USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES


WHITE PAPER

Table of Contents
I. Overview (page 2)
II. COSO to CobIT (page 3)
III. CobIT / COSO Objectives met by using QualysGuard (page 4)

Using QualysGuard To Meet SOX Compliance and IT Objectives, page 2

"CobIT 4.0 is a significant improvement on the third release, making it more relevant, filling some gaps and adding clarity. Most importantly, it better aligns with good and best practices in the management of IT and so increases the possibility that its use will result in a better-managed IT environment and, specifically, improve risk management. Therefore, we continue to recommend that enterprises use it to challenge their established IT governance procedures and to improve the controls they have in place."
Simon Mingay, "CobIT 4.0 Is a Good Step Forward", 29 December 2005

I. Overview

It can be a struggle for a company to adhere to new compliance regulations and responsibilities. The concerns "Where do I start?" and "Can I leverage existing processes to meet these new requirements?" are obvious questions with not-so-obvious answers. Section 404 of Sarbanes-Oxley (SOX) is not explicit about where to begin looking for answers to these key questions. As guidance and a framework for SOX compliance, the US Securities and Exchange Commission (SEC) has mandated that affected organizations use a recognized internal control framework. The SEC makes specific reference to the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

While there are many sections within the Sarbanes-Oxley Act, the focus here is on section 404, which addresses internal control over financial reporting. This section requires the management of public companies to assess the effectiveness of the organization's internal control over financial reporting and to report the result of that assessment annually. Meeting the COSO objectives means compliance with SOX section 404.

The Sarbanes-Oxley Act has fundamentally changed the business and regulatory environment. The Act aims to enhance corporate governance through measures that will strengthen internal checks and balances and, ultimately, strengthen corporate accountability. However, it is important to emphasize that section 404 does not require senior management and business process owners merely to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis. This distinction is significant.

Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment. Accordingly, organizations must consider addressing IT controls in a financial reporting context. The QualysGuard Vulnerability Management Service maps to many of these controls.

The Sarbanes-Oxley Act requires organizations to select and implement a suitable internal control framework. COSO's Internal Control - Integrated Framework, as discussed earlier, has become the most commonly adopted framework. CobIT, administered by the Information Systems Audit and Control Foundation (ISACA), is a comprehensive framework for managing risk and control of IT, comprising four domains, 34 IT processes and 318 detailed control objectives. Unlike COSO, CobIT includes controls that address operational and compliance objectives, but only those related to financial reporting have been used to develop this document. CobIT provides the actionable framework allowing for compliance with COSO and, as a consequence, with SOX.

II. COSO to CobIT

The table on the following page outlines the mapping of COSO to CobIT.

Mapping of COSO components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring; company level and activity level) to CobIT areas:

CobIT Area: Plan and Organize (IT Control Environment)
- IT strategic planning
- Information architecture
- Determine technological direction
- IT organization relationships
- Manage the IT investment
- Communication of management aims and direction
- Management of human resources
- Compliance with external requirements
- Assessment of risks
- Manage projects
- Management of quality

CobIT Area: Acquire and Implement (Program Development and Program Change)
- Identify automated solutions
- Acquire or develop application software
- Acquire technology infrastructure
- Develop and maintain policies and procedures
- Install and test application software and technology infrastructure
- Manage changes

CobIT Area: Deliver and Support (Computer Operations and Access to Programs and Data)
- Define and manage service levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service
- Ensure systems security
- Identify and allocate costs
- Educate and train users
- Assist and advise customers
- Manage the configuration
- Manage problems and incidents
- Manage data
- Manage facilities
- Manage operations

CobIT Area: Monitor and Evaluate (IT Monitoring)
- Adequacy of internal controls
- Independent assurance
- Internal audit

The following tables outline the specific activities in CobIT and COSO and map the QualysGuard vulnerability management service benefit to each section. PO3, for example, represents one of the 34 CobIT IT processes.

III. CobIT / COSO Objectives met by using QualysGuard

CobIT Domain - Planning and Organization

PO3 Determine Technological Direction: QualysGuard can help to determine the need for additional products in the security architecture.
PO4 Define the IT Organization and Relationships: QualysGuard defines the relationships between security teams (VM to Desktop Support) through the use of the remediation capabilities.
PO5 Manage the IT Investment: Trending information from QualysGuard can help to determine the need for IT investment (system or software upgrades) over time.
PO8 Ensure Compliance with External Organizations: QualysGuard reports can assist organizations in meeting compliance with SOX, GLB and HIPAA, among other regulations, by finding misconfigured devices on the network.
PO9 Assess Risks: QualysGuard allows customers to assess risks to their environment based on CVSS and by allowing customers to create a value matrix for devices in the architecture.

CobIT Domain - Acquisition

AI4 Develop and Maintain Procedures: QualysGuard introduces a structure (our six-step approach) for managing vulnerabilities from discovery to remediation. These steps are the groundwork for organizational process and procedure.
AI5 Install and Accredit Systems: The QualysGuard solution allows for the creation of a gold standard for the security of a particular host. This can be used to accredit a system prior to deployment.
AI6 Manage Changes: The remediation features in the QualysGuard solution can be used for the management of changes (such as patches) to network or host devices.

CobIT Domain - Delivery & Support

DS5 Ensure System Security: Understanding what systems are vulnerable and remediating vulnerabilities on those systems can help to ensure system security.
DS9 Manage the Configuration: QualysGuard scans can indicate host misconfigurations that may compromise system security.
DS10 Manage Problems and Incidents: QualysGuard's built-in ticket remediation system can assist the enterprise in managing problems and getting to the root cause of security incidents.

In addition to its use as a vulnerability management and remediation tool, QualysGuard maps to many of the areas of the COSO framework and can be used to demonstrate compliance with Sarbanes-Oxley section 404. For those who are using the CobIT 4.0 framework for overall IT governance, QualysGuard functionality provides a way of meeting specific CobIT governance requirements. The table below outlines the QualysGuard capabilities that map to the specific control objectives.

CobIT 4.0 Controls / CobIT Sub-Controls / QualysGuard Capabilities

PO9 Assess and Manage IT Risks
  PO9.3 Event Identification: Identifies vulnerabilities; support for CVSS-based assessment; identifies device misconfigurations; information available on demand.

AI6 Manage Changes
  AI6.4 Change Status Tracking and Reporting: The incorporation of a remediation management system within QualysGuard allows for tracking of changes to systems; action logs available for viewing and (with QG 4.7) download for tracking changes to QualysGuard; scan and report notifications available via email.
  AI6.5 Change Closure and Documentation: Action logs available for viewing and (with QG 4.7) download; multi-role support, segregation of duties (SoD); scan and report notifications available via email.

DS2 Manage Third-party Services
  DS2.4 Supplier Performance Monitoring: Many customers have purchased Qualys to monitor third-party service providers. Audits SLA compliance for those who have outsourced IT infrastructure patching maintenance.

DS5 Ensure Systems Security
  DS5.4 User Account Management: QualysGuard can assist in meeting this requirement by auditing for unused accounts (QID 105234). QualysGuard can provide audits of user rights and privileges.
  DS5.5 Security Testing, Surveillance and Monitoring: Automated QualysGuard scans using credentialed access can test for compliance and accreditation of systems. This can be accomplished through the use of specific templates containing level 1 and 2 vulnerabilities.
  DS5.6 Security Incident Definition: QualysGuard threat, impact and solution data is well defined as part of Qualys reporting. CVSS is supported for indicating impact level.
  DS5.9 Malicious Software Prevention, Detection and Correction: Report templates containing specific Qualys QIDs represent and identify Trojans, back-doors, key loggers and rootkits on systems and can be used as part of an overall strategy for DS5.9.

DS8 Manage Service Desk and Incidents
  DS8.3 Incident Escalation; DS8.4 Incident Closure: QualysGuard Remediation specifically supports all DS8 controls, allowing for vulnerability remediation assignment and control.
  DS8.5 Trend Analysis: Reports are available to support remediation trend analysis. Export to a third-party ticketing system is supported.

DS9 Manage the Configuration
  DS9.3 Configuration Integrity Review: Specific Qualys QIDs represent system configuration detections that include software inventories. These can be compared to user-defined baselines. QualysGuard can perform system software audits.

DS10 Manage Problems
  DS10.1 Identification and Classification of Problems: QualysGuard Remediation specifically supports all DS10 controls, allowing for vulnerability remediation assignment and control.
  DS10.2 Problem Tracking and Resolution: Reports are available to support remediation trend analysis. Export to a third-party ticketing system is supported.
  DS10.3 Problem Closure
  DS10.4 Integration of Change, Configuration and Problem Management

ME2 Monitor and Evaluate Internal Control
  ME2.1 Monitoring of Internal Control Framework: QualysGuard supports vulnerability trending and benchmarking reports to control the IT environment.
  ME2.1 Monitoring of Internal Control Framework: QualysGuard supports exception control through the ignore-vulnerability function on a host-by-host basis. This information can be made available across users. QualysGuard provides subscription-based, timely security notifications about emergency threat detections.
  ME2.7 Remedial Actions: Qualys supports remediation change management and process control; remediation can be assigned to specific individuals; tracking reports are available.

ME3 Ensure Regulatory Compliance
  ME3.3 Evaluation of Compliance With Regulatory Requirements: Information gathered through QualysGuard scans can assist with compliance with many regulations. User access rights to files and folders, file permissions, patches, malicious software, host event log settings and other security setting information are relevant for HIPAA, Sarbanes-Oxley, NIST 800-53 and other regulatory requirements.
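The DS9.3 row above (software inventories compared to user-defined baselines) and the AI5 item on page 4 (a gold standard used to accredit a host before deployment) describe one check: a host's reported configuration is diffed against a written baseline and every deviation is classified so it can be assigned and tracked to closure, as the DS8 and DS10 rows describe. The Python below is an added illustration written for this page; it is not Qualys code and does not use QualysGuard's data format. The baseline, the host name and the scan result are constructed for the example.

```python
"""Configuration integrity review: compare a host's scanned inventory to a baseline.

Added illustration for this page; not Qualys code. The data below is constructed.
A "gold standard" for a host class is written down as a baseline of required
package versions, required settings and forbidden packages. A scan result is
compared against it, and every deviation becomes a classified finding that can be
assigned to an owner and tracked to closure.
"""
from dataclasses import dataclass, field

# Constructed baseline for a hypothetical finance application server class.
BASELINE = {
    "packages": {"openssh-server": "7.4", "openssl": "1.0.2k", "ntp": "4.2.6"},
    "settings": {
        "PasswordAuthentication": "no",
        "PermitRootLogin": "no",
        "audit_log_enabled": "yes",
    },
    "forbidden_packages": {"telnet-server", "rsh-server"},
}

# Constructed scan result for one hypothetical host, as a scanner export might look.
SCAN_RESULT = {
    "host": "fin-app-01.example.test",
    "packages": {
        "openssh-server": "7.4",
        "openssl": "1.0.1e",      # older than the baseline version
        "ntp": "4.2.6",
        "telnet-server": "0.17",  # forbidden by the baseline
    },
    "settings": {
        "PasswordAuthentication": "yes",  # contradicts the baseline
        "PermitRootLogin": "no",
        # audit_log_enabled was not reported at all
    },
}


@dataclass
class Finding:
    """One deviation from the baseline, with what was expected and what was observed."""
    category: str  # missing_package | version_drift | forbidden_package | setting_missing | setting_mismatch
    item: str
    expected: str
    observed: str


@dataclass
class IntegrityReport:
    host: str
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def compare_to_baseline(scan: dict, baseline: dict) -> IntegrityReport:
    """Classify every way the scanned host deviates from the baseline."""
    report = IntegrityReport(host=scan["host"])
    packages = scan.get("packages", {})
    settings = scan.get("settings", {})

    # Required packages: absent or at the wrong version.
    for name, wanted in baseline["packages"].items():
        observed = packages.get(name)
        if observed is None:
            report.findings.append(Finding("missing_package", name, wanted, "absent"))
        elif observed != wanted:
            report.findings.append(Finding("version_drift", name, wanted, observed))

    # Packages the baseline forbids outright.
    for name in sorted(set(packages) & baseline["forbidden_packages"]):
        report.findings.append(Finding("forbidden_package", name, "absent", packages[name]))

    # Required settings: a setting the scanner did not report is itself a finding.
    for key, wanted in baseline["settings"].items():
        observed = settings.get(key)
        if observed is None:
            report.findings.append(Finding("setting_missing", key, wanted, "not reported"))
        elif observed != wanted:
            report.findings.append(Finding("setting_mismatch", key, wanted, observed))
    return report


def accredit(scan: dict, baseline: dict) -> bool:
    """Accreditation gate: a host passes only when it matches the baseline exactly."""
    return compare_to_baseline(scan, baseline).compliant


def format_report(report: IntegrityReport) -> list:
    """One line per finding, suitable for a ticket or an audit working paper."""
    status = "COMPLIANT" if report.compliant else "NON-COMPLIANT"
    lines = [f"{report.host}: {status} ({len(report.findings)} finding(s))"]
    for f in report.findings:
        lines.append(f"  [{f.category}] {f.item}: expected {f.expected}, observed {f.observed}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(compare_to_baseline(SCAN_RESULT, BASELINE))))
```

A setting the scanner did not report is treated as a finding rather than silently passed, because a baseline check that only inspects what happens to be present cannot support an accreditation decision; the same applies to a forbidden package, which is a finding regardless of its version.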

About Qualys

Qualys, Inc. is the leading provider of on-demand security risk and compliance management solutions. Qualys is the only security company that delivers these solutions through a single software-as-a-service platform. QualysGuard allows organizations to strengthen the security of their networks and conduct automated security audits to ensure compliance with policies and regulations. As a scalable and open platform, QualysGuard enables partners to broaden their managed security offerings and expand their consulting services. Qualys on-demand solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate view of their security and compliance posture. QualysGuard is the most widely deployed on-demand security solution in the world, performing over 150 million IP audits per year. For more information, please visit www.qualys.com.

www.qualys.com

USA: Qualys, Inc., 1600 Bridge Parkway, Redwood Shores, CA 94065. T: 1 (650) 801 6100. sales@qualys.com
UK: Qualys, Ltd., 224 Berwick Avenue, Slough, Berkshire SL1 4QT. T: +44 (0) 1753 872101
Germany: Qualys GmbH, München Airport, Terminalstrasse Mitte 18, 85356 München. T: +49 (0) 89 97007 146
France: Qualys Technologies, Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie. T: +33 (0) 1 41 97 35 70

Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 1/07