Waqas Makhdum (Sr. Product Planner, System Center) Gunjan Jain (Sr. Program Manager, Solution Accelerator Team) Microsoft Corporation SESSION CODE: MGT201.


1 Waqas Makhdum (Sr. Product Planner, System Center) Gunjan Jain (Sr. Program Manager, Solution Accelerator Team) Microsoft Corporation SESSION CODE: MGT201


3 Common Challenges in Addressing Risk and Compliance

4 How do we interpret and test IT compliance across a vast enterprise?
System Operations Audit Requirements & Design Business Objectives & Policies Regulatory Requirements Regulatory Certification Requirement Definition Auditor Reports System Management Review Log Files, Confirm settings
“Each business change brings new IT compliance requirements. 80% are duplicative, but we review it all, delaying response and increasing cost.”
“Configuring and monitoring local and distributed servers and PCs for compliance is so time consuming”
“Make sure that we comply so that we can focus on the business …without an obscene cost”
“It’s too hard to interpret new regulations and sort out overlaps to set policy across functions”
“Based on a bewildering collection of reports, I must certify if we are compliant. It’s my butt on the line”
“Every quarter I learn how non-compliant we have been last month – it’s like ‘whack a mole’, how do I get ahead of these issues and risk”
“Checking log files, re-confirming settings, documenting processes is a waste of time when I have truly critical things to do”
“System changes require regulation specific procedures slowing our response … Do we need more software to manage IT compliance?”
“These periodic audits kill me. What detail will the auditor want to check up on this time?”
Audit Committee CIO/CSO ITDM IT Pro ITDM CIO/CSO Functional VP Board of Dir./CEO Outsourced Compliance & IT Pro

5 Challenge 1: Volume of Regulations
EU MIFID; US Sec 17a-3,17c-4; UK FSA email retention; Italy AIPA; Singapore Corp Governance; Electronic signatures in global & national commerce act (e-Sign); US, Insurance 152 for Records Retention; A top investment bank agrees to a 15M settlement with SEC over records retention; EU data protection act; Canada CSOX; UK FSA Mortgage CP186; Canada electronic evidence act; Japan JSOX; Japan Electronic Ledger storage law; France NFZ 42-013; Germany GDPdu & GoBS; DOD 5015; NASD 3010/3110; One of the world’s largest banks faces an FSA-enforced complete operations overhaul after losing customer data tapes; Reg NMS; Australia CLERP, Corporate Actions; VA: No More Excuses (InformationWeek, May 29, 2006); HIPAA; UBS: The Threat Within (InformationWeek, June 12, 2006); More E-Mail Problems, More Fines for Morgan Stanley (InformationWeek, May 15, 2006); Theft Of Gap Laptop Puts 800,000 Job Applicants At Risk (InformationWeek, October 1, 2007); Placeholder (InformationWeek, May 29, 2006); Conn. AG Investigating Former Employee Link To Pfizer Data Breach (InformationWeek, September 26, 2007); T.J. Maxx Breach Costs Hit $17 Million (InformationWeek, May 17, 2007); India SOX; SEBI Clause 49; GLBA

6 DYNAMIC DATACENTER; USER-CENTRICITY; ANYWHERE ACCESS; DYNAMIC APPLICATION LIFECYCLE

7 Challenge 3: Technology Churn
Win2k3 SP1 moves to SP2 on April 14 2009; Red Hat Linux 9 at End of Support; VMM 2008 R2 Beta is now available; Windows 2008 R2 Launches; Microsoft Commerce Server 2007 SP1 No longer supported; Exchange Ready!; Support for 32 bit Servers fast vanishing; Microsoft Announces SQL Server 2008; Visual Studio 2008 in Beta; VA: No More Excuses (InformationWeek, May 29, 2006); SQL 2000 End of life; UBS: The Threat Within (InformationWeek, June 12, 2006); More E-Mail Problems, More Fines for Morgan Stanley (InformationWeek, May 15, 2006); Theft Of Gap Laptop Puts 800,000 Job Applicants At Risk (InformationWeek, October 1, 2007); Placeholder (InformationWeek, May 29, 2006); Conn. AG Investigating Former Employee Link To Pfizer Data Breach (InformationWeek, September 26, 2007); T.J. Maxx Breach Costs Hit $17 Million (InformationWeek, May 17, 2007); Microsoft sets Oct 22 as the W7 Street date; Customers upgrading to SAP 6.0 for support; Oracle announces End of support for 8i; VMware GSX 3.x at EOS

8 Addressing Compliance and Risk with System Center

9 Portal Forms Data Warehouse Workflows Configuration Management DB Work Items Config Items Knowledge Problem Change Incident Asset IT GRC System Center Configuration Manager Active Directory System Center Operations Manager Opalis Connectors SERVICE MANAGER Partner Solutions

10 Exchange Server Windows Server 2008 Windows 7 Regulatory Documents Significant Percentage of Gross Domestic Product for Most Countries Significant Cost for Each Employee Every Year Remediation Exceptions Reports HARMONIZED CONTROL OBJECTIVES CONTROL ACTIVITIES Regulations and Standards

11 System Center IT GRC Process Management Pack Service Manager Config. Mgr. Ops. Mgr. Forefront Family CMDB Business Objectives & Policies System Operations Systems Management Windows Server Windows 7 MOSS Exchange Non-Microsoft (Partner) SQL Office Compliance Status Audit (Authority Document View) Harmonized Framework Control Objectives IT Compliance Management Library Control Activities and Tests Authority Document Requirements SOX PCI COBIT EUDPP Internal Policies ISO Comply/Authority Reports Incident/Issue Reports Residual Risk Active Directory IT Pro ITDM CIO/CSO Functional VP Board of Dir./CEO Audit Committee CIO/CSO ITDM IT Pro


13 Simplifying Management of Compliance Requirements & Automating Control Monitoring and Validation Gunjan Jain DEMO

14 Scenario: Adding AmEx Controls to PCI-DSS
Reports Incident Monitoring IT Implementer Validation Auditor Remediation Compliance Manager Define Control Activities Computer Data HW and SW Inventory DCM Packs ConfigMgr Connector Data Warehouse ETL Map Control Objectives Compliance Manager New AmEx Compliance Requirements

15 GRC Program Manager Operations Engineer Managing Compliance Provide Audit Trail Automation Implement Procedure Map Control Objectives Validate Settings Detect Failure Record Result Take Action Activities Process controls Configuration settings Monitoring Reporting Actions Change control GRC incident/issue GRC problem Audit Trail Compliance Reports Compliance History

16 [Timeline figure; axis labels: 2010, 2011, 2012, H1, H2]

17 Roadmap Subject to Change

18 INTEGRATED; EFFICIENT; BUSINESS ALIGNED
IT Process and Workflow Automation; CMDB; Leverages Configuration and Operations Manager
Service Manager provides an integrated IT process and compliance management solution that increases compliance visibility, reduces costs through automation, and simplifies the audit process.
Automates end-to-end Compliance; Simplifies Audit Process; Out-of-box Compliance knowledge; Compliance and risk status visibility; Mapping of Business controls with technical standards

19 MGT313: Microsoft System Center Service Manager 2010: Drilldown (Thurs 9:45AM - 11:00AM)
MGT310: Implementation, Architecture, and Administration of a Service Manager Deployment (Wed 1:30PM - 2:45PM)
MGT07-INT: Extending and Customizing Microsoft System Center Service Manager (Thurs 5:00PM - 6:15PM)

20 www.microsoft.com/teched www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn


22 Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration.
Join us in Atlanta next year
