Five Key Elements of Complete IT Compliance

How bridging the SecOps gap can keep even the most complex and dynamic environments fully secure and compliant

    bmc.com/compliance

    The Goal: Comprehensive configuration compliance

    Ensuring complete compliance with regulatory requirements and best practices grows more challenging every day. Existing IT processes and organizations struggle to keep up with the rapid pace of business today, or with the scope of the mandates and threats to be accounted for. Security and compliance teams need to move fast to reduce risk, but run into conflicts with under-resourced operations teams attempting to control change, leading to a SecOps gap between audit and remediation. As a result, it takes too long to resolve even known issues where fixes are documented and available, compromising business requirements for speed and agility.

    In the past, the needs of the business have often overruled the requirements of compliance, but in light of recent high-profile security breaches and compliance failures, this attitude is no longer an option. Organizations must modernize their approach to compliance and close the SecOps gap with a strategy designed for today's complex, dynamic IT environments. This includes:

    Comprehensive discovery of the entire application infrastructure, including both core and non-core systems as well as unofficial shadow IT applications

    Granular, flexible definition of the desired configuration of systems to achieve compliance with regulations and policies

    Live comparison of the discovered environment to audit against policies and regulations and identify changes that may trigger a violation

    Drift control to automatically remediate errors, identify exceptions, and bring systems back into compliance as necessary

    Integrated change management to govern the compliance process within the same context of control, scheduling, and best practices as any other configuration changes

    It's a common-sense model, but many IT organizations continue to fall short of this comprehensive approach, relying on disconnected processes and tools that leave the business at risk.


    Rising Compliance Challenges and Risks

    Configuration compliance is becoming more difficult every day. Rapid technological innovation and change make it difficult to capture accurate system information in real time. Larger, more complex and dynamic IT environments, including expanding use of server, application, desktop, and network virtualization, private and public cloud, and unsanctioned shadow IT, pose new discovery challenges. New industry standards, IT best practices, and emerging threat models expand the scope of compliance.

    Meanwhile, data breaches and other security events raise public awareness and lead to increased pressure from corporate leadership.

    In Q1 2014, there were more than 250 major security breaches worldwide, two-thirds of which were preventable.

    The average cost of a data breach for a company has reached $3.5 million USD. [1]

    Violations of PCI DSS, which governs credit card payments, can lead to fines of up to $500,000 USD per incident, $100,000 per month, and $90 per compromised record.

    So why do they take so long to detect and remediate?

    More than 80% of attacks target known vulnerabilities [2]

    79% of vulnerabilities have fixes available on the day of disclosure [3]


    Where Compliance Efforts Fall

    Discovery
        Incomplete data and out-of-date inventories
        Manual business-IT process mapping can't keep up
        Shadow IT services remain undiscovered

    Definition
        Standards take too much time to develop, implement, and maintain
        Incomplete specifications lead to false positives and false negatives
        Definitions are disconnected from operational details

    Audit
        Partial or dated snapshots miss out-of-band changes
        Subjective interpretation leads to inconsistencies
        Time-consuming annual audits burden IT

    Remediation
        Changes may introduce new issues
        IT can't easily verify remediation success or roll back changes
        Extensive rework diverts personnel from higher-value work

    Governance
        Compliance efforts lie outside established change management
        False positives and compliance failures undermine trust
        Security and operations teams work against each other

    Beyond the hard-dollar cost of fines and penalties for compliance failures:
        A false sense of security breeds complacency, leaving the business at risk
        Recurring problems lead business executives to lose confidence in IT
        Lapses in compliance lead to damaged business relationships, negative publicity, and operational disruption
        Labor-intensive approaches erode IT effectiveness and lead to staff frustration and turnover


    The SecOps Gap

    Security/audit teams and operations teams both play essential roles in compliance. Security identifies problems, but depends on operations to get them fixed. This collaboration can be undermined by the distinctly different viewpoints they hold.

    Security/audit (GRC)
        Focuses on defining policy and documenting compliance state
        Requires rapid change for remediation

    IT operations (ITOM)
        Focuses on stability and availability above all
        Knows change is often risky

    While the security/audit group may in some circumstances perform audits, it never makes its own changes. This responsibility remains with the IT operations group.

    The IT operations group, however, is reluctant to just dive in and start making changes. After all, one of the first lessons they learn is "if it's not broken, don't touch it." Operations is also responsible for performance and uptime, not just security, so it must compromise between these drivers.

    193 days to resolve security issues [4]

    Up to 80% of downtime is due to misconfigurations [5]

    This means that the time between security issue identification and resolution can be a period of weeks or even months.

    Any effective approach to compliance must address the SecOps gap head-on. Security needs changes to be made more quickly. IT needs to ensure that these changes won't create new problems. Both sides need a better way to communicate and collaborate with each other.


    A More Intelligent Approach

    Comprehensive security and compliance depends on an approach designed to account for:

    Rapid innovation and constant change, both planned and unplanned

    Increasingly complex and diverse environments

    Shadow IT services and other hard-to-discover systems

    Seamless implementation across the entire compliance cycle, including discovery, definition, audit, remediation, and governance

    Continuous monitoring, high visibility, and end-to-end automation to ensure fast, efficient, and effective compliance processes


    Discover: Capture a complete understanding of the current state of the environment

    Regular automated discovery ensures that compliance efforts cover all relevant applications and infrastructure. While some approaches to discovery focus on core systems, the reality is that non-core systems can provide a bridgehead in the network for attackers. This is even more true for unofficial systems, which may not be properly patched, hardened, and updated. Whether a system is managed by IT or not, it's IT who will be held responsible for any breach it allows.

    With Intelligent Compliance, comprehensive discovery captures an inventory that includes both unofficial and unmanaged systems as well as temporary modifications, virtualized assets, and all relevant dependencies, to ensure that the entire environment can be brought into compliance.

    Benefits:
        Escape the high cost and timelines of traditional manual audits
        Eliminate the risks posed by out-of-band systems and changes
        Ensure an up-to-date inventory to support real compliance coverage

    Define: Create a reference configuration of the desired state

    A granular content model allows IT to define the desired compliance or security state by rule, providing flexibility beyond template-based approaches. A library of pre-defined policies such as PCI DSS, HIPAA, DISA STIG, and SOX, including both audit and remediation capabilities, can be used as templates or customized and extended to meet individual requirements. With greater confidence in the accuracy of audit results, IT can take corrective action more decisively.

    Benefits:
        Take advantage of a library of pre-defined content to get up and running fast
        Adapt existing checks to your own organizational and policy requirements
        Create new policies based on real-world reference systems or abstract requirements


    Audit: Compare the discovered environment to the desired state

    Ongoing audits are performed automatically against the current live state of the environment, not a configuration snapshot taken prior to the audit, to verify compliance. This live audit streamlines the process by eliminating the need to populate a configuration management database (CMDB) beforehand. IT gains complete visibility into out-of-band changes to avoid hidden risks. Compatibility with other tools and even manual configuration management facilitates seamless adoption.

    Benefits:
        Audit the full environment, without the limitations of snapshots or populated reference databases
        Eliminate the risk of missing recent changes and out-of-band changes with full visibility into live configurations
        Deliver live audit results that are trustworthy and actionable, avoiding false positives and negatives

    Remediate: Bring systems into compliance while avoiding unintended consequences

    By providing a common context to unify audit and remediation, Intelligent Compliance closes the SecOps gap. Targeted, specific changes are made automatically only to the parts of the file that are affected by the compliance violation, rather than simply replacing the entire file. Exceptions can be granted on a granular level, per rule or per server, with an expiration date if desired, and remain fully transparent, designated as compliant with exceptions rather than simply compliant or non-compliant.

    Role-based access control and delegation ensure that only approved users execute changes. Rollback makes it simple to return to a known good state if necessary.

    Benefits:
        Make surgical changes to avoid overwriting other necessary configurations
        Define and document exceptions to guide future audits
        Get automated verification that changes have achieved compliance
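    The Define, Audit, and Remediate steps above can be made concrete with a small rule engine. The Python below is an added example written for this page, not BMC's code or product logic: it expresses desired state as rules, audits a live "Key value" configuration file against them while honoring per-server exceptions with an expiration date (reporting "compliant with exceptions" rather than a bare pass/fail), rewrites only the offending lines, and re-audits to verify the fix. The config text, rule identifiers (SSH-01 and so on), server names, dates and the exception are all constructed sample data; the parser's first-assignment-wins behavior is an assumption modeled on how sshd_config is evaluated, and the remediation rewrites every active occurrence of a key so a duplicate further down cannot silently override the fix.

```python
# Added example, not BMC code: rule-based audit, expiring exceptions, surgical fix.
# Every identifier, server name, date and config line below is constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

@dataclass(frozen=True)
class Rule:
    rule_id: str   # hypothetical policy item id, e.g. "SSH-01"
    key: str       # directive name as written in the file
    expected: str  # value the policy requires

@dataclass(frozen=True)
class ComplianceException:
    rule_id: str
    server: Optional[str]    # None: applies to every server
    expires: Optional[date]  # None: open-ended

def parse_config(text: str) -> dict:
    """Effective value per directive. First active assignment wins (assumption
    modeled on sshd_config); later duplicates are ignored."""
    effective = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0], parts[1])
    return effective

def active_exceptions(server: str, exceptions, today: date) -> set:
    """Rule ids excepted for this server as of today; expired ones drop out."""
    return {e.rule_id for e in exceptions
            if e.server in (None, server) and (e.expires is None or e.expires >= today)}

def audit(server: str, text: str, rules, exceptions, today: date):
    """Return (status, findings); finding = (rule_id, actual, 'violation'|'excepted')."""
    effective = parse_config(text)
    excepted = active_exceptions(server, exceptions, today)
    findings = []
    for r in rules:
        actual = effective.get(r.key)
        if actual != r.expected:
            findings.append((r.rule_id, actual,
                             "excepted" if r.rule_id in excepted else "violation"))
    if any(kind == "violation" for _, _, kind in findings):
        return "non-compliant", findings
    return ("compliant with exceptions" if findings else "compliant"), findings

def remediate(text: str, rules, findings) -> str:
    """Rewrite only lines that set a violated directive; comments and unrelated
    lines stay intact. Every active occurrence is rewritten so a duplicate cannot
    override the fix; a missing directive is appended. Excepted rules are skipped."""
    by_id = {r.rule_id: r for r in rules}
    lines = text.splitlines()
    for rule_id, _, kind in findings:
        if kind != "violation":
            continue
        rule = by_id[rule_id]
        pattern = re.compile(r"^\s*" + re.escape(rule.key) + r"\s+\S")
        hit = False
        for i, line in enumerate(lines):
            if pattern.match(line):
                lines[i] = f"{rule.key} {rule.expected}"
                hit = True
        if not hit:
            lines.append(f"{rule.key} {rule.expected}")
    return "\n".join(lines) + "\n"

SAMPLE_CONFIG = """\
# constructed sshd_config-style sample: duplicated, commented-out and missing directives
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
PermitRootLogin no
"""

RULES = [  # hypothetical ids; values follow common SSH hardening guidance
    Rule("SSH-01", "PermitRootLogin", "no"),
    Rule("SSH-02", "PasswordAuthentication", "no"),
    Rule("SSH-03", "X11Forwarding", "no"),
    Rule("SSH-04", "MaxAuthTries", "4"),
]

EXCEPTIONS = [ComplianceException("SSH-03", server="build-01", expires=date(2014, 12, 31))]

def run_cycle(server: str = "build-01", today_iso: str = "2014-06-01") -> dict:
    """Audit, fix violations only, re-audit to verify; keep the original for rollback."""
    today = date.fromisoformat(today_iso)
    before, findings = audit(server, SAMPLE_CONFIG, RULES, EXCEPTIONS, today)
    fixed = remediate(SAMPLE_CONFIG, RULES, findings)
    after, remaining = audit(server, fixed, RULES, EXCEPTIONS, today)
    return {"before": before, "findings": findings, "after": after,
            "remaining": remaining, "fixed": fixed, "rollback": SAMPLE_CONFIG}
```

    Calling run_cycle() for build-01 in June 2014 reports non-compliant (root login enabled, MaxAuthTries missing, X11Forwarding excepted), rewrites the two PermitRootLogin lines and appends MaxAuthTries, leaves the comment and X11Forwarding untouched, and the re-audit returns "compliant with exceptions". The same call for a server without the exception, or for build-01 after 2014-12-31, treats X11Forwarding as a violation and fixes it too, which is the point of giving exceptions an owner and an expiry.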


    Govern: Leverage established change management systems and processes

    Compliance can't come at the expense of business support. IT needs to make changes with full visibility into their implications for the business, and govern these processes in a way that minimizes their impact, such as not rebooting servers in the middle of a payroll run.

    By integrating Intelligent Compliance with helpdesk and ITSM solutions like BMC Remedy, you can ensure that remediation efforts are subject to the same change management processes as any other configuration changes.

    Compliance teams can reassure operations and other stakeholders that compliance remediation will not pose risks to the production environment or interrupt essential services at inopportune times.

    Benefits:
        Require human approval for more sensitive changes while automating more routine changes
        Enforce change windows and avoid collisions
        Capture full documentation and step-by-step audit trails


    What Intelligent Compliance Can Mean to Your Organization

    Bridge the SecOps gap
        Build trust between security and operations
        Ensure more rapid remediation for compliance
        Avoid conflicts and problems from remediation efforts

    Improve IT effectiveness
        Increase compliance and security coverage and audit frequency
        Reassign staff from defensive activities to high-value tasks with immediate business value
        Reposition IT as a driver of differentiation through high-performance digital business processes

    Reduce costs
        Achieve compliance goals with less effort
        Release and redirect resources previously consumed by compliance

    Avoid costs
        Avoid penalties for non-compliance
        Avoid costs (material and reputational) associated with security breaches

    Achieve full visibility
        Capture up-to-date and trustworthy information to guide decision-making
        Generate compliance documentation for auditors automatically

    Real-world Benefits

    Major wireless provider: Reduced server audit cycle time from 2 months to 5 days.

    Major international bank: Achieved 100% automation of server build compliance, reducing staffing needs by 1 FTE for this task alone.

    Public sector organization: Achieved 95% cost reduction, 98.4% cost avoidance while saving 46,741 hours/year in labor.

    Major consumer brand: Reduced time for CIS policy audit on 600 Windows servers from several months to 2 hours. Achieved 75% time savings remediating non-compliant servers.

    US healthcare provider: Reduced time to audit and remediate 400 servers from 4 weeks to 10 minutes.

    Learn more

    Contact your BMC Software representative to learn more about implementing Intelligent Compliance to accelerate the value of your compliance initiatives.

    Sources:
    1. Ponemon Institute. (2014). 2014 Cost of Data Breach: Global Analysis. Retrieved from ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
    2. F-Secure. (2013). Companies Risking Their Assets with Outdated Software. Retrieved from 2.f-secure.com/en/web/corporation_global/news-info/product-news-offers/view/story/915562/
    3. Secunia Research. (2014). The Secunia Vulnerability Report. Retrieved from secunia.com/?action=fetch&filename=PSI-Country-Report-(US)-(2014Q1).pdf
    4. WhiteHat Security. (2013). Website Security Statistics Report May 2013. Retrieved from whitehatsec.com/assets/WPstatsReport_052013.pdf
    5. Gartner Group. (1999). Making Smart Investments to Reduce Unplanned Downtime. Retrieved from gartner.com/doc/304512/
