Here at IRM, during the unprecedented and uncertain times we find ourselves in, we have been actively working towards developing solutions to ease the pressure on the security and compliance of assets within an organisation. We realise that many organisations are affected by key staff who are away from the business either on sick leave or on furlough. This absence has created a much greater need for automation around the way organisations keep their critical assets up-to-date, secure and compliant.
What challenges are we facing?
The purpose of any governance, risk and compliance tool is to enable the users to create a holistic view of their organisation’s risks. Despite this, asset security and compliance are two areas where the ‘single source of truth’ is not always easily achievable. Why is this?
Tools & processes used to capture & manage application, system, network & physical assets are typically adopted in isolation and based on need.
Lack of visibility
There are often disparities in data model and usage (data consistency) between these tools/processes, and gaps in system integration/reporting between them are inevitable, impacting an organisation’s ability to view and report on any aspect of their assets in a consolidated manner.
Gaps in results
This is compounded by the varied methods by which assets are assessed. Industry-standard assessment approaches (such as hardening/vulnerability scans or compliance self-assessments/audits) have similar disparities in terms of results output. This further confounds attempts to tie results up into actionable reports for your critical assets.
Furthermore, scale presents a challenge of its own. The manual overheads necessary to reconcile tens of thousands of assets with potentially hundreds of thousands of distinct test results or assessment outcomes constitutes a significant commitment of effort, and effectively precludes this being undertaken as a BAU activity.
The SYNERGi platform can provide a ‘single source of truth’ for assets through the use of the ‘Modelling’ module. This is one of the first steps of an implementation, allowing an organisation to be modelled as a hierarchy – from the macro level, right down to individual attack surfaces.
This model can then be populated with assets via integration (manual or automated) with external asset repositories. Bespoke data mapping can be used to ensure that data is integrated into the SYNERGi model at the correct level of hierarchy, and integrated change control can be used to manage the update process if required (or if data quality is suspect). This serves to consolidate all asset data into a hierarchical model, which can then be rolled up into on-demand per-department/BU reporting on your assets & critical assets.
With assets consolidated in SYNERGi, there is now a single location where assessment activity can be issued and tracked; this can be achieved through leveraging other modules within the SYNERGi platform:
- Regulatory compliance can be ascertained through the auto-assignment of regulatory controls and the issue of compliance self-assessments using SYNERGi’s Collaborative Questionnaires
- Hardening compliance can be ascertained through the import of tool output from platforms such as Symantec CCS; results are automatically paired with assets based on commonalities in data such as IP or Host, and are used to populate test results & an overall pass-rate
- Vulnerabilities against a given Asset can be identified through the import of Vulnerability Scan output from tools such as Qualys, Tripwire, etc.
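The pairing step described above (matching imported tool output to inventoried assets on IP or host, then deriving a pass-rate) as an added, stand-alone example; this is illustrative code, not SYNERGi's own implementation, and the asset list, check ids and result rows are constructed sample data.

```python
# Added example (not SYNERGi's code): reconcile hardening-scan results with an
# asset inventory by IP or hostname, then compute a per-asset pass-rate.
# All inputs below are constructed sample data.
from collections import defaultdict

# Constructed asset inventory, as it might arrive from an external repository.
ASSETS = [
    {"id": "A-1", "host": "web01.corp.example", "ip": "10.0.1.10"},
    {"id": "A-2", "host": "DB01.corp.example",  "ip": "10.0.2.20"},
    {"id": "A-3", "host": "app02",              "ip": "10.0.3.30"},
]

# Constructed hardening-tool output: each row names its target by FQDN, short
# hostname or IP (tools are inconsistent), plus a check id and a PASS/FAIL status.
RESULTS = [
    {"target": "web01.corp.example", "check": "CIS-1.1", "status": "PASS"},
    {"target": "10.0.1.10",          "check": "CIS-1.2", "status": "FAIL"},
    {"target": "db01",               "check": "CIS-1.1", "status": "PASS"},
    {"target": "10.0.2.20",          "check": "CIS-2.3", "status": "PASS"},
    {"target": "10.0.9.99",          "check": "CIS-1.1", "status": "FAIL"},  # not inventoried
]

def build_index(assets):
    """Map every known IP, FQDN and short hostname (lower-cased) to an asset id."""
    index = {}
    for a in assets:
        fqdn = a["host"].lower()
        index[a["ip"]] = a["id"]
        index[fqdn] = a["id"]
        index[fqdn.split(".")[0]] = a["id"]   # also accept the bare hostname
    return index

def reconcile(assets, results):
    """Return ({asset_id: {"total", "passed", "pass_rate"}}, [unmatched result rows])."""
    index = build_index(assets)
    stats = defaultdict(lambda: {"total": 0, "passed": 0})
    unmatched = []
    for r in results:
        asset_id = index.get(r["target"].strip().lower())
        if asset_id is None:
            unmatched.append(r)   # surface inventory gaps instead of silently dropping rows
            continue
        stats[asset_id]["total"] += 1
        stats[asset_id]["passed"] += int(r["status"].upper() == "PASS")
    for s in stats.values():
        s["pass_rate"] = round(100 * s["passed"] / s["total"], 1)
    return dict(stats), unmatched
```

Rows that match no inventoried asset are returned separately so they can be reviewed as data-quality or coverage gaps rather than lost.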
Follow-up activities can also be tracked & managed within the SYNERGi platform: remediation activity can be raised, tracked and chased through the use of Remediation Actions, and any resultant Risks can be raised, tracked & mitigated/remediated within SYNERGi’s Risk Management module.