6. PCI DSS, PA DSS, 27001, CoBiT, NERC, Basel II, SOX, ...
7. Mounting External Compliance Regulations
3 out of 4 organizations must comply with two or more regulations and corresponding audits.
43% of organizations comply with 3 or more regulations.
[Chart: PII security standards accumulating over time. Regulations shown: Sarbanes-Oxley Section 404, PCI Data Security Standards (DSS), Basel II, SB1386 (CA Privacy Act), USA Patriot Act, Gramm Leach Bliley (GLBA), 21CFR11, HIPAA, EU Directive.]
Source: "The Struggle to Manage Security Compliance for Multiple Regulations", SecurityCompliance.com
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
8. Today Organizations Spend 30-50% More On Compliance Than They Should
Our IT Networks Were Never Designed With Compliance In Mind
9. Compliance & IT Risk Management Challenges
[Diagram of challenges: Lack of Regulatory Knowledge (HIPAA, SOX, PCI); Disparate Data Collection (Excel, database, manual surveys); Functional Silos (business processes, security policy, IT resources); Non-Standardized Processes (password length, special characters).]
13. Assess
Technical Controls: Automatically assess technical controls through integration to Lumension and 3rd party tools.
Procedural & Physical Controls: Utilize automated workflow-based surveys.
14. Standardized IT Risk Mgmt. Framework
Regulation Authority Documents: GLBA, PCI, FISMA, HIPAA, NHS, NERC, SOX, ISO/IEC...
Business Interests: Corporate Policies, Business Processes, Revenue Streams, Trade Secrets
IT Assets - Profile Risk Attributes: Open to the Internet; Contains Credit Card Information; Contains Customer Data
Applicable Controls (Pass/Fail): Password Length; Data Encryption; Power Save
Regulation Assessment:
| Corp-Policy | ISO 27001 | PCI | NERC |
| 100% | 65% | 65% | 30% |
15. Automation of Assessment Data
Consolidated assessment data supports a holistic view of compliance and IT risk posture.
Technical Controls - Automated Connectors: Lumension Patch, Scan & Configuration Products; Lumension Application & Device Control; 3rd Party
Procedural & Physical Controls - Automated Assessment Workflow: Web-Based Surveys; Auditor / Analyst Attestation
16. Connector …
17. Connector …
18. Connector …
19. Connector …
20. Remediate
Remediate: Prioritize remediation efforts based on impact to overall organizational IT risk & compliance posture.
21. Manage
Manage: Create operational and strategic visibility across compliance and IT risk postures.
24. Lumension Risk Manager - summary
Give you better visibility into your compliance and risk posture.
Help you save time & money in your security management process.
25. Global Headquarters
15880 N. Greenway-Hayden Loop
Suite 100
Scottsdale, AZ 85260
1.888.725.7828
info@lumension.com
thomas.wendrich@lumension.com
www.lumension.com/itgrc-software