Pharmaceuticals firm Novartis has developed software to
automatically monitor and report on the security of more than 150
critical web servers, firewalls and switches to help meet its
compliance obligations under Sarbanes-Oxley and other
regulations.
The company has worked with a Swiss software specialist to
develop Setrasys, a set of tools that gives external auditors an
up-to-date snapshot of security vulnerabilities in its systems,
including how long the vulnerabilities were present and how long
they took to fix.
The system, which went live last year, has significantly cut
down the time needed by auditors to confirm regulatory compliance,
and is enabling Novartis to respond rapidly to any auditing
queries.
“For us, the benefit is we don’t have any unexpected surprises.
If suddenly an auditor finds something wrong, the cost of the
follow-up work is enormously high. If we can show and prove what
happened, the surprise factor is gone,” said Andreas Wuchner, head
of global IT security at the firm.
Setrasys is designed to give auditors confidence that Novartis’
IT staff are patching critical security vulnerabilities as rapidly
as possible. It analyses the servers with external internet
connections, which are the systems that fall within the scope of
Sarbanes-Oxley.
The software runs the Qualys vulnerability scanning engine and
turns its results into auditor-ready reports. Within 24 hours of a
new security vulnerability being published, it scans all computers
on the network to identify those that are affected. It then issues
IT staff with job tickets and target fixing times based on the
severity of the problem.
From a single terminal, the system also gives auditors a
complete view of the security history of all the critical servers
on the network, said Wuchner.
The company runs a separate vulnerability scanning system,
Kaizen, also based on the Qualys scanning engine, to monitor
security vulnerabilities in its internal networks, covering
more than 10,000 PCs and thousands of servers.
Novartis first began work with its external auditors to find a
way of automating compliance audits of its IT systems three years
ago.
It worked with a Swiss integrator to develop the system, which
is written in Java, and uses a SQL database to match
vulnerabilities identified by the Qualys scanning technology to
Novartis’ networked devices and infrastructure.
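The article describes the pipeline in outline only: scanner findings are matched to an inventory of networked devices in a SQL database, each new finding becomes a job ticket with a target fixing time set by severity, and auditors can later ask how long a vulnerability was present and how long it took to fix. The following is an added illustration of that matching-and-reporting step, written here for this page; it is not Setrasys code, and it uses an in-memory SQLite database rather than Novartis’ Java application and database. The device names, the finding identifiers, the scan results and the target fixing times per severity are all constructed or assumed for the demo.

```python
"""Model of the scan -> ticket -> audit-report flow described above.

Added example, not Novartis' Setrasys code. All hosts, finding IDs, scan
results and the per-severity target fixing times are constructed here.
"""
import sqlite3
from datetime import datetime, timedelta

# Target fixing time in days per severity: an assumption for the demo,
# not the thresholds the article attributes to Novartis.
TARGET_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}

SCHEMA = """
CREATE TABLE device (
    host            TEXT PRIMARY KEY,
    role            TEXT NOT NULL,
    internet_facing INTEGER NOT NULL    -- 1 = external connection (in scope)
);
CREATE TABLE sla (
    severity    TEXT PRIMARY KEY,
    target_days INTEGER NOT NULL
);
CREATE TABLE finding (
    id         INTEGER PRIMARY KEY,
    host       TEXT NOT NULL REFERENCES device(host),
    vuln_id    TEXT NOT NULL,
    severity   TEXT NOT NULL REFERENCES sla(severity),
    first_seen TEXT NOT NULL,   -- first scan that reported it (ISO 8601)
    fixed_at   TEXT             -- first later scan that no longer reported it
);
"""

# One row per in-scope finding with its exposure window and SLA verdict.
AUDIT_SQL = """
SELECT f.host, d.role, f.vuln_id, f.severity, f.first_seen, f.fixed_at,
       ROUND(julianday(COALESCE(f.fixed_at, :now))
             - julianday(f.first_seen), 2) AS days_exposed,
       s.target_days,
       CASE
         WHEN f.fixed_at IS NULL
              AND julianday(:now) - julianday(f.first_seen) > s.target_days
              THEN 'OVERDUE'
         WHEN f.fixed_at IS NULL THEN 'OPEN'
         WHEN julianday(f.fixed_at) - julianday(f.first_seen) <= s.target_days
              THEN 'FIXED_IN_TARGET'
         ELSE 'FIXED_LATE'
       END AS status
FROM finding f
JOIN device d ON d.host = f.host
JOIN sla s ON s.severity = f.severity
WHERE d.internet_facing = 1
ORDER BY f.first_seen, f.host, f.vuln_id;
"""


def open_db(devices):
    """Create the inventory and SLA tables; devices = [(host, role, facing)]."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO device VALUES (?, ?, ?)", devices)
    conn.executemany("INSERT INTO sla VALUES (?, ?)", TARGET_DAYS.items())
    conn.commit()
    return conn


def ingest_scan(conn, scan_time, scanned_hosts, results):
    """Reconcile one scan run against the open findings.

    results: (host, vuln_id, severity) tuples the scanner reported.
    scanned_hosts: every host the run covered, including clean ones, so a
    finding that disappears from a scanned host can be marked fixed.
    Returns the job tickets to raise for findings seen for the first time,
    each with a target fix date derived from its severity.
    """
    seen = {(h, v) for h, v, _ in results}
    tickets = []
    for host, vuln_id, severity in results:
        open_row = conn.execute(
            "SELECT id FROM finding WHERE host=? AND vuln_id=? AND fixed_at IS NULL",
            (host, vuln_id)).fetchone()
        if open_row:
            continue  # still open and already ticketed
        conn.execute(
            "INSERT INTO finding (host, vuln_id, severity, first_seen) VALUES (?,?,?,?)",
            (host, vuln_id, severity, scan_time.isoformat()))
        tickets.append({"host": host, "vuln_id": vuln_id, "severity": severity,
                        "due": scan_time + timedelta(days=TARGET_DAYS[severity])})
    # A finding that a scanned host no longer reports is closed at this scan.
    for fid, host, vuln_id in conn.execute(
            "SELECT id, host, vuln_id FROM finding WHERE fixed_at IS NULL").fetchall():
        if host in scanned_hosts and (host, vuln_id) not in seen:
            conn.execute("UPDATE finding SET fixed_at=? WHERE id=?",
                         (scan_time.isoformat(), fid))
    conn.commit()
    return tickets


def audit_report(conn, now):
    """Rows an auditor would see: exposure window and SLA status per finding."""
    conn.row_factory = sqlite3.Row
    return [dict(r) for r in conn.execute(AUDIT_SQL, {"now": now.isoformat()})]


def demo():
    # Constructed inventory: two internet-facing devices and one internal PC.
    conn = open_db([("web01", "web server", 1), ("fw01", "firewall", 1),
                    ("pc-lab", "workstation", 0)])
    t0 = datetime(2005, 3, 1, 8, 0)
    # Scan 1 (constructed): three findings, three tickets raised.
    ingest_scan(conn, t0, {"web01", "fw01", "pc-lab"}, [
        ("web01", "QID-1001", "critical"),
        ("fw01", "QID-2002", "high"),
        ("pc-lab", "QID-1001", "critical"),
    ])
    # Scan 2, two days later: web01 patched, fw01 still vulnerable.
    ingest_scan(conn, t0 + timedelta(days=2), {"web01", "fw01"},
                [("fw01", "QID-2002", "high")])
    return audit_report(conn, now=t0 + timedelta(days=10))


if __name__ == "__main__":
    for row in demo():
        print(row["host"], row["vuln_id"], row["severity"],
              row["days_exposed"], "days", row["status"])
```

In the constructed run the audit view reports the critical finding on `web01` as fixed after two days against a one-day target, and the high finding on `fw01` as still open and overdue after ten days; the internal workstation never appears because the report is filtered to internet-facing devices, matching the article’s distinction between the Sarbanes-Oxley scope and the separate internal scanning system. Recording `first_seen` and `fixed_at` from scan timestamps, rather than from when a ticket is closed by hand, is what lets the exposure figures stand up to an auditor.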