Lumension® Compliance and IT Risk Management

Reduce Your Total Cost of Compliance and Manage the IT Risk That Matters Most with a Comprehensive IT-GRC Solution.

IT Risk and Compliance Business Drivers & Challenges

In today’s highly regulated business environment, many organizations are struggling with the rising cost of achieving compliance and the growing audit burden.

Download the Solution Brief

A multitude of internal and external requirements, including PCI, HIPAA, NERC, FISMA, SOX and others, and frameworks such as COBIT and ISO27002, are addressed within organizational silos, leading to redundant workflows and an inefficient allocation of resources. Audit workflows are often performed manually, with data captured in numerous disjointed spreadsheets allowing for more error and higher costs. And to compensate for the lack of compliance understanding visibility across the organization, expensive third-party consulting resources are often used to validate compliance and control requirements.

The result is a projected spend of 30 to 50 percent more on compliance than what is necessary¹. And many organizations still don’t know how compliant they really are. A recent survey found that 43 percent of existing access rights were either excessive or should have been retired ².

To demonstrate compliance and stay competitive in this business environment, organizations leverage a IT-GRC software solution that centralizes, streamlines and automates their compliance and IT risk management workflows.

Overview
Supported Regulations and Frameworks
Key Capabilities & Benefits

Overview

Lumension® Compliance and IT Risk Management, comprised of Lumension® Risk Manager and Lumension® Enterprise Reporting, automates the compliance and IT risk management workflow to reduce the cost of supporting numerous compliance requirements, and ensures that IT risks are prioritized by their potential impact on the business. Key capabilities include risk profiling of IT assets and business interests, use of the Unified Compliance Framework (UCF), which harmonizes IT controls across numerous compliance mandates, automated assessment of technical, physical and procedural controls, and continuous monitoring and reporting to satisfy a diverse IT risk and compliance audience.

By enabling you to intelligently understand and manage your IT risk exposure, optimize IT resources, and ensure the proper measurement against regulations and corporate governance requirements Lumension Compliance and IT Risk Management helps you demonstrate value to the bottom line.

With Lumension Compliance and IT Risk Management, you can:

1. Identify: Identify the criticality of IT assets and their role in the support of key business processes, and associate IT risk with key resources.
2. Assess: Assess your technical and procedural controls for compliance with interfaces to Lumension and third-party tools and Web-based surveys.
3. Remediate: Prioritize and address technical and procedural control deficiencies.
4. Manage: Create operational and strategic visibility compliance and IT risk posture across the organization. across compliance, IT risk and control environments with role-based and dashboard reporting.

Supported Regulations and Frameworks

Lumension® Compliance and IT Risk Management enables organizations to demonstrate compliance across more than 400 regulations and best-practice frameworks through integration with the Unified Compliance Framework (UCF). Below are just a few examples:

Financial Services Regulations

Basel II - Global: Basel II establishes minimum capital requirements for banking organizations to reduce operational risks.

Gramm-Leach-Bliley Act (GLBA) - US: GLBA seeks to protect the personal information of consumers stored in financial institutions by requiring all financial institutions to implement and maintain security measures to protect customer information and prevent unauthorized access and use of customer records.

Payment Card Industry (PCI) Security Standard - Global: PCI Security Standard seeks to ensure consistency of security standards for credit card issuers, and to assure cardholders that their account information is secure, regardless of where the card was used for payment.

Government/Public Sector Regulations

Federal Information Security Management Act (FISMA) - US: The Federal Information Security Management Act was established to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.

Office of Management and Budget (OMB) M-06-16 Mandate - US: OMB M-06-16 Mandate requires agencies to establish safeguards for sensitive agency data on laptops and workstations.

Federal Desktop Core Configuration (FDCC) – US: The Federal Desktop Core Configuration provides a set of security configuration standards by which all federal agencies must adhere to as mandated by the Office of Management and Budget and which is now part of FISMA reporting.

201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth - US: By March 2010, Massachusetts will require businesses that collect information about that state’s residents to follow comprehensive information security requirements. The new state data security regulations apply to both in-state and out-of-state companies with operations or customers in Massachusetts.

Data Handling Procedures in UK Government - UK: The Data Handling Procedures in Government report (“the Report”) published in June 2008 sets out clear and mandatory procedures to be followed by all government employees that have access to and responsibility for citizen data.

Healthcare Regulations

Health Insurance Portability and Accountability Act (HIPAA) - US: HIPAA was established in 1996 to protect medical records by establishing transaction standards for the exchange of health information, security standards and privacy standards for the use and disclosure of individually identifiable health information. To achieve compliance with HIPAA requirements, organizations must establish and enforce policies that safeguard the integrity and availability of confidential electronic information.

Utilities Regulations

North American Electric Reliability Corporation (NERC) – North America: The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as the NERC CIP Standards 002-009, which are designed to ensure the protection of the Critical Cyber Assets which control or affect the reliability of North America’s bulk electricity systems. NERC CIP standards and guidelines apply to all Responsible Entities (REs) within the bulk-power system, which are required to retain 12 months of auditable data, documents and records on their information security controls and specific logs for 90 days in order to be compliant with the new CIP standards

Cross-Industry Regulations and Frameworks

Sarbanes-Oxley Act (SOX) - US: SOX was developed in 2002 to protect investors by improving the accuracy and reliability of corporate disclosure.

BS ISO/IEC 27002 Compliance - Global: The BS ISO/IEC 27002 standard provides a comprehensive set of controls comprising best practices in information security, intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small profit and non-profit organizations.

CobiT - Global: The Control Objectives for Information and related Technology was first released in 1996 by ISACA with the goal of providing an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors. CobiT 4.1 has 34 high level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.

Data Protection Act (DPA) - UK: The Data Protection Act was implemented in 1998 with the purpose of safeguarding the fundamental rights of individuals with regard to the processing of personal data and the free movement of such data.

Key Capabilities & Benefits

Solution Capability	Benefit
Map Business Interests to IT Resources Align business structure including, company organization, revenue centers, key business processes and critical business information, with IT resources including IT assets, business applications, responsible people/roles and core IT processes.	Aligns IT with Business Strategy Ensures that business strategy is always in alignment with IT resources including servers, applications, facilities and personnel.
Identify IT Control Assignments Identify required IT controls, including technical, procedural and physical, across various IT assets necessary to support internal and external regulations and control standards.	Understand Necessary Controls to Ensure Compliance Ensures that controls across people, process and technology are identified to support specific requirements that an organization must address.
Harmonize Multiple IT Controls and Compliance Requirements Leverage the UCF to map multiple regulations to the required IT controls – more than 400 regulations covered in total.	Streamline Compliance Efforts Harmonizes multiple internal and external compliance mandates into one framework to reduce the time, resources and costs needed to address multiple IT audits.
Identify and Prioritize IT Risks Identify the criticality of anticipated IT risks in support of business interests and compliance requirements. Supports “what if” analysis.	Focus on What Matters Most Enables IT resources to be prioritized to mitigate the greatest amount of risk to the organization in support of critical regulatory and internal policy requirements.
Automate the Assessment of Technical Controls Automatically assess technical controls across a broad IT landscape and correlate these assessments for IT risk identification and prioritization, internal and external compliance and IT control adherence. Integrates with Lumension security products as well as third party vulnerability assessment tools.	Streamline IT Operations Reduces time and resources required to perform technical control assessment across the organization.
Centralized Knowledge Repository Centralize all compliance and assessment data into a single knowledgebase for prioritization and optimization of IT risk remediation efforts.	Consolidate Assessment Data Reduces disparate collection of data and streamlines IT audit processes.
Automated Web-based Assessment Workflow-based surveys collect, monitor and track information on procedural controls.	Reduce Time to Assess Procedural Controls Streamlines the assessment and ongoing monitoring of procedural processes and controls.
Prioritization of Remediation Deficiencies Identify critical remediation tasks based on risk to the organization and in support of requirements. Utilize Lumension’s award-winning security solutions to effectively and efficiency address technical control deficiencies.	Optimize IT Resources Prioritizes remediation tasks to support critical internal and external compliance requirements.
Supporting Evidence Documentation Append supporting documentation and evidence across workflow-based surveys.	Limit Your Liability Ensures proof of compliance for procedural controls.
Assign and Manage Remediation Responsibility Identify roles and individuals responsible for remediating technical and procedural controls.	Ensure Proper Resources Address Technical and Procedural Controls Improves audit and compliance workflows by ensuring the right resources are responsible for fixing controls in support of requirements.
Measure and Report on Multiple Regulations Deliver measurement and reporting on numerous compliance mandates across industry, government, and internal compliance requirements and best-practice frameworks.	Reduce Time to Report on Compliance Reports across multiple requirements and frameworks to provide holistic measurement across the entire organization.
Compliance and IT Risk Dashboard Reporting Customize and deliver top down metrics and executive reporting across operational security, IT risk and compliance postures.	Demonstrate Compliance Provides customized dashboard reports that deliver the necessary metrics by audience.
Role-Based Reporting Produce reports for diverse audiences throughout the organization, including auditors, management and IT operations.	Ensure Visibility for All Stakeholders Delivers reports that satisfy internal and external auditors and communicate security gaps to IT operations teams as well as to non-technical business stakeholders.

Sources:

IT Policy Compliance, Managing Spend on IT Security and Audit for Better Results, February 2009
Forrester, Enterprise Management Associates Survey of IT Governance Risk & Control, 2008