Compliance Management
The Challenge
A multitude of internal and external requirements, including PCI, HIPAA, NERC, FISMA and SOX, and frameworks such as COBIT and ISO 27002, are addressed within organizational silos, leading to redundant workflows and an inefficient allocation of resources. Audit workflows are often performed manually, with data captured in numerous disjointed spreadsheets, which increases both error rates and costs. To compensate for the lack of visibility into compliance status across the organization, expensive third-party consulting resources are often brought in to validate compliance and control requirements.
The result is a projected spend of 30 to 50 percent more on compliance than is necessary [1], and many organizations still don't know how compliant they really are. A 2008 survey found that 43 percent of existing access rights were either excessive or should have been retired [2].
To demonstrate compliance and stay competitive, organizations are turning to IT-GRC (governance, risk and compliance) software that centralizes, streamlines and automates their compliance and IT risk management workflows.
The Solution
The solution automates the compliance and IT risk management workflow to reduce the cost of supporting numerous compliance requirements, and ensures that IT risks are prioritized by their potential impact on the business. Key capabilities include risk profiling of IT assets and business interests; use of the Unified Compliance Framework (UCF), which harmonizes IT controls across numerous compliance mandates; automated assessment of technical, physical and procedural controls; and continuous monitoring and reporting to satisfy a diverse IT risk and compliance audience.
By enabling you to understand and manage your IT risk exposure, optimize IT resources, and measure consistently against regulations and corporate governance requirements, the solution helps you demonstrate value to the bottom line.
With the solution, you can:
- Identify
Identify the criticality of IT assets and their role in the support of key business processes, and associate IT risk with key resources.
- Assess
Assess your technical and procedural controls for compliance, using interfaces to third-party tools and Web-based surveys.
- Remediate
Prioritize and address technical and procedural control deficiencies.
- Manage
Create operational and strategic visibility into compliance and IT risk posture across the organization, spanning compliance, IT risk and control environments, with role-based and dashboard reporting.
Sources:
- [1] IT Policy Compliance Group, "Managing Spend on IT Security and Audit for Better Results", February 2009
- [2] Forrester / Enterprise Management Associates, Survey of IT Governance, Risk & Control, 2008
- Map Business Interests to IT Resources - Align business structure including, company organization, revenue centers, key business processes and critical business information, with IT resources including IT assets, business applications, responsible people/roles and core IT processes.
- Identify IT Control Assignments - Identify required IT controls, including technical, procedural and physical, across various IT assets necessary to support internal and external regulations and control standards.
- Harmonize Multiple IT Controls and Compliance Requirements - Leverage the UCF to map multiple regulations to the required IT controls – more than 400 regulations covered in total.
- Identify and Prioritize IT Risks - Identify the criticality of anticipated IT risks in support of business interests and compliance requirements. Supports “what if” analysis.
- Automate the Assessment of Technical Controls - Automatically assess technical controls across a broad IT landscape and correlate the results to identify and prioritize IT risk and to measure adherence to internal and external compliance requirements and IT controls. Integrates with third-party vulnerability assessment tools.
- Centralized Knowledge Repository - Centralize all compliance and assessment data into a single knowledgebase for prioritization and optimization of IT risk remediation efforts.
- Automated Web-based Assessment - Workflow-based surveys collect, monitor and track information on procedural controls.
- Prioritization of Remediation Deficiencies - Identify critical remediation tasks based on risk to the organization and in support of requirements. Utilize Lumension's award-winning security solutions to effectively and efficiently address technical control deficiencies.
- Supporting Evidence Documentation - Append supporting documentation and evidence across workflow-based surveys.
- Assign and Manage Remediation Responsibility - Identify roles and individuals responsible for remediating technical and procedural controls.
- Measure and Report on Multiple Regulations - Deliver measurement and reporting on numerous compliance mandates across industry, government, and internal compliance requirements and best-practice frameworks.
- Compliance and IT Risk Dashboard Reporting - Customize and deliver top down metrics and executive reporting across operational security, IT risk and compliance postures.
- Role-Based Reporting - Produce reports for diverse audiences throughout the organization, including auditors, management and IT operations.
- Aligns IT with Business Strategy - Keeps IT resources, including servers, applications, facilities and personnel, aligned with business strategy.
- Understand Necessary Controls to Ensure Compliance - Ensures that controls across people, process and technology are identified to support specific requirements that an organization must address.
- Streamline Compliance Efforts - Harmonizes multiple internal and external compliance mandates into one framework to reduce the time, resources and costs needed to address multiple IT audits.
- Focus on What Matters Most - Enables IT resources to be prioritized to mitigate the greatest amount of risk to the organization in support of critical regulatory and internal policy requirements.
- Streamline IT Operations - Reduces time and resources required to perform technical control assessment across the organization.
- Consolidate Assessment Data - Reduces disparate collection of data and streamlines IT audit processes.
- Reduce Time to Assess Procedural Controls - Streamlines the assessment and ongoing monitoring of procedural processes and controls.
- Optimize IT Resources - Prioritizes remediation tasks to support critical internal and external compliance requirements.
- Limit Your Liability - Provides documented evidence of compliance for procedural controls.
- Ensure Proper Resources Address Technical and Procedural Controls - Improves audit and compliance workflows by ensuring the right resources are responsible for fixing controls in support of requirements.
- Reduce Time to Report on Compliance - Reports across multiple requirements and frameworks to provide holistic measurement across the entire organization.
- Demonstrate Compliance - Provides customized dashboard reports that deliver the necessary metrics by audience.
- Ensure Visibility for All Stakeholders - Delivers reports that satisfy internal and external auditors and communicate security gaps to IT operations teams as well as to non-technical business stakeholders.