Compliance Management Forum

With what GRC authority documents must your organization comply?

Tue, 23 Jun 2009 16:56:38 Z

Whether you're part of a private/public, European/Asian, small/large organization... your organization usually must comply with international, domestic, industry, and other compliance requirements. These requirements are usually written in the form of governance, risk, and compliance (GRC) authority documents. They may take the form of law, regulations, industry practices, customer contracts, and other documentation applicable to your organization.

With what GRC authority documents must your organization comply?

Security Compliance Toolkit - Server 2008 R2?

Tue, 01 Dec 2009 05:24:32 Z

Hi guys - any proposed release date on this? Or can we do the duplicate the baseline trick and change the OS version in DCM?

IT Compliance Management Series for Windows - Beta Review Program Now Available

Tue, 10 Nov 2009 16:45:25 Z

Download the IT Compliance Management Series for Windows

We've just kicked off the new IT Compliance Management Series with the Beta Review program of its first two releases:

· IT Compliance Management for Windows Server 2008 and Windows Server 2008 R2

· IT Compliance Management for Windows 7

For more information about these releases, check out the new post in the announcements section above. Please stay tuned for additional forthcoming releases to the series, and in the meantime, we’d love to receive your feedback on these.

Thank you!

Jason Osborne

GRC Program Manager

PDF Download: Benefits of Regulatory Requirements with respect to Business Optimization - An IT-Infrastructure Compliance Maturity Model for Management, Compliance and IT Stakeholders

Sun, 28 Jun 2009 14:47:48 Z

Microsoft Germany (Author: Michael Kranawetter (Xing-Profile)) published in cooperation with Experton Group a whitepaper, in English language and as well in German language: Benefits of Regulatory Requirements with respect to Business Optimization - An IT-Infrastructure Compliance Maturity Model for Management, Compliance and IT Stakeholders
This document describes an approach that – like the Pareto principle – takes the phenomenon of distribution of effort into account. Keeping track of the fundamental issues and focusing on solving those takes us far closer to our goal – compliance. The focus here will be on aspects of infrastructure compliance, which are naturally very closely linked to the topics of availability, trust, and integrity, and thus build a bridge to information security. Does this mean that the document is for security experts only? On the contrary: At the end of the day, the aim is to create a communications basis for mutual understanding that allows the reader to gain a foothold in the field of compliance at various levels and from various viewpoints using a variety of approaches. The document can be read by managers, technical decision makers and IT experts alike. Start where you feel most at home.

You could find the PDF-Document in this Blog-Article: Download: Issue: IT-Compliance [PDF Deutsch / English]
Furthermore, you could switch the language with the Microsoft Translator Widget on the site.
But sure, you could scrolling down and you will find at the end of the site the englisch Download-Hyperlink.

Best wishes,
Kay

http://www.giza-blog.de/

What's on your compliance wishlist for Windows Server 2008?

Tue, 23 Jun 2009 16:46:52 Z

Are you an IT professional that has been assigned the task of 'making Windows Server compliant' with your organization's governance, risk, and compliance (GRC) requirements? Are you the IT professional auditors grill for compliance configuration answers? If so, we need your feedback!

1. Where do you go for GRC information pertaining to Windows Server 2008 and other Microsoft products?
2. What Windows Server 2008 settings and features would make compliance easier for your organization?

Question for IT Staff: What IT compliance configuration problems plague IT staff most?

Tue, 23 Jun 2009 16:40:09 Z

Often IT is called upon by management to 'make IT compliant' with governance, risk, and compliance requirements. All to often the organization has not aligned business and IT goals, making the problem more difficult to address. If you have ever been assigned compliance management duties or tasks in any IT environment, we would like your responses to the following questions.

1. How are governance, risk, and compliance (GRC) requirements communicated to the IT department?
2. How does your IT department plan and implement a GRC compliance program?
3. Where does your IT department search for GRC related information on Microsoft product configuration and operation?

Forum or portal for questions about Security Accelerators

Sat, 13 Jun 2009 17:13:27 Z

Hi,

I'm trying to find a place to ask questions specifically about the Security Solution Accelerators and their use.
Where can I do that or is there such a place yet?

FAQ: Will the Compliance Planning Guide map every GRC authority document?

Tue, 04 Nov 2008 19:49:27 Z

Summary

(this post is subject to modification at any time)

This FAQ explains the GRC authority document mapping strategy within the Compliance Planning Guide. Many will ask why a specific authority document was not included, or why more specific guidance was not provided for GRC requirements within mapped authority documents.

Short Answer:

The Compliance Planning Guide includes information pertaining to eight GRC authority documents that represent a broad range of GRC subject matter. GRC authority documents were chosen for their general applicability to world-wide business, GRC subject matter coverage, and breadth of deployment. Future revisions of guidance may include additional mappings to other GRC authority documents, but there are no plans to map every authority document. Consult the forum for GRC authority document-specific postings. We expect to manage GRC authority document-specific guidance through this forum, as it allows others to share their experiences.

Frequently Asked Questions:

1. Will you be mapping to regulation X or standard Y within the published guidance?
2. How often will you update mappings when the authority documents inevitably change?
3. How were the eight example GRC authority documents chosen?
4. Will more GRC authority documents be included in the guidance?
5. I understand the idea of GRC authority document examples, but you missed a key component that isn't covered in your example authority documents. How can I let you know so the next revision of guidance can be improved?

Answers:

1. Will you be mapping to regulation X or standard Y within the published guidance?

Additional GRC authority documents will not be mapped within the published guidance. The eight authority documents presently mapped are meant to provide examples of GRC requirements, and how these requirements may be managed through existing or new business process and technology deployments.

This forum will provide a communication and reference point for all IT professionals interested in the GRC experiences and expectations of others when dealing with GRC subject matter far beyond the provided guidance. Postings may address any one of the 400+ existing GRC authority documents, experiences of IT professionals, and postings from auditors. It is expected that this forum will become as valuable a resource (if not more so) than the published guidance.

If you have a GRC authority document related question, post it in the forum.

2. How often will you update mappings when the authority documents inevitably change?

Each GRC authority document represented within the published guidance refers to the current version of each GRC authority document at the time of publication. If a new version of a represented GRC authority document is released in the future, an announcement will be published in this forum.

3. How were the eight example GRC authority documents chosen?

GRC authority documents were chosen for their applicability to world-wide business, representation of GRC focus, and breadth of deployment. Chances are high that the GRC requirements within these authority documents are shared with other authority documents applicable to your organization. Consult your GRC subject matter expert to determine where these commonalities exist.

4. Will more GRC authority documents be included in the guidance?

Additional GRC authority documents may be included within the next version of guidance, depending upon customer needs. The guidance is not meant to map all GRC authority documents, but rather demonstrate an effective method by which an organization can manage any GRC authority documents applicable to the organization.

5. I understand the idea of GRC authority document examples, but you missed a key component or requirements that isn't covered in your example authority documents. How can I let you know so the next revision of guidance can be improved?

Post in the forum! We really want to understand how technology can relieve the burden of compliance. There is no better way than hearing from you. You may be a GRC expert, or new to this material. Whatever your level, your experiences are immensely valuable to the community. You are definitely not alone, and a dedicated team at Microsoft wants to hear what you have to say. Your comments can result in significant changes to one or more Microsoft products, and personal recognition in future guidance.

2009 Cybersecurity Act

Sat, 04 Apr 2009 20:29:22 Z

A worthwhile read. An annuity if it passes and you have the right credentials. http://cdt.org/security/CYBERSEC4.pdf

Training

Wed, 26 Nov 2008 00:22:08 Z

Any plans regarding providing end user training for the Compliance product line? Do you see any tie-in to the System Center product line which has a lot of MOF running through it.

Ted Dziekanowski

Techcenters

Tue, 09 Dec 2008 18:47:42 Z

Here is a general question to eveyone.

Do you use techcenters/technet as a primary means of getting technical information from Microsoft?

For instance, are you aware of www.technet.com/regulatorycompliance as a compliance technet site?

Frank

Enterprise Compliance Solution

Thu, 13 Nov 2008 14:06:19 Z

Frank,

I was interested to hear about the compliance solution you are working on. We have a SAAS solution built in .NET and SQL Server that addresses big chunks of the governance, risk and compliance headaches companies face. I am wondering if there are ways we could extend it to integrate into some of the management and security features that are in various Microsoft products or perhaps into this new solution you are working on so that it could better solve our client's problems. Have you guys published any details on your solution yet? Please let me know if there are ways to get involved.

Thanks.

David McCormick
VP Software Development
TruArx

WISH: One Tool to map and track controls from various compliance standards

Sun, 19 Oct 2008 22:06:08 Z

It would be great is a tool could track and map the verious controls across different standards, e.g. COBIT, ISO 27001, PCI DSS, BS 25999. This tracking tool can then ensure we do not reinvent the wheel for new compliance projects.

For example if I have implemented a number of COBIT controls for SOX compliance and I then need to ensure I am compliant with PCI DSS and then later with ISO 27001, having a repository to map the various controls will help me better plan projects and identify what is in place already thus saving time and money.

The IT Compliance Management Guide is now available!

Thu, 30 Oct 2008 22:15:41 Z

The Microsoft IT Compliance Management Guide is now available!

This Solution Accelerator can save you time and money by shifting your governance, risk, and compliance (GRC) efforts from people to technology. Use its configuration guidance to help efficiently address your organization’s GRC objectives with Microsoft technology you may already own.

This Accelerator helps you better understand how an IT process framework can help you implement GRC controls in your Microsoft infrastructure.

The IT Compliance Management Guide includes a Microsoft® Operations Framework (MOF) 4.0 companion guide that is based on the Regulatory Compliance Planning Guide.

The IT Compliance Management Resources workbook saves you time by bringing together the information you need. It provides an extensive inventory of GRC-related configuration tasks and guidance organized by Microsoft product name.

WISH: Managing and reporting on "Who has access to what?"

Tue, 04 Nov 2008 00:26:13 Z

Please pile on and tell us if this Wish is important to you or not.

Several people have told us that this area is important - and that managing and reporting on who has access to what can be challenging.

With that in mind - we'd like to know some more details:

Which regulations and standards drive this need the most for you?
How do you manage "who has access to what" today? (Process + software)
Which systems are most affected by this need - does it apply to everything or only some systems?
What are the specific questions your auditors ask related to "who has access to what?"

Thanks,

Derick

- "Shifting the effort of compliance from people to technology"

Help us improve Solution Accelerators for you!

Mon, 03 Nov 2008 22:32:11 Z

We want to hear what you think about Solution Accelerators - such as the Microsoft Operations Framework, the IT Compliance Management Guide, and our Security Guides – so we can make improvements and build better products.

Have you tried a Solution Accelerator? If so, please share your experience with us by completing this short survey: http://go.microsoft.com/fwlink/?LinkID=132579 (less than ten minutes).

Thanks,

Derick

- "Shifting the effort of compliance from people to technology"

clients report not detected using DCM and the security compliance management packs for vista

Tue, 21 Oct 2008 10:58:10 Z

I have downloaded the sollution accelerator imported the baseline templates in sscm 2007 sp1 and enabled the agent.

The reports show at every item not detected.

Is this sollution accelerator (the vista-enterprise-desktop) not compatible with Vista enterprise SP1?

I have left all default no changed made to the templates and yes I have assigned the templates to a collection

Wish: What's on your Compliance Wish List?

Mon, 29 Sep 2008 17:25:24 Z

Many of you have heard of Solution Accelerators before - but did you know that the Solution Accelerators team is also responsible for driving significant improvements into Microsoft product lines?

On the Security and Compliance team, we'd like to hear from you - what software do you want to see from Microsoft that will help you with your Governance, Risk, and Compliance (GRC) needs?

Let us know what you want. Simply create a new discussion here in this forum, and start your subject line with "Wish: " (no quotes).

When you see a Wish that you agree with - jump on the discussion! Add your own thoughts, offer alternatives, and suggest improvements. Feel free to describe how you're fulfilling the need today to give others a hand. You can also talk about the regulatory or GRC reasons behind the wish - what's really driving this particular need?

Wishes may be for additional features or changes to existing products, or may be new products that Microsoft does not offer today. Don't constrain yourself - be creative!

Our team will be triaging all the wishes we receive, and working to drive the most important ones into the company as part of our GRC Mobilization effort. We'll make sure these ideas are heard!

Thanks for helping out,

Derick Campbell \| Group Program Manager Solution Accelerators - Security and Compliance	SOLUTIONACCELERATORS Did you know? Over half of the top 30 security downloads on Microsoft.com are from our team.
- "Shifting the effort of compliance from people to technology"