Lumension® Risk Manager

Lumension Risk Manager automates compliance and IT risk management workflows and provides necessary visibility of people, processes and technology across the entire organization.

Security Compliance Business Issues & Challenges

In today’s business environment, organizations face the challenge of complying with numerous regulations but still employ manual and improvised IT audit processes that incur high costs with inaccurate results.

Download the Datasheet

Overview
Features & Benefits
Requirements

Overview

Organizations have struggled with as many as 40,000 spreadsheets for a single compliance purpose¹. Measuring compliance with a spreadsheet is a surefire way to extend the cost, time and resources needed to complete any regulatory IT audit. This approach is often error-prone and does not allow a company to fully view the business relationships between risks and necessary controls. Additionally, the reliability and timeliness of such an approach are limited.

And the process starts over for each individual regulation or standard that must be assessed during an audit.

The failure to understand the business impact of IT assets also hampers true risk assessment. Many organizations have blind spots regarding their level of IT risk and degree of compliance, lacking the necessary tools to gain visibility and ultimately achieve compliance for multiple regulations and standards in an automated fashion.

Lumension Risk Manager, a component of Lumension® Compliance and IT Risk Management, provides comprehensive security compliance software that enables organizations to streamline and automate audit and IT risk management workflows thereby reducing the cost of compliance.

Lumension Risk Manager provides a comprehensive view across hundreds of global regulations, mandates and internal policies improving the efficiency of controls and reducing risk. Lumension Risk Manager provides flexibility to easily accommodate evolving requirements and enable real-time visibility of the level of compliance achieved. Lumension enables visibility for compliance and risk through four key capabilities:

How It Works

1. Risk Profiling - Easily model the relationship between your IT assets and business interests to identify IT-borne business risk. Lumension categorizes an organization’s resource types including technology, people and processes, and then develops a powerful risk profile through its patent-pending risk intelligence engine. The risk profile information is automatically correlated with internal and external compliance requirements to suggest mitigating IT controls and address potential regulatory and IT risk exposure.
2. Controls Framework - Leveraging the industry-standard Unified Compliance Framework (UCF), Lumension Risk Manager harmonizes controls across hundreds of different regulations including PCI, SOX, FISMA, HIPAA, NERC, CobiT, NIST and many more. This means that no control is ever duplicated and the structure and language of each control follows the same predictable format.
3. Controls Assessment - Streamline and automate the workflow for assessing technical, physical and procedural controls by interfacing to either Lumension security solutions or third party point products such as vulnerability scanners. Utilize automated surveys to complete your assessment of physical and procedural controls.
4. Risk & Compliance Reporting - Generate reports with key metrics to satisfy a diverse IT risk and compliance audience through compliance and IT risk reporting, operational security reporting and remediation modeling and forecasting. Create "what-if" scenarios to better estimate how a project or remediation effort will improve your IT risk and compliance posture.

	Key Product Features	Benefit
IT Risk Profiling These features model the relationship between IT assets and business interests to identify IT-borne business risk.	IT Asset Catalog with Comprehensive Resource Types IT Asset repository includes all resource types, including applications, databases, servers, networks, data centers, people, and processes.	Ensure Comprehensive Visibility of IT Risk Exposure Provides visibility into all areas of potential IT risk exposure including IT assets, people and processes.
	Business Interest Mapping Create a catalog of key information and processes unique to your business that need to be protected from IT risk. Business Interests are mapped to Subjects (assets) to provide a business risk context for IT resources.	Correlate IT Risk to Business Impact Ensures risk-based analysis of your IT posture.
	Business Impact Analysis through Stakeholder Surveys Use stakeholder surveys to determine the business impact of a risk scenario that compromises the Confidentiality, Integrity, or Availability of a Business Interest.	Automate Survey Workflow Provides an automated effective means for identifying, capturing and incorporating business stakeholder input into the risk analysis process.
	Risk Profile Surveys Use automated surveys to allow system owners to set risk profile attributes for Subjects.	Automate Previously Manual Tasks Provides an efficient manner for obtaining system owner input into the risk analysis process.
	Reasonably Anticipated Risks Automatically enumerate all of the reasonably anticipated risks that should be mitigated for each Subject.	Effective Communication of IT Risks to Business Audience Natural language IT risk statements enable the security team to clearly communicate IT risks to non-technical audiences.
	Dynamic Groups Define Subject groups with attribute-based criteria. Membership in a group is determined dynamically based on whether a Subject’s risk profile matches the group’s criteria.	Improve Visibility into IT Environment Provides flexibility and efficiency in metrics and reporting.
	Patent-Pending Risk Intelligence Engine Analyzes each Subject’s risk profile to automatically identify: Risks the subject is exposed to Required compliance mandates Controls that must be implemented to satisfy both compliance and mitigate risk	Optimize IT Resources Automatic risk profile analysis saves time over manual risk analysis practices. The intelligence-based approach eliminates the need for highly-skilled security experts to spend time performing manual risk analysis.
IT Controls Framework Harmonizes control requirements for compliance mandates and risk mitigation.	Controls Framework Controls Framework includes technical, procedural, and physical controls.	Comprehensive Controls Ensures comprehensive coverage and definition of all control activities needed to ensure compliance and mitigate IT risk.
	Unified Compliance Framework(UCF) Network Frontiers’ industry-vetted, harmonized mapping of unique controls to compliance regulations is developed and maintained in collaboration with industry experts, legal advisors, and standards-setting bodies across global regulations.	Support Multiple Compliance Mandates Automatically harmonizes IT control frameworks with industry regulation requirements to ensure that controls are reasonable and sufficient to satisfy multiple compliance mandates
	Control Harmonization Common controls (e.g. “Strong Passwords”) are normalized into a single control, which is cross-referenced to all standards and regulations that call for the requirement.	Assess Once, Comply with Many Eliminates overlapping control requirements that result from multiple standards and regulatory requirements.
	Compliance Library Over 400 Regulations and Standards documents are included with full cross-references to supporting IT controls.	Optimize Compliance Workflows Immediately understand the controls required to implement on Subjects and avoid time spent performing custom cross-walks across multiple requirements documents.
	Internal Compliance and Security Policy / Control Mapping Import internal compliance and security policies and cross-reference them to the harmonized controls framework.	Prove Compliance with Internal Policies Demonstrates compliance with internal policies through a common assessment process.
	Controls Linked to Risk Mitigation Controls are automatically linked to the risk scenarios they help prevent, detect, or correct.	Quickly Mitigate IT Risk Demonstrates how IT controls can mitigate actual business IT risk.
IT Controls Assessment Automated assessment of technical, physical and procedural controls.	Workflow for Assessing Physical and Procedural Controls Automated risk assessment workflow provides structure around the process of collecting scores and evidence for physical and procedural controls.	Streamline IT Risk Management Workflow Saves time by organizing the data collection efforts associated with scoring physical and procedural controls into a single view.
	Automated Self-Assessment Surveys Send multiple-choice question surveys to system owners to receive up-to-date control implementation status. Once approved, survey responses automatically update scores.	Automate Previously Manual Tasks Saves time over in-person interviews and manual data collection methods.
	Survey Delegation Survey recipients can delegate surveys to other team members as needed.	Ensure Effective Survey Workflow Ensures that survey questions are routed to the appropriate person to answer the question without extensive up-front org-chart discovery by the security team.
	Control Score Aging Configurable timers track the age of every control score to determine when controls need to be re-assessed.	Ensure Current Assessment Information Automatically detects when score information has expired and needs to be updated to keep compliance and risk metrics up-to-date.
	Interfaces to Security Point Products Built-in connectors to Lumension security solutions and other third party vulnerability scanning tools collect operational security data to automatically update control scores.	Automate Vulnerability and Configuration Assessment Saves time by eliminating the need to manually parse through technical security reports to update high-level risk and compliance control scores.
	Attachments for Evidence Collection Attachments on control scores provide evidence of the asserted score. Attachments can be files or URLs (for example, a URL to an internal document repository containing policies).	Simplified Management Provides a convenient way to manage the myriad evidence artifacts required to demonstrate the validity of self-assessment scores.
	Accountability for IT Risk Scores Every score record contains the UserID corresponding to who made the change.	Ensure Audit Accountability Provides accountability for score information.
	Control Scoring History All historical control scores are automatically archived.	Proof of Compliance Ensures that historical scoring information is available when needed.
	Custom Control Score Status Indicator Score items within the assessment workflow can be flagged to indicate status.	Rapid Evaluation of Control Scores Flagging score status allows for quick triage of scores that require follow-up.
	Auditor Self-Service Scoring Panel The direct score entry panel is optimized for rapid scoring and data entry of assessment test results.	Optimize Audit Results Documentation Allows auditors and security analysts to quickly document the results of their security testing activities.
	Approval-Based Workflow Scores entered from self-assessment surveys and the auditor self-service panel can be reviewed and approved prior to committing them to the permanent scoring record.	Ensure Accuracy of Scoring Information Provides an opportunity for internal quality assurance on scoring information, and ensures that incorrect survey responses don’t affect trend data or scoring history.
Risk and Compliance Reporting Generate reports and metrics to satisfy a diverse risk and compliance audience.	Compliance Reporting Compliance reports demonstrate section-by-section status of your compliance with industry regulations, compliance mandates, and your own security policy	Deliver Comprehensive Reports Provide detailed reports to satisfy internal and external auditors.
	IT Risk Reporting IT Risk reports catalog security gaps and how they could affect key business interests.	Measure IT Risk to Business Impact Communicate security gaps in a way that is easily understood by non-technical business stakeholders.
	Operational Security Reporting Operational security reports provide detailed security gap information for departments within IT operations.	Deliver Metrics for Rapid Security Enforcement Communicate security gaps to IT operations teams and set specific expectations on remediation.
	Risk and Compliance Index Distill mountains of security gap analysis information into risk and compliance index scores.	Improve Internal Communication Regarding IT Risk and Compliance Provide simple metrics that communicate your overall security, risk, and compliance posture.
	Trending Analysis Metrics on compliance, IT risk, and operational security are trended on a daily basis.	Quickly Determine Trends Demonstrate trends of security, risk, and compliance program improvement over time.
	Key Performance Indicators Track the aggregate score for a user defined subset of controls and subjects against a target value.	Focus on Metrics Vital to Your Business Keep a watchful eye on specific areas of interest with a simplified report-card view of your security posture.
	Customizable Dashboard Views Combine existing dashboard widgets into a personalized custom view.	Highlight Metrics that You Need to See Allows individual users to easily view the key metrics that are important to them.
	Consolidated Findings Analysis Employ the heuristics engine to effectively analyze control scores to discover patterns, such as a certain group of subjects that contribute disproportionately to a poor compliance score, or a certain type of control that fails across a broad array of subjects..	Ensure Rapid Remediation for High Priorities Quickly spot patterns in scoring information that allow you to identify high-value remediation efforts.
	Remediation Modeling and Forecasting Create "what-if" project scenarios to optimize IT resources to see how that project or remediation will improve your risk and compliance metrics.	Improve Operational Efficiencies Prioritize IT resources and remediation efforts based on the impact to metrics, and compare remediation projects by cost and time estimates across all controls.

Requirements	Version
Hardware	Dedicated Server Dual-Core Processor preferred, single core processor is suitable 2GB RAM 50 GB of available disk space 7200 RPM Drive and/or RAID configuration preferred A single 100 Mbps network connection (with access to the Internet)
Operating System	Microsoft Windows Server 2003 / 2005 / 2008
SQL Server	Microsoft SQL Server 2005/2008 – can be installed locally or on a remote database server. Microsoft SQL Server 2005 Express Edition
Internet Browser	Firefox 3 or higher Microsoft Internet Explorer 7 or higher Safari 3 or higher

Source:

Corporate Integrity, LLC, Foundations of GRC: Streamlining Compliance, May 2009

Lumension® Risk Manager