RSA, the Security Division of EMC, Delivers Standards-Based Approach to Help Simplify Compliance

BEDFORD, Mass., May 6 /PRNewswire/ -- RSA, The Security Division of EMC , today announced the findings of a new research paper that details the benefits organizations may gain -- including reduced costs and improved security -- by implementing a standards-based framework of security controls. The paper also details the ability of comprehensive security frameworks to help companies more easily comply with a variety of security requirements handed down by regulatory bodies, industry groups, partners, customers and internal policies.

In addition, RSA announced new reports within the RSA enVision(R) security information and event management solution that are designed to enable organizations to more easily report on key aspects of the ISO 27002 standard -- a global code of practice for information security management which is useful in defining an effective set of best practice security controls as part of a compliance framework.

In March 2008, RSA commissioned Michael Rasmussen, industry analyst and President of Corporate Integrity, to undertake a research paper based on what it means to develop a "sustainable and cost-effective IT compliance program." The key findings of this project are that the typical approach to compliance -- responding on a regulation-by-regulation basis without an integrated IT compliance management program -- escalates costs, reduces visibility of the control environment overall, wastes resources, and leads to unnecessary complexity, inflexibility, vulnerability and exposure.

"A proactive approach to IT compliance allows organizations to look confidently to the future while also mitigating risk in the course of business," said Mr. Rasmussen. "An effective IT compliance program should be centered on a comprehensive framework, based on industry-wide standards -- such as ISO 27002."

Security Frameworks-Based Programs to Simplify IT Compliance

As organizations worldwide struggle to both comply with a plethora of compliance requirements and improve enterprise-wide security, a framework-based approach founded upon best practices and controls helps customers to build a proactive security program that may effectively break down the walls that often isolate organizational compliance silos. By driving compliance holistically, rather than on a requirement-by-requirement basis, companies may reduce costs by both avoiding redundant technology controls and easing the process of managing compliance. In addition, leveraging international standards such ISO 27002 as the foundation of an IT security and compliance program helps organizations align efforts to comply with key portions of many global regulations, including: the Payment Card Industry (PCI) Data Security Standard (DSS), HIPPA, Sarbanes-Oxley, the European Union's Data Protection requirements and regional data privacy laws.

"Our forward-thinking customers are using framework-based security and compliance programs to cost-effectively satisfy multiple requirements and manage information risk," said Steven Preston, Senior Director, Solutions Marketing at RSA, The Security Division of EMC. "This goal can be achieved through the application of a consistent, holistic set of repeatable, scalable, enterprise-wide controls, which are centered upon recognized IT security best practices."

RSA Solutions to Establish Security Frameworks for Simplified Compliance

RSA's portfolio of technology solutions offers key security controls that help organizations establish frameworks based upon global best practices and standards. Key controls delivered by RSA's solutions include:

-- Authentication: -- RSA SecurID(R) Authenticators and RSA(R) Authentication Manager comprise the market-leading solution for providing strong authentication of users accessing network resources remotely. The RSA SecurID solution is also designed to integrate with hundreds of network devices and software platforms to enable strong authentication for administrative access, and to enable strong user authentication to operating systems. RSA SecurID technology also is engineered to support efforts to control access to mobile devices, such as laptops. In addition, RSA SecurID technology is built to enable organizations to restrict access to sensitive data by de-provisioning the RSA SecurID credential. -- In addition, RSA(R) Digital Certificate Solutions, RSA(R) Smart Cards and RSA(R) Adaptive Authentication are built to provide a variety of flexible controls for effective user authentication. -- Data Loss Prevention: -- RSA(R) Data Loss Prevention (DLP) Suite is designed to provide unified, seamless data policy orchestration across the enterprise, allowing customers to discover and monitor sensitive data and apply the appropriate enforcement mechanisms to secure sensitive data across the IT stack. In addition, the RSA DLP Suite is engineered both to regularly scan your environment to detect content that is out of compliance with defined policies and to notify administrators or take action -- such as quarantining sensitive data -- depending upon the rules established by the organization. The RSA DLP Suite is also built to enable organizations to continuously monitor all incoming and outgoing messaging communications via e-mail or via the web to help ensure that no data transfers take place that violate requirements. The RSA DLP Suite is also designed to control what information may move onto and off endpoint devices, such as laptops, providing complete control over how sensitive data may travel into and out of an organization. -- Encryption & Encryption Key Management: -- RSA(R) File Security Manager is designed to protect sensitive data on Microsoft(R) Windows(R) operating systems and Linux(R) servers at the file- and directory-level by providing transparent encryption and access control capabilities, which help ensure that administrators can continue to perform their responsibilities without actually viewing sensitive information. -- RSA(R) Key Manager is engineered to offer organizations enterprise key management for a wide variety of EMC, RSA and third-party encryption solutions. RSA Key Manager with Application Encryption is designed to offer encryption at the application layer so that sensitive data can be encrypted at the point of capture. RSA Key Manager for the Datacenter is built to support encryption solutions from EMC, Cisco, Oracle and RSA at the database, file, disk and tape level. The RSA Key Manager Server is designed to securely distribute, vault and provide lifecycle management for encryption keys. -- Logging, Monitoring and Reporting -- RSA enVision(R) technology is a market-leading log management solution for simplifying compliance, enhancing security operations and optimizing IT & network operations. The RSA enVision platform is engineered to provide the foundation for companies to enact a successful ISO 27002-based framework for security, compliance and IT operations. The RSA enVision platform is designed to provide the core capabilities necessary to institute an ISO 27002-based program, including the monitoring of IT components managed by third parties, the correlation of events across the infrastructure, the monitoring of network components and business information systems for security incidents and events, the management and protection of event logs, the detection of security events, and the ability to alert administrators to such threats.

New Reporting Capabilities Within the RSA enVision Platform for ISO 27002-based Security and Compliance Programs

The RSA enVision platform is designed to offer a comprehensive suite of out-of-the box reports, which help enable organizations to effectively monitor their ISO 27002-based security and compliance program. These reports are prepared to align directly with the ISO 27002 standard, and help enable organizations to effectively demonstrate compliance with critical areas of the specification. Reports within RSA enVision platform related to ISO 27002 focus on areas such as computer account logon activity, computer account status, control of collected evidence, control of human resources data, malicious software activity, password changes and expirations and source code access.

Information Security Services to support Framework-based Compliance Initiatives

In addition to delivering a broad range of security controls, various EMC information-centric security consulting services -- leveraging solutions from RSA -- help enable organizations to effectively enact framework-based compliance programs. These include:

-- Information Risk Assessment is designed to provide a systematic overview of enterprise security capabilities and a roadmap for remediation by assessing governance, policy, data protection, authentication, access, and other security controls. -- Information Security Policy Development helps ensure compliance with internal and external mandates by defining and mapping policies to best practices, business requirements, and appropriate regulations. -- Information Security Program Development is designed to align an enterprise security posture with business objectives and helps meet requirements for regulatory compliance by providing guidance to improve the maturity of security capabilities, policies, organization, and controls. -- RSA Data Loss Prevention RiskAdvisor is engineered to provide automated discovery of unprotected sensitive information along with remediation processes and policy recommendations. -- Assessment Service for Storage Security helps improve protection of business-critical information by assessing security and prioritizing remedial actions for enterprise storage infrastructures including storage systems, storage switches, and management consoles. -- Classification for Information Security is an existing service that is engineered to provide the basis for the implementation of appropriate security controls by cataloging and identifying the value, sensitivity, and protection requirements of critical business information. -- RSA Design & Implementation Services help guide customers through the design and implementation of a solution, helping to ensure a lasting return on technology investment. More information may be found at http://www.rsa.com/compliance. About RSA

RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle -- no matter where it moves, who accesses it or how it is used.

RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit http://www.rsa.com/ and http://www.emc.com/.

RSA, SecurID, enVision, is a registered trademark and/or trademark of RSA Security Inc. in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds. All other products and/or services mentioned are trademarks of their respective companies.