
Five Key Elements of Complete IT Compliance

How bridging the SecOps gap can keep even the most complex and dynamic environments fully secure and compliant

The Goal
Comprehensive configuration compliance

Ensuring complete compliance with regulatory requirements and best practices grows more challenging every day. Existing IT processes and organizations struggle to keep up with the rapid pace of business today, or with the scope of the mandates and threats to be accounted for. Security and compliance teams need to move fast to reduce risk, but run into conflicts with under-resourced operations teams attempting to control change, leading to a SecOps gap between audit and remediation. As a result, it takes too long to resolve even known issues where fixes are documented and available, compromising business requirements for speed and agility.

In the past, the needs of the business have often overruled the requirements of compliance, but in light of recent high-profile security breaches and compliance failures, this attitude is no longer an option. Organizations must modernize their approach to compliance and close the SecOps gap with a strategy designed for today's complex, dynamic IT environments. This includes:
- Comprehensive discovery of the entire application infrastructure, including both core and non-core systems as well as unofficial shadow IT applications
- Granular, flexible definition of the desired configuration of systems to achieve compliance with regulations and policies
- Live comparison of the discovered environment to audit against policies and regulations, and to identify changes that may trigger a violation
- Drift control to automatically remediate errors, identify exceptions, and bring systems back into compliance as necessary
- Integrated change management to govern the compliance process within the same context of control, scheduling, and best practices as any other configuration changes

It's a common-sense model, but many IT organizations continue to fall short of this comprehensive approach, relying on disconnected processes and tools that leave the business at risk.

bmc.com/compliance

Rising Compliance Challenges and Risks

Configuration compliance is becoming more difficult every day. Rapid technological innovation and change make it difficult to capture accurate system information in real time. Larger, more complex and dynamic IT environments, including expanding use of server, application, desktop, and network virtualization, private and public cloud, and unsanctioned shadow IT, pose new discovery challenges. New industry standards, IT best practices, and emerging threat models expand the scope of compliance.

Meanwhile, data breaches and other security events raise public awareness and lead to increased pressure from corporate leadership.
- In Q1 2014, there were more than 250 major security breaches worldwide, two-thirds of which were preventable.
- The average cost of a data breach for a company has reached $3.5 million USD. [1]
- Violations of PCI DSS governing credit card payments lead to fines up to USD $500,000/incident, $100,000/month, and $90/compromised record.

More than 80% of attacks target known vulnerabilities. [2]

79% of vulnerabilities have fixes available on the day of disclosure. [3]

So why do they take so long to detect and remediate?

Where Compliance Efforts Fall

Discovery
- Incomplete data and out-of-date inventories
- Manual business-IT process mapping can't keep up
- Shadow IT services remain undiscovered

Definition
- Standards take too much time to develop, implement, and maintain
- Incomplete specifications lead to false positives and false negatives
- Definitions are disconnected from operational details

Audit
- Partial or dated snapshots miss out-of-band changes
- Subjective interpretation leads to inconsistencies
- Time-consuming annual audits burden IT

Remediation
- Changes may introduce new issues
- IT can't easily verify remediation success or roll back changes
- Extensive rework diverts personnel from higher-value work

Governance
- Compliance efforts lie outside established change management
- False positives and compliance failures undermine trust
- Security and operations teams work against each other

Beyond the hard-dollar cost of fines and penalties for compliance failures:
- A false sense of security breeds complacency, leaving the business at risk
- Recurring problems lead business executives to lose confidence in IT
- Lapses in compliance lead to damaged business relationships, negative publicity, and operational disruption
- Labor-intensive approaches erode IT effectiveness and lead to staff frustration and turnover

The SecOps Gap

Security/audit teams and operations teams both play essential roles in compliance. Security identifies problems, but depends on operations to get them fixed. This collaboration can be undermined by the distinctly different viewpoints they hold.

Security/audit (GRC)
- Focuses on defining policy and documenting compliance state
- Requires rapid change for remediation
- While this group may in some circumstances perform audits, it never makes its own changes. This responsibility remains with the IT operations group.

IT operations (ITOM)
- Focuses on stability and availability above all
- Knows change is often risky
- The IT operations group, however, is reluctant to just dive in and start making changes. After all, one of the first lessons they learn is "if it's not broken, don't touch it."
- Operations is also responsible for performance and uptime, not just security, so it must compromise between these drivers.

This means that the time between security issue identification and resolution can be a period of weeks or even months.

Any effective approach to compliance must address the SecOps gap head-on. Security needs changes to be made more quickly. IT needs to ensure that these changes won't create new problems. Both sides need a better way to communicate and collaborate with each other.

Up to 193 days to resolve security issues. [4]

80% of downtime is due to misconfigurations. [5]

A More Intelligent Approach

Comprehensive security and compliance depends on an approach designed to account for:
- Rapid innovation and constant change, both planned and unplanned
- Increasingly complex and diverse environments
- Shadow IT services and other hard-to-discover systems
- Seamless implementation across the entire compliance cycle, including discovery, definition, audit, remediation, and governance
- Continuous monitoring, high visibility, and end-to-end automation to ensure fast, efficient, and effective compliance processes

Discover
Capture a complete understanding of the current state of the environment

Regular automated discovery ensures that compliance efforts cover all relevant applications and infrastructure. While some approaches to discovery focus on core systems, the reality is that non-core systems can provide a bridgehead in the network for attackers. This is even more true for unofficial systems, which may not be properly patched, hardened, and updated. Whether a system is managed by IT or not, it's IT who will be held responsible for any breach it allows.

With Intelligent Compliance, comprehensive discovery captures an inventory that includes both unofficial and unmanaged systems as well as temporary modifications, virtualized assets, and all relevant dependencies, to ensure that the entire environment can be brought into compliance.

Benefits:
- Escape the high cost and timelines of traditional manual audits
- Eliminate the risks posed by out-of-band systems and changes
- Ensure an up-to-date inventory to support real compliance coverage

Define
Create a reference configuration of the desired state

A granular content model allows IT to define the desired compliance or security state by rule, providing flexibility beyond template-based approaches. A library of pre-defined policies such as PCI-DSS, HIPAA, DISA STIG, and SOX, including both audit and remediation capabilities, can be used as templates or customized and extended to meet individual requirements. With greater confidence in the accuracy of audit results, IT can take corrective action more decisively.

Benefits:
- Take advantage of a library of pre-defined content to get up and running fast
- Adapt existing checks to your own organizational and policy requirements
- Create new policies based on real-world reference systems or abstract requirements

Audit
Compare the discovered environment to the desired state

Ongoing audits are performed automatically against the current live state of the environment, not a configuration snapshot taken prior to the audit, to verify compliance. This live audit streamlines the process by eliminating the need to populate a configuration management database (CMDB) beforehand. IT gains complete visibility into out-of-band changes to avoid hidden risks. Compatibility with other tools and even manual configuration management facilitates seamless adoption.

Benefits:
- Audit the full environment, without the limitations of snapshots or populated reference databases
- Eliminate the risk of missing recent changes and out-of-band changes with full visibility into live configurations
- Deliver live audit results that are trustworthy and actionable, avoiding false positives and negatives

Remediate
Bring systems into compliance while avoiding unintended consequences

By providing a common context to unify audit and remediation, Intelligent Compliance closes the SecOps gap. Targeted, specific changes are made automatically only to the parts of the file that are affected by the compliance violation, rather than simply replacing the entire file. Exceptions can be granted on a granular level, per rule or per server, with an expiration date if desired, and remain fully transparent, designated as "compliant with exceptions" rather than simply compliant or non-compliant.

Role-based access control and delegation ensure that only approved users execute changes. Rollback makes it simple to return to a known good state if necessary.

Benefits:
- Make surgical changes to avoid overwriting other necessary configurations
- Define and document exceptions to guide future audits
- Get automated verification that changes have achieved compliance
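As an added illustration of the define, audit, exempt, remediate and verify cycle described in the Define and Remediate sections above, here is a small Python model written for this page; it is not BMC's code and does not reflect how the product is implemented. The server names, rule ids, settings and dates are constructed. The policy checks a few sshd_config-style keys, exceptions are scoped per rule and optionally per server with an expiry date, remediation changes only the failing keys and records the old values for rollback, and a re-audit verifies the result.

```python
"""Toy configuration-compliance cycle (added example, not BMC's code).
Rule ids, server names, settings and dates are constructed."""
import copy
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed live state: three servers with sshd_config-style settings.
LIVE_CONFIG: Dict[str, Dict[str, str]] = {
    "web01": {"PermitRootLogin": "yes", "PasswordAuthentication": "yes",
              "MaxAuthTries": "6", "Banner": "/etc/issue.net"},
    "db01": {"PermitRootLogin": "no", "PasswordAuthentication": "yes",
             "MaxAuthTries": "4"},
    "build01": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                "MaxAuthTries": "4"},
}
TODAY = date(2014, 6, 1)  # constructed audit date


@dataclass(frozen=True)
class Rule:
    """One granular policy rule: a setting key and its required value."""
    rule_id: str
    key: str
    expected: str
    description: str


@dataclass(frozen=True)
class Exemption:
    """A documented exception, scoped per rule and optionally per server,
    with an optional expiry so it cannot silently live forever."""
    rule_id: str
    server: Optional[str] = None    # None means every server
    expires: Optional[date] = None  # None means open-ended

    def covers(self, rule_id: str, server: str, today: date) -> bool:
        return (self.rule_id == rule_id
                and self.server in (None, server)
                and (self.expires is None or today <= self.expires))


# Constructed policy (hypothetical ids) and exception register.
POLICY: List[Rule] = [
    Rule("SSH-01", "PermitRootLogin", "no", "Disallow direct root login"),
    Rule("SSH-02", "PasswordAuthentication", "no", "Require key-based auth"),
    Rule("SSH-03", "MaxAuthTries", "4", "Limit authentication attempts"),
]
EXEMPTIONS: List[Exemption] = [
    Exemption("SSH-02", "db01", date(2030, 1, 1)),   # still valid
    Exemption("SSH-03", "web01", date(2014, 1, 1)),  # expired, so it no longer counts
]


def audit(config, policy, exemptions, today):
    """Compare live state to policy rule by rule.
    Returns {server: {rule_id: 'pass' | 'fail' | 'exempt'}}."""
    results = {}
    for server, settings in config.items():
        per_rule = {}
        for rule in policy:
            if settings.get(rule.key) == rule.expected:
                per_rule[rule.rule_id] = "pass"
            elif any(e.covers(rule.rule_id, server, today) for e in exemptions):
                per_rule[rule.rule_id] = "exempt"
            else:
                per_rule[rule.rule_id] = "fail"
        results[server] = per_rule
    return results


def status(per_rule):
    """Tri-state server status: exceptions stay visible instead of being
    folded into plain 'compliant'."""
    values = set(per_rule.values())
    if "fail" in values:
        return "non-compliant"
    if "exempt" in values:
        return "compliant with exceptions"
    return "compliant"


def remediate(config, results, policy):
    """Surgical fix: change only the keys that failed and leave every other
    setting untouched. Returns the previous values for rollback."""
    by_id = {r.rule_id: r for r in policy}
    snapshot = {}
    for server, per_rule in results.items():
        for rule_id, outcome in per_rule.items():
            if outcome != "fail":
                continue
            rule = by_id[rule_id]
            snapshot.setdefault(server, {})[rule.key] = config[server].get(rule.key)
            config[server][rule.key] = rule.expected
    return snapshot


def rollback(config, snapshot):
    """Return remediated keys to their previous (known good) values."""
    for server, keys in snapshot.items():
        for key, old in keys.items():
            if old is None:
                config[server].pop(key, None)
            else:
                config[server][key] = old


def run_cycle(config=None, policy=POLICY, exemptions=EXEMPTIONS, today=TODAY):
    """Audit, remediate, then re-audit to verify; works on a deep copy so the
    constructed LIVE_CONFIG is never mutated between calls."""
    cfg = copy.deepcopy(LIVE_CONFIG if config is None else config)
    before = {s: status(r) for s, r in audit(cfg, policy, exemptions, today).items()}
    snapshot = remediate(cfg, audit(cfg, policy, exemptions, today), policy)
    after = {s: status(r) for s, r in audit(cfg, policy, exemptions, today).items()}
    return {"before": before, "after": after, "snapshot": snapshot, "config": cfg}


if __name__ == "__main__":
    out = run_cycle()
    for server in LIVE_CONFIG:
        print(f"{server}: {out['before'][server]} -> {out['after'][server]}")
    print("changed keys:", out["snapshot"])
```

Two design points carry the page's argument: an expired exception reverts to a plain failure at the next audit (web01's MaxAuthTries waiver lapsed, so it is fixed), and remediation writes only the failing keys, so web01's unrelated Banner setting and db01's still-exempted password setting are left alone while the snapshot holds exactly what is needed to roll back.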


Govern
Leverage established change management systems and processes

Compliance can't come at the expense of business support. IT needs to make changes with full visibility into their implications for the business, and govern these processes in a way that minimizes their impact, such as not rebooting servers in the middle of a payroll run.

By integrating Intelligent Compliance with helpdesk and ITSM solutions like BMC Remedy, you can ensure that remediation efforts are subject to the same change management processes as any other configuration changes.

Compliance teams can reassure operations and other stakeholders that compliance remediation will not pose risks to the production environment or interrupt essential services at inopportune times.

Benefits:
- Require human approval for more sensitive changes while automating more routine changes
- Enforce change windows and avoid collisions
- Capture full documentation and step-by-step audit trails

What Intelligent Compliance Can Mean to Your Organization

Bridge the SecOps gap
- Build trust between security and operations
- Ensure more rapid remediation for compliance
- Avoid conflicts and problems from remediation efforts

Avoid costs
- Avoid penalties for non-compliance
- Avoid costs (material and reputational) associated with security breaches

Improve IT effectiveness
- Increase compliance and security coverage and audit frequency
- Reassign staff from defensive activities to high-value tasks with immediate business value
- Reposition IT as a driver of differentiation through high-performance digital business processes

Reduce costs
- Achieve compliance goals with less effort
- Release and redirect resources previously consumed by compliance

Achieve full visibility
- Capture up-to-date and trustworthy information to guide decision-making
- Generate compliance documentation for auditors automatically

Real-world Benefits

Major wireless provider: Reduced server audit cycle time from 2 months to 5 days.

Major consumer brand: Reduced time for CIS policy audit on 600 Windows servers from several months to 2 hours. Achieved 75% time savings remediating non-compliant servers.

Major international bank: Achieved 100% automation of server build compliance, reducing staffing needs by 1 FTE for this task alone.

Public sector organization: Reduced time to audit and remediate 400 servers from 4 weeks to 10 minutes.

US healthcare provider: Achieved 95% cost reduction, 98.4% cost avoidance while saving 46,741 hours/year in labor.

Learn more
Contact your BMC Software representative or go to
to learn more about implementing
Intelligent Compliance to accelerate the value of your compliance initiatives.
Sources:
1. Ponemon Institute. (2014). 2014 Cost of Data Breach: Global Analysis. Retrieved from ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.
2. F-Secure. (2013). Companies Risking Their Assets with Outdated Software. Retrieved from 2.f-secure.com/en/web/corporation_global/news-info/product-news-offers/view/story/915562/
3. Secunia Research. (2014). The Secunia Vulnerability Report. Retrieved from secunia.com/?action=fetch&filename=PSI-Country-Report-(US)-(2014Q1).pdf
4. WhiteHat Security. (2013). Website Security Statistics Report May 2013. Retrieved from whitehatsec.com/assets/WPstatsReport_052013.pdf
5. Gartner Group. (1999). Making Smart Investments to Reduce Unplanned Downtime. Retrieved from gartner.com/doc/304512/
