Complete IT Compliance
How bridging the SecOps gap can keep even the most complex and dynamic environments fully secure and compliant
The Goal
Comprehensive configuration compliance
Ensuring complete compliance with regulatory requirements and best practices grows more challenging every day. Existing IT processes and organizations struggle to keep up with the rapid pace of business today, or with the scope of the mandates and threats to be accounted for. Security and compliance teams need to move fast to reduce risk, but run into conflicts with under-resourced operations teams attempting to control change, leading to a SecOps gap between audit and remediation. As a result, it takes too long to resolve even known issues where fixes are documented and available, compromising business requirements for speed and agility.
In the past, the needs of the business have often overruled the requirements of compliance, but in light of recent high-profile security breaches and compliance failures, this attitude is no longer an option. Organizations must modernize their approach to compliance and close the SecOps gap with a strategy designed for today's complex, dynamic IT environments. This includes:
Comprehensive discovery of the entire application infrastructure, including both core and non-core systems as well as unofficial shadow IT applications
Granular, flexible definition of the desired configuration of systems to achieve compliance with regulations and policies
Live comparison of the discovered environment to audit against policies and regulations, and identify changes that may trigger a violation
Drift control to automatically remediate errors, identify exceptions, and bring systems back into compliance as necessary
Integrated change management to govern the compliance process within the same context of control, scheduling, and best practices as any other configuration changes
It's a common-sense model, but many IT organizations continue to fall short of this comprehensive approach, relying on disconnected processes and tools that leave the business at risk.
bmc.com/compliance
[Figure: the compliance cycle: Definition, Audit, Remediation, Governance]
Partial or dated snapshots miss out-of-band changes
Subjective interpretation leads to inconsistencies
Time-consuming annual audits burden IT
Beyond the hard-dollar cost of fines and penalties for compliance failures:
A false sense of security breeds complacency, leaving the business at risk
Recurring problems lead business executives to lose confidence in IT
This means that the time between security issue identification and resolution can be a period of weeks or even months.
Any effective approach to compliance must address the SecOps gap head-on. Security needs changes to be made more quickly. IT needs to ensure that these changes won't create new problems. Both sides need a better way to communicate and collaborate with each other.
Operations is also responsible for performance and uptime, not just security, so it must compromise between these drivers.
Up to 193 days to resolve security issues [4]
80% of downtime due to misconfigurations [5]
Discover
Define
Benefits:
Escape the high cost and timelines of traditional manual audits
Audit
Benefits:
Audit the full environment, without the limitations of snapshots or populated reference databases
Eliminate the risk of missing recent changes and out-of-band changes with full visibility into live configurations
Deliver live audit results that are trustworthy and actionable, avoiding false positives and negatives
Remediate
Benefits:
Make surgical changes to avoid overwriting other necessary configurations
Define and document exceptions to guide future audits
Get automated verification that changes have achieved compliance
Govern
Leverage established change management systems and processes
Compliance can't come at the expense of business support. IT needs to make changes with full visibility into their implications for the business, and govern these processes in a way that minimizes their impact, such as not rebooting servers in the middle of a payroll run.
By integrating Intelligent Compliance with helpdesk and ITSM solutions like BMC Remedy, you can ensure that remediation efforts are subject to the same change management processes as any other configuration changes.
Compliance teams can reassure operations and other stakeholders that compliance remediation will not pose risks to the production environment or interrupt essential services at inopportune times.
Benefits:
Require human approval for more sensitive changes while automating more routine changes
Enforce change windows and avoid collisions
Capture full documentation and step-by-step audit trails
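As an added example (not BMC's code, and not how Intelligent Compliance is implemented), the define/audit/remediate/govern loop described above as a small Python routine: a constructed desired-state policy and two constructed host configurations, documented exceptions that the audit skips, and a governance step that routes sensitive settings to human approval, auto-remediates the rest only inside a change window, and re-audits to verify the change instead of assuming it worked.

```python
import copy
from dataclasses import dataclass

# Constructed sample policy (hardening baseline), approved exceptions, sensitive keys.
POLICY = {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
          "ntp.enabled": "yes", "auditd.enabled": "yes"}
EXCEPTIONS = {("legacy-db01", "sshd.PasswordAuthentication")}  # documented exception
SENSITIVE = {"sshd.PermitRootLogin"}  # changes here need human approval
DISCOVERED = {  # constructed live configs, as the discovery step would return them
    "web01": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
              "ntp.enabled": "yes"},  # auditd.enabled missing entirely
    "legacy-db01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
                    "ntp.enabled": "no", "auditd.enabled": "yes"},
}

@dataclass
class Finding:
    host: str
    setting: str
    actual: str
    expected: str
    action: str = "pending"

def audit(discovered, policy=POLICY, exceptions=EXCEPTIONS):
    """Compare every host against every policy key; skip documented exceptions."""
    return [Finding(h, k, cfg.get(k, "<missing>"), v)
            for h, cfg in discovered.items() for k, v in policy.items()
            if cfg.get(k) != v and (h, k) not in exceptions]

def govern(findings, now_hour, window, sensitive=SENSITIVE):
    """Sensitive keys wait for approval; others auto-fix only inside the change window."""
    start, end = window  # hours of day (UTC) in which automated changes may run
    for f in findings:
        if f.setting in sensitive:
            f.action = "approval-required"
        else:
            f.action = "auto-remediate" if start <= now_hour < end else "deferred"
    return findings

def remediate(live, findings):
    """Apply only auto-approved fixes, one key at a time, then re-audit to verify."""
    for f in findings:
        if f.action == "auto-remediate":
            live[f.host][f.setting] = f.expected
    return audit(live)  # remaining drift: what still needs approval or a later window

def run(discovered, now_hour, window):
    """One full cycle on a copy of the discovered state; returns (findings, remaining)."""
    live = copy.deepcopy(discovered)
    findings = govern(audit(live), now_hour, window)
    return findings, remediate(live, findings)
```

Inside the window the two routine settings are fixed and verified, while the root-login change stays open as an approval item; outside the window nothing is changed and all three findings remain.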
Improve IT effectiveness
Increase compliance and security coverage and audit frequency
Reassign staff from defensive activities to high-value tasks with immediate business value
Reposition IT as a driver of differentiation through high-performance digital business processes
Reduce costs
Achieve compliance goals with less effort
Release and redirect resources previously consumed by compliance
Avoid costs
Real-world Benefits
Major wireless provider
US healthcare provider
Reduced time to audit and remediate 400 servers from 4 weeks to 10 minutes.
Learn more
Contact your BMC Software representative or go to
to learn more about implementing
Intelligent Compliance to accelerate the value of your compliance initiatives.
Sources:
1. Ponemon Institute. (2014). 2014 Cost of Data Breach: Global Analysis. Retrieved from ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.
2. F-Secure. (2013). Companies Risking Their Assets with Outdated Software. Retrieved from 2.f-secure.com/en/web/corporation_global/news-info/product-news-offers/view/story/915562/
3. Secunia Research. (2014). The Secunia Vulnerability Report. Retrieved from secunia.com/?action=fetch&filename=PSI-Country-Report-(US)-(2014Q1).pdf
4. WhiteHat Security. (2013). Website Security Statistics Report May 2013. Retrieved from whitehatsec.com/assets/WPstatsReport_052013.pdf
5. Gartner Group. (1999). Making Smart Investments to Reduce Unplanned Downtime. Retrieved from gartner.com/doc/304512/