undetected for long periods of time
Solution:
• Provides a comprehensive technical control framework for enhanced automated monitoring, together with assessment and correlation of the attributes used to develop key compliance and risk indicators; this acts as a force multiplier that lets the command-level program office constantly maintain the pulse of security posture and risk across the global infrastructure
• Real time visibility on risk and compliance status against 8500.2 and PII Risk Management requirements
• Provides a comprehensive IA program through threat analysis and technology risk assessments, in order to leverage the most appropriate technologies and cost-effective solutions for the network
Bottom-line:
• DOD 8500.2, STIGS, 800-53 and DOD 5400 Continuous Assessment
• Enhanced Situational Awareness of Risk and Privacy Protection
Representative Customers
Role Based Dashboards
Vulnerability Database
Deficiencies & Mitigation Assessment
FIPS-199 Categorization
System Security Plan
Plan of Actions & Milestones