Viewtrust software overview This presentation is a brief overview of Virtustream Viewtrust risk management and compliance monitoring software. Viewtrust software overview Risk management and compliance monitoring

challenges Need a proactive view of risks across my cloud and non-cloud assets due to Cyber, Compliance, and IT Operations on a continuous and automated basis. How do I…. Get a unified view of security and compliance risk across all IT assets (e.g. enterprise, cloud, hybrid-cloud)? Reduce cost and complexity of managing compliances with shrinking budgets? Become proactive rather than reactive in dealing with enterprise and mission risks? Perform continuous monitoring of risk with ever increasing volume of data? Create a single 360° operational view of enterprise risk and prioritize mitigations? Informational assets, security tools, and technologies deployed within enterprise may be within the cloud or outside the cloud within the data center or collocated with another hosting provider. Whatever the deployment model, the goal is to have a single unified view of all assets and their specific risks. This presents a tremendous amount of challenge because anyone of those assets in anyone of those environments could present an entry point for a compromise. Another challenge that enterprises have is the need to meet requirements for compliance regulation in the environment of shrinking budgets. The different controls from IT governance to information assurance controls organizations are expected to comply with is very complex and very expensive.   Threats from cyber are daily, hourly, and minute-by-minute and the threat surface in any environment is continuously changing. What’s also changing is the threat vectors which are essentially the threats from the multiple sources whether they are state, enterprises, criminals or just they are hackers, who are doing it for fun. All of these risks elements need to be addressed. It is a requirement to meet all the regulatory and compliance requirements for standards and controls. But at the same time we know that compliance is a snapshot in time exercise. In order for this exercise to be actually effective on a continuous basis, you have to be able to continuously monitor and assess the risks across the enterprise assets and to prioritize fixes or mitigations.

Viewtrust continuous risk monitoring Viewtrust provides continuous monitoring of risks across enterprise hybrid cloud as well as non-cloud environments to proactively address risks due to Cyber, Compliance, and IT Operations. Enterprise Risk Management Cyber Risk Compliance Risk IT Operational Risk Virtustream Viewtrust creates a single 360 degree  view of the entire threat topology by collecting data from a multiple enterprise sensors (information sources), enabling reporting and presenting this information on a single dashboard for common operational view and actionable risk management.  Enterprise Risk Management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. As a defined by industry analysts, it covers the three key areas: Cyber Risk Compliance Risk IT Operational Risk Viewtrust focuses on the three areas: cyber risk situational awareness which is shown in the red box, compliance risk shown in the gold box, and IT operational risk as shown in the blue box.

Automated risk and compliance management Provides a unified view of enterprise risk on a single dashboard Automates compliance and risk management for private or hybrid clouds Provides continuous risk analysis with heat maps for proactive view Collaborative and workflow driven for compliance automation and documentation Scales with Big Data analysis and analytics engine Provides mission risk view to address what is critical to business Cyber Risk Compliance Risk IT Operational Risk Viewtrust enables customers to gain cost efficiency through automation of their compliance/risk management and monitoring while responding to the challenge of their ever growing compliance and information systems requirements. Customers benefit from a single view and a management platform for their enterprise risk, governance, and compliance on a continuous monitoring basis Viewtrust also enables customers to have more secure systems by being more proactive with their enterprise compliance and risk management. Customers have a collaborative single platform that breaks down existing silos with tools, people, and processes in the organization

Viewtrust addresses regulated markets Viewtrust provides a scalable solution to address regulatory and industry standards requirements in a modular architecture Federal Financial Healthcare Energy Retail Enterprise Risk Management ✔ Cyber Situational Awareness Regulatory Compliance FISMA/ FedRAMP GLBA SOX HIPAA HITECH NERC CIP PCI Cyber Risk | Compliance Risk | IT & Operational Risk Presentation and Data Analytics Dashboard Viewtrust is a multipurpose solution in the sense that it has core analysis and analytics engine and plugins available for different market verticals and their requirements or across different use cases as shown in this chart. For example, for Federal industry, Viewtrust offers FedRAMP and FISMA plugins to perform analysis based on NIST risk management framework using IA catalogs such as NIST 800-53. Viewtrust also offers a plugin in support of PCI compliance, as another example. Updates to these standards are added on an on-going basis, and can be stacked on-top of each other.  The product is licensed in such a way that each standard or control catalog can build on, or map back to, one another. Viewtrust provides cross-mapping, with the ability to generate multiple regulatory compliance documents efficiently. Input once and generate multiple outputs as required. The data itself can be used to create Enterprise view or Cyber situational view or Compliance view – depending on the use case the output can be customized.

Continuous compliance for hybrid cloud Enterprise Risk Management Virtual Datacenter / SDDC Unified View + Public/ Managed Cloud Private Cloud As previously stated, Viewtrust supports multiple cloud scenarios. In this example, the diagram shows a hybrid setup where the cloud-based infrastructure can provide the cloud-based compliance as a service component at different levels of the stack within a cloud as an infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or a software-as-a-service (SaaS). Through the inheritance capability, enterprises can inherit the underlying controls from the service providers and be able to create their own packages and then used that information for audit and compliance in a overall information system audit and compliance effort as well as the risk management effort. Automated Continuous Assessment for Risk and Compliance Automation of common SAP administrative functions improves service delivery while simultaneously reducing the human and physical resources required to perform those tasks

Viewtrust rapid roi Reduce compliance costs via efficiency through automation: Automate entire compliance lifecycle Facilitate efficient, collaborative, and consistent audit practice Support multiple compliance frameworks unified in one tool Reduce enterprise security tool TCO: Unify existing security tools and break data silos Automate risk analysis based on threat and impact analysis Automate identification and remediation of risk through workflow management Viewtrust provides a rapid return on investment made possible via automation. This includes: Automation in terms of data ingest, data analysis, quantitative risk analysis. Automation in terms of processing of large amount of data. Automation in terms of compliance, life cycle automation with a collaborative interface, build-in task management and workflow management that brings a high degree of efficiency. Also, the ability to generate different flavors of compliance audit and the risk view reports with a single click using built in mappings the product provides allows this view to be created by a singular input, but multiple outputs and the controls. Controls inheritance reduces the data input requirement by as much as 50% to 60% The templates provide the ability to maintain and update documents, and artifacts on an ongoing basis for both compliance and risks

Thank you.

Glossary Term Definition BIA Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency. ERM Enterprise Risk Management (ERM) is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. GRC Governance, risk management, and compliance (GRC) is the umbrella term covering an organization's approach across these three areas: Governance, risk management, and compliance Sensors Informational sources capable of providing reports based on the data its collected provided in any given format. (e.g. Tenable Security Center, McAfee ePO, Symantec CS) SIEM Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security. This slide lists a few common terms used in Viewtrust risk management and compliance conversations.