Protect what you value.

Seven Simple Steps that Slash the IT Audit Burden
Maximizing your efficiency gains from McAfee Policy Auditor 5.0

www.mcafee.com

Table of Contents

Introduction
Audit Fatigue
Tackle Tedium and Disruption
Step 1: Policy Definition
  Policy definition with McAfee
Step 2: Policy Implementation and Policy Lifecycle
  Policy management with McAfee
Step 3: Data Capture to Validate Policy and Configurations
  Data collection with McAfee
Step 4: Monitoring, Issue, and Patch Management
  Issue management with McAfee
Step 5: Measurement and Scoring
  Measurement with McAfee
Step 6: Waiver Management
  Waiver management with McAfee
Step 7: Reporting Against Key Mandates and Internal Policies
  Reporting with McAfee
Consider the Distinctive Design Inside
  Standards
  Management efficiency
  Security tool integration
Take Seven Simple Steps and Sustain Compliance
Get Started
About McAfee, Inc.

Seven Simple Steps that Slash the IT Audit Burden

Although IT audits are inevitable—and increasing—they no longer have to be expensive. Auditing systems and system management technologies have matured. Now key control and validation processes can be integrated, streamlined, and automated. You can increase timeliness and accuracy of audit data while reducing IT audit effort, disruption, and cost.

Audit Fatigue

The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the highest levels of management now comfortably discuss IT controls and audit results. However, their quality expectations are rising. Where IT once performed audits annually, many now support quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies assessed, measured, and proven compliant. Broader scope means more complexity and more work.

[Figure: How often audits are conducted [1]. Categories: Ad-hoc, Quarterly, Semi-annual, Annual. Series: More than 5,000 employees, Less than 5,000 employees.]

In addition to being more frequent, audit demands have also become more specific. Audits must include granular information on controls, metrics, trend lines, and industry benchmarks. Yet over 51 percent of respondents in a recent survey used spreadsheets or no tools at all. [2] Already over-burdened IT and security teams struggle to collect, organize, and disseminate the required data. If administrators spend three to five hours each week supporting audits, that is a 10 percent tax against productivity. Further, more than half of larger organizations manage 10 or more regulations. Multiple regulations compound effort and complicate both policy and control decisions. [3] Manual data collection precedes manual consolidation of data into multiple graphical views that non-technical executives and auditors can easily digest. No wonder there's an epidemic of Audit Fatigue.

[Figure: Type of automated tools organizations use to prepare reports [4]. Categories: Automated workflow system; Compliance/governance technology platform; Predominantly spreadsheets to collect and organize audit; Combination of tools listed above; No specific tools. Series: Less than 5,000 employees, More than 5,000 employees.]

To minimize the operational and organizational toll of audits, McAfee® Policy Auditor 5.0 brings together audit and systems security management processes. Through innovative technology and process integration, it reduces the number of tools required to audit accurately. IT teams can regain control over spiraling audit demands while delivering the visibility and accountability required for increasingly skeptical executives.

A bonus: this increased efficiency and sustainability actually improves security. Repeatable, measurable controls built on best practices fulfill the intention of most governance and compliance initiatives: confidentiality, integrity, availability, and—at least for Sarbanes-Oxley—transparency.

[1] Source: Internet Research Group
[2], [3] Internet Research Group survey of 400 audit-related professionals, Audit Effectiveness, July 2008.
[4] Source: Internet Research Group

Tackle Tedium and Disruption

At most sites, audits rival log reviews for on-the-job frustration. Administrators say "I spent years training for this?" and "I have real work to do." However, with regulatory compliance penalties, they can't say "No."

For the purpose-built McAfee Policy Auditor, we decided to target audit and reporting inefficiencies directly. We considered each phase of the IT audit process and looked for steps that could be improved, eliminated, or converted to automation. The most susceptible activities were:

1. Policy definition
2. Policy implementation and lifecycle management
3. Data collection to validate policies and configurations
4. Monitoring, issue, and patch management
5. Measurement and scoring to document non-compliance
6. Waiver management
7. Reporting against key mandates and internal policies

Step 1: Policy Definition

Most regulated organizations already have defined policies. The challenge comes from change. Users spend hours evaluating refinements in regulatory and industry guidance and then adjusting policies. Considerations include:

• Mapping vague, industry-specific paper policies and requirements into actionable technical controls and repeatable processes
• Policies must align across multiple inputs—a single financial company might have SOX, GLBA, SB 1386, PCI DSS, and internal governance controls.
• Different experts have different interpretations, yet the resulting policies must be shown to match industry best practices for each regulation and fulfill the intent of governance committees

Most IT and security teams do not have the expertise and confidence to define and maintain these policies without expensive consultants. The workload and costs increase as regulations expand and guidance becomes more complex.

Policy definition with McAfee

To reduce these variables, McAfee has made it easy to incorporate expert guidance and industry benchmarks within live technical controls. A wizard guides authoring and tailoring of benchmarks and policies. This wizard provides flexibility to match the policy definition models at different size organizations. You implement policies as a set of rules that activate specific checks on each system.

Policy Auditor lightens the burden in several ways:

• Eliminates paper policies—McAfee combines the actual text of a regulation or best practice document with the security checks used to measure its compliance. This detail provides context for each security check at every level of the policy. The human world of text documents and computer world of binary controls are now seamlessly integrated.
• Tailors content templates provided by McAfee experts—As a quick-start baseline, McAfee provides content in the form of rules templates, called benchmarks, for key regulations and best practices (PCI DSS, SOX, GLBA, HIPAA, FISMA, ISO 27001, and COBIT). Each benchmark includes multiple rules, and an editor lets you easily tune recommendations to suit the specific needs and preferences of your business. Unlike IT administrators with systems to maintain, content developers from McAfee® Avert® Labs focus full time on analyzing regulations and developing rules and checks. They compare regulations with security best practices and test, document, and release appropriate controls in templates. They release updates as needed to keep content current.
• Import best practices—Support for the SCAP (Secure Content Adaptation Protocol) family of protocols allows upload of authoritative benchmarks from sources such as the National Institute of Standards and Technology (NIST) and Red Hat. McAfee converts this XML input into editable policies, which you can then compare to your own. In this way, you can map policy violations to a range of industry standards, aligning your organization’s controls with industry guidelines.
If you decide to match the recommendations, the wizard helps you turn on or turn off the rules that activate specific checks.

SCAP provides a set of open standards for defining benchmark checks and configuration settings, as well as an industry-recognized policy format. The SCAP protocols supported include:

• eXtensible Checklist Configuration Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)

Step 2: Policy Implementation and Policy Lifecycle Management

Once you know the policies you would like to audit, you must consider the process and workflow around maintaining policies over time. Lifecycle management allows policies to respond to evolving threats, regulations, and risk postures. It also helps as you change the types and number of systems, their configurations and applications, and policies.

For example, what if you needed to change password requirements from eight characters to six characters for all of your Windows, UNIX, and Mac systems? Which policies and which rules would you need to change? In addition, separation of duties requires an overlay of planning and role-based access controls. Unfortunately, each distinct step and interface provides an opportunity for data-entry error and inconsistent implementation.

Policy management with McAfee

McAfee helps you maintain an efficient, structured workflow throughout the policy lifecycle. In this way, you can gain your greatest operational savings, and boost your consistency. First, McAfee automates implementation of policies across systems. Policy Auditor 5.0 tightly integrates with the proven McAfee ePolicy Orchestrator® (ePO™) single-agent, single-console infrastructure. You can:

• Easily group and manage systems to reflect risks and regulations—Since different assets require different scans and assessments, you can build on Active Directory entries and ePO system identifications to create tags and groups that include or exclude specific systems in audits. With this model, it is simple to create specific profiles for classes of systems, usage types, or data types, then reorganize and update affected systems as policies change. You can organize these profiles by platform type, applications, function, geography, and even by regulation or policy. This approach improves the consistency of policy application while eliminating repetitive, error-prone system administration tasks.

[Figure: User rights management offers important control over policy authoring and other tasks throughout the policy life cycle]

• Support repeatable policy management—Security policies are not carved in stone. Requirements, regulations, and standards evolve over time, and require a manageable, repeatable process for tailoring, reviewing, and publishing policy revisions. Policy Auditor provides the embedded workflow and roles-based access needed to manage this process cleanly. This ensures that audit results always reflect current business requirements. New policies go into a “received” state. They can then be “duplicated,” “edited,” or “tailored.” As an option, a person other than the policy creator can be required to “review” the policy. It is then “published.” Old policies are “archived.”
• Separation of duties—Large organizations strictly enforce who has access to what data, controls, and systems. For instance, the role of IT operations has different objectives than those of IT audit. IT operations’ main concern is maximum availability of its servers. IT audit’s primary concern is to pass an upcoming audit. To satisfy the needs of both roles, McAfee has implemented an innovative model that “makes the computer do the work.” IT Operations simply sets the white-in and blackout scan windows for the systems using ePO policies. IT audit then determines the policies to run and defines how the data currency parameters. Policy Auditor does the rest, making sure not to scan systems during peak usage hours. In addition, you can assign granular permission sets to the various roles to determine what they can and cannot do. For example, define who can create, edit, view, or publish a policy; who can run an audit; who can view the results; and who can approve a waiver.

[Figure: Tabbed dashboards organize audits, waivers, benchmarks, and checks]

• Deploy rules automatically—Policy Auditor sends rules and updates through the ePO agents and the Policy Auditor plug-in to targeted desktops, laptops, and servers. Four ePO dashboards help you monitor status of the rollout.

Step 3: Data Capture to Validate Policy and Configurations

Audits are all about evidence. To prove compliance, data must be accurate, timely, and specific. However, data quality comes into question when different tools produce data in different formats. Furthermore, each auditor wants their unique information on their schedule, with data reflecting a consistent point in time.

Given these demands, data collection has become labor-intensive. It can be tedious to find and decisively document the details you need on a large number of distributed systems. Where there are multiple data sources and interfaces, it takes manual collation: a painful model that does not scale well.

Data collection with McAfee

Policy Auditor replaces this manual process with several authoritative ways to verify enforcement of policy controls. Each of these options reduces the effort involved and builds confidence with external auditors.

• Ensure accurate checks—System scans use the industry’s most extensive check library to validate technical controls and assess the security state of common applications, such as Office, SQL Server, and Apache. Checks can document patch status, file permissions, and the active presence of mitigating controls, such as encryption and restricted file access.
• Audit heterogeneous and distributed hosts with a single process—With Policy Auditor running on each system, including Windows, HP-UX, Linux, Solaris, and Mac OS X, it takes just one tool to generate data for each audit request. Leveraging tags and groups, the ePO query and reporting engine can poll all the systems under review, capturing and time-stamping data without manual collation.
• Schedule in advance or audit continuously—Instead of manual, ad hoc polling, you can program automated scanning of any size group, implemented consistently by the agent using data currency thresholds and blackout windows. Careful scheduling increases the accuracy of data, reducing emergency data collection and rework. Although participants may change, the data and checks remain reliable. Tactically, scheduling helps limit network congestion and ensure timely data capture despite large numbers of systems. It also limits potential performance or process effects on business-critical servers. Strategically, you strengthen the control environment with more frequent audits that automate risk-based controls. If there are control breakdowns or policy violations, you can detect them immediately to minimize risk of loss or damage.

[Figure: Blackout periods protect business processes]

• Use roles and dashboards to streamline analysis—Each audit role—network, system, and security operations; internal and external auditors; or senior managers—can define and save custom dashboards. This flexibility lets multiple participants aggregate and view different sets of data. Dashboards simplify navigation between policies, checks, and system data, presenting data graphically where possible for better absorption. You can also share queries and data views with collaborators.

[Figure: Custom dashboards help you deliver pertinent data for each audience and enable immediate action]

Sometimes, auditor requests may seem random. Dashboards help you guide the process. You can group and present specific controls that match policies, regulations, and security objectives. As everyone learns the details that matter, you can preempt requests for tweaked data by giving auditors read-only access to more extensive findings.

Step 4: Monitoring, Issue, and Patch Management

The previous steps have been necessary to put policy auditing in place. Using this infrastructure, you then need to identify and manage violations as they emerge, despite changes in systems and rules and the increasing diversity and complexity of infrastructure.

Naturally, existing help desk operations and trouble ticketing systems play a central role in issue management. Your audit tools can help you find violations, prioritize remediations, and document the right details, but only if they can communicate with the people and systems that do these jobs.

Issue management with McAfee

Policy Auditor enables this step by scanning systems and generating data on rules, checks, audit status, and violations. It can also use ePO for quick access to threat and system information as well as overall risk.

• Assess the damage quickly—Web-based dashboard views let you drill down into specific tasks and click directly through to investigate noncompliant systems
• Transparently initiate and close trouble tickets—Optional integrations generate tickets when an audit discovers a misconfiguration. They will later mark issues when resolved. Policy Auditor connectors support BMC Remedy and HP OpenView systems.
• Export data to remediation tools—To guide remediation and patching, McAfee Remediation Manager and other SCAP-compliant systems can import audit and system scan result data

Step 5: Measurement and Scoring

The bar keeps rising. Audit teams, regulators, and governance committees are more perceptive and less patient after years of experience. Beyond data snapshots, they want to see trends and detect progress, as well as demonstrate parity with industry norms. Executives want data to let them adjust investments and manage risk more proactively as threats and policies evolve.

IT audit teams can support these requirements by establishing practical metrics and time-stamped baselines that they can legitimately compare over time. The data should not only be accurate but presented in useful and actionable reports.

Measurement with McAfee

Once mitigating controls are in place, Policy Auditor becomes a measurement tool. You can initiate and maintain metrics by attaching numeric values to audit results. Each rule can have adjustable scores and weights.

• Customize scoring—Guide attention by applying custom weighting to important sections of policy, ensuring that the most critical audit findings get the focus they deserve
• Link scores with risk—Direct your organization’s investment in protections by assigning criticality based on perceived asset value. Content guidance from McAfee includes an expert assessment of violations or rules that are likely to be most critical.
• Compare with industry best practice—Templates help you measure compliance against ISO27001 and COBIT frameworks. After beginning with a broad, best-practices compliance program, most organizations can easily take a step back to measure themselves against more targeted standards, such as PCI DSS.

Step 6: Waiver Management

The dynamic nature of compliance benchmarks and business infrastructure means that no group is ever 100 percent compliant. That is acceptable if you document and justify discrepancies, prevent abuse, and show you have a plan in place to manage your exceptions over time. This precision increases accountability, makes policies more accurate, and supports consistent implementation while enabling business workflows.

Waiver management with McAfee

McAfee allows you to assign waivers conveniently to individual systems, groups of assets, or policy rules.

• Control privileges—Only users with appropriate authority can define, grant, and document waiver conditions
• Define flexible waiver conditions—Exemption, exception, and suppression options let you determine how to handle a specific issue. For example, exemptions can prohibit audits during quarter-end processing on critical servers.
• Set expiration dates—Waivers require a start and end date to automatically limit exposure
• Attestation—Comments can be added to explain use of compensating controls and remind auditors why the noncompliance state was waived

Step 7: Reporting Against Key Mandates and Internal Policies

The most important deliverable from any audit is credible proof of compliance. You must offer this proof at multiple levels for different audiences and, ideally, support established processes and systems. However, manual redundant processes and their errors slow this final step. Costs rise as demands increase.

Reporting with McAfee

The advanced ePO reporting system helps you easily find and aggregate data and present it in an infinite variety of reports. Reuse the role-based dashboards built previously to find and present data at different levels of abstraction, or build new reports from scratch.

• Save repeated queries and tasks—Store common queries and create linked, automated tasks to repeat audits and reports with precision, easily show changes against audit baselines, and proactively generate updated data
• Create executive and auditor views—Executives are primarily interested in compliance status; aggregate this information across business or operational units or subdivide for greater relevance. Let auditors see information by specific regulation.
• Enable quick action—Drill into dashboards and web-based reports for details and next steps
• Export to portals or reporting tools—The XCCDF and OVAL standards allow you to integrate audit results data into existing auditor and executive portals. You can also transfer data through CSV, XML, HTML, and PDF formats.
• Consolidate audit and endpoint data—Speed decision-making with scan and system information in the same report, including details like patch levels and countermeasures that are in place
• Distribute reports automatically—For convenient, reliable notification, send full reports or just alerts on specific concerns via email to predefined lists of users. Archive copies automatically for consistent reference points.

[Figure: Policy Auditor takes full advantage of the ePolicy Orchestrator infrastructure. Diagram labels: Third-Party Ticketing System; McAfee Service Desk; Remedy; ePO Ticketing; Policy Auditor Content; Policy Auditor Agent; Server; Policy Templates, Scheduled Scans, Audit Results; End Point; McAfee Agent; PA Plug-in; ePO; Assets, Policies, Events; Scans to perform sent to agent; Scan results sent back to server; Issues mapped to tickets.]

Consider the Distinctive Design Inside

With the market energy propelled by regulatory compliance, multiple commercial solutions address each of these seven steps separately. Some companies have deployed as many as six tools in their race to comply.
However, it takes standards support, management efficiency, and security tool integration to make audit processes efficient, consistent, and convenient.

Standards

Through open standards, Policy Auditor lets you import industry best practices and benchmark guidance to inform policy definition. As you identify issues, you can export scan and audit results into your IT remediation and audit processes. Not just convenient, this transparency raises confidence in the relevance and utility of audit data. Policy Auditor supports SCAP, CSV, HTML, and PDF.

Management efficiency

Policy Auditor 5.0 integrates completely within the management console of ePolicy Orchestrator. With 155 million users worldwide and a single deployment at over 5 million users, ePO provides a rock-solid foundation for implementing and maintaining policy infrastructure.

• Four tabs within the ePO console—benchmarks, checks, audits, and waivers—ease monitoring and navigation. Drilldown menus make it easy to act.
• The same ePO System Tree used to manage systems for anti-virus is used to audit for policy compliance
• Advanced query and reporting help every audit participant locate and share critical information
• ePO supports separation of duties with user rights management; audit teams can specify what the controls need to be and IT operations can select the reports. Seven unique permission sets, each with multiple rules, restrict access controls. You can segregate rights to modify, run, and view results. Use our examples or easily create your own.
• Automation and scheduling options increase consistency and reduce process burdens
• Through the single agent, single console design, each McAfee or third party product that uses ePO extends the operational savings. You eliminate extra management agents and consoles and reduce learning, deployment, and maintenance costs.

Security tool integration

McAfee Total Protection for Endpoint and McAfee Total Protection for Data use the same ePO infrastructure for their policy and function updates. Because of this single agent, audits can include system and data protection countermeasures as well as policy violations. (Note: McAfee Total Protection for Endpoint—Advanced includes Policy Auditor for use on client workstations.) For example, ePO can help enforce endpoint compliance to mandated security configurations, such as “every system must have up-to-date anti-virus installed.”

Similarly, when you use Policy Auditor with McAfee Network Access Control, you can assess and enforce SCAP-based policies before granting network access. Should assets fall out of compliance while on the network, you can automatically quarantine them until they meet policies.

McAfee solutions leverage the same security and compliance tasks and processes, including reporting, to minimize the learning curve. By pulling from a single ePO database, tools get consistent, up-to-date data. Third-party tools can integrate with ePO's open interfaces to streamline operations further.

Through these integrations, you gain a complete, reliable understanding on which to make decisions. You can efficiently consider both security and compliance activities within your standard procedures and prioritize the actions that minimize effort and maximize protection.

Take Seven Simple Steps and Sustain Compliance

At most organizations, compliance and security tools are multiplying irresponsibly as threats evolve. Through McAfee Policy Auditor 5.0 and its integration with ePO, you can rein in implementation and management costs. You can exert control, despite increasing complexity, and avoid Audit Fatigue. Looking for proof?
An Insight Express survey of ePO and non-ePO customers found that “integrated security management results in a 44 percent reduction in IT costs and 36 percent improvement in efficiency.” Large enterprises using ePO reduced their total number of administrators by an average of almost 12 people.

Estimate your savings

When an organization can cut a dozen administrators with salaries of $100,000, their annual savings is $1.2 million. Estimate your own savings through an ROI calculator created by Forrester: www.mcafee.com/us/enterprise/products/tools/ad/roi

Get Started

As a purpose-built product, Policy Auditor provides consistent, authoritative validation of compliance. Across the seven steps of auditing, you can meet audit requirements while minimizing cost and effort:

1. Policy definition—Build and customize policies based on expert content, open standards, and industry benchmarks
2. Policy implementation and lifecycle management—Eliminate manual efforts that threaten accuracy and tax IT and security teams
3. Data collection to validate policies and configurations—Use one tool across systems for scheduled and continuous audits
4. Monitoring, issue, and patch management—Simplify actions with custom dashboards and roles and open interfaces between tools
5. Measurement and scoring to document noncompliance—Weight rules to match business realities and build meaningful metrics
6. Waiver management—Use audit processes to accurately reflect workflow and reduce business disruption
7. Reporting against key mandates and internal policies—Deliver efficient, relevant reports with automated data collection, display, and distribution

Policy Auditor 5.0 introduces effective auditing of technical controls on top of the security and compliance management system of ePO. This powerful combination, closely integrated to become a single tool, makes day-to-day audit operations straightforward. With each added audit cycle, regulation, and system, you can achieve greater economies of scale and efficiencies of operation.

Learn more at www.mcafee.com/grc

About McAfee, Inc.

McAfee, Inc., headquartered in Santa Clara, California, is the world’s largest dedicated security technology company. It delivers proactive and proven solutions and services that secure systems and networks around the world, allowing users to browse and shop the web securely. With its unmatched security expertise and commitment to innovation, McAfee empowers home users, businesses, the public sector, and service providers by enabling them to comply with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. http://www.mcafee.com

McAfee, Inc. 3965 Freedom Circle Santa Clara, CA 95054, 888.847.8766 www.mcafee.com

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2008 McAfee, Inc. All rights reserved. 1-na-cor-grc-wp-001-1008