IT Risk Profiling
These features model the relationship between IT assets and business interests to identify IT-borne business risk.

Feature: IT Asset Catalog with Comprehensive Resource Types
The IT asset repository includes all resource types: applications, databases, servers, networks, data centers, people, and processes.
Benefit: Ensure Comprehensive Visibility of IT Risk Exposure
Security breaches can occur through many different avenues: servers, applications, data centers, endpoints, stolen or lost USB drives, and so on. Cataloging all of these asset types gives you visibility into every area of potential IT risk exposure.

Feature: Business Interest Mapping
Create a catalog of the key information and processes unique to your business that need to be protected from IT risk. Business interests are mapped to assets and risk scenarios to give IT resources a business risk context.
Benefit: Correlate IT Risk to Business Impact
Provides a risk-based analysis of your IT posture so that security control gaps can be prioritized by their business impact.

Feature: Business Impact Analysis through Stakeholder Surveys
Use stakeholder surveys to determine the business impact of a risk scenario that compromises the confidentiality, integrity, or availability of a business interest.
Benefit: Automate Survey Workflow
Provides an automated, effective means of identifying, capturing, and incorporating business stakeholder input into the risk analysis process.

Feature: Risk Profile Surveys
Use automated surveys to let system owners set risk profile attributes for their assets.
Benefit: Automate Previously Manual Tasks
Provides an efficient way to obtain system owner input for the risk analysis process.

Feature: Reasonably Anticipated Risks
Automatically enumerate all of the reasonably anticipated risks that should be mitigated for each asset.
Benefit: Effective Communication of IT Risks to a Business Audience
Natural-language IT risk statements let the security team communicate IT risks clearly to non-technical audiences.

Feature: Dynamic Groups
Define asset groups with attribute-based criteria. Group membership is determined dynamically: an asset belongs to a group whenever its risk profile matches the group's criteria, so membership follows the risk profile as it changes.
Benefit: Improve Visibility into the IT Environment
Provides flexibility and efficiency in metrics and reporting.
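The attribute-based group membership described above, as an added Python illustration that is not Lumension Risk Manager code. The asset records, the attribute names in the risk profiles, the criteria syntax and the operator set are all assumptions made for this example; the point is that group membership is data evaluated against each asset's current attributes, not a static member list.

```python
"""Dynamic asset groups evaluated from risk-profile attributes.

Added illustration, not Lumension Risk Manager code. Asset records,
attribute names and the criteria syntax are constructed for this example.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Constructed sample risk profiles (attribute names are assumptions).
ASSETS = [
    {"name": "erp-db01", "type": "database", "pii": True, "criticality": 5, "internet_facing": False},
    {"name": "web-prod-01", "type": "server", "pii": False, "criticality": 4, "internet_facing": True},
    {"name": "hr-app", "type": "application", "pii": True, "criticality": 3, "internet_facing": True},
    {"name": "dev-jenkins", "type": "server", "pii": False, "criticality": 2, "internet_facing": False},
]

# Closed table of comparison operators. Keeping criteria as data evaluated
# through this table (no eval(), no arbitrary callables) means a group
# definition entered by a user cannot execute code.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b,
    "ne": lambda a, b: a != b,
    "gte": lambda a, b: a is not None and a >= b,
    "lte": lambda a, b: a is not None and a <= b,
    "in": lambda a, b: a in b,
}


@dataclass
class DynamicGroup:
    name: str
    # Each criterion is (attribute, operator, value); all must match (AND).
    criteria: List[tuple]

    def matches(self, asset: Dict[str, Any]) -> bool:
        for attr, op, value in self.criteria:
            if op not in OPERATORS:
                raise ValueError(f"unknown operator {op!r}")
            # A missing attribute never matches: an asset with an incomplete
            # risk profile must not silently land in (or out of) a group.
            if attr not in asset:
                return False
            if not OPERATORS[op](asset[attr], value):
                return False
        return True

    def members(self, assets: List[Dict[str, Any]]) -> List[str]:
        return sorted(a["name"] for a in assets if self.matches(a))


# Constructed group definitions.
GROUPS = [
    DynamicGroup("pii-internet-facing", [("pii", "eq", True), ("internet_facing", "eq", True)]),
    DynamicGroup("crown-jewels", [("criticality", "gte", 4)]),
    DynamicGroup("infra-servers", [("type", "in", ("server", "database"))]),
]


def group_memberships(assets, groups) -> Dict[str, List[str]]:
    """Return {group name: sorted member names}, recomputed from attributes."""
    return {g.name: g.members(assets) for g in groups}


if __name__ == "__main__":
    for name, members in group_memberships(ASSETS, GROUPS).items():
        print(f"{name}: {', '.join(members) or '(none)'}")
```

Re-running `group_memberships` after an asset's risk profile changes (for example, `erp-db01` becoming internet-facing) moves it into `pii-internet-facing` without anyone editing the group, which is the behaviour the feature describes.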
Feature: Patent-Pending Risk Intelligence Engine
Analyzes each asset's risk profile to automatically identify:
- Risks the asset is exposed to
- Compliance mandates that apply to it
- Controls that must be implemented to satisfy those mandates and mitigate the identified risks
Benefit: Optimize IT Resources
Automatic risk profile analysis saves time compared with manual risk analysis practices, so highly skilled security experts do not have to spend their time on manual risk analysis.
IT Controls Framework
Harmonizes control requirements for compliance mandates and risk mitigation.

Feature: Controls Framework
The controls framework includes technical, procedural, and physical controls.
Benefit: Comprehensive Controls
Risk and security cover more than just the technical controls you assess. Lumension® Risk Manager's comprehensive controls model provides end-to-end visibility of all control activities needed to protect information.

Feature: Unified Compliance Framework (UCF)
Network Frontiers' industry-vetted, harmonized mapping of unique controls to compliance regulations is developed and maintained in collaboration with industry experts, legal advisors, and standards-setting bodies across global regulations.
Benefit: Support Multiple Compliance Mandates
Automatically harmonizes IT control frameworks with industry regulation requirements so that controls are reasonable and sufficient to satisfy multiple compliance mandates.

Feature: Control Harmonization
Common controls (e.g. "Strong Passwords") are normalized into a single control, which is cross-referenced to every standard and regulation that calls for that requirement.
Benefit: Assess Once, Comply with Many
Eliminates the overlapping control requirements that result from multiple standards and regulations: one assessment of the harmonized control serves every mandate that references it.

Feature: Compliance Library
Over 400 regulation and standards documents are included, with full cross-references to the supporting IT controls.
Benefit: Optimize Compliance Workflows
Immediately understand which controls must be implemented on each subject, and avoid the time spent performing custom cross-walks across multiple requirements documents.

Feature: Internal Compliance and Security Policy / Control Mapping
Import internal compliance and security policies and cross-reference them to the harmonized controls framework.
Benefit: Prove Compliance with Internal Policies
Demonstrates compliance with internal policies through a common assessment process.

Feature: Controls Linked to Risk Mitigation
Controls are automatically linked to the risk scenarios they help prevent, detect, or correct.
Benefit: Quickly Mitigate IT Risk
Shows how IT controls mitigate actual business IT risk.
IT Controls Assessment
Automated assessment of technical, physical, and procedural controls.

Feature: Workflow for Assessing Physical and Procedural Controls
An automated risk assessment workflow provides structure around the process of collecting scores and evidence for physical and procedural controls.
Benefit: Streamline IT Risk Management Workflow
Saves time by organizing the data collection associated with scoring physical and procedural controls into a single view.

Feature: Automated Self-Assessment Surveys
Send multiple-choice surveys to system owners to obtain up-to-date control implementation status. Once approved, survey responses automatically update scores.
Benefit: Automate Previously Manual Tasks
Saves time compared with in-person interviews and manual data collection.

Feature: Survey Delegation
Survey recipients can delegate surveys to other team members as needed.
Benefit: Ensure Effective Survey Workflow
Ensures that survey questions reach the person best placed to answer them, without extensive up-front org-chart discovery by the security team.

Feature: Control Score Aging
Configurable timers track the age of every control score to determine when a control needs to be re-assessed.
Benefit: Ensure Current Assessment Information
Automatically detects when score information has expired and must be updated, keeping compliance and risk metrics current.

Feature: Interfaces to Security Point Products
Built-in connectors to Lumension security solutions and third-party vulnerability scanning tools let you synthesize detailed data from disparate security tools. Connectivity is field-configurable via SQL, and XML and flat-file data can be imported and processed automatically.
Benefit: Automate Vulnerability and Configuration Assessment
Saves time by eliminating the need to manually parse technical security reports to update high-level risk and compliance control scores, giving you a single place to access both roll-up and drill-down reports about your security posture.

Feature: Attachments for Evidence Collection
Attachments on control scores provide evidence for the asserted score. Attachments can be files or URLs (for example, a URL to an internal document repository containing policies).
Benefit: Simplified Management
Provides a convenient way to manage the many evidence artifacts required to demonstrate the validity of self-assessment scores.

Feature: Accountability for IT Risk Scores
Every score record contains the UserID of the user who made the change.
Benefit: Ensure Audit Accountability
Provides accountability for score information.

Feature: Exception Management
Exception management includes exception requests, approval or rejection, expiration, and notification.
Benefit: Enhance Compliance and IT Risk Management
Provides the flexibility to mark certain scores as "exempt" for a fixed period of time, so that the exception state is visible but not counted in compliance and IT risk calculations.
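How control harmonization ("assess once, comply with many"), control score aging and time-boxed exceptions combine in a compliance calculation, as an added Python illustration that is not Lumension Risk Manager code. The control identifiers, the mapping of controls to mandates, the 0-100 scoring scale with a pass mark of 80, the 90-day re-assessment timer and the sample scores are all constructed for this example; how the product itself scores or weights controls is not stated on this page.

```python
"""Compliance index from harmonized control scores with aging and exceptions.

Added illustration, not Lumension Risk Manager code. Control IDs, the
control-to-mandate mapping, the scoring scale (0-100, pass at >= 80), the
aging window and the sample scores are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Harmonized controls: each control is assessed once and cross-referenced to
# every mandate that requires it. Mapping is constructed.
CONTROL_XREF: Dict[str, List[str]] = {
    "strong-passwords": ["PCI DSS", "HIPAA", "Internal Policy"],
    "patch-management": ["PCI DSS", "Internal Policy"],
    "encrypted-backups": ["HIPAA", "Internal Policy"],
    "visitor-log": ["HIPAA"],
}

PASS_THRESHOLD = 80               # assumed pass mark on a 0-100 scale
MAX_AGE = timedelta(days=90)      # assumed re-assessment timer


@dataclass
class Score:
    control: str
    subject: str
    value: int
    assessed_on: date
    user_id: str                         # who entered the score (accountability)
    exempt_until: Optional[date] = None  # approved exception, if any


def score_state(s: Score, today: date) -> str:
    """Classify a score as 'exempt', 'expired', 'pass' or 'fail'."""
    if s.exempt_until is not None and today <= s.exempt_until:
        return "exempt"           # visible, but excluded from calculations
    if today - s.assessed_on > MAX_AGE:
        return "expired"          # timer elapsed: must be re-assessed
    return "pass" if s.value >= PASS_THRESHOLD else "fail"


def compliance_index(scores: List[Score], today: date) -> Dict[str, float]:
    """Per-mandate percentage of passing scores.

    Exempt scores are left out of both numerator and denominator. Expired
    scores stay in the denominator as failures (design choice made here:
    a stale assessment is not evidence of compliance). Each score is counted
    once for every mandate that cross-references its control, so a single
    assessment feeds every mandate at once.
    """
    passed: Dict[str, int] = {}
    counted: Dict[str, int] = {}
    for s in scores:
        state = score_state(s, today)
        if state == "exempt":
            continue
        for mandate in CONTROL_XREF[s.control]:   # KeyError if a control is unmapped
            counted[mandate] = counted.get(mandate, 0) + 1
            if state == "pass":
                passed[mandate] = passed.get(mandate, 0) + 1
    return {m: round(100 * passed.get(m, 0) / n, 1) for m, n in counted.items()}


def needs_reassessment(scores: List[Score], today: date) -> List[Tuple[str, str]]:
    """(control, subject) pairs whose timer has expired; exempt scores are not nagged."""
    return sorted((s.control, s.subject) for s in scores if score_state(s, today) == "expired")


# Constructed sample data.
TODAY = date(2024, 6, 1)
SAMPLE_SCORES = [
    Score("strong-passwords", "erp-db01", 95, date(2024, 5, 20), "alice"),
    Score("strong-passwords", "hr-app", 40, date(2024, 5, 22), "bob", exempt_until=date(2024, 8, 31)),
    Score("patch-management", "erp-db01", 60, date(2024, 5, 25), "alice"),
    Score("encrypted-backups", "erp-db01", 90, date(2024, 1, 15), "carol"),   # older than 90 days
    Score("visitor-log", "dc-phoenix", 100, date(2024, 5, 1), "dave"),
]

if __name__ == "__main__":
    for mandate, pct in compliance_index(SAMPLE_SCORES, TODAY).items():
        print(f"{mandate}: {pct}%")
    print("re-assess:", needs_reassessment(SAMPLE_SCORES, TODAY))
```

With the constructed data, the single `strong-passwords` assessment on `erp-db01` counts toward PCI DSS, HIPAA and the internal policy at once, the exempt `hr-app` score is visible in the record but absent from all three percentages until its exception lapses, and the January `encrypted-backups` score drags HIPAA and the internal policy down until it is re-assessed. Treating expired scores as failures rather than dropping them is an assumption of this example; the important property is that the choice is explicit and the same for every mandate.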
Feature: Control Scoring History
All historical control scores are automatically archived.
Benefit: Proof of Compliance
Ensures that historical scoring information is available when needed.

Feature: Custom Control Score Status Indicator
Score items within the assessment workflow can be flagged to indicate their status.
Benefit: Rapid Evaluation of Control Scores
Flagging score status allows quick triage of scores that require follow-up.

Feature: Auditor Self-Service Scoring Panel
The direct score entry panel is optimized for rapid scoring and data entry of assessment test results.
Benefit: Optimize Audit Results Documentation
Allows auditors and security analysts to quickly document the results of their security testing activities.

Feature: Approval-Based Workflow
Scores entered from self-assessment surveys and the auditor self-service panel can be reviewed and approved before they are committed to the permanent scoring record.
Benefit: Ensure Accuracy of Scoring Information
Provides an opportunity for internal quality assurance on scoring information, and ensures that incorrect survey responses do not affect trend data or scoring history.
Risk and Compliance Reporting
Generate reports and metrics to satisfy a diverse risk and compliance audience.

Feature: Compliance Reporting
Compliance reports show the section-by-section status of your compliance with industry regulations, compliance mandates, and your own security policy.
Benefit: Deliver Comprehensive Reports
Provides detailed reports to satisfy internal and external auditors.

Feature: IT Risk Reporting
IT risk reports catalog security gaps and how they could affect key business interests.
Benefit: Measure IT Risk to Business Impact
Enables security gaps to be communicated in a way that non-technical business stakeholders can readily understand.

Feature: Operational Security Reporting
Operational security reports provide detailed security gap information for departments within IT operations.
Benefit: Deliver Metrics for Rapid Security Enforcement
Communicates security gaps to IT operations teams and sets specific expectations for remediation.

Feature: Risk and Compliance Index
Distills mountains of security gap analysis information into risk and compliance index scores.
Benefit: Improve Internal Communication Regarding IT Risk and Compliance
Provides simple metrics that communicate your overall security, risk, and compliance posture.

Feature: Trending Analysis
Metrics on compliance, IT risk, and operational security are trended daily.
Benefit: Quickly Determine Trends
Demonstrates trends in security, risk, and compliance program improvement over time.

Feature: Key Performance Indicators
Track the aggregate score for a user-defined subset of controls and subjects against a target value.
Benefit: Focus on Metrics Vital to Your Business
Lets you keep a watchful eye on specific areas of interest with a simplified report-card view of your security posture.

Feature: Customizable Dashboard Views
Combine existing dashboard widgets into a personalized custom view.
Benefit: Highlight the Metrics You Need to See
Allows individual users, such as executives, business owners, system owners, external auditors, and security professionals, to easily view the key metrics that matter to them.

Feature: Consolidated Findings Analysis
Employ the heuristics engine to analyze control scores and discover patterns, such as a group of subjects that contributes disproportionately to a poor compliance score, or a type of control that fails across a broad range of subjects.
Benefit: Ensure Rapid Remediation for High Priorities
Lets you quickly spot patterns in scoring information so that you can identify high-value remediation efforts.

Feature: Remediation Tracking to Improve Security Control Deficiencies
Provides assignment and status tracking for remediation projects. Projects can be tracked by owner and deadline. When a project is completed, the affected scores can be updated automatically.
Benefit: Highlight Improvements in Security Posture
Lets you prioritize resources toward the remediation activities that will have the greatest impact on the business and show improvement in your security and IT risk metrics.

Feature: Remediation Modeling and Forecasting
Create "what-if" project scenarios to see how a proposed project or remediation would improve your risk and compliance metrics before committing IT resources to it.
Benefit: Improve Operational Efficiencies
Enables prioritization of IT resources and remediation efforts based on their impact on metrics, and lets you compare remediation projects by cost and time estimates across all controls.

Feature: Automated E-mail Notifications
Alerts are configurable for specific users and groups and provide notifications of key conditions and state changes within your security posture.
Benefit: Improve Visibility of Changes
Ensures that users are aware of security policy changes and that security administrators are notified of security posture changes, such as a server failing a critical control or an application that is overdue for assessment.