"Founded in 2002 and based in San Jose, CA, LogLogic is an innovator and market leader in log management, compliance management and security management solutions designed to improve accountability and lower costs for organizations of all sizes."
Source: LogLogic
10 Steps to Continuous Compliance: Putting in Place an Enterprise-wide Compliance Strategy
Understanding the full scope and interdependency of risk in today's complex and distributed business environment is
important for achieving compliance with governmental mandates and industry regulations. However, many companies
have a limited perception of risk and still struggle making compliance an enterprise-wide, integrated process.
Compliance today must include processes for business alignment, performance management and IT risk management
across the organization. Compliance is no longer a one-time, isolated project; it's an ongoing effort.
Older methods of keeping data and the network secure (firewalls, intrusion detection, encryption and patches) are
no longer sufficient to meet compliance requirements. Because of the complexity and sophistication of today's variety
of security breaches, companies need a broader information assurance approach, a more holistic framework that
addresses security, availability and compliance. Unfortunately, homegrown security and risk prevention solutions
still dominate IT process methodologies in most organizations, and they're simply not enough. The most effective
compliance programs employ a high degree of automation and focus on policies, people, processes and technology.
This paper discusses the challenges faced by today's enterprise IT departments and outlines ten steps for successful
compliance. You'll learn what organizations like yours can do to protect information and comply with regulations, while
enhancing business performance.
Beyond IT security
Today, businesses must think about the integrity of financial information and intellectual property, insider abuse,
industrial espionage, and how to protect and secure business relationships. This involves moving from solving just
the technology problems related to security to addressing data security and information assurance as a larger, more
comprehensive business challenge. Out of necessity, organizations must think beyond IT security and protect assets
using new methods. Rather than being manual and defensive, and responding reactively to threats, new compliance
processes must be automated and proactive, provide protection everywhere, and offer rules-based policy enforcement.
According to Khalid Kark, Principal Analyst, Information Security & Risk Management at Forrester Research Inc.,
"IT Governance is not security or compliance alone; the challenge is to stay secure and compliant while enhancing
business performance."
The need to address compliance as a business issue is underscored by the myriad pressures businesses face today:
political, regulatory, technology, business, economic and geographic pressures. Public policy and foreign relations
come into play, as does the need to meet regulations of multiple jurisdictions. Business relationships are complex
and businesses operate in extended, sometimes restrictive environments. The trend toward outsourcing is creating
distributed operations, and business occurs now in multiple geographic markets. Finally, on the technology front, the
diversity of platforms and applications puts a premium on interconnectivity and flexibility in the infrastructure. IT must
put in place the corporate policies and best practices necessary to respond to these pressures, while still keeping data
secure.
Yet in many organizations, risk management is still accomplished with a siloed approach: there is a disconnect between
IT and overall business strategy. Often, different departments or business units will have different approaches to
information security, which leads to duplication, wasted resources and inefficiency. Although some organizations have
implemented best practices like COBIT or ITIL, 46% of companies responding to a recent Forrester Research survey
still use homegrown processes and applications to manage compliance activities. And most lack a primary, overarching
approach for handling compliance.
A better approach is to unify security and risk management with a single, intelligent solution that addresses all four
key areas of compliance:
- Protection for corporate policies and intellectual property
- Meeting legal mandates and governmental regulations
- Meeting industry regulations such as PCI or Basel II
- Employing best practices and standards as a baseline framework
To address all four areas effectively, certain activities are necessary. Forrester identifies the following capabilities as
critical features of a compliance, security and risk management program:
It's important to remember that compliance is not a one-time process, but a continuous effort. A high degree of
automation, such as automatic alerts and report generation, helps companies stay on track once the compliance
program is put in place.
Closing the loop on data management
Getting started with an enterprise-wide strategy for compliance requires an understanding of the requirements
particular to your industry and business. Then, policies must be put in place for collecting, alerting, reporting on,
storing, searching and sharing data from all systems, applications and network elements. This creates a closed-loop
process that governs the lifecycle of enterprise data and ensures your compliance program is successful.
Here are the 10 essential steps for implementing a successful enterprise-wide compliance program:
- Understand the requirements
- Understand the IT controls that affect your business
- Define the compliance processes and success criteria
- Identify all in-scope IT components
- Collect fine-grain user and system activities
- Store all logs centrally for the required time period
- Implement regular tasks
- Implement and verify continuous monitoring
- Demonstrate compliance status to auditors
- Substantiate reports and alerts
Understand the requirements
The first step is to understand the requirements of the regulations you must meet in your industry. No matter what
industry your company plays in, there are numerous mandates and regulations that apply, as well as frameworks
and controls that help various business units within an organization maintain security and risk management
policies. Failing to follow certain controls can result in lost customers or lost jobs, whereas failure to meet industry
regulations and legal mandates could result in more serious ramifications, such as fines or even imprisonment. A
thorough understanding of the requirements applicable to your industry can prevent unnecessary problems.
Understand the IT controls that affect your business
Putting in place the IT controls and frameworks for meeting compliance helps to govern compliance tasks and
keep companies on track for complying with legal mandates and industry regulations. However, this requires an
understanding of the specific language within those frameworks regarding log data management. The most common
frameworks (COBIT 4, ISO17799, NIST 800-53/FISMA and PCI) all have specific language pertaining to log data
collection and retention. For example, requirement 10 within the PCI standard states that companies must log and
track user activities, automate and secure audit trails, review logs daily and retain the audit trail for at least a year.
Other frameworks have similar requirements for log data collection and retention. It's important that companies not
only implement the frameworks, but really understand what they're asking for.
Define the compliance processes and success criteria
Once you understand the requirements of a given regulation or mandate, determine the scope, configuration, and
mechanism for collecting, alerting on, reporting on and retaining the data necessary to satisfy auditors. This
step-by-step process allows you to define goals and key tasks for successful compliance. For example, when you
determine the scope, your goal should be to identify all system components that are subject to a given regulation.
Then you can define key tasks related to that goal. Once those tasks are complete, you can move to configuring
network elements, systems and applications to generate the required log messages. After configuration, you can move
to defining key tasks for important compliance activities, including the collection and retention of data and setting up
automated alerts and reporting on that data.
Identify all in-scope IT components
It's a misconception that only hardware should be monitored for compliance. In addition to network elements, servers,
applications and homegrown systems should also be monitored. The specific components that need monitoring will
depend on the mandates and regulations that apply to your industry. For example, if PCI applies to your business, all
components that transmit, process or store financial information are in-scope.
Collect fine-grain user and system activities
Log data from IT components across the enterprise provides a fingerprint of user activity. This information includes
failed logon attempts, security breaches, file uploads and downloads, credit card data access, information leaks, user
and system activity, privileges assigned and changed, runaway applications, customer transactions, and email data.
This is the information that auditors will expect you to monitor on a daily basis. Log data contains a wealth of information
that provides insight into the health and security of the network; hence, it's critical to collect, store and have access to
all of it.
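The kind of automated alerting the paper describes, run over the activity types it lists (failed logon attempts, privilege changes), as an added example that is not part of the white paper or any LogLogic product. The log lines, the regular expressions, the threshold of five failures in five minutes and the key names are all constructed for illustration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the paper): syslog-style auth events.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host1 sshd[101]: Failed password for alice from 10.0.0.5 port 5001
2024-03-01T09:00:05Z host1 sshd[102]: Failed password for alice from 10.0.0.5 port 5002
2024-03-01T09:00:09Z host1 sshd[103]: Failed password for alice from 10.0.0.5 port 5003
2024-03-01T09:00:12Z host1 sshd[104]: Failed password for alice from 10.0.0.5 port 5004
2024-03-01T09:00:15Z host1 sshd[105]: Failed password for alice from 10.0.0.5 port 5005
2024-03-01T09:00:20Z host1 sshd[106]: Accepted password for alice from 10.0.0.5 port 5006
2024-03-01T09:30:00Z host1 sshd[107]: Failed password for bob from 10.0.0.9 port 6001
2024-03-01T09:45:00Z host1 sudo: bob : TTY=pts/0 ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel bob
"""

# Assumed line layout: "<iso-timestamp> <host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# Commands that assign or change privileges (hypothetical, minimal list).
PRIV_RE = re.compile(r"COMMAND=\S*(?:usermod|groupadd|visudo)\b")


def parse_line(line):
    """Split one raw line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alert dicts in log order: one per (user, source) failed-logon burst
    and one per privilege-changing sudo command."""
    alerts = []
    recent = defaultdict(list)   # (user, src) -> timestamps of failures inside the window
    fired = set()                # bursts already reported, to avoid repeating the alert
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        fm = FAILED_RE.search(ev["msg"])
        if fm:
            key = (fm["user"], fm["src"])
            recent[key].append(ev["ts"])
            # keep only failures that fall within the sliding window
            recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
            if len(recent[key]) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"type": "failed_logon_burst", "user": key[0], "src": key[1],
                               "count": len(recent[key]), "at": ev["ts"]})
            continue
        if ev["prog"] == "sudo" and PRIV_RE.search(ev["msg"]):
            alerts.append({"type": "privilege_change",
                           "user": ev["msg"].split(" : ")[0].strip(),
                           "cmd": ev["msg"].split("COMMAND=")[1],
                           "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```

On the sample above the rule fires once for the five alice failures from 10.0.0.5 and once for the sudo usermod, while bob's single failure stays below threshold; the `fired` set keeps a long brute-force run from producing one alert per line, which is what keeps an alert queue reviewable on the daily cadence the paper expects.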
Store all logs centrally for the required time period
All information from network components (hardware, servers, application and homegrown systems) should be
collected over geographically distributed locations and placed in a central archive. This archive should be stored long-term
for regulatory compliance. Most regulations specify that log data should be stored for 1-7 years.
Implement regular tasks
Although some tasks, such as user activity monitoring, must be completed on a daily basis, others are required on
a weekly, monthly or even as-needed basis. It's important to determine ahead of time how often to perform critical
tasks. IT controls frameworks and best practices provide recommendations for the frequency of specific tasks.
reviewing change management requests. Automated reports ease the hassle of daily and weekly tasks like reviewing
user access logs or configuration changes, or ensuring backups are conducted properly.
Implement and verify continuous monitoring
Alerting mechanisms and scheduled reporting let IT personnel know when a component,
want specific information about incidents that occurred and what was done to mitigate or
resolve the incident. Questions may include:
Demonstrate compliance status to auditors
Using alerts and scheduled reports, you can also demonstrate compliance status to
auditors. Alerts should be set based on compliance with SOX, PCI, ISO17799, HIPAA or
whatever regulation or best practice you are implementing. Then, reporting can be used
to demonstrate compliance. An auditor might want to see the actual report that you are
using for demonstrating the segregation of duties, for example. Log Management and
Intelligence solutions, such as LogLogic, provide report templates that map to common
IT control frameworks to simplify compliance reporting.
Substantiate reports and alerts
Alerting and reporting on logs must be substantiated with immutable log archives. It's critical to store logs centrally
with a long-term archival solution that preserves the integrity of the data. Immutable logs require time stamps, digital
signature, encryption and other precautions to prevent tampering, both during transit of the data from the logging
device to the storage device, as well as during archival.
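A tamper-evident archive of the shape this section calls for, as an added example that is not part of the white paper or of LogLogic's products: each record carries a timestamp, the hash of the previous record, and an authentication tag over its own hash. It uses an HMAC under a symmetric key as a stand-in for the digital signature the text mentions (a production archive would use an asymmetric signature or a key held in an HSM), and it leaves transport encryption to the channel (for example TLS). The key, record layout, function names and sample lines are all assumptions made for this example:

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real archive keeps its signing key out of the log pipeline (HSM/KMS).
ARCHIVE_KEY = b"demo-archive-key-not-for-production"
GENESIS = "0" * 64   # "previous hash" of the first record


def _record_hash(prev_hash, ts, line):
    """SHA-256 over previous hash, timestamp and line, so each record is bound to its predecessor."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(ts.encode())
    h.update(line.encode())
    return h.hexdigest()


def append_record(archive, line, ts=None):
    """Append one log line to the archive (a list of dicts) and return the archive."""
    prev = archive[-1]["hash"] if archive else GENESIS
    ts = ts or datetime.now(timezone.utc).isoformat()
    rec_hash = _record_hash(prev, ts, line)
    tag = hmac.new(ARCHIVE_KEY, rec_hash.encode(), hashlib.sha256).hexdigest()
    archive.append({"ts": ts, "prev": prev, "line": line, "hash": rec_hash, "mac": tag})
    return archive


def verify_archive(archive):
    """Return (True, None) if every record is intact and correctly chained,
    else (False, index) for the first record that fails: edited content, a
    recomputed hash without the key, or a deleted/reordered record all show up here."""
    prev = GENESIS
    for i, rec in enumerate(archive):
        if rec["prev"] != prev:
            return False, i
        expected = _record_hash(prev, rec["ts"], rec["line"])
        if not hmac.compare_digest(expected, rec["hash"]):
            return False, i
        expected_mac = hmac.new(ARCHIVE_KEY, expected.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, rec["mac"]):
            return False, i
        prev = rec["hash"]
    return True, None


def build_demo_archive():
    """Constructed sample records standing in for lines forwarded from a logging device."""
    lines = [
        "host1 sshd: Accepted password for alice from 10.0.0.5",
        "host1 sudo: alice : USER=root ; COMMAND=/bin/cat /etc/shadow",
        "host1 sshd: Failed password for bob from 10.0.0.9",
    ]
    archive = []
    for i, line in enumerate(lines):
        append_record(archive, line, ts=f"2024-03-01T09:00:0{i}Z")
    return archive


def edited_copy(archive, index, new_line):
    """Deep-copy the archive with one record's content altered (simulates an after-the-fact edit)."""
    copy = json.loads(json.dumps(archive))
    copy[index]["line"] = new_line
    return copy


def deleted_copy(archive, index):
    """Deep-copy the archive with one record removed (simulates a dropped record)."""
    copy = json.loads(json.dumps(archive))
    del copy[index]
    return copy


if __name__ == "__main__":
    arc = build_demo_archive()
    print("intact:", verify_archive(arc))
    print("edited:", verify_archive(edited_copy(arc, 1, "host1 sudo: alice : COMMAND=/bin/true")))
    print("deleted:", verify_archive(deleted_copy(arc, 1)))
```

The verification returns the index of the first broken record, which is what an auditor wants to see when a report is challenged: the reviewer can state exactly where the archive stops being trustworthy rather than only that it failed.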
A cross-functional effort
Compliance is no longer an isolated IT project; it's an enterprise-wide endeavor that requires cooperation between
business units and a deep understanding of the requirements, regulations, mandates and IT controls necessary for
your particular industry and business. Compliance must be looked upon as a business issue that requires a cross-functional
approach, involving people, processes and technology across the enterprise. Taking the steps necessary
to understand, define and implement the appropriate IT controls and frameworks for your business will simplify
compliance and reduce the costs and resources involved in completing compliance-related tasks.
About LogLogic
LogLogic, the market visionary and leader, provides the world's leading enterprise-class platforms for high-performance
aggregation, retention and analysis on 100% of log data from virtually any device, operating system or
application. LogLogic series 3 LX and ST appliances address the compliance and risk mitigation needs of the most
demanding enterprises. LogLogic's ST appliances for high-performance log data capture and storage were named
venture capital firms and serves Fortune and Times 1000 companies globally.
For more information, please visit www.loglogic.com or our blog at blog.loglogic.com.