Introduction to QualysGuard IT Compliance SaaS Services Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Upload: trantram

Post on 29-Aug-2018



A Unified and Continuous View of ICT Security, Risks and Compliance

Device & Application Security

The QualysGuard Cloud Platform and suite of integrated applications allows enterprises to discover and catalog all IT assets, and provides them with a continuous view of their security and compliance posture on a global scale.

Benefits

• Fully automated continuous asset discovery, security & compliance assessments.

• Up-to-date security intelligence with no software to install and maintain.


IT-GRC Automation

The QualysGuard Cloud Platform and suite of integrated applications automates the collection of security and compliance data with customizable policies, questionnaires and workflows, helping organizations to automate and expedite compliance.

Benefits

• Automated & agent-less compliance auditing supporting multiple regulatory mandates.

• Customizable questionnaires and business workflows to evaluate controls, gather evidence & validate compliance.

• Seamless integration with enterprise GRC solutions.

QualysGuard® SaaS Applications

QualysGuard SaaS Technology Platform: Scanners & Collectors; Open APIs, Web Services & Integrations; Enterprise, SMB and Freemium Services; QualysGuard On Demand Portal

Analyze

− Vulnerability Mgmt.

− Web App Scan

− Malware Detection

− SSL Labs

− Zero days analyzer

Monitor

− Web Application Logs

− Botnet Detection*

Comply

− Policy Compliance

− PCI Compliance

− Qualys Seal

− SCAP / FDCC

− Compliance Mgmt*

Prevent

− Web App. Firewall*

QualysGuard Suite of Security & Compliance Applications

Qualys Policy Compliance Management

• Audits and documents compliance against external regulations & company internal policies

• Supports major security frameworks & regulations

• Controls library pre-mapped to frameworks such as CIS, COBIT, ISO27001:2005, HIPAA, ITIL, etc.

• Agent-less – 100% SaaS

• 2300+ controls over 50 platforms

• User-defined controls for Win/Unix

QualysGuard Policy Compliance Module Introduction

Regulations & Corporate Objectives

• Government Regulations

− National Legislation

− International Legislation

• Industry Regulations

− PCI-DSS

− BASEL II

− SOX

• Company Security Policies

− Global Company Security Policy

− Internal Security Standards

Control Objectives based on Frameworks & Standards

• COBIT 4.0/4.1, CIS, NIST-SP800-53, ISO 17799/27001

Set of relevant IT Controls & Specific Policies

• Non-technological

− Physical Security Controls

− Personal Security Controls

• ICT-technological

− OS Configuration Controls

− Application Access Controls

• Process Controls

− Change Mgmt Controls

− HR Recruit Controls

QualysGuard Policy Compliance – Policy Compliance process lifecycle workflow

Inputs: external & internal company security policies, OS and application security standards, and the company security policy structure.

− Map to QG Compliance Controls Catalogue

− Create policies based on compliance needs

− Assign policy to relevant assets

− Create compliance policy reports

− Compliance scan

− Create/manage exceptions

QualysGuard Policy Compliance – Compliance Categories, Frameworks and Technologies

Compliance Categories

− Security Management

− Authentication

− Access Control

− Services

− Network Security

− Antivirus/Malware

− Integrity/Availability

− Application Control

− Encryption

Technologies

− Win XP, Vista, Windows 7, Win2000, 2003, 2008 Server, RedHat, SUSE, CentOS, AIX, HPUX, Solaris, VMWare ESX, Oracle, MS SQL, CISCO, ...

Frameworks

− CIS, COBIT 4.0/4.1, ISO 17799 / 27002:2005, NIST SP800-53, ITIL 2,3

Compliance Regulations

− PCI-DSS, HIPAA, FFIEC, SoX 440 via Cobit mapping

QualysGuard Policy Compliance – Control anatomy and categorization

Customizable Questionnaires for PC – Beta available: http://www.qualys.com/forms/questionnaires/

Custom Questionnaires

Enables customers to easily build questionnaires using the Unified Compliance Framework (UCF), as well as leverage existing business process workflows to evaluate controls, gather documents and evidence and validate compliance.

Benefits

• Automation of manual assessments

• Ability to define/customize audit workflow

• Industry-leading policy repository of nearly 1000 standards and regulations via UCF

Qualys PCI-DSS Compliance

• PCI Council ASV certified

• Used by 65% of ASV-certified and 49% of QSA-certified companies

• Automates PCI Compliance

− Periodic network discovery scans

− Periodic external scans for vulnerabilities

− Complete annual “Self-Assessment Questionnaire”

• Generates proof of PCI Compliance & attestation to submit to acquiring banks

• Delivers full ASV service

− ASV-certified quarterly reports

− ASV support and insurance

− False-negative priority handling

QG PCI Compliance module Introduction

PCI DSS = Payment Card Industry Data Security Standard

QualysGuard PCI is certified by the PCI Council with certificate number 3728-01-02

− PCI for Merchants portal GUI

− PCI for Acquiring Banks portal GUI

QualysGuard PCI deployment – fully accepted by QSAs and Card Brands

− Of 161 certified PCI QSAs, 79 use Qualys (49%)

− Of 147 certified PCI ASVs, 98 use Qualys (67%)

− 1500+ customers are testing 500,000 IPs for PCI-DSS compliance

QG PCI Compliance Workflow

Qualys provides a full ASV service:

• Network mapping & vulnerability scanning attestation

• ASV Scan Final Certification report (Executive and Technical)

• PCI Self-Assessment Questionnaire

• ASV insurance

• ASV support

QG PCI Compliance GUI

QG PCI Interactive Reporting (Web 2.0)

QG PCI - SAQ

QG PCI Compliance SAQ – Import Evidence Capability

• Users can now upload and attach evidence to support SAQ validation in multiple formats including PDF, ZIP, DOC and images

• The same evidence file can be attached to multiple questionnaires and requirements

PCI Report Templates – Downloadable & Online

QualysGuard PCI – Acquiring Bank GUI: Compliant Questionnaire and No Scan

• Consolidated view of all Merchants and their Compliance Status regardless of Qualys Partner

• Submit Date and Next Due Date available by clicking Compliance Details

• Download Questionnaire Report

• Download Report on all Merchants

Free SSL Labs Audit Service

Audit the implementation of the SSL protocol on your Web server:

• Certificate Validity and Trust

• SSL Protocol version support

• Encryption Cipher Strength

• Encryption Key Exchange

• SOLUTION description

• Risk of Attack description

Register here: http://www.ssllabs.com

Qualys Global Community – Join us at https://community.qualys.com

[Chart: Total Members of the Qualys Global Community, plotted monthly from 24 July through 24 December of the following year; y-axis from 0 to 4500]

CSO Interchange Events Coming to a City Near You: http://www.csointerchange.org

Qualys Security Conferences ‘12 – Las Vegas, Munich, London and Paris: http://www.qualys.com/qsc

Thank You [email protected]