Overview of Spectra, a Compliance Spectrum Product

Presented by:

Novalis & Partners November 2007

About the Mission of Compliance Spectrum

Provide IT Governance, Risk and Compliance solutions that automate the compliance lifecycle from policy identification to implementation and remediation. Dramatically lower the cost of compliance and reduce business risk.

2007 © Compliance Spectrum. All rights reserved.

Spectra Function Overview

• Compliance Mapping
– Identify gaps between controls and evidence
– Link to existing system, network and security management systems
– Record manual or paper-based processes

• Policy Management
– Extensive database of regulations, best practice frameworks and control statements
– Workflow management for coordination and dissemination of policies

• Audit Management
– Plan and manage issues and close audits
– Cross-organization resource planning


Function Overview (continued)

• Reporting
– Pre-formatted reports available
– User defined reports

• Task Management
– User generated, with email notification
– System generated email notification for Policy, Audits, and Compliance Evidence

• User Administration
– Role Based Access Control
– User defined access and work groups


Spectra Lite Architecture

Create a single, centralized control and policy repository… using your own framework and content

…a comprehensive compliance evidence ‘locker’...

Architecture diagram (labels recovered from the slide):
• Control and Policy Library, fed by Attestations, Assessments and Policy Awareness Tracking
• Automated mapping and Continuous monitoring into a Compliance Evidence Repository
• Evidence sources: IAM tools, SIEM tools, Network VA tools, Host VA tools, Change / config mgmt tools


Planning compliance management

Planning
• Identify Relevant Regulatory Requirements
– Identify relevant federal or international legislation, industry standards, or national, state, and local directives affecting the Company
• Define Confidential Information
– Identify information that is considered sensitive due to compliance, legal, or competitive reasons
• Identify Critical Business Processes
– Understand from a risk perspective which business processes are essential to the Company’s revenue and continuing operations and may contain sensitive information
• Identify Critical Business Applications
– Identify which information systems or technologies support the critical business processes


Spectra Compliance Management

Framing
• Select Framework
– For multi-regulatory environments, a common or underlying framework is recommended: ISO 17799©, COBiT©, ITIL, etc.
– Selection of a framework will be influenced by: type of industry, legal requirements, regulatory requirements
• Select Relevant Regulations
– Identify relevant regulations and sections based on the risk tolerance of the organization
• Identify Compliance Maps
– A compliance map is equivalent to a matrix that defines the appropriate controls and associates the proof of implementation of those controls
– A compliance map can represent the controls applicable to a business process or unit, an application, a facility, a regulation, or a specific role
– Map scope is influenced by: critical business processes, size of organization, modus operandi, culture, size of staff to manage compliance

Building
• Identify Relevant Policy
– Relevant policy, procedures, or standards are those existing and approved documents that support the safeguards or controls identified in the compliance map(s)
• Map Evidence to Compliance Map Controls
– Evidence is proof of implementation and is correlated to relevant controls. Controls and evidence should be based on risk
• Identify Gaps in Compliance Maps
– Identify gaps (1) between existing policy and framework and (2) between policy and proof of implementation
• Identify Relevant Audit Findings
– Review outstanding audit findings to prioritize which ‘gaps’ to fill first and to assist in determining appropriate controls and evidence


Finishing and Monitoring
• Create/Update Policy
– Finishing means filling in the gaps by creating new policy, updating existing policy, or adding required procedures, standards, or guidelines
• Create or Schedule Missing Evidence
– Evidence is policy, procedures, standards, attestations, reports from existing security event monitoring tools, vulnerability assessments, board minutes, awareness presentations, etc. This is information collected from the user’s environment
– Collection of evidence should be conducted on a routine basis. Spectra identifies evidence that is overdue and requires updating or refreshing
• Continuously Monitor
– Continuous monitoring is critical to maintaining compliance. Evidence that is not current or missing may indicate non-compliance
– Associating a risk impact with a control or piece of evidence will aid in determining the level of non-compliance and in achieving continuous monitoring
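The compliance map described in the Framing, Building and Finishing slides is a matrix of controls against the policies that back them and the evidence that proves implementation; the two gap types (no policy behind a framework control, no proof behind a policy) and the overdue-evidence check from continuous monitoring fall out of that structure directly. The Python below is an added illustration, not Spectra's code or data model: the control identifiers, policy and evidence names, risk scores and dates are constructed for the example, and the one-process map scope is an assumption.

```python
"""Toy compliance map: controls x (policy, evidence) with gap and staleness checks.

Added example; not Compliance Spectrum's code. Control IDs, policy and
evidence names, risk scores and dates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class Evidence:
    name: str              # e.g. a SIEM report, an attestation, board minutes
    last_collected: date   # when it was last pulled from the environment
    refresh_days: int      # how often it must be refreshed to stay current


@dataclass
class Control:
    control_id: str        # identifier in the chosen framework (constructed)
    description: str
    risk_impact: int       # 1 (low) .. 5 (high); used to prioritise gaps
    policies: List[str] = field(default_factory=list)       # approved documents backing the control
    evidence: List[Evidence] = field(default_factory=list)  # proof of implementation


# Map scope here: one business process ("payroll"); all values are constructed.
COMPLIANCE_MAP: Dict[str, Control] = {
    "AC-01": Control("AC-01", "Access to payroll system is role based", 5,
                     policies=["Access Control Policy v2"],
                     evidence=[Evidence("IAM role review export", date(2007, 9, 1), 90)]),
    "LG-02": Control("LG-02", "Security events on payroll hosts are logged and reviewed", 4,
                     policies=["Logging Standard"],
                     evidence=[Evidence("SIEM weekly review report", date(2007, 11, 5), 7)]),
    "VA-03": Control("VA-03", "Payroll hosts are scanned for vulnerabilities quarterly", 3,
                     policies=["Vulnerability Management Procedure"],
                     evidence=[]),   # policy exists but there is no proof of implementation
    "AW-04": Control("AW-04", "Payroll staff receive annual security awareness training", 2,
                     policies=[],    # framework control with no approved policy behind it
                     evidence=[Evidence("Awareness presentation sign-in sheet", date(2006, 10, 1), 365)]),
}

# Reporting date for the monitoring run (constructed).
AS_OF = date(2007, 11, 30)


def policy_gaps(cmap: Dict[str, Control]) -> List[str]:
    """Gap type (1): framework controls with no approved policy behind them."""
    return sorted(cid for cid, c in cmap.items() if not c.policies)


def evidence_gaps(cmap: Dict[str, Control]) -> List[str]:
    """Gap type (2): controls that have a policy but no proof of implementation."""
    return sorted(cid for cid, c in cmap.items() if c.policies and not c.evidence)


def overdue_evidence(cmap: Dict[str, Control], as_of: date):
    """Evidence past its refresh interval; stale evidence may indicate non-compliance.

    Evidence whose due date falls exactly on as_of is still current.
    Returns (control_id, evidence_name, days_overdue) tuples.
    """
    overdue = []
    for cid, c in cmap.items():
        for ev in c.evidence:
            due = ev.last_collected + timedelta(days=ev.refresh_days)
            if due < as_of:
                overdue.append((cid, ev.name, (as_of - due).days))
    return sorted(overdue)


def prioritized_gaps(cmap: Dict[str, Control], as_of: date):
    """All open findings ordered by risk impact (highest first), then control id."""
    findings = []
    for cid in policy_gaps(cmap):
        findings.append((cmap[cid].risk_impact, cid, "no policy"))
    for cid in evidence_gaps(cmap):
        findings.append((cmap[cid].risk_impact, cid, "no evidence"))
    for cid, name, days in overdue_evidence(cmap, as_of):
        findings.append((cmap[cid].risk_impact, cid, f"evidence overdue: {name} ({days} days)"))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


if __name__ == "__main__":
    for impact, cid, issue in prioritized_gaps(COMPLIANCE_MAP, AS_OF):
        print(f"risk {impact}  {cid}  {issue}")
```

Run as a script, the report lists the logging control first (highest risk impact with stale weekly evidence), then the scanning control with no evidence, then the awareness control twice (stale sign-in sheet and no policy). Attaching the risk impact to the control rather than to each finding is what lets both gap types and overdue evidence be ranked on one scale, which is the point the Continuously Monitor bullet makes.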


Spectra Development Platform

Architecture diagram (labels recovered from the slide):
• Applications: Incident and Problem; Configuration and Asset; Release Mgt; Spectra Extensions to GLIDE Stack
• GLIDE (User Interface), reached from the Web over HTTP / SSL and TCP/IP
• Servlet Container: Apache/Tomcat Server
• RDBMS: Application Data; CMDB Data
• Platforms: Win; Linux; UNIX; z/OS
• MID Server: Auto-Discovery, OSI Layers 2-7