Most large-scale entities need to prove compliance with multiple regulatory standards. Whether for finance companies, retailers, manufacturers, or hospitality firms, meeting compliance mandates can be a major drain on time and resources if you let it. On top of that, it’s not uncommon to have an internally-created compliance standard that demands enforcement. These internal standards require the same level of monitoring as the regulatory policies and necessitate adoption across the same, often varied and dispersed, IT infrastructure. The truth is that many businesses end up with an excess of tools applied piecemeal across their estate.
There are many reasons why businesses may be required to supplement their current compliance program with additional policies down the road. It is important, therefore, to use a solution that is designed to shift dynamically as corporate needs expand or change. For instance, if a company enhances its product or service offerings, it may need to think about adhering to additional policies to meet new regulatory commitments. Likewise, when companies merge or acquire additional businesses, they often need to augment their current grouping of policies.
Consolidate Vendors While Expanding Compliance
Rather than sink resources into managing and maintaining different vendors for different compliance requirements, Tripwire® Enterprise allows you to apply one tool across your entire IT environment with a customized combination of policies tailored specifically to you. You can augment the template with your own internal policies so that you can report back to your leadership and board members about how you are aligning to internal standards. For example, you may need to be able to prove continuous compliance with PCI-DSS (the Payment Card Industry Data Security Standard) and ISO 27001 (from the International Organization for Standardization) in addition to an internally-created corporate compliance standard. By using Tripwire Enterprise, you can create a bespoke compliance program to apply each of these policies from one unified console. Even if your business wished to start with a best practice framework such as the Center for Internet Security’s CIS standard, you could quickly diversify as your needs change.
Over 2,000 Platform and Policy Combinations Available
Tripwire Enterprise establishes and maintains consistent compliance through agent-based and agentless continuous configuration assessment against thousands of combinations of platforms and security and compliance policies, standards, regulations, and vendor guidelines. Tripwire offers the widest selection of policy combinations on the market. Enhance, standardize, and mix and match your own internally-created compliance policies alongside those required by industry standards.
Each policy will have the following four key components:
- Tests that check the state of a specific configuration setting
- Scores that measure the overall conformity of a system or device
- Weights that indicate the relative importance of a test
- Thresholds that separate the most urgent failures from the rest
Tripwire Enterprise also allows for complete policy customization, waiver and exception management, automated remediation options, and prioritized policy scoring with thresholds, weights, and severities. It does all this while providing auditors with evidence of compliance and making policy status highly visible and actionable for compliance teams. This is handled by Tripwire Policy Manager, a component of Tripwire Enterprise.
Continuous Instead of Periodic Compliance Monitoring
Can you pinpoint your exact level of alignment to a given regulatory standard at any given time? Using security configuration management (SCM), Tripwire Enterprise establishes compliance intelligence on a continuous basis.
SCM is also about helping you continuously maintain a compliant system state post-audit rather than capturing a mere snapshot of compliance for a specific moment in time. It’s not enough to know that you were aligned with your compliance mandates under the scrutiny of an auditor. The goal should be having the ability to know your exact compliance level at any point in time—audit or not.
When new assets are deployed and hardened, the confidence in the functionality of those assets is usually high. But as users and administrators interact with them, as software and operating systems are upgraded, and as settings are changed, that confidence degrades over time.
The continuous monitoring provided by an SCM solution like Tripwire Enterprise, however, tracks these changes as they’re made. That means you can immediately see when changes take your organization out of compliance and then take steps to remediate back to your baseline state. That way, you can maintain a consistently higher level of confidence in those assets over time.
Apply Different Policies to Different Assets
Larger enterprises are complex and have many layers. The customization available within Tripwire Enterprise can reflect that complexity to get the best actionable information out of your environment. You may have your company divided by location, system owner, business owner, application, and so on. Being able to tag your assets by the logical schema that maps your organization allows you to better report on your compliance.
Creating a bespoke compliance policy combination with Tripwire Enterprise enables tool consolidation, increases efficiency by freeing up time and resources, and allows you to roll out your own custom hardening standards. Being able to use a standard template and add bespoke policies based on your company’s culture (and direction) gives you confidence in your continuous compliance state and saves substantial time and effort.