Control Compliance Suite takes control of IT-GRC

* Symantec has been in the IT-GRC space for a while; now it's in the game with CCS 9.0

Symantec's latest release of Control Compliance Suite has entered the elite status of a corporate platform for IT-GRC.

Over the past several years, numerous vendors have gotten into the IT Governance, Risk Management and Compliance (IT-GRC) space. They’ve been driven there by customers who are seeking automation to help them achieve, sustain and prove compliance with regulations such as Sarbanes-Oxley, HIPAA, PCI and others. The best IT-GRC products are those that holistically look at an organization – not just IT automated controls. This helps assure alignment between IT and the overall corporate governance and risk management.

By virtue of its acquisition of BindView in 2005, Symantec has been in the IT-GRC space for a while. Now the company just released a new version of its Control Compliance Suite (CCS 9.0), and this release puts Symantec in the game. If you already use Symantec products, and you’re shopping for an IT-GRC solution, you owe it to yourself to look at CCS 9.0.

CCS 9.0 is an integrated suite of products providing compliance management services across multiple regulations and an architecture that is open to an assortment of technologies distributed throughout an enterprise. The main functionality to support an organization’s compliance requirements includes:

Policy Management Assessment and Reporting – With today’s multitude of regulations and compliance mandates, many organizations have to juggle numerous control objectives and policies to assure compliance. CCS Policy Manager helps ease this burden in the following ways:

* Ships with sample / best practice policy templates to help organizations customize and map policies to specific regulations and governance needs.

* Automates the workflow associated with policy distribution, end user acceptance, and exceptions management.

* Identifies overlaps in control objectives, thus reducing redundant processes and assessment efforts.

* Collects evidence of compliance through integration with other CCS modules.

* Provides numerous visual dashboard tools and reports to assess policy compliance (and violations).

Access / Entitlement Management – Believe it or not, many organizations cannot easily determine which users have access to specific applications and regulated data. CCS 9.0 helps mitigate this challenge through its Entitlement Manager (EM) with the following functions:

* Discovers access and permissions from a wide range of systems and data stores across an organization’s infrastructure.

* Presents information in a form suited to various job roles, from non-technical business managers to security administrators and compliance auditors.

* Helps organizations lower operating costs and avoid compliance issues as well as other costly mistakes by automating the access / entitlement approval processes.

Technical Controls / Standards Management – Today compliance relies on the enforcement of a vast number of continually changing IT controls that range from database to server configuration. CCS Standards Manager provides security best practices for IT assets like servers, databases, and security devices. Key features include:

* Prepackaged technical standards that define detailed best practices for securing servers and databases.

* Automated discovery of deviations from technical standards and remediation of potential misconfigurations by providing detailed instructions to correct deviations.

* Integration with trouble ticketing and CMDBs so that controls violations are corrected quickly following formal change management methodologies.

Security Information Management – Like access/entitlement management, log data and threat detection and remediation are additional thorns in the side of the enterprise. CCS 9.0 helps address this by fully integrating with Symantec Security Information Manager to:

* Collect and normalize vast amounts of log data and correlate the potential impact based on the business criticality and level of compliance to mandates / internal policies.

* Monitor and respond to events to help assure conformity to organizational IT risk and compliance requirements.

* Provide central workflow and reporting for IT operations.

Risk Assessment Management – A large portion of any IT-GRC activity is assessing the risk of systemic as well as manual controls. This can be a burdensome task. The CCS Response Assessment module helps organizations automate the assessment of manual controls, which make up a majority of the control objectives established in regulations and control frameworks. Important features include:

* Prepackaged questionnaires based on popular standards and frameworks from COBIT to SOX.

* Eliminates the need for costly and time-consuming paper-based risk assessments by managing the creation, distribution and analysis of questionnaires.

* Integrates with CCS to provide the complete view of both manual and automated controls.

We spoke with Joel, a long-time user of the BindView predecessor of CCS. Joel is an analyst responsible for compliance oversight for a major energy retailer. His company operates under many regulations, including SOX and NERC. He’s been beta testing CCS 9.0 for months, and he’s very impressed. Joel says the product is adding value to his IT organization, and to his company overall.

Though the changes between Versions 8.6 and 9.0 of CCS are incremental, Joel says they are huge steps. From his perspective, CCS 9.0 will eliminate the need to generate special reports for the auditors. Organizations now have the ability to allow auditors (and other compliance users) to ascertain for themselves everything from current risk state to demonstration of policy acceptance to an individual employee’s activities. “In essence, CCS 9.0 makes our compliance data much more consumable and ‘world viewable’ via reporting and the exportable dashboards. The Reporting feature is a great time-saver. We no longer have to dedicate a resource to generate audit reports,” says Joel.

Another huge benefit is the ability to plug directly into service management tools such as Remedy and to automatically generate tickets for compliance exceptions. “We now have CCS generating compliance exception tickets within Remedy, which enhances our workflow and accountability. We expect that fewer items will fall through the cracks,” according to Joel.

As for managing access control and entitlement, Joel says the Entitlement Manager module will eliminate the cumbersome manual processes surrounding the company’s quarterly reconciliation process. Entitlement Manager automatically aggregates accesses from Active Directory, databases, and file-shares. This will eliminate an entire day’s worth of work for this organization, which is significant to them.

Joel says that once they have mastered the core functionality of CCS and fully integrated it into their processes, they will introduce the Risk Assessment Module sometime next year. “We fully expect it to also greatly reduce our manual activities related to risk survey management and attestation.” Joel tells us that CCS 9.0 provides a holistic view into his company’s overall control/risk management activities due to CCS’s ability to share data between modules. “Overall we are more than pleased with what we have accomplished with CCS and more importantly the entire organization is seeing real value in this product. It provides the various business functions insight into how IT is managing the risks associated with their functions.”

Copyright © 2008 IDG Communications, Inc.