Customer Quote

"ECM's out-of-the-box compliance templates, intuitive interface and speed of implementation help us comply with requirements such as HIPAA, GLBA, Sarbanes-Oxley and PCI DSS to name just a few. Configuresoft's Center for Policy and Compliance templates provides the ability to track changes in regulations and our team can take advantage of Configuresoft's regulatory expertise."

Greg Allender, Director of Global Information Security, Convergys

 
 

Compliance Assurance

Maintaining regulatory compliance has become a necessary and important task for IT operations. Compliance requires organizations to establish measurable controls to protect critical information assets and to validate that these controls have been implemented and maintained as systems change over time. As regulations and standards mature and the audit process continues to evolve, auditors are raising the bar and becoming more aggressive in testing and evaluating these controls. Since many regulations and standards are ambiguous and, more often than not, interpreted differently from auditor to auditor, an effective compliance program must continuously monitor for system changes in order to provide evidence to any auditor that the IT infrastructure is secure and protected.

Overview

 
  • Datasheet: ECM & Continuous Compliance
  • Datasheet: Center for Policy and Compliance
  • Case Study: Red Robin
 

Configuresoft's compliance assurance solution allows you to dramatically reduce the work it takes to achieve and maintain compliance on a continuous basis. More often than not, IT operations are left with the task of figuring out how to translate ambiguously written regulations and standards and then match this to what the auditor is looking for. Configuresoft's Center for Policy and Compliance (CP&C) team of security and compliance experts delivers compliance toolkits that provide detailed technical controls supported by best practices and frameworks including COSO/COBiT, ISO and NIST. These security, regulatory and operational compliance toolkits are a benchmark for how systems should be configured, deployed and managed. They take the legwork out of translating the myriad of compliance rules and recommendations and offer step-by-step strategies to address the multitude of regulations, standards and guidelines.

Configuresoft delivers out-of-the-box compliance toolkits including:

  • Regulations
  • Industry Standards
  • International Standards
  • Directives
  • Guidelines

Screenshot: Enterprise Compliance Dashboard and Trending
Screenshot: Cross Platform Enterprise Compliance Results
Screenshot: One Click Enterprise Compliance Audit

What Used to Take Hours Now Takes Just Minutes

Performing regulatory, security and organizational policy compliance remediation actions within ECM is simple. Whether it's rollback of planned or unplanned changes, deploying a security patch, closing vulnerabilities by enforcing configuration values, or even removing a software application, ECM easily accomplishes the task with a simple right-click fix.

  • Regulatory & Operational Compliance Assurance - Ensures adherence to Federal mandates and industry best practices – Sarbanes-Oxley, HIPAA, DISA, GLBA, FISMA, NIST, PCI DSS & Microsoft Hardening Guidelines.
  • Vulnerability Assessment and Remediation - Identifies, analyzes and eliminates compliance risk exposure through proactive security compliance management.
  • Configuration Management & Control - Centralizes enterprise administration of operational, security and compliance functions across Windows, UNIX and Linux systems.
  • Change Management - Detects, documents and alerts on configuration shift and drift resulting from planned and unplanned events, and continuously maintains the intended system configuration.
  • Risk Prevention and Security Management - Mitigates and manages enterprise exposure through proactive vulnerability and compliance assessment audits, threat remediation and system verification.
  • System, Process and Cost Optimization - Provides a secure, reliable, responsive and cost-effective infrastructure while ensuring security, regulatory and operational compliance.

PCI DSS

 
  • White Paper: Moving Beyond the PCI DSS Checklist
  • Datasheet: ECM for PCI DSS
  • Datasheet: Center for Policy and Compliance
  • Webinar Archive: Successfully Maintain PCI IT Audit Readiness
 

Security breaches and the costs associated with these breaches have put increased pressure on organizations to achieve and maintain PCI compliance. In fact, according to Information Security Magazine, in the last 2 years over 100 million proprietary records have been lost or stolen and since 2005, over 226 million data records of U.S. residents have been exposed due to security breaches. This does not include the negative exposure, damage to reputation and potential loss of customers. Although PCI DSS is an excellent standard and security best practice, the goal of implementing any set of security controls is to monitor for change on a continuous basis - compliance is not a snapshot in time.

Chart: PCI Cost Savings with ECM

Configuresoft's ECM for PCI DSS quickly discovers, analyzes and automatically remediates PCI DSS non-compliant system configurations for both physical and virtual environments. Out-of-the-box compliance templates are translated by a team of security and compliance experts from the Center for Policy and Compliance (CP&C) and then mapped to security controls. With ECM, organizations can schedule PCI DSS templates (or templates for other applicable compliance targets such as SOX, GLBA and HIPAA) to run continuously and monitor for change. This allows for a continuous state of IT audit readiness and automatically notifies organizations of which systems have changed and how.

Using Configuresoft's ECM PCI DSS Compliance Toolkit, organizations can:

  • Mitigate risk by continuously auditing adherence to PCI DSS security requirements
  • Centralize PCI accountability and responsibility by consolidating assessment, reporting, remediation and auditing across heterogeneous operating systems in a single role-based solution
  • Reduce workloads and audit frequency by monitoring and reporting on only those enterprise changes that affect ongoing compliance
  • Lower ongoing IT resource and auditing costs through automated, enforceable compliance with proven, customizable industry templates

Customer Benefits

  • Achieve Continuous Compliance - Ongoing configuration management, change tracking and remediation for Windows, UNIX and Linux
  • Reduce IT Audit Time - Realized savings: 99% reduction in IT audit costs from preparation to execution
  • Lower Cost of Compliance - Speed to value measured in days not months
  • Satisfy Multiple Compliance Targets - Regulatory and operational compliance to Sarbanes-Oxley, HIPAA, GLBA, NIST, ISO 17799/27001, FISMA, DISA, PCI DSS, Microsoft Security Hardening Guidelines, and VMware Hardening Guidelines
  • Secure Enterprise Visibility - Enterprise dashboard reporting, management and compliance trending
  • Actionable Compliance Content - Center for Policy & Compliance (CP&C) content experts translate regulations and industry standards into actionable content

SOX

 
  • Datasheet: Sarbanes Oxley Compliance
  • Case Study: Dollar Thrifty Automotive Group
  • Datasheet: ECM & Continuous Compliance
  • Datasheet: Center for Policy and Compliance
 

User access rights and procedures must be standardized and enforced. An automated, continuous compliance solution like ECM ensures that the appropriate employees are given access to the right applications and data; and when an employee's functional role or authorization changes, access to those systems is automatically and immediately adjusted.

This automation not only formalizes and ensures control over your application security processes, it also generates a complete audit trail that demonstrates these processes were followed; a single source where application access and related controls can be tracked to monitor compliance.

ECM offers compliance templates and remediation features to easily and effectively automate and monitor compliance to SOX, and consistently defend compliance requirements to SEC-recognized auditing standards.

With ECM and its "Drop and Deploy" SOX Compliance Toolkit, organizations can:

» Enforce Access Controls

  • Manage access rights in distributed and networked environments through role-based authority.
  • Confirm that only authorized users have access to sensitive information and systems.
  • Control access to multi-user information systems, including elimination of multiple user IDs and accounts.
  • Manage the allocation of passwords and their selection criteria.
  • Perform periodic analysis of access rights to shares, files, folders, etc.
  • Prevent unauthorized access to computer system resources.
  • Prevent unauthorized access to information held in application systems.

» Ensure Audit Controls

  • Compile an inventory of assets, including application software, systems software, development tools and utilities.
  • Document all system configuration settings to prove security policy compliance.
  • Ensure proper hardware and software installation - including patch management.
  • Regularly audit all internal system activity including logins, file accesses and security incidents.
  • Produce and retain logs recording exceptions and security related events.

» Monitor Access Changes

  • Maintain and monitor access lists to all sensitive data and related applications.
  • Document all changes to application or system access to assure financial data integrity.
  • Ensure application standardization.
  • Regularly audit all internal application changes and configuration changes.
  • Produce and retain logs recording exceptions and changes to applications managing fiscal data.

GLBA

 
  • Datasheet: ECM & Continuous Compliance
  • Datasheet: Center for Policy and Compliance
 

ECM automates the task of gathering and analyzing the data, auditing for unwanted change, and re-aligning systems with policy. Because GLBA regulations do not clearly define what "safeguarding" of data means, ECM's predefined compliance templates reflect the recommended best practices from organizations such as Microsoft, NIST and SANS for securing enterprise systems.

With ECM and its "Drop and Deploy" GLBA Compliance Toolkit, organizations can:

  • Ensure important services are installed and running (antivirus, backup, etc.)
  • Remove potentially dangerous services (e.g. a web service on workstations)
  • Disable Guest accounts
  • Check software versions and settings
  • Restrict access to administrative functions
  • Verify proper patch levels
  • Identify file versions and sizes
  • Audit and remediate:
    • Registry settings
    • Security policies
    • Antivirus DAT and engine versions
    • Operating system and service pack levels
    • Audit configuration
    • NTFS permissions
    • Group memberships
  • Ensure proper configuration of Microsoft back-office applications such as SQL Server, SMS, SUS and IIS
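As an added example (not Configuresoft's or ECM's own code), the Python below models several checks from the list above as declarative template rules, evaluates them against a constructed host snapshot, and compares two scheduled collections so that an unplanned change is reported as drift, which is the continuous-monitoring idea the PCI DSS section describes. Rule ids, service names, the approved administrator list and the snapshot keys are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable

Snapshot = dict[str, Any]

@dataclass(frozen=True)
class Rule:
    rule_id: str      # stable identifier the report refers to
    description: str  # what the control requires
    check: Callable[[Snapshot], bool]

# Hypothetical template: one declarative rule per check listed for the toolkit.
# Rule ids, service names and the approved-admin list are constructed values.
TEMPLATE = [
    Rule("SVC-REQ", "antivirus and backup services running",
         lambda s: {"WinDefend", "BackupSvc"} <= s["services_running"]),
    Rule("SVC-BAN", "no web service installed on a workstation",
         lambda s: s["role"] != "workstation" or "W3SVC" not in s["services_installed"]),
    Rule("ACCT-GUEST", "Guest account disabled",
         lambda s: not s["guest_account_enabled"]),
    Rule("PATCH-SP", "service pack at or above the required level",
         lambda s: s["service_pack"] >= 3),
    Rule("ADMIN-RESTRICT", "only approved members of local Administrators",
         lambda s: s["local_admins"] <= {"Administrator", "it-ops"}),
    Rule("REG-LUA", "EnableLUA registry value set to 1",
         lambda s: s["registry"].get("EnableLUA") == 1),
]

def evaluate(template: list[Rule], snapshot: Snapshot) -> dict[str, bool]:
    """Map every rule id to pass/fail for one collected snapshot."""
    return {r.rule_id: bool(r.check(snapshot)) for r in template}

def drift(old: Snapshot, new: Snapshot) -> list[str]:
    """Attributes whose collected value changed between two scheduled runs."""
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))

def compliance_report(template: list[Rule], old: Snapshot, new: Snapshot) -> dict:
    """What changed, which controls regressed, and whether the host still passes."""
    before, after = evaluate(template, old), evaluate(template, new)
    return {
        "changed": drift(old, new),
        "regressed": sorted(r for r in before if before[r] and not after[r]),
        "compliant": all(after.values()),
    }

# Constructed snapshots of one workstation: a compliant baseline, then the same
# host after an unplanned change enabled Guest and installed IIS (W3SVC).
BASELINE: Snapshot = {
    "role": "workstation",
    "services_running": {"WinDefend", "wuauserv", "BackupSvc"},
    "services_installed": {"WinDefend", "wuauserv", "BackupSvc"},
    "guest_account_enabled": False,
    "service_pack": 3,
    "local_admins": {"Administrator", "it-ops"},
    "registry": {"EnableLUA": 1},
}
DRIFTED: Snapshot = dict(BASELINE, guest_account_enabled=True,
                         services_installed=BASELINE["services_installed"] | {"W3SVC"})
```

Calling `compliance_report(TEMPLATE, BASELINE, DRIFTED)` lists the two changed attributes and the two rules (ACCT-GUEST and SVC-BAN) that went from pass to fail, which is the information a change notification needs to carry.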

HIPAA

 
  • Datasheet: ECM for HIPAA
  • Datasheet: ECM & Continuous Compliance
  • Datasheet: Center for Policy and Compliance
 

ECM is the only continuous compliance tool that can provide an in-depth, enterprise-wide view of every workstation, server and file on your network. With ECM, you can diagnose your level of compliance before you have a problem. Once the problems are identified, you can deploy updates, patches and adjust settings of every machine from one location.

With ECM and its "Drop and Deploy" HIPAA Compliance Toolkit, organizations can:

  • Address all 9 technical safeguards, including access and audit controls.
  • Ensure the confidentiality, integrity and availability of EPHI throughout the infrastructure.
  • Comply with all 23 administrative safeguards, including standards and implementation specifications.
  • Monitor, track and be automatically notified of network modifications when they occur.
  • Assess your compliance policy efficiency and technical controls by providing centralized visibility to thousands of variables and security settings.
  • Manage every machine, user and file throughout your Windows, UNIX, and Linux enterprise.

Compliance Toolkits

Configuresoft's Center for Policy & Compliance (CP&C) regularly researches and delivers productized security, regulatory and operational compliance knowledge via Compliance Toolkits. Each toolkit consists of a set of rule-based templates, reports and dashboards which plug into ECM to ensure security and operational compliance within a focused area.

Freely available to our customers, CP&C compliance toolkits can be downloaded from our secure customer portal.

CP&C Compliance toolkits include:

PCI DSS

Comprehensive series of automated checks and controls that correlate and map to the requirements for security hardening as defined by VISA, Mastercard, American Express, Diners Club, Discover and JCB. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization’s ability to consistently meet their internal standards.

SOX

Comprehensive series of automated checks and controls that correlate and map with the COSO/COBiT framework, supported by best practices as defined by NIST. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization's ability to consistently meet the SOX regulation.

HIPAA

Comprehensive series of automated checks and controls that correlate and map to the requirements of the Department of Health and Human Services, along with best practices as defined by NIST. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization's ability to consistently meet the HIPAA regulation.

GLBA

Comprehensive series of automated checks and controls that correlate and map to the technical controls required by Gramm-Leach-Bliley. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization's ability to consistently meet the GLBA regulation.

NERC/FERC (North American Electric Reliability Corporation / Federal Energy Regulatory Commission)

Comprehensive series of automated checks and controls that addresses a number of requirements within the eight CIP standards. This package includes controls specific to file and system-level access controls, security management and asset discovery controls, audit control and automated access change monitoring, which ensures an organization's automated strategy for NERC/FERC compliance will consistently meet the standard.

ISO17799/27001

Compliance template provides organizations with the ability to quickly assess the security configuration of Windows NT4, 2000, 2003, XP and Vista systems against ISO recommended best practices. The template translates the ISO 17799/27001 guidelines into actionable, continuous compliance rules to ensure your actual enterprise security configuration settings correspond with the recommended hardening guidelines.

FISMA Compliance Toolkit for Windows, UNIX/Linux and Virtual Computing

Comprehensive series of automated checks and controls that correlate and map to industry best practices, along with mandates defined by NIST 800-53. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization’s ability to consistently meet FISMA compliance.

DISA Compliance Toolkit for Windows, UNIX/Linux and Virtual Computing

The DISA Security Technical Implementation Guides (STIG) template is a comprehensive series of automated checks and controls for security hardening as developed by DISA and the NSA and endorsed and published by NIST. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization’s ability to consistently meet their internal standards.

Energy Savings Toolkit

The Green IT Assessment Toolkit is a package of reports that provides visibility into specific system attributes and settings that organizations can use to measure power consumption. This toolkit also includes compliance templates to enforce power settings: enable monitor power-off, power down computers after shutdown, and remove the Power Options icon from the Control Panel to limit users' ability to alter power settings. This package includes reports for processor utilization and server class identification. The server class report leverages IDC definitions for systems as high-end, mid-range and volume servers; larger servers consume more power than lower-end volume servers.

FDCC Compliance Toolkit for Windows

The Federal Desktop Core Configuration (FDCC) template is a comprehensive series of automated checks and controls for Windows XP and Windows Vista desktop systems that directly aligns with the FDCC mandate defined by the Office of Management and Budget (OMB). This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization’s ability to consistently meet FDCC compliance.

CIS Benchmarks for Windows

Comprehensive sets of automated checks and controls that address a number of distinct Windows technical security settings for Windows 2000 (Professional and Server), XP, and 2003 Server platforms. The CIS Windows Toolkits are designed to provide Configuresoft customers with the ability to quickly assess the security configuration of Windows systems against CIS best practices by translating the guidelines into actionable, continuous compliance rules. These rules allow you to ensure that your actual enterprise security configuration settings correspond with the recommended hardening values.

CIS VMware ESX Server Benchmark

The CIS VMware ESX Server Benchmark Hardening Toolkit is a compilation of security configuration actions and settings that can be used to lock down, or "harden" VMware ESX Server systems in accordance with the CIS VMware ESX Server Benchmark v1.0, released October 18, 2007. This comprehensive series of controls addresses file permissions, user accounts, kernel settings, and a number of other specific ESX attributes that can be secured as part of an overall security and compliance strategy in virtual server environments.

Microsoft Hardening Guidelines

Compliance template provides organizations with the ability to quickly assess the security configuration of Windows 2000, 2003, XP and Vista systems against Microsoft recommended best practices. The template translates the Microsoft Windows Security and Hardening Guide into actionable, continuous compliance rules to ensure your actual enterprise security configuration settings correspond with the recommended hardening guidelines.

VMware Hardening Guidelines

Comprehensive series of automated checks and controls that correlate and map to VMware Infrastructure 3 Security Hardening guide. Template allows organizations to evaluate access controls, file permissions, networking components, audit and security policy controls, as well as performing automated access change monitoring for virtual machines, VMware Service Console, ESX Server host and VirtualCenter components.