Trace Security Compliance Manager

Why does an organization need an ongoing Information Security Program?

A basic Information Security Program is needed in order to meet many of the regulatory requirements facing an organization, as well as an important first step in protecting its critical information. However, because the people, processes and technology of an organization are continually changing, the security threats to that organization are also changing. Therefore, in order to identify new threats and prevent a security breach, an organization must have an ONGOING Information Security Program.

“Before, because the bank had outsourced IT, it left a time gap for holes to appear, whereas with TraceSecurity Compliance Manager, it’s like having a full-time staff doing nothing but looking for vulnerabilities and showing me what I need to do to fix them.” IT Director, Large National Bank in Georgia

What is the business risk associated with an Information Security Program breach?

An effective and ongoing Information Security Program will protect against unauthorized access to an organization’s confidential information. It will also protect the integrity and availability of the organization’s information. The risk of a security breach to an organization includes the following:

  • Loss of business, including members/customers
  • Negative reputation that reduces the number of new customers
  • Direct cost of incident response (response / notification / investigation / repair)
  • System restoration costs
  • Cost of down time
  • Fines and lawsuits

What is involved in an ongoing Information Security Program?

An ongoing Information Security Program should include the following components:

  • Regular testing for network vulnerabilities, including infrastructure, servers and workstations.
  • Proactively identify the latest network vulnerabilities that could impact the organization.
  • Monitor compliance with existing and new regulatory requirements.
  • Develop, implement and update Information Security Policies and Procedures.
  • Train users on Information Security Policies and Procedures.
  • Test employees for understanding of Information Security Policies and Procedures.
  • Identify unauthorized changes to web pages or critical files.
  • Report to management, board of directors, and auditors.

How does TraceSecurity Compliance Manager enable an organization to create an effective ongoing Information Security Program?

TraceSecurity Compliance Manager (TSCM) is the only solution that provides a portal to manage all of the Information Security Program components. TSCM is a modular solution making it customizable to meet individual organization needs. It is also a Software-as-a-Service (SaaS) solution, which means that the application is hosted and managed by TraceSecurity and is accessed via a web browser.

The SaaS solution provides the following benefits:

  • Minimizes implementation and management costs to the organization.
  • Reduces deployment time of the solution.
  • Reduces the employee time associated with the deployment.
  • Makes the solution available to any authorized user, anytime and anywhere, with an internet connection.
  • Eliminates the impact on the organization’s network utilization.
“[TraceSecurity] truly understands the requirements for compliance, and they package their products and services so that you get everything you need on a continuous level — not just a one-time visit and ‘we’re out the door’ like the other companies.’”IT Director, Financial Institution in Georgia
“The Compliance Manager is simple as pie. It’s a URL address that I bookmark as a favorite. Compliance Manager gives me everything when I want it. I can access it anytime and I don’t have to have a stack of papers on my desk.”Vice President of Information Services, Financial Instition in Illinois
“My Board just wants to know where we stack up in comparison to others and that compliance is taking place […] that’s what the executive summary does. Now, my network administrator is going to want to see the detail of what vulnerabilities there are. I can get an executive summary, a compliance summary, or a vulnerability summary. I can also get compliance detail, vulnerability detail, and last but not least, the entire report. We like that.”Vice President of Information Services, Financial Instition in Illinois

TraceSecurity Compliance Manager is a SaaS solution that includes the following modules:

TCSM Module Benefits
Dashboard The Customizable Dashboard provides a snapshot view into vulnerability status, policy acceptance, compliance statistics, etc.
TraceAssess Allows the organization to conduct unlimited, on-demand network vulnerability scanning.
TraceAlert Vulnerability and patch alerting system specific to company’s hardware and software.
TraceComply Allows the organization to facilitate an ongoing review of its compliance with relevant industry security requirements.
TracePolicy Reduces cost and effort in creating and distributing policies and reporting on acceptance of those policies.
TraceTrain Allows the creation of internal training of employees on policies, security and other topics, resulting in reduced training costs.
TraceMonitor Monitor files and URLs for modification.
TraceReport Provides on-demand board, management, auditor, and technical reporting for all TSCM modules.

TraceSecurity uses TSCM to deliver its security assessments, providing a foundation for the organization to build its ongoing self assessment program. Regulatory requirements insist on independent Security Assessments and ongoing security testing programs that include self assessments. With TraceSecurity’s Comprehensive Security Assessments and TSCM, customers leverage our independent services and benefit from the same tool set that TraceSecurity engineers use to facilitate the ongoing security program.

TraceAssess

An information security program should include ongoing network vulnerability testing. The TraceAssess module of TSCM is an automated vulnerability assessment utility that evaluates a network for security risks. The TraceAssess scanner is delivered through a VMware Player eliminating the need to purchase a hardware appliance. The interface to TraceAssess is through the SaaS based TSCM portal making it available anywhere.

Key Features and Benefits of TraceAssess include:

  • Template based scan configurations for consistent, repeatable process
    • Port scan, vulnerability scan or simultaneous scan
    • Test Single IP address or a range if IP addresses
    • User definable “exclude” IP address list
    • Network Discovery option
    • Configurable Signature Scanning
      • Single Vulnerability
      • User defined group of vulnerabilities
      • Predefined “safe” signatures
      • Predefined “dangerous” signatures
  • False Positive Management
  • Template Groups to combine multiple templates
  • Scheduler
    • Frequency (once, daily, weekly, biweekly, monthly, bimonthly, quarterly, yearly)
    • Date and Time
    • Pause Schedule
    • Email notification
    • “Allow” schedule to facilitate real-time scanning during off peak hours.
  • Filter Results based on
    • Risk Level
    • Classification
    • Status (Resolved, unresolved, false positive)
    • Operation System
    • Assignee
    • Templates

TraceAssess can be used as a standalone solution or integrated with other TSCM modules. Summary dashboard reporting provides a quick view of vulnerability data to allow for immediate awareness of network vulnerabilities. In-depth reporting is available for system administrators, managers, board of directors and auditors.

“TraceSecurity gives you the keys to the candy store. They don’t just give you periodic scans, they give you a system so you can run your own scans at your own leisure, in between the scheduled analysis that they perform […] that’s big.” Vice President of Information Services, Financial Instition in Illinois
“I can’t say what the cost would be if we didn’t identify and remediate [vulnerabilities]. We work hard to make sure no one can access our internal network. However, if someone was to get on our internal network, obtain our member information and expose it, there would be a great cost. We would lose the trust of this community and we wouldn’t be able to do business here anymore.” Assistant Vice President of IT, Major Credit Union in Illinois

TraceAlert

TraceAlert, a module of TSCM, is a vulnerability and patch alerting service that compares known vulnerabilities against your company's hardware and software (assets). TraceAlert provides a proactive single source of information regarding new vulnerabilities that may affect an organization based on a user defined hardware and software.

Key Features and Benefits of TraceAlert include:

  • Filter Results based on
    • Risk Level
    • Classification
    • Status (Resolved, unresolved)
  • Configurable Email alerts
  • Exportable Reports

TraceAlert can be used as a standalone solution or integrated with other TSCM modules. Summary dashboard reporting provides a quick view of vulnerability data to allow for immediate awareness of vulnerabilities and exploits. Online or printed reporting is available.

TraceComply

A proper Information Security Program should be in compliance with applicable Regulatory and Best Practices requirements. Common issues with preventing compliance with these requirements include: lack of expertise and understanding of the regulations, employee time involved reporting on compliance, and monitoring new or modified requirements.

TraceSecurity has developed TraceComply, a module of TSCM that facilitates security compliance tracking and reporting. Through TraceComply an organization can choose applicable regulations and/or best practices to monitor and self assess for compliance.

Key Features and Benefits of TraceComply include:

  • Online regulatory self assessment solution
    • Choose regulations and/or best practices applicable to the organization.
    • A single answer addresses all regulations with similar requirements–reducing employee time requirements.
    • Responses include “Compliant,” “Not Compliant,” “Partially Compliant,” “Not Applicable.”
    • Note fields to provide explanation.
    • Results can be saved for later completion.
  • Customizable compliance reporting
    • Management, board of directors, and auditor reports.
    • Filter for laws, guidelines or standards.
    • Dashboard detailed and summary reporting.
    • Printable reports.
  • Online database for up-to-date regulations and best practices.
  • Customizable alerting to new or modified regulations and/or best practices.
  • Utilizes “Assets” and “Vendors” to provide segmentation of compliance at the Asset or Vendor Level (e.g., Compliance for Strong Passwords can be recorded at the asset level, where).
  • Includes information on the regulations, code, related policy and other reference materials.

TraceComply can be used as a standalone solution or integrated with other TSCM modules. Summary dashboard reporting provides a quick view of compliance data to allow for immediate awareness of gaps in compliance. In-depth reporting is available for managers, board of directors and auditors.

“The other major driver in choosing TraceSecurity was the whole area of compliance … the fact that TraceSecurity has software that provides questions that, when answered, reveal where you stand on compliance. Before, we were just doing periodic scans; that’s a commodity in this business. We didn’t even know if we were compliant.”Vice President of Information Services, Financial Instition in Illinois
“The auditing firm wouldn’t list all the areas where we were non-compliant and they wouldn’t ask all the questions because it takes an inordinate amount of time.”Assistant Vice President of IT, Financial Instition in Illinois

TracePolicy

To effectively implement an Information Security Program, the organization must address vulnerabilities associated not only with its technology, but also with its people and processes. The “people” vulnerabilities are one of the largest risks associated with an Information Security Program, and also, one of the most overlooked areas. A 2006 study by the Computing Technology Industry Association indicated that human error was responsible for nearly 60% of data breaches, as opposed to hardware or software vulnerabilities (see “The People Problem" Whitepaper).

Despite all the time, effort, and money invested in the acquisition, deployment and ongoing management of security technology, an organization must address the “people” risk. Organizations must therefore implement best practices that help prevent employees from engaging in behaviors that can compromise sensitive data.

These best practices include:

  • Defining appropriate policies and procedures governing employee behavior in regards to information security
  • Educating employees about the policies and procedures relevant to them
  • Verifying their understanding of relevant policies and procedures
  • Managing change over time — including changes in staff, changes in the IT environment, and changes in the nature of present threats

TraceSecurity has developed TracePolicy, a module of TSCM, to facilitate an organization’s Information Security Program by specifically addressing the “people” vulnerability issues.

Key Features and Benefits of TracePolicy include:

  • Develop Information Security Policies.
  • Templated questionnaires that facilitate the creation of policies to meet applicable regulations.
  • Additional Best Practices templates as needed

Upload/Modify Existing Policies

  • Upload all existing organizational policies for one centralized database.
  • Modify existing policies and update employees on the current policy.

Disseminate Policies

  • Simplified policy distribution through email notification.
  • Online employee policy review.
  • Online policy acceptance.
  • Ability to group employees to only receive policies that are applicable to the specific group.

Centralized, online policy management and reporting accessible by authorized users from any location at anytime.

  • Eliminates paper based systems
    • Online policy database
    • Online employee policy acceptance database
    • Online policy approval
    • Track creation date
    • Acceptance reporting including date accepted
  • Automatic email alerts for employees that have not accepted policies
  • Printable policies and reports

While TracePolicy was originally designed to facilitate an Information Security Program, the solution should be used by all organizational departments, including Human Resources, to efficiently manage all departmental policies. This allows an organization to have a centralized policy management system for all organizational policies.

TracePolicy can be used as a standalone solution or integrated with other TSCM modules. Summary dashboard reporting provides quick view of policy data to allow for immediate awareness of gaps in policy acceptance. In-depth reporting is available for managers, board of directors and auditors.

The use of TracePolicy and TraceTrain together is extremely valuable. “I can upload training on passwords, network security, and loan policies — whichever topic I choose — and select which individuals I want to train. TracePolicy sends those employees an email giving them access to online documentation that they must read and sign off on, and then I can test them on it through TraceTrain. TraceSecurity is proactive. They thought of how to facilitate the training to make sure it gets done, so I can sit back and focus on the things I need to do in the bank knowing that the training is taken care of."IT Director, Financial Instition in Georgia

TraceTrain

To effectively implement an Information Security Program, the organization must address vulnerabilities associated not only with its technology, but also with its people and processes. The “people” vulnerabilities are one of the largest risks associated with an Information Security Program, and also, one of the most overlooked areas. A 2006 study by the Computing Technology Industry Association indicated that human error was responsible for nearly 60% of data breaches, as opposed to hardware or software vulnerabilities (see “The People Problem" Whitepaper).

Despite all the time, effort, and money invested in the acquisition, deployment and ongoing management of security technology, an organization must address the “people” risk. An organization must implement an employee training program designed to help prevent behaviors that can compromise sensitive data.

The training program should:

  • Educate employees on the Information Security policies and procedures
  • Manage training requirements related to:
    • Change to staff
    • Changes to IT environment
    • Changes to organizational risk
    • Changes in policies and procedures
  • Verify the employees’ understanding of relevant policies and procedures

TraceSecurity has developed TraceTrain, a module of TSCM, to efficiently facilitate an organization’s Information Security Training Program.

Key Features and Benefits of TraceTrain include:

Description:

  • Customizable training relevant to an organization’s Information Security Program
    • Administrator defined Courses
    • Compatible with third party web based training
  • Create Training Groups
    • Facilitates automatic email notification of required training
    • Deliver training applicable to specific employees
  • Centralized, Online Training Management and Reporting
    • Reduces business impact related to live training classes
    • On-demand training provides flexible training times
    • Email alerting on required training
    • Track Training status by user or department
  • “Taken/Not Taken”
  • Date Taken
    • Printable training materials
    • Printable reporting
  • Test employees’ understanding of training courses
    • Customizable testing applicable to each training course
    • Track Testing status by user or department
  • “Passed/Failed”
  • “Taken/Not Taken”
  • Date Completed

While TraceTrain was originally designed to facilitate an Information Security Program, the solution should be used by all organizational departments, including Human Resources, to efficiently manage all departmental training. This allows an organization to have a centralized training program for all organizational training.

TraceTrain can be used as a standalone solution or integrated with other TSCM modules. Summary dashboard reporting provides quick view of training and testing data to allow for immediate awareness of gaps in employee security awareness. In-depth reporting is available for managers, board of directors and auditors.

The use of TracePolicy and TraceTrain together is extremely valuable. “I can upload training on passwords, network security, loan policies — whichever topic I choose — and select which individuals I want to train. TracePolicy sends those employees an email giving them access to online documentation that they must read and sign off on, and then I can test them on it through TraceTrain. TraceSecurity is proactive. They thought of how to facilitate the training to make sure it gets done, so I can sit back and focus on the things I need to do in the bank knowing that the training is taken care of.” IT Director, Financial Instition in Georgia

Trace Monitor

Unapproved changes to critical files or WebPages can be a first sign of malicious activity. TraceSecurity has developed TraceMonitor, a module of TSCM that allows you to monitor for changes to any type of file, including web files. If changes are detected, TraceMonitor can alert you immediately, before others are affected. As an additional feature, TraceMonitor can be set up to recognize the presence of certain words appearing on your web pages. This enables you to monitor for website errors. Early notification will help you decrease downtime, increase customer satisfaction, and reduce potential revenue loss.

Key Features and Benefits include:

  • Monitor network or HTTP files in real time
  • Easily manage file list
  • Monitor keywords on websites
  • Monitor ANY type of file
  • Simple, easy-to-use set up
  • Managed from a central console
  • Multiple methods of notification
    • Email
    • Text Messages
  • Multi-platform support
  • Java based
  • Detect/prevent website defacement
  • Detect website errors or unannounced content changes
  • Early notification of unauthorized changes can help:
  • Decrease downtime
  • Increase customer satisfaction
  • Reduce potential revenue loss

TraceMonitor can be used as a standalone solution or integrated with other TSCM modules. The module that is included with TSCM is limited to five files. Summary dashboard reporting provides quick view of training and testing data to allow for immediate awareness of gaps in employee security awareness. In-depth reporting is available for managers, board of directors and auditors.

About TraceSecurity

TraceSecurity is a leading provider of security compliance and risk management solutions. With over 900 customers, TraceSecurity supports the security and risk management efforts of organizations in financial services, healthcare, insurance, government and other regulated sectors. The company helps organizations of all sizes to achieve, maintain and demonstrate security compliance while significantly improving their security posture. Key to TraceSecurity’s success is the company’s comprehensive patent-pending methodology that helps clients address all critical components of a successful security compliance program, including people, process and technology.

TraceSecurity delivers its solutions through an integrated Software-as-a-Service (SaaS) platform backed by expert professional services and comprehensive security awareness programs. The company’s flagship offering, TraceCompliance Manager, is the first comprehensive solution to integrate and automate regulatory compliance audits, policy management and dissemination, vulnerability assessment, vulnerability alerting, employee education and testing, and file/URL integrity monitoring. In addition, TraceSecurity has developed separate Risk Management and IT Audit Management solutions that can be seamlessly integrated into the Compliance Manager.

The company’s expert professionals provide comprehensive security assessments that include vulnerability assessments, penetration testing, application layer testing, IT audits and risk assessments. The team also provides security policy development, security awareness training and social engineering assessments.