简化企业IT合规审计.ppt

1、简化企业IT合规审计RSA enVision帮您降低企业内部控制成本，提升安全,总在不断变化的合规环境,PCI DSS,HIPAA,Internal Policy,GLBA,HSPD 12,CSB 1386,Country Privacy Laws,SOX,EU CDR,UK RIPA,FISMA,COCOM,Data Security Act,FACTA,EU Data Privacy,FFIEC,BASEL II,C-SOX,IRS 97-22,NERC,NISPOM,Partner Rules,ACSI 33,NIST 800,State Privacy Laws,纷繁的&昂贵的IT合规

2、,PCI DSS Compliance,Basel II Compliance,Internal Policy Compliance,Data Privacy Regulation Compliance,Partner Policy Compliance,Network,Endpoint,App / DB,Storage,FS/CMS,Access Control,Log Management,Access Control,Monitoring,Gartner评估认为 一个接一个的规章制度，企业连续投入的资源相当与 合规平均投入的150%， 很大程度上是由于重复劳动! “Gartner for

3、 IT Leaders Overview: The IT Compliance Professional.” French Caldwell. October 22, 2007,基于框架的安全（Framework-Based Security）消除您安全管理中的漏缝,Framework Based Solutions 全面的检查清单 控制手段 安全整体视图,财务 资料,个人 信息,补丁式解决方案,信用卡 数据,基于框架的安全信息风险管理实现,Endpoint,Network,Apps/DB,FS/CMS,Storage,Sensitive Information,Security Incide

4、nts,Business Initiatives,IT Systems,企业范围的 控制框架,Framework-based security ensures your organization is prepared to comprehensively mitigate and manage information risk,持续一致 提供安全基础，实现对数据类似的安全风险采用类似的控制手段进行保护,全面整合 确保企业能够采用适当的控制手段进行全面的风险管理以减低风险,经济高效 缩减冗余控制手段，获取技术投入的最大回报,Network,Endpoint,App / DB,Storage,F

5、S/CMS,加密密钥管理,数据防丢失,监控, 报表, 审计,PCI DSS Compliance,Basel II Compliance,Internal Policy Compliance,Data Privacy Regulation Compliance,Partner Policy Compliance,身份认证,访问控制,基于框架的安全合规实现经济、高效的合规,适用于合规的内控安全框架流程,根据合规要求，确定IT内控范围 根据内控范围进行资产盘点和风险评估 执行内部IT审计 内控审计报告,基于框架的合规流程 RSA & EMC Solutions,监控，管理 & 提升,RSA Inf

6、ormation and Event Management RSA Professional Services RSA Partners,RSA enVision3合1的信息事件管理平台,日志管理,Any enterprise IP device Universal Device Support (UDS) No filtering, normalizing, or data reduction Security events & operational information No agents required,简化合规,Access Control Configuration Contr

7、ol Malicious Software Policy Enforcements User Monitoring & Management Environmental & Transmission Security,提升安全 降低风险,Access Control Enforcement SLA Compliance Monitoring False Positive Reduction Real-time Alerts Unauthorized Network Service Detection Privileged User Monitoring,优化IT运营,Monitor netwo

8、rk assets Troubleshoot network issues Assist with Helpdesk operations Optimize network performance Gain visibility into user behavior Build baseline of normal network activity,All the DATA,安全审计的目的是：对重要数据的有效系统控制,An auditor will want to see all the critical paths towards financial accounting informati

9、on,IDS/IDP logs,VPN logs,Firewall logs,Client & file server logs,Windows domain logins,Oracle Financial Logs,SAN file Access Logs,Mainframe logs,Database Logs,VA Scan logs,Switch logs,3 in 1日志管理平台简化合规Robust Alerting & Reporting,内置超过1400+报表模板 易于定制 已根据标准进行分组, 如国家法律 (SOX, Basel II, JSOX), 行业标准 (PCI), 最

10、佳实践和标准 (ISO 27002, ITIL),3 in 1日志管理平台提高安全Support the 3 key aspects of Security Operations,将实时事件，如安全威胁信息，转换成可执行的数据,SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. This technology is used to filter incident informat

11、ion into data that can be acted on for the purposes of incident response and forensic analysis. Mark Nicolette, Gartner,3 in 1日志管理平台优化IT和网络运行异常识别, 易于排错,EMC Celerra,System Shutdown,System Failure,企业内控合规报表审计,RSA enVision Report: 密码变更和过期,RSA enVision Report: 操作变更控制,RSA enVision Report: 禁用帐号报表,Complianc

12、e Packages,RSA enVision内置提供了以下10大类的合规审计报表模板: BASEL II- International Convergence of Capital Measurement and Capital Standards Bill 198 Federal Information Security Management Act (FISMA) Gramm-Leach-Billey Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) ISO 27002 NERC National

13、 Industrial Security Program Operating Manual (NISPOM) Payment Card Industry (PCI) Data Security Standard Statement on Auditing Standards No. 70 (SAS 70) Sarbanes-Oxley Act (SOX),RSA enVision3合1的日志管理平台,日志管理,Any enterprise IP device Universal Device Support (UDS) No filtering, normalizing, or data re

14、duction Security events & operational information No agents required,简化合规,Access Control Configuration Control Malicious Software Policy Enforcements User Monitoring & Management Environmental & Transmission Security,提升安全 降低风险,Access Control Enforcement SLA Compliance Monitoring False Positive Reduction Real-time Alerts Unauthorized Network Service Detection Privileged User Monitoring,优化IT运营,Monitor netwo