Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda What is Compliance? Risk and Compliance Management

Published byJoshua Matteson Modified over 10 years ago

Similar presentations

Presentation on theme: "Agenda What is Compliance? Risk and Compliance Management"— Presentation transcript:

1 Agenda What is Compliance? Risk and Compliance Management
What is a Framework? ISO 27001/27002 Overview Audit and Remediate Improve and Automate

2 What was Compliance? GLBA HIPAA PCI SB1386 FISMA NERC/FERC SOX
FDA 21 CFR Part 11

3 What is Compliance? Compliance should be a program based on defined requirements Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues The program is embodied by a framework Compliance is more about policy, process and risk management than it is about technology

4 Risk & Compliance Mgmt Regulations Control Framework Partners/
Customers Regulations Control Framework Assessments Policy and Awareness Audits Treat Risks Improve Controls Automate Process Risk Assessment

5 Risk and Compliance Approaches
Minimal Sustainable Optimized Annual / Project-based Approach Minimal Repeatability Only Use Technologies Where Explicitly Prescribed in Standards and Regulations Minimal Automation Proactive / Planned Approach Learning Year over Year Use Technologies to Reduce Human Factor Leverage Controls Automation Whenever Possible Regulatory Requirements are Mapped to Standards A Framework is in Place Compliance and Enterprise Risk Management are Aligned Process is Automated

6 Identify Drivers Partners/ Customers Regulations Risk Assessment

7 Managing compliance is fundamentally about managing risk.
Identify Drivers Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place. Managing compliance is fundamentally about managing risk.

8 Identify Drivers Risk Assessment Partners / Customers
Identify unique risks and controls requirements Partners / Customers Partners represent potential contractual risk Customer present privacy concerns Regulations – regulatory risk is considered as part of overall risk

9 Develop Program Regulations Control Framework Partners/ Customers
Policy and Awareness Risk Assessment

10 What is a Control? Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. *Source: ITGI, COBIT 4.1

11 What is a Framework? A framework is a set of controls and/or guidance organized in categories, focused on a particular topic. A framework is a structure upon which to build strategy, reach objectives and monitor performance.

12 Why use a framework? Enable effective governance
Align with business goals Standardize process and approach Enable structured audit and/or assessment Control cost Comply with external requirements

13 Frameworks and Control Sets
ISO 27001/27002 COBIT ITIL NIST Industry-specific – i.e. PCI Custom

14 ISO 27001/27002 Information Security Framework
Requirements and guidelines for development of an ISMS (Information Security Management System) Risk Management a key component of ISMS Part of ISO Series of security standards

15 Adopted as international standard in 2005
A Brief History of ISO 27001 BS Code of Practice BS Specification Adopted as international standard in 2005 ISO/IEC 27001 Revised in 2002

16 A Brief History of ISO 27002 BS 7799-1 Code of Practice BS 7799-2
Adopted as international standard as ISO in 2000 BS Code of Practice Revised in 2005 Renumbered to in 2007 ISO/IEC 27002 BS Specification Information Technology Code of Practice for Information Security Management Revised in 2002

17 Shared Control Objectives
ISO and 27002 ISO 27001 Requirements Auditable Certification ISO/IEC 27001 Shared Control Objectives ISO 27002 Best Practices More depth in controls guidance ISO/IEC 27002

18 ISO – Mgmt Framework Information Security Management Systems – Requirements (ISMS) Process approach Understand organization’s information security requirements and the need to establish policy Implement and operate controls to manage risk, in context of business risk Monitor and review Continuous improvement

19 ISO 27001 Plan Act Do Check Establish ISMS Maintain and Implement and
Improve ISMS Implement and Operate ISMS Act Do Monitor and Review ISMS Check

20 ISO 27002 – Controls Framework
ISO Security Control Domains Risk Assessment and Treatment Security Policy Organizing Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance

21 Protected Information
Building a Framework Assessment & Treatment Risk Security Policy Information Organizing Management Asset Resources Human Environmental Physical and Communications and Operations Control Access Development and Maintenance IS Acquisition, Security Incident Continuity Business Compliance Operational Controls Technical Management Protected Information ISO 27002: Code of Practice for Information Security Management

22 Practical Uses for Certification
Regulatory Compliance “Best Practice” approach to handling sensitive data and overall security program Internal Compliance Implement security as an integrated part of the business and as a process Third Party Compliance Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.

23 ISO 27000 Series of Standards
ISO/IEC 27000: Overview and vocabulary ISO/IEC 27001: Requirements ISO/IEC 27002: Code of Practice ISO/IEC ISMS Implementation Guidance* ISO/IEC Measurement* ISO/IEC 27005: Risk Management ISO/IEC 27006: Auditor Requirements ISO/IEC ISMS Audit Guidelines* *In Development

24 Frameworks Comparison
Strengths Focus COBIT Strong mappings Support of ISACA Availability IT Governance Audit ISO 27001/27002 Global Acceptance Certification Information Security Management System ITIL IT Service Management NIST Detailed, granular Tiered controls Free Information Systems FISMA

25 PCI Data Security Standard
Controls Mapping PCI PCI Data Security Standard 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need to know 8. Assign a unique ID to each person with computer access… Corporate Policy SOX Framework of Controls GLBA PCI

26 Controls Mapping Corporate Policy Framework of Controls SOX GLBA PCI

27 Controls Mapping Benefits: Alignment of corporate policy
PCI GLBA SOX Policy Benefits: Alignment of corporate policy Custom interpretation of regulations Framework of Controls Single assessment effort provides complete view

28 Logging and Monitoring
PCI – Requirement 10 ISO – Section 10.10

29 Audit and Remediate Regulations Control Framework Partners/ Customers
Assessments Policy and Awareness Audits Treat Risks Risk Assessment

30 Organization Example IT Service Desk Information Security
ITIL IT Service Desk ISO 27001/27002 Information Security CMMi Software Delivery Internal Audit COBIT

31 How aligned are your controls?
Controls Alignment How aligned are your controls? Assessment (Information Security, IT Risk Management) Internal Audit (IT/Financial Audit) External Audit (Regulatory and Non-Regulatory)

32 Remediation Priorities
Where are our greatest risks? What controls are we fulfilling? How many compliance requirements are we solving?

33 Improve and Automate Regulations Control Framework Partners/ Customers
Assessments Policy and Awareness Audits Treat Risks Improve Controls Automate Process Risk Assessment

34 Controls Hierarchy Vs. Vs. Manual Automated Detective Preventive
Require human intervention Vs. Rely on computers to reduce human intervention Detective Preventive Designed to search for and identify errors after they have occurred Designed to discourage or preempt errors or irregularities from occurring Vs.

35 Automated and Preventive
Logging and Monitoring Not Efficient Efficient Reviewing logs for incidents An automated method of detecting incidents Not Effective Effective Missing the incident due to human error Preventing the incident from occurring in the first place

36 Automate the Process How do you currently measure compliance?
Reduce documents, spreadsheets and other forms of manual measurement Create dashboard approach Governance, Risk and Compliance toolsets

37 GRC Automation Enterprise Multi-Function Single Function
Enterprise Scope Highly Configurable Multiple Functions (Risk, Compliance, Policy) Sophisticated Workflow Enterprise Multi-Function Functionality More Limited More “out of the box” Modest Workflow Single Function Specific Process Specific Standard or Regulation Simple Workflow

38 Director, Risk and Compliance Management
Questions? Evan Tegethoff Director, Risk and Compliance Management

Download ppt "Agenda What is Compliance? Risk and Compliance Management"

Similar presentations

Security Frameworks Robert M. Slade, MSc, CISSP

Security Frameworks Robert M. Slade, MSc, CISSP
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
2 3 Global Foundation Services Security Global Delivery Sustainability Infrastructure.

2 3 Global Foundation Services Security Global Delivery Sustainability Infrastructure.
Developing a Risk-Based Information Security Program

Developing a Risk-Based Information Security Program
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Presentation by Rachel Su’a

Presentation by Rachel Su’a
Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.

Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.
Introduction to ISO and the 27x extended range standards

Introduction to ISO and the 27x extended range standards
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
© 2006 Industry Direct Ltd. All Rights Reserved. 1 This entire 21 screen presentation is copyright IDL 2006 all rights reserved & no reproduction or presentation.

© 2006 Industry Direct Ltd. All Rights Reserved. 1 This entire 21 screen presentation is copyright IDL 2006 all rights reserved & no reproduction or presentation.
Security Controls – What Works

Security Controls – What Works
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”

1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Similar presentations

Ads by Google