Service Manager: Simplifying IT Governance, Risk and Compliance
Sean Christensen, Senior Technical Product Manager, Microsoft Corporation

Agenda for this session
- Goals for today
- What successful GRC involves
- Special guest interview
- Demos of GRC solutions

What I want you to walk away knowing...
- GRC is part of your business that will not go away, so how do we make things easier for ourselves?
- GRC solutions should be flexible enough to reuse across groups, eliminating duplicate efforts and cost.
- Greater awareness of the Microsoft solutions available to drive GRC implementations within your org, to better prepare for audits.

Successful GRC should focus on...
- Build & automate for the future
- Leverage familiar & flexible tools
- Build end to end into the every day
Solution areas: Security Compliance & Hardening; Regulatory Compliance; Data Governance

Build & Automate for the Future
- Future-state risk and compliance blueprints
- Automation in current and future-state blueprints
- Understand how technology influences risk and compliance
- Leverage best practices & industry standards: apply COBIT controls at the Windows Server level!!!
- Partner with Finance and Compliance groups and show them how
- Get proactive about compliance
Case study: Microsoft Streamlines Server Compliance, Provision a SOX IT-compliant: http://msdn.microsoft.com/en-us/library/dd537744.asp (Source: PRIMA, 2010)

Leverage Familiar & Flexible Tools: maximizing existing tools and investments for risk & compliance
- Drive efficiency and productivity in risk management and compliance tasks
- Familiar + Flexible = Efficient
- Leverage familiarity of existing investments
- Reuse for new programs
- Eliminate duplicate efforts
- Reduce costs
- We don't want to be this guy
Question: Will the tools I use show me compliance AND operational information? I'm going to show you how System Center can help you do this!

Build End to End into the Every Day
- Embed simpler risk and compliance controls in everyday activities
- Empower a risk and compliance culture by focusing on the last mile
- GRC from strategy to end-point
GRC begins to provide greater value to the organization when it's embedded into the existing management systems. You can map it back up to GRC regulations.

Compliance: Reaching All Parts of the Organization (what causes us pain and confusion)

Board of Dir./CEO and Audit Committee (Regulatory Compliance & Governance requirements; Regulatory Certification)
- "Make sure that we comply so that we can focus on the business without an obscene cost."
- "Based on a bewildering collection of reports, I must certify if we are compliant. It's my butt on the line."
- Regulatory certification that gets Board members sent to jail.

CIO/CSO (Business Objectives & Policies; Requirements; Auditor Reports)
- "It's too hard to interpret new regulations and sort out overlaps to set policy across functions."
- "Every quarter I learn how non-compliant we have been last month. It's like whack-a-mole; how do I get ahead of these issues and risk?"
- "Each business change brings new IT compliance requirements. 80% are duplicative, but we review it all, delaying response and increasing cost."

ITDM (Requirement Definition; Audit Requirements & Design)
- "System changes require regulation-specific periodic audits. Kill me."
- "What detail will the auditor want to check up on this time? These procedures are slowing our response."
- "Do we need more software to manage IT compliance?"

IT Pro (System Management; System Operations: review log files, confirm settings)
- "Checking log files, re-confirming settings, documenting processes is a waste of time when I have truly critical things to do."
- "Configuring and monitoring local and distributed servers and PCs for compliance is so time consuming."
- The stuff we do every day! How do we interpret and test IT compliance across a vast enterprise?

Lost in Translation: An Example
- 8-609.a(3), NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) [February 26, 2006, February 28, 2006]: Maintain user accounts for all systems and access management for those users.
- COBIT 4.1 DS5.3; HIPAA 164.308(a)(5)(ii)(D); ISO 27002 11.2.3: procedures for managing passwords

Lost in Translation
Embedding GRC into the every day requires translation between the regulations the board cares about (Sarbox, COBIT) and the servers, applications, databases and infrastructure that IT manages, and bringing the two together for an audit.
Get through the confusion: Compliance: What Architects Must Know, http://msdn.microsoft.com/en-us/library/bb421526.aspx

Interview: Chase Carpenter, Principal Product Unit Manager, Microsoft Solution Accelerator Team

Examples of Microsoft GRC solutions (at the moment!!!)

Security Compliance Manager: best practices to harden your infrastructure
What is the Security Compliance Manager? The Microsoft Security Compliance Manager (SCM) tool provides Microsoft best-practice guidance, security settings, and automated tools to make migration, security configuration, and security compliance faster and easier. Accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.
How it helps, how it works. SCM enables you to:
1. Download the latest security configuration settings from Microsoft.
2. Customize these baselines to create your own Gold Master security baseline.
3. Share baselines in the formats you require.
4. Manage baselines from a central console.
Security Compliance Manager demo

Data Classification Toolkit: driving data governance into your unstructured data
- Identify, classify, and protect data to enable data compliance for Windows File Servers
- Reporting

Example: File Classification Infrastructure & RMS
- Identify and protect sensitive documents on file servers
- Complement manual RMS protection with automated server-side IT policies for complete ownership of security infrastructure and prevention of inadvertent data leakage
Workflow (FCI: Classify; File Management Task: RMS Protect):
1. A user creates a file marketing.docx on a Windows Server 2008 R2 file server.
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content, including "Confidential" and "Internal only".
3. A Full Time Employee can access marketing.docx.
4. An automated File Management Task invokes RMS protection to restrict access to Full Time Employees only.
5. A malicious user who gets access to the file through an unintentional leak is not able to access the file content.

Information Governance (File Servers)
- Data Classification Toolkit (Knowledge + Multiple File Servers)
- IT GRC Process Management Pack
- File Server Classification (File Server)
- 21 new Control Activity libraries added into the IT GRC solution inside Service Manager
- The Data Classification Toolkit library contains specific control activity guidance on how rules are established and validated through DCM CAB files

IT Governance, Risk & Compliance: rolling up to demonstrating compliance with regulatory obligations through embedded knowledge

A Systems View of Compliance: Translating Regulations to Action
- Board of Dir./CEO, Audit Committee: Compliance Requirements (SOX, COBIT, PCI, EUDPP, ISO); Internal Policies
- CIO/CSO: Business Objectives & Policies; IT GRC Process Management Pack; Microsoft Control Library (Control Objectives, Control Activities); Compliance Status
- ITDM: Control Testing Procedures; System Management
- IT Pro: Operational Systems (CMDB, DW, Active Directory); System Operations; Non-Microsoft (Partner)
- Outputs: Comply/Authority Reports; Incident/Issue Reports; Residual Risk; Audit (Authority Document View)
- Legend: Available; Roadmap; Partner

System Center Service Manager for IT GRC: The Power is in the Integration
- Simplification
- Visibility
- CIO/CSO: "I have visibility into our cross-organizational compliance programs and status."
- ITDM: "We have simplified our IT compliance processes and reduced the cost and burden of audits."
- IT Pro: "I have automated configuration and monitoring testing and focus on higher value activities."

Service Manager Platform: Incident and Problem; Change; Workflows; Knowledge Base; CMDB; Data Warehouse
Compliance and Risk Management:
- Program management and automation (risks, controls, assertions & reports)
- GRC incident management (remediation)
- Excel integration (data migration & bulk updates)
- Knowledge: over 400 WW authority docs supported based on UCF; control objectives mapped to authority docs; control activities (manual & automated) for Win 7, Win 2008, Win 2008 R2 & System Center
- Connectors: Partners; Automation; Active Directory
- Extensibility: customization (forms, data & reports); interoperability (Microsoft products and IT services); partner extensions (e.g. SAP, Linux, etc.)

GRC Architecture Overview
- Svc Mgr Console: Compliance Managers; Compliance Users; SharePoint Portal
- IT GRC Process Management Pack: Control Activity Library; Test Automation Framework; Policy Library; Risk Library; Knowledge Library; Document Management; Control Management; GRC Incident Management; Risk Management; Program Management; Doc Types: Authority Docs, Policy Docs
- Service Manager: Incident Management; Problem Management; Change Management; Configuration Management; Connector; SM Data Warehouse; Compliance and Risk Reports
- Libraries: Microsoft Control Library; IT Compliance Management Library (Microsoft Products); IT Compliance Management Library (Microsoft & Partner Products)
- Packs: MS GRC Config Packs; Partner GRC LOB Packs; Partner GRC Infra Packs (Linux, Unix, etc.)
- Connectors (Linking Fx) to Target Hosts (Computers) and to SAP, Oracle, etc.
- Legend: System Center; IT GRC PMP; MS IT CML Library; Partner Library; Regulatory; Governance

IT GRC Solution Accelerator demo

Bringing It All Together
- Security Compliance & Hardening with SCM
- Regulatory Compliance with IT GRC PMP & CML
- Data Governance with Project Rook
- Go download Security Compliance Manager and start using it.
- Go download Service Manager and the IT GRC PMP.
- Watch for, and when available download, the Data Classification Toolkit.

MMS Sessions to check out for more...

Day        Time     Session  Title
Tuesday    2:15pm   BB13     Simplifying and Automating IT Governance, Risk & Compliance
Wednesday  11:45am  BB14     System Center Service Manager: A Deep Dive into Automating ITIL and MOF
Wednesday  10:15am  BB15     System Center Service Manager 2010 R2 Overview
Wednesday  10:15am  BB20     Monitoring IT as a Service with System Center
Thursday   10:15am  BB25     System Center Service Manager 2010: Troubleshooting and Notes from the Field
Thursday   10:15am  BB32     Showtime for System Center: Management of the Common Platform
Monday     4:30pm   BB34     System Center Service Manager: Intro to Implementing your IT Processes
Thursday   2:30pm   BB35     Extending System Center Service Manager: Modeling your Business Process
Wednesday  4:00pm   BB52     Service Manager & Opalis Automation and Compliance in Action
Tuesday    10:15am  BG01     Using System Center Service Manager for Incident, Change & Problem Management

Labs
IB09  ILL: Automating IT Processes on Service Manager 2010
IB10  ILL: Incident and Change Management in Service Manager 2010
IB11  ILL: Service Manager 2010 Data Warehousing and Reporting
LB09  HOL: Automating IT Processes on Service Manager 2010
LB11  HOL: Service Manager 2010 Data Warehouse and Reporting
LB12  HOL: Service Manager Integration with System Center
LB13  HOL: IT Governance, Risk & Compliance Configuration in Service Manager 2010

Questions? [email protected] @Seanc_msft

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
