SB Controlling Monitoring Change PDF
Controlling and Monitoring Change
Solution Guide
SECURITY CONNECTED
REFERENCE ARCHITECTURE
LEVEL 1 2 3 4 5

Minimize Risk and Downtime with Change Management Controls

Challenges

Organizations continue to face an ever-growing and dynamic landscape of security threats that are becoming more targeted and malicious in nature. Recent attacks are no longer being launched en masse: rather they are focused and sophisticated, with a clear directive to defeat tactical, reactive security technologies that are in place at an organization. Whether an attack targets a network, an endpoint device, a sensitive business application, or even a database, it is important for any organization to have visibility into how these systems are being used and by whom in order to protect against a catastrophic event such as a security breach, system outage, risk event, or compliance violation that results from an unintentional or unauthorized change to these systems.

Organizations have little visibility into the effectiveness of their change management controls across their IT infrastructure. When change controls are not effectively managed and monitored, the impact of this can be devastating. Initially, reduced availability across key corporate, financial, and customer systems can occur if unauthorized changes or software updates are made, even if these are non-malicious in nature. These activities can affect key functionality, or even bring down complete systems. As systems must then be taken offline to mitigate a security issue or simply back out the unauthorized change, this can cause a dramatic loss of revenue as capital expenditures are increased to resolve the issues, and customers cannot access revenue-producing systems.

Second, change management controls are a foundation of many regulatory compliance standards and requirements, including Sarbanes-Oxley and PCI-DSS. Many organizations rely on manual processes or point technology solutions in an attempt to react to change requests and activities across their environment. Reliance on manual controls and reactive processes to validate that unauthorized changes did not occur is extremely ineffective and can leave a company exposed to significant undue risk. In addition, these inefficient, manual processes lead to increased compliance and operational costs to test, validate, and report on change management requirements.

Finally, ineffective change control processes can directly lead to the breakdown of an overall security management program. Overall risk exposure is increased as new vulnerabilities are introduced across IT, financial, and operational systems, and systems require more frequent and updated patches to mitigate these vulnerabilities. Without direct oversight and monitoring of change controls across every system, device, and application, organizations cannot holistically protect against internal or external security and risk issues occurring throughout their environment.

The majority of system outages occur from a breakdown in the change control process; the ROI on solidifying this process can be significant.

Security Connected

The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments—across all geographies—improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.

Manual change control processes, assessments, and reporting
leave organizations exposed to the unauthorized changes that
occur between assessments. Automated enforcement delivers
continuous protection against any unauthorized change.
The value drivers for controlling and monitoring change really reside in an organization’s ability to
manage and make changes to the core IT environment that are controlled and deliberate. This is
achieved by:
• Demonstrating that patching can be accomplished at scheduled intervals instead of turning them
into fire drills, while still maintaining a strong security posture and reducing the personnel time,
QA, testing, and rollouts related to critical device management
• Addressing the question, “Are we secure?” through continuous monitoring and thus ensuring
greater protection and the ability to demonstrate regulatory compliance with greater ease
• Preventing the exploitation of sensitive structured data stored in databases and avoiding the pitfalls
that other organizations have encountered because of database breaches
• Protecting Information
Level III
• Protecting Databases
For more information about the Security Connected Reference Architecture, visit:
www.mcafee.com/securityconnected.
Dave Anderson is Senior Director of Security and Risk Management for McAfee, responsible for the global
product marketing strategy for the McAfee risk and compliance business unit. Dave has nearly 20 years of
global experience in information security, risk management, and strategy at leading enterprise technology and
services companies, including SAP, ArcSight, KPMG, and VeriSign, where he has developed market and product
solutions that integrate risk, compliance, security and strategy into unified governance and risk frameworks.
Dave’s experience includes implementing and delivering IT governance solutions based on COSO, CobiT, ISO
27001, and ITIL standards. Dave has been published in multiple leading industry and technical journals and is a
frequent speaker on risk management, corporate governance, and security strategy. Dave holds an MBA from
Duke University, specializing in global management and strategy.
dave_anderson@mcafee.com
The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information
contained herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability
of the information to any specific situation or circumstance.
McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other
countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are
provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied.
Copyright © 2011 McAfee, Inc. 36005sg_controlling-monitoring-change-L2_1111_wh
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.mcafee.com