Automated Risk and Compliance Management

InfoSecurity Europe : 19 February, 2009  (Special Report)
Gidi Cohen of Skybox Security examines IT Risk and Compliance Management and how it can be managed in a more automated fashion

As organisations rely more heavily on IT infrastructure to support critical business applications and processes, a Perfect Storm has emerged for IT Risk and Compliance Management. It is formed by the intensification of three colliding drivers:

Business Exposure:

* Achieve and maintain compliance with internal best practices or regulatory mandates.

* Proactively reduce IT risk exposure - despite thousands of new and highly sophisticated cyber threats and vulnerabilities.

* Proactively reduce availability exposures - despite daily network configuration changes.

Resource Constraints:

* Reduce resource dependency - due to financial pressures or inability to find skilled resources, achieving operational efficiency is now mandatory.

IT Complexity:

* Manage increasing IT complexity - due to the number of systems, diversification of vendors, inefficient processes, and new technologies.

According to industry experts, these three drivers will continue to intensify. The Perfect Storm is here to stay as long as IT Risk and Compliance Management is addressed through inefficient and costly manual processes.

One way to find safe harbour is emerging, however, through the deployment of a proactive, automated, and cost-effective approach.

The Perfect Storm can be completely circumvented through the deployment of ARCM (Automated Risk and Compliance Management) solutions. Since 2004, ARCM has aimed to move away from reactive security and compliance programs to more proactive, measurable, and predictable best practices. Some of the largest and most security-conscious organisations with large, complex, constantly-changing global networks have saved time and money through ARCM. These organisations can identify IT risk, threats and vulnerabilities as well as compliance exposures in minutes versus days or weeks. And ROI is often realised in a few months despite increased complexity and rapid change.

ARCM solutions should contain four key technical capabilities:

* Modelling
* Analytics
* Predictive or What-if Capability
* End-to-end Automation

The benefits are:

* Modelling allows organisations to conduct proactive analysis, assessment and management of risk and compliance exposures without affecting the IT environment.

* Modelling, analytics and predictive capability enable an in-depth understanding of the past, present, and future.

* Automation enables fewer resources to drive complex decisions based on facts rather than subjective assessments. Risk and compliance exposures and their business impact can be quickly assessed in a few minutes - a process that today can take hours, days and even weeks.

* Fewer resources required to get the job done - even within complex and heterogeneous IT environments.

These benefits produce meaningful and measurable business results:

* Annual process savings of 80%-95%
* Reduced staff load and rework
* Improved IT security and availability - continuously verified
* Compliance assurance - despite rapid change

According to organisations that have deployed ARCM, there is no other way to accomplish the above, even with unlimited human resources. The characteristics of ARCM solutions are:

* Used each day to solve complex operational challenges
* Should not add another layer of security or information silo
* Establish a unified view whose intelligence can be quickly analysed to drive critical decisions
* Should seamlessly integrate with existing IT infrastructure and perform all analysis off-line so that the production environment and business applications are not disrupted
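The modelling, what-if and off-line analysis points above are easier to see on a concrete model. The following is an added example, not Skybox Security's code or data model: it builds a small constructed network model (zones, an ordered firewall rule base, hosts with open ports and constructed "known vulnerable" ports), checks it against a constructed policy, and evaluates a proposed rule change against a copy of the model so the production rule base is never touched. The host names, rules, ports and policy entries are all constructed sample data.

```python
"""Offline 'what-if' exposure analysis over a small constructed network model.

Added example: the model, policy and proposed change are constructed sample
data, not Skybox Security's product data model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int      # 0 means "any port"
    action: str    # "allow" or "deny"


@dataclass
class Host:
    name: str
    zone: str
    open_ports: Dict[int, str]                      # port -> service name
    vulnerable_ports: List[int] = field(default_factory=list)  # constructed: ports with an unpatched finding


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, port: int) -> str:
    """First-match evaluation of an ordered rule base; implicit default deny."""
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.port in (0, port):
            return r.action
    return "deny"


def exposures(rules: List[Rule], hosts: List[Host], untrusted_zone: str = "internet") -> List[Tuple[str, int, str]]:
    """(host, port, service) triples reachable from the untrusted zone on a vulnerable port."""
    found = []
    for h in hosts:
        for port in h.vulnerable_ports:
            if first_match(rules, untrusted_zone, h.zone, port) == "allow":
                found.append((h.name, port, h.open_ports.get(port, "?")))
    return found


def policy_violations(rules: List[Rule], policy: List[Tuple[str, int, str]]) -> List[Tuple[str, str, int]]:
    """policy: (src_zone, dst_zone, port) flows that the rule base must deny."""
    return [(s, d, p) for (s, d, p) in policy if first_match(rules, s, d, p) == "allow"]


def what_if(rules: List[Rule], change: Rule, position: int, hosts: List[Host], policy) -> Dict[str, list]:
    """Evaluate inserting `change` at `position` on a copy of the rule base.

    Only the differences are reported, so an operator sees exactly what the
    change would newly expose or newly violate before it is pushed to production.
    """
    proposed = list(rules)          # copy: the live rule base is never modified
    proposed.insert(position, change)
    return {
        "new_exposures": sorted(set(exposures(proposed, hosts)) - set(exposures(rules, hosts))),
        "new_violations": sorted(set(policy_violations(proposed, policy)) - set(policy_violations(rules, policy))),
    }


# Constructed sample model
RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "internal", 1433, "allow"),
    Rule("internet", "internal", 0, "deny"),
]
HOSTS = [
    Host("web1", "dmz", {443: "https", 22: "ssh"}, vulnerable_ports=[22]),
    Host("db1", "internal", {1433: "mssql"}, vulnerable_ports=[1433]),
]
POLICY = [("internet", "internal", 1433), ("internet", "dmz", 22)]

# Constructed change request: open ssh from the internet into the DMZ, at the top of the rule base
PROPOSED_CHANGE = Rule("internet", "dmz", 22, "allow")

if __name__ == "__main__":
    print("current exposures:", exposures(RULES, HOSTS))
    print("current violations:", policy_violations(RULES, POLICY))
    print("what-if:", what_if(RULES, PROPOSED_CHANGE, 0, HOSTS, POLICY))
```

Against the constructed model the current rule base has no exposures and no policy violations; the what-if run shows that the proposed rule would newly expose web1's vulnerable ssh port and violate the "no internet to DMZ ssh" policy entry, which is the fact-based input a change review needs before anything is pushed to the live firewall.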

With so much noise surrounding IT GRC, many organisations have become confused as to what IT GRC really means and how it fits. According to industry research reports, the IT GRC market space will be composed of strategic business frameworks (aka Framework vendors) and tactical operational solutions (aka Risk and Compliance Management vendors), each designed to address different business challenges.

IT GRC business frameworks substantially help organisations implement COBIT, COSO, ITIL, ISO or other control frameworks. They aggregate IT control-related information across IT programs and periodically report the organisation's governance status. IT programs include, but are not limited to, identity management, risk management, compliance management, change management and configuration management.

The goal is to help organisations report with a systematic and enterprise-wide approach on IT controls and governance initiatives. Therefore, they can help:

1 Define IT policies, processes and controls based on best practices
2 Map policies to technical controls
3 Report on control framework implementation status and effectiveness
4 Automate the governance of these elements

On the other hand, risk and compliance management solutions are used in an operational role on a daily basis by the security team and IT operations to identify, measure, or manage technical security controls necessary to reduce IT risk or compliance exposure. These solutions collect configuration and log information from network devices and other IT information systems such as patch management, vulnerability management, and asset management.

Automation is usually incorporated to enable the organisation to demonstrate a measurable, repeatable and efficient methodology for IT risk and compliance management:

1 Identify, measure, and manage security risk, threat or vulnerability exposures
2 Assess the effectiveness of technical security controls
3 Support the change management process
4 Automate the processes of these elements

The benefits are:

* Improve IT security and verify if technical controls are compliant with corporate policies
* Maximise existing IT investments
* Scale to meet current and future needs
* Reduce resource dependency - saving time and money

ARCM solutions provide critical information to the IT GRC framework solutions in support of a broader IT GRC mandate.

ARCM solutions are now turning the talk of proactive and cost-effective IT risk and compliance management into reality - and helping organisations safely navigate the Perfect Storm. Looking into the future, ARCM will evolve to: automate many processes throughout the entire IT stack; serve as a much needed "Database of Record" for the state of IT security and compliance; and integrate within the organisational IT and security management system.

Skybox Security is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe, held on 28th - 30th April in its new venue, Earl's Court, London. The event provides an unrivalled free education programme and exhibitors showcasing new and emerging technologies and offering practical and professional expertise.
