CONNECTORS: Asset Management; Self Service IT; Business Intelligence; Automate and Deploy; Capacity and Utilization; Inventory and Usage; Alert Management; Workflows; Knowledge Base; Data Warehouse; CMDB; Active Directory; Change; Compliance and Risk
MICROSOFT CONFIDENTIAL
Terminology / Example

GRC Authority Document: SOX, HIPAA, PCI, EUDPD, ISO, GLBA, corporate policy, etc.

Unified Compliance Framework: Hierarchical framework that harmonizes (consolidates) compliance requirements from hundreds of Authority Documents into the smallest possible set of unique requirements.

Program: Logical grouping containing compliance data (COs/CAs), risks, automated tests, and applicable scope of assets. Includes remediation and reporting across the program.
Ex: East Coast Sarbanes Oxley Program

Control Objective (CO): A harmonized statement of expectations from GRC Authority Documents containing requirements. These can be people, process or technology controls. Basically "what" needs to be accomplished.
Ex: CO 04544: Synchronize system clocks

Control Activity (CA): Guidance containing instructions and parameters to meet expectations of Control Objectives. Usually specific to a technology, business process, or organization.
Ex: CCA: Configure Windows Time Service
Ex: OCA: Monitor Windows Time Service
Ex: PCA: Network Time Protocol Policy

Control Activity Test: Windows Foundation Workflows that apply parameters, thresholds, and scope to data collected with System Center products to validate that associated CAs remain within expected parameters. These can be manual or automated.
Ex: Ensure the Windows Time Service is running
Ex: Ensure the NtpClient has an accurate source of time
Ex: Ensure the required policy has been specified and remains available

Library (Reusable): Compliance information stored as templates which can be instantiated with specific values and parameters in a program.
Ex: Microsoft Control Activity Library.XML (Management Pack)
[Diagram labels] System Center; WS 2008; Windows 7; GRC Authority Docs (Requirements – Sox, eSox PCI, ITIL, HIPAA, Cobit, etc); Control Activities; Test Automation; GRC Incident/Issue; GRC Dashboard; GRC Report; Reporting & Corrective Actions; Harmonized Framework; Policy Churn; Tech Churn; $1 Trillion (US); Business Risks & Objectives (The What/Requirement, e.g. Complex Password); Technical Goal (The How); Validation; MS and Non-MS Technology; Continuous Monitoring & Reporting
~350 Authority Docs in UCF; ~24K Requirements; ~2400 Unique Controls; ~139 Satisfied by WS
Control activities in the library work like templates: the customer copies and customizes them. Each copy applies to a collection of hosts or services in the customer's environment.
GRC Management Suite Architecture
[Diagram labels] SM Data Warehouse; Compliance and Risk Process Management Pack (C&R PMP); IT Compliance Management Library (MS, customer or partner); Configuration Management; Change Management; Problem Management; Incident Management; Risk Management; Program Management; GRC Incident Management; Control Management; Document Management (Doc Types: Authority Docs, Policy Docs); Compliance Managers; Svc Mgr Console; Compliance Users; SharePoint Portal; Compliance and Risk Reports; System Center; IT Library; Knowledge Library; UCF Control Library; Control Activity Library; Test Automation Framework; Policy Library; Risk Library; Partner Knowledge Libraries; MS, Customer & Partner Knowledge Libraries; Connectors (Linking Fx); Connector; Target Hosts; GRC Config Packs; GRC Mgmt Packs; GRC LOB Packs; GRC Infra Packs
1. Download and Evaluate Solution
   https://connect.microsoft.com/SelfNomination.aspx?ProgramID=2733&pageType=1&SiteID=446
2. Join the RDP early adopter program
   Contact Jerry Leishman (email@example.com)
3. Become a GRC Partner (ISV, SI, Consultant, Trainer)
   Contact Jerry Leishman (email@example.com)