MICROSOFT CONFIDENTIAL

Presentation Goals

[Slide figure: System Center / Service Manager component map. Components shown: Excel Server 2007, BitLocker, Compliance and Risk, Self Service, Incident and Problem, Knowledge Base, CMDB, IT Business Intelligence, Asset Management, Change, Data Warehouse, Workflows, Connectors, Automate and Deploy, Capacity and Utilization, Inventory, Active Directory, Alert and Usage Management.]

Terminology

GRC Authority Document
  Example: SOX, HIPAA, PCI, EUDPD, ISO, GLBA, corporate policy, etc.

Unified Compliance Framework (UCF)
  Hierarchical framework that harmonizes (consolidates) compliance requirements from hundreds of Authority Documents into the smallest possible set of unique requirements.

Program
  Logical grouping containing compliance data (COs/CAs), risks, automated tests, and the applicable scope of assets. Includes remediation and reporting across the program.
  Example: East Coast Sarbanes-Oxley Program

Control Objective (CO)
  A harmonized statement of expectations derived from the requirements in GRC Authority Documents. These can be people, process or technology controls; basically "what" needs to be accomplished.
  Example: CO 04544: Synchronize system clocks

Control Activity (CA)
  Guidance containing instructions and parameters to meet the expectations of Control Objectives. Usually specific to a technology, business process, or organization.
  Examples: CCA: Configure Windows Time Service; OCA: Monitor Windows Time Service; PCA: Network Time Protocol Policy

Control Activity Test
  Windows Workflow Foundation workflows that apply parameters, thresholds, and scope to data collected with System Center products, to validate that the associated CAs remain within expected parameters. These can be manual or automated.
  Examples:
  • Ensure the Windows Time Service is running
  • Ensure the NtpClient has an accurate source of time
  • Ensure the required policy has been specified and remains available

Library (Reusable)
  Compliance information stored as templates which can be instantiated with specific values and parameters in a program.
  Example: Microsoft Control Activity Library.XML (Management Pack)

[Slide figure: flow from GRC Authority Documents to continuous monitoring, with the following labels]
• GRC Authority Docs: ~350 Authority Docs in UCF; ~24K requirements (SOX, eSOX, PCI, ITIL, HIPAA, COBIT, etc.). Drivers shown: Program, Policy Churn, Tech Churn, $1 Trillion (US), Business Risks & Objectives
• Harmonized Framework (the "what", i.e. the requirement, e.g. Complex Password): ~2400 unique controls
• Control Activities (the "how"): MS and non-MS technology, technical goal; System Center, WS 2008, Windows 7; ~139 satisfied by WS
• Validation: Test Automation
• Reporting & Corrective Actions: GRC Report, GRC Incident/Issue, GRC Dashboard; Continuous Monitoring & Reporting

Control activities in the library are like templates: they are copied and customized by the customer, and the copies apply to a collection of hosts or services in the customer's environment.

GRC Management Suite Architecture

[Slide figure: architecture diagram with the following elements]
• Compliance Managers and Compliance Users, working through the Svc Mgr Console and the SharePoint Portal
• GRC Mgmt Packs: Compliance and Risk Process Management Pack (C&R PMP) with Control Management, GRC Incident Management, Risk Management, Program Management, and Compliance and Risk Reports; Doc Types: Authority Docs, Policy Docs
• GRC LOB Packs / IT Compliance Management Library (MS, customer or partner): Control Activity Library, Policy Library, Test Automation Framework, Risk Library, Knowledge Library, UCF Control Library; MS, Customer and Partner Knowledge Libraries and Partner Libraries (IT Library)
• Service Manager: Incident Management, Problem Management, Document Management, Change Management, Configuration Management, Connector, SM Data Warehouse
• GRC Infra Packs and GRC Config Packs, Connectors (Linking Fx), Target Hosts, System Center

Release status
• Currently in Public Beta, based on Service Manager Beta 2
• Future Release Candidate: April 2010
• RTW target: 60 days after Service Manager RTM (CY2010-Q3)

Next steps
1. Download and evaluate the solution: https://connect.microsoft.com/SelfNomination.aspx?ProgramID=2733&pageType=1&SiteID=446
2. Join the RDP early adopter program: contact Jerry Leishman (jerryle@microsoft.com)
3. Become a GRC Partner (ISV, SI, Consultant, Trainer): contact Jerry Leishman (jerryle@microsoft.com)