Overview of Spectra, a Compliance Spectrum Product
Presented by: Novalis & Partners, November 2007
About the Mission of Compliance Spectrum
Provide IT Governance, Risk and Compliance solutions that automate the compliance lifecycle from policy identification through implementation and remediation, dramatically lowering the cost of compliance and reducing business risk.
2007 © Compliance Spectrum. All rights reserved.
Spectra Function Overview
• Compliance Mapping
– Identify gaps between controls and evidence
– Link to existing system, network and security management systems
– Record manual or paper-based processes
• Policy Management
– Extensive database of regulations, best-practice frameworks and control statements
– Workflow management for coordination and dissemination of policies
• Audit Management
– Plan and manage issues and close audits
– Cross-organization resource planning
Function Overview
• Reporting
– Pre-formatted reports available
– User-defined reports
• Task Management
– User-generated tasks, with email notification
– System-generated email notification for Policy, Audits, and Compliance Evidence
• User Administration
– Role-Based Access Control
– User-defined access and work groups
Spectra Lite Architecture
Create a single, centralized control and policy repository, using your own framework and content, together with a comprehensive compliance evidence 'locker'.
[Architecture diagram. Components shown: a Control and Policy Library covering Attestations, Assessments and Policy Awareness Tracking; a Compliance Evidence Repository fed by automated mapping and continuous monitoring; and the evidence sources it connects to: IAM tools, SIEM tools, network VA tools, host VA tools, and change/configuration management tools.]
Planning Compliance Management
Planning
• Identify Relevant Regulatory Requirements: identify relevant federal or international legislation, industry standards, or national, state, and local directives affecting the Company
• Define Confidential Information: identify information that is considered sensitive for compliance, legal, or competitive reasons
• Identify Critical Business Processes: understand, from a risk perspective, which business processes are essential to the Company's revenue and continuing operations and may contain sensitive information
• Identify Critical Business Applications: identify which information systems or technologies support the critical business processes
Spectra Compliance Management
Framing
• Select Framework: for multi-regulatory environments, a common or underlying framework (ISO 17799, COBIT, ITIL, etc.) is recommended. Selection of a framework will be influenced by the type of industry, legal requirements, and regulatory requirements.
• Select Relevant Regulations: identify the relevant regulations and sections based on the risk tolerance of the organization.
• Identify Compliance Maps: a compliance map is equivalent to a matrix that defines the appropriate controls and associates the proof of implementation of those controls with them. A compliance map can represent the controls applicable to a business process or unit, an application, a facility, a regulation, or a specific role. Map scope is influenced by the critical business processes, the size of the organization, its modus operandi and culture, and the size of the staff available to manage compliance.
Building
• Identify Relevant Policy: relevant policy, procedures, or standards are those existing and approved documents that support the safeguards or controls identified in the compliance map(s).
• Map Evidence to Compliance Map Controls: evidence is proof of implementation and is correlated to the relevant controls. Controls and evidence should be based on risk.
• Identify Gaps in Compliance Maps: identify gaps (1) between existing policy and the framework and (2) between policy and proof of implementation.
• Identify Relevant Audit Findings: review outstanding audit findings to prioritize which gaps to fill first and to assist in determining the appropriate controls and evidence.
Finishing and Monitoring
• Create/Update Policy: finishing means filling in the gaps by creating new policy, updating existing policy, or adding the required procedures, standards, or guidelines.
• Create or Schedule Missing Evidence: evidence is policy, procedures, standards, attestations, reports from existing security event monitoring tools, vulnerability assessments, board minutes, awareness presentations, etc. This is information collected from the user's environment. Collection of evidence should be conducted on a routine basis; Spectra identifies evidence that is overdue and requires updating or refreshing.
• Continuously Monitor: continuous monitoring is critical to maintaining compliance. Evidence that is not current, or is missing, may indicate non-compliance. Associating a risk impact with a control or piece of evidence aids in determining the level of non-compliance and in achieving continuous monitoring.
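The Building and Finishing/Monitoring steps above describe a compliance map as a control-to-evidence matrix with two kinds of gap (controls lacking an approved policy, and controls lacking proof of implementation), plus an overdue-evidence check and risk-based prioritization. The Python below is an added illustration of that logic; it is not Spectra's code or data model. The Control and Evidence classes, the 1-to-5 risk-impact scale, the per-item refresh window and the sample map are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    risk_impact: int            # assumed scale: 1 (low) to 5 (high)
    policy_ids: tuple = ()      # approved policy/standard documents supporting the control


@dataclass(frozen=True)
class Evidence:
    evidence_id: str
    control_id: str
    source: str                 # e.g. "SIEM report", "attestation", "board minutes"
    collected_on: date
    refresh_days: int           # assumed collection cadence; older evidence is overdue

    def is_overdue(self, as_of: date) -> bool:
        return as_of > self.collected_on + timedelta(days=self.refresh_days)


@dataclass
class ComplianceMap:
    """Control-to-evidence matrix for one scope (a process, application, regulation, role...)."""
    name: str
    controls: dict = field(default_factory=dict)
    evidence: list = field(default_factory=list)

    def add_control(self, control: Control) -> None:
        self.controls[control.control_id] = control

    def add_evidence(self, ev: Evidence) -> None:
        # Evidence must be correlated to a control that exists in this map.
        if ev.control_id not in self.controls:
            raise KeyError(f"evidence {ev.evidence_id} refers to unknown control {ev.control_id}")
        self.evidence.append(ev)

    def policy_gaps(self) -> list:
        """Gap type (1): controls in the map with no approved policy behind them."""
        return sorted(cid for cid, c in self.controls.items() if not c.policy_ids)

    def overdue_evidence(self, as_of: date) -> list:
        """Evidence past its refresh window that needs re-collection."""
        return sorted(ev.evidence_id for ev in self.evidence if ev.is_overdue(as_of))

    def evidence_gaps(self, as_of: date) -> list:
        """Gap type (2): controls with no *current* proof of implementation (none, or only overdue)."""
        current = {ev.control_id for ev in self.evidence if not ev.is_overdue(as_of)}
        return sorted(cid for cid in self.controls if cid not in current)

    def prioritized_gaps(self, as_of: date) -> list:
        """All gaps ordered by risk impact (highest first), i.e. which gaps to fill first."""
        gaps = set(self.policy_gaps()) | set(self.evidence_gaps(as_of))
        return sorted(gaps, key=lambda cid: (-self.controls[cid].risk_impact, cid))


# Constructed sample data for the example; not from any real assessment.
SAMPLE_AS_OF = date(2007, 11, 15)


def build_sample_map() -> ComplianceMap:
    m = ComplianceMap("Payment application")
    m.add_control(Control("AC-1", "Application access is reviewed quarterly", 4, ("POL-ACCESS",)))
    m.add_control(Control("LM-1", "Security events are centrally logged and reviewed", 5, ("POL-LOGGING",)))
    m.add_control(Control("VM-1", "Hosts are scanned for vulnerabilities monthly", 3, ("STD-VULN",)))
    m.add_control(Control("AW-1", "Staff complete annual security awareness training", 2))  # no policy yet
    m.add_evidence(Evidence("E-1", "AC-1", "IAM access review attestation", date(2007, 9, 30), 90))
    m.add_evidence(Evidence("E-2", "LM-1", "SIEM monthly report", date(2007, 7, 1), 30))  # stale
    m.add_evidence(Evidence("E-3", "VM-1", "Host VA scan report", date(2007, 10, 20), 30))
    return m


if __name__ == "__main__":
    cmap = build_sample_map()
    print("policy gaps:     ", cmap.policy_gaps())
    print("overdue evidence:", cmap.overdue_evidence(SAMPLE_AS_OF))
    print("evidence gaps:   ", cmap.evidence_gaps(SAMPLE_AS_OF))
    print("fill first:      ", cmap.prioritized_gaps(SAMPLE_AS_OF))
```

Run as-is, the sample map reports AW-1 as a policy gap, E-2 as overdue, AW-1 and LM-1 as evidence gaps, and LM-1 ahead of AW-1 in the fill-first order because its assumed risk impact is higher. Treating overdue evidence as absent is the deliberate choice here: stale proof of implementation is what the slide says "may indicate non-compliance".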
Spectra Development Platform
[Platform diagram. Spectra is built as extensions to the GLIDE stack. Layers shown: applications (Incident and Problem, Configuration and Asset, Release Management); the GLIDE user interface, served to the Web over TCP/IP using HTTP/SSL; a servlet container (Apache/Tomcat); an RDBMS holding application data and CMDB data; and a MID Server providing auto-discovery across OSI layers 2-7. Supported platforms: Windows, Linux, UNIX and z/OS.]