Tackle Your Security and Compliance Challenges
Expanding regulatory compliance and heightened security mean companies must adopt a strategic approach to security risk management.
The status quo has changed. For years, organizations took a tactical approach to security. IT detected vulnerabilities and threats and reacted to attacks. But today, companies realize that they can't cost-effectively protect themselves from every single security threat. Expanding regulatory pressures means organizations must demonstrate the steps they have taken to reduce risks. Organizations must decide on an acceptable level of risk that meets their business needs and ensures compliance with regulations.
"IT security organizations must transition from the old model of protecting the company as much as possible with the available funding, to the new risk management model in which conscious risk trade-offs are made based on requirements," advises Gartner Research in its "Risk Assessment Approaches for IT Security Risk Management" report written in January 2006. "Companies must accept that they can't protect themselves from everything, so they have to make decisions about what they can protect themselves from," the analysts conclude.
Take the Easier Way
Most companies have taken the hard way. They have approached individual regulations and threats as separate projects. Every update and new law means revisiting the entire process. Every new vulnerability means a new defense. It puts a strain on corporate resources.
Instead, companies should take the easier way and tackle compliance and security together. Organizations that take a security risk management (SRM) approach can reduce their risks of non-compliance and increase their efficiency.
Security risk management is a process, not a product. "Security risk management is a way of doing business that helps organizations proactively identify and eliminate exposures, block attacks, manage compliance, and implement remediation strategies," says Michelle Johnson Cobb, group product marketing manager at McAfee, Inc.
Companies take a number of steps when they adopt a security risk management strategy. They evaluate the relationship between IT security risk levels and business costs. They define an acceptable level of risk for their organization. They look at their different security tools that provide risk information. They weigh the value of their risk information against the cost to get and analyze that information from different security tools.
"Most IT teams must analyze a mountain of data from many different security tools. They map this information by hand against the company's security policies and controls," says Cobb. The challenge is to turn a meaningless stream of data into information about risk levels. From there, companies can have a clear view of what it would cost to support various IT investments.
Companies must effectively communicate their IT risk information to executives to support corporate audits, ROI analysis, and resource commitments. Establishing risk metrics can help companies align their security initiatives with business objectives, which will simplify security management. Finally, they should quantify the business risks associated with security breaches to justify the need for enhanced IT security solutions.
Organizations should define a risk management strategy that provides early notification of new vulnerabilities. They must be able to discover assets and determine the most critical assets to the business. They must be able to determine which assets are vulnerable. They must be able to prioritize their remediation activities based on security policies. Then they must be able to monitor compliance with their security risk management strategy. And finally, they need the tools to help them communicate risk levels and costs to business executives.
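The workflow above (asset discovery, criticality, vulnerable-asset identification, policy-based prioritization, compliance monitoring, executive reporting) as a small worked example. This is added code, not McAfee's; the SLA windows, the acceptable-risk threshold, the risk formula and the inventory are all constructed assumptions, and the same finding is deliberately placed on a high- and a low-criticality asset to show how business criticality changes its priority.

```python
# Added example (not McAfee's code): a small risk-based remediation prioritizer
# following the steps above. All assets, findings, SLA windows and the
# acceptable-risk threshold are constructed sample values.
from dataclasses import dataclass, field

# Policy: remediation window in days by business criticality (3 = high, 1 = low)
REMEDIATION_SLA_DAYS = {3: 7, 2: 30, 1: 90}
ACCEPTABLE_RISK = 6.0  # risk level (0-10) the business has agreed to tolerate

@dataclass
class Finding:
    vuln_id: str
    severity: float  # 0-10 base score from the vulnerability scanner
    age_days: int    # days since first reported

@dataclass
class Asset:
    name: str
    criticality: int  # 1 = low, 2 = medium, 3 = high business impact
    findings: list = field(default_factory=list)

def risk_score(asset: Asset) -> float:
    """Worst severity weighted by criticality, kept on a 0-10 scale."""
    if not asset.findings:
        return 0.0
    return max(f.severity for f in asset.findings) * asset.criticality / 3

def overdue_findings(asset: Asset) -> list:
    """Findings open longer than the policy window for this criticality."""
    return [f for f in asset.findings if f.age_days > REMEDIATION_SLA_DAYS[asset.criticality]]

def prioritize(assets: list) -> list:
    """Names of assets above the acceptable risk level, highest risk first."""
    above = [a for a in assets if risk_score(a) > ACCEPTABLE_RISK]
    return [a.name for a in sorted(above, key=risk_score, reverse=True)]

def compliance_summary(assets: list) -> dict:
    """Executive view: share of assets within policy and count of overdue findings."""
    ok = [a for a in assets if not overdue_findings(a) and risk_score(a) <= ACCEPTABLE_RISK]
    return {"assets": len(assets),
            "compliant_pct": round(100 * len(ok) / len(assets), 1),
            "overdue_findings": sum(len(overdue_findings(a)) for a in assets)}

# Constructed inventory (sample data)
INVENTORY = [
    Asset("payroll-db", 3, [Finding("V-1", 9.8, 10), Finding("V-2", 5.0, 2)]),
    Asset("intranet-wiki", 2, [Finding("V-3", 7.5, 40)]),
    Asset("test-vm", 1, [Finding("V-1", 9.8, 3)]),
    Asset("kiosk", 1, []),
]
```

Note that the wiki stays out of the priority list (its risk is under the threshold) but still counts as non-compliant because its finding has outlived the policy window.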
An Integrated Approach
"McAfee is the only company that provides a comprehensive approach to security risk management. Our approach integrates threat prevention and compliance management," says Cobb.
McAfee's integrated approach to security and compliance helps you protect your assets against threats. It also helps you comply with internal policies and industry regulations. For example, you can make sure that your users' computers meet your company's security standards before they can use the network. McAfee® Policy Enforcer network access control integrates with the McAfee ePolicy Orchestrator® (ePO™) agent on users' computers to determine whether a computer meets those standards. If the computer is not compliant, it cannot access the network until the problem is fixed.
Companies use vulnerability management tools to assess the impact of software vulnerabilities on their networks and systems. And they use intrusion prevention systems (IPS) to identify and block attacks. But vulnerability management tools lack the power to stop attacks. And IPS blocks attacks without knowing whether the attack actually threatens the company's networks and systems. McAfee has integrated McAfee Foundstone® vulnerability management with McAfee IntruShield® IPS for a "better together" solution. They work hand in glove: the vulnerability data tells you whether an attack is relevant to the targeted system, and the IPS then blocks it automatically.
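The "relevancy" idea above, as an added illustration that is not McAfee's code and does not model any McAfee product's data format: IPS alerts are matched against the scanner's view of each host, so an exploit attempt against a vulnerability the host does not have is downgraded, while an attempt against an unscanned host is flagged as unknown rather than dismissed. Host addresses, vulnerability ids and alert records are constructed sample data.

```python
# Added example (not McAfee's code): correlating IPS alerts with vulnerability
# scan results to judge whether an attack is relevant to the target host.
# Hosts, vulnerability ids and alert records are constructed sample data.
from collections import defaultdict

# Scanner output: host -> set of open vulnerability ids (constructed)
SCAN_RESULTS = {
    "10.0.0.5": {"V-1", "V-2"},
    "10.0.0.6": {"V-3"},
}

# IPS alerts: each names the vulnerability its signature targets (constructed)
ALERTS = [
    {"id": 1, "src": "198.51.100.7", "dst": "10.0.0.5", "exploits": "V-1"},
    {"id": 2, "src": "198.51.100.7", "dst": "10.0.0.6", "exploits": "V-1"},
    {"id": 3, "src": "203.0.113.9", "dst": "10.0.0.7", "exploits": "V-2"},
]

def classify(alert: dict, scan: dict) -> str:
    """Return 'relevant' when the target is known to carry the exploited
    vulnerability, 'not_vulnerable' when the scan shows it does not, and
    'unknown' when the target was never scanned (it gets no free pass)."""
    if alert["dst"] not in scan:
        return "unknown"
    return "relevant" if alert["exploits"] in scan[alert["dst"]] else "not_vulnerable"

def triage(alerts: list, scan: dict) -> dict:
    """Group alert ids by relevance so blocking and analyst time go to real threats."""
    groups = defaultdict(list)
    for a in alerts:
        groups[classify(a, scan)].append(a["id"])
    return dict(groups)

def sources_to_block(alerts: list, scan: dict) -> list:
    """Source addresses behind at least one relevant alert: the automatic-block candidates."""
    return sorted({a["src"] for a in alerts if classify(a, scan) == "relevant"})
```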
McAfee is also integrating its product line to provide advanced reporting on policy compliance. You can import McAfee Foundstone data into McAfee Preventsys products. You can link corporate security policies and standards to specific Foundstone checks, so you can make sure policies are adhered to across the network.
McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006 McAfee, Inc. All rights reserved.
