Focus Experts Briefing: 7 Ways Compliance Automation Can Secure Your IT Infrastructure

March 28, 2011

Topics: Best Practices, Data Protection, Expert Content, IT Infrastructure, Information Technology, IT Security, Compliance Automation

Focus Research 2011

All Rights Reserved

How can compliance automation help secure my organization's IT infrastructure?

March 10, 2011, by Andrew Baker, Kevin Beaver, Anton Chuvakin, Rebecca Herold, Glen Marshall, Scott Wright

Executive Summary

From the Federal Information Security Management Act of 2002 and Health Insurance Portability and Accountability Act to the Sarbanes-Oxley Act and ISO/IEC 17799 standards, IT security pros have their hands full complying with laws, standards and rules. And while IT compliance can be a tedious, repetitive and time-consuming task, a security audit can be as much of a threat to your business as a hacker. Fortunately, compliance automation software can ease the burden for IT security professionals while improving IT infrastructure security. In this guide, Focus Experts Andrew Baker, Kevin Beaver, Anton Chuvakin, Rebecca Herold, Glen Marshall and Scott Wright share 7 ways compliance automation can help secure your IT infrastructure. After reading this guide, be sure to check out the entire discussion and join the conversation: http://www.focus.com/questions/information-technology/how-can-compliance-automation-help-secure-my-organizations/.

Expert Advice

1. Compliance automation can free up capital and staff for other security initiatives.
2. Automation software enhances a business's security posture.
3. Automation tools can speed data collection and parsing.
4. Compliance automation can reduce security vulnerabilities.
5. Compliance automation software can improve security visibility and benchmarking.
6. Automation software can map compliance requirements with related laws.
7. Compliance automation can simplify tasks for auditors and regulators.

How can compliance automation help secure my organization's IT infrastructure?

1. Compliance automation can free up capital and staff for other security initiatives.
Organizational security depends on developing and executing a risk management plan, which leads to technical and non-technical risk mitigations and assurance activities. Compliance automation may reduce some of the risk mitigation cost, thus opening up additional spending opportunities to strengthen other mitigations. (Marshall)

To the extent that a tool set removes the tedium from tracking and ensuring compliance, such a tool set can aid in maintaining a better security posture. (Baker)

Compliance automation can reduce IT operational expenses and remove a vast amount of control duplication (harmonizing compliance). (Wright)

2. Automation software enhances a business's security posture.


Some compliance automation tools can greatly enhance the security posture within small organizations with limited human resources in many ways, for example by providing the tasks and framework necessary for them to follow to ensure they do not overlook something important as a result of little time and expertise. Automation tools can greatly enhance the security posture of medium and large organizations that have complex systems, networks and applications, and/or that are scattered across multiple geographic locations. Automation can keep complexity manageable, giving security pros insights into their security posture that they would not otherwise be able to determine on their own. (Herold)

By enabling an organization to quickly set/manage policies, identify discrepancies, report on compliance status, and remediate failures, such tools can aid security-minded organizations in making changes that would otherwise impact their security posture. In other words, if you and your organization are security-minded, then tools which reduce the time and effort to track compliance status can be used to aid in improving security as well, by shining a spotlight on outstanding issues and allowing you to be alerted to changes. (Baker)

3. Automation tools can speed data collection and parsing.


Good, effective compliance automation tools can also help all information security in all types of businesses by collecting huge amounts of data and more quickly synthesizing that data into meaningful reports about security risks in ways that would be hard-to-impossible to accomplish through the use of one or more sets of human eyes alone. (Herold)

4. Compliance automation can reduce security vulnerabilities.


Compliance automation helps with security, as automating usually leads to things being done faster and better. Faster and better technical control validation/enforcement means fewer holes for the attackers to exploit, thus better security. (Chuvakin)

5. Compliance automation software can improve security visibility and benchmarking.


Compliance automation can provide a more realistic benchmark by making the assurance process repeatable. (Wright)

Information security and compliance are all about visibility and control. If you're going to have any semblance of either, you have to automate wherever you can. Otherwise you'll drive yourself nuts and end up spinning your wheels. (Beaver)

6. Automation software can map compliance requirements with related laws.


Automation software can provide guidance to information security and privacy practitioners by linking and mapping their activities in ways that improve information security to the associated compliance requirements, such as for HIPAA and HITECH, to help ensure that they do not have any gaps. Logging activities that support compliance requirements also reveal security incidents, breaches and policy noncompliance. (Herold)

Compliance automation can provide concrete mapping of relevant authority documents (e.g., SOX, HIPAA, PCI) citations to internal practices. (Wright)

Tools which help to automate system, network and application configuration management, alerting, event collection, and reporting (among other things), as they pertain to compliance standards, can be a huge help to organizations that wish to do more than simply follow the letter of the compliance law. (Baker)

Automating technical controls, operational controls, user awareness/training and even disaster recovery and incident response to the extent possible helps you to enforce your documented policies and helps you carry out your specific procedures. (Beaver)

7. Compliance automation can simplify tasks for auditors and regulators.


Compliance automation sets your users, your information systems and your business up for success by ensuring everything's kept in check. The end result is that it'll make your auditors' jobs easier and you'll keep the regulators happy; everyone wins. (Beaver)

Read the entire discussion, and join the conversation: http://www.focus.com/questions/information-technology/how-can-compliance-automation-help-secure-my-organizations/

Contributing Experts

Andrew Baker

Director, Service Operations, SWN Communications Inc. www.focus.com/profiles/andrew-baker/public/

Kevin Beaver

Independent Information Security Consultant, Author, Witness and Speaker, Principle Logic, LLC www.focus.com/profiles/kevin-beaver/public/

Anton Chuvakin

Consultant, Security Warrior Consulting www.focus.com/profiles/anton-chuvakin/public/

Rebecca Herold

Owner & CEO, Rebecca Herold & Assoc, LLC aka The Privacy Professor www.focus.com/profiles/rebecca-herold/public/

Glen Marshall

Principal, Grok-A-Lot, LLC www.focus.com/profiles/glen-marshall/public/

Scott Wright

CTO, GRMC Group www.focus.com/profiles/scott-wright/public/

About this Report

Focus Experts Briefings are sourced from Focus Experts who have exhibited expertise in the particular topic. Focus Experts Briefings are designed to be practical, easy to consume and actionable.

About Focus

Focus.com makes the world's business expertise available to everyone. At the heart of Focus is a network of thousands of leading business and technology experts who are thought leaders, veteran practitioners and upstart innovators in hundreds of different topics and markets. You can connect with the Focus experts in three primary ways: Q&A, Research and Events. Personalize your Focus.com experience by following specific topics and experts and receive the Q&A, research and events of interest to you. Focus is easy to use and freely available to anyone who wants help making better business decisions.

Disclosures

This briefing was originally commissioned by Tripwire. Tripwire had input into selecting the topic, but had no editorial control over the final content selections.
