"Compliance: What It Is and Why It Matters to You" Panel: Moderator: Michele Iversen Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell
What is Compliance?
• Adhering to laws, regulations, standards, best practices, and contractual requirements (collectively referred to as “mandates”)
• Includes the PROCESS of becoming and remaining compliant
• An ongoing state of continuous improvement that requires discipline across the enterprise, over the business and product lifecycle
• Contributes to achieving risk management objectives:
  • Mechanism for controlling and managing risk
  • Protects nonpublic, sensitive information
  • Establishes standards for information security
  • Deters cybercriminals, including insiders
  • Holds corporate boards and senior executives accountable
Risk management has industry standards that cross industries and geographies; they can be quite complex!
Compliance Frameworks which have impact on IT and Security
Companies (Banking & Finance)
• Sarbanes-Oxley Act (SOX)
• National Automated Clearing House Association (NACHA) Electronic Payments Association
• Electronic Data Interchange (EDI)
• Payment Card Industry Data Security Standard (PCI DSS)
Federal Government
• Federal Information Security Management Act (FISMA)
• Federal Risk and Authorization Management Program (FedRAMP)
• FIPS Standards
• Common Criteria
• Security Technical Implementation Guides (STIGs)
• U.S. Rehabilitation Act & Section 508
• Communications Assistance for Law Enforcement Act (CALEA)
Health Care
• Health Insurance Portability and Accountability Act (HIPAA)
• HITECH
• Meaningful Use
• Health Level Seven International (HL7) Standards Development Organization
Privacy
• New York State Privacy Law
• California Privacy and Identity Management Law
• And other States!
• Europe and other countries
FISMA Overview
• Federal Information Security Management Act (FISMA)
• Federal law enacted in 2002 as Title III of the E-Government Act, which recognizes the importance of information security to the economic and national security interests of the U.S.
• Provides a framework for ensuring the effectiveness of information security controls over information resources supporting federal operations.
• Requires that agencies identify and provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
• States that the head of each agency is responsible for providing information security protections.
Enterprise-Wide Risk Management (National Institute of Standards and Technology)
• Multi-tiered Risk Management Approach
• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Information Security Architecture
• Flexible and Agile Implementation
• Threat Aware
Tiers, from strategic risk focus (top) to tactical risk focus (bottom):
• TIER 1: Organization (Governance)
• TIER 2: Mission / Business Process (Information and Information Flows)
• TIER 3: Information System (Environment of Operation)
Risk Management Framework (National Institute of Standards and Technology)
Security Life Cycle: SP 800-39; the overall process is defined in SP 800-37.
• Starting Point: CATEGORIZE Information System (FIPS 199 / SP 800-60). Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53). Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls (SP 800-70 / SP 800-160). Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A). Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
• AUTHORIZE Information System (SP 800-37). Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-137). Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
How long does the FISMA process take?
• The length of the FISMA compliance process is highly variable, depending on several factors such as:
  • The Security Category (FIPS 199 Low, Moderate, High)
  • The availability of resources with skills and spare time to manage the process
  • The current level of security controls
  • The total number of users in a project
  • The complexity of the computing environment
FedRAMP
• The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
• FedRAMP is mandatory for federal agency cloud deployments and service models at low- and moderate-risk impact levels.
• To initiate the process, a cloud service provider (CSP) or federal agency submits a completed FedRAMP request form and a Federal Information Processing Standards (FIPS) 199 worksheet to FedRAMP.
• The FedRAMP Joint Authorization Board reviews the risk posture of cloud systems and provides “provisional authorizations” based on the submitted security package.
FedRAMP Documentation Requirements (Authorization Package) 2 of 2
General Steps to Facilitate the Risk Management and Compliance Process
• Understand the mandates: both how your product meets the applicable compliance framework requirements and/or how your product helps your customer meet them.
• Identify and document your baseline state of compliance; develop a requirements traceability matrix as appropriate.
• Validate compliance through third-party audits; have documentation that you’re willing to share.
• Identify gaps and plan for remediation.