NetIQ Secure Configuration Manager helps you protect your IT infrastructure and meet compliance requirements in the IT controls areas of entitlement reporting and segregation of duties. This holds across many different platforms, none more important than Unix and Linux.
With NetIQ Secure Configuration Manager, companies can implement and manage controls that make compliance programs sustainable and repeatable, while gaining visibility into sources of vulnerability and risk exposure on Unix systems.
A ‘Unified Compliance’ Approach
There are several information security control frameworks available to help you get started in creating IT controls for assessment and reporting to meet compliance requirements: ISO17799 from the International Standards Organization in Europe, CobiT from the Information Systems Assurance and Control Association (ISACA), and the IT Infrastructure Library.
However, because these are attempts at universal control sets for organizations of all sizes, locations, and industries, it will still be necessary to customize them to meet your unique needs. The major challenges that customers face in these efforts include those listed in the following sections.
Breaking Down Regulations into Standards and Best Practices
Most regulations today provide general overviews without detailed instructions on requirements and checklists. For example, the Gramm-Leach-Bliley Act states that financial institutions must ensure the confidentiality and integrity of consumer information, but provides no specifics on how to achieve this. Customers need solutions that break down regulations into standards, best practices, and policies. Administrators look for guidelines and best practices that add detail and definition to vague regulatory requirements.
The frameworks mentioned above can provide assistance in this area, as can guidance from regulatory agencies, industry associations, and consultants. To drill down even further and provide specific guidance on recommended system configurations, organizations such as the Center for Internet Security (CIS) and the National Institute of Science and Technology’s Computer Security Resource Center (NIST CSRC) provide more detail.
Automating the Compliance Process to Make It Sustainable
Organizations have spent huge amounts of money meeting initial compliance requirements for Sarbanes-Oxley and other regulations. To make the whole compliance process repeatable and sustainable, companies need solutions that automate the IT control areas that, when performed manually, are time-consuming and error-prone.
Implementing, Managing, and Documenting Controls
A compliance architecture supports the integration of controls into an organization by centralizing many IT controls and using technology to help enforce process controls. While there are areas of commonality across various standards and guidelines, the major controls can be grouped under three main categories.
Organizational Controls
Organizational controls can be thought of as activities such as budget processes, business strategy, organization charts, legal processes, and policies and procedures. These controls are part of the structure of the entire organization, not just of IT, and are often explicitly required by the regulations.
Management Controls
Management controls can be thought of as security processes such as risk assessment, continuity planning, incident response, and auditing/compliance reporting. They are more specific to IT than Organizational Controls, but apply to the governance of the entire IT environment. Most IT regulations will specify at least some of these controls.
Technical Controls
Technical controls can be thought of as specific IT procedures that ensure an organization’s information is secure. They are very specific to the world of IT and often require specialized training to perform. Rarely are technical controls explicit within a regulation – organizations and practitioners are usually left to interpret what procedures to implement to achieve compliance. Examples of technical controls include encryption levels and key management, audit log management, identification and authentication, service level agreements, change control, intrusion detection, antivirus, and many others.
Implementing Unified Compliance with NetIQ
IT compliance programs cover disciplines ranging from physical security to HR processes, and from system continuity planning to identification and authentication. Most information security control frameworks have somewhere between 8 and 12 distinct domains, with some as high as 32. These domains can break down into hundreds of controls – an impossible range of coverage for any one vendor. Indeed, many of the controls are process-oriented, requiring no additional technology. However, some controls are extremely labor-intensive and almost impossible to perform manually. NetIQ offers the broadest range of automated compliance solutions. Some specific examples of controls we can help you implement and automate are explored within.