White Paper, February 2005. McAfee Protection-in-Depth Strategy. Issues in Risk Management: Sarbanes-Oxley Compliance and IT Security.
White Paper, February 2005. McAfee Protection-in-Depth Strategy. Issues in Risk Management: Sarbanes-Oxley Compliance and IT Security
Table of Contents
- Background
- Will SOX Initiatives Deliver a Return on Investment?
- Who Should Be Concerned about SOX?
- SOX and IT Security
- Table I: Common Vulnerabilities in IT Infrastructure
- A Model for Internal Control
- Table II: The COSO Framework and the Foundstone/McAfee Approach
- Tools for Securing the IT Infrastructure
- Table III: Summary of McAfee Control Tools
- Prioritizing Risk: A Key Strength
- Meeting the Needs of SOX and Enterprise Risk Management
- McAfee PrimeSupport
- Conclusion
Background

The off-balance-sheet corporate accounting misdeeds of Enron, Worldcom, and other companies during the 1990s were pivotal events that set the stage for SEC and investor outrage and the passage of H.R. 3763, also known as the Sarbanes-Oxley (SOX) Act of 2002. This landmark legislation sought to restore confidence in the governance of public companies following a number of widely publicized financial scandals, and resulted in the most stringent guidelines ever for assuring the accuracy and completeness of corporate financial reports.

The goal of SOX, of course, is to bring greater accuracy, visibility, and transparency to corporate financial reporting. To do this, the legislation seeks to:
- Eliminate the incentives for falsifying financial data by combining direct executive accountability with the threat of prosecution
- Eliminate the opportunities for manipulating financial data by requiring the establishment and certification of adequate and auditable internal controls

Section 302 of the legislation establishes direct executive accountability for financial reporting. It states that the CEO and CFO of issuing companies must prepare a statement to accompany its financial reports certifying the appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer. Any officer who knowingly and intentionally violates this section can be liable for up to $5 million in fines and/or twenty years imprisonment. Among other things, Section 302 requires a company to attest:
1. The signing officers have reviewed the report.
2. The report does not contain any material untrue statements or material omissions, nor could it be considered misleading.
3. The signing officers are responsible for and have evaluated the company's internal controls within the previous ninety days, and have reported their findings.
4. A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved in internal activities is reported.
5. Any significant changes in internal controls or related factors that could have a negative impact on the internal controls are reported.

Section 404 of SOX broadly sets forth the responsibility of management for establishing and maintaining an adequate internal control structure for financial reporting. It further requires management to conduct an annual self-assessment stating the effectiveness of the internal control structure and procedures for financial reporting, and requires an auditor to attest to and report on management's assessment. Although Section 404 offers little specific guidance as to the kinds of internal controls and procedures it covers, most companies have interpreted Section 404 to encompass all corporate policies, business processes, reporting, computer systems, and networks that feed into their financial reporting. This breadth of coverage, coupled with a lack of specific guidelines, is what has made Section 404 so challenging for companies to address.

Will SOX Initiatives Deliver a Return on Investment?

While some companies may regard SOX as an example of a few bad apples spoiling things for the whole bunch, many also recognize that SOX brings long-needed discipline to financial reporting, as well as to the business processes and digital assets that are essential to it.
These companies understand that by extending SOX initiatives strategically throughout the business, they stand to gain significant ancillary benefits, such as:
- Improved operational efficiency
- Better control over information
- Enhanced ability to manage risk
- Increased investor confidence
- Easier access to capital through improved corporate governance

Even considering that compliance initiatives are still in their early stages, some companies have already reported a positive ROI from the changes brought about by Sarbanes-Oxley. In one recent survey,* more than a quarter of all respondents said that they had seen a positive return on investment from the internal controls mandated by SOX. (Of the remaining respondents, 10 percent considered their SOX investment a break-even; 49 percent said it was too early to gauge SOX ROI; and 17 percent saw no measurable benefit beyond compliance.) As companies gain greater experience in implementing and measuring the impact of internal controls, we would expect to see even higher recognition of positive ROI.

*Source: CMP Media, Compliance Pipeline Quick Poll, January 2005.

As you'll see in this paper, Foundstone and McAfee offer numerous technologies that help your company rapidly and thoroughly address the most difficult aspects of Section 404 compliance. More important, these same tools and technologies will enable you to move beyond compliance to broader risk management initiatives, allowing your company to operate more securely, efficiently, and profitably.

Who Should Be Concerned about SOX?

All SEC-registered companies are required to comply with the SOX legislation. That means not just companies whose shares trade on a public exchange, but also companies that have floated public debt. Chances are, if you are one of these companies, you already know that SOX applies to you. What you may not know is that SOX compliance also may be an issue for companies that:
- Are considering SEC registration in the future
- Are vendors to SEC-registered companies that may require others to show compliance in support of their own compliance efforts
- Are seeking to gain a competitive advantage by implementing best practices in financial reporting

Entities not often considered include:
- Savings associations
- Small-Business Issuers: Final rules apply to all companies that file Exchange Act periodic reports, regardless of their size
- Non-U.S. Companies: Foreign issuers (including Canadian issuers) must comply
- Unlisted Companies: Any unlisted companies with public debt must comply with the SEC's reporting requirements, including executive certification and internal control reporting requirements
- Municipal Utilities or Universities: Any entity that must file a Form 10-K or 10-Q

SOX and IT Security

Section 404 of the Sarbanes-Oxley Act requires companies to perform a detailed self-assessment of the risks affecting their financial reporting systems, and to implement and maintain internal controls to mitigate these risks.
Section 404 doesn't specifically mention IT security when it discusses assessing and maintaining internal controls. But there's no question that computer and network security are at the heart of compliance. That's because nearly all corporate financial information is stored on and accessed from the applications, networks, and computer systems within an organization's IT infrastructure. As a result, these networks, devices, and applications become an integral part of financial reporting.

Senior management will demand assurances that the financial reporting process and its systems are bulletproof before they sign on the dotted line and certify their annual and interim reports. To do this, they will need to answer several important questions:
- What data is used to create our financial reports?
- Where does the data come from?
- What business processes and applications are involved?
- What networks are used to transmit the data?
- Who has access to the networks, applications, and systems used to create the reports?
- What inherent vulnerabilities exist in the networks, applications, and systems used?
- What vulnerabilities exist in the business processes and policies?
- What controls are used to ensure that none of the networks, applications, systems, or business processes can be compromised?
- Are the controls effective and adequate to the purpose?
- By what method do we assess the adequacy of our internal controls, and will this method satisfy our auditor's requirements?

Under the law, companies must identify vulnerabilities in the network or systems that are related to financial reporting, assess their severity, remedy material weaknesses, and implement controls to monitor vulnerabilities and protect against future exploits. This is no simple task, since vulnerabilities are legion in today's networks and applications. And those who seek to exploit these vulnerabilities are as likely (if not more likely) to come from inside the company as from outside. Table I shows some of the more common areas of vulnerability:
Table I: Common Vulnerabilities in IT Infrastructure

System Component / Vulnerabilities Arising from:
- Network Firewall: Open ports for VPNs, Web access, remote workers
- Network Routers, Gateways: Misconfiguration, default passwords used
- Host Operating Systems: Known bugs, out-of-date patches, root access poorly controlled
- Applications: Known bugs, non-authorized (rogue) applications in use, viruses, trojans, and other malicious code
- Data-Access Controls: Departed and reassigned employees, newly created databases, no separation of duties between data administrator and users

A Model for Internal Control

There are many frameworks and approaches to internal control, particularly in the context of IT infrastructure. Most are based on the widely accepted framework of processes and principles developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and laid out in its document, Internal Control Integrated Framework. The COSO framework was originally created to help organizations assess and enhance their internal control systems and has become the basis for SOX compliance initiatives. It was recently expanded and refined to create a sister document, Enterprise Risk Management Integrated Framework. Because the COSO framework is intended to provide high-level general guidance, other organizations (such as the ISACA, ITGI, and the ISO) have issued even more detailed guidance on internal controls. The details of these frameworks are beyond the scope of this paper, but each of them recognizes the centrality of IT security in establishing and monitoring internal control. They also agree that effective internal control is a multi-faceted problem with several components that can only be addressed through a combination of policy, process, and technology.

McAfee has helped companies achieve Section 404 compliance using a simple ten-step process for effectively dealing with network and system vulnerabilities that can affect financial reporting. Our process closely mirrors the five major components of the COSO framework, as shown in the table below.

Table II: The COSO Framework and the McAfee Approach

COSO Framework components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

McAfee Process:
1. Policy: Establish the process, standards, and guidelines
2. Inventory: Discover all assets across the network
3. Prioritize: Assign business value to assets
4. Vulnerabilities: Determine vulnerabilities on assets
5. Threats: View potential threats
6. Risk: Determine risk level
7. Shield: Stop intrusions in real time
8. Remediation: Proactively fix vulnerabilities
9. Measure: Measure the impact of security decisions
10. Compliance: Review for policy compliance
Note that a number of the steps in the McAfee process relate to essentially human processes, such as establishing policy, prioritizing assets, determining acceptable risk levels, measuring the impact of security decisions, and reviewing for compliance. Other steps in the table relate to processes that are ideally suited to technology, such as discovering assets across the network, determining vulnerabilities, viewing potential threats, preventing threats in real time, and remediating vulnerabilities. In the next section, we will look more closely at how McAfee helps you address the technology-based processes and also provides the vital data needed to support human decisions. Foundstone Professional Services also offers extensive risk assessment services, penetration testing, and other services that are beneficial to SOX compliance.

McAfee products and services are aimed at reducing risk. We can help reduce the regulatory risk of noncompliance with Sarbanes-Oxley and the SEC's regulations through well-documented processes and controls that provide a credible body of evidence that the certifying officers have established effective internal control over financial reporting. We also help reduce risk by identifying key risk areas and control points that enable the certifying officers to better manage processes and drive accountability throughout the organization.

One final difference to note between the COSO model and the McAfee process is that McAfee takes a more granular view of risk assessment. Risk is a composite of three variables that can be expressed as:

Risk = Assets x Vulnerabilities x Threats (R = A x V x T)

In any given situation, each of these variables (assets, vulnerabilities, and threats) has a unique value. The organization's policy determines which values carry more weight and what sum of all values is considered tolerable (i.e., the organization's risk tolerance). This is a good thing, because not all risks are equal and, as a practical matter, it would be unreasonably expensive and counter-productive to eliminate all risk.

Tools for Securing the IT Infrastructure

McAfee offers a wide range of technologies and tools to help companies address all phases of internal control and IT security to meet the demands of Sarbanes-Oxley and overall enterprise risk management. We enable companies to quickly assess their vulnerability to risk; implement controls to mitigate, prevent, or remediate risk; and manage and document their internal control processes. Some of our most important enterprise-class internal control solutions are listed in Table III.

Table III: Summary of McAfee Control Tools

Solution Area / Tool or Technology / Scope:
- Threat Monitoring: Foundstone Enterprise, McAfee VirusScan 8.0i. Scope: (System, Network), prior to incident
- Vulnerability Detection, Monitoring, and Remediation: Foundstone Enterprise (misconfigurations, unapplied patches, open ports, rogue systems and devices, default passwords, etc.). Scope: (Network), prior to incident
- Network Intrusion Prevention: McAfee IntruShield (network device monitoring), McAfee WebShield (Web content monitoring). Scope: (Network), during incident
- Host Intrusion Prevention: McAfee Entercept. Scope: (System Root), prior to incident
- Client Intrusion Prevention: McAfee Desktop Firewall. Scope: (Client), prior to incident
- Anti-Virus Scanning and Removal: McAfee VirusScan 8.0i (application and system activity monitoring). Scope: (System), during incident
- Documenting Internal Controls and Incidents: McAfee ePolicy Orchestrator, Entercept Management System. Scope: (Policy, System, Network), post incident
- Information Security Management: Foundstone Professional Services. Scope: Risk Assessment, Policy Review and Development
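The R = A x V x T model and the policy-driven tolerance described under "A Model for Internal Control" are easy to state but rarely shown in working form. The following is an added example, not McAfee's or Foundstone's code: it scores a constructed asset inventory with the formula, lets a policy decide which values carry more weight (here, assets in financial-reporting scope) and what total is tolerable, ranks assets for remediation, and measures the effect of fixing one finding. All asset names, severities and thresholds are assumptions.

```python
"""Worked R = A x V x T risk prioritization (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Vulnerability classes taken from Table I. Severity scores (1-10) are constructed.
VULN_SEVERITY: Dict[str, int] = {
    "open_ports": 4,
    "misconfiguration": 5,
    "default_passwords": 9,
    "unapplied_patches": 7,
    "root_access_poorly_controlled": 8,
    "rogue_application": 6,
    "departed_employee_account": 8,
    "no_separation_of_duties": 5,
}


@dataclass
class Policy:
    """Step 1 (Policy): which values carry more weight, and what is tolerable."""
    financial_scope_multiplier: float = 2.0  # assets feeding financial reports count double
    per_asset_tolerance: float = 100.0       # constructed threshold for a single asset
    total_tolerance: float = 500.0           # constructed threshold for the whole inventory


@dataclass
class Asset:
    name: str
    value: int                                       # step 3: business value 1-10
    in_financial_scope: bool = False                 # does it feed SOX financial reporting?
    vulns: List[str] = field(default_factory=list)   # step 4: findings by Table I class
    threat: int = 1                                  # step 5: observed threat level 1-10


def asset_value(asset: Asset, policy: Policy) -> float:
    """A: business value, weighted up when the asset is in financial-reporting scope."""
    weight = policy.financial_scope_multiplier if asset.in_financial_scope else 1.0
    return asset.value * weight


def vulnerability_score(vulns: List[str]) -> int:
    """V: the worst finding dominates; an unclassified finding is an error, not a silent zero."""
    unknown = [v for v in vulns if v not in VULN_SEVERITY]
    if unknown:
        raise ValueError(f"unclassified finding(s): {unknown}")
    return max((VULN_SEVERITY[v] for v in vulns), default=0)


def risk(asset: Asset, policy: Policy) -> float:
    """R = A x V x T. No findings, or no threat, means no exposure, so R is 0."""
    return asset_value(asset, policy) * vulnerability_score(asset.vulns) * asset.threat


def prioritize(assets: List[Asset], policy: Policy) -> List[Tuple[str, float]]:
    """Steps 6 and 8: assets above the per-asset tolerance, highest risk first."""
    scored = [(a.name, risk(a, policy)) for a in assets]
    over = [s for s in scored if s[1] > policy.per_asset_tolerance]
    return sorted(over, key=lambda s: (-s[1], s[0]))


def total_risk(assets: List[Asset], policy: Policy) -> float:
    """The 'sum of all values' the policy compares against its overall tolerance."""
    return sum(risk(a, policy) for a in assets)


def remediate(asset: Asset, finding: str) -> Asset:
    """Step 9 (Measure): a copy of the asset with one finding fixed, to re-score."""
    return Asset(asset.name, asset.value, asset.in_financial_scope,
                 [v for v in asset.vulns if v != finding], asset.threat)


# Constructed inventory (step 2). Names, values and findings are illustrative only.
INVENTORY: List[Asset] = [
    Asset("gl-db-01", value=9, in_financial_scope=True,
          vulns=["default_passwords", "unapplied_patches"], threat=4),
    Asset("erp-app-01", value=8, in_financial_scope=True,
          vulns=["no_separation_of_duties"], threat=2),
    Asset("edge-router-01", value=5, vulns=["misconfiguration", "open_ports"], threat=6),
    Asset("kiosk-pc-07", value=2, vulns=["rogue_application"], threat=7),
    Asset("lab-server-03", value=3, vulns=[], threat=9),
]

if __name__ == "__main__":
    policy = Policy()
    for name, score in prioritize(INVENTORY, policy):
        print(f"{name:16} R={score:6.1f}")
    print("total risk:", total_risk(INVENTORY, policy), "tolerance:", policy.total_tolerance)
    fixed = remediate(INVENTORY[0], "default_passwords")
    print("gl-db-01 after fixing default passwords:", risk(fixed, policy))
```

The kiosk with a high threat level but low business value drops below the per-asset tolerance, while the lab server with no findings scores zero regardless of threat, which is the "not all risks are equal" point of the passage.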
Foundstone Enterprise

A comprehensive vulnerability management solution engineered to manage and mitigate the business risks associated with digital vulnerabilities. It is the most accurate, flexible, and scalable vulnerability management system available today and offers network infrastructure protection through asset discovery, inventory, and prioritization; threat intelligence and correlation; and remediation tracking and reporting. With its extensive capabilities, Foundstone Enterprise helps organizations manage multiple aspects of SOX compliance, including risk assessment, internal control implementation and measurement, and compliance monitoring. Further, it provides extensive flexibility and customization options so organizations can tailor their vulnerability management processes to meet specific network, compliance, and business requirements. Foundstone Enterprise provides tools to:
- Rapidly discover and map the entire global network
- Pinpoint and prioritize your most valuable information assets
- Relentlessly probe for vulnerabilities and determine risk
- Provide threat intelligence alerts for quick response to fast-spreading attacks
- Facilitate strategic protection of critical assets, according to business requirements, policies, and rules
- Assign, manage, and validate remediation
- Track and measure progress and improvements, and cost/benefits

"By 2005, more than 40 percent of G2000 firms will adopt Risk Management and a balanced risk/reward reporting process, improving portfolio investment decisions (build, buy, retire, table, postpone) based on defined and accepted RM analyses." Paul Proctor, META Group

Prioritizing Risk: A Key Strength

Because risk is a multi-faceted problem, Foundstone and McAfee compliance solutions allow companies to easily prioritize and address risk based on the value of its component variables. This is particularly advantageous in the case of SOX compliance because it lets companies meet their immediate need for identifying and controlling risks related to financial reporting without embarking on more lengthy and expensive IT security initiatives. In short, Foundstone and McAfee solutions let you start small and move incrementally toward overall enterprise risk management, according to your budgets and business priorities.

McAfee Entercept

A host intrusion prevention system that proactively defends enterprises from the full range of known, zero-day, DoS, and encrypted attacks. Unlike intrusion detection solutions, which merely detect these costly exploits, Entercept prevents them before they occur. In addition to the enterprise version, other versions of Entercept are available to meet the special requirements of database servers and Web servers. For SOX compliance, Entercept provides an effective control point for one of the most vital areas of IT vulnerability. Working in tandem with Entercept, the McAfee Entercept Management System provides comprehensive, enterprise-class management for all Entercept products. The single management server and geographically distributed consoles reduce security complexity and supply a scalable, robust, and highly available infrastructure. With centralized policy administration and support for multiple platforms, the Entercept Management System enables consistent, reliable security for heterogeneous servers and desktops, and support for SOX-specific security policies.

McAfee IntruShield

A family of pioneering intrusion prevention appliances that redefine the deployment of network security by enabling the most comprehensive intrusion prevention for advanced threat protection against known, zero-day, encrypted, and DoS attacks. IntruShield's IPS technology provides unparalleled prevention accuracy, centralized management, enterprise-class bandwidth scalability, and mission-critical performance in all network environments. IntruShield appliances are available to meet the specific needs of remote/branch offices, the enterprise network perimeter, and the enterprise network core (or data centers), at up to multi-gigabit speeds. Using high-speed sensors and patented threat detection techniques, IntruShield provides reliable control points offering accurate, comprehensive real-time threat detection and prevention.
McAfee also offers IntruShield Global Manager for administering IntruShield sensor appliance deployments of up to several hundred sensors. Integrating a comprehensive set of security management functions, the IntruShield system dramatically simplifies and streamlines the complex tasks associated with intrusion prevention system (IPS) configuration, policy compliance, and threat and response management.

McAfee VirusScan 8.0i

A highly advanced anti-virus application, integrating elements of intrusion prevention and firewall technology into a single solution for PCs and file servers. This powerful combination delivers truly proactive protection from the newest of today's threats, including buffer-overflow exploits, spyware, and blended attacks, and features advanced outbreak management responses to reduce the damage and costs of outbreaks. VirusScan 8.0i is an essential component of a SOX-compliant internal control strategy, with award-winning virus-scanning technology and the ability to identify previously unknown viruses. This suite of protection can be centrally managed by McAfee ePolicy Orchestrator or ProtectionPilot for scalable security policy compliance and graphical reporting.

McAfee WebShield

Configure-and-forget appliances designed to protect important financial data and other digital assets at the Internet gateway, scanning inbound and outbound traffic for SMTP, HTTP, FTP, and POP3 protocols. The WebShield appliances offer unmatched performance, detection, and cleaning of viruses and protection against unwanted mail in the form of spam and unwelcome content for companies of any size.

McAfee Desktop Firewall

Proactively protects network desktop clients against new threats that anti-virus software cannot defeat alone. Combining comprehensive network and application firewall capabilities with intrusion detection, Desktop Firewall prevents clients from sending or receiving traffic- or application-borne threats. It also precludes trusted applications from being used to spread attacks across the network. Desktop Firewall integrates with McAfee ePolicy Orchestrator for scalable, centralized management and reporting.

McAfee ePolicy Orchestrator

The industry-leading system security management solution, and a key tool for implementing control policies, protecting against threats, and monitoring compliance. McAfee ePolicy Orchestrator delivers a coordinated, proactive defense against malicious threats and attacks for the enterprise. As the central hub of McAfee System Protection Solutions, it lets administrators mitigate the risk of rogue, non-compliant systems, keep protection up-to-date, configure and enforce protection policies, and monitor security status, 24/7, from one centralized, enterprise-scalable console. It is a vital tool for documenting and monitoring internal controls.

Foundstone Professional Services

Technology can help you address a specific component of meeting Sarbanes-Oxley compliance, but a professional services engagement can help to fill the remaining gaps and ensure compliance. Foundstone Professional Services offers risk assessment services in line with FFIEC, ISO17799, and NIST guidelines, to help comply with risk assessment requirements. Foundstone Professional Services can also help organizations to assess the current state of their information security policies, and develop policies that comply with regulations such as Sarbanes-Oxley.

"Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions." COSO, Executive Summary of Internal Control Integrated Framework

Meeting the Needs of SOX and Enterprise Risk Management

Clearly, for SEC registrants, the issue is not if, but when and how to go about the process of complying with Section 404.
Simply gauging the scope of financial reporting and the need for internal control has proven to be a time- and resource-consuming effort for many companies, and some are further down this road than others. But McAfee can make this job far more manageable for companies with powerful, scalable suites of solutions that can be implemented in the short timeframe that SOX allows, and that interoperate with your current IT and security infrastructure. Our solutions can help you:
- Enforce policies for internal control
- Inventory and value digital information assets
- Identify and manage vulnerabilities throughout your infrastructure (network, application, host)
- Implement auditable internal controls
- Establish a control baseline and a process for measuring and reporting on ongoing improvements
- Provide comprehensive reports for auditing
McAfee PrimeSupport

McAfee has pursued a strategy of providing best-of-breed technology for each type of security and performance management application, but the Protection-in-Depth Strategy is more than just deploying and implementing best-of-breed solutions today. Prevention is certainly our first priority, but inevitably, you will have to react to a problem. The McAfee PrimeSupport program is essential for making the most of your investment in McAfee System and Network Protection Solutions. McAfee's PrimeSupport team has all the right resources and is ready to deliver your needed service solution. PrimeSupport resources include: authorization to access all available maintenance releases and product upgrades, access to a comprehensive suite of additional online self-support capabilities, live telephone support accessible 24/7/365, assigned support account managers, and a range of software and hardware support solutions that can be tailored to meet your needs.

Conclusion

Looking beyond the requirements of Sarbanes-Oxley, our tools will also help you improve overall corporate governance, reduce risk throughout your organization, and reduce costs over time. Better risk management and financial controls can also help you gain improved visibility into business operations, build your company's market value, and enhance your ability to secure capital. For additional information on McAfee compliance solutions, visit the McAfee web site.

McAfee, Inc., Freedom Circle, Santa Clara, CA 95054

McAfee products denote years of experience and commitment to customer satisfaction. The McAfee PrimeSupport team of responsive, highly skilled support technicians provides tailored solutions, delivering detailed technical assistance in managing the success of mission-critical projects, all with service levels to meet the needs of every customer organization. McAfee Research, a world leader in information systems and security research, continues to spearhead innovation in the development and refinement of all our technologies.

McAfee, Foundstone, VirusScan, IntruShield, WebShield, Entercept, Desktop Firewall, ePolicy Orchestrator, Protection-in-Depth, and PrimeSupport are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. McAfee, Inc. All Rights Reserved. 6-sps-sox
More informationMcAfee Total Protection for Data Loss Prevention
McAfee Total Protection for Data Loss Prevention Protect data leaks. Stay ahead of threats. Manage with ease. Key Advantages As regulations and corporate standards place increasing demands on IT to ensure
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationSAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010
JAYACHANDRAN.B,CISA,CISM jb@esecurityaudit.com August 2010 SAS 70 Audit Concepts and Benefits Agenda Compliance requirements Overview Business Environment IT Governance and Compliance Management Vendor
More informationSymantec Network Access Control Starter Edition
Simplified endpoint compliance Overview makes it easy to begin implementing a network access control solution. It offers a subset of Symantec Network Access Control functionality that can be completely
More informationInternet Scanner 7.0 Service Pack 2 Frequently Asked Questions
Frequently Asked Questions Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions April 2005 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Internet Security Systems (ISS)
More informationSymantec Network Access Control Starter Edition
Symantec Network Access Control Starter Edition Simplified endpoint compliance Overview makes it easy to begin implementing a network access control solution. It offers a subset of Symantec Network Access
More informationSymantec Client Security. Integrated protection for network and remote clients.
Symantec Client Security Integrated protection for network and remote clients. Complex Internet threats require comprehensive security. Today's complex threats require comprehensive security solutions
More informationData Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement
Simplified endpoint enforcement Overview makes it easy to begin implementing a network access control solution. It offers a subset of Symantec Network Access Control functionality that can be completely
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationSymantec Enterprise Support Services Manage IT Risk. Maximize IT Performance.
Symantec Enterprise Support Services Manage IT Risk. Maximize IT Performance. Symantec Global Services Confidence in a connected world. The demands on your IT environment continue to reach new levels.
More informationSymantec Network Access Control Starter Edition
Simplified endpoint compliance Overview makes it easy to begin implementing a network access control solution. It offers a subset of Symantec Network Access Control functionality that can be completely
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationTRUE SECURITY-AS-A-SERVICE
TRUE SECURITY-AS-A-SERVICE To effectively defend against today s cybercriminals, organizations must look at ways to expand their ability to secure and maintain compliance across their evolving IT infrastructure.
More informationTransforming Security from Defense in Depth to Comprehensive Security Assurance
Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationOverview. Business value
PRODUCT SHEET CA Top Secret for z/vse CA Top Secret for z/vse CA Top Secret for z/vse provides innovative and comprehensive security for business transaction environments which enable your business to
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationINSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic
Virus Protection & Content Filtering TECHNOLOGY BRIEF Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server Enhanced virus protection for Web and SMTP traffic INSIDE The need
More informationSecurity Threats & Trends Arvind Sahay, Enterprise Manager India, McAfee
7/26/2005 Security Threats & Trends Arvind Sahay, Enterprise Manager India, McAfee 7/26/2005 Page 2 Outline Some Threats Current Trends Corporate Dilemma Challenges Security solutions available Q&A 7/26/2005
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationUnderstanding Network Access Control: What it means for your enterprise
Understanding Network Access Control: What it means for your enterprise Network access control is a term that is highly used, but not clearly defined. By understanding the reasons for pursuing a network
More informationEnsuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard
Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure
More informationWhite Paper February McAfee Policy Enforcer. Securing your endpoints for network access with McAfee Policy Enforcer.
White Paper February 2006 McAfee Policy Enforcer Securing your endpoints for network access with McAfee Policy Enforcer White Paper February 2006 Page 2 Table of Contents Executive Summary 3 Enforcing
More informationFuture-ready security for small and mid-size enterprises
First line of defense for your network Quick Heal Terminator (UTM) (Unified Threat Management Solution) Data Sheet Future-ready security for small and mid-size enterprises Quick Heal Terminator is a high-performance,
More informationeguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments
eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments Today s PCI compliance landscape is one of continuing change and scrutiny. Given the number
More informationSymantec Enterprise Solution Product Guide
SOLUTION BRIEF: SYMANTEC ENTERPRISE SOLUTION PRODUCT GUIDE........................................ Symantec Enterprise Solution Product Guide Who should read this paper Businesses participating in the
More informationIncentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO
White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating
More informationBuilding Resilience in a Digital Enterprise
Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.
More informationINTELLIGENCE DRIVEN GRC FOR SECURITY
INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to
More informationIntroduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview
IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential
More informationComprehensive Database Security
Comprehensive Database Security Safeguard against internal and external threats In today s enterprises, databases house some of the most highly sensitive, tightly regulated data the very data that is sought
More informationPREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice
PREPARING FOR SOC CHANGES AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice On May 1, 2017, SSAE 18 went into effect and superseded SSAE 16. The following information is here
More informationSIEMLESS THREAT DETECTION FOR AWS
SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting
More informationEscaping PCI purgatory.
Security April 2008 Escaping PCI purgatory. Compliance roadblocks and stories of real-world successes Page 2 Contents 2 Executive summary 2 Navigating the road to PCI DSS compliance 3 Getting unstuck 6
More informationPosition Title: IT Security Specialist
Position Title: IT Security Specialist SASRIA SOC LIMITED Sasria, a state-owned company, is the only short-term insurer in South Africa that provides affordable voluntary cover against special risks such
More informationNetwork Security Whitepaper. Good Security Policy Ensures Payoff from Your Security Technology Investment
Network Security Whitepaper Good Security Policy Ensures Payoff from Your Security Technology Investment Version: 1.00 Release date: June 2, 2004 Author: Alan Radding Table of Contents Security breach!
More informationRisk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23
Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance
More informationVulnerability Assessments and Penetration Testing
CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze
More informationRSA Solution Brief. The RSA Solution for Cloud Security and Compliance
The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance enables enduser organizations and service providers to orchestrate and visualize the security of their
More informationSIEM: Five Requirements that Solve the Bigger Business Issues
SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered
More informationEffective Cyber Incident Response in Insurance Companies
August 2017 Effective Cyber Incident Response in Insurance Companies An article by Raj K. Chaudhary, CRISC, CGEIT; Troy M. La Huis; and Lucas J. Morris, CISSP Audit / Tax / Advisory / Risk / Performance
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationThreat Control and Containment in Intelligent Networks. Philippe Roggeband - Product Manager, Security, Emerging Markets
Threat Control and Containment in Intelligent Networks Philippe Roggeband - proggeba@cisco.com Product Manager, Security, Emerging Markets 1 Agenda Threat Control and Containment Trends in motivation The
More informationMcAfee Embedded Control
McAfee Embedded Control System integrity, change control, and policy compliance in one solution McAfee Embedded Control maintains the integrity of your system by only allowing authorized code to run and
More informationSIEM Solutions from McAfee
SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an
More informationCyber Security Audit & Roadmap Business Process and
Cyber Security Audit & Roadmap Business Process and Organizations planning for a security assessment have to juggle many competing priorities. They are struggling to become compliant, and stay compliant,
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationRMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS
RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS RMS REPORT PAGE 1 Confidentiality Notice Recipients of this documentation and materials contained herein are subject to the restrictions
More informationVirtustream Cloud and Managed Services Solutions for US State & Local Governments and Education
Data Sheet Virtustream Cloud and Managed Services Solutions for US State & Local Governments and Education Available through NASPO ValuePoint Cloud Services VIRTUSTREAM CLOUD AND MANAGED SERVICES SOLUTIONS
More informationSkybox Security Vulnerability Management Survey 2012
Skybox Security Vulnerability Management Survey 2012 Notice: This document contains a summary of the responses to a June 2012 survey of 100 medium to large enterprise organizations about their Vulnerability
More informationGDPR: An Opportunity to Transform Your Security Operations
GDPR: An Opportunity to Transform Your Security Operations McAfee SIEM solutions improve breach detection and response Is your security operations GDPR ready? General Data Protection Regulation (GDPR)
More informationXerox and Cisco Identity Services Engine (ISE) White Paper
Xerox and Cisco Identity Services Engine (ISE) White Paper Contents Securing Your Networked Printing Devices... 1 Providing Security in an Internet of Things World... 1 Cisco ISE: A Powerful, Simple and
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationSymantec Data Center Transformation
Symantec Data Center Transformation A holistic framework for IT evolution As enterprises become increasingly dependent on information technology, the complexity, cost, and performance of IT environments
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More informationalign security instill confidence
align security instill confidence cyber security Securing data has become a top priority across all industries. High-profile data breaches and the proliferation of advanced persistent threats have changed
More informationAT&T Endpoint Security
AT&T Endpoint Security November 2016 Security Drivers Market Drivers Online business 24 x 7, Always on Globalization Virtual Enterprise Business Process / IT Alignment Financial Drivers CapEx / OpEx Reduction
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More informationA SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS
A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS Introduction If you re a growing service organization, whether a technology provider, financial services corporation, healthcare company, or professional
More informationSTAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:
STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security
More informationRun the business. Not the risks.
Run the business. Not the risks. RISK-RESILIENCE FOR THE DIGITAL BUSINESS Cyber-attacks are a known risk to business. Today, with enterprises becoming pervasively digital, these risks have grown multifold.
More informationSymantec Endpoint Protection 14
Symantec Endpoint Protection Cloud Security Made Simple Symantec Endpoint Protection 14 Data Data Sheet: Sheet: Endpoint Endpoint Security Security Overview Last year, we saw 431 million new malware variants,
More informationSecuring the Virtualized Environment: Meeting a New Class of Challenges with Check Point Security Gateway Virtual Edition
Securing the Virtualized Environment: Meeting a New Class of Challenges with Check Point Security Gateway Virtual Edition An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) White Paper Prepared for Check Point
More information10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND
More informationGrow Your Services Business
Grow Your Services Business Cisco Services Channel Program One Experience. Expanding Opportunities. Expand Your Services Practice More Profitably Together with Cisco Our customers face tough business
More informationSarbanes-Oxley Act (SOX)
Sarbanes-Oxley Act (SOX) Introduction The Sarbanes-Oxley (SOX) Act was introduced in 2002 to protect shareholders and the general public from fraudulent accounting activities by bringing greater accountability
More informationSymantec Business Continuity Solutions for Operational Risk Management
Symantec Business Continuity Solutions for Operational Risk Management Manage key elements of operational risk across your enterprise to keep critical processes running and your business moving forward.
More informationDigital Wind Cyber Security from GE Renewable Energy
Digital Wind Cyber Security from GE Renewable Energy BUSINESS CHALLENGES The impact of a cyber attack to power generation operations has the potential to be catastrophic to the renewables industry as well
More informationGujarat Forensic Sciences University
Gujarat Forensic Sciences University Knowledge Wisdom Fulfilment Cyber Security Consulting Services Secure Software Engineering Infrastructure Security Digital Forensics SDLC Assurance Review & Threat
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationTRACKVIA SECURITY OVERVIEW
TRACKVIA SECURITY OVERVIEW TrackVia s customers rely on our service for many mission-critical applications, as well as for applications that have various compliance and regulatory obligations. At all times
More informationSecurity by Default: Enabling Transformation Through Cyber Resilience
Security by Default: Enabling Transformation Through Cyber Resilience FIVE Steps TO Better Security Hygiene Solution Guide Introduction Government is undergoing a transformation. The global economic condition,
More information