MICROSOFT CONFIDENTIAL
Presentation Goals
Excel Server 2007
Bit Locker
Compliance and
Risk
Self Service
Incident and Problem
Knowledge
Base
CMDB
IT Business
Intelligence
Asset
Management
Change
Data Warehouse
Workflows
CONNECTORS
Automate
and Deploy
Capacity and
Utilization
Inventory Active Directory
Alert
and Usage
Management
MICROSOFT CONFIDENTIAL
Terminology
Example
GRC Authority
Document
Unified Compliance
Framework
SOX, HIPAA, PCI, EUDPD, ISO, GLBA, corporate policy, etc
Program
Logical grouping containing compliance data (COs/CAs), risks,
automated tests, and applicable scope of assets. Includes
remediation and reporting across program.
Control Objective (CO)
Control Activity (CA)
Control Activity Test
Library (Reusable)
Hierarchical Framework that harmonizes (consolidates) compliance
requirements from hundreds of Authority documents into the
smallest possible set of unique requirements
Ex: East Coast Sarbanes Oxley Program
A harmonized statement of expectations from GRC Authority
Documents containing requirements. These can be people, process
or Technology controls. Basically “What” needs to be accomplished.
Ex: CO 04544: Synchronize system clocks
Guidance containing instructions and parameters to meet
expectations of Control Objectives. Usually, specific to a technology,
business process, or organization.
Ex:
CCA: Configure Windows Time Service
OCA: Monitor Windows Time Service
PCA: Network Time Protocol Policy
Windows Foundation Workflows that apply parameters, thresholds,
and scope to data collected with System Center products to validate
that associated CAs remain within expected parameters. These can
be manual or automated.
Ex:
• Ensure the Windows Time Service is running
• Ensure the NtpClient has an accurate source of time
• Ensure the required policy has been specified and remains
available
Compliance information stored as templates which can be
instantiated with specific values and parameters in a program
Ex: Microsoft Control Activity Library.XML (Management Pack)
Program
Policy Churn
Tech Churn
$1 Trillion (US)
~ 350 Authority Docs in UCF
GRC Authority Docs
~24K Requirements
(Requirements – Sox, eSox PCI,
ITIL, HIPAA, Cobit, etc)
Business Risks &
Objectives
Harmonized Framework
~ 2400
(The What/Requiremente.g. Complex Password)
MS and Non-MS
Technology
Technical Goal
Unique Controls
System
Center
WS 2008
Windows 7
Control Activities
(The How)
Validation
Reporting &
Corrective Actions
~139
Satisfied by WS
Test Automation
GRC
Report
GRC
Incident/
Issue
GRC
Dashboard
Continuous Monitoring
& Reporting
Control activities in the library are like templates, they are copied
and customized by the customer. Copies apply to a collection of
hosts or services in their environment.
GRC Management Suite Architecture
Svc Mgr Console
Compliance Managers
GRC
Mgmt
Packs
GRC
LOB
Packs
SM Data
Warehouse
Control Activity Library
Policy Library
Test Automation Framework
Risk Library
Compliance and Risk Process Management Pack
Knowledge Library
UCF
Control
Library
Incident
Management
MS,
Customer
Partner
Knowledge
&
Partner
Libraries
Knowledge
Libraries
Problem
Management
Document
Management
Control
Management
GRC Incident
Management
Doc Types:
Authority Docs
Policy Docs
Risk
Management
Program
Management
Change
Management
Compliance
and Risk
Reports
Configuration
Management
Connector
GRC
Infra
Packs
Compliance Users
IT Compliance Management Library (MS, customer or partner)
Connectors (Linking Fx)
Target Hosts
GRC
Config
Packs
SharePoint Portal
System Center
C&R PMP
IT Library
Currently in Public Beta
Based on Service Manager Beta 2
Future
Release Candidate - April 2010
RTW Target –60 days after Service Manager RTM
(CY2010-Q3)
1. Download and Evaluate Solution

https://connect.microsoft.com/SelfNomination.aspx?ProgramID=27
33&pageType=1&SiteID=446
2. Join the RDP early adopter program

Contact Jerry Leishman (jerryle@microsoft.com)
3. Become a GRC Partner (ISV, SI, Consultant,
Trainer)

Contact Jerry Leishman (jerryle@microsoft.com)