Integrated Risk Management: Providing an Actionable View of IT and Operational Risk to the C-Suite

30 Oct 2013 (3 years and 9 months ago)

www.modulo.com

ISACA 2012 North America Information Security and Risk Management Conference
Las Vegas, November 14-15, 2012

Company: Profile and Offering

- Modulo is a premier global provider of Security and Risk Management solutions across IT/eGRC, operations, infrastructure and the mobile/social domain
- Global presence: North and South America, EMEA, APAC
- 400+ employees
- 80+ partners in 25+ countries
- Integration capability with 40+ products
- Version 8 scheduled for Q1 2013
- Platform and modules including 16 distinct solutions covering Risk, Compliance, Enterprise, BCP, Ops, Physical, Mobile
- 431+ Knowledge bases with 18,095+ controls and 3,145+ built-in data collectors

Sample Customers

Risk Management: challenges

- Progress-tracking and monitoring with "messy" spreadsheets and emails
- Prioritizing and remediating findings
- Harmonizing risk scores from many sources
- Reporting risk assessment results across LOBs & applications

Solutions: assessment framework, aggregation framework

- Automate key elements of risk assessment
- Marry real business relevance with IT assets, compliance needs, and findings
- Capture data and harmonize findings from multiple risk management tools
- Rapid and complete reporting on results of enterprise IT & Compliance checks

Integrated Risk Management Platform

Automated Risk Management

- Risk Data Collection. Uses: map compensatory controls; incorporate vulnerabilities, app-scan results, and more; map application configuration data to risk findings
- Reports. Uses: integrated risk & compliance dashboard; reports for audit; policy management
- Assessments. Uses: automated collections; surveys; questionnaires with guidelines on meeting control requirements
- Monitoring & Planning. Uses: continuous monitoring; build long-term business plans to maintain ongoing compliance and reduce risk

Build a comprehensive GRC program

- ISO 27001 Certification
- PCI Assessment
- Incident & Remediation Management
- Policy Management
- Compliance Management
- NERC-SCADA
- Vendor Management
- Vulnerability Management
- SAP ABAP Code
- Continuous Monitoring
- Risk Management
- HIPAA Compliance

Integrations facilitate all stages of risk management & assessment: INVENTORY, ANALYSIS, TREATMENT, EVALUATION

Automatically import & manually input your assets

Diagram elements: Active Directory Import; RM Project Manager (RM@client.com); Crucial Server; End User (eu@client.com); Controls & Legal Frameworks

Identify assets in scope

Select relevant frameworks & controls

Technologies: Cisco Router; Oracle; Microsoft SQL Server; Unix Solaris; Microsoft IIS; SAP; Apache; Windows; Linux; Access Point - WLAN; Application System in Production; Check Point VPN 1/Firewall 1 NG; IBM Lotus Notes R5; Microsoft ISA Server; PDA; Firewalls

Physical Controls: Datacenter; Office

Processes: HIPAA; NIST 800-66; HITECH; Change Management; Data and System Backup; Systems Continuity Management; Contracts with Vendors; Business Process Information Flow; IT Security Organization; ISO 27001; CobiT 4.1 - IT Process Maturity; FISMA; NIST 800-53; PCI Data Security Standard; BITs - FISAP; AUP and SIG

People: IT Technician; Senior Manager; Security Officers; Area or Process Manager; End User

Map legal frameworks to controls

Legal Framework mapped to: Process Level; Application Level; Database Level; OS Level; Virtualization; Network level (user-defined project scoping)

Report assets in scope

Dashboard: Organizational overview of assets, type (OS, Vendor, Network, Database, etc.) & quantity

Map asset locations

Assign Business Relevance to Assets, Apps, & Departments

Diagram elements: Security Officer; Windows 2008; Oracle 10 G; CFO; Windows 7; End User; IT Department; Finance; Health Records; Risk Manager; IT Laws; Customer Service; Order Entry; Legal Requirements

Report risk findings on the fly

Data collection processes

1. Questionnaires
2. Surveys
3. Automated collections
4. Vulnerabilities
5. Mobile applications

Options for automated data collection speed up and improve analysis

1. Questionnaires (Security Officer; HIPAA project manager)

2. Surveys (CISO; Security Officer; End User)

3. Agent-less Automated Collectors

Modulo Open Distributed SCAP Infrastructure Collector (modSIC): Open Source collection and assessment service for technology assets based on the open SCAP (Security Content Automation Protocol) standard.

4. Vulnerability Scanner Integration

5. Mobile Apps

Tools for monitoring & efficient project management

- Keep track of assessment status
- Quickly identify lagging assessment efforts

Compliance levels

Dashboard: Snapshot of level of compliance to HIPAA & other frameworks

Risk Levels

Dashboard: Gauge risk by department, process, and threat

Prioritize Risk

Diagram elements: Crucial Server; HIPAA Requirements; Crucial Server; Human Resources

Set appropriate remediation priorities by business relevance

Risk Calculation

Diagram: Relevance, Probability and Severity feed the Risk calculation. Control-related inputs (defaults from Security Lab); business-related inputs (get from Mgmt).

Prioritize remediation efforts

Control | Risk
Lack of access control procedure and documentation | Very High
Poor security awareness campaign | High
Lack of two-factor authentication at datacenter entrance | Medium
Minimum password length equals 5 | Low
Guest user at server A | Very Low

RISK APPETITE: controls above the appetite line are treated; those below it are accepted.
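The risk calculation and appetite slides above name the inputs (business-related Relevance; control-related Probability and Severity) and the Treat/Accept split, but not how a score is produced. The following is an added worked example, not Modulo's code: it assumes a 1..5 ordinal scale, a multiplicative score, band cut-offs and sample factor levels, and reproduces the deck's five-control table as a ranked treat/accept list.

```python
"""Risk prioritisation worked example.

Added illustration, not Modulo's code. The deck names three inputs to its
risk calculation (business-related Relevance from management; control-related
Probability and Severity from security-lab defaults) and a risk appetite that
splits findings into Treat and Accept. The multiplicative formula, the 1..5
scale, the band cut-offs and the sample scores below are all assumptions of
this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Ordinal scale shared by all three factors (assumed).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Finding:
    control: str      # failing control, worded as in the deck's table
    relevance: str    # business-related factor, supplied by management
    probability: str  # control-related factor, security-lab default
    severity: str     # control-related factor, security-lab default


def risk_score(f: Finding) -> int:
    """Relevance x Probability x Severity on the 1..5 scale; range is 1..125."""
    return LEVELS[f.relevance] * LEVELS[f.probability] * LEVELS[f.severity]


def risk_band(score: int) -> str:
    """Map a product score back onto the deck's five bands (cut-offs assumed)."""
    if score >= 64:
        return "Very High"
    if score >= 36:
        return "High"
    if score >= 16:
        return "Medium"
    if score >= 6:
        return "Low"
    return "Very Low"


def prioritise(findings: Iterable[Finding], appetite: int) -> List[Tuple[str, int, str, str]]:
    """Rank findings by score and apply the appetite line.

    Anything scoring above the appetite is treated (remediated in rank order);
    anything at or below it is accepted, which is the Treat/Accept split the
    deck draws across its control table.
    """
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [
        (f.control, risk_score(f), risk_band(risk_score(f)),
         "Treat" if risk_score(f) > appetite else "Accept")
        for f in ranked
    ]


# Constructed sample: the five controls from the deck's table with assumed
# factor levels chosen so the bands match the table's Very High .. Very Low.
SAMPLE_FINDINGS = [
    Finding("Guest user at server A", "very low", "low", "low"),
    Finding("Lack of access control procedure and documentation", "very high", "high", "high"),
    Finding("Minimum password length equals 5", "low", "medium", "low"),
    Finding("Poor security awareness campaign", "high", "high", "medium"),
    Finding("Lack of two-factor authentication at datacenter entrance", "high", "low", "medium"),
]

# Assumed appetite: scores above 15 must be treated.
RISK_APPETITE = 15


if __name__ == "__main__":
    for control, score, band, decision in prioritise(SAMPLE_FINDINGS, RISK_APPETITE):
        print(f"{score:3d} {band:9s} {decision:6s} {control}")
```

Keeping Relevance separate from the two control-related factors is the point of the deck's split: the same weak control scores differently on a crucial server than on a test box, and management, not the security lab, owns that input. Moving the appetite value is the one knob that changes the Treat/Accept boundary without rescoring anything.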

Track assessment status

- Review gap analysis
- Quickly view progress of evaluation

Monitor Workflow

Dashboard: Manage workflow by open events, cost of fix, event status, event type, relevance, and more

Flexible remediation workflow

Diagram elements: End User; CFO; End User; Security Officer; $$$ Added; Add extra steps …

Workflow Gateway (Security Officer)

Closely Monitor the Remediation Activities

Chart: Events x Mitigation Cost (axes: Risk vs. Mitigation Cost $). Quadrant annotations: High priority on the treatment; Should be evaluated carefully; Opportunities to accept or create an exception; Opportunities for remediation and reduction of overall risk. Plotted event counts: 19, 14, 42, 7, 1, 5, 8, 12, 5, 2, 28.

Variety of reporting options integrated throughout assessment

- Word Templates
- Geographic Reports
- Dashboards
- Detail Excel Grids
- Integrated Overview

Create reports for management groups & audit

Build on assessments for complete GRC solution

Diagram: # Controls & Laws vs. # Assets; ISO2700x; COBIT; PCI; Internal Policies; State; Federal

Transparency and sharing across projects

Diagram: # Controls & Laws vs. # Assets; ISO27001; COBIT; PCI; State; Internal Policies; ?; Risk; Security; Compliance

Manual Risk Management Process

Chart segments (labels not recoverable): 15%, 35%, 25%, 25%

Automated Process First Year

Chart segments (labels not recoverable): 15%, 35%, 5%, 45%

Automated Process Second Year

Chart segments (labels not recoverable): 5%, 25%, 5%, 65%

Thank You

Arti Raman, arti.raman@modulo.com
Portia Mills, portia.mills@modulo.com