Thursday 11th March 2010
 
 
 
 

MetaCompliance Enterprise™


Product Overview

MetaCompliance Enterprise Version 3.1 is a comprehensive solution that helps organizations simplify, achieve, and sustain IT security and compliance across the enterprise. MetaCompliance enables compliance and security managers to automate the creation and control of business and IT policies, implement industry mandated compliance initiatives and manage and monitor acceptance among geographies, business units and personnel.

A major regulatory and legislative requirement surrounding compliance and governance is to measure the security posture of the organisation, document security policy and promote awareness of that policy among employees. MetaCompliance Enterprise version 3.1 automates the development, distribution and deployment of risk assessments and compliance policies across the enterprise.

Self Certification and Risk Assessment Enforcement

Staff awareness of governance and the risks of IT security failure is the cornerstone of all the major regulatory directives. The number of policies that an organisation must design, manage and monitor to become compliant with these directives has increased in recent years. Existing mechanisms for managing these, such as email and intranet, have proved ineffective in dealing with the main issue: demonstrating compliance. Organisations simply cannot prove that a user received, read or understood any given policy.

Risk and Policy Management for the Enterprise


At the heart of the MetaCompliance intelligent policy management engine is the unique ability to enforce user self certification and validate user understanding in order to ensure employee accountability and demonstrate compliance. Put simply, MetaCompliance allows organisations to force a response to policies, policy surveys and risk assessments, clearly demonstrating regulatory best practice.


"Define Policies: MetaCompliance helps organisations to create or revise policies quickly and accurately by transforming existing electronic policies into the MetaCompliance intelligent policy database."



Compliance Reporting

MetaCompliance Enterprise Version 3.1 provides a critical step to meeting the general due care and IT controls for compliance mandates. The software provides greater productivity and flexibility for managing the delivery of risk assessments and policies to the diversity of users that exists within the modern enterprise.

Joiners and Leavers

Compliance workflows will show significant activity surrounding employees during both the beginning and end of their career with an organisation. The latter is particularly true if the employee is leaving as a result of disciplinary action.

MetaCompliance assists in automating and managing this critical aspect of the compliance process, ensuring the agreement and understanding of company policy right through the career lifecycle of the employee.

Agentless Employee Interface

Access to created policies is provided via an intuitive web interface. This functionality allows employees and managers to access, on a permission basis, audit reports for policies and risk assessments.

Integration Into Other Risk Management Platforms

Using the power of the Microsoft .NET Framework, MetaCompliance has the capability to integrate into other risk management platforms and IT security software suites. This functionality allows managers to access a central compliance and IT security management console to manage all of their responsibilities, such as the creation, dissemination, management and reporting of policies and risk assessments.


MetaCompliance Enterprise administration screens, including the Dashboard, Policy Audit and Adoption Report screens.

Global Compliance Frameworks

MetaCompliance provides the best, most practical and cost effective solution to help organisations manage policies and demonstrate compliance with both new and existing regulations. In particular, the software provides an excellent backdrop for the commonly adopted best practice methodologies such as CoBIT, ITIL and ISO 27001. These IT governance frameworks provide an accepted, proven and sustainable way of dealing with the need to protect the integrity of the IT infrastructure upon which the organisation is built.

MetaCompliance helps deal with a key demand of these directives, which is to document security policy and promote awareness of that policy to employees across your organisation.

Security and Risk Committee Optimisation

The approvals process for compliance and IT security policies is a bottleneck in many organisations. Given the priority for self regulation within enterprises, it is imperative that this process is not impeded.

MetaCompliance improves the efficiency of compliance policy approvals by automating this business process. Through the adoption of a self certification process for Risk and Audit Committees, MetaCompliance greatly improves the effectiveness and output for IT security and compliance managers.

"Demonstrate Due Care: MetaCompliance reporting allows for the measurement and monitoring of the compliance interface between the employee and the organisation, thus providing evidence of due care to all stakeholders. Configurable reports and analyses demonstrate compliance at various levels, including geographical, departmental and single user."


Multi Site Capability

Regulation is increasingly becoming a global challenge for organisations. Multi-jurisdictional regulatory mandates such as PCI DSS compliance and Sarbanes-Oxley require a multinational and multilingual approach to ensuring the organisation is meeting governance obligations. MetaCompliance has been architected to allow global organisations to have a guaranteed method of ensuring the worldwide management and distribution of security and compliance policy documentation from a centralised point of enforcement.

Third Party Relationship Compliance

The single biggest challenge to the self regulation of an enterprise is the threat from within. A key source of this threat arises from trusted third parties. These might be within the firewall or have limited access to corporate data as a result of contractual arrangements or outsourcing. Whilst the typical compliance areas such as data protection and confidentiality are covered in the text of third party contracts, in reality it is difficult to ensure that internally held governance standards are communicated and adhered to by third party staff on a day to day basis.

MetaCompliance uses specific functionality that allows organisations to enforce the ongoing certification of potential new employees and third parties to company policies and risk assessments. By automating this often overlooked area of governance, MetaCompliance assists organisations in achieving a total view of their compliance posture.

Authentication Integration

In specific circumstances, it is imperative to prove that a particular user read and electronically signed a policy or took a risk assessment. MetaCompliance allows the compliance or IT security manager to leverage the organisation's internal authentication methods such as password, login or authentication solutions from companies like RSA.

This functionality will require the user to input their login credentials or a unique identifier, which will then be validated against the authentication server. The policy or risk assessment can only be submitted to the MetaCompliance policy administration server when this validation has happened.

MetaCompliance Policy Exchange

Many customers have invested in working solutions that contain their policies or indeed are a partial solution to self certification. Examples include document management systems, intranets, human resource applications and other security products. However the majority of these systems do not have the enforcement or compliance demonstration capabilities of MetaCompliance.

MetaCompliance Policy Exchange allows real time integration with other manufacturers’ applications or in-house document management solutions, to ensure ROI on existing investment. Based upon Microsoft’s BizTalk integration software, the MetaCompliance Policy Exchange functionality provides the link mechanism into other policy data stores that will allow the required self certification of users to create employee accountability.

Mobile Users

MetaCompliance has been carefully architected to ensure our solution adds value to your existing technology investments and, indeed, can improve the governance capabilities of these technologies. The solution integrates seamlessly into your IT infrastructure and allows you to obtain user self certification across multiple platforms, including desktops, laptops, PDAs and smart phones.

Native Citrix integration

A number of large organisations have integrated the Citrix access solution within their IT infrastructure strategy; in fact some companies are heavily dependent upon this technology for branch networks and remote access for users. MetaCompliance has been heavily field tested using Citrix and Microsoft Terminal Services. This has ensured that the Citrix user obtains the same policy delivery experience as a user on a PC desktop.

"Manage Compliance: MetaCompliance automates the translation of regulations such as PCI DSS and Governance frameworks like CoBIT, ISO 27001, and ITIL into IT security controls that help assess and demonstrate compliance. The organisation can then meet the key demand of these regulations, the documentation of policies and procedures, and can also enforce specific user response and implement remediation as appropriate."





Benefits

  • Lower the cost of the Policy Lifecycle
  • Manage the risk of Insider Threat
  • Demonstrate repeatable compliance
  • Deliver visibility of the Policy Lifecycle
  • Reduce management time and increase policy effectiveness
  • Enforce Policy activity and obtain user understanding
  • Intelligent Policy engine allows flexibility of policy deployment


Major features and characteristics.

Create
  • Browse and point to existing policies.
  • Create new policies from scratch
  • Bring all policies together – ISO17799, Health & Safety, Fire regulations.
  • Automatic policy versioning
   
Review
  • Optional approvals procedure.
  • Enforce review of policy.
  • Configurable workflow
   
Target
  • Specify user and groups to receive policy.
  • Determine options available for the user – Defer/Later, Mandate acceptance etc.
  • Configure outcomes for non acceptance – Log off, application lock-out etc.
  • Determine when users obtain policy – Log in, application launch etc.
  • Display clause, section or policy.
   
Schedule
  • Extensive scheduling capability
  • Determine duration of time for policy presentation.
  • Schedule frequency of delivery.
  • Ensure policies are phased to avoid policy dump following leave.
   
Survey
  • Determine user understanding.
  • Configurable multiple choice test generator.
  • Enforcement functionality available for survey.
  • Identification of user difficulty with survey questions.
  • Compliance assessment workflows.
   
Secure Audit
  • User activity is stored in a secure database.
  • Full querying and search capability.
  • Demonstrate compliance with audit trail functionality.
  • Full revision control over policies.
   
Library
  • Full policy history recorded.
  • Single store for all company policies and procedures.
  • Policy library by user and by group.
  • Access integrity means policy history cannot be changed.
   
Reporting
  • Policy adoption reports
  • User issue reporting
  • User understanding analysis.
  • Compliance reporting
  • Policy scheduling reports.
   
Enforcement
  • Unavoidable presentation of policies and notices to the user.
  • CTRL ALT DEL use by the user defeated.
  • Mandatory policies ensure user response.
  • Non agreement with policy results in log off or application lock-out.
   
Resilience
  • Resilience built into solution to avoid enforcement failure.
   
Small IT footprint
  • Integration with the user designed with minimal presence on the desktop.
  • Application optimized for low bandwidth usage.
   
Non IT users
  • Barcode functionality available for non computer users
  • Integrated into Policy Communicator audit and Library capability.
   
Scalability
  • The use of distributed application framework architecture (Service Orientated Application) allows for flexible deployment options and scaling for the enterprise.
  • Using the interoperability capability of the Microsoft .NET framework, integration with legacy and desktop applications is straightforward.
   
Unattended installation
Installation is accomplished through MS ClickOnce technology as part of MS .NET 2.0. Installation can also be done via SMS packages, MSI installs, Active Directory Group Policy install or scripted install.
   
Disconnected/Remote Computer
MPE integrates seamlessly with MetaCompliance Laptop. This is software that resides on the disconnected PC or Laptop and which ensures the communication of remote working and laptop policies when the device is not connected to the office domain. The audit file on the laptop is then synchronized with MPE once the computer reenters the network.
   
Microsoft .Net Framework based
MetaCompliance Enterprise has been developed using the Microsoft .NET framework. Not only does this mean that MetaCompliance runs fast, but the .NET framework also includes the most widely accepted integration development environment. Using Microsoft as a strategic partner has meant that MetaCompliance can implement rich user interfaces into desktop applications and supports ASP.NET, Windows clients and Rich Client interfaces.
MetaCompliance Enterprise is a Service-Oriented Application which uses all of the scalability of the .NET unified framework. This distributed application framework provides:
  •   Interoperability & Integration
  •   Secure, Reliable, Transacted Messaging
  •   Decoupled, Dynamic Applications
MetaCompliance Enterprise is Microsoft Vista ready.
   
Active Directory and eDirectory support
Map access rights to users or user groups of an existing Active Directory Domain and Novell eDirectory objects.
 
 
 


"Experts estimate the process of writing IT Security Policies can take 3-6 months, with no guarantees that policies will continue to cover all aspects of the changing regulations that govern IT security."

Judith O'Connor, CEO ECMP
 
 
 

Download brochure

For a product overview of MetaCompliance Enterprise in PDF format, please see our brochure.

MetaCompliance Enterprise overview.pdf – (PDF, 1.2MB)

 
 
 
Copyright Baronscourt Technology, © 2010. All Rights Reserved.