Agenda

• What is Compliance?
• Risk and Compliance Management
• What is a Framework?
• ISO 27001/27002 Overview
• Audit and Remediate
• Improve and Automate
What was Compliance?
What is Compliance?
• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management than it is about technology
Risk & Compliance Mgmt
[Diagram: the risk and compliance management cycle. Drivers (Regulations, Partners/Customers, Risk Assessment) feed a Control Framework; the framework is expressed through Policy and Awareness, verified by Assessments and Audits, and followed by Treat Risks, Improve Controls and Automate Process.]
Risk and Compliance Approaches
Minimal
• Annual / Project-based Approach
• Minimal Repeatability
• Only Use Technologies Where Explicitly Prescribed in Standards and Regulations
• Minimal Automation
Sustainable
• Proactive / Planned Approach
• Learning Year over Year
• A Framework is in Place
• Compliance and Enterprise Risk Management are Aligned
Optimized
• Regulatory Requirements are Mapped to Standards
• Use Technologies to Reduce Human Factor
• Leverage Controls Automation Whenever Possible
• Process is Automated
Identify Drivers
[Diagram: the risk and compliance management cycle, highlighting the drivers: Regulations, Partners/Customers and Risk Assessment.]
Identify Drivers
Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.
Managing compliance is fundamentally about managing risk.
Identify Drivers
• Risk Assessment
  – Identify unique risks and control requirements
• Partners / Customers
  – Partners represent potential contractual risk
  – Customers present privacy concerns
• Regulations
  – Regulatory risk is considered as part of overall risk
Develop Program
[Diagram: the risk and compliance management cycle, highlighting the program elements: Control Framework and Policy and Awareness, fed by Regulations, Partners/Customers and Risk Assessment.]
What is a Control?
Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
*Source: ITGI, COBIT 4.1
What is a Framework?
A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.
A framework is a structure upon which to build strategy, reach objectives and monitor performance.
Why use a framework?
• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements
Frameworks and Control Sets
• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific – i.e. PCI
• Custom
ISO 27001/27002
• Information Security Framework
• Requirements and guidelines for development of an ISMS (Information Security Management System)
• Risk Management a key component of ISMS
• Part of ISO 27000 Series of security standards
A Brief History of ISO 27001
[Timeline]
• BS 7799-1: Code of Practice
• BS 7799-2: Specification
• BS 7799-2 revised in 2002
• Adopted as international standard (ISO 27001) in 2005
A Brief History of ISO 27002
[Timeline]
• BS 7799-1: Code of Practice
• Adopted as international standard as ISO 17799 in 2000 ("Information Technology: Code of Practice for Information Security Management")
• Revised in 2005
• Renumbered to 27002 in 2007
• BS 7799-2 (Specification), revised in 2002, follows the separate ISO 27001 timeline above
ISO 27001 and 27002
ISO 27001
• Requirements
• Auditable
• Certification
ISO 27002
• Best Practices
• More depth in controls guidance
Shared Control Objectives (common to both standards)
ISO 27001 – Mgmt Framework
• Information Security Management Systems – Requirements (ISMS)
  – Process approach
    • Understand organization’s information security requirements and the need to establish policy
    • Implement and operate controls to manage risk, in context of business risk
    • Monitor and review
    • Continuous improvement
ISO 27001
[Diagram: the Plan-Do-Check-Act cycle applied to the ISMS]
• Plan: Establish ISMS
• Do: Implement and Operate ISMS
• Check: Monitor and Review ISMS
• Act: Maintain and Improve ISMS
ISO 27002 – Controls Framework
ISO 27002 Security Control Domains
Risk Assessment and Treatment
Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Building a Framework
[Diagram: the ISO 27002 control domains arranged around Protected Information: Risk Assessment & Treatment, Security Policy, Organizing Information Security, Asset Management, Human Resources Security, Physical and Environmental Security, Communications and Operations Management, Access Control, IS Acquisition, Development and Maintenance, Information Security Incident Management, Business Continuity Management, Compliance.]
ISO 27002: Code of Practice for Information Security Management
Practical Uses for Certification
Regulatory Compliance
• “Best Practice” approach to handling sensitive data and overall security program
Internal Compliance
• Implement security as an integrated part of the business and as a process
Third Party Compliance
• Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.
ISO 27000 Series of Standards
• ISO/IEC 27000:2009 - Overview and vocabulary
• ISO/IEC 27001:2005 - Requirements
• ISO/IEC 27002:2005 - Code of Practice
• ISO/IEC 27003 - ISMS Implementation Guidance*
• ISO/IEC 27004 - Measurement*
• ISO/IEC 27005:2008 - Risk Management
• ISO/IEC 27006:2007 - Auditor Requirements
• ISO/IEC 27007 - ISMS Audit Guidelines*
*In Development
Frameworks Comparison
COBIT
• Strengths: Strong mappings; Support of ISACA; Availability
• Focus: IT Governance; Audit
ISO 27001/27002
• Strengths: Global Acceptance; Certification
• Focus: Information Security Management System
ITIL
• Strengths: IT Service Management; Certification
• Focus: IT Service Management
NIST 800-53
• Strengths: Detailed, granular; Tiered controls; Free
• Focus: Information Systems; FISMA
Controls Mapping
[Diagram: a Framework of Controls built on Corporate Policy, with the regulations PCI, SOX and GLBA mapped into it.]
PCI Data Security Standard
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access…
Controls Mapping
[Diagram: the same Framework of Controls, now showing PCI, GLBA and SOX requirements all mapped to a single Corporate Policy.]
Benefits:
• Alignment of corporate policy
• Custom interpretation of regulations
• Single assessment effort provides complete view
Logging and Monitoring
PCI – Requirement 10
ISO 17799 – Section 10.10
Audit and Remediate
[Diagram: the risk and compliance management cycle, highlighting Assessments, Audits and Treat Risks, which follow the Control Framework and Policy and Awareness built from Regulations, Partners/Customers and Risk Assessment.]
Organization Example
[Diagram: organizational units (IT Service Desk, Information Security, Software Delivery, Internal Audit), each aligned to a different framework (ITIL, ISO 27001/27002, CMMi, COBIT).]
Controls Alignment
How aligned are your controls?
• Assessment (Information Security, IT Risk Management)
• Internal Audit (IT/Financial Audit)
• External Audit (Regulatory and Non-Regulatory)
Remediation Priorities
• Where are our greatest risks?
• What controls are we fulfilling?
• How many compliance requirements are we solving?
Improve and Automate
[Diagram: the risk and compliance management cycle, highlighting Improve Controls and Automate Process, which close the loop after Assessments, Audits and Treat Risks.]
Controls Hierarchy
Manual vs. Automated
• Manual: Require human intervention
• Automated: Rely on computers to reduce human intervention
Detective vs. Preventive
• Detective: Designed to search for and identify errors after they have occurred
• Preventive: Designed to discourage or preempt errors or irregularities from occurring
Automated and Preventive
Logging and Monitoring
• Not Efficient: Reviewing logs for incidents
• Efficient: An automated method of detecting incidents
• Not Effective: Missing the incident due to human error
• Effective: Preventing the incident from occurring in the first place
Automate the Process
• How do you currently measure compliance?
• Reduce documents, spreadsheets and other forms of manual measurement
• Create dashboard approach
• Governance, Risk and Compliance toolsets
GRC Automation
Enterprise
• Enterprise Scope
• Highly Configurable
• Multiple Functions (Risk, Compliance, Policy)
• Sophisticated Workflow
Multi-Function
• Functionality More Limited
• More “out of the box”
• Modest Workflow
Single Function
• Specific Process
• Specific Standard or Regulation
• Simple Workflow
Questions?
Evan Tegethoff
Director, Risk and Compliance Management
[email protected]