Agenda
• What is Compliance?
• Risk and Compliance Management
• What is a Framework?
• ISO 27001/27002 Overview
• Audit and Remediate
• Improve and Automate
What was Compliance?
What is Compliance?
• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management than it is about technology
Risk & Compliance Mgmt
(Diagram) Drivers: Partners/Customers, Regulations, Risk Assessment. Program: Control Framework, Policy and Awareness. Audit and remediate: Assessments, Audits, Treat Risks. Improve: Improve Controls, Automate Process.
Risk and Compliance Approaches
Minimal:
• Annual / Project-based Approach
• Minimal Repeatability
• Only Use Technologies Where Explicitly Prescribed in Standards and Regulations
• Minimal Automation
Sustainable:
• Proactive / Planned Approach
• Learning Year over Year
• Use Technologies to Reduce Human Factor
• Leverage Controls Automation Whenever Possible
Optimized:
• Regulatory Requirements are Mapped to Standards
• A Framework is in Place
• Compliance and Enterprise Risk Management are Aligned
• Process is Automated
Identify Drivers
(Diagram) Partners/Customers, Regulations, Risk Assessment
Identify Drivers
Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place. Managing compliance is fundamentally about managing risk.
Identify Drivers
• Risk Assessment
  – Identify unique risks and controls requirements
• Partners / Customers
  – Partners represent potential contractual risk
  – Customers present privacy concerns
• Regulations
  – Regulatory risk is considered as part of overall risk
Develop Program
(Diagram) Partners/Customers, Regulations, Risk Assessment feed into the Control Framework and Policy and Awareness
What is a Control?
Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
*Source: ITGI, COBIT 4.1
What is a Framework?
A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.
A framework is a structure upon which to build strategy, reach objectives and monitor performance.
Why use a framework?
• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements
Frameworks and Control Sets
• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific
  – e.g. PCI
• Custom
ISO 27001/27002
• Information Security Framework
• Requirements and guidelines for development of an ISMS (Information Security Management System)
• Risk Management a key component of ISMS
• Part of ISO 27000 Series of security standards
A Brief History of ISO 27001
(Timeline) BS 7799-1 Code of Practice; BS 7799-2 Specification, revised in 2002; adopted as international standard in 2005
A Brief History of ISO 27002
(Timeline) BS 7799-1 Code of Practice (Information Technology: Code of Practice for Information Security Management); adopted as international standard as ISO 17799 in 2000; revised in 2005; renumbered to 27002 in 2007. Parallel track: BS 7799-2 Specification, revised in 2002.
ISO 27001 and 27002
ISO 27001:
• Requirements
• Auditable
• Certification
ISO 27002:
• Best Practices
• More depth in controls guidance
Shared Control Objectives
ISO 27001 – Mgmt Framework
• Information Security Management Systems – Requirements (ISMS)
  – Process approach
• Understand organization’s information security requirements and the need to establish policy
• Implement and operate controls to manage risk, in context of business risk
• Monitor and review
• Continuous improvement
ISO 27001 (Plan-Do-Check-Act cycle)
• Plan: Establish ISMS
• Do: Implement and Operate ISMS
• Check: Monitor and Review ISMS
• Act: Maintain and Improve ISMS
ISO 27002 – Controls Framework
ISO 27002 Security Control Domains
Risk Assessment and Treatment
Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Building a Framework
(Diagram) The eleven ISO 27002 domains (Risk Assessment & Treatment, Security Policy, Organizing Information Security, Asset Management, Human Resources Security, Physical and Environmental Security, Communications and Operations Management, Access Control, IS Acquisition, Development and Maintenance, Information Security Incident Management, Business Continuity Management, Compliance) grouped as Operational, Technical and Management Controls around Protected Information.
ISO 27002: Code of Practice for Information Security Management
Practical Uses for Certification
• Regulatory Compliance: “Best Practice” approach to handling sensitive data and overall security program
• Internal Compliance: Implement security as an integrated part of the business and as a process
• Third Party Compliance: Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.
ISO 27000 Series of Standards
• ISO/IEC 27000:2009 - Overview and vocabulary
• ISO/IEC 27001:2005 - Requirements
• ISO/IEC 27002:2005 - Code of Practice
• ISO/IEC 27003 - ISMS Implementation Guidance*
• ISO/IEC 27004 - Measurement*
• ISO/IEC 27005:2008 - Risk Management
• ISO/IEC 27006:2007 - Auditor Requirements
• ISO/IEC 27007 - ISMS Audit Guidelines*
*In Development
Frameworks Comparison
Framework       | Strengths                                      | Focus
COBIT           | Strong mappings; Support of ISACA; Availability | IT Governance; Audit
ISO 27001/27002 | Global Acceptance; Certification               | Information Security Management System
ITIL            | IT Service Management; Certification           | IT Service Management
NIST 800-53     | Detailed, granular; Tiered controls; Free      | Information Systems; FISMA
Controls Mapping
(Diagram) One Framework of Controls onto which PCI, GLBA, SOX and Corporate Policy requirements are mapped
PCI Data Security Standard
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access…
Controls Mapping
(Diagram) Framework of Controls with PCI, GLBA, SOX and Corporate Policy mapped onto it
Controls Mapping
(Diagram) Framework of Controls with PCI, GLBA, SOX and Policy mapped onto it
Benefits:
• Alignment of corporate policy
• Custom interpretation of regulations
• Single assessment effort provides complete view
Logging and Monitoring
• PCI – Requirement 10
• ISO 17799 – Section 10.10
Audit and Remediate
(Diagram) Drivers: Partners/Customers, Regulations, Risk Assessment. Program: Control Framework, Policy and Awareness. Audit and remediate: Assessments, Audits, Treat Risks.
Organization Example
• Internal Audit: COBIT
• IT Service Desk: ITIL
• Information Security: ISO 27001/27002
• Software Delivery: CMMi
Controls Alignment
How aligned are your controls?
(Diagram) Assessment (Information Security, IT Risk Management); Internal Audit (IT/Financial Audit); External Audit (Regulatory and Non-Regulatory)
Remediation Priorities
• Where are our greatest risks?
• What controls are we fulfilling?
• How many compliance requirements are we solving?
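The controls-mapping idea from the Controls Mapping slides (one framework of controls, each mapped to the PCI, GLBA, SOX and corporate policy requirements it satisfies, so a single assessment gives a complete view) worked through for the three Remediation Priorities questions, as an added Python example that is not code from the presentation. The FRAMEWORK and ASSESSMENT data are constructed sample values; only the PCI Requirement 10 / ISO 17799 Section 10.10 pairing is taken from the slides, and the GLBA/SOX references and POL-* policy IDs are placeholders.

```python
from collections import defaultdict

# Constructed sample framework of controls (illustrative, not from the slides). Each
# control maps to every external requirement it satisfies, so one assessment of the
# control answers all regulations at once. The PCI Requirement 10 <-> ISO 17799
# Section 10.10 pairing is the one the slides cite; the rest are placeholders.
FRAMEWORK = {
    "Logging and Monitoring": [("PCI", "10"), ("ISO 17799", "10.10"), ("Policy", "POL-LOG")],
    "Firewall Configuration": [("PCI", "1"), ("Policy", "POL-NET")],
    "No Vendor Defaults":     [("PCI", "2"), ("Policy", "POL-BUILD")],
    "Anti-Virus":             [("PCI", "5"), ("Policy", "POL-AV")],
    "Need-to-Know Access":    [("PCI", "7"), ("GLBA", "<ref>"), ("Policy", "POL-ACCESS")],
    "Unique User IDs":        [("PCI", "8"), ("SOX", "<ref>"), ("Policy", "POL-ACCESS")],
}

# Constructed result of one assessment pass: did the control pass, and the risk
# rating (1 low .. 5 high) the risk assessment assigned to a failure of it.
ASSESSMENT = {
    "Logging and Monitoring": {"passed": False, "risk": 5},
    "Firewall Configuration": {"passed": True,  "risk": 4},
    "No Vendor Defaults":     {"passed": False, "risk": 3},
    "Anti-Virus":             {"passed": True,  "risk": 2},
    "Need-to-Know Access":    {"passed": False, "risk": 5},
    "Unique User IDs":        {"passed": True,  "risk": 4},
}

def controls_by_requirement(framework):
    """Invert the mapping: requirement -> all controls that must pass for it."""
    index = defaultdict(list)
    for control, reqs in framework.items():
        for req in reqs:
            index[req].append(control)
    return index

def requirement_coverage(framework, assessment):
    """Per regulation: (requirements satisfied, requirements mapped). A requirement
    is satisfied only when every control mapped to it passed."""
    coverage = defaultdict(lambda: [0, 0])
    for (regulation, _ref), controls in controls_by_requirement(framework).items():
        coverage[regulation][1] += 1
        if all(assessment[c]["passed"] for c in controls):
            coverage[regulation][0] += 1
    return {reg: tuple(counts) for reg, counts in coverage.items()}

def remediation_priorities(framework, assessment):
    """Failing controls, highest risk first, then by how many requirements fixing
    the control would satisfy (greatest risk / most requirements solved first)."""
    failing = [c for c in framework if not assessment[c]["passed"]]
    return sorted(failing, key=lambda c: (-assessment[c]["risk"], -len(framework[c]), c))
```

Because POL-ACCESS is mapped to two controls, it stays unsatisfied while either control fails, which is why the coverage counts a requirement only when all of its controls pass.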
Improve and Automate
(Diagram) Drivers: Partners/Customers, Regulations, Risk Assessment. Program: Control Framework, Policy and Awareness. Audit and remediate: Assessments, Audits, Treat Risks. Improve: Improve Controls, Automate Process.
Controls Hierarchy
Manual vs. Automated
• Manual: Require human intervention
• Automated: Rely on computers to reduce human intervention
Detective vs. Preventive
• Detective: Designed to search for and identify errors after they have occurred
• Preventive: Designed to discourage or preempt errors or irregularities from occurring
Automated and Preventive: Logging and Monitoring
• Not Efficient: Reviewing logs for incidents
• Efficient: An automated method of detecting incidents
• Not Effective: Missing the incident due to human error
• Effective: Preventing the incident from occurring in the first place
Automate the Process
• How do you currently measure compliance?
• Reduce documents, spreadsheets and other forms of manual measurement
• Create dashboard approach
• Governance, Risk and Compliance toolsets
GRC Automation
Enterprise:
• Enterprise Scope
• Highly Configurable
• Multiple Functions (Risk, Compliance, Policy)
• Sophisticated Workflow
Multi-Function:
• Functionality More Limited
• More “out of the box”
• Modest Workflow
Single Function:
• Specific Process
• Specific Standard or Regulation
• Simple Workflow
Questions?
Evan Tegethoff
Director, Risk and Compliance Management
etegethoff@accuvant.com