Maximizing Vulnerability Management and Regulatory Compliance
By moving away from manual network assessments to an automated vulnerability management program, OfficeMax Mexico is now able to more efficiently maintain a secure infrastructure and regulatory compliance.
If you run a business in North America, chances are OfficeMax has supplied your organization with the essentials needed to operate: from business services to paper, pens, forms, organizers, furniture, and technology. OfficeMax is one of the largest office supply businesses in North America and operates approximately 1,025 superstores in the U.S., Mexico, Puerto Rico, and the US Virgin Islands.
The business-technology systems needed to run this international retailer are substantial and encompass dozens of mainframes, thousands of servers, and tens of thousands of PCs. With much of its $8.3 billion in annual revenue flowing through credit card transactions, both online and in-person, keeping those systems secure and in compliance with the Payment Card Industry Data Security Standard (PCI DSS) is critical.
The Need: Centralized, Accurate, and Automated Vulnerability Assessments
Consider the efforts of OfficeMax Mexico, which manages 78 OfficeMax Superstores throughout the country. For some time, the security group at OfficeMax Mexico relied on open source vulnerability scanners to analyze its IT infrastructure, looking for and eliminating the flaws and vulnerabilities that put those systems at risk and out of compliance with policy.
Unfortunately, those tools brought a high number of false positives and failed to provide the detailed information the security and operation teams needed for effective remediation.
"The results and the reports were not as effective as we needed, and we spent too much time trying to determine what flaws were the most severe," explains Ricardo Rodriguez, information security manager at OfficeMax Mexico.
In addition, the vulnerability scanners could not provide centralized management that would let the various groups conduct their own assessments and access their own reports, so many scan result reports never reached the operations team for remediation. Facing these challenges, it became clear that OfficeMax Mexico needed a way to conduct automated security audits and ensure compliance with internal policies and external regulations, such as PCI DSS.
Why OfficeMax Mexico chose Qualys:
- Automated on-demand security and vulnerability audits.
- Ability to manage the vulnerability management process for multiple IT operations teams.
- Qualys is an approved PCI scanning vendor.
- Highly accurate vulnerability and configuration scans.
- Easy to deploy, manage, and operate.
- Scalable enough to secure an international network.
- Comprehensive reporting capabilities.
Toward Proactive IT Security, Policy Compliance, and Efficient Workflow
To bring more accuracy and automation to its IT security and regulatory compliance assessments, OfficeMax Mexico turned to Qualys. Qualys provides OfficeMax Mexico a proactive way to protect the company's network throughout the entire vulnerability management lifecycle, including asset discovery, asset prioritization, vulnerability assessment and analysis, remediation, and fix verification. And its highly flexible, on-demand architecture means that it's easy for each of OfficeMax's team members to meet their individual security responsibilities successfully.
As a direct result of Qualys’ on-demand architecture, there are no additional operational or administrative burdens for OfficeMax Mexico—once the appliance is deployed, all system maintenance, vulnerability signature updates, and software enhancements are deployed directly from Qualys’ Secure Operations Center. That means OfficeMax Mexico, and every one of Qualys’ 2,500+ customers, automatically runs the latest version of Qualys and the most up-to-date, comprehensive database of security checks in the industry.
The improved accuracy of OfficeMax's assessment scans has proven extremely beneficial for the security team. Previously, even slight errors in assessment reports multiplied the time security analysts had to spend separating false positives from actual vulnerabilities in the company's infrastructure. Rodriguez explains that the false positives would add hours to the time security management had to spend analyzing reports.
Additionally, Qualys solved one of OfficeMax Mexico's most pressing challenges: the lack of a centralized assessment and remediation workflow. Qualys’ integrated remediation and trouble-ticketing workflow system ended those days. Now, OfficeMax can generate remediation tickets based on its specific policy rules and track each ticket until successful patch deployment has been verified.
Each remediation ticket is assigned a unique number and includes all of the details necessary, including general vulnerability data, remediation history, and actions conducted. And on subsequent assessments, Qualys automatically verifies that vulnerabilities are fixed and tickets are automatically closed. "Now, with Qualys, the ticket system automatically assigns tickets to the operations people who actually will be applying the updates," says Rodriguez.
Streamlined PCI DSS Compliance
For OfficeMax, managing PCI DSS compliance is a global effort. For its part, OfficeMax Mexico uses Qualys PCI to conduct its PCI DSS assessments to both make sure its systems remain within compliance and to ready its systems for the mandated quarterly PCI DSS assessment and report filing.
Qualys PCI, which delivers much of the same functionality as Qualys, provides OfficeMax Mexico the easiest, most cost-effective, and highly automated way to meet its PCI DSS compliance mandate. Qualys PCI draws upon the same highly accurate scanning infrastructure and technology as Qualys Vulnerability Management and is optimized for PCI DSS to conduct the required scans, answer the integrated self-assessment questionnaire, and provide compliance report submissions for online certification. Additionally, Qualys is an approved PCI DSS scanning vendor.
"Qualys has been easy for us to deploy, and makes it possible for us to secure our systems, save time, and maintain PCI compliance more easily," adds Rodriguez.