Five Key Elements of Complete IT Compliance
How bridging the SecOps gap can keep even the most complex and dynamic environments fully secure and compliant
bmc.com/compliance
The Goal: Comprehensive configuration compliance
Ensuring complete compliance with regulatory requirements and best practices grows more challenging every day. Existing IT processes and organizations struggle to keep up with the rapid pace of business today, or with the scope of the mandates and threats to be accounted for. Security and compliance teams need to move fast to reduce risk, but run into conflicts with under-resourced operations teams attempting to control change, leading to a SecOps gap between audit and remediation. As a result, it takes too long to resolve even known issues where fixes are documented and available, compromising business requirements for speed and agility.
In the past, the needs of the business have often overruled the requirements of compliance, but in light of recent high-profile security breaches and compliance failures, this attitude is no longer an option. Organizations must modernize their approach to compliance and close the SecOps gap with a strategy designed for today's complex, dynamic IT environments. This includes:
Comprehensive discovery of the entire application infrastructure, including both core and non-core systems as well as unofficial shadow IT applications
Granular, flexible definition of the desired configuration of systems to achieve compliance with regulations and policies
Live comparison of the discovered environment to audit against policies and regulations and identify changes that may trigger a violation
Drift control to automatically remediate errors, identify exceptions, and bring systems back into compliance as necessary
Integrated change management to govern the compliance process within the same context of control, scheduling, and best practices as any other configuration changes
It's a common-sense model, but many IT organizations continue to fall short of this comprehensive approach, relying on disconnected processes and tools that leave the business at risk.
Rising Compliance Challenges and Risks
Configuration compliance is becoming more difficult every day. Rapid technological innovation and change make it difficult to capture accurate system information in real time. Larger, more complex and dynamic IT environments, including expanding use of server, application, desktop, and network virtualization, private and public cloud, and unsanctioned shadow IT, pose new discovery challenges. New industry standards, IT best practices, and emerging threat models expand the scope of compliance.
Meanwhile, data breaches and other security events raise public awareness and lead to increased pressure from corporate leadership.
In Q1 2014, there were more than 250 major security breaches worldwide, two-thirds of which were preventable.
The average cost of a data breach for a company has reached $3.5 million USD.[1]
Violations of PCI DSS governing credit card payments lead to fines up to USD $500,000/incident, $100,000/month, and $90/compromised record.
So why do they take so long to detect and remediate?
More than 80% of attacks target known vulnerabilities.[2]
79% of vulnerabilities have fixes available on the day of disclosure.[3]
Where Compliance Efforts Fall
Discovery:
Incomplete data and out-of-date inventories
Manual business-IT process mapping can't keep up
Shadow IT services remain undiscovered
Definition:
Standards take too much time to develop, implement, and maintain
Incomplete specifications lead to false positives and false negatives
Definitions are disconnected from operational details
Audit:
Partial or dated snapshots miss out-of-band changes
Subjective interpretation leads to inconsistencies
Time-consuming annual audits burden IT
Remediation:
Changes may introduce new issues
IT can't easily verify remediation success or roll back changes
Extensive rework diverts personnel from higher-value work
Governance:
Compliance efforts lie outside established change management
False positives and compliance failures undermine trust
Security and operations teams work against each other
Beyond the hard-dollar cost of fines and penalties for compliance failures:
A false sense of security breeds complacency, leaving the business at risk
Recurring problems lead business executives to lose confidence in IT
Lapses in compliance lead to damaged business relationships, negative publicity, and operational disruption
Labor-intensive approaches erode IT effectiveness and lead to staff frustration and turnover
The SecOps Gap
Security/audit teams and operations teams both play essential roles in compliance. Security identifies problems, but depends on operations to get them fixed. This collaboration can be undermined by the distinctly different viewpoints they hold.
Security/audit (GRC):
Focuses on defining policy and documenting compliance state
Requires rapid change for remediation
IT operations (ITOM):
Focuses on stability and availability above all
Knows change is often risky
While the security/audit group may in some circumstances perform audits, it never makes its own changes. This responsibility remains with the IT operations group.
The IT operations group, however, is reluctant to just dive in and start making changes. After all, one of the first lessons they learn is "if it's not broken, don't touch it." Operations is also responsible for performance and uptime, not just security, so it must compromise between these drivers.
Up to 193 days to resolve security issues.[4]
80% of downtime is due to misconfigurations.[5]
This means that the time between security issue identification and resolution can be a period of weeks or even months.
Any effective approach to compliance must address the SecOps gap head-on. Security needs changes to be made more quickly. IT needs to ensure that these changes won't create new problems. Both sides need a better way to communicate and collaborate with each other.
A More Intelligent Approach
Comprehensive security and compliance depends on an approach designed to account for:
Rapid innovation and constant change, both planned and unplanned
Increasingly complex and diverse environments
Shadow IT services and other hard-to-discover systems
Seamless implementation across the entire compliance cycle, including discovery, definition, audit, remediation, and governance
Continuous monitoring, high visibility, and end-to-end automation to ensure fast, efficient, and effective compliance processes
Discover: Capture a complete understanding of the current state of the environment
Regular automated discovery ensures that compliance efforts cover all relevant applications and infrastructure. While some approaches to discovery focus on core systems, the reality is that non-core systems can provide a bridgehead in the network for attackers. This is even more true for unofficial systems, which may not be properly patched, hardened, and updated. Whether a system is managed by IT or not, it's IT who will be held responsible for any breach it allows.
With Intelligent Compliance, comprehensive discovery captures an inventory that includes both unofficial and unmanaged systems as well as temporary modifications, virtualized assets, and all relevant dependencies, to ensure that the entire environment can be brought into compliance.
Benefits:
Escape the high cost and timelines of traditional manual audits
Eliminate the risks posed by out-of-band systems and changes
Ensure an up-to-date inventory to support real compliance coverage
Define: Create a reference configuration of the desired state
A granular content model allows IT to define the desired compliance or security state by rule, providing flexibility beyond template-based approaches. A library of pre-defined policies such as PCI-DSS, HIPAA, DISA STIG, and SOX, including both audit and remediation capabilities, can be used as templates or customized and extended to meet individual requirements. With greater confidence in the accuracy of audit results, IT can take corrective action more decisively.
Benefits:
Take advantage of a library of pre-defined content to get up and running fast
Adapt existing checks to your own organizational and policy requirements
Create new policies based on real-world reference systems or abstract requirements.
Audit: Compare the discovered environment to the desired state
Ongoing audits are performed automatically against the current live state of the environment, not a configuration snapshot taken prior to the audit, to verify compliance. This live audit streamlines the process by eliminating the need to populate a configuration management database (CMDB) beforehand. IT gains complete visibility into out-of-band changes to avoid hidden risks. Compatibility with other tools and even manual configuration management facilitates seamless adoption.
Benefits:
Audit the full environment, without the limitations of snapshots or populated reference databases
Eliminate the risk of missing recent changes and out-of-band changes with full visibility into live configurations
Deliver live audit results that are trustworthy and actionable, avoiding false positives and negatives
Remediate: Bring systems into compliance while avoiding unintended consequences
By providing a common context to unify audit and remediation, Intelligent Compliance closes the SecOps gap. Targeted, specific changes are made automatically only to the parts of the file that are affected by the compliance violation, rather than simply replacing the entire file. Exceptions can be granted on a granular level, per rule or per server, with an expiration date if desired, and remain fully transparent, designated as compliant with exceptions rather than simply compliant or non-compliant.
Role-based access control and delegation ensure that only approved users execute changes. Rollback makes it simple to return to a known good state if necessary.
Benefits:
Make surgical changes to avoid overwriting other necessary configurations
Define and document exceptions to guide future audits
Get automated verification that changes have achieved compliance
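The Define, Audit and Remediate steps above describe a desired-state model: rules define the target configuration, a live audit compares each rule against the running system, exceptions with an expiry make a deviation "compliant with exceptions" rather than a violation, and remediation touches only the settings that failed while keeping a rollback record. The following is an added illustration of that cycle, written for this page; it is not BMC's code or any product's API. The rule names, the sample live configuration, the exception entries and the change ticket reference are all constructed placeholders.

```python
from datetime import date

# Constructed reference point used by the demo and its checks (an assumption,
# so that exception expiry is deterministic rather than depending on the clock).
TODAY = date(2024, 1, 1)

# Desired state: each rule names a setting and the value it must hold.
# Constructed for this example; the keys mirror SSH/audit hardening checks
# but are not taken from any real policy library.
POLICY = {
    "ssh.permit_root_login": "no",
    "ssh.password_authentication": "no",
    "ssh.max_auth_tries": "3",
    "audit.enabled": "yes",
}

# Live state as a discovery step would report it (constructed). Note the
# unrelated banner setting: surgical remediation must leave it untouched,
# and the missing audit.enabled key, which must count as a violation.
LIVE_CONFIG = {
    "ssh.permit_root_login": "yes",
    "ssh.password_authentication": "no",
    "ssh.max_auth_tries": "6",
    "ssh.banner": "/etc/issue.net",
}

# Granular exceptions, keyed by rule, each with a reason and an optional expiry.
# One is still valid, one has already expired (both constructed).
EXCEPTIONS = {
    "ssh.max_auth_tries": {
        "reason": "legacy jump host, change ticket CHG-XXXX (placeholder)",
        "expires": date(2099, 1, 1),
    },
    "audit.enabled": {
        "reason": "expired waiver, no longer honoured",
        "expires": date(2020, 1, 1),
    },
}


def audit(live_config, policy, exceptions, today):
    """Compare the live configuration to the policy, rule by rule.

    Returns a list of (rule, status, detail) with status one of
    'compliant', 'non-compliant' or 'compliant-with-exception'.
    A missing setting is reported as non-compliant, never skipped.
    """
    findings = []
    for rule, expected in sorted(policy.items()):
        actual = live_config.get(rule)
        if actual == expected:
            findings.append((rule, "compliant", actual))
            continue
        exc = exceptions.get(rule)
        # An exception only counts while it is unexpired (or has no expiry).
        if exc is not None and (exc["expires"] is None or exc["expires"] >= today):
            findings.append((rule, "compliant-with-exception", exc["reason"]))
        else:
            findings.append((rule, "non-compliant", f"expected {expected!r}, found {actual!r}"))
    return findings


def remediate(live_config, policy, findings):
    """Surgical fix: change only the settings with a 'non-compliant' finding.

    Returns (new_config, rollback) where rollback records the previous value
    of every key that was changed (None for keys that did not exist), so the
    last known state can be restored without replacing the whole file.
    """
    new_config = dict(live_config)
    rollback = {}
    for rule, status, _ in findings:
        if status != "non-compliant":
            continue
        rollback[rule] = live_config.get(rule)
        new_config[rule] = policy[rule]
    return new_config, rollback


def rollback_changes(config, rollback):
    """Undo a remediation using its rollback record."""
    restored = dict(config)
    for rule, previous in rollback.items():
        if previous is None:
            restored.pop(rule, None)
        else:
            restored[rule] = previous
    return restored


def summarize(findings):
    """Count findings per status, the figure an audit report would headline."""
    counts = {"compliant": 0, "non-compliant": 0, "compliant-with-exception": 0}
    for _, status, _ in findings:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    before = audit(LIVE_CONFIG, POLICY, EXCEPTIONS, TODAY)
    for finding in before:
        print("before:", finding)
    fixed, record = remediate(LIVE_CONFIG, POLICY, before)
    print("changed keys:", sorted(record))
    print("after:", summarize(audit(fixed, POLICY, EXCEPTIONS, TODAY)))
    print("rollback restores original:", rollback_changes(fixed, record) == LIVE_CONFIG)
```

Two design points carry the page's argument: the audit loop treats an absent setting as a violation rather than silently passing it, and the rollback record holds only the keys that remediation actually changed, which is what lets a change-management process verify or reverse a remediation without disturbing neighbouring configuration.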
Govern: Leverage established change management systems and processes
Compliance can't come at the expense of business support. IT needs to make changes with full visibility into their implications for the business, and govern these processes in a way that minimizes their impact, such as not rebooting servers in the middle of a payroll run.
By integrating Intelligent Compliance with helpdesk and ITSM solutions like BMC Remedy, you can ensure that remediation efforts are subject to the same change management processes as any other configuration changes.
Compliance teams can reassure operations and other stakeholders that compliance remediation will not pose risks to the production environment or interrupt essential services at inopportune times.
Benefits:
Require human approval for more sensitive changes while automating more routine changes
Enforce change windows and avoid collisions
Capture full documentation and step-by-step audit trails
What Intelligent Compliance Can Mean to Your Organization
Bridge the SecOps gap:
Build trust between security and operations
Ensure more rapid remediation for compliance
Avoid conflicts and problems from remediation efforts
Improve IT effectiveness:
Increase compliance and security coverage and audit frequency
Reassign staff from defensive activities to high-value tasks with immediate business value
Reposition IT as a driver of differentiation through high-performance digital business processes
Reduce costs:
Achieve compliance goals with less effort
Release and redirect resources previously consumed by compliance
Avoid costs:
Avoid penalties for non-compliance
Avoid costs (material and reputational) associated with security breaches
Achieve full visibility:
Capture up-to-date and trustworthy information to guide decision-making
Generate compliance documentation for auditors automatically
Real-world Benefits
Major wireless provider: Reduced server audit cycle time from 2 months to 5 days.
Major international bank: Achieved 100% automation of server build compliance, reducing staffing needs by 1 FTE for this task alone.
Public sector organization: Achieved 95% cost reduction, 98.4% cost avoidance while saving 46,741 hours/year in labor.
Major consumer brand: Reduced time for CIS policy audit on 600 Windows servers from several months to 2 hours. Achieved 75% time savings remediating non-compliant servers.
US healthcare provider: Reduced time to audit and remediate 400 servers from 4 weeks to 10 minutes.
Learn more
Contact your BMC Software representative or go to to learn more about implementing Intelligent Compliance to accelerate the value of your compliance initiatives.
Sources:
1. Ponemon Institute. (2014). 2014 Cost of Data Breach: Global Analysis. Retrieved from ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
2. F-Secure. (2013). Companies Risking Their Assets with Outdated Software. Retrieved from 2.f-secure.com/en/web/corporation_global/news-info/product-news-offers/view/story/915562/
3. Secunia Research. (2014). The Secunia Vulnerability Report. Retrieved from secunia.com/?action=fetch&filename=PSI-Country-Report-(US)-(2014Q1).pdf
4. WhiteHat Security. (2013). Website Security Statistics Report May 2013. Retrieved from whitehatsec.com/assets/WPstatsReport_052013.pdf
5. Gartner Group. (1999). Making Smart Investments to Reduce Unplanned Downtime. Retrieved from gartner.com/doc/304512/