Pharmaceuticals firm Novartis has developed software to automatically monitor and report on the security of more than 150 critical web servers, firewalls and switches to help meet its compliance obligations under Sarbanes-Oxley and other regulations.
The company has worked with a Swiss software specialist to develop Setrasys, a set of tools that gives external auditors an up-to-date snapshot of security vulnerabilities in its systems, including how long the vulnerabilities were present and how long they took to fix.
The system, which went live last year, has significantly cut down the time needed by auditors to confirm regulatory compliance, and is enabling Novartis to respond rapidly to any auditing queries.
“For us, the benefit is we don’t have any unexpected surprises. If suddenly an auditor finds something wrong, the cost of the follow-up work is enormously high. If we can show and prove what happened, the surprise factor is gone,” said Andreas Wuchner, head of global IT security at the firm.
Setrasys is designed to give auditors confidence that Novartis’ IT staff are patching critical security vulnerabilities as rapidly as possible. It analyses servers with external internet connections, which fall under Sarbanes-Oxley.
The software generates auditor-ready outputs after running the Qualys vulnerability scanning engine. Within 24 hours of a new vulnerability being disclosed, it scans all computers on the network to identify those that are affected. It then issues IT staff with job tickets and target fixing times based on the severity of the problem.
From a single terminal, the system also gives auditors a complete view of the security history of all the critical servers on the network, said Wuchner.
The company runs a separate vulnerability scanning system, Kaizen, also based on the Qualys scanning engine, to monitor security vulnerabilities in its internal networks, which cover more than 10,000 PCs and thousands of servers.
Novartis first began work with its external auditors to find a way of automating compliance audits of its IT systems three years ago.
It worked with a Swiss integrator to develop the system, which is written in Java, and uses a SQL database to match vulnerabilities identified by the Qualys scanning technology to Novartis’ networked devices and infrastructure.
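Setrasys itself is not public. As an added illustration (not Novartis' or the integrator's code), the Python sketch below does the two things the article describes, matching scan findings to devices in a SQL table and reporting how long each vulnerability was exposed and whether its severity-based fix target was met, using constructed findings and assumed target fix times.

```python
import sqlite3

# Constructed sample findings (not Novartis data): one row per host/vulnerability,
# recording when a scan first reported it and when a rescan confirmed the fix.
FINDINGS = [
    # host, scanner_id, severity (1-5), first_seen, fixed_on (None = still open)
    ("web01", "QID-1001", 5, "2024-03-01", "2024-03-03"),
    ("web01", "QID-1002", 3, "2024-03-01", None),
    ("fw01",  "QID-2001", 4, "2024-02-20", "2024-03-10"),
    ("sw01",  "QID-3001", 2, "2024-02-01", "2024-02-05"),
]
# Assumed fix-time targets per severity in days; the real ticket targets are not on the page.
TARGET_DAYS = {5: 2, 4: 7, 3: 30, 2: 90, 1: 180}


def build_db(findings=FINDINGS, targets=TARGET_DAYS):
    """Load findings and severity targets into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE findings(host TEXT, scanner_id TEXT, severity INTEGER,
                              first_seen TEXT, fixed_on TEXT);
        CREATE TABLE targets(severity INTEGER PRIMARY KEY, target_days INTEGER);
    """)
    conn.executemany("INSERT INTO findings VALUES (?,?,?,?,?)", findings)
    conn.executemany("INSERT INTO targets VALUES (?,?)", targets.items())
    return conn


def audit_snapshot(conn, as_of):
    """Per finding: days exposed (until fixed, or until as_of if still open) and target breach."""
    rows = conn.execute("""
        SELECT f.host, f.scanner_id, f.severity, t.target_days,
               CAST(julianday(COALESCE(f.fixed_on, ?)) - julianday(f.first_seen) AS INTEGER),
               f.fixed_on IS NULL
        FROM findings f JOIN targets t ON t.severity = f.severity
        ORDER BY f.host, f.severity DESC
    """, (as_of,)).fetchall()
    return [
        {"host": h, "id": i, "severity": s, "target_days": t,
         "days_open": d, "still_open": bool(o), "breached": d > t}
        for h, i, s, t, d, o in rows
    ]


def summary(snapshot):
    """Headline numbers an auditor asks for: findings still open and fix targets breached."""
    return {"open": sum(r["still_open"] for r in snapshot),
            "breached": sum(r["breached"] for r in snapshot)}


if __name__ == "__main__":
    snap = audit_snapshot(build_db(), "2024-03-15")
    for row in snap:
        print(row)
    print(summary(snap))
```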