Recently in Customers in the News Category

The greater Los Angeles metropolitan area has noticed and rewarded First Federal by helping it grow to the fourth largest Los Angeles-based financial institution, with thirty-nine branches and assets exceeding $6 billion.

To ensure that its systems are both secure from breaches and always available to its customers, the bank's IT and security team relies on QualysGuard.

"QualysGuard is accurate and easy-to-use," says Brian Rodeck, vice president, technical services manager at First Fed. "We wanted to have as current and as accurate a view of the status of our systems as possible, and that requires automated assessments and an up-to-date database."

"QualysGuard's reports help us to focus on the areas we need to. For instance, we can generate reports that give business managers the information they need to know, or we can create reports that will help us to focus on any critical, pressing vulnerabilities. It helps us know what matters right now," says Thomas Tse, network security officer at First Fed. "When QualysGuard finds a vulnerability, it doesn't just kick out an alert that states 'you have this vulnerability' -- it details how that vulnerability can be secured."

Click here to read more about how First Federal assesses its vulnerabilities with QualysGuard.
Since 1997, online payroll and HR services provider Paylocity has delivered innovative payroll services and human resource software to employees and businesses throughout the country. Paylocity now serves nearly 5,000 clients and maintains an enviable 97 percent client retention rate.

Previously, to keep systems secure, Paylocity relied on a number of manual vulnerability scanners. But as the number of systems and the complexity of applications grew, those scanners could not keep pace.

"They required a lot of updating and maintenance. And there were too many false positives for us to deal with," recalls Edward Fortune, director of information technology at Paylocity.
"I read about Qualys in an article that listed the top 10 vulnerability assessment tools, and QualysGuard was high on the list." After conducting the first assessment, Fortune was impressed. "I was simply amazed by how many items QualysGuard was able to accurately identify," he says.

"The information QualysGuard provides is something that normally would take me an entire day, or even a week, depending on how many vulnerabilities we're managing, if I were to research all of that manually," he says. "Now, it's done in hours. And I understand everything: the problem, the potential exposure, and all of the available fixes. This is a significant amount of time savings, month after month, especially when you consider the amount of effort it takes to manually identify vulnerabilities and research the potential impact of vulnerabilities on your system. It's just tremendous."


Click here to read more about how Paylocity efficiently and effectively maintains the security of its systems.
Originally founded in 1999 as the Web portal Furniture.com, the company quickly became the furniture industry's leading e-commerce destination. Building on that success, Blueport Commerce took its decade of experience and developed an e-commerce platform designed for big-ticket retailers, including furniture, flooring and lighting, to help them deliver increased profits. Blueport Commerce now services more than 2,000 stores that represent more than $8 billion in sales.

Every day, Blueport Commerce processes credit card transactions made on its customers' sites, so it must comply with the Payment Card Industry Data Security Standard (PCI DSS). Additionally, its retail customers need the assurance that Blueport Commerce's systems meet the highest security standards.

"Contending with security and compliance is a by-product of being an e-commerce company, and is an ever-growing concern," says Morgan Woodruff, chief operating officer at Blueport Commerce. "Compliance and security are must-haves in our market segment, so we have to do our best to meet, and even exceed, rules and regulations."

"We scan our entire public IP network every night," explains Fotios Magoufis, director of IT operations at Blueport Commerce. "Through automated, segmented scans we are constantly assessing the infrastructure. We're very pleased with our decision - Qualys has lived up to its reputation for being the best security and compliance product on the market."

Click here to read more about how Blueport Commerce remains compliant with PCI DSS and assures its customers that its systems operate to the highest security standard.
Ranked as one of the oldest and largest top public research universities in the nation, University of Utah's IT infrastructure consists of thousands of servers and tens of thousands of endpoints totaling more than 30,000 individual IP addresses.

Like most regulated organizations, the university's IT security and compliance teams are always under pressure to ensure that the business is running both securely and in compliance.

The network assessment tools the university had relied on were not only inaccurate, but also could not support functional automated scan cycles. They would also often crash the systems being evaluated.

"Our security program is finally getting to the point we wanted to reach all along: where the vulnerability scans are transparent," said David Feyler, manager of information security operations for the University of Utah. "It's as if there was this angst when the security team showed up before, and, 'oh no, we are going to get scanned again.' That's all gone now."

Click here to read more about how QualysGuard was able to reduce the University of Utah's IT risks associated with system misconfigurations and vulnerabilities and achieve automation, accuracy, and transparency.
Moving away from manual network assessments to an automated vulnerability management program, OfficeMax Mexico, which manages 78 OfficeMax Superstores throughout the country, streamlined PCI DSS compliance and also improved the accuracy of its assessment scans.

"QualysGuard has been easy for us to deploy, and makes it possible for us to secure our systems, save time, and maintain PCI compliance more easily," said Ricardo Rodriguez, Information Security Manager for OfficeMax Mexico.

QualysGuard provides OfficeMax Mexico a proactive way to protect the company's network throughout the entire vulnerability management lifecycle, including asset discovery, asset prioritization, vulnerability assessment and analysis, remediation, and fix verification. And its highly flexible, on-demand architecture means that it's easy for each of OfficeMax's team members to successfully meet their individual security responsibilities.

Click here to read more about how OfficeMax Mexico streamlined PCI DSS compliance and improved the accuracy of its assessment scans.
Keeping organizational IT security risks low requires careful planning, diligence, continuous execution of a risk management program, and the support of every employee. One of the most important aspects of ING Singapore's security management program has everything to do with keeping every employee informed, through an ambitious security awareness program. ING Singapore invests significant effort to make sure its networks and systems are configured properly and protected by various layers of defenses, which include anti-virus applications, intrusion detection and prevention systems, and data leakage applications.

"Vulnerability assessment is an important activity within our security management framework," says Mangaraja Saut Martua, Manager, Information Protection and Business Continuity Management for ING Singapore. "It's how we find systems that are not in policy, locate those that need software patches, and then verify that our patches have been installed properly." For ING Singapore, with 1,000 systems, that's no small task. For vulnerability assessments, Martua uses QualysGuard, from Qualys Inc. "QualysGuard provides us with very precise reports on which we can act quickly."

Click here to read more about how ING Singapore assesses its vulnerabilities with QualysGuard.
With more than 900 staff, and a production cycle that sees plays staged across three theatres, the National Theatre has a demanding audience to please. But while the quality of its productions is the key to attracting customers, National Theatre bosses are aware that with £18m coming in through online ticket sales each year, processing those transactions securely is vital to maintaining its reputation.

To comply with the payment card industry data security standards (PCI DSS), the National Theatre recently decided to deploy Qualys' on-demand security suite, QualysGuard. Previously, the National Theatre had tried to achieve compliance by employing external penetration (pen) testers and auditing companies.

"When you examine the amount of man hours QualysGuard saves us in our own manual scans and the cost of hiring external third parties, the return on investment is clear," says Richard Bevan, the National Theatre's IT security manager. The National Theatre has about 60 servers, 1,000 networked workstations, its own datacentre and disaster recovery site, and hosts and manages its own web site. The use of on-demand security systems has made it easier to secure the infrastructure when changes are made. "[QualysGuard PCI] is also used to check the security of its web applications, along with testing third-party code. For our own peace of mind, we also use web application firewalls. From my point of view, the fact that Qualys is always updating the functionality of the system is another significant plus point, so you're always getting new features," adds Bevan.

With its six casinos offering more than 340,000 square feet of gaming space outfitted with 7,000 slot machines and 400 gaming tables, 1,416 guest rooms, meeting space and conference rooms, Foxwoods Resort Casino needed to find the most efficient way to discover and fix system vulnerabilities, and to maintain regulatory compliance.


Central to running its enterprise and IT infrastructure is making sure Foxwoods casino's financial, ERP, and guest management systems and its Web site stay up and running, free from viruses, spyware, and criminal hacks. Also, because Foxwoods accepts reservations online, and even runs its own online shopping site, it must comply with the Payment Card Industry Data Security Standard (PCI DSS).


"QualysGuard is our main tool for PCI compliance. It's fully automated and helps with many of the tasks associated with PCI, from assessing relevant systems to providing full reports to the acquiring bank," says Leonard A. Szczygiel, Network Engineer, at Foxwoods. "And we needed a clear way to quantify the security information we were telling our management about. We would discuss the risks of not patching certain systems, and management wouldn't really get what we were trying to explain to them.  Now thanks to the QualysGuard, they do." 


Click here to read more about how Foxwoods Resort Casino assesses and reports its PCI compliance.

Ignite Media Solutions, a marketing services firm, collects and processes Level 1 payment information for its clients. With multiple millions of transactions annually, Ignite must remain compliant with the Payment Card Industry Data Security Standard (PCI DSS).

To operationalize its IT security and PCI compliance program, Ignite deployed network monitoring, log management, and file integrity monitoring software. Central to these efforts is proactively managing all of the software vulnerabilities, configurations, and security policies of its IT systems.

"The quality of Qualys' PCI DSS certification documentation set it apart from its competition," said Mike DeMatteo, PCI Compliance Administrator for Ignite Media Solutions. "The documentation makes applying QualysGuard to the PCI requirements a no-brainer. The other companies I researched didn't do this; it was like pulling teeth to just find out what PCI requirements the others actually covered. Qualys just pulls it all together, making it so easy that one doesn't have to be an information security expert to attain PCI compliance. It's easy to use, does network discovery and mapping, and its dashboard provides the information we need."

Click here to read more about how Ignite Media implements and maintains PCI compliance.

Security executives and thought leaders from leading organizations presented their security and compliance best practices at the Qualys booth during RSA '09. Each speaker discussed how they are using Qualys' security-as-a-service suite to secure their organization and comply with industry regulations. Full presentations can be seen here:

With the goal of improving and enhancing the Ohio Dominican University IT security and risk management program, Ohio Dominican began a year-long journey to build an optimized set of security management processes. Some of the initial enhancements included creating a security awareness program and streamlining the university's vulnerability management process, as well as gaining more near real-time insight into network security events.

"We chose QualysGuard as it not only helps us to secure our systems better, but it adds value because it makes us more efficient. It streamlines our vulnerability management efforts so that we can focus better on innovative IT initiatives that add value to the university," stated Mike Young, CIO.

Click here to read more about how Mike Young and his team added 100 improvements to the university's IT security program.
For on-demand Web Content Management (WCM) provider Clickability, the benefits of Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) offer more efficiency and affordability than traditional software. In an effort to reduce its carbon footprint and create a greener enterprise, Clickability supports the reliability and sustainability of the green SaaS model. In fact, the company runs its entire business via SaaS-delivered solutions.

When Clickability sought a way to secure its infrastructure, which houses and delivers content for a spectrum of global brands in financial services, technology, broadcasting, and publishing, it turned to Qualys and its on-demand SaaS IT risk and compliance management platform, QualysGuard.

"Qualys is the most accurate [vulnerability assessment solution] we've used, and the SaaS solution makes it easy and transparent because we don't have to maintain the server or the software, or manage the updates," says Tom Cignarella, VP of Technical Operations, Clickability. "And, because Qualys is the leading vulnerability assessment provider, most of our customers are familiar with QualysGuard's reputation and are happy to know that it's part of how we keep their information secure."

Click here to read more about how Clickability easily manages, builds and maintains its secure infrastructure.
With the rising need to secure employee and student data and increased regulatory compliance demands, University of Idaho sought a way to enhance the effectiveness of its vulnerability and risk management program.

"QualysGuard is accurate and easy to use. We didn't trust the open source tool we were using, and we couldn't get consistent results. Each time someone ran a scan, the settings and the results were different. With QualysGuard, anyone on my team can use it, and its results are accurate and consistent," says Dave Lien, Networks and Systems Manager, University of Idaho.

In addition, because Qualys is an approved PCI scanning vendor, the university is able to scan and validate the security and PCI compliance of the systems that serve as gateways to their credit card processors. "Using QualysGuard, anyone can quickly complete and submit the PCI self-assessment questionnaire, and perform pre-defined PCI scans on all relevant systems to identify and resolve network and system vulnerabilities," added Dave.

Click here to read more about how University of Idaho restructured its approach to PCI compliance.
SC Magazine speaks with Isabelle Theisen, CSO of First Advantage (FADV). Theisen shares how QualysGuard has enabled FADV, with more than 4,500 employees spread across the globe, to prioritize their security threats and risks.

"A technical solution like Qualys provides us with a real-time scorecard of vulnerabilities existing in our IT environment, and then allows us to take immediate measures against these vulnerabilities based on risks. QualysGuard identifies vulnerabilities on FADV systems. This can be a very time-consuming activity to perform without an automated solution. Also, the Qualys tool helps FADV assess these vulnerabilities based on specific risks. That is, it allows the IT staff to prioritize the remediation action items in 'buckets,' starting with high-risk action items - instead of trying to resolve everything at once."

"With Qualys, we are able to assess vulnerabilities following a two-tier approach: vulnerabilities are assigned an 'inherent' risk based on the operating system vendors' suggested risk rankings, and vulnerabilities are assigned a 'customized' risk based on the relevancy of the vulnerability for the company and the criticality of the systems impacted."

"Qualys has always been an integral component within our security risk management program for our high- and medium-risk computer systems (we have implemented a methodology to calculate the risks of our systems). With Qualys, we have a 'living' baseline of security levels for our systems across multiple locations with minimal time and labor from the security department and IT department."

Click here to read the full interview.
As an honoree of Information Security's Security 7 award, Michael Mucha addresses Security for the Masses, highlighting his team's attention to secure collaboration and proactive investments in SaaS and other outsourcing ventures enabling focus on risks specific to the Stanford Hospital environment.


Hear what Qualys customers have to say about their experience with QualysGuard®.

To view the full-length interviews, visit:
http://www.qualys.com/customers/testimonials/

Doug Spaw, network engineer for VSR Financial Services, wanted to achieve effective and efficient IT security and risk mitigation while ensuring regulatory compliance for the organization's 80,000+ clients and 300+ registered users.

"We selected QualysGuard because of the simplicity of its SaaS model. You set it up, and it just works," stated Doug.  "We rely on QualysGuard Express to scan more than 128 IP addresses, which includes our internal servers and systems as well as all of the company's Internet-facing devices. The reports from these assessments are very detailed, which helps us to resolve any issues we find quickly."

QualysGuard will also keep VSR Financial Services prepared for all possible future regulations that will affect the broker/dealer industry. To read more about how Doug addresses threats without the substantial cost, resource demands, and deployment hassles associated with traditional software scanners, visit:
http://www.qualys.com/docs/customers/casestud/VSR.pdf
Information Security reporter Neil Roiter speaks with Victor Hsiang, director of the information security architecture group at TransUnion. Victor shares how the Qualys Software-as-a-Service (SaaS) model has enabled TransUnion, a global consumer credit reporting bureau, to streamline and easily extend its vulnerability management program to many locations.

"The product approach requires individual purchases of the license at each location, purchasing a platform to load licenses on and administration of that platform, then the care and feeding of it," says Victor Hsiang, director of TransUnion's information security architecture group. "With the service approach, from a corporate perspective, we can pick up the cost of Qualys and absorb the business units into the whole process."

Hsiang will beta test the Policy Compliance module at TransUnion, and expects it to integrate with his group's program of using the vulnerability management service and a central database to certify systems through a cycle of vulnerability scanning, ticketing and remediation.

"We won't have to reinvent the wheel; the compliance module fits into the architecture we've developed for tracking and fixing vulnerabilities," says Hsiang.

Click here to read the full interview.

"The biggest thing we focus on with all of this is control of the data," says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, and radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. The most critical of those items include whether or not the service provider complies with SAS 112 audit requirements (which apply to nonprofits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.

Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. "We have complete access to the data, and we are the only ones with control of the authentication," Mucha says. "The point is that you need a consistent approach to all these situations."
"SaaS opened our eyes to a new way of doing things. With QualysGuard, we didn't need to install any software or infrastructure. QualysGuard runs on Qualys' own secure global infrastructure, so we run security audits on-demand over the Internet with a standard Web browser. The application automatically finds all vulnerabilities on our local and remote network, provides directions to our IT staff for remediation, and submits PCI audit reports to our acquiring banks."