Automating and Simplifying Compliance and Risk with Microsoft System Center
Waqas Makhdum (Sr. Product Planner, System Center)
Gunjan Jain (Sr. Program Manager, Solution Accelerator Team)
Microsoft Corporation
SESSION CODE: MGT201
Session Objectives and Takeaways
Session Objectives
Service Manager: Address compliance challenges using System Center Service Manager
Demo: Service Manager Compliance and Risk Management solution in action
Key Takeaway
Service Manager provides an integrated IT process and compliance management solution that increases compliance visibility, reduces costs through automation, and simplifies the audit process
What Compliance Means for Different Groups?
How do we interpret and test IT compliance across a vast enterprise?
System Operations
Audit Requirements & Design
Business Objectives & Policies
Regulatory Requirements
Regulatory Certification
Requirement Definition
Auditor Reports
System Management
Review Log Files, Confirm Settings
“Each business change brings new IT compliance requirements. 80% are duplicative, but we review it all, delaying response and increasing cost.”
“Configuring and monitoring local and distributed servers and PCs for compliance is so time consuming”
“Make sure that we comply so that we can focus on the business …without an obscene cost”
“It’s too hard to interpret new regulations and sort out overlaps to set policy across functions “
“Based on a bewildering collection of reports, I must certify if we are compliant. It’s my butt on the line”
“Every quarter I learn how non-compliant we have been last month – it’s like ‘whack a mole’, how do I get ahead of these issues and risk”
“Checking log files, re-confirming settings, documenting processes is a waste of time when I have truly critical things to do”
“System changes require regulation specific procedures slowing our response … Do we need more software to manage IT compliance?”
“These periodic audits kill me. What detail will the auditor want to check up on this time?”
Audit Committee
CIO/CSO
ITDM
IT Pro
ITDM
CIO/CSO
Functional VP
Board of Dir./CEO
Outsourced Compliance & IT Pro
Challenge 1: Volume of Regulations
EU MiFID
US SEC 17a-3, 17c-4
UK FSA email retention
Italy AIPA
Singapore Corporate Governance
Electronic Signatures in Global and National Commerce Act (E-Sign)
US Insurance 152 for Records Retention
A top investment bank agrees to a 15M settlement with the SEC over records retention
EU Data Protection Act
Canada CSOX
UK FSA Mortgage CP186
Canada Electronic Evidence Act
Japan J-SOX
Japan Electronic Ledger Storage Law
France NF Z 42-013
Germany GDPdU & GoBS
DoD 5015
NASD 3010/3110
One of the world's largest banks faces an FSA-enforced complete operations overhaul after losing customer data tapes
Reg NMS
Australia CLERP, Corporate Actions
HIPAA
India SOX (SEBI Clause 49)
GLBA
Challenge 2: Dynamic IT
Responsive to User and Business Needs
Process-Led, Model-Driven
User-Focused
Unified & Virtualized
Service-Enabled
DYNAMIC DATACENTER
USER-CENTRICITY
ANYWHERE ACCESS
DYNAMIC APPLICATION LIFECYCLE
Challenge 3: Technology Churn
Win2k3 SP1 moves to SP2 on April 14 2009
Red Hat Linux 9 at End of Support
VMM 2008 R2 Beta is now available
Windows Server 2008 R2 launches
Microsoft Commerce Server 2007 SP1 no longer supported
Exchange Ready!
Support for 32-bit servers fast vanishing
Microsoft announces SQL Server 2008
Visual Studio 2008 in Beta
SQL 2000 End of Life
Microsoft sets Oct 22 as the Windows 7 street date
Customers upgrading to SAP 6.0 for support
Oracle announces End of Support for 8i
VMware GSX 3.x at EOS
Service Manager: IT Compliance and Risk Solution
Service Manager platform: Portal Forms, Data Warehouse, Workflows, Configuration Management DB (Work Items, Config Items, Knowledge)
Process management packs: Problem, Change, Incident, Asset, IT GRC
Connectors: System Center Configuration Manager, Active Directory, System Center Operations Manager, Opalis Connectors
Partner Solutions
Managed platforms: Exchange Server, Windows Server 2008, Windows 7
Regulatory Documents
Service Manager: IT Compliance and Risk Approach
Significant percentage of gross domestic product for most countries
Significant cost for each employee every year
Regulations and Standards → Harmonized Control Objectives → Control Activities → Remediation, Exceptions, Reports
System Center: IT GRC Process Management Pack, Service Manager, Config. Mgr., Ops. Mgr., Forefront Family, CMDB
Business Objectives & Policies
System Operations
Systems Management
Service Manager: End-to-End Compliance & Risk Solution
Managed platforms: Windows Server, Windows 7, MOSS, Exchange, Non-Microsoft (Partner), SQL, Office
Compliance Status
Audit (Authority Document View)
Harmonized Framework
Control Objectives
IT Compliance Management Library
Control Activities and Tests
Authority Document Requirements: SOX, PCI, COBIT, EUDPP, Internal Policies, ISO
Comply/Authority Reports
Incident/Issue Reports
Residual Risk
Active Directory
Audience: IT Pro, ITDM, CIO/CSO, Functional VP, Board of Dir./CEO, Audit Committee
DEMO: Simplifying Management of Compliance Requirements & Automating Control Monitoring and Validation
Gunjan Jain
Scenario: Adding AmEx Controls to PCI-DSS
Roles: Compliance Manager (PCI-DSS + AmEx DSS), IT Implementer (Monitoring), Auditor (Validation)
Flow: New AmEx compliance requirements → Map Control Objectives → Define Control Activities → Monitoring → Incident → Remediation → Reports
Data sources: Computer Data, HW and SW Inventory, DCM Packs, ConfigMgr Connector, Data Warehouse, ETL
PCI-DSS Compliance Manager
Scenario: Always Ready for an IT Audit
Roles: GRC Program Manager, Operations Engineer
Managing Compliance: Map Control Objectives → Implement Procedure (Automation) → Validate Settings → Detect Failure → Record Result → Take Action → Provide Audit Trail
Activities: process controls, configuration settings, monitoring
Actions (corrective actions): change control, GRC incident/issue, GRC problem
Audit Trail (reporting): compliance reports, compliance history
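The validate / detect failure / record result / take action loop above, as an added PowerShell example that is not part of the session and not code from the IT GRC Process Management Pack. In the product the evaluation is done by Configuration Manager DCM baselines and the results reach the Service Manager CMDB through the ConfigMgr connector; this script only shows the control-evaluation and audit-trail logic in isolation. The control IDs, the three settings checked and the CSV output path are assumptions chosen for illustration.

```powershell
# Added example, not code from the session or from the IT GRC Process Management Pack.
# It evaluates a few control activities against local Windows settings, records every
# result with a UTC timestamp for the audit trail, and returns the failures so a caller
# can raise a GRC incident/issue or a change request. Control IDs, the chosen settings
# and the output path are assumptions for illustration only.

$controls = @(
    @{ Id = 'CA-001'; Name = 'Windows Firewall service running';
       Test = { (Get-Service -Name MpsSvc -ErrorAction Stop).Status -eq 'Running' } }
    @{ Id = 'CA-002'; Name = 'Security event log at least 64 MB';
       Test = { (Get-WinEvent -ListLog Security -ErrorAction Stop).MaximumSizeInBytes -ge 64MB } }
    @{ Id = 'CA-003'; Name = 'LM hash storage disabled (NoLMHash = 1)';
       Test = { (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                    -Name NoLMHash -ErrorAction Stop).NoLMHash -eq 1 } }
)

function Test-ControlActivities {
    param(
        [Parameter(Mandatory)] [object[]]$Controls,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($c in $Controls) {
        $result = 'Fail'
        $detail = ''
        try {
            if (& $c.Test) { $result = 'Pass' }
        } catch {
            # A setting that cannot be read is a failure, not an unknown: the auditor needs a verdict.
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            Timestamp = (Get-Date).ToUniversalTime().ToString('o')
            Computer  = $ComputerName
            ControlId = $c.Id
            Control   = $c.Name
            Result    = $result
            Detail    = $detail
        }
    }
}

# Record every result, pass and fail, so the compliance history survives later remediation.
$results = Test-ControlActivities -Controls $controls
$results | Export-Csv -Path (Join-Path $env:TEMP 'control-results.csv') -NoTypeInformation -Append

# Failures feed the "Take Action" step (change control, GRC incident/issue, GRC problem).
$failures = @($results | Where-Object { $_.Result -eq 'Fail' })
$failures | Format-Table ControlId, Control, Detail -AutoSize
```

Run it in an elevated Windows PowerShell session; the appended CSV is the audit trail, and a control that throws (for example a registry value that does not exist) is recorded as a failure with the error text rather than silently skipped, which is what an auditor asking "what was checked and when" needs to see.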
System Center Service Manager Roadmap (timeline from 2010 H1 to 2012 H1, by half-year; milestones shown: V1 (2010), IT GRC MP, SP1, R2 Beta, R2)
IT GRC Process Management Pack release: August 2010!
Compliance Library Roadmap
August 2010: Windows 7, Windows Server 2008, Windows Server 2008 R2, System Center Operations Manager, System Center Configuration Manager, System Center Service Manager
Fall 2010: Office 2010, SQL Server 2008, SQL Server 2008 R2, Exchange 2007, Windows Server Hyper-V
Spring 2011: Windows XP, Windows Server 2003, Windows Vista, Office 2007, Exchange 2010
Roadmap subject to change
Integrated, Efficient, Business Aligned
IT Process and Workflow Automation
CMDB
Leverages Configuration Manager and Operations Manager
Service Manager provides an integrated IT process and compliance management solution that increases compliance visibility, reduces costs through automation, and simplifies the audit process
Automates end-to-end compliance
Simplifies the audit process
Out-of-box compliance knowledge
Compliance and risk status visibility
Mapping of business controls to technical standards
Related Content
MGT06-INT: Automating and Simplifying Compliance and Risk (Tue 5:00PM - 6:15PM)
MGT313: Microsoft System Center Service Manager 2010: Drilldown (Thurs 9:45AM - 11:00AM)
MGT310: Implementation, Architecture, and Administration of a Service Manager Deployment (Wed 1:30PM - 2:45PM)
MGT07-INT: Extending and Customizing Microsoft System Center Service Manager (Thurs 5:00PM - 6:15PM)
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration
Join us in Atlanta next year
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.