Prove It to the Auditors with McAfee's Innovative and Efficient Solutions
Evelyn De Souza, Senior Manager, Risk and Compliance Solutions and Chris Parkerson, Group Manager, Data Protection Solutions
So many regulations, so little time and so few resources. That sums up the compliance scenario for many large and medium organizations in this day of proliferating mandates and requirements. In addition to the heavy investment companies are required to put into implementing and enforcing controls to achieve compliance, organizations are also finding themselves dedicating a hefty amount of time and resources proving it at audit time. Enterprises are under increasing pressure not only to be compliant, but also to be able to demonstrate it within the context of established compliance frameworks.
For many medium and large enterprises, it’s a big stretch to prove compliance to the mounting number of government and industry regulations and even their own internal policies. Data breaches across nearly all private and public sectors around the world have given rise to more mandates and tougher compliance requirements. Each year, in the U.S. alone, more than 2,000 new compliance laws are passed, most of which focus on data protection and many of which overlap.
Come audit time, IT and security departments all over the world get the jitters from the sheer enormity of the tasks they have to face. IT departments are depleted and worn out from the tedious, time-consuming, and resource-intensive manual processes that are involved in proving that every “i” is dotted and every “t” is crossed.
Why Audits Mean Long, Late Nights for IT and Security Staff
One of the reasons companies resort to processes like filling out spreadsheet after spreadsheet with manually gathered data is that enterprises tend to use multiple, disparate security technologies. Timely and accurate data collection is a protracted, manual endeavor largely because proprietary interfaces for point products prevent data integration, even if the reporting capabilities of the products are automated. This lack of operational efficiency puts a huge strain on IT departments, robbing them of the time they need to maintain the organization’s security posture. And needless to say, responding to audits in this way is expensive.
The audit process is not only long and painful, it’s also recurring. Some audits, like Sarbanes-Oxley (SOX) occur quarterly, while others are annual events. Regardless of how often audits take place, it takes a village. Most audits require numerous key players, including:
The Chief Information Officer (CIO), who is involved from an operational efficiency standpoint
The Chief Information Security Officer (CISO), who participates in the implementation and design of controls and builds frameworks to optimize compliance posture
Audit officers who make sure that audits are run according to industry standards
Risk officers who analyze the justification for prioritizing risks and mitigating them
Privacy officers who protect confidential data for the company, an especially important role for companies in sectors such as entertainment, technology, healthcare, pharmaceuticals, and ecommerce that are required to comply with HIPAA, state and national data privacy regulations, and PCI DSS
What exactly do IT audits entail?
The first step is the internal audit, which is done in preparation for external audits. The internal audit gives organizations an opportunity to gather their data, check their performance against controls and policies, and make remediations before the external auditor comes to call. The processes for both audits are actually very similar.
Some enterprises use a standard framework, such as International Organization for Standardization (ISO) 27001 or Information Technology Infrastructure Library (ITIL), to cross-map IT controls against multiple regulations. This can help consolidate the number of separate audits they may face. More mature organizations often have well-built frameworks and map their processes against a maturity model. Typically, however, audit security teams spend long hours collating data from multiple disparate security tools. It may take weeks to prepare for audits. In the meantime, with IT and security personnel buried in audit tasks, there may be serious lapses in enterprise security posture. More mature organizations will seek tools that are integrated and that can help automate the processes and reporting required for compliance.
After the internal audit is completed, the corporate internal audit department reviews the results and prepares reports. The appropriate parties are then notified and asked to remediate any issues. The final step is to repeat the whole process again for the external audit according to the number of regulations and standards with which they have to comply.
McAfee Compliance Solutions: Integration + Innovation = Efficiency
McAfee solutions ease the burden of preparing for compliance audits with three key technologies: McAfee Total Protection for Data, which includes strong data and device encryption; McAfee Policy Auditor; and, at the helm, McAfee ePolicy Orchestrator.
McAfee ePolicy Orchestrator
With McAfee’s centralized management console McAfee ePolicy Orchestrator® (ePO™), organizations work from a single management platform that provides data integration and reporting, reducing the frustrations associated with disparate products. In addition to collaborating with other McAfee products, including McAfee Data Loss Prevention, McAfee Endpoint Encryption, and McAfee Policy Auditor, ePO also integrates with third-party products. In fact, the McAfee Security Innovation Alliance (SIA) program is designed to help vendors develop interfaces to ePO using a Software Development Kit (SDK), so that customers can leverage their existing security products.
Implementing a management system like ePO can win points and bigger budgets for IT. In an eWeek article published in 2007, Cameron Sturdevant observes: “IT managers can win funding for compliance projects by selecting compliance tools that collect once and report often … drastically reducing the amount of staff time needed to satisfy auditors.”
Encryption and Oversight with McAfee Total Protection for Data
According to a survey conducted by Merrill Lynch last year, data protection is the number one priority for CISOs. The issue has bubbled up to the surface for a number of reasons: the explosive growth of difficult-to-control mobile devices used by a growing population of mobile professionals, escalating privacy regulations—statewide and countrywide—and the loss of credibility and disclosure costs that result from data breaches.
Once again, throwing point products at the problem is not a viable solution. And there’s a whole litany of reasons why this approach doesn’t work:
High management costs: When faced with administering myriad point products, security and non-security staff feel like one-handed jugglers. It’s almost impossible not to drop the ball at some point.
No alignment to policy: Because of the management complexities, companies find it difficult to match controls to security policy requirements.
Life cycle vulnerabilities: It becomes virtually impossible to maintain processes when individual systems and solutions go their own way.
Increased risk of data loss: Lack of centralized monitoring and auditing opens up vulnerabilities that could lead to breaches.
McAfee Total Protection for Data integrates various technologies for a comprehensive data protection solution, including:
McAfee Data Loss Prevention for complete control and absolute visibility over user behavior
McAfee Endpoint Encryption for full-disk, mobile device, and file folder encryption coupled with strong authentication
McAfee Device Control to prevent unauthorized use of removable media devices
McAfee Encrypted USB to secure portable external storage devices
ePO gathers the data from all of these technologies to help companies measure controls against compliance mandates. Let’s take a look at how ePO collaborates with McAfee encryption as an example. With enhanced oversight capabilities via ePO integration, organizations can prove that assets were encrypted even if the encryption did not originate with McAfee. Reports that can be displayed include encryption status of systems, drives and partitions, and endpoint encryption installation. From the report, an administrator can directly deploy McAfee Endpoint Encryption to quickly remediate the problem. And, they can easily monitor and enforce user behavior with event details and evidence information.
Policy Auditor Raises Productivity, Lowers Costs
McAfee Policy Auditor is very tightly integrated into the ePO infrastructure and is built on the Security Content Automation Protocol (SCAP) family to automate the processes required for IT audits. SCAP standardizes the types of information that are communicated among products and services for asset, vulnerability, and compliance management.
Here’s how McAfee Policy Auditor takes advantage of its seamless ePO integration and how it implements SCAP as a way of streamlining and simplifying compliance:
From a single dashboard, ePO displays an organization’s overall security status, including compliance posture. McAfee has mapped IT controls to specific mandates and provides out-of-the-box templates, which can also be customized. Policy Auditor maps all of these checks to common, industry-standard protocols (for example, passwords should be at least eight characters long). Because Policy Auditor is built on the SCAP protocols, organizations can import external audit benchmarks and run both internal and external audits against those benchmarks. That way, misinterpretation between external auditors and the internal audit team is kept to a minimum.
Policy Auditor provides a continuous audit model. Auditors can specify the freshness of the data they want to look at: day-old data, two-day-old data, one-week-old data, and so on. Since this is an automated function, the task of manually producing current reports is offloaded from security and audit teams. Plus, to prevent business disruptions, IT departments can specify when audit data is collected.
Waiver management helps justify deviations from policy to auditors. Policy Auditor now includes suppressions, exceptions, and exemptions to enable organizations to account for deviations from policy while meeting their compliance requirements.
ePO’s flexible dashboards satisfy the board, C-level executives, auditors, and compliance teams. Customizable dashboards provide executive summary views along with drill-down reporting for auditors who want to dig deeper. Internal compliance teams can see why something has failed and take appropriate measures. In the case of encryption, they can determine which systems were encrypted properly and which ones were not and then apply remediation.
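The three mechanisms described above (benchmark checks such as a minimum password length, a freshness window for collected evidence, and waivers that justify deviations) fit together in a small evaluator. The following is an added illustration written for this page; it is not McAfee Policy Auditor code and does not use the real SCAP (XCCDF/OVAL) file formats. The rule identifiers, host names, settings, and waiver records are all constructed for the example, and the four result states (pass, fail, waived, stale) are an assumption about how a dashboard would want the outcome categorised.

```python
"""Minimal compliance-check evaluator (added illustration, not vendor code).

Assumed data model: each host record carries the time its evidence was
collected, so the evaluator can separate stale evidence from a genuine
failure, and each waiver records a justified deviation with an expiry date.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    rule_id: str
    description: str
    check: Callable[[dict], bool]  # returns True when the setting is compliant


# Hypothetical benchmark rules (ids and checks are constructed for this example).
RULES: List[Rule] = [
    Rule("pw-min-length", "Passwords must be at least eight characters long",
         lambda s: s.get("password_min_length", 0) >= 8),
    Rule("disk-encrypted", "System drive must be encrypted",
         lambda s: s.get("disk_encrypted", False) is True),
]


@dataclass
class HostEvidence:
    hostname: str
    collected_at: datetime  # when the agent last reported these settings
    settings: dict


@dataclass
class Waiver:
    hostname: str
    rule_id: str
    kind: str  # "suppression", "exception" or "exemption"
    justification: str
    expires: datetime


def waiver_for(waivers: List[Waiver], hostname: str, rule_id: str,
               now: datetime) -> Optional[Waiver]:
    """Return the first unexpired waiver covering this host and rule, if any."""
    for w in waivers:
        if w.hostname == hostname and w.rule_id == rule_id and w.expires > now:
            return w
    return None


def evaluate(hosts: List[HostEvidence], rules: List[Rule], waivers: List[Waiver],
             now: datetime, max_age: timedelta) -> Dict[str, Dict[str, str]]:
    """Return {hostname: {rule_id: status}}, status in pass/fail/waived/stale.

    Evidence older than max_age is reported as 'stale' for every rule rather
    than being scored, so an auditor asking for day-old data never sees a
    'pass' that rests on week-old evidence.
    """
    results: Dict[str, Dict[str, str]] = {}
    for host in hosts:
        stale = now - host.collected_at > max_age
        per_host: Dict[str, str] = {}
        for rule in rules:
            if stale:
                per_host[rule.rule_id] = "stale"
            elif rule.check(host.settings):
                per_host[rule.rule_id] = "pass"
            elif waiver_for(waivers, host.hostname, rule.rule_id, now):
                per_host[rule.rule_id] = "waived"  # deviation is documented
            else:
                per_host[rule.rule_id] = "fail"
        results[host.hostname] = per_host
    return results


def summarize(results: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Executive-summary counts across all hosts and rules."""
    counts = {"pass": 0, "fail": 0, "waived": 0, "stale": 0}
    for per_host in results.values():
        for status in per_host.values():
            counts[status] += 1
    return counts


def failing_hosts(results: Dict[str, Dict[str, str]], rule_id: str) -> List[str]:
    """Drill-down view: which hosts fail a given rule without a waiver."""
    return sorted(h for h, r in results.items() if r.get(rule_id) == "fail")


# Constructed sample evidence and waivers.
NOW = datetime(2024, 1, 10, 9, 0)
SAMPLE_HOSTS = [
    HostEvidence("ws-01", NOW - timedelta(hours=6),
                 {"password_min_length": 12, "disk_encrypted": True}),
    HostEvidence("ws-02", NOW - timedelta(hours=20),
                 {"password_min_length": 6, "disk_encrypted": True}),
    HostEvidence("kiosk-03", NOW - timedelta(hours=2),
                 {"password_min_length": 8, "disk_encrypted": False}),
    HostEvidence("srv-04", NOW - timedelta(days=9),
                 {"password_min_length": 12, "disk_encrypted": True}),
]
SAMPLE_WAIVERS = [
    Waiver("kiosk-03", "disk-encrypted", "exemption",
           "Stateless kiosk image holds no local data", NOW + timedelta(days=90)),
]


def run_sample(max_age: timedelta = timedelta(days=7)) -> Dict[str, Dict[str, str]]:
    return evaluate(SAMPLE_HOSTS, RULES, SAMPLE_WAIVERS, NOW, max_age)


if __name__ == "__main__":
    res = run_sample()
    for host, statuses in res.items():
        print(host, statuses)
    print(summarize(res))
```

Tightening the freshness window (for example, `run_sample(timedelta(hours=12))`) moves hosts whose agents have not reported recently into the stale bucket instead of letting old evidence count as a pass, which is the property a continuous audit model needs; the waiver lookup enforces the expiry date so a documented deviation does not silently outlive its justification.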
Conclusion
Armed with McAfee’s innovative compliance auditing and reporting technologies, organizations will feel more empowered when facing the prospect of internal and external audits. Once onerous tasks that were previously tackled manually with little guarantee of accuracy or currency have given way to integrated, automated processes that support industry standards, make data gathering seamless, provide flexible reporting options, and positively impact the bottom line. The end result is a confident response to the question, “Can you prove it?”, and fewer long, sleepless nights spent poring over spreadsheets for hardworking IT and security staff members.