Lumension Security - Patch Management Software | Application and Device Control | Endpoint Security Solutions

Reduce Your Total Cost of Compliance and Manage the IT Risk That Matters Most

Lumension Compliance and IT Risk Management

Overview:

Organizations face a myriad of regulations and mandates and increasing IT risk, but rely upon ad hoc and disjointed compliance processes which increase the cost of compliance by 30 to 50 percent more than what is necessary.* Lumension Compliance and IT Risk Management reduces costs by harmonizing multiple compliance requirements and IT controls while automating the audit and IT risk management workflows.


Compliance and IT Risk Management Business Drivers & Challenges

In today’s highly regulated business environment, many organizations are struggling with the rising cost of compliance and the growing audit burden. In fact, a Financial Executives International survey of public companies found that total costs for the first year of SOX Section 404 compliance average $4.36 million per organization.

A multitude of internal and external requirements, including PCI, SOX, HIPAA and others, are addressed within organizational silos, leading to redundant workflows and an inefficient allocation of resources. Audit workflows are often performed manually, with data captured in numerous disjointed spreadsheets. To compensate for the lack of compliance visibility across the organization, expensive third-party audit resources are used to validate compliance and control requirements.

And many organizations still don’t know how compliant they really are. A recent survey found that 43 percent of existing access rights were either excessive or should have been retired.**

To demonstrate compliance and stay competitive in this business environment, organizations must be able to centralize, streamline and automate their compliance and IT risk management workflows.

Assess Once. Simultaneously Comply with a Wide Range of Regulations and Policies.

Lumension Compliance and IT Risk Management enables you to adopt a comprehensive and continuous audit approach by aggregating and correlating data from multiple internal and external compliance regulations with best-practice IT controls — all within one solution, allowing you to:

  • Measure and report on multiple regulations and policies simultaneously
  • Automate IT risk assessment and remediation through integration with Lumension or third-party tools (e.g., vulnerability scanners)
  • Streamline the audit process by automating survey generation and data collection
  • Prioritize potential risk by correlating IT assets to critical business processes

How Lumension Compliance and IT Risk Management Works

Lumension’s comprehensive Compliance and IT Risk Management Solution first aligns business interests, such as revenue centers, key business processes and critical information, together with IT resources, including servers, applications, facilities and personnel.

Lumension then uses the Unified Compliance Framework (UCF) to harmonize IT controls, IT assets and internal and regulatory requirements into a single framework, so you can cost effectively prioritize your compliance and IT risk management efforts.

Automation across the Compliance and IT Risk Management workflow is enhanced through integration with Lumension’s award-winning security solutions as well as other third-party products. Additional efficiencies are gained through a patent-pending Risk Intelligence Engine (RIE), which correlates assessment information with compliance requirements and automatically identifies mitigating IT controls to address any potential regulatory and IT risk exposure.

Lumension delivers operational and strategic visibility across functional areas so compliance and IT risk priorities are easily identified. Dashboard style reporting allows organizations to customize and deliver top down metrics and generate multiple compliance reports with just a click.

Lumension Compliance and IT Risk Management Workflow

1. Identify: Identify the criticality of IT assets and their support of key business processes to define an IT risk profile.

2. Assess: Automatically assess your technical and procedural controls for compliance with interfaces to Lumension and third-party tools and Web-based surveys.

3. Remediate: Prioritize and address technical and procedural control deficiencies.

4. Manage: Create operational and strategic visibility across compliance, IT risk and control environments with role-based and dashboard reporting.

With Lumension Compliance and IT Risk Management, organizations will achieve greater visibility across their IT assets while optimizing their resources to intelligently address IT risk exposure and achieve effective compliance through strong security practices.

Reduce Your IT Audit Burden

By automating your compliance and IT risk management workflow, you can comply with numerous regulations and standards using one solution, ultimately reducing your cost of demonstrating compliance.

Sources:

*IT Policy Compliance, Managing Spend on IT Security and Audit for Better Results, February 2009
**Forrester, Enterprise Management Associates Survey of IT Governance Risk & Control, 2008

Key Features:

Map Business Interests to IT Resources
Align business structure, including company organization, revenue centers, key business processes and critical business information, with IT resources, including IT assets, business applications, responsible people/roles and core IT processes.

Aligns IT with Business Strategy
Ensures that business strategy is always in alignment with IT resources including servers, applications, facilities and personnel.

Identify IT Control Assignments
Identify required IT controls, including technical, procedural and physical, across various IT assets necessary to support internal and external regulations and control standards.

Understand Necessary Controls to Ensure Compliance
Ensures that controls across people, process and technology are identified to support specific requirements that an organization must address.

Harmonize Multiple IT Controls and Compliance Requirements
Leverage the UCF to map multiple regulations to the required IT controls – more than 400 regulations covered in total.

Streamline Compliance Efforts
Harmonizes multiple internal and external compliance mandates into one framework to reduce the time, resources and costs needed to address multiple IT audits.

Identify and Prioritize IT Risks
Identify the criticality of anticipated IT risks in support of business interests and compliance requirements. Supports “what if” analysis.

Focus on What Matters Most
Enables IT resources to be prioritized to mitigate the greatest amount of risk to the organization in support of critical regulatory and internal policy requirements.

Automate the Assessment of Technical Controls
Automatically assess technical controls across a broad IT landscape and correlate these assessments for IT risk identification and prioritization, internal and external compliance and IT control adherence. Integrates with Lumension security products as well as third-party vulnerability assessment tools.

Streamline IT Operations
Reduces time and resources required to perform technical control assessment across the organization.

Centralized Knowledge Repository
Centralize all compliance and assessment data into a single knowledgebase for prioritization and optimization of IT risk remediation efforts.

Consolidate Assessment Data
Reduces disparate collection of data and streamlines IT audit processes.

Automated Web-based Assessment
Workflow-based surveys collect, monitor and track information on procedural controls.

Reduce Time to Assess Procedural Controls
Streamlines the assessment and ongoing monitoring of procedural processes and controls.

Prioritization of Remediation Deficiencies
Identify critical remediation tasks based on risk to the organization and in support of requirements. Utilize Lumension’s award-winning security solutions to effectively and efficiently address technical control deficiencies.

Optimize IT Resources
Prioritizes remediation tasks to support critical internal and external compliance requirements.

Supporting Evidence Documentation
Append supporting documentation and evidence across workflow-based surveys.

Limit Your Liability
Ensures proof of compliance for procedural controls.

Assign and Manage Remediation Responsibility
Identify roles and individuals responsible for remediating technical and procedural controls.

Ensure Proper Resources Address Technical and Procedural Controls
Improves audit and compliance workflows by ensuring the right resources are responsible for fixing controls in support of requirements.

Measure and Report on Multiple Regulations
Deliver measurement and reporting on numerous compliance mandates across industry, government, and internal compliance requirements and best-practice frameworks.

Reduce Time to Report on Compliance
Reports across multiple requirements and frameworks to provide holistic measurement across the entire organization.

Compliance and IT Risk Dashboard Reporting
Customize and deliver top-down metrics and executive reporting across operational security, IT risk and compliance postures.

Demonstrate Compliance
Provides customized dashboard reports that deliver the necessary metrics by audience.

Role-Based Reporting
Produce reports for diverse audiences throughout the organization, including auditors, management and IT operations.

Ensure Visibility for All Stakeholders
Delivers reports that satisfy internal and external auditors and communicate security gaps to IT operations teams as well as to non-technical business stakeholders.

Supported Regulations and Frameworks:

Lumension Compliance and IT Risk Management enables organizations to demonstrate compliance across more than 400 regulations and best-practice frameworks through integration with the Unified Compliance Framework (UCF). Below are just a few examples:

Financial Services Regulations

  • Basel II - Global: Basel II establishes minimum capital requirements for banking organizations to reduce operational risks. 
  • Gramm-Leach-Bliley Act (GLBA) - US: GLBA seeks to protect the personal information of consumers stored in financial institutions by requiring all financial institutions to implement and maintain security measures to protect customer information and prevent unauthorized access and use of customer records.
  • Payment Card Industry (PCI) Security Standard - Global: PCI Security Standard seeks to ensure consistency of security standards for credit card issuers, and to assure cardholders that their account information is secure, regardless of where the card was used for payment.

Government/Public Sector Regulations

  • Federal Information Security Management Act (FISMA) - US: The Federal Information Security Management Act was established to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.
  • Office of Management and Budget (OMB) M-06-16 Mandate - US: OMB M-06-16 Mandate requires agencies to establish safeguards for sensitive agency data on laptops and workstations.
  • Federal Desktop Core Configuration (FDCC) – US: The Federal Desktop Core Configuration provides a set of security configuration standards to which all federal agencies must adhere, as mandated by the Office of Management and Budget, and which is now part of FISMA reporting.
  • 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth - US: By January 2010, Massachusetts will require businesses that collect information about that state’s residents to follow comprehensive information security requirements. The new state data security regulations apply to both in-state and out-of-state companies with operations or customers in Massachusetts.
  • Data Handling Procedures in UK Government - UK: The Data Handling Procedures in Government report (“the Report”) published in June 2008 sets out clear and mandatory procedures to be followed by all government employees that have access to and responsibility for citizen data.

Healthcare Regulations

  • Health Insurance Portability and Accountability Act (HIPAA) - US: HIPAA was established in 1996 to protect medical records by establishing transaction standards for the exchange of health information, security standards and privacy standards for the use and disclosure of individually identifiable health information. To achieve compliance with HIPAA requirements, organizations must establish and enforce policies that safeguard the integrity and availability of confidential electronic information.

Utilities Regulations

  • North American Electric Reliability Corporation (NERC) – North America: The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as the NERC CIP Standards 002-009, which are designed to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America’s bulk electricity systems. NERC CIP standards and guidelines apply to all Responsible Entities (REs) within the bulk-power system, which are required to retain 12 months of auditable data, documents and records on their information security controls, and specific logs for 90 days, in order to be compliant with the new CIP standards.

Cross-Industry Regulations and Frameworks

  • Sarbanes-Oxley Act (SOX) - US: SOX was developed in 2002 to protect investors by improving the accuracy and reliability of corporate disclosure.
  • BS ISO/IEC 27002 Compliance - Global: The BS ISO/IEC 27002 standard provides a comprehensive set of controls comprising best practices in information security, intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small profit and non-profit organizations.
  • CobiT - Global: The Control Objectives for Information and related Technology was first released in 1996 by ISACA with the goal of providing an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors. CobiT 4.1 has 34 high level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.
  • Data Protection Act (DPA) - UK: The Data Protection Act was implemented in 1998 with the purpose of safeguarding the fundamental rights of individuals with regard to the processing of personal data and the free movement of such data.

Documentation:

Download the Lumension Compliance and IT Risk Management Datasheet (PDF).

PatchManage.com is a division of Virtual Graffiti Inc, an authorized Gold Lumension reseller.
Copyright © 2010 Lumension Security™. All rights reserved.