Enterprise-Wide Security Transformation to Meet Escalating Regulatory Requirements


Modern corporations face increasingly complex compliance and regulatory demands that require them to respond quickly and effectively to any information security incident. Now expert assistance is available on an enterprise scale.

The Challenge

Compliance and regulatory requirements are placing growing demands on the enterprise to effectively monitor, detect, report and respond to new security threats and existing vulnerabilities in corporate systems and applications. In fact, Accenture's High Performance Infrastructure research, conducted with almost 850 senior IT executives across the USA, UK, France, Italy, Germany and Japan, revealed that sixty-seven percent of respondents reported an increase in the number and sophistication of security attacks. At the same time, the number and scale of corporate information security incidents are steadily increasing.

For the enterprise, the size and complexity of the overall challenge are exacerbated by several internal challenges. These include gaps in knowledge, skills, technology and process, and a lack of automation in processes and practices.

Knowledge and skill gaps

Detecting, prioritizing and responding to information security incidents, and to the vulnerabilities they uncover, are not typically strategic focus areas for the enterprise. Yet industry and governmental regulatory compliance requirements increasingly demand that organizations manage information security effectively. Developing, training and retaining such capabilities internally is difficult, time consuming and expensive. Most corporations suffer from gaps in a number of areas, including personnel, knowledge, experience, processes, organization, technology, budget and infrastructure.

Lacking the depth of such capabilities, an enterprise may be unable to maximize the value of whatever security technology, process, management and remediation strategies it has already acquired or devised. In addition, in today's hyper-regulated environment, corporate information regulations that are vague and non-prescriptive don't lend themselves to actionable policies and controls. Correcting such problems may be difficult, given that cross-regulation experts are hard to find and in high demand. At the same time, current IT outsourcing agreements may not adequately address information security compliance requirements.

Technology and process gaps

Corporate information security efforts are often compromised by inadequate or outmoded security technology and processes, in some cases coupled with legacy systems and applications that were never designed with contemporary security objectives in mind. Many of the new detective and preventive controls that are available require the painful decommissioning or changing of an enterprise's IT infrastructure and processes. In such environments, gaps in compliance skills can widen even further. If an element of an enterprise's IT infrastructure or processes is in need of replacement and is relied upon as an IT control, then the financial audit process itself may be affected. Also, relative to corporate compliance initiatives, individual departments and vendors may be operating in silos, resulting in an even more inconsistent process.

Size and complexity issues

The size and complexity of the information security issues faced by the modern enterprise are daunting. Corporate networks and customer databases are typically huge and by nature complex. Further increasing the enterprise's vulnerability is the sheer number of custom applications and their associated lines of custom code. At the same time, security software is becoming increasingly complicated and modular, involving the integration of many working parts. For organizations with older systems or applications, software may have undetected vulnerabilities because it was not developed to current security standards. The modern enterprise literally depends on a web of heterogeneous systems, applications and infrastructure, all supporting geographically dispersed sites and organizational units. This complex, interwoven web adds to the overall difficulty of security preparedness, driving the enterprise's risk exposure ever higher.

Lack of automation

One of the main challenges to security preparedness is the lack of automated processes. To cost-effectively sustain compliance, automation isn't just a convenience; it is required. Organizations that integrate audit practices into their operations can incur fewer material deficiencies. Point audits, for example, are infrequently cost-effective or adequate, and reporting often results in errors when it is fragmented, ad hoc or manually performed. Intelligent automation, on the other hand, allows for the inclusion of ever-changing control requirements and enables a synchronized, repeatable process that delivers consistent, correct results.

The Solution

Accenture and Symantec help enterprises in complex environments reframe the way they think about information security. Delivering scale, experience and a diverse knowledge base with a global footprint, Accenture and Symantec Security Transformation Services provides a comprehensive set of end-to-end security services and products. These services include compliance transformation, security monitoring and management, and application security services.

Compliance Transformation

Enterprises need assistance to prove and sustain compliance with multi-regulatory mandates that are often vague and non-prescriptive. Accenture and Symantec Security Transformation Services help clients move from reactive crisis remediation to proactive managed compliance control and reporting processes that are integrated into an overall IT operations strategy. The demand for this type of service is expected to grow dramatically as mandates change and enterprises face increasing pressure to comply. For example, currently only about 15,000 public companies in the United States must comply with Sarbanes-Oxley; however, in 2008 public companies with less than US$500 million in earnings will face the same requirement.

The compliance transformation services offering is designed to build a comprehensive, sustainable compliance program that reduces the long-term cost and complexity of maintaining compliance. It includes the following components:

Compliance Assessment. Evaluates baseline effectiveness against applicable regulations and standards and examines leading practices. Identifies the controls required to meet compliance standards and business objectives. Also results in the creation of a prioritized compliance roadmap.

Policy Definition. Defines specific policies that are relevant to compliance with key regulations and best-practice frameworks (for example, SOX, GLBA, COBIT and ISO 17799). Maps policies to regulatory initiatives and helps ensure proper coverage using control architectures. Defines audit automation evidence requirements.

Control Implementation. Configures or deploys change management, server hardening, data archiving, access control and other control infrastructure elements. Integrates custom evidence feeds to automate the audit process.

Operational Governance. Refines metrics, collection and reporting. Mobilizes and tunes operational procedures. Builds self-sustainability through self-assessment, and trains and transfers control to client resources.

Security Monitoring and Management

Enterprises must be able to quantify a threat's magnitude, assess its effects, and respond quickly in an appropriate, measurable and repeatable manner. Accenture and Symantec Security Transformation Services offer clients a proven, repeatable, monitored and managed security solution, in-sourced or co-sourced with the client. These services combine Symantec's technology, global intelligence, processes and experts with Accenture's experience in driving high performance for its clients through transformation and program management capabilities. In particular, security monitoring and management services include the following:

Baseline Operational Assessment. Evaluates IT and information security elements (strategy, governance, policy, organization, process and technology) and operational effectiveness. Recommends solution sets, sourcing models and Service-Level Agreements (SLAs).

Nerve Center Implementation. Establishes an appropriately staffed Program Management Office (PMO) and a framework. Creates a detailed design, plan and staffing model. Builds a nerve center with security controls, test procedures, technology and integrations.

PMO/CIRT. Implements a PMO providing strategic reporting, analysis and trends, as well as ongoing governance, planning and policy maintenance. Builds a Computer Incident Response Team (CIRT) and manages and/or staffs CIRT functions.

Nerve Center Operational Management (Run). Provides operations and personnel management, maintenance and upgrades to the production environment; SLA administration; and operational reporting.

Application Security Services

Market pressures, increasing complexity and the high cost of downstream remediation are all resulting in security being baked into the entire software development lifecycle. Using independent third-party assessments, custom development work performed by Accenture, and a portfolio of application outsourcing contracts, Accenture and Symantec Security Transformation Services helps enterprises ensure greater application security. The application security services offering includes the following components:

Security Development Lifecycle (SDLC) Transformation. Transforms or builds a new SDLC and associated frameworks for clients. Reviews application architecture and design, as well as the development process. Helps with certification criteria, and provides secure-coding and secure-SDLC training.

Code Review and Analysis. Performs black box and white box testing for application-level vulnerabilities. Also performs automated testing of the code base, as well as sampled and line-by-line code reviews. Inserts automated scanning tools into the Integrated Development Environment. Maps results and feedback to policy, and delivers a remediation plan and vulnerability details.

Code Remediation. Provides competitively priced code remediation services, secure-coding training, and workshops for developers, testers and managers. Assists with or completes project management of code remediation activities and policy ownership updates.

Conclusion

Working jointly, Accenture and Symantec provide a comprehensive set of transformative security services for enterprises. These services draw on the complementary strengths and experience of two industry leaders, combining Symantec's leading-edge technology, tools and security expertise with Accenture's experience in driving high performance through broad industry experience and acclaimed IT and business transformation and program management capabilities. The resulting enterprise preparedness enables swift and effective response to today's information security challenges and threats.

Contact

To discuss how your company can benefit from Accenture and Symantec Security Transformation Services, contact: jesse.w.bowen@accenture.com or security_transformation_services@symantec.com.

About Accenture

Accenture is a global management consulting, technology services and outsourcing company. Committed to delivering innovation, Accenture collaborates with its clients to help them become high-performance businesses and governments. With deep industry and business process expertise, broad global resources and a proven track record, Accenture can mobilize the right people, skills and technologies to help clients improve their performance. With more than 133,000 people in 48 countries, the company generated net revenues of US$15.55 billion for the fiscal year ended Aug. 31, Its home page is

About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability and integrity of their information. Symantec provides a full range of services for assessing, architecting, implementing, supporting and maintaining an enterprise's security, storage and infrastructure software solutions. Symantec's global services organization also provides comprehensive maintenance, technical support and educational services.

Copyright 2006 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Printed in the USA. 10/06

Copyright 2006 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.