
Agenda



Presentation Transcript


  1. Agenda • What is Compliance? • Risk and Compliance Management • What is a Framework? • ISO 27001/27002 Overview • Audit and Remediate • Improve and Automate

  2. What was Compliance? GLBA HIPAA PCI SB1386 FISMA NERC/FERC SOX FDA 21 CFR Part 11

  3. What is Compliance? • Compliance should be a program based on defined requirements • Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues • The program is embodied by a framework • Compliance is more about policy, process and risk management than it is about technology

  4. Risk & Compliance Mgmt (process diagram; elements: Regulations, Partners/Customers, Risk Assessment → Control Framework, Policy and Awareness → Assessments, Audits, Treat Risks → Automate Process, Improve Controls)

  5. Risk and Compliance Approaches

  6. Identify Drivers (diagram; highlighted elements: Regulations, Partners/Customers, Risk Assessment)

  7. Identify Drivers Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place. Managing compliance is fundamentally about managing risk.

  8. Identify Drivers
  • Risk Assessment – identify unique risks and control requirements
  • Partners / Customers – partners represent potential contractual risk; customers present privacy concerns
  • Regulations – regulatory risk is considered as part of overall risk

  9. Develop Program (diagram; highlighted elements: Regulations, Partners/Customers, Risk Assessment → Control Framework, Policy and Awareness)

  10. What is a Control? Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. *Source: ITGI, COBIT 4.1

  11. What is a Framework? A framework is a set of controls and/or guidance organized in categories, focused on a particular topic. A framework is a structure upon which to build strategy, reach objectives and monitor performance.

  12. Why use a framework? • Enable effective governance • Align with business goals • Standardize process and approach • Enable structured audit and/or assessment • Control cost • Comply with external requirements

  13. Frameworks and Control Sets • ISO 27001/27002 • COBIT • ITIL • NIST • Industry-specific – i.e. PCI • Custom

  14. ISO 27001/27002 • Information Security Framework • Requirements and guidelines for development of an ISMS (Information Security Management System) • Risk Management a key component of ISMS • Part of ISO 27000 Series of security standards

  15. A Brief History of ISO 27001 (timeline diagram)
  • BS 7799-1 Code of Practice
  • BS 7799-2 Specification – revised in 2002
  • Adopted as international standard ISO/IEC 27001 in 2005

  16. A Brief History of ISO 27002 (timeline diagram)
  • BS 7799-1 Code of Practice – Information Technology Code of Practice for Information Security Management
  • Adopted as international standard as ISO 17799 in 2000
  • Revised in 2005
  • Renumbered to ISO/IEC 27002 in 2007
  • (BS 7799-2 Specification – revised in 2002, shown on the parallel branch)

  17. ISO 27001 and 27002 (diagram: the two standards share control objectives)
  • ISO/IEC 27001 – Requirements; Auditable; Certification
  • ISO/IEC 27002 – Best Practices; More depth in controls guidance

  18. ISO 27001 – Mgmt Framework • Information Security Management Systems – Requirements (ISMS) • Process approach • Understand organization’s information security requirements and the need to establish policy • Implement and operate controls to manage risk, in context of business risk • Monitor and review • Continuous improvement

  19. ISO 27001 (Plan-Do-Check-Act cycle diagram)
  • Plan – Establish ISMS
  • Do – Implement and Operate ISMS
  • Check – Monitor and Review ISMS
  • Act – Maintain and Improve ISMS

  20. ISO 27002 – Controls Framework

  21. Building a Framework (diagram: Protected Information; ISO 27002: Code of Practice for Information Security Management)

  22. Practical Uses for Certification
  • Regulatory Compliance – “Best Practice” approach to handling sensitive data and overall security program
  • Internal Compliance – Implement security as an integrated part of the business and as a process
  • Third Party Compliance – Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.

  23. ISO 27000 Series of Standards
  • ISO/IEC 27000:2009 - Overview and vocabulary
  • ISO/IEC 27001:2005 - Requirements
  • ISO/IEC 27002:2005 - Code of Practice
  • ISO/IEC 27003 - ISMS Implementation Guidance*
  • ISO/IEC 27004 - Measurement*
  • ISO/IEC 27005:2008 - Risk Management
  • ISO/IEC 27006:2007 - Auditor Requirements
  • ISO/IEC 27007 - ISMS Audit Guidelines*
  *In Development

  24. Frameworks Comparison

  25. Controls Mapping (diagram: PCI, SOX and GLBA requirements map through Corporate Policy onto a single Framework of Controls)
  PCI Data Security Standard:
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need to know
  8. Assign a unique ID to each person with computer access…

  26. Controls Mapping (diagram: PCI, GLBA and SOX map to Policy / Corporate Policy, which maps to the Framework of Controls)

  27. Controls Mapping (diagram: PCI, GLBA, SOX → Policy → Framework of Controls) Benefits:
  • Alignment of corporate policy
  • Custom interpretation of regulations
  • Single assessment effort provides complete view

  28. Logging and Monitoring • PCI – Requirement 10 • ISO 17799 – Section 10.10

  29. Audit and Remediate (diagram; highlighted elements: Regulations, Partners/Customers, Risk Assessment → Control Framework, Policy and Awareness → Assessments, Audits, Treat Risks)

  30. Organization Example (diagram)
  • Software Delivery – CMMi
  • IT Service Desk – ITIL
  • Internal Audit – COBIT
  • Information Security – ISO 27001/27002

  31. Controls Alignment – How aligned are your controls?
  • Internal Audit (IT/Financial Audit)
  • External Audit (Regulatory and Non-Regulatory)
  • Assessment (Information Security, IT Risk Management)

  32. Remediation Priorities • Where are our greatest risks? • What controls are we fulfilling? • How many compliance requirements are we solving?
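The controls mapping of slides 25–27 and the remediation questions of slide 32 can be modelled directly: many regulatory requirements map onto one framework of controls, a single control assessment yields a compliance view for every regulation, and failing controls are ranked by risk times the number of requirements they block. This is an added example, not code from the presentation; the control ids, risk ratings, SOX/GLBA requirement names and assessment results are constructed, while the PCI requirement titles come from slides 25 and 28.

```python
"""Controls-mapping model: many regulatory requirements, one framework of controls."""
from collections import defaultdict

# Constructed mapping: regulation -> requirement -> framework controls that satisfy it.
# Control ids (NET-01 etc.) are hypothetical placeholders, not ISO 27002 clause numbers.
REQUIREMENT_MAP = {
    "PCI": {
        "PCI-1 firewall configuration": ["NET-01"],
        "PCI-2 no vendor-supplied defaults": ["CFG-01"],
        "PCI-3 protect stored data": ["CRY-01", "ACC-01"],
        "PCI-4 encrypt transmission": ["CRY-02"],
        "PCI-7 need-to-know access": ["ACC-01"],
        "PCI-8 unique IDs": ["IDM-01"],
        "PCI-10 logging and monitoring": ["LOG-01"],
    },
    "SOX": {  # constructed requirement names
        "SOX-A change control over financial systems": ["CFG-01", "LOG-01"],
        "SOX-B access to financial data": ["ACC-01", "IDM-01"],
    },
    "GLBA": {  # constructed requirement names
        "GLBA-A safeguard customer records": ["CRY-01", "ACC-01"],
        "GLBA-B monitor for unauthorized access": ["LOG-01"],
    },
}

# Constructed 1-5 risk rating of each control failing ("Where are our greatest risks?").
CONTROL_RISK = {"NET-01": 3, "CFG-01": 2, "CRY-01": 4, "CRY-02": 4,
                "ACC-01": 5, "IDM-01": 3, "LOG-01": 3}

# Constructed result of one assessment of the framework: control id -> passed?
ASSESSMENT = {"NET-01": True, "CFG-01": False, "CRY-01": True, "CRY-02": True,
              "ACC-01": False, "IDM-01": True, "LOG-01": False}


def requirement_status(assessment):
    """One control assessment -> satisfied/unsatisfied view for every regulation.
    A requirement is satisfied only when all controls mapped to it passed."""
    return {reg: {req: all(assessment.get(c, False) for c in ctls)
                  for req, ctls in reqs.items()}
            for reg, reqs in REQUIREMENT_MAP.items()}


def remediation_priorities(assessment):
    """Rank failing controls by risk * number of requirements they block.
    Returns [(control, risk, blocked_requirement_count)], highest priority first."""
    blocked = defaultdict(set)
    for reg, reqs in REQUIREMENT_MAP.items():
        for req, ctls in reqs.items():
            for c in ctls:
                if not assessment.get(c, False):
                    blocked[c].add((reg, req))
    ranked = sorted(blocked, key=lambda c: (-CONTROL_RISK[c] * len(blocked[c]), c))
    return [(c, CONTROL_RISK[c], len(blocked[c])) for c in ranked]
```

With the constructed assessment, the failing access control ACC-01 ranks first because it blocks four requirements across all three regulations, which is the "single assessment, complete view" benefit of slide 27.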

  33. Improve and Automate (diagram; all elements highlighted: Regulations, Partners/Customers, Risk Assessment → Control Framework, Policy and Awareness → Assessments, Audits, Treat Risks → Automate Process, Improve Controls)

  34. Controls Hierarchy
  • Manual vs. Automated – Manual controls require human intervention; automated controls rely on computers to reduce human intervention
  • Detective vs. Preventive – Detective controls are designed to search for and identify errors after they have occurred; preventive controls are designed to discourage or preempt errors or irregularities from occurring

  35. Automated and Preventive Logging and Monitoring (efficiency vs. effectiveness grid)
  • Not Efficient – Reviewing logs for incidents
  • Efficient – An automated method of detecting incidents
  • Not Effective – Missing the incident due to human error
  • Effective – Preventing the incident from occurring in the first place

  36. Automate the Process • How do you currently measure compliance? • Reduce documents, spreadsheets and other forms of manual measurement • Create dashboard approach • Governance, Risk and Compliance toolsets

  37. GRC Automation
  • Enterprise Scope • Highly Configurable • Multiple Functions (Risk, Compliance, Policy) • Sophisticated Workflow (Enterprise Multi-Function)
  • Functionality More Limited • More “out of the box” • Modest Workflow (Single Function)
  • Specific Process • Specific Standard or Regulation • Simple Workflow

  38. Questions? Evan Tegethoff Director, Risk and Compliance Management etegethoff@accuvant.com
