Lumension® Risk Manager

Lumension® Risk Manager automates IT risk management and compliance workflows and provides enterprise-wide visibility to ensure effective measurement of your security posture

IT Risk Management and Assessment: Business Issues & Challenges

Most organizations have implemented a variety of operational and security controls to address today’s dynamic threats, but they lack the means to assimilate security data from multiple sources and continuously measure their security posture. Enterprise-wide visibility of IT risk posed by applications, devices, business processes, and users engaging with data is vital to ensuring continuous protection of critical business systems and information.

The ability to manage IT risk across the organization has traditionally been challenging, due to the inability to correlate data across disparate security products in the environment. Another challenge is the inability to identify, prioritize and communicate key IT risk and security metrics to senior management and line-of-business executives in a consistent and straightforward manner.

The failure to understand and communicate the business impact of IT risk across the organization can lead to business disruption, loss of sensitive information and non-compliance with both internal policies and external regulations. By aligning IT risk with business decision-making, IT and business leaders can effectively reduce business risk, minimize brand and reputation loss, and address initiatives that improve the business.

Overview
Features & Benefits
Requirements

Overview

Lumension® Risk Manager, a component of the Lumension® Compliance and IT Risk Management solution, enables IT security professionals and business leaders to collaborate in the effective creation and measurement of IT risk to protect critical business systems and information and to ensure continuous compliance with internal policies and external mandates.

Lumension® Risk Manager provides comprehensive, real-time trending views across the organization to display continuous measurement of your security posture through the following capabilities:

Measuring Security Posture: Lumension® Risk Manager consolidates multiple sources of IT risk information from 3rd party vulnerability scans, antivirus solutions and more and correlates this assessment data across all of the IT assets in the organization, providing trending analysis and security posture scores at any time.
Identifying and Prioritizing IT Risk: Easily model the relationship between your IT assets and business processes to identify IT-borne business risk. Lumension® Risk Manager categorizes areas of IT risk into technology, people and processes, and then develops a powerful risk profile through its patent-pending risk intelligence engine. The risk profile information is automatically correlated with internal policy and external compliance requirements and suggests mitigating IT controls to address critical risk to the business.
Streamlining Controls and Assessment: - Leveraging the industry-standard Unified Compliance Framework (UCF), Lumension® Risk Manager harmonizes controls across hundreds of different regulations including PCI DSS, HITECH, HIPAA, SOX, FISMA, NERC, CobiT, NIST, ISO frameworks, and many more, along with internal policy controls. This means that no control is ever duplicated in your assessments and the structure and language of each control follows the same predictable format. Lumension® Risk Manager also enables you to streamline and automate the workflow for assessing technical, physical and procedural controls by interfacing to either Lumension security solutions or third party point products such as vulnerability scanners. Utilize automated surveys to complete your assessment of physical and procedural controls.
Demonstrating Compliance: Generate reports to highlight compliance with both internal policies as well as with external regulations such as PCI DSS, HIPAA, HITECH, FISMA, and more. Lumension® Risk Manager enables you to continuously demonstrate compliance with key metrics to satisfy a diverse IT risk and compliance audience through compliance and IT risk reporting, operational security reporting and remediation modeling and forecasting. Create “what-if” scenarios to better estimate how a project or remediation effort will improve your IT risk and compliance posture. Assign and track remediation projects to measure and reflect improvement in compliance and IT risk metrics.
Reducing IT Security and Compliance Time and Expense: In a challenging economic climate, reducing cost is always top of mind for CISOs. By streamlining visibility and measurement as well as IT risk management workflows; Lumension® Risk Manager enables organizations to reduce audit preparation, cost and reporting of the compliance and security posture.

	Key Product Features	Benefit
IT Risk Profiling These features model the relationship between IT assets and business interests to identify IT-borne business risk.	IT Asset Catalog with Comprehensive Resource Types IT Asset repository includes all resource types, including applications, databases, servers, networks, data centers, people, and processes.	Ensure Comprehensive Visibility of IT Risk Exposure Security breaches can occur through many different avenues - servers, applications, data centers, endpoints, stolen/lost USB drives, etc. By cataloging all of these different asset types, you can gain visibility into all of the areas of potential IT risk exposure.
	Business Interest Mapping Create a catalog of key information and processes unique to your business that need to be protected from IT risk. Business interests are mapped to assets and risk scenarios to provide a business risk context for IT resources.	Correlate IT Risk to Business Impact Ensures risk-based analysis of your IT posture to provide valuable insight into prioritizing security control gaps that should be addressed.
	Business Impact Analysis through Stakeholder Surveys Use stakeholder surveys to determine the business impact of a risk scenario that compromises the confidentiality, integrity, or availability of a business interest.	Automate Survey Workflow Provides an automated effective means for identifying, capturing and incorporating business stakeholder input into the risk analysis process.
	Risk Profile Surveys Use automated surveys to allow system owners to set risk profile attributes for assets.	Automate Previously Manual Tasks Provides an efficient manner for obtaining system owner input into the risk analysis process.
	Reasonably Anticipated Risks Automatically enumerate all of the reasonably anticipated risks that should be mitigated for each asset.	Effective Communication of IT Risks to Business Audience Natural language IT risk statements enable the security team to clearly communicate IT risks to non-technical audiences.
	Dynamic Groups Define asset groups with attribute-based criteria. Membership in a group is determined dynamically based on whether an asset’s risk profile matches the group’s criteria.	Improve Visibility into IT Environment Provides flexibility and efficiency in metrics and reporting.
	Patent-Pending Risk Intelligence Engine Analyzes each assest’s risk profile to automatically identify: Risks the asset is exposed to Required compliance mandates Controls that must be implemented to satisfy both compliance and mitigate risk	Optimize IT Resources Automatic risk profile analysis saves time over manual risk analysis practices. The intelligence-based approach eliminates the need for highly-skilled security experts to spend time performing manual risk analysis.
IT Controls Framework Harmonizes control requirements for compliance mandates and risk mitigation.	Controls Framework Controls Framework includes technical, procedural, and physical controls.	Comprehensive Controls Risk and security cover more than just the technical controls you assess. Lumension® Risk Manager’s comprehensive controls model ensures end-to-end visibility of all control activities needed to ensure protection of information.
	Unified Compliance Framework(UCF) Network Frontiers’ industry-vetted, harmonized mapping of unique controls to compliance regulations is developed and maintained in collaboration with industry experts, legal advisors, and standards-setting bodies across global regulations.	Support Multiple Compliance Mandates Automatically harmonizes IT control frameworks with industry regulation requirements to ensure that controls are reasonable and sufficient to satisfy multiple compliance mandates
	Control Harmonization Common controls (e.g. “Strong Passwords”) are normalized into a single control, which is cross-referenced to all standards and regulations that call for the requirement.	Assess Once, Comply with Many Eliminates overlapping control requirements that result from multiple standards and regulatory requirements.
	Compliance Library Over 400 Regulations and Standards documents are included with full cross-references to supporting IT controls.	Optimize Compliance Workflows Immediately understand the controls required to implement on Subjects and avoid time spent performing custom cross-walks across multiple requirements documents.
	Internal Compliance and Security Policy / Control Mapping Import internal compliance and security policies and cross-reference them to the harmonized controls framework.	Prove Compliance with Internal Policies Demonstrates compliance with internal policies through a common assessment process.
	Controls Linked to Risk Mitigation Controls are automatically linked to the risk scenarios they help prevent, detect, or correct.	Quickly Mitigate IT Risk Demonstrates how IT controls can mitigate actual business IT risk.
IT Controls Assessment Automated assessment of technical, physical and procedural controls.	Workflow for Assessing Physical and Procedural Controls Automated risk assessment workflow provides structure around the process of collecting scores and evidence for physical and procedural controls.	Streamline IT Risk Management Workflow Saves time by organizing the data collection efforts associated with scoring physical and procedural controls into a single view.
	Automated Self-Assessment Surveys Send multiple-choice question surveys to system owners to receive up-to-date control implementation status. Once approved, survey responses automatically update scores.	Automate Previously Manual Tasks Saves time over in-person interviews and manual data collection methods.
	Survey Delegation Survey recipients can delegate surveys to other team members as needed.	Ensure Effective Survey Workflow Ensures that survey questions are routed to the appropriate person to answer the question without extensive up-front org-chart discovery by the security team.
	Control Score Aging Configurable timers track the age of every control score to determine when controls need to be re-assessed.	Ensure Current Assessment Information Automatically detects when score information has expired and needs to be updated to keep compliance and risk metrics up-to-date.
	Interfaces to Security Point Products Built-in connectors to Lumension security solutions and other third party vulnerability scanning tools, with field-configurable connectivity via SQL and automated data import and processing of XML and flat-file data, enable you to synthesize detailed data from disparate security tools.	Automate Vulnerability and Configuration Assessment Saves time by eliminating the need to manually parse through technical security reports to update high-level risk and compliance control scores - giving you a single place to access both roll-up and drill-down level reports about your security posture.
	Attachments for Evidence Collection Attachments on control scores provide evidence of the asserted score. Attachments can be files or URLs (for example, a URL to an internal document repository containing policies).	Simplified Management Provides a convenient way to manage the myriad evidence artifacts required to demonstrate the validity of self-assessment scores.
	Accountability for IT Risk Scores Every score record contains the UserID corresponding to who made the change.	Ensure Audit Accountability Provides accountability for score information.
	Exception Management Exception Management includes exception requests, approval/rejection, expiration and notification.	Enhance Compliance and IT Risk Management Provides flexibility to mark certain scores as “exempt” for a fixed period of time so that the exception state is visible, but not counted in compliance and IT risk calculations.
	Control Scoring History All historical control scores are automatically archived.	Proof of Compliance Ensures that historical scoring information is available when needed.
	Custom Control Score Status Indicator Score items within the assessment workflow can be flagged to indicate status.	Rapid Evaluation of Control Scores Flagging score status allows for quick triage of scores that require follow-up.
	Auditor Self-Service Scoring Panel The direct score entry panel is optimized for rapid scoring and data entry of assessment test results.	Optimize Audit Results Documentation Allows auditors and security analysts to quickly document the results of their security testing activities.
	Approval-Based Workflow Scores entered from self-assessment surveys and the auditor self-service panel can be reviewed and approved prior to committing them to the permanent scoring record.	Ensure Accuracy of Scoring Information Provides an opportunity for internal quality assurance on scoring information, and ensures that incorrect survey responses don’t affect trend data or scoring history.
Risk and Compliance Reporting Generate reports and metrics to satisfy a diverse risk and compliance audience.	Compliance Reporting Compliance reports demonstrate section-by-section status of your compliance with industry regulations, compliance mandates, and your own security policy	Deliver Comprehensive Reports Provides detailed reports to satisfy internal and external auditors.
	IT Risk Reporting IT Risk reports catalog security gaps and how they could affect key business interests.	Measure IT Risk to Business Impact Enables the communication of security gaps in a way that is easily understood by non-technical business stakeholders.
	Operational Security Reporting Operational security reports provide detailed security gap information for departments within IT operations.	Deliver Metrics for Rapid Security Enforcement Enables the communication of security gaps to IT operations teams and sets specific expectations on remediation.
	Risk and Compliance Index Distill mountains of security gap analysis information into risk and compliance index scores.	Improve Internal Communication Regarding IT Risk and Compliance Provides simple metrics that communicate your overall security, risk, and compliance posture.
	Trending Analysis Metrics on compliance, IT risk, and operational security are trended on a daily basis.	Quickly Determine Trends Demonstrate trends of security, risk, and compliance program improvement over time.
	Key Performance Indicators Track the aggregate score for a user defined subset of controls and subjects against a target value.	Focus on Metrics Vital to Your Business Enables you to keep a watchful eye on specific areas of interest with a simplified report-card view of your security posture.
	Customizable Dashboard Views Combine existing dashboard widgets into a personalized custom view.	Highlight Metrics that You Need to See Allows individual users, such as executives, business owners, system owners, external auditors, and security professionals to easily view the key metrics that are important to them.
	Consolidated Findings Analysis Employ the heuristics engine to effectively analyze control scores to discover patterns, such as a certain group of subjects that contribute disproportionately to a poor compliance score, or a certain type of control that fails across a broad array of subjects.	Ensure Rapid Remediation for High Priorities Allows you to quickly spot patterns in scoring information so that you can identify high-value remediation efforts.
	Remediation Tracking to Improve Security Control Deficiencies Provide assignment and status tracking of remediation projects. Projects can be tracked according to ownership and deadlines. Upon completion of a project, scores can be automatically updated.	Highlight Improvements in Security Posture Enables you to prioritize resources to pursue remediation activities that will have the greatest impact to the business and reflect improvement in your security and IT risk metrics.
	Remediation Modeling and Forecasting Create "what-if" project scenarios to optimize IT resources to see how that project or remediation will improve your risk and compliance metrics.	Improve Operational Efficiencies Enables the prioritization of IT resources and remediation efforts based on the impact to metrics, and compare remediation projects by cost and time estimates across all controls.
	Automated E-mail Notificationss Alerts are configurable to specific users/groups and provide notifications of key conditions and state changes within your security posture.	Improve Visibility on Changes Ensures that users are aware of security policy changes and that security administrators are notified of security posture changes, such as a server that is failing a critical control or an application that is overdue on an assessment.

Requirements	Version
Hardware	Dedicated Server Dual-Core Processor preferred, single core processor is suitable 2GB RAM 50 GB of available disk space 7200 RPM Drive and/or RAID configuration preferred A single 100 Mbps network connection (with access to the Internet)
Operating System	Microsoft Windows Server 2003 / 2005 / 2008
SQL Server	Microsoft SQL Server 2005/2008 – can be installed locally or on a remote database server. Microsoft SQL Server 2005 Express Edition
Internet Browser	Firefox 3 or higher Microsoft Internet Explorer 7 or higher Safari 3 or higher

Next Steps

Newest Resources

Products

Live Chat by LivePerson

Don't Miss This...

Forrester Webcast Security or Compliance - What Comes First?

When organizations assign resources and workflows to adhere to increasing regulatory requirements, they must ask whether being compliant equals security.

On-Demand »

Lumension® Risk Manager