Compliance is a requirement for any company regardless of its size and configuration. Being compliant will generate benefits for your company. Take your customer purchase, sales, and invoice data as an example. Regardless of where this data resides—in an Excel sheet or a Customer Relationship Management system—if the server holding this data is stolen because it was not protected, even by a simple lock, then your company has multiple problems, and you become non-compliant. In that case:
Your company might not be able to fulfill your customer orders or send quotes, leading to loss of revenue.
If you are not able to regain this information, you will have a reputational issue, as customers will find out about it and not trust you any longer. In the worst-case scenario, they may cancel further work with your business.
Your business is non-compliant because you breached data protection laws which state that sensitive data should be protected.
Being compliant will not only help you to save money in the long term and potentially keep your managers out of jail, but it could also lead to competitive advantages.
In recent years, more and more companies have demanded certain certifications or adherence to standards from participants in a tender. So, being compliant with certain standards will provide you with a competitive advantage.
This book will start you on your journey to creating a compliance program and realizing the benefits of implementing this program using Microsoft Security Compliance Manager and the Microsoft System Center family.
We will start with the basic recipes that you should have as the absolute minimum and, with each chapter, add greater complexity.
Although throughout this book, we refer to System Center 2012, all examples have been tested on System Center 2012 R2.
Chapter 1, Starting the Compliance Process for Small Businesses, covers the initial recommended critical tasks to start a compliance program. It offers hands-on advice on how and where to start at a very basic level. It looks at different regulatory requirements and shows how to interpret them, how to understand the scope, and how to plan for controls.
Chapter 2, Implementing the First Steps of Basic Compliance, discusses and provides steps to start a compliance program with the free Microsoft Security Compliance Manager. Within the Microsoft environment, this tool, in addition to Best Practice Analyzer, offers tremendous help with no additional costs in starting a basic compliance program. The required steps are provided in the chapter.
Chapter 3, Enhancing the Basic Compliance Program Using Microsoft System Center 2012 Configuration Manager, provides task steps to create a GPO compliance baseline using Microsoft System Center 2012 Configuration Manager.
Chapter 4, Monitoring the Basic Compliance Program, provides task steps to monitor for breaches or adherence to your compliance program. Further recipes provide information on implementation and configuration/usage of Audit Collection Services, which is specifically designed for various compliance tasks.
Chapter 5, Starting an Enterprise Compliance Program, focuses on larger businesses that already have at least a basic IT security program in place. It is a planning chapter that provides steps leading to an enterprise-wide compliance program. It also provides explanations and examples while introducing the key steps to a successful implementation.
Chapter 6, Planning a Compliance Program in Microsoft System Center 2012, provides recipes on how to integrate the System Center products. The recipes use hands-on examples to show the planning and implementation steps required to align the System Center tools with the compliance process.
Chapter 7, Configuring a Compliance Program in Microsoft System Center 2012 Service Manager, is focused on recipes that aid in the creation of a compliance program using Microsoft System Center 2012 Service Manager. It provides information on how to centralize compliance information within Microsoft SCSM 2012.
Chapter 8, Automating Compliance Processes with Microsoft System Center 2012, focuses on automated centralization of control status information within the System Center family. In addition, it provides information on how to implement steps so that further automation is possible.
Chapter 9, Reporting on Compliance with System Center 2012, provides recipes on report functionalities within the System Center family. The recipes show how to create reports based on the controls created in the previous chapters.
Appendix, Useful Websites and Community Resources, notes that the System Center products, like most Microsoft products, have an extended solutions partner community and an extensive, active support base on the World Wide Web. This appendix lists some of the sites that provide ready-made solutions and extensive real-world dynamic content on System Center. In addition, it provides resources for compliance questions, including official (governmental) websites that help small businesses understand their obligations, as well as resources focused on more technical security/compliance issues, so that you can understand the landscape in which your business operates.
In order to complete all the recipes in this book, you will need a minimum of three virtual or physical servers configured with the following:
Security Compliance Manager 3.0 and System Center 2012 R2 (or 2012) Configuration Manager
System Center 2012 R2 (or 2012) Operations Manager with Microsoft SQL Server
System Center 2012 R2 (or 2012) Service Manager
The following is the list of technologies the recipes depend on and their relevant versions used for this book:
Microsoft Active Directory (Windows Server 2008 R2 and above)
Microsoft SQL Server 2008 SP3 and above (for the System Center products)
The required software and deployment guides of the System Center 2012 R2 product can be found at the official Microsoft website at http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2/default.aspx.
The authors recommend using the online Microsoft resource due to the frequency of updates to the product's requirements. Also, note that the dynamic nature of the Internet may require you to search for updated links listed in this book.
The target audience of this book is administrators, security professionals, or IT managers trying to understand compliance capabilities. In addition, it targets compliance teams and process owners responsible for designing and implementing compliance and IT security within their businesses.
The recipes in this book start at the beginner's level and add more complexity with each chapter on compliance topics based on System Center. The ultimate goal is to provide the reader with knowledge on how to start the compliance process by understanding regulatory requirements; to enhance their existing skills in System Center with regard to compliance settings; and, most importantly, to share the experience of seasoned technology implementers.
In this book, you will find a number of styles of text that distinguish between different kinds of information. In addition, certain terms are used within this book. As they have no universally agreed meanings, the most important terms are explained in the next section. After that, examples are provided of the styles used and an explanation of their meaning.
The following are some terms used in the book:
Terms used in this book
The laws or industry standards that apply to a business and are imposed by authorized bodies such as a government.
This is a set of guidelines that details an approach designed to adhere to regulations. It outlines rules to achieve this goal based on the organization's business processes and (internal) controls.
This specifies the requirements that a company must adhere to. They may take different forms such as laws, regulations, industry best practices, customer contracts, or internal policies. In essence, they are similar to regulatory requirements. Sometimes, certain control objectives are spelled out in them, but most often businesses have to determine those themselves.
Control objectives are most often abstract. They answer the questions "what" and "why". Therefore, they can be defined by someone who understands compliance but doesn't have in-depth technological knowledge. For example, the German data protection law specifies that transferred customer data has to be protected. So the control objective would be "data protection".
These are activities to help ensure that requirements, stated in policies to address risks, are met. They answer the questions of "who", "where", "when", and "how." Therefore, they have to be defined by someone who has in-depth technical knowledge. Control activities may take different forms such as approvals, segregation of duties, reviews, and so on. Based on the previous example, the control activity defines who is responsible for protecting the data, which systems to include, and how data should be protected.
A program gives a structure to compliance management. It contains authority documents and their mapping to control objectives, control activities, and documentation for the results of those controls; it might also contain risk assessments and further documentation. Quite often it is tool-assisted.
This is the process of identifying, assessing, and managing risks. Based on the company's risk level, it includes the decision on whether to minimize, monitor, or control the probability and impact of those risks. Issues with negative outcomes from those risks will be transferred, minimized, or accepted.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The provided path is the default one; please modify it for your configuration. On the destination system, start the
Any command-line input or output is written as follows:
REM Loop that repeatedly tries to map the C$ share of a monitored domain controller;
REM the placeholder in angle brackets and the password are dummy values to be replaced.
set /a x=1
:Start
net use o: \\<Name of a monitored Domain Controller>\c$ /User:Administrator hjghkgkjhgkjg
set /a x=%x%+1
if %x% NEQ 20 goto Start
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Click on the Star button next to the Active Directory Containers label."
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.