Regulatory compliance looms large on the minds of IT Pros and business decision makers. One mistake could cost you your job, your reputation and maybe your liberty. Compliance is a process that includes people, processes, and documentation — and software. What software can you use to help you reach and maintain regulatory compliance requirements? Here’s a list of software categories and some suggestions of Microsoft software that can help you meet the requirements for each category:
Identity Management Solutions
Being able to identify resources by type and function and employees by their job roles makes compliance much easier. Identity management solutions can manage the provisioning, transfer, and removal of employees from your corporate systems. The chosen system should tie into all other systems as a means to identify all legitimate systems users for a company. This helps in precisely identifying who is involved in each business process. Consider Windows Server 2008 Identity Lifecycle Manager, Active Directory Federation Services and Active Directory for Identity management.
Change Management Solutions
Change management solutions provide a formal means to manage changes to corporate resources. For example, any time a customer record, spending limit, business process, or computer configuration gets modified, it could go through a submission, reviewer, and approver process that is recorded for auditing purposes. In that manner, a company will be able to determine why resources are in the state they are. Consider System Center Operations Manager and System Center Configuration Manager.
Document Management Solutions
Document management solutions manage the life cycle of a document, including such features as change management, access control, versioning, backup, and retention policies. These solutions help companies achieve SOX, HIPAA, and GLBA requirements for restricting access to documents that may contain sensitive customer or financial data. Consider SharePoint Server and Windows Rights Management Services
Risk Management Solutions
A great risk management solution will help companies prioritize and monitor the deployment of compliance projects. Developing corporate policies are valuable only when they are placed into practice. Tracking compliance is key to reducing risks that could negatively affect the company. Check out the Secuirty Risk Management Guide http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx
Business Process Management Solutions
Business process management (BPM) applications help provide end-to-end visibility and control over all segments of complex, multi-step information requests or transactions that involve multiple applications and people in one or more organizations. In terms of regulatory compliance, BPM helps ensure transaction security, reliable service and availability, and service level refinement. Consider BizTalk Server.
Project Management Solutions
Project management solutions apply knowledge, skills, tools, and techniques to a broad range of activities to help meet the requirements of the particular project. Organizations use project management solutions to help implement projects, ensure operation reliability, and maintain compliance programs. Consider Microsoft Project and Project Server.
Network Security Solutions
Network security solutions constitute a broad solution category designed to address the security of all aspects of the network for the organization, including firewalls, servers, clients, routers, switches, and access points. Many regulations require organizations to take steps to provide appropriate security for the IT environment. Because network security is a critical element to overall information security, it is important for regulatory compliance. Consider the ISA Firewall and the IAG SSL VPN Gateway. Also, consider IPSec domain isolation and NAP. Also, Terminal Services Gateway.
Host Control Solutions
Host control solutions control the operating systems in servers and workstations. Host control is fundamental to all of the core security control categories, such as confidentiality, integrity, and availability. Consider Group Policy and System Center Configuration Manager. Also, consider Forefront Client Security.
Malicious Software Prevention Solutions
Malicious software prevention solutions include Antivirus, antispyware and antispam solutions, as well as rootkit detectors. Without applications that you can use to help detect, monitor, and remove malicious software, there is an increased risk that sensitive corporate information in your organization could be compromised or destroyed. Consider Forefront Client Security for centralized management of Antivirus and anti-spyware. Also, consider Forefront Security for Exchange and Forefront Security for SharePoint.
Application Security Solutions
Application security combines good development practices with specific software security and involves key application controls that auditors focus on as they examine critical business systems. Consider the Microsoft SDL http://msdn2.microsoft.com/en-us/library/ms995349.aspx
Messaging and Collaboration Solutions
Messaging and collaboration programs provide a large productivity improvement for teams engaged in achieving compliance objectives, and they add to the overall efficiency of the organization. Collaboration applications can range from integrated document programs, such as Microsoft® Office to portals, instant messaging, online presentation software, and peer-to-peer programs. Consider Outlook 2007 and Exchange 2007
Data Classification and Protection Solutions
Data classification and protection deals with how to apply security classification levels to the data either on a system or in transmission. Data classification is important to compliance because it informs users about what levels indicate the relative importance of the data, how they must handle the data, and how they must safeguard and dispose of it. Consider Chapter 4 of the Regulatory Compliance Planning Guide http://www.microsoft.com/technet/security/guidance/complianceandpolicies/compliance/rcguide/4-11-00.mspx?mfr=true
Authentication, Authorization, and Access Control Solutions
This control objective is critical to helping to meet the requirements of the core security principles of confidentiality, integrity, and availability. Authentication usually involves a user name and a password, but it can include additional methods to demonstrate identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authorization focuses on determining if someone, after the person is identified, is permitted to access requested resources. Access is granted or denied depending on a wide variety of criteria, such as the network address of the client, the time of day, or the browser that the person uses. Consider NTFS and Share Permissions, ADFS, AD DS, ISA Firewalls, IAG SSL VPN gateways, Smartcard support in Windows Vista, ad EFS.
Training Solutions
Regulatory compliance demands that organizations address security and compliance training. Security and compliance training solutions in most organizations are typically modifications of existing training software solutions. This training should cover corporate and departmental compliance. Consider www.mslearning.com
Physical Security Solutions
Physical security solutions secure physical access and control of the systems and workstations in your organization. Consider Brinks Security.
Vulnerability Identification Solutions
Vulnerability identification solutions provide tools that you can use to help test for vulnerabilities in your organization’s information systems. Regularly monitoring computers and servers for vulnerabilities in the organization is extremely important because it provides a controlled platform on which to run business application software. A compromised environment is not under control, making it unsuitable to run business software that is compliant. Consider the MBSA and Forefront Client Security. Also, System Center Operations Manager.
Monitoring and Reporting Solutions
Monitoring and reporting solutions collect and audit logs that result from authentication and access to systems. These solutions are either designed to collect specific information based on compliance to certain regulations, or use existing logs built into operating systems or software packages. Consider System Center Operations Manager.
Disaster Recovery and Failover Solutions
In the event of a natural or man-made disaster, the information systems for the organization must return to an operational state as quickly as possible. Many regulations and standards explicitly require disaster recovery and failover solutions. Consider Windows Server 2008 Failover Clustering and NLB. Also, consider Microsoft Data Protection Manager.
Incident Management and Trouble-Tracking Solutions
Incident management and trouble-tracking solutions use customized systems that manage specific business processes from beginning to end. Several regulations and standards specifically require organizations to use incident management and trouble-tracking solutions. Consider SharePoint Server.
HTH,
Tom
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)
