Microsoft Assessment and Planning Toolkit 4.0 Beta Now Available!

Windows 7 and Windows Server 2008 R2 will be available in the near future. Are you thinking about deploying these new operating systems? Get a head start with Microsoft Assessment and Planning Toolkit 4.0 Beta. Over 680,000 Microsoft customers and partners including Costco Wholesale Corporation, Continental Airlines, and Banque de Luxembourg have already downloaded and used this toolkit to date.

Introducing Microsoft Assessment and Planning Toolkit

Microsoft Assessment and Planning Toolkit 4.0 is an integrated planning toolkit that makes it easier for Microsoft customers and partners to quickly identify what servers, workstations, and network devices are in their IT environment. This agentless and scalable toolkit has the ability to discover all computers within Active Directory and workgroup environments. It performs key functions that include hardware and device inventory, hardware compatibility analysis, and generation of actionable, environment-specific IT proposals for migration to most major Microsoft technologies.

What’s New with v4.0?

Version 4.0 of this toolkit has the following new features:

· Windows 7 Hardware and Device Compatibility Assessment

· Windows Server 2008 R2 Hardware and Device Compatibility Assessment

· Virtualization Candidates Assessment for Hyper-V R2 Server Consolidation

· Integration with the Microsoft Integrated Virtualization ROI Calculator

· Inventory of VMware Server Hosts and Guests

· User Interface and Proposal Customization for Partner co-branding

· Enhanced Usability and Improved Inventory Performance

Next Steps: How can I get Microsoft Assessment and Planning Toolkit 4.0 Beta?

· Download Microsoft Assessment and Planning Toolkit 4.0 Beta and give us your feedback (Live ID login and registration required)

· View the Webcast on MAP Toolkit 4.0 Beta (use Recording Key: fqX`%3t.X)

· Learn more about this toolkit and read case studies on TechNet

· To provide technical feedback on this Beta, please e-mail at MAPSBETA@microsoft.com

· Get the latest news from the Microsoft Assessment and Planning Toolkit Team Blog

Microsoft Survey

In SAT we value your interest in our work. We would like to ask you to take a few minutes of your day and fill out a quick survey. Tell us how we're doing, and what we can do better.

We want to hear what you think about Solution Accelerators—if you’ve used a Solution Accelerator within your organization, help us by completing this short survey.

Now Live - TechNet Radio: IT Manager Dialog Series: Governance and Compliance

A new TechNet Radio segment on our work has just been completed. If you're interested in hearing a bit more about our work on compliance, take a listen to the audio cast.

January 27, 2009

IT Manager Dialog Series:  Governance and Compliance

In our monthly IT Manager Dialog Series we open up and talk to the experts both inside and outside of Microsoft about the latest trends impacting IT, and the resources and guidance available to help you plan and deploy the latest Microsoft technologies.  The often misunderstood and under-appreciated topic of governance and compliance is at the center of this episode. Joining us from Microsoft is Frank Simorjay, Product Manager for the Solution Accelerators Security and Compliance Team in Redmond.

Length: 0:22:57

WMA | MP3 High | MP3 Low
To save to your computer, right click and choose 'save target as…'.

Participants
Eric Ostrowski

Your Show Host and TechNet Radio Producer

Wayne Applehans

Audience Marketing Director, Microsoft

Frank Simorjay

Product Manager, Microsoft Solution Accelerators Security and Compliance

Dean Andrews

Program Manager, Microsoft Usability

**More about TechNet Radio can be found here:**

http://technet.microsoft.com/radio

Opportunity to participate in a Live meeting.

The compliance team would like to invite you to a live meeting where you can share your ideas on compliance. If this interests you, please read on.

‘Reduce the cost and effort of configuring and validating Microsoft products to address customer IT GRC requirements.’ - Project Tribeca Team

Does your IT team struggle to cope with the ever-changing demands of domestic and international governance, risk, and compliance (GRC) requirements? Microsoft is working to provide product configuration guidance to help IT professionals achieve compliance with hundreds of GRC authority documents, including SOX, PCI, HIPAA, GLBA, and EUDPD.

Join the Microsoft Project Tribeca team in weekly discussions to help shape content, GRC authority document alignment, and technology configuration guidance that directly affects your organization.

Topics

  •  GRC Authority Document Scope: U.S., European Union (EU), International
  •  GRC Control Objectives, Activities, and Tests

Open Questions

  •  What GRC authority documents affect your organization?
  •  How does your IT department manage change/configuration for GRC requirements?
  •  How does your IT department associate required change and configuration management with GRC objectives?
  •  What types of GRC guidance and tools do you expect or desire from Microsoft?
  •  Has your organization used the IT Compliance Management Guide?

Meeting Dates

Attend any single Connect meeting, or several of them.

In addition, three lucky qualified attendees will win a copy of Windows Vista Business Edition!

  • 1/28/09 8 AM PT - What GRC Authority Documents impact your organization?
  • 2/04/09 8 AM PT - How does your IT department manage change/configuration for GRC requirements?

Please join us by signing up for the IT governance and Compliance program in Microsoft Connect. Click here to join the program.

After you have joined the program, bookmark the following link to return to the program site and get the latest information about upcoming events:

https://connect.microsoft.com/site/sitehome.aspx?SiteID=657

Online Services and the Competitive Edge of a GRC Solution

If your organization's primary revenue stems from an online services model (SAAS, ASP, etc.), you're intimately familiar with the governance, risk, and compliance (GRC) requirements of your customers. Deals can be won and lost depending on your organization's ability to demonstrably address GRC requirements, which is a daunting endeavor. Chances are that your organization is considerably smaller than that of your customers, resulting in customer demands that your organization might struggle to accommodate. Your customers could also span many industries and locations, and could range from garage startups to pillars of the Fortune 100. How does your organization handle these diverse GRC requirements? More importantly, how do you make your organization's GRC Service Management solution a competitive differentiator? You might quickly find that your GRC solution could become a barrier to your competitors and prevent your customers from even considering them as an alternative.

Focus on markets with similar GRC needs

If your organization can identify a market segment that shares similar GRC requirements, a focused compliance effort can result in domination of that market. If your organization steadily raises the compliance bar, it can build a solid GRC solution that forces the competition to follow your lead. More complex GRC markets can then be tackled, easing the organization's compliance burden through paced incorporation of a truly functional and auditable GRC solution. Soon you aren't blindly promising that your customer can trust you, hoping nothing happens. Instead you can let your GRC solution speak for you, while your competition is left scrambling for evidence they can meet the new bar you've set.

Regardless of the size of your organization, your customers will expect that their GRC requirements are your GRC requirements. These requirements can quickly overwhelm your organization if you are a small vendor catering to a Fortune 100 client. Gather your head of marketing, sales, and your GRC subject matter expert(s) to create a heat map of potential industries, locations, and customer groups that share common GRC requirements that are applicable to your service. This exercise shouldn't take more than a few hours, and you will likely be able to quickly identify customers who share common GRC requirements due to region or industry, for example. Your GRC subject matter expert will also be able to quickly judge the complexity of the regulations that apply to these customer groups. Government and healthcare organizations will top the list of complex GRC requirements. Customers in Europe will top the list of regions with the most complex GRC requirements. Is your organization prepared to handle such complex requirements, or should you aim for less complicated industries and locations with requirements that can immediately be met? International, government, and healthcare industries are lucrative, but they carry significant and often hidden costs that will be forced onto your organization once a deal is signed.

Tally the cost of customer GRC requirements

Greater GRC expectations include documented business processes, a regularly tested disaster recovery plan, dedicated hardware, security staff, and complex, customized configurations, along with regular onsite audits. Beware the executive who dismisses these requirements as mere paperwork or, worse, assumes that they limit the liability of non-conformity to the cost of the contract. The costs of non-conformity will not end at the value of a contract, and could potentially dwarf any profit. Your organization's insurance might not cover a breach or a failure to apply required controls. Non-compliance could even ruin the reputation of your business through a publicly communicated security breach, as required under many privacy laws.

Before someone dismisses these costs as inconsequential to the potential profit, you should tally and review all potential costs of the customer's requirements. Passing these costs to the potential customer doesn't work in all situations, especially if the GRC requirement will benefit many or all of your customers once instantiated, or if it requires significantly more investment in the GRC solution than will be realized by the customer. For example, it is doubtful (although possible) that a single customer would pay for a disaster recovery site. Potential profit requires accurate tallying of GRC requirement costs. 

Develop a cohesive GRC message

Does your organization manage customer GRC requirements individually, or are the lessons learned from each engagement brought together under a GRC solution? Could the sales staff use a secret weapon to thwart the competition? Gather the sales executives, sales engineers, and deployment team managers together to determine whether GRC requirements are important to your customers. Determine what types of questions come up during demonstrations, RFCs, RFPs, and deployment of the customer's newly purchased solution. Questions don't end when a deal is signed! Determine if a cohesive GRC message could be created that enables the sales team to close deals quickly and confidently. The GRC solution could span from a sales presentation to a repository of answers used to quickly and uniformly fulfill customer RFCs and RFPs. Determine how the competition deals with these issues, and make your solution more professional than any available. Train the sales staff so that they understand why this is a secret weapon, and raise their confidence that your organization has the best solution.  

Pace the GRC solution

Your organization cannot certify to every available set of GRC documents, commonly referred to as GRC authority documents. There are more than 400 GRC authority documents, many of which carry certifications. Determine which certifications would close deals, and which are too costly to consider. This determination will lead to new markets and possibly close others. Consult with your GRC subject matter expert to determine the best course of action.

Keep competitors in the rear-view mirror 

The competition won't be ready for the bad news when your GRC solution becomes a deal-closing trump card. They also won't be prepared to immediately close the gap. After all, consider how much thought went into the analysis, planning, and execution of your new GRC solution. Consider what questions your customers should ask the competition. Improve and expand those questions as your organization matures, gains certifications, and increases market penetration. You'll be leading the pack, closing deals while others aren't even invited to the table.

Jeffrey Miller

Posted 04 December 08 03:55 by frasim | 1 Comments   
New TechNet Resource for GRC

Today we published a new and improved TechNet site that focuses on governance, risk, and compliance (GRC)! This site will provide you with all kinds of great information about tools and capabilities to help you realize the full potential of your Microsoft GRC investment. If you don't think you have one, take a look at the site; I challenge everyone to look carefully at the job aids provided there. http://technet.microsoft.com/en-us/regulatorycompliance/bb544955.aspx

What are the job aids?

Over the past several years, Microsoft has been steadily building great compliance resources. In the past, one could say that they were sometimes a bit hard to find. However, that has now all changed! The job aids provide a one-stop shop of compliance-related resources from across Microsoft. Whether you're looking for a guide that provides details on Microsoft® SQL Server® 2008 compliance or on Microsoft Dynamics AX security capabilities, you can access both resources from one place!

This new site also offers the ability to provide feedback to the Solution Accelerators team.  They have posted a short survey that provides you with a chance to be heard: http://go.microsoft.com/fwlink/?LinkID=132579

Looking to participate in a compliance community? Maybe you just want to read up on the latest Microsoft solutions? Visit the TechNet Compliance Site at

http://technet.microsoft.com/en-us/regulatorycompliance/default.aspx.

Take a look and let us know what you think.

Frank

Address your GRC needs by leveraging your existing Microsoft investment!

This Solution Accelerator can save you time and money by shifting your governance, risk, and compliance (GRC) efforts from people to technology. Use its configuration guidance to help efficiently address your organization’s GRC objectives with Microsoft technology you may already own.

This Accelerator helps you better understand how an IT process framework can help you implement GRC controls in your Microsoft infrastructure.

The IT Compliance Management Guide includes a Microsoft® Operations Framework (MOF) 4.0 companion guide that is based on the Regulatory Compliance Planning Guide.

The IT Compliance Management Resources workbook saves you time by bringing together the information you need. It provides an extensive inventory of GRC-related configuration tasks and guidance organized by Microsoft product name.

Numerous resources are available to help address GRC requirements for Microsoft products and solutions.

The IT Compliance Management Guide ships with the IT Compliance Management Resources workbook, which provides job aids to locate these resources and conduct changes to your IT infrastructure.

  •  Views compliance obligations through a 'lens' of 8 authority documents. The example authority documents include SOX, GLBA, HIPAA, EUDPD, PCI DSS, ISO 27002, COBIT 4.1, and AICPA GAPP.
  •  Takes advantage of your current Microsoft investment. Configure Microsoft products in your environment to address GRC objectives.
  •  Reviewed by auditing firm Grant Thornton LLP. "The Microsoft Operations Framework (MOF) referenced in the guide is both a reasonable and extensible framework by which an organization may manage GRC requirements and solutions."
  •  Reduces complexity. Provides guidance to consolidate and address GRC requirements from multiple authority documents such as regulations, publications, and agreements.
  •  Clarifies configuration requirements. Includes a Microsoft Excel® workbook with a detailed inventory list and job aids.
  •  Free. The IT Compliance Management Guide is a free download.

Download it NOW.

Are Your Clouds Available?

Clouds Are on the Rise

Cloud computing has been variously described as utility computing, hosting applications off-premises, on-demand computing, Web-based computing, software-as-a-service, and in many other ways. No matter the description, its implementation generally takes some of the on-premise burden of holding or processing data and puts it to off-premise servers “in the cloud.” 

The big attraction of cloud computing has been lowered cost. A business that outsources its server services to the cloud might reduce costs by getting them on-demand and paying for them only when needed. Economies of scale give cloud computing an attractive advantage. Costs are kept down through usage of common hardware and increased rack density.  Organizations can simply pay for virtual machines when needed, and shut them down when not needed. Undoubtedly the cost advantage will continue to drive adoption of cloud computing. 

With a world-wide economic downturn, the prospects for the low-cost overcast skies of cloud computing are increasing. Small and medium-size businesses might especially feel the crunch and look for ways to reduce costs, such as by sourcing some or all of their computing services in the cloud.

Clouds Must be Reasonably Available

Clouds are subject to regulations. The low costs of cloud services help them work well for garden-variety, commoditizable IT functional areas such as e-mail, data storage, backup, and CRM. These areas are core to many regulatory compliance controls. As these functions go into the cloud, so does regulatory responsibility. Regulations, risk, and governance principles aren’t eliminated when enterprise servers are turned off and services move to the clouds. In a globalized economy we might see increasing regulation and risk reduction of cloud computing.

Among cloud computing, regulations, risk, and governance concerns (such as security, privacy, backup and recovery, monitoring, reporting, and auditing to name a few) is cloud availability. The low-cost advantage of cloud computing is outweighed when and if unavailable clouds put an organization's business in jeopardy of being shut down or fined by regulators, successfully sued by litigants, or shunned by disgruntled customers. Many regulations allow governments to shut down businesses or levy large fines by government order if businesses fail to comply with regulations that require records to be available. Litigation rules allow unfavorable inferences to be made when records cannot be provided. Customers can quickly become angry when their records are not made available to them. The bottom line is that clouds must be reasonably available.

Servers Are Not Always Available

Cloud servers might not always be available, and there might be instances when we know there will be a drought.

In-house (non-cloud) infrastructure is not immune from outages, either. E-mail outages, for example, do occur in organizations that use internal enterprise servers. Servers do go down from time to time, whether they are in house or in the cloud. The question is not whether clouds will always be available, but instead whether or not organizations can continue in a compliant manner when the cloud is not available. 

The best IT operations actually plan for downtime. Software maintenance, new software releases, software upgrades, and scheduled equipment repairs can all be part of planned downtime during periods of low usage, to avoid unplanned downtime during periods of high usage. Downtime can be a good thing. It is ironic that the forecast can call for clear skies and not be a bad forecast.

Still, the business cloud will have to be reasonably available and accountable. Let’s take a look at some specific examples.

Cloud Regulatory Availability Examples

Cloud financial records must be easily readable from a non-rewritable, non-erasable, and duplicated source. Electronic records under SOX must be provided to regulators with “facilities for immediate, easily readable projection or production of electronic storage media images and for producing easily readable images.” Records must be stored on non-rewritable and non-erasable media, and a duplicate copy of records must be stored separately from the original. So for purposes of SOX, the cloud needs to be easily readable, non-rewritable, non-erasable, and duplicated. Ouch, that is a complicated cloud.

Cloud medical records must be reviewable and available for copying. Under HIPAA, patients have a right to obtain copies of their medical records within 30 days. That might seem like a long time to make copies available, but some state laws, such as that of California, shorten the time to 5 days for review and 15 days for a copy. Even if a physician has moved, retired, or died, his or her estate has an obligation to retain and make available medical records. Under state law this can be up to 10 years following a last patient visit. Disgruntled patients can file complaints. If a medical care provider decides to maintain medical data in the cloud, then the cloud better be available to provide medical data to patients when they demand it. Patients are also entitled to an accounting of disclosures of health information. That is, they are entitled to know who accessed their health records for a period of six years prior to the request. If medical records are kept in the cloud, accounting of cloud disclosures is required.

Microsoft Cloud Availability

With this big wind-up, let’s take a look at a sampling of what some Microsoft products and services offer in terms of cloud availability. Ultimately, the availability of records in the cloud for purposes of regulatory compliance can be greatly enhanced by the cloud software that houses the data, and Microsoft does a great job making the cloud available.

SharePoint

Microsoft SharePoint Online has a 99.99 percent scheduled uptime backed by a service level agreement. This means that it is down less than an hour per year. Nice! SharePoint is designed to work in conjunction with desktop software. In the event of network outage, critical information is still accessible. This is a big advantage of working with Office and SharePoint over other solutions.

Exchange

Microsoft Exchange Online has a 99.99 percent scheduled uptime backed by a service level agreement.

Business Productivity Online Suite (BPOS)

The Microsoft Business Productivity Online Suite consists of Microsoft Exchange Online, Microsoft Office SharePoint Online, Microsoft Office Live Meeting, Microsoft Office Communications Online, and Microsoft Exchange Hosted Filtering. The suite provides “business-class reliability” to customers and a guaranteed 99.9% service level agreement.

SQL Server Data Services

SQL Server Data Services (SSDS) is built on time-tested and robust SQL Server technologies that help ensure business-ready high availability. SSDS data is provided “reliably virtually anywhere, anytime.” One way that SSDS ensures high availability is by managing multiple copies of data. It maintains a backup of data stored in each data cluster. Partitions are replicated. Copies of data are maintained on servers at different physical locations. Geo-redundancy of data helps ensure business continuity.

Virtual Server and Windows Server 2008 Hyper-V

Organizations can help ensure availability by maintaining master copies of virtual platform images that run on cloud infrastructures. Microsoft has enabled organizations to do this for free with Virtual Server, and now with Microsoft Hyper-V Server 2008 - the “next-generation hypervisor-based server virtualization technology” (also available as a free download). Take a snapshot of your virtual machine while it is running so it can easily revert back to its previous state. Should the cloud ever disappear, such as a vendor going out of business or exorbitantly raising its prices, an organization can simply and easily move the image to another host vendor or even in house. Physical machines can take hours or days to replace. Virtual machines can be replaced in minutes. This kind of increasingly common dynamic scaling is not possible without virtual machines in the cloud.

Hyper-V supports virtual switch capabilities so that the Windows Network Load Balancing (NLB) service can be used to balance loads across virtual machines on different servers.  And with Hyper-V, virtual machines can be rapidly migrated while they are running from one physical host machine to another. Now that is high availability!

Microsoft has also made licensing of virtual machines very straightforward. For Windows Server 2008, if you want to run a single virtual machine, choose Standard Edition. If you want to run four virtual machines or fewer, run Enterprise Edition. If you want unlimited virtual machines, run Datacenter Edition. Wow, simple!

Clouds are on the rise, together with regulation, risk, and governance concerns. Among those concerns, availability is critical. Yet cloud computing can be made reliably available. In a world that is increasingly looking to the clouds, several Microsoft technologies are helping make cloud reliability a reality.

New Compliance Management forum.

The Compliance team from Solution Accelerators would like to invite you to join in conversation on our newly minted compliance forum.

Bookmark the forum page:

http://social.technet.microsoft.com/Forums/en-US/compliancemanagement/threads/

Frank

Risk Management.

Within the Solution Accelerators library, many nuggets get overlooked. One of these nuggets is the Security Risk Management Guide. If you're interested in a good, simple-to-follow guide that can help you negotiate the issues around a qualitative or quantitative risk assessment, you should take a look at the guide.

Posted 20 September 08 02:07 by frasim | 0 Comments   
Microsoft Compliance Management Series BETA released

The Solution Accelerators - Security and Compliance team has released a beta version of its first set of guides in the Compliance Management Series. This effort expands on the work done in the Regulatory Compliance Planning Guide published in 2006. 

Here is a bit of detail on the new Solution Accelerator:

Compliance obligations imposed by regulations and statutory requirements can be difficult to reconcile with standards and frameworks such as PCI DSS, ISO 27002, AICPA GAPP, and COBIT. An additional challenge is the lack of a single source of compliance configuration guidance for Microsoft products.

The Compliance Management Series (a MOF–based expansion of the Regulatory Compliance Planning Guide) provides Standards of Care and simple checklists to help you configure Microsoft products to address Governance, Risk, and Compliance (GRC) requirements.

Standards of Care simplify complex categories such as Asset Management, Compliance Management, and Risk Management, and clarify how to configure Microsoft products quickly and effectively for these categories.

The Series uses Microsoft Operations Framework (MOF) 4.0 to provide you with a structured approach to the planning and delivery of configuration changes in your organization.

The beta release of the Compliance Management Series is now available and will be open through September 24, 2008 for your review.

https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2404&InvitationID=cmbt-8XBG-PD28&SiteID=657

After you join the program, bookmark the following link to return to the program site and get the latest information about upcoming events:

https://connect.microsoft.com/site/sitehome.aspx?SiteID=657

What is Zermatt?

SOX doesn’t matter as much as a “change of SOX.” HIPAA does not matter as much as a change to HIPAA. Basel I does not matter so much as does Basel II. Current regulations don’t matter as much as the next regulation does.

We live in an endless torrent of new laws, new regulations, changes to older regulations, and new interpretations. The true value of any tool or technology that we use to deal with these regulations is not merely in how well it handles static regulation, but how well it handles the next regulation, or a change to a current regulation. Technology solutions to GRC challenges should be easily adaptable through such things as extension and interoperability. Adaptable technologies permit greater agility in getting ahead of the next big regulatory, risk, or governance challenge.

Zermatt is an example of an adaptable GRC Microsoft technology. Zermatt is a fully supported developer framework that helps developers build claims–aware applications—that is, applications that can handle a set of user attributes like a user’s role and permissions. Zermatt’s model is open and extensible. An identity metasystem transforms claims from one protocol to another (from SAML to WS-Trust, for example). 

Identity and access management is a major component of many regulatory controls and is also critical to worker productivity. Businesses want to get workers up and working quickly, but must only allow access to resources by the appropriate people. A business role is typically given access to multiple siloed resources. In a multiple-silo environment, a worker’s identity must be established and access provided in each of the silos. Providing this access can be maddening and painful for administrators. It can also take days or even weeks before workers can start being productive. If an average worker is delayed one week in a company with 1000 employees, the accumulated delay is 1000 weeks or 5000 days (in a 5-day work week), which is almost 14 years of delay. After a worker is on board, they have to sign in and out of each single silo on a daily basis, which is a tremendous drag on productivity.

If a worker could be quickly set up with a simple sign-on to all the appropriate systems, it would take less time for workers to start being productive and overall productivity would be greater. Administrators' lives would be easier.

A single sign-on to all the siloed resources would be faster, but less secure and more risky. If the single sign-on credentials are compromised, security is broken. So what businesses need is not a single sign-on, but a simple secure sign-on.

Enter Zermatt. Zermatt enables a simple secure sign-on scenario. Each siloed application can continue to maintain its own security while tying into a reusable identity metasystem. This metasystem transforms the credentials supplied by a user to those required by interoperable silos. The user experience is much better. The administration is much simplified.

Let’s say a new regulation requires additional processes by a worker. A new silo is hooked into the metasystem. A new application is developed and added to the worker’s repertoire. If the application uses Zermatt’s identity framework it can plug into the reusable identity metasystem and maintain a secure sign-on that is simple enough for people to easily use, but which is also strong, revocable, and manageable. The worker’s productivity is unimpaired by additional credentials or sign-on requirements. New workers can become productive more quickly.

Many systems today require workers to use a number of credentials, and Zermatt helps us get closer to securely carrying and using one set of credentials. We might say that Zermatt offers the potential of both better regulatory compliance in terms of identity and access management and greater agility in terms of productivity, for both workers and administrators.
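The "simple secure sign-on" the post contrasts with plain single sign-on, as an added toy model in Python (not Zermatt's API, nor any Microsoft code): an identity provider issues one signed token, a metasystem transforms its claims into short-lived, audience-bound tokens in the form each silo understands, and every silo keeps its own key and its own checks, so one silo token does not open the others and revocation at the metasystem cuts off all silos at once. The silo names, claim-mapping rules and keys are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys for the demo. In a real deployment the identity provider and each
# silo hold their own secrets; they are literals here only so the example runs offline.
IDP_KEY = b"constructed-idp-signing-key"
SILO_KEYS = {"ledger": b"constructed-ledger-key", "hr": b"constructed-hr-key"}

# Hypothetical per-silo transformation rules: an incoming (type, value) claim from the
# identity provider maps to the claim names each silo was built to understand.
SILO_RULES = {
    "ledger": {("role", "accountant"): ["ledger:read", "ledger:post"],
               ("role", "auditor"): ["ledger:read"]},
    "hr": {("group", "people-ops"): ["hr:read", "hr:write"],
           ("role", "auditor"): ["hr:read"]},
}
SILO_TOKEN_TTL = 300  # seconds; silo tokens are short-lived and bound to one audience


def _sign(key, payload):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def _verify(key, token):
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))


def issue_identity_token(subject, claims, now, ttl=3600):
    """Identity provider: one set of credentials yields one signed identity token."""
    return _sign(IDP_KEY, {"iss": "idp", "sub": subject, "claims": claims, "exp": now + ttl})


class IdentityMetasystem:
    """Transforms identity-provider claims into the form each silo requires, and is the
    one place where a worker's access to every silo can be revoked."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, subject):
        self.revoked.add(subject)

    def token_for_silo(self, identity_token, silo, now):
        idp = _verify(IDP_KEY, identity_token)
        if idp["exp"] <= now:
            raise PermissionError("identity token expired")
        if idp["sub"] in self.revoked:
            raise PermissionError("subject revoked")
        silo_claims = []
        for ctype, cvalue in idp["claims"]:
            silo_claims.extend(SILO_RULES[silo].get((ctype, cvalue), []))
        if not silo_claims:
            raise PermissionError("no claims map to silo " + silo)
        return _sign(SILO_KEYS[silo], {"aud": silo, "sub": idp["sub"],
                                      "claims": sorted(set(silo_claims)),
                                      "exp": now + SILO_TOKEN_TTL})


def silo_authorize(silo, token, required_claim, now):
    """Each silo keeps its own security: its own key, its own audience, its own claims."""
    try:
        payload = _verify(SILO_KEYS[silo], token)
    except ValueError:
        return False
    if payload["aud"] != silo or payload["exp"] <= now:
        return False
    return required_claim in payload["claims"]


def run_demo(now=None):
    """Walk an accountant through the ledger silo and show what the model refuses."""
    now = int(time.time()) if now is None else now
    meta = IdentityMetasystem()
    alice = issue_identity_token("alice", [["role", "accountant"]], now)
    ledger_tok = meta.token_for_silo(alice, "ledger", now)
    results = {
        "ledger_post": silo_authorize("ledger", ledger_tok, "ledger:post", now),
        # A ledger token replayed at the HR silo fails: wrong key and wrong audience.
        "ledger_token_at_hr": silo_authorize("hr", ledger_tok, "hr:read", now),
        "ledger_token_after_ttl": silo_authorize("ledger", ledger_tok, "ledger:post",
                                                 now + SILO_TOKEN_TTL),
    }
    try:  # no rule maps an accountant into HR, so the metasystem issues nothing
        meta.token_for_silo(alice, "hr", now)
        results["accountant_gets_hr_token"] = True
    except PermissionError:
        results["accountant_gets_hr_token"] = False
    meta.revoke("alice")  # one revocation, and every silo is closed to alice
    try:
        meta.token_for_silo(alice, "ledger", now)
        results["revoked_gets_token"] = True
    except PermissionError:
        results["revoked_gets_token"] = False
    return results


if __name__ == "__main__":
    print(run_demo())
```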

Some of Zermatt’s potential benefits:

  • Ease of administration. Potential to reduce the number and complexity of multiple administrator consoles. Easier to reconfigure as regulations change.
  • Ease of use for users. Makes automated provisioning possible, which can drastically reduce the time needed to make new employees productive.
  • Improved security. Claims-based systems are recognized as providing a high level of security: the application consumes signed claims from a trusted issuer instead of handling passwords itself, so its security rests on verifying the issuer’s signature and on the issuer’s own controls. Hooking into a centralized identity bus also permits better control over workers who should no longer have access to resources.
  • Boosted developer productivity. Developers can concentrate on the application logic and leave identity management to Zermatt and the identity metasystem.
  • Externalized authentication capabilities. Authentication is not hard-coded into, or tightly coupled with, the application itself.
  • Centralized authentication (and authorization). Access and permissions to multiple siloed resources can be granted or revoked quickly and accurately.
  • Single sign-on capability. A claims-based application can plug into a centralized, reusable identity metasystem that transforms claims into the different forms required by each silo.
  • Ready to federate with other organizations or platforms. The identity metasystem makes federation interfaces available.
  • Supports multi-hop delegation. The signed-in user’s identity and claims can be carried across a chain of service calls, so a downstream service still knows on whose behalf it is acting.
  • Identity selector. Includes an identity selector control that lets users choose which identity they wish to present.
  • Reporting. Enables development of fully fledged integrated reporting instead of administrators having to view logs on a per-application basis.
  • Has potential to bridge on-premises and hosted solutions.
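As an added illustration of the pattern described above (this is example code written for this post, not Zermatt or Windows Identity Foundation code), the following Python sketch shows a central issuer signing a set of claims once, two silos that each verify the signature and map the issuer’s claims into their own local permissions, and offboarding done in one place. The issuer name, signing key, directory contents and silo mappings are constructed for the example, and the JSON-plus-HMAC token is an assumed stand-in for the signed security tokens a real metasystem would issue.

```python
"""Claims-based sign-on sketch: one issuer, several silos, per-silo claim mapping.
Added example, not Zermatt/WIF code. The JSON+HMAC token is an assumed simplification
of a real signed token (a production issuer signs asymmetrically so relying parties
hold no signing secret). Issuer name, key, directory and mappings are constructed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "urn:example:sts"                      # assumed issuer name
SIGNING_KEY = b"demo-key-not-for-production"    # assumed shared key

def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()

def _sign(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class Issuer:
    """Central security token service: authenticates once, issues signed claims."""
    def __init__(self, directory, key=SIGNING_KEY, lifetime=300):
        self.directory = directory   # subject -> set of group claims
        self.key = key
        self.lifetime = lifetime     # seconds; keep short, see run_scenario()
        self.disabled = set()        # offboarded workers, managed in one place

    def issue(self, subject, audience, now=None):
        if subject in self.disabled or subject not in self.directory:
            return None
        now = int(now if now is not None else time.time())
        body = _encode({"iss": ISSUER, "sub": subject, "aud": audience,
                        "iat": now, "exp": now + self.lifetime,
                        "groups": sorted(self.directory[subject])})
        return body + "." + _sign(body, self.key)

def validate(token, audience, key=SIGNING_KEY, now=None):
    """Relying-party check: signature first, then issuer, audience and expiry."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(_sign(body, key), sig):
        return None                  # forged or tampered
    payload = json.loads(base64.urlsafe_b64decode(body))
    now = now if now is not None else time.time()
    if payload.get("iss") != ISSUER or payload.get("aud") != audience:
        return None                  # token meant for another silo
    if now >= payload.get("exp", 0):
        return None                  # expired
    return payload

class Silo:
    """One application: never sees a password, maps issuer claims to local rights."""
    def __init__(self, name, mapping):
        self.name = name
        self.mapping = mapping       # issuer group claim -> set of local permissions

    def permissions(self, token, now=None):
        payload = validate(token, audience=self.name, now=now)
        if payload is None:
            return None              # treat as not signed in
        perms = set()
        for group in payload["groups"]:
            perms.update(self.mapping.get(group, ()))
        return perms

def run_scenario():
    """Walk one worker through sign-on, a forgery attempt and offboarding."""
    directory = {"alice": {"finance", "staff"}, "bob": {"staff"}}   # constructed
    sts = Issuer(directory)
    ledger = Silo("ledger", {"finance": {"ledger:read", "ledger:post"},
                             "staff": {"ledger:read"}})
    hr = Silo("hr", {"staff": {"hr:self-service"}})
    t0 = 1_000_000
    out = {}
    tok = sts.issue("alice", "ledger", now=t0)
    out["alice_ledger"] = ledger.permissions(tok, now=t0)
    out["ledger_token_at_hr"] = hr.permissions(tok, now=t0)        # wrong audience
    out["alice_hr"] = hr.permissions(sts.issue("alice", "hr", now=t0), now=t0)
    # Bob edits his own token to add the finance claim; the signature no longer matches.
    body, sig = sts.issue("bob", "ledger", now=t0).split(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["groups"] = ["finance"]
    out["forged"] = ledger.permissions(_encode(claims) + "." + sig, now=t0)
    # Alice leaves: one change at the issuer, no per-silo clean-up.
    sts.disabled.add("alice")
    out["alice_new_token_after_offboard"] = sts.issue("alice", "ledger", now=t0 + 1)
    out["alice_old_token_after_offboard"] = ledger.permissions(tok, now=t0 + 1)
    out["alice_old_token_after_expiry"] = ledger.permissions(tok, now=t0 + 300)
    return out

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario also shows the caveat that comes with centralized revocation: disabling Alice at the issuer stops any new token immediately, but a token she already holds keeps working at the ledger silo until it expires, which is why claims-based systems pair central revocation with short token lifetimes.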

 

Joe Scalone, contributing author and partner to the SAT Regulation Compliance blog.

 

Microsoft Regulatory Compliance Planning Guide Update

One of our Solution Accelerator teams is looking for your help. Please join us for this discussion this Wednesday in a Live Meeting:

 

 

IT personnel often feel unprepared to meet management's need for IT compliance because of myriad definitions and expectations. The small size of some organizations can also complicate an IT manager's approach to the problem by delaying the deployment of more advanced enterprise management technologies. Many questions must be addressed prior to any changes in IT: How does the organization organize its data? Who truly needs access? What IT changes are needed to facilitate compliance? What business processes will be affected? Who will be making these changes? Most importantly to an IT manager, how can this compliance burden be shifted to technology?

 

Microsoft is working to build upon the guidance provided in the original Regulatory Compliance Planning Guide (RCPG) and will release an updated RCPG document to assist IT managers who are facing compliance configuration issues. The guide will contain regulatory compliance configuration guidance for major Microsoft technologies commonly found within the IT data centers of US organizations. The guidance will reference existing information across Microsoft's many product lines and services in a comprehensive manner. The IT manager will be able to select deployed Microsoft products, select the US regulatory and standards requirements applicable to the business, and then review a checklist of configuration guidance points for each listed Microsoft product. Guidance is organized according to MOF 4.0, the Microsoft Operations Framework (http://microsoft.com/mof). This approach establishes a lifecycle-oriented framework that addresses the planning, development, operation, and management of IT compliance. Those not familiar with MOF may have exposure to ITIL, but even if you have no prior knowledge of IT frameworks, MOF is designed for anyone who needs to understand and implement a lifecycle solution to IT management.

 

The RCPG development team is looking for active participation from within the IT community. If the questions in the first paragraph apply to you, we want to hear from you! We have scheduled several Live Meeting sessions to meet with you in the hopes of fine-tuning content and formatting to your needs—head over to the following link to join in the discussions. We sincerely need your feedback to enable everyone to successfully configure IT to its true potential.

 

We will be holding Live Meeting sessions to present our ideas, and we seek your participation and input. If you participate you will be asked to respond to several questions that relate to GRC.

 

Please join us by signing up for the OneCompliance program in Microsoft Connect. To join the program, click https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2404&InvitationID=rcpg-C4P9-KR7Q&SiteID=657

 

Please note that we will not be able to invite you to any Live Meeting sessions if you respond No to the following prompt when you sign up:

“I would like to be contacted about participating in new Microsoft Connect programs, surveys, and events.”

 

After you have joined the program, bookmark the following link to return to the program site and get the latest information about upcoming events:

https://connect.microsoft.com/site/sitehome.aspx?SiteID=657

 

 

-Jeffrey, member of the Microsoft RCPG Development Team

How to Use AccessChk.exe for Security Compliance Management (secguide blog)

In a partner secguide article we invited Michael Tan, one of our senior program managers, to introduce a new feature in the recently updated Sysinternals tool AccessChk. The first part of the two-part article discusses how the new AccessChk feature works and the benefits of using the tool. The second part looks at using the tool with Configuration Manager’s DCM feature, and how the Security Compliance Management toolkit benefits from the effort.

To read the complete article, check out the Security Blog from Security Accelerators:

http://blogs.technet.com/secguide/archive/2008/07/21/how-to-use-accesschk-exe-for-security-compliance-management.aspx

 

 

Health Vault = Compliance

 

I don’t know about you, but for me it's a challenge to keep up with my own and my family's health information. If you haven't seen it yet, you should check out HealthVault. The current version lets you collect, store, and share health information with your family.

 

Ask yourself these questions: When was the last time you got a complete physical? What was the name of that medication (which did not sit well with your stomach) that you were taking last year? Have your kids received all their immunization shots? To which foods does your son have an allergy? When did your kids get their last dental and eye exams? On that trip you have planned for next summer, how will medical providers be able to access your medical information back home? How are you making sure that your aging mother and father get the treatment they need? Has your teenage daughter received the HPV vaccine? When was the last time you got a tetanus shot?

 

HealthVault is a place where you can keep track of health information such as this and share it with your spouse and family. What's more, with something called HealthVault Connection Center you can upload and store data directly from a range of devices such as weight scales, blood pressure monitors, blood glucose monitors and pedometers. Also, the data is very portable. For more information, see http://www.healthvault.com/Devices-Directory.htm?rmproc=true. HealthVault supports such standards as XML, HL7, the ASTM Continuity of Care Record (CCR), Clinical Document Architecture (CDA) and the Common Connectivity Device. The search portion of HealthVault permits you to search and find health information and then store it in a private HealthVault Scrapbook for future use. HealthVault even lets you store health records for your pets!

 

The best part of HealthVault is that you control who has access to your records. You can choose to share them with hospitals, doctors or other medical care providers. For example, see http://www.healthvault.com/hospitals/. I can view my medical records housed by participating providers and learn about my medical tests and test results.

 

To me, HealthVault is an example of a Microsoft GRC technology that goes beyond mere regulation compliance. It enables people to engage in better healthcare. It is effectively an extension of preventive medicine.

 

Knowledge is a powerful thing. Safe, up-to-date storage of knowledge about your own and your family's health can help reduce health risks and health care costs.

 

Joe Scalone

jscalone@microsoft.com
