530 likes | 635 Views
Risk Management: How to Comply with Everything. July 11, 2013. Introduction. Chris Cronin Principal Consultant, Halock Security Labs GCIH, ISO 27001 Auditor Recent GSNA Gold 15+ years experience IT operations, audit, consulting and incident response. What You Will Learn.
E N D
Risk Management:How to Comply with Everything July 11, 2013
Introduction • Chris Cronin • Principal Consultant, Halock Security Labs • GCIH, ISO 27001 Auditor • Recent GSNA Gold • 15+ years experience IT operations, audit, consulting and incident response
What You Will Learn Finding the Investment Sweet Spot How much security does the organization really need? On Common Ground Meeting the agendas of the Executive Suite Ease Their PainConflict-free audits Ask and You Shall Receive Bullet proof risk treatment planning & approvals How to Comply with Everything Why risk management is the compliance keystone
Presentation Layout • What is risk management? Who benefits? • How to bust the myths.
Risk Risk = Likelihood x Impact
Risk Management in Regulations • HIPAA Security Rule • “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information...” • “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…” • “Security measures implemented to comply with standards and implementation specifications …mustbe reviewedandmodifiedas needed to continue provision of reasonable and appropriate protection of [EPHI]”
Risk Management in Regulations • HIPAA Security Rule • “Conduct an accurate and thorough assessmentof the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information...” • “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…” • “Security measures implemented to comply with standards and implementation specifications …mustbe reviewed andmodifiedas needed to continue provision of reasonable and appropriate protection of [EPHI]”
Risk Management in Regulations • Massachusetts 201 CMR 17.00 • “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program” • “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information…” • “…evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”
Risk Management in Regulations • Massachusetts 201 CMR 17.00 • “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program” • “Identifying and assessing reasonably foreseeable internal and external risksto the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information…” • “…evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”
Components of Risk Management Risk Management Oversight Assessment Propose Controls Implement Controls Test Effectiveness Identity Risks Improve Ineffective Controls
Information Risk Management: The Standard of Care • Required by laws and regulations • SOX (Audit Standard 5) • HIPAA Security Rule / Meaningful Use • Massachusetts 201 CMR 17.00 • Gramm Leach Bliley • FISMA • Federal Trade Commission Rulings
Information Risk Management: The Standard of Care • Required by Security Standards • PCI DSS 2.0 • ISO 27001/ISO 27002 • CobiT • NIST Special Publications
A Real-Life Case Study • An organization that needed to improve their information compliance and security program • Multiple roles that each had something at stake • Multiple regulations apply to them
Whose Jobs are Getting Easier With Risk Management? • Chief Information Security Officer • Chief Financial Officer • Auditor • General Counsel • Chief Information Officer • IT Staff
Their Risk Calculations • Risk = Likelihood x Impact • Likelihood values: 1-5 • Impact values: 1-5 • Risk rating range: 1-25 • Acceptable Risk = Below 8
Lesson 1: Finding the Investment Sweet Spot • Risk: • Local administrator passwords on end-user systems are identical. They allow a “pass-the-hash” breach. • Roles: • CIO: Needs to balance business and compliance requirements • IT Staff: Need an easy way to support desktops • CISO: Needs to be sure requirements are met • General Counsel: Needs to balance business and compliance while addressing liability
Lesson 2: Finding Common Ground • Risk: • Lack of secure web application coding practices have created vulnerable applications. • Roles: • CIO: Needs to balance demands for new secure applications with many other demands • CFO: Needs controlled applications for financial reporting. Needs to control costs. • CISO: Needs to be sure requirements are met • General Counsel: Needs to balance business and compliance while addressing liability
Lesson 3: Ease Their Pain • Risk: • Client auditor demanding “hard tokens” rather than “soft tokens” for two-factor authentication. • Roles: • Auditor: Needs to demonstrate whether controls are met (while maintaining independence) • CIO: Needs to respond truthfully to auditor (while balancing business with compliance) • CISO: Needs to ensure compliance
Lesson 4: Ask and You Shall Receive If you ask for something that reduces a risk to the mission of the organization, and the cost is reasonable for reducing the impact … then you will get it.
“We need actuarial tables” Actuarial tables are not used for risk assessments! Information risk assessments are standard, straight-forward processes. They require no statistical skills.
“We can’t predict the future” Risk assessments are not intended to be predictions, but should be “due care” considerations of what could go wrong.
“Risk assessments take too much time” Because risk assessments help determine reasonable control levels, less time and cost is invested to get compliant Risk management reduces liability even before full compliance is met.
“Reasonable means ‘what our competitors do.’” You don’t know what your competitors do. The regulations and statutes tell you to arrive at “reasonable and appropriate” using risk analysis