SecureGRC TM - Cloud based SaaS

Page | 1

SecureGRC

TM

- Cloud based SaaS

Key Features

 Single repository for regulations and standards

 Centralized repository for compliance related organizational data

 Electronic workflow to speed up communications between various entries  Automated compliance related data gathering from technology sources  Allow for gathering of data from non technology sources such as people  Map compliance data to regulations and standards

 Automate the determination of compliance status based on collected technology and non technology related compliance data

 Allow for generation of reports, export data for use with other systems within an organization  Provide management dashboards for compliance status with the ability to drill down across

departments, geographies etc.

 Allow for creation of custom compliance frameworks or modify existing ones

 Provide reminders to people for addressing compliance related tasks in an optimal manner  Manage exceptions and activities related to compliance

 Provide an exhaustive audit trail for all compliance related actions through the whole process

Compliance logging and secure storage

Logging and storing audit logs is mandated by most regulations for review. While many logging vendors exist today they are expensive, appliance based and do not provide a comprehensive work flow that integrates compliance framework. SecureGRCTM changes the way logging requirement is simplified and unified from cost, scalability, and integrated compliance framework perspective.

 Firewalls and VPNs  IDS/IPS  Vulnerability Scanners  Unix hosts  Windows hosts  Mainframe hosts  IT applications  ERP systems  Databases

Page | 2

 Proprietary systems

 Integrated Case Management

SecureGRCTM is equipped with compliance case management framework which gives end to end visibility to security and compliance cases for the organizations which another example of true integration of Security and IT-GRC management.

Audit Management

What is Audit Management?

Audit management is the overall process of managing the overall audit process. It enables organizations to reduce dependence on paper, perform the functions faster and with fewer resources and provides a trackable audit trail for these functions.

Audit Manager

SecureGRCTM Audit Management feature provides an integrated solution to managing the functions, documents, and tasks associated with audits (IT, Security or Financial) of any organization. In addition, it provides access to the core elements from the SecureGRCTM platform such as Workflow, Document Management, Audit Work paper repository, Fine-grained access control through a secure Web based interface

Key Features

 Single and Centralized repository for all work papers  Version control for all work papers

 Link work papers to controls  Schedule audits

 Assign personnel to audits  Audit trail

 Ability to track audit failures  Dashboards and reports

Vendor Compliance Management

SecureGRCTM Vendor Management solution enables you to manage an effective vendor management process: risk-based vendor selection, centralized document management and remediation management.

What is Vendor Management?

Page | 3 Key Features

 Automate monitoring of controls such as management of sensitive data and technical controls.  Enable vendor managers to manage risk.

 Assess vendor risk using various assessment types and a library of questions based on best-practice standards.

 Derive risk and compliance ratings by type of vendor from assessment results.  Measure vendor compliance to policies and procedures.

 Track and address areas of non-compliance identified in the vendor assessment process.

Merchant Compliance Management

SecureGRC's merchant compliance management helps banks and financial institutes to ensure their merchants comply with the regulations applicable to their business.

What is Merchant Management?

According to VISA,

Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements

And according to MasterCard,

MasterCard fundamentally views our member Acquirers as owning the acquiring payment channel. Given this perspective, MasterCard works to administer the SDP Program through our Acquirers, working with

merchants to further secure the transaction infrastructure. Please note that acquirers themselves do not need to go through the SDP compliance process but they must manage the SDP process for their merchants. Merchant Management is the process that enables card acquirers to ensure that their merchants are compliant with the PCI Data Security Standard and thereby satisfy the demands of the various card brands. SecureGRC’s merchant management enables organizations (banks, acquirers, service providers etc. ) to manage the compliance of their merchants with the PCI DSS. Merchant management automates many of the manual tasks associated with the merchant compliance process. When organizations are dealing with thousands of merchants, the process of managing compliance could consume an enormous amount of resources, time and money. CMM enables organizations to reduce all of these by providing a single interface to all compliance processes through a universally accessible web based interface.

Key Features

 Automate monitoring of controls such as management of sensitive data and technical controls.  Enable vendor managers to manage risk.

 Assess vendor risk using various assessment types and a library of questions based on best-practice standards.

 Derive risk and compliance ratings by type of vendor from assessment results.  Measure vendor compliance to policies and procedures.

Page | 4

Policy Management

What is Policy Management?

Policy management is the overall process of managing the plethora of policies, procedures, guidelines and other documents that are part of the governance framework and function in any organization.

SecureGRCTM _{Policy Manager}

SecureGRCTM Policy Manager provides an integrated solution to managing all the policies, procedures, guidelines, or standards that are the basis of the governance framework at any organization. Policy Manager allows organizations to consolidate all their policies, store them in a central repository, measure the

compliance with these policies, and view various statistics from a central dashboard.

Policy Manager provides access to the core elements from the SecureGRCTM platform such as Workflow, Document Management, Policy Inventory, Fine-grained access control through a secure Web based interface.

Key Features

 Single and centralized repository for all policies  Version control for all policies and procedures  Monitor acceptance of policies

 Out of the box policy and procedure templates  Ability to link policy and procedures to controls  Dashboards and reports

 Remediation tracking

Asset and Vulnerability Management

What is Asset and Vulnerability Management?

Asset management involves discovering, identifying and classifying assets such as servers, desktops, laptops etc that are part of any organization. Due to the fact that most digital information that forms the basis for any Governance Risk Management and Compliance (GRC) process of any organization resides on assets, it is imperative that organizations manage their assets.

Vulnerability Management consists of the ability to discover the vulnerabilities associated with assets and provide the data and insight necessary to manage the vulnerabilities through the use of direct fixes or application of compensating controls.

SecureGRCTM Asset and Vulnerability Manager provides an integrated solution to managing the functions, data and tasks associated with assets and related vulnerabilities. Asset and Vulnerability Manager uses the core elements from the CC-GRC platform such as Workflow, Document Management, Controls and Asset repository, Fine-grained access control through a secure Web based interface.

Key Features

 Accurate asset discovery

 Single and Centralized repository for all assets and vulnerabilities  Ability to link Assets to controls

Page | 5

 Scan for vulnerabilities remotely

 Map assets and vulnerabilities to regulations  Remediation tracking

 Dashboards and reports

Compliance Scanning

What is Compliance Scanning?

SecureGRC's compliance scanning is a unique feature that allows scanning of data concerned with PCI compliance in various data stores.

Compliance Scanner allows QSAs/Auditors and consultants to streamline and automate the process of evaluating PCI compliance during onsite engagements. Results from leading vulnerability scanners and application scanners, along with cardholder data search features are processed by the Compliance Scanner to pre-populate approximately half the controls of PCI DSS.

Features of Compliance Scanner for QSAs include,

 Easy interview wizard to walk QSAs through the entire process.  Automated search for cardholder data within servers and databases.

 Automated mapping of application/network vulnerabilities (from leading security scanners) to “cardholder” assets and servers.

 Automated firewall rule set analysis and mapping of faulty rule sets to PCI requirements.

 Generation of Report on Compliance with more than half controls pre-populated with accurate data on cardholder systems, their vulnerabilities and misconfigured firewall rule sets.

Key Features

 SecureGRCTM

Compliance Scanner helps QSAs save a significant amount of time and resources to perform PCI assessments.

 It also improves consistency of assessments across people and time and can help demonstrate the quality needed by the PCI Council.

Data Discovery

What is Data Discovery?

Finding credit card data is one of the key and initial steps needed for compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). The standard clearly prohibits storage of card holder data in an unencrypted manner.

Page | 6 Key Features

 Find unencrypted credit card data in ANY type of file - Word Documents, Excel Spreadsheets, PDFs, Access databases. CDD is not constrained by file types, rather it allows you to search the whole hard disk for credit card data

 Find credit card data in network shares

 Find credit card data across the WHOLE network from one location. CDD needs Microsoft Active Directory (AD) or Domain level credentials and using those credentials, you can search for card data on desktops, laptops, servers etc all from one location.

 Convenience of searching from one place, no need to go to each desktop/laptop to search for data  Find credit card data in most popular commercial and open source databases such as Oracle, SQL

Server, and MySQL etc.

 Extremely fast and uses very few resources - network or CPU resources