IT Compliance and Governance with DLP Controls and Vulnerability Scanning Software

Delivering on the Promise. By: Brian Rosenfelt, CPA And Joseph Compton, CISSP, CISA IT Compliance and Governance with DLP Controls and Vulnerability Scanning Software February 16, 2012


Overview of data loss prevention controls and vulnerability scanners

Transcript of IT Compliance and Governance with DLP Controls and Vulnerability Scanning Software

Page 1:

IT Compliance and Governance with DLP Controls and Vulnerability Scanning Software

Delivering on the Promise.

By: Brian Rosenfelt, CPA and Joseph Compton, CISSP, CISA

February 16, 2012

Page 2:

Security Software Agenda

• Data Loss Prevention Controls
  • Aids in policy development
  • Helps identify data to be protected
  • Provides real-time incident response tickets
  • Provides centralized audit reports

• Vulnerability Scanners
  • Identify network device weaknesses
  • Used to validate machine configuration
  • Used to identify missing patches

Page 3:

Data Loss Prevention Controls: The Software

• DLP tools have been around for a long time
  • Expensive
  • Geared toward a single task
  • Poor alerting

• New unified platforms are coming online
  • Comprehensive approach
  • Unified exception and audit reporting
  • Real-time incident response

• Controls can be configured to function as
  • Detective
  • Corrective
  • Preventive

Page 4:

Organizational Challenges: Data in Motion

• What is the confidential data?
• Where is the confidential data stored?
• Where is the confidential data going?
• Can the controls enforce data use policies?

Page 5:

Enterprise Data Protection and Governance: What can these tools protect?

• Email encryption
• Content profiling
• Web filtering
• End-point protection
• Document management
• Fingerprinting
• Employee monitoring

Page 6:

Security / DLP: Multiple endpoints

• Storage drives (CD, DVD, USB)
• Print devices
• Websites
• Home networks
• Screen capture
• Clipboard monitoring
• Content profiling

Page 7:

Our DLP Solution: CTH Technologies Secure Care

• Agent-based technology
• Works on and off the network
• Locks down the desktop with policy enforcement
• Policies travel with the endpoint

Page 8:

Define confidential data policy -> Run scan and discover exposed data -> Enforce policy by automatically protecting files -> Report on risk and compliance -> Remediate incidents

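The discovery and enforcement loop above, together with the content profiling and fingerprinting features listed on page 5, in working form. This is an added example and not code from the deck or from CTH Secure Care: it defines a hypothetical policy of two patterns (SSN, and payment card numbers validated with the Luhn checksum so that random digit runs are not flagged), registers a shingle fingerprint of one known confidential document, scans a constructed set of files, and maps the deck's detective / corrective / preventive control modes to an action. Every function name, pattern and sample record is an assumption made for the example.

```python
"""Added example (not CTH Secure Care code): a minimal DLP discovery loop.
Policy -> scan -> findings -> enforcement action, using two detection
techniques a DLP agent relies on: pattern matching with a checksum to cut
false positives, and shingle fingerprints of known confidential documents.
All names, patterns and sample data below are hypothetical."""
import hashlib
import re

# 1. Define the confidential-data policy (hypothetical patterns).
# SSN: reject area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card: 13-19 digits with optional space/hyphen separators; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Control mode from the deck: detective (log), corrective (tag/encrypt), preventive (block).
ACTIONS = {"detective": "log", "corrective": "tag-and-encrypt", "preventive": "block"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: most random digit runs that match CARD_RE fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Structured-data hits by type; card candidates must also pass Luhn."""
    hits = {"ssn": SSN_RE.findall(text), "card": []}
    for cand in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", cand)
        if luhn_ok(digits):
            hits["card"].append(digits)
    return hits


def fingerprint(text: str, k: int = 5) -> set:
    """SHA-256 digests of k-word shingles of normalised text: the fingerprint
    registered for a known confidential document."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 1))}


def fingerprint_overlap(known: set, text: str, k: int = 5) -> float:
    """Fraction of the registered document's shingles present in text; survives
    partial copy-paste and reordering, unlike a whole-file hash."""
    return len(known & fingerprint(text, k)) / len(known) if known else 0.0


def scan(name: str, text: str, known: dict, threshold: float = 0.5) -> list:
    """Discovery step: findings for one file or message body.
    Matched values are masked so the report itself does not leak the data."""
    findings = []
    for kind, values in find_pii(text).items():
        for v in values:
            findings.append({"source": name, "type": kind,
                             "value": v[-4:].rjust(len(v), "*")})
    for doc, fp in known.items():
        score = fingerprint_overlap(fp, text)
        if score >= threshold:
            findings.append({"source": name, "type": "fingerprint",
                             "value": doc, "score": round(score, 2)})
    return findings


def enforce(findings: list, mode: str) -> str:
    """Map the deck's control mode to the action taken on the transfer."""
    return ACTIONS[mode] if findings else "allow"


# Constructed sample data (not real records) so the example runs offline.
KNOWN_DOCS = {
    "q4-forecast.docx": fingerprint(
        "Q4 revenue forecast projects twelve percent growth driven by the "
        "enterprise segment while margins remain flat due to hiring plans"),
}
SAMPLE_FILES = {
    "notes.txt": "Call Bob about the vendor lunch on Tuesday. Nothing sensitive here.",
    "export.csv": "name,ssn,card\nAlice,123-45-6789,4111 1111 1111 1111\n",
    "email-draft.txt": "FYI: the Q4 revenue forecast projects twelve percent growth "
                       "driven by the enterprise segment while margins remain flat, "
                       "see attached.",
}


def run_discovery(files: dict = SAMPLE_FILES, known: dict = KNOWN_DOCS,
                  mode: str = "preventive") -> dict:
    """Scan every file and return {name: (findings, action)}."""
    return {name: (f, enforce(f, mode))
            for name, text in files.items()
            for f in [scan(name, text, known)]}


if __name__ == "__main__":
    for name, (findings, action) in run_discovery().items():
        print(f"{name}: {action}")
        for f in findings:
            print("   ", f)
```

The Luhn check and the shingle threshold are where the false-positive rate is tuned: without Luhn, any 16-digit invoice or tracking number would trip the card rule, and a whole-file hash would miss the forecast text once it is pasted into an email with a greeting in front of it.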
Page 9:

Employee sends confidential data -> Detects or prevents incident -> Notifies employee -> Report on risk and compliance -> Workflow automates remediation

Page 10:

Employee sends confidential data -> Detects incident -> Tags email message (tag: SENSITIVE) -> Automatically encrypts tagged messages -> Report on risk and compliance

Page 11:

Page 12:

CTH Demo

Page 13:

CTH DLP Summary: Business Intelligence

• Behavioral Analytics
• Employee Monitoring
• Employee Activity / Productivity Reports
• Software Audit Reporting
• Usage Report
• Compliance Report

Page 14:

CTH DLP Summary: DLP solutions should

• Capture and Monitor
  • Desktop Data
  • Customer and Employee Data
  • Application Performance Data

• Analyze Data
  • User
  • Machine
  • Application

• Risk Mitigation / Compliance

Page 15:

SAINT Security Scanner

• Besides being a tool for security testers, auditors can leverage the SAINT Security Scanner to:
  • Review network device configuration
  • Perform security patch audits
  • Test for PCI compliance (Payment Card Industry)
  • Test for FISMA compliance (Federal Information Security Management Act)
  • Test for HIPAA compliance (Health Insurance Portability and Accountability Act)
  • Test for NERC compliance (North American Electric Reliability Corporation)

Page 16:

What Can SAINT Do? Compliance Features

• Besides the compliance checks above, SAINT can also run OVAL (Open Vulnerability and Assessment Language) vulnerability and inventory tests
• XCCDF and SCAP content (NIST Extensible Configuration Checklist Description Format and Security Content Automation Protocol)
• Import checklists from the National Vulnerability Database / National Checklist Program repository:

http://web.nvd.nist.gov/view/ncp/repository
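What an auditor actually does with the XCCDF/SCAP output such a scanner produces, as an added example that is not SAINT's code or its report format: parse the XCCDF 1.2 TestResult element, count results per rule, compute a simple pass rate over the rules that were actually checked, and list the failing rules ordered by severity. The result XML and the rule identifiers are constructed for the example; the namespace and element names (TestResult, target, rule-result, result) are those of the XCCDF 1.2 schema.

```python
"""Added example (not SAINT code): turn an XCCDF 1.2 TestResult into an
audit-style compliance summary. The result XML and rule ids are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
# XCCDF result values that count towards the pass rate. notapplicable,
# notselected, notchecked and informational are reported but not scored.
SCORED = {"pass", "fail", "fixed", "error", "unknown"}
PASSING = {"pass", "fixed"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

# Constructed scanner output (hypothetical rule ids, fictional host).
SAMPLE_RESULT_XML = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_scan1"
            start-time="2012-02-16T09:00:00" end-time="2012-02-16T09:05:00">
  <target>fileserver01.example.local</target>
  <rule-result idref="xccdf_org.example_rule_critical_patches_current" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_password_min_length" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_guest_account_disabled" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_smb_signing_required" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_wireless_disabled" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_logon_events" severity="low">
    <result>error</result>
  </rule-result>
</TestResult>
"""


def parse_results(xml_text: str) -> dict:
    """Extract target and per-rule results from a TestResult, given either
    bare or wrapped in a Benchmark element."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag.endswith("}TestResult") else root.find("x:TestResult", NS)
    if tr is None:
        raise ValueError("no XCCDF TestResult element found")
    rules = [{
        "rule": rr.get("idref"),
        "severity": rr.get("severity", "unknown"),
        "result": rr.findtext("x:result", default="unknown", namespaces=NS).strip(),
    } for rr in tr.findall("x:rule-result", NS)]
    return {"id": tr.get("id"),
            "target": tr.findtext("x:target", default="?", namespaces=NS),
            "rules": rules}


def summarise(parsed: dict) -> dict:
    """Counts per result value, a pass rate over scored rules, and the failing
    rules ordered by severity. error/unknown count as failures: an auditor
    cannot accept a control that could not be checked."""
    counts = Counter(r["result"] for r in parsed["rules"])
    scored = [r for r in parsed["rules"] if r["result"] in SCORED]
    passed = [r for r in scored if r["result"] in PASSING]
    failing = sorted((r for r in scored if r["result"] not in PASSING),
                     key=lambda r: SEVERITY_ORDER.get(r["severity"], 99))
    return {"target": parsed["target"],
            "counts": dict(counts),
            "pass_rate": round(len(passed) / len(scored), 3) if scored else None,
            "failing": failing}


def report_lines(summary: dict) -> list:
    """Plain-text report: three header lines, then one line per failing rule."""
    rate = summary["pass_rate"]
    lines = [f"Target: {summary['target']}",
             "Pass rate (scored rules): " + ("n/a" if rate is None else f"{rate:.0%}"),
             "Results: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["counts"].items()))]
    for r in summary["failing"]:
        lines.append(f"  [{r['severity'].upper():6}] {r['rule']}: {r['result']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(summarise(parse_results(SAMPLE_RESULT_XML)))))
```

The pass rate here is a flat ratio over checked rules, which is what an audit workpaper usually wants; it is not the XCCDF default scoring model, which weights rules and groups, so the number will differ from the score element a scanner writes into the same file.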

Page 17:

What else is out there? Other Scanning Tools and Resources

• A list of SCAP-validated scanners:

http://nvd.nist.gov/scapproducts.cfm

• Other DLP vendors: Code Green Networks, Websense, Axway, and SMARSH

Page 18:

Summary: What We Learned

• There are a variety of automated controls available
• Each type can be used to speed up policy and procedure development
• Auditors, like security testers, should have access to these tools
• The right toolset should be customizable for any environment or reporting criteria

Page 19:

Our Philosophy

• Clients - Provide premier business services to our clients
• Employees - Foster an environment that maximizes personal and professional growth
• Business Contacts - Maintain the highest ethical standards
• Community - Enhance the future of our community

Whether seen by our clients, employees, business contacts or community, our identity is the symbol of a promise delivered with enthusiasm, innovation, teamwork, drive and commitment.

Page 20:

Questions?