BUILDING BEST OF BREED eGRC SOLUTION


Transcript of BUILDING BEST OF BREED eGRC SOLUTION

Page 1: BUILDING BEST OF BREED eGRC SOLUTION

1 © Copyright 2012 EMC Corporation. All rights reserved.

BUILDING BEST OF BREED eGRC SOLUTION

With RSA Archer and Qualys

Jason Creech, Director, Policy Compliance, Qualys

Laurie DiPietratonio, Technical Account Manager, Qualys (formerly CVS)

Page 2: Agenda

Why Automate
– Increased Regulatory Requirements
– Communication and Awareness Challenges
– Increased Visibility and Avoidance of Findings

Evolve a Vulnerability Management Program with eGRC Integration
– Case Study and Lessons Learned

Q & A

Page 3: Automation of Manual IT Security Processes: Regulatory Landscape (U.S.)

Driving Force Behind IT Security Software

Seeing more standards, frameworks and regulations, many of them industry specific…

Still no standardization, even though many of these regulations are over a decade old…

Timeline of regulations, frameworks and standards (1990s; 2000 and beyond):

– FDA 21 CFR Part 11 (Pharma)
– HIPAA Security Rule
– EU Data Protection Directive
– GLBA
– FFIEC IT Exam Handbook
– PIPEDA (Canada)
– FDCC/SCAP
– NIST SP 800-53
– PCI Data Security Standard
– EC Data Privacy Directive
– ISO 17799 / 27001 / 27002
– FISMA 2002
– Basel II (III) Accord
– Sarbanes-Oxley
– NERC 1, 2, 3, 4…
– California SB 1386 Privacy
– ITIL v3

Page 4: Challenges of a Compliance Framework: IT Compliance (Security) Policy Basics

Simple Compliance Framework (from high level to detailed level):

– Regulations, Frameworks, Standards: SOX, HIPAA, GLBA; CoBIT, COSO; ISO 17799; PCI, NIST, NERC
– Policies, Standards, Business Requirements
– Controls (Manual/Automatic)
– Procedures and Guidelines (Detail, Enforcement)

Example: “Vulnerable Processes must be eliminated..” → CID 1130: The telnet daemon shall be disabled. AIX 5.x technology: Telnet streams are transmitted in clear text, including usernames and passwords…

Roles and stakeholders: SME (Control Implementation, GRC Vendor, Data Harvesting Vendors); Business Unit Managers and Compliance Audit; Security Operations
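As an added example (not code from the slides, Qualys or Archer), the control on this slide can be turned into an automated check: on AIX, telnetd is started by inetd, so a script can read /etc/inetd.conf and report CID 1130 as PASS or FAIL. The inetd.conf contents, host names and the result-record shape below are constructed assumptions.

```python
"""Automated check for the slide's example control: "The telnet daemon
shall be disabled" (CID 1130, AIX 5.x). On AIX, telnetd is launched by
inetd, so an active (uncommented) telnet line in /etc/inetd.conf means
the control fails. All inetd.conf content here is constructed sample data."""

# Constructed sample: a non-compliant host where telnet is still active.
SAMPLE_INETD_CONF_FAIL = """\
# AIX inetd configuration (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
#shell  stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
"""

# Constructed sample: the same host after the telnet line was commented out.
SAMPLE_INETD_CONF_PASS = SAMPLE_INETD_CONF_FAIL.replace("\ntelnet ", "\n#telnet ")


def active_inetd_services(inetd_conf: str) -> set:
    """Return the names of services inetd would actually start.

    Blank lines and comment lines are skipped; the service name is the
    first whitespace-separated field of each remaining line.
    """
    services = set()
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        services.add(stripped.split()[0])
    return services


def check_cid_1130(inetd_conf: str, host: str) -> dict:
    """Evaluate control CID 1130 (telnet daemon disabled) for one host.

    The result dict is a constructed, vendor-neutral shape; it is not the
    Qualys API or Archer data feed format, which the slides do not show.
    """
    active = active_inetd_services(inetd_conf)
    return {
        "host": host,
        "control_id": "CID 1130",
        "status": "FAIL" if "telnet" in active else "PASS",
        "evidence": sorted(active),  # services found active in inetd.conf
    }


if __name__ == "__main__":
    for name, conf in (("aix-host-a", SAMPLE_INETD_CONF_FAIL),
                       ("aix-host-b", SAMPLE_INETD_CONF_PASS)):
        print(check_cid_1130(conf, name))
```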

Page 5: Why Automate? Increased Visibility and Integrity of Data

[Chart: manual audit sampling methods (Manual Audit A and Manual Audit B on a six-month audit schedule) versus software-assisted automated audits (A through I), each plotted against the probability of compliance drift.]

Avoid treating audits as a discovery exercise; audits should be a confirmation exercise!

Page 6: Delivering a Global & Continuous View of Security and Compliance

Integration of VM with IT-GRC – Automates the collection of security and compliance data with customizable policies, questionnaires and workflows, helping organizations to expedite compliance

Benefits
– Agent-less compliance auditing supporting multiple regulatory mandates
– Customizable questionnaires and workflows to evaluate controls, gather evidence and validate compliance
– Seamless integration with the Archer GRC solution

Page 7: QualysGuard API Integration with Archer

Data flow from scanning to IT GRC:

– Business Process, e.g. Business Service: Automated Funds Transfer
– Technical Infrastructure: Operating System, Database, Web Application, Network, Perimeter
– Technical Data Collection via Scanning
– Qualys API → Archer Data Feed Manager
– IT GRC Process Management: Vulnerability and Threat Data; IT Configuration Compliance Data

Page 8: Case Study

Integration Use Case at America’s Leading Retail Pharmacy

Page 9: What Makes a Strong Vulnerability Management Program?

– Technology
– Strategy
– Process
– Awareness

Page 10: Technology

Page 11: Why a VM Program?

Our expanded QualysGuard deployment offers us:

– An automated lifecycle for network auditing and vulnerability management across the enterprise
– Network discovery and mapping
– Asset prioritization
– Vulnerability assessment reporting
– Remediation tracking
– Faster, more frequent scanning

Page 12: Strategy

Page 13: Two-Part Strategy

Strategy 1: The Program Strategy – Implementing a strong Vulnerability Management Standard, with executive sponsorship

Strategy 2: The Enterprise Strategy – Incorporate your Vulnerability Management in the greater Information Security Program

Page 14: Process

Page 15: Why eGRC?

– Workflow
– Tailored solution for our enterprise
– Metrics – Dashboards and Reporting
– Promotion – increased end-user awareness and involvement

Page 16: Awareness

Page 17: Awareness

– Program Coordinator
– Remediation SME Support
– Weekly Remediation Meetings
– Information Repository
– Regular Trainings
– Regular Email Communications
– Senior Management Briefings

Page 18: The Newly Restructured Program Achieved the Following

– Remediation owners' active participation led to greater completion rates
– The program had 10% better on-time completion metrics for Q3 and 15% better for Q4 than in prior quarters
– Senior management's better understanding allowed the program to influence other program processes across the enterprise
– We expanded our scope and were scanning more assets than ever before
– We were able to provide actual metrics to rate performance

Page 19: Thank you.