Strategic Objective
The primary objective of ConfigScan is to streamline and standardize network risks assessments resulting in significant cost reduction in both time and labor. ConfigScan will provide an automated network evaluation that will produce a detailed network assessments and remediation recommendations quickly.
| 360 GRC's Innovative Dashboard, which reports on |
 |
- One view for all regulatory compliance needs
- Summary view of top 5 non-compliant locations, devices, categories, audit rules, inventory models and networking vendor
- Each summary view can be represented graphically, tabular format, trendline or detailed view
|
| 360 GRC's Compliance view reports on |
 |
- All network device non-compliance
- Audit summary - tabular view on failed items - rated as High, Medium or Low risk
- Audit visualization - customizable graphical view (area chart, bar chart, column chart, line chart, pie chart, plot card)
- Audit Trend - Trend compliance risk (High, Medium or Low) over time and view prior reports with an easily manageable timeline.
- Audit Detail - Complelety customizable to add or remove columns to provide CSV, PDF reports
|
| 360 GRC's Root-cause analysis reports on |
 |
- The first in the industry with propreitary features
- Provide configuration view and line-by-line root-cause analysis
- Provide detailed root-cause at command level for non-compliance
- Each command line can be mapped to multiple regulatory standards
- For each non-compliance provide recommendations on how to remediation the risk
- Provide detailed rating and weighting to assess compliance and governance
|
| 360 GRC's inventory management |
 |
|
Slice and dice network inventory to report by:
- Vendor, platform and operating version details
- Device location
- Device Category
- Customizable to add and report on any hardware feature
|
| Paper Report |
 |
- Ability to create customizable reports
- Ability to create adhoc queries based on any compliance risk or inventory management
|
Understanding the Issue
A manual audit either in a 'freeform' capacity or based on a template presupposes that the template being used is complete and accurate. If freeform, it must be assumed that the auditor is familiar will all aspects of the unique and specific regulatory requirements for the network. Furthermore, the level of expertise to understand and audit a six-hundred-line configuration falls into a specific skill set that the 'big four' charge premium rates.
When we encounter a configuration with thousands of lines, it is easy to see that human error can easily be introduced and, depending upon the compliance law, monetary penalties can accrue for failing. The cost of a manual audit for an organization can become astronomical. A sampling method of the network configurations can be accomplished, but the risk of a breach due to non-compliant configurations that were not part of the sample could damage the organization - even if the audit is successful with the sample.
For the template-based products, there are two significant drawbacks. First, most of the tools require expect knowledge in networking to allow a company to develop the template. Second, the technical expert either needs to understand several different compliance laws and exactly which areas in these laws are properly configured. A significant drawback of a manual audit is the assurance that the testing is sustainable over a period of time. Another drawback on a template audit is that the template may not include specific items that may recently been enacted under new law or, that the template itself contains errors or omissions.
To summarize the above, the two forms of auditing (manual or template) have been the only approaches to network device audits. The time required to complete a single device audit can take many hours or days depending upon the skills of the auditor. Multiplying the time it takes to complete one device by the number of devices within the current sample provides the amount of time required. If an external firm is retained, the time for the sample size multiplied by the hourly rate provides the total cost. This cost multiplied by the total number of audits and samples increases the total audit costs almost exponentially. Coupled with the inherent human error, not only can the costs become exorbitant, the results may not be sustainable, repeatable or ultimately reliable. The following table provides the out-of-the-box regulations and best practices currently shipping with the product.
