
Achieving Continuous Automated Compliance the BigFix Way

Achieving Continuous Automated IT Policy Compliance

By Amrit Williams, Chief Technology Officer, BigFix, Inc.
Organizations face a triple challenge: interpreting vague legal and governance regulations in a meaningful and defensible way, adhering to multiple compliance standards simultaneously, and improving the organization's security posture in the face of the distractions posed by compliance mandates. Moreover, compliance with any regulatory regime is not a one-time event. It must be achieved and demonstrated quarter after quarter and year after year. Passing an audit and becoming compliant, however, does not necessarily equal strengthened security or improved IT processes. Nonetheless, taking a best-practices approach to security will facilitate achievement of compliance objectives. Therefore, organizations need to strive for continuous compliance, a state that can be enabled through real-time visibility and control over continuous IT policy enforcement processes on laptops, desktops, and servers, whether these assets are directly connected to an enterprise network or roaming in cyberspace.
Selecting and Implementing Appropriate Controls for Regulatory Compliance
Regulatory and commercial mandates including Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and the Federal Information Security Management Act (FISMA) have a common set of tenets regarding accountability, transparency, measurability, and the deployment of processes and tools to continuously conform to regulations. Regardless of the specific provisions of a regulation, auditors are almost always looking for an organization's ability to define a corporate policy, instantiate the policy as a technical control, audit the environment against policy, remediate deviations from policy, and provide visibility and accountability through reporting.

Some requirements common to many regulations include:

- Establishing comprehensive information security policies and procedures
- Ongoing risk assessment
- Access control, assigned and segregated responsibilities, identification and authentication
- Security awareness employee training
- Security incident procedures and contingency plans
- Audit controls, continuous monitoring, and regular reporting
- Configuration and change management
- Maintaining system and information integrity
- Enforcing specific policies for workstation and server usage and security (including up-to-date security configuration management, patch management, password policies, application control, antivirus, anti-spyware, and other host-based security technologies such as encryption and information leak prevention)
- Controlling devices and removable media
- Network Access Control (Cisco NAC, Microsoft NAP and other quarantine solutions), and firewall management
Compliance Automation Best Practices
Compliance calls for the operational implementation of IT technical controls. To achieve real improvements in security while developing controls, processes and automation to pass compliance audits, organizations must implement an effective IT policy enforcement program that balances process with enabling technology. In addition to improving security and compliance, the choice of enabling automation technology can also reduce the cost and administrative burden of compliance.
Core capabilities necessary to implementing an effective IT policy enforcement program and achieving compliance include:

- Policy definition: The process by which an organization specifies the desired state of elements within its environment. This can range from application usage policies, to security configurations of desktops, servers, and networking equipment, to user provisioning and identity and access management. Essentially, the organization must define a set of policies that allow it to implement technologies and processes for the purpose of auditing and enforcing against a security baseline.

Figure 1: BigFix solutions help align security and configuration management with IT best practices frameworks. (Figure layers: Regulations (SOX, HIPAA, GLBA, FISMA, PCI, UK FSA); Defined Management Policies; Operational Technical Controls; Visibility and Reporting.)
- Asset and vulnerability discovery and assessment: The process by which an organization assesses its environment against a database of known vulnerabilities (vulnerability assessment) and against a security configuration baseline (security configuration management).
- Security configuration management: The process by which an organization defines the desired configuration state of desktops and servers against a security baseline, and the process of auditing the environment for deviations from policy and remediating noncompliant machines.
- Prioritization: The process by which an organization prioritizes remediation and mitigation activities. The sheer volume of documentation from vulnerability assessments and security configuration management actions can be overwhelming against the backdrop of a dynamic and evolving threat environment. In the face of this kind of information overload, organizations must be prepared to act quickly to protect the right assets against real threats. Understanding the external threat environment, internal security posture and the classification of assets is critical to rapid, effective response.
- Shielding and mitigation against external threats: The process and technologies by which an organization responds to threats or policy violations. Over the last several years it has become apparent that rapid patching of Microsoft environments alone has failed to secure the enterprise. A proliferation in threats against non-Microsoft elements, an increase in application-layer attacks, and targeted threats against data have proven that organizations must incorporate network and host-based security technologies as part of their remediation and mitigation activities. Although a patch may not be available, or may be logistically impossible to deliver quickly, the organization may be able to shield elements from attack by reconfiguring host- or network-based firewalls, updating host- or network-based intrusion prevention tools, or other security technologies. IT must incorporate all network and security elements into its response to critical vulnerabilities or policy violations, especially when active exploit code exists, as opposed to relying solely on rapid patching.
- Remediation: Regardless of an organization's initial response to vulnerabilities, exposures, policy violations or non-compliant elements, it must move to eliminate the root cause. Generally this requires deployment of a patch, removal of certain applications or services, or upgrading the OS altogether. Either way the result is to eliminate the root cause to ensure that the condition can no longer be exploited, even when preventative measures are applied.
Controlling Compliance Costs
In understanding compliance requirements it is important to note that regardless of the legislation the objective is the same: to protect data. In the case of Sarbanes-Oxley this means safeguarding financial data. With the Payment Card Industry corporate standard this means protecting cardholder data. Likewise, the Health Insurance Portability and Accountability Act focuses on shielding patient data.

In this context, a control is simply a policy, procedure, process, system configuration, system setting, or practice which serves to protect critical data as defined by a given regulatory regime.

Figure 2: Regulatory compliance drives policy-driven, pre-incident security measures, aligning compliance with otherwise unrelated security risk reduction programs.
Compliance is not cost free. Any regulation that generates extra capital, operating expense or labor costs subtracts from an organization's bottom line. Both industry and audit firms are becoming sensitive to the burden placed on companies to comply with multiple government regulations. To enable improved compliance and security while reducing the cost burden to companies, many advocate that companies consolidate controls across compliance initiatives.

To accomplish this, organizations will have to:

- Examine each set of control requirements side by side
- Identify controls that are common or similar across compliance initiatives
- Determine the core set of common controls that the organization will rely upon to achieve compliance
- Implement systems to automate the monitoring, testing, and reporting of key controls and align this with the vulnerability management process

Most companies are in the baby-step stages of adopting the consolidated compliance approach. In the adolescent stages they will define and enforce common sets of manual controls. In the mature stages companies will automate and optimize compliance.

The benefit of consolidated automated compliance will come in two areas: (1) significantly reduced cost for internal and external audit fees, and (2) elimination of the organizational disruption caused by compliance processes.
Automating Compliance With BigFix
By choosing the right tools, organizations can convincingly demonstrate their adherence to a broad spectrum of regulations; increase the overall security of their business, information and IT assets; achieve continuous compliance; and lower the cost and complexity of their IT infrastructure. In short, these technologies and processes have the potential for converting compliance from a diversion to a positive force for IT process improvement.

BigFix enters the compliance picture by enabling comprehensive IT policy enforcement with a proven, patented, flexible platform for IT governance policy setting, enforcement and reporting. The single, endpoint-resident BigFix Agent and locally enforced policies help enterprises reduce the cost of delivering effective and efficient IT operations management, security, and compliance. Complementing the single-agent-at-the-endpoint approach, BigFix offers a single, converged infrastructure for compliance that includes solutions for security threat suppression, IT policy enforcement, and desktop and server management. Graphical, geo-spatial, web-based, and dashboard reports generated by BigFix offer real-time views of configuration, security, and compliance status.

BigFix enables an organization to address multiple regulatory compliance initiatives through an operational implementation of technical controls. BigFix endpoint-resident Agents and locally enforced policies enable automated, nearly instantaneous remediation of clients that may stray from enterprise baselines. Policy baselines enable each BigFix solution administrator to report on the configuration and compliance posture, provision software, and deploy and enforce policies for each managed computer under that administrator's authority.

The real-time nature of BigFix visibility into managed endpoints also creates opportunities for reporting and enforcing compliance on a continuous, non-stop basis. Real-time visibility not only gives an up-to-the-minute view of policy compliance status, it changes compliance reporting from a stop-everything-and-generate-a-report exercise to an automated sampling process where compliance information consumers (auditors, lawyers, managers, etc.) can view pre-correlated and pre-formatted snapshots of compliance status information whenever they need it, often without requiring manual intervention by IT staff. Furthermore, installing BigFix Agents on laptop/notebook computers brings them into the compliance corral on par with desktop and other fixed assets.

BigFix Solution Packs: An Overview

BigFix AntiThreat
Laser-focuses the BigFix approach to relieve the top two information security pain points, viruses and spyware and all forms of automated malware, with a dedicated package teaming BigFix AntiPest, BigFix AntiVirus and BigFix Personal Firewall clients with BigFix Core Services.

BigFix IT Policy Enforcement
Consolidates key security configuration management services including network access control, patch management, application execution controls (white and black lists), vulnerability management, and automated security configuration management to cut costs, reduce complexity, lower security risks and move information security programs from reactive fire-fighting to proactive, preemptive risk management.

BigFix Desktop and Server Management
Brings BigFix economics and operational excellence to key IT operations management functions including asset inventory, software license management, power management, software distribution, and patch management. Taking on the most common IT operational processes, BigFix delivers the highest levels of automation combined with fine-grained accuracy, enabling your IT organization to focus on strategic tasks rather than rou-
2007, BigFix, Inc. BigFix, AntiPest, AntiThreat, AntiVirus and the BigFix Logo are trademarks or registered trademarks of BigFix, Inc. Other trademarks, registered trademarks, and service marks are property of their respective owners.
With continuous compliance visibility comes continuous compliance control. IT managers can set up policy compliance baselines, alarms and triggers that can immediately indicate when managed systems drift out of compliance and need attention. This can even trigger automated remediation actions, a kind of compliance autopilot capability.
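The consolidated-controls idea described earlier (define each technical control once, map it to every regulation it serves) and the baseline, drift-detection and automated-remediation loop described here, as an added illustration that is not BigFix code or any product API: the control set, regulation mappings, thresholds, action names and the endpoint snapshots are all constructed assumptions.

```python
"""One baseline audit feeds every regulatory report; drift maps to a remediation action.
Added illustration, not BigFix code. All controls, mappings and snapshots are constructed."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Control:
    cid: str                       # control identifier (constructed)
    regs: frozenset                # regulations this single control satisfies
    check: Callable[[dict], bool]  # desired-state test against an endpoint snapshot
    remediate: str                 # action name that closes the gap (illustrative)


# Desired-state baseline: each control appears once and is mapped to several regimes.
BASELINE = [
    Control("fw_enabled", frozenset({"PCI", "HIPAA"}),
            lambda s: s["firewall"] is True, "enable-host-firewall"),
    Control("no_default_pw", frozenset({"PCI", "SOX", "HIPAA"}),
            lambda s: not s["vendor_default_password"], "force-password-reset"),
    Control("patch_current", frozenset({"PCI", "FISMA", "HIPAA"}),
            lambda s: s["missing_critical_patches"] == 0, "deploy-patches"),
    Control("disk_encrypted", frozenset({"PCI", "HIPAA"}),
            lambda s: s["disk_encrypted"], "enable-disk-encryption"),
]

FLEET = {  # constructed endpoint snapshots, as an agent might report them
    "laptop-01": {"firewall": True, "vendor_default_password": False, "missing_critical_patches": 0, "disk_encrypted": True},
    "server-07": {"firewall": True, "vendor_default_password": True, "missing_critical_patches": 2, "disk_encrypted": False},
    "desktop-12": {"firewall": False, "vendor_default_password": False, "missing_critical_patches": 0, "disk_encrypted": True},
}


def audit(snapshot: dict) -> list:
    """Return the baseline controls this endpoint fails, i.e. its drift from desired state."""
    return [c for c in BASELINE if not c.check(snapshot)]


def compliance_report(fleet: dict) -> dict:
    """Per regulation, hosts that drift and the failed controls mapped to that regulation.
    A single audit pass populates every regime's view instead of one audit per regime."""
    report = {reg: {} for c in BASELINE for reg in c.regs}
    for host, snap in fleet.items():
        for c in audit(snap):
            for reg in c.regs:
                report[reg].setdefault(host, []).append(c.cid)
    return report


def remediation_plan(fleet: dict) -> dict:
    """Drifting hosts mapped to the actions that return them to baseline (the 'autopilot')."""
    return {h: [c.remediate for c in audit(s)] for h, s in fleet.items() if audit(s)}
```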
| PCI Requirement | BigFix Solutions |
| --- | --- |
| Install and maintain firewall | BigFix AntiThreat Personal Firewall; BigFix Client Manager for Personal Firewall; BigFix Network Access Control |
| Not use vendor-supplied passwords | BigFix IT Policy Enforcement (automates enforcement of security configuration standards and best practices, including password policies) |
| Encrypt cardholder data on public networks | BigFix Client Encryption Manager (2H07) |
| Develop and maintain secure systems and applications (patch management, vulnerability management) | BigFix IT Policy Enforcement, which includes: BigFix Security Configuration Management; BigFix Patch Management; BigFix Vulnerability Management |
| Restrict data access to business need to know | BigFix Data Leak Prevention (1H07); BigFix Security Configuration Management |
| Unique ID for each computer user | BigFix Security Configuration Management |
| Restrict physical access to cardholder data | BigFix Data Leak Prevention (1H07); BigFix Security Configuration Management |
| Track, monitor access to network and cardholder data | BigFix IT Policy Enforcement |
| Regularly test systems and processes | BigFix IT Policy Enforcement; BigFix Desktop and Server Management |
| Maintain policy addressing information security | BigFix IT Policy Enforcement |

User-friendly custom policy creation features enable IT departments to create, deploy, and continuously and automatically enforce organization-specific regulatory and security compliance policies. Role-based workflow and granular rights management enable administrators from multiple security, IT operations, and compliance functions to use the single BigFix infrastructure to apply and enforce policies within their authority. As determined by the administrator, BigFix alerts administrators and managers and archives reports for later audits based on event triggers and scheduled events.

BigFix includes pre-defined, interactive executive dashboards to provide management-level views and at-a-glance assessment and management for critical security and operations functions. Additional customized dashboards and web reports can easily be created for any BigFix implementation.
Summing Up
BigFix is in a unique position to help customers take advantage of the trend toward common control frameworks. With BigFix, the same features, functions, policies and reports that strengthen security, improve IT process effectiveness and lower the total cost of ownership of IT infrastructures also provide tools and techniques that advance compliance initiatives. This transforms compliance from a distraction orthogonal to the process of IT value generation to a competence aligned with an organization's mission and value delivery. Doing good by compliance and doing well by stakeholders can become one and the same.

Figure 3: BigFix products and services can offer the dual benefit of supporting compliance programs (in this case the Payment Card Industry (PCI) standards) while advancing allied security and operational effectiveness goals.
