For businesses today, managing IT security risk and meeting compliance requirements is paramount.

The past decade has seen an unprecedented wave of security breaches that have compromised the integrity of company-owned information – resulting in substantial financial and operational loss while devastating the confidence of customers, business partners, and stakeholders. This tide of events has led to the establishment of technical standards, IT governance frameworks, and laws such as HIPAA, GLBA, PCI DSS, Sarbanes-Oxley, FISMA and Basel II designed to improve and enforce security – creating further pressure for organizations to define, control, and govern their IT infrastructure more effectively.

Operationalize IT Security and Compliance - On Demand

IT security organizations are under constant pressure to help the business comply with these regulations and meet the demands of internal and external auditors. In addition, many regulations contain requirements pertaining specifically to the integrity and security of the IT environment. As a result, an auditor wants to see: policies that describe how an organization will provide security and integrity; proof that the policies have been operationalized; and documented evidence that the organization has discovered and fixed any policy compliance lapses.

An effective vulnerability and compliance management program can make an organization more effective and efficient in reducing the risk of internal and external threats, while at the same time providing proof of compliance demanded by auditors across multiple compliance initiatives.

Policy Compliance Workflow

An efficient workflow allows compliance professionals to define policies that describe how an organization will provide security and integrity; provide proof that the policies have been operationalized; and give evidence that the organization can discover and fix policy compliance lapses.


  • Author policies from a Control Library that provides default policies, so users can easily import them and customize them to their auditing needs.
  • Assign policies to assets.
  • Run compliance scans on hosts via authenticated credentials to collect data points from hosts.
  • Generate Compliance reports to review results, fix configuration issues and document compliance.
  • Manage exceptions and approval process. Auditors can approve exceptions and review compliance reports.
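As an added illustration of the five-step workflow above (example code, not Qualys's own; the control library, hosts, collected data points and exceptions are all constructed), a small Python model that evaluates scan data points against a policy, honours only auditor-approved exceptions that have not expired, and treats a host with missing data points as unassessed rather than compliant:

```python
from datetime import date

CONTROL_LIBRARY = {  # constructed, illustrative controls, not Qualys's own library
    "CTRL-1": ("passwd_min_len", lambda v: v >= 12),    # minimum password length
    "CTRL-2": ("telnet_enabled", lambda v: v is False),  # telnet service disabled
    "CTRL-3": ("auditd_enabled", lambda v: v is True),   # audit logging enabled
}

def evaluate(policy_controls, assigned_hosts, scan_data, exceptions, today):
    """Check each assigned host's collected data points against the policy.
    A failure becomes EXCEPTION only if an auditor approved it and it has not
    expired; a data point that was never collected is NO DATA, never PASS."""
    report = {}
    for host in assigned_hosts:
        points = scan_data.get(host, {})
        for cid in policy_controls:
            key, check = CONTROL_LIBRARY[cid]
            if key not in points:
                status = "NO DATA"
            elif check(points[key]):
                status = "PASS"
            elif any(e["host"] == host and e["control"] == cid and e["approved_by"]
                     and e["expires"] >= today for e in exceptions):
                status = "EXCEPTION"
            else:
                status = "FAIL"
            report[(host, cid)] = status
    return report

def compliant_hosts(report, assigned_hosts):
    """A host is compliant only when every control passed or carries an approved exception."""
    return sorted(h for h in assigned_hosts
                  if all(s in ("PASS", "EXCEPTION")
                         for (hh, _), s in report.items() if hh == h))

# Constructed sample run: the whole library imported as one policy, assigned to three hosts.
POLICY = list(CONTROL_LIBRARY)
ASSETS = ["web01", "db01", "legacy01"]
SCAN_DATA = {  # data points as an authenticated scan would return them (constructed)
    "web01": {"passwd_min_len": 14, "telnet_enabled": False, "auditd_enabled": True},
    "db01": {"passwd_min_len": 14, "telnet_enabled": True, "auditd_enabled": True},
    "legacy01": {"passwd_min_len": 8},  # collection incomplete on this host
}
EXCEPTIONS = [  # one auditor-approved, one still awaiting approval
    {"host": "db01", "control": "CTRL-2", "approved_by": "auditor", "expires": date(2025, 12, 31)},
    {"host": "legacy01", "control": "CTRL-1", "approved_by": None, "expires": date(2025, 12, 31)},
]
REPORT = evaluate(POLICY, ASSETS, SCAN_DATA, EXCEPTIONS, today=date(2025, 6, 1))
```

Re-running `evaluate` with a later `today` shows the approved exception lapsing back to FAIL, which is the case an auditor reviewing the report would expect to see.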

Solution: QualysGuard Policy Compliance

QualysGuard® Policy Compliance extends the global scanning capabilities of QualysGuard Vulnerability Management to collect OS Configuration and Application Access controls from hosts and other assets within the enterprise, and maps this information to user-defined policies in order to accurately document compliance with security regulations and business mandates.

QualysGuard Policy Compliance features:

Simplified Compliance Management — Customers can set automated compliance scans with controls based on CIS and NIST standards, while mapping to major industry regulations, including COBIT, ISO, NIST, Sarbanes-Oxley, HIPAA, GLBA, Basel II and others.

Automated Compliance Reporting — Security and business managers can map compliance to policy by asset group or by host, allowing them to meet the reporting requirements of an individual internal policy or regulation. They also can create and manage exceptions based on a new workflow and enterprise role—Auditor.

Seamless Integration — Policy Compliance 1.0 integrates seamlessly with QualysGuard Vulnerability Management, leveraging the same safe, reliable and secure SaaS infrastructure relied upon by thousands of organizations worldwide.

QualysGuard Policy Compliance customer benefits:

A Trusted Third Party that yields reliable data. Because all host compliance data and policies are securely stored by QualysGuard and not subject to manipulation, auditors trust the integrity and accuracy of the information and resulting QualysGuard reports.

Deployment and Scalability — Ease of deployment and scalability are extremely important when diverse compliance teams are scattered across the globe. SaaS is best suited to support geographically dispersed teams that may be responsible for compliance for the entire enterprise or only one small part. Scheduled compliance scans can be run against specific parts of the enterprise at specific times, allowing for continuous scanning for compliance issues. SaaS removes scalability as a total cost of ownership (TCO)

Agent-less solutions speed deployment and cost less to manage over time. Remediating configuration compliance issues is not complicated by having to remediate problems with the software agents that collect compliance data. Hosts that have malfunctioning software agents cannot be considered in compliance reports.

Subscription-based SaaS model allows the customer to control the compliance solution without the "sunk-costs" associated with purchasing, licensing and supporting software based products. The entire service is priced per host and there are no hidden costs. This is in stark contrast to solutions that comprise a management console, data collection agents, databases, add-on modules for compliance reporting and in some cases, a separate product that manages selective compliance policies. Simplified deployment, a reliable gold-standard of reporting, and overall lower TCO are primary benefits of the subscription-based SaaS approach.

Role-based Access to data is critical to an organization made up of IT teams that all have some role to play in the compliance process. The roles played by all compliance teams—IT operations, security and vulnerability management, internal audit and policy management—need to be supported. Even an external audit firm could be granted a view of compliance reports to gauge compliance status over time and streamline the consulting engagement.
