Enabling Successful IT GRC - ISACA Melbourne


Page 1

Enabling Successful IT GRC

Paul Kastner

Director, Industry Solutions, Asia Pacific & Japan

21 October 2008

Page 2

Agenda

1. Growing Importance of GRC

2. IT GRC Issues

3. A sound approach

4. Automation is key

Page 3

GRC challenges

The Financial Crisis: Driving Big Changes to Business

• Regulatory and government response will not be limited to FSIs

• Extreme regulatory scrutiny and rapidly enacted regulations

• Increased investor disclosure

• Increasingly activist shareholders

• Government ownership stakes, consequently tougher oversight

• Financial system regulator and regulatory changes

• Renewed focus on governance and risk management

• Changing accounting rules and faster convergence on IAS

• Risks will be tightly managed

• Risk management will be underpinned by stronger governance

Page 4

GRC defined

GRC is about supporting and enabling good business practices by adhering to external rules and sound internal policies, and… being able to prove it.

Page 5

Good corporate GRC will be a rallying cry for investors and regulators

• Transparency in finance and operations

• Compliance with regulations

• Well-managed risk

• Effective executive, board, and auditor oversight

• Clearly articulated and well-executed business plans and strategies

Internal and external auditors will be asked to assure GRC at a deeper and more granular level than before

Page 6

IT GRC underpins the enterprise objectives

• IT GRC:

– Governs investment and alignment of IT strategies and resources

– Manages risks associated with introduction, use, and disposition of IT resources

– Manages compliance with company policy, regulatory, and legal requirements

• Good IT GRC delivers:

– Greater business value from IT strategy, investment and alignment

– Significantly reduced business and financial risk from the use of IT

Page 7

Example of IT Governance, Risk, & Compliance

Business Objective: Reduce operational costs - utilize BPO provider

IT Risk: Loss of data by provider

IT Governance: Defines policies and control objectives for provider

IT Compliance: Company must demonstrate provider controls are effective

Page 8

Evolving IT GRC

Figure labels: Network Security, Security & Vulnerability and IT Security on one side; Regulatory Compliance and IT Compliance on the other; both converge into IT Governance, Risk, & Compliance (IT GRC).

Page 9

Managing risks to the business

Figure labels: Business Risk comprises

• Other Risks: market risk, credit risk, interest rate risk, liquidity risk

• Operational Risks:

– Non-IT Risks: business process, people and talent, environment, physical infrastructure

– IT Risks

Page 10

Ensuring Public Trust and Security

Proactively managing IT risk is getting both harder and more critical

Security: keep bad things out, keep important things in (driver: internal & external threats)

Availability: keep systems running, ensure rapid recovery (driver: natural disasters & system outages)

Performance: optimise resources (driver: poor IT service levels)

Compliance: ensure adequate controls, automate evidence collection (driver: external regulations & internal governance)

Figure labels: Information, Interactions, Infrastructure

Page 11

Practicing good IT GRC isn’t easy

• Complex IT security infrastructure

– Evolving threats – phishing, data leakage

– Proliferation of security technologies

• Poor visibility into compliance posture

– Regulatory & corporate governance pressures to demonstrate due care – incident response, information retention

– Lack of reporting & metrics

• Resource constraints

– Security budgets not increasing

– Lack of skilled security analysts

Callout questions:

How do we keep up with the latest threats & identify the most critical ones?

How do we demonstrate the effectiveness of our security controls?

Are we compliant with regulations, internal policies, contractual obligations?

How do we secure our environment with limited resources?

Page 12

Key questions for IT executives

• Risk Management: How do I protect my critical business information?

• Compliance Management: How do I demonstrate due care?

• IT Operational Efficiency: How do I best leverage my people?

Page 13

IT Compliance: challenges & implications

Budget Constraints (People / $$$):

• Manual processes don’t scale

• Homegrown tools, e.g. Excel spreadsheets

• Point tools = integration cost, fragility

• Budgets flat or declining

+ Audit Requirements:

• Increased frequency of audits

• More policies, standards

• Better visibility and data confidence

= Result:

• Budget can’t meet demand

• Inefficient use of scarce resources

Page 14

IT compliance needs to be managed from end-to-end

Define – REGULATIONS: SOX, HIPAA, Privacy, FISMA, Basel II; FRAMEWORKS: COSO, COBIT, ISO27001, NIST, Internal policies; STANDARDS: PCI-DSS, CIS, NIST, NSA → IT POLICIES

Control – Operating Systems, Databases, Applications, Directories, People

Sustain – MEASURE, RECORD, REMEDIATE, REPORT

Page 15

First understand the requirements and then define and publish the policies

• Understand mandates’ requirements

• Understand best practices

• Identify gaps and create new policies or replace old ones

• Map policies to regulations and frameworks

• Approval and versioning of policies

• Automatic dissemination

Callout questions: What policies are needed to comply with regulations? Are they in place? How to ensure employees understand policies?

Page 16

Automate policy distribution and management

Process: Define → Map → Distribute

Policies: Malware Policy, Endpoint Policy, Data Protection Policy, Incident Response Policy

Mapped to: NIST, PCI, Cobit, SOX, ISO, Privacy, FISMA

End User Action:

1. Accept

2. Deny

3. Ask for clarifications

4. Ask for exceptions

Page 17

Link policies with detailed IT controls

CORPORATE POLICIES: Malware, Access Control, Acceptable Use, etc.

Mapped to: Other Regulation, PCI, Privacy, Corporate Governance

TECHNICAL CONTROLS

PLATFORM HARDENING

• Security best practices

• Remediation

ACCESS & ENTITLEMENT

• DB\Group\File Permission

• Classify & Assign Owners

• Approval workflow

VULNERABILITY MGMT

• Non-credentialed checks

• Credentialed checks

• Patch Mgmt

END POINT CONTROLS

• Network Access Config

• Anti-Virus Config

BUSINESS CONTINUITY

• Backup Configurations

• Archival Configurations

THIRD PARTY CONTROLS

And Much, Much More…

PROCEDURAL CONTROLS

MANUAL ATTESTATION

• Self Survey Capability

ACCEPTANCE TRACKING

• Policy Acceptance

• Exception Mgmt

Page 18

Implement automated evidence gathering, enforcement, and reporting

Process: Define → Map → Distribute → Enforce → Prove → Report

Policies: Malware Policy, Endpoint Policy, Data Protection Policy, Incident Response Policy

Mapped to: NIST, PCI, Cobit, SOX, ISO, Privacy, FISMA

Controls assessed:

• Procedural: non-programmatic attestation of controls

• Operational: vulnerability, patch, configuration, permissions

• Data and Applications: archive, backup, virus, data loss

• Infrastructure

Page 19

Close the loop with continuous update and improvement

• Create ability to proactively manage continuous changes

• New business needs

• Technology changes

• New external and internal threats

• New regulations and enterprise governance requirements

• Provide ongoing audits and compliance checks

Page 20

Automation of IT Compliance process is the key to successful IT GRC

• Integrated policy definition and reporting

• Automate linkage of frameworks (e.g., ISO 27001) with policies and detailed IT controls

• Automated audit preparation

• Automated and continuous scanning and monitoring of violations

• Automated reporting on non-compliance

• Dashboards to provide immediate status

• Automated enforcement

• Repeatable and sustainable process

Page 21

IT Compliance automation reduces risk and cost

Chart: Relative Spend on Regulatory Compliance (0.0 to 1.0) by maturity level, 0 (least mature) to 5 (most mature). Automation reduces compliance spend… the most mature spend 52-62% less.

Chart: Annual Data Losses and Deficiencies (0 to 250) against the number of procedural and technical controls and the days between control assessments (12 or more, 3 to 6, 2 or less), least mature to most mature. Assessing more controls, more often, reduces risk…

Source: IT Policy Compliance Group

Page 22

Asia Banker Summit, Hanoi, Vietnam, March 2008

© 2006 Symantec Corporation. All rights reserved.

THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.

Paul Kastner

[email protected]

+61 416 977 867

Page 23

Control Compliance Suite (Version 9.0), Comprehensive Security & Compliance Solution

Sachin Sohani

Page 24

Symantec IT Compliance

Agenda

1. Introduction

2. Challenges, Maturity and Success

3. Symantec Offering

Page 25

Operational Challenges

Cost, Complexity, Governance, Risk, Skill Gaps

• Failure to remain compliant can increase business liability or involve criminal penalties

• Different geographies and divisions have different compliance needs

• Compliance errors have gigantic impacts

• Finding and retaining compliance expertise

• Compliance as overhead versus IT enabling innovation

• Compliance requirements vague

• Different parts of the enterprise have different mandates

• Evolving requirements impact cost management

• Redundant controls

• Manual processes

Page 26

Compliance Maturity Level

Phase 1 – Reactive: one-off implementations

Phase 2 – Proactive: coordinated implementations

Phase 3 – Automated: processes & integrated compliance

“Businesses are adopting a three-phase strategy for investing in IT support for compliance activities” - Gartner

Page 27

Key to Success – Frequent Auditing

Success Factors                Leaders (10%)   The Rest (90%)

Freq of internal audits        21 days         8 months

IT time on compliance          33%             24%

IT budget on security          10.4%           7.0%

# of overall deficiencies      20              40

# of significant deficiencies  2               13

MORE FREQUENT AUDITING TRANSLATES INTO BETTER SECURITY AND COMPLIANCE RESULTS

Leaders are ~6x better because they do more audits…

…But they spend ~50% more because they lack automation

Source: ITpolicycompliance.com

Page 28

Explicit Needs

1. Controls (Threats & Risk Assessment)

2. Frameworks & Standards

3. Developing Policies, Plans, Procedures

4. Effective Access Rights assessment

5. Remediation from compliance deficiency

6. High cost of manual assessment

7. SOE Assessment

8. More …

Page 29

How Control Compliance Suite Works

Page 30

Symantec Control Compliance Suite: A Unified Solution

Process: Create → Map → Publish → Assess → Fix, with exception handling, scoped by risk level

Written Policy – Corporate Policies: Info Security, Access Control, Termination

Mapped to: PCI, SOX, Basel II, NIST, COBIT, ISO

Technical Controls

• Configurations: security best practices, remediation

• Vulnerabilities: non-credentialed checks, credentialed checks, patch mgmt

• Entitlements review: group\file permission, classify & assign owners, approval workflow

Procedural Controls

• Control self assessment: questionnaire responses, risk-based prioritization

Page 31

Symantec IT Compliance Process Automation Platform

Policy Manager

• Define/manage written policies

• Distribute policies & track exceptions

• Demonstrate coverage

• Display evidence

Standards Manager

• Create/Select standard

• Assess technical controls

• Detect deviations

• Remediate deficiencies

Response Assessment Manager

• Assess procedural controls

• Report with risk weighted model

• Centralize view of procedural controls

Security Information Manager

• Monitor security control violations

• Prioritize and respond to incidents

• Consolidate and manage security logs

Figure labels: frameworks NIST, PCI, COBIT, SOX, ISO, Basel, FISMA; policies Malware Policy, Server Policy, Data Protection Policy; Control Compliance Suite 9.0
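The Create → Map → Assess → Fix loop with exception tracking and a risk-weighted regulatory view, as an added example that is not Symantec's or CCS's code: framework names are those on the slides, while control ids, asset names, evidence values, weights and dates are constructed sample data.

```python
# Added illustration, not Symantec's or CCS's code: a minimal
# Define -> Map -> Assess -> Exception -> Report loop in the shape the
# slides describe. Framework names are from the slides; control ids,
# asset names, evidence, weights and dates are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Callable

ASSESSMENT_DATE = date(2008, 10, 21)  # constructed "today" for the run

@dataclass
class Control:
    cid: str                       # constructed control id
    policy: str                    # written policy the control implements
    frameworks: tuple              # frameworks/regulations it maps to
    weight: int                    # risk weight used for prioritisation
    check: Callable[[dict], bool]  # evidence -> True when compliant

@dataclass
class ControlException:            # approved exception with an expiry
    asset: str
    cid: str
    expires: date
    approver: str

# "Map" step: written policy -> technical control -> frameworks
CONTROLS = [
    Control("CFG-01", "Access Control", ("PCI", "ISO"), 5,
            lambda ev: ev.get("min_password_length", 0) >= 12),
    Control("CFG-02", "Malware", ("PCI", "SOX"), 4,
            lambda ev: ev.get("antivirus_enabled") is True),
    Control("VLN-01", "Malware", ("NIST", "PCI"), 3,
            lambda ev: ev.get("days_since_patch", 999) <= 30),
    Control("ENT-01", "Access Control", ("SOX", "COBIT"), 5,
            lambda ev: "Everyone" not in ev.get("share_acl", [])),
]
# Constructed evidence, as an agent or CSV collector might return it
ASSETS = {
    "fin-db-01": {"min_password_length": 14, "antivirus_enabled": True,
                  "days_since_patch": 12, "share_acl": ["Finance", "DBA"]},
    "hr-file-01": {"min_password_length": 8, "antivirus_enabled": True,
                   "days_since_patch": 45, "share_acl": ["HR", "Everyone"]},
}
EXCEPTIONS = [
    ControlException("hr-file-01", "VLN-01", date(2008, 12, 31), "ciso"),
    ControlException("hr-file-01", "CFG-01", date(2008, 9, 30), "ciso"),  # expired
]

def assess(assets, controls, exceptions, today):
    """Return (findings, framework_view). An unexpired approved exception turns
    a failed check into 'exception' (tracked, not scored); an expired one does not."""
    active = {(e.asset, e.cid) for e in exceptions if e.expires >= today}
    findings, view = [], {}
    for asset, evidence in assets.items():
        for c in controls:
            if c.check(evidence):
                status = "pass"
            else:
                status = "exception" if (asset, c.cid) in active else "fail"
            findings.append((asset, c.cid, c.policy, c.weight, status))
            for fw in c.frameworks:  # risk-weighted regulatory view
                v = view.setdefault(fw, {"passed": 0, "total": 0})
                v["total"] += c.weight
                v["passed"] += c.weight if status != "fail" else 0
    return findings, view

def framework_scores(view):
    """Percent of risk weight satisfied per framework, rounded."""
    return {fw: round(100 * v["passed"] / v["total"]) for fw, v in view.items()}

def remediation_tasks(findings):
    """Open deficiencies, highest risk weight first (the 'Fix' queue)."""
    fails = [f for f in findings if f[4] == "fail"]
    return [(f[0], f[1]) for f in sorted(fails, key=lambda f: (-f[3], f[1]))]
```

Running `assess(ASSETS, CONTROLS, EXCEPTIONS, ASSESSMENT_DATE)` leaves the expired exception uncovered, so it shows up in the remediation queue while the active one is reported as an exception rather than a deficiency.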

Page 32

CCS 9.0 Functional Overview

Repository, Asset System, Federated Data Processing and Analysis

Technical Controls Assessment - agent-based and agent-less

Procedural Controls Assessment - survey-based

Evidence from Third-party Sources - CSV data collector

Compliance Reporting: Regulatory View, Policy View, Operational View, Risk View

Compliance Management: Policies and Controls, Entitlements, Exceptions, Remediation

New Apps: Reporting, Exception Mgt., Risk scoring

New Components: Asset System, Data repository, Data processing and analysis, CSV data collector

Existing Components: Agent-less data collection, Agent-based data collection

Symantec Confidential – Features and roadmap subject to change

Page 33

Implement Asset-centric Compliance and Risk Management

Discover:

• Native ‘discovery’

• External (CSV)

Reconcile and Store:

• One-way reconciliation via rules-based engine

• Create logical groups

Classify and Prioritize:

• Assign ownership, risk (CIA) ratings

• Assign access rights

Manage Risk:

• Evaluate for compliance to policies and mandates

• Assess risk

Symantec Confidential – Features and roadmap subject to change

Page 34

Assess Your Environment

Steps: Select Standard (example: ACSI33) → Customize Definitions → Schedule Reporting → View Results

Select Standard

• Includes technical standards from ACSI 33, NIST…

• Covers Win, Unix, Linux, Novell, Oracle, SQL, Exch

• Standards updated quarterly

• Includes Regulatory Views that map standards to regs via best practice frameworks

Customize Definitions

• Wizard-driven ability to build custom standard using existing best practice content

• Edit each parameter to meet custom specifications

Page 35

Entitlements Management

• The communication between business and IT

– IT ops lacks the knowledge of who owns the data and who should have access

– Data owners lack the expertise to manage these permissions

• Good governance requires

– Enforcement of access restrictions to sensitive data

– Periodic review of access by data owners

Figure: Data Owners (Finance, Accounting, HR) and IT Ops review permissions and approve / reject / request change

Page 36

Procedural Controls Assessment

• Automate assessment of procedural controls

– Create from scratch or import from document to generate a new attestation

– Distribute questionnaires to attesters

– Track responses (acceptance, clarification requests, exception requests)

– Generate remediation task lists with task owners and action items

– Generate reports for business stakeholders

Figure steps: 1. Administer survey; 2. Respondents – distribute via web; 3. Analyze Results – consolidate responses

Page 37

Key Points

1. Market share & Experience

2. Assessment Coverage

– Asset & Risk Based Approach

– Applications (Active Directory, Databases, MS Exchange, etc.)

– Platforms (Win, Unix, Netware, etc.)

3. Works with & without Agents

– Ease of deployment & management, less TCO

4. Single Integrated Holistic Solution

– Covers IT & Non-IT Governance Requirements

Page 38

Thank You

Sachin Sohani

0438 466 707

[email protected]