Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda What is Compliance? Risk and Compliance Management What is a Framework? ISO 27001/27002 Overview Audit and Remediate Improve and Automate.

Similar presentations


Presentation on theme: "Agenda What is Compliance? Risk and Compliance Management What is a Framework? ISO 27001/27002 Overview Audit and Remediate Improve and Automate."— Presentation transcript:

1 Agenda What is Compliance? Risk and Compliance Management What is a Framework? ISO 27001/27002 Overview Audit and Remediate Improve and Automate

2 What was Compliance?

3 What is Compliance? Compliance should be a program based on defined requirements Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues The program is embodied by a framework Compliance is more about policy, process and risk management than it is about technology

4 Risk & Compliance Mgmt Partners/ Customers Regulations Control Framework Assessments Policy and Awareness Audits Treat Risks Improve Controls Automate Process Risk Assessment

5 Risk and Compliance Approaches MinimalSustainableOptimized Annual / Project-based Approach Minimal Repeatability Only Use Technologies Where Explicitly Prescribed in Standards and Regulations Minimal Automation Proactive / Planned Approach Learning Year over Year Use Technologies to Reduce Human Factor Leverage Controls Automation Whenever Possible Regulatory Requirements are Mapped to Standards A Framework is in Place Compliance and Enterprise Risk Management are Aligned Process is Automated

6 Identify Drivers Partners/ Customers Regulations Risk Assessment

7 Identify Drivers Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place. Managing compliance is fundamentally about managing risk.

8 Identify Drivers Risk Assessment –Identify unique risks and controls requirements Partners / Customers –Partners represent potential contractual risk –Customer present privacy concerns Regulations – regulatory risk is considered as part of overall risk

9 Develop Program Partners/ Customers Regulations Control Framework Policy and Awareness Risk Assessment

10 What is a Control? *Source: ITGI, COBIT 4.1 Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

11 What is a Framework? A framework is a set of controls and/or guidance organized in categories, focused on a particular topic. A framework is a structure upon which to build strategy, reach objectives and monitor performance.

12 Why use a framework? Enable effective governance Align with business goals Standardize process and approach Enable structured audit and/or assessment Control cost Comply with external requirements

13 Frameworks and Control Sets ISO 27001/27002 COBIT ITIL NIST Industry-specific – i.e. PCI Custom

14 ISO 27001/27002 Information Security Framework Requirements and guidelines for development of an ISMS (Information Security Management System) Risk Management a key component of ISMS Part of ISO Series of security standards

15 A Brief History of ISO BS Code of Practice Adopted as international standard in 2005 Revised in 2002 BS Specification

16 A Brief History of ISO BS Code of Practice Information Technology Code of Practice for Information Security Management Adopted as international standard as ISO in 2000 Revised in 2002 BS Specification Revised in 2005 Renumbered to in 2007

17 ISO and ISO Requirements Auditable Certification ISO Best Practices More depth in controls guidance Shared Control Objectives

18 ISO – Mgmt Framework Information Security Management Systems – Requirements (ISMS) –Process approach Understand organizations information security requirements and the need to establish policy Implement and operate controls to manage risk, in context of business risk Monitor and review Continuous improvement

19 ISO Plan Do Check Act Establish ISMS Implement and Operate ISMS Monitor and Review ISMS Maintain and Improve ISMS

20 ISO – Controls Framework ISO Security Control Domains Risk Assessment and Treatment Security Policy Organizing Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance

21 Building a Framework Risk Assessment & Treatment Security Policy Organizing Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control IS Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance Protected Information ISO 27002: Code of Practice for Information Security Management

22 Practical Uses for Certification Regulatory Compliance Internal Compliance Third Party Compliance Best Practice approach to handling sensitive data and overall security program Implement security as an integrated part of the business and as a process Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.

23 ISO Series of Standards ISO/IEC 27000: Overview and vocabulary ISO/IEC 27001: Requirements ISO/IEC 27002: Code of Practice ISO/IEC ISMS Implementation Guidance* ISO/IEC Measurement* ISO/IEC 27005: Risk Management ISO/IEC 27006: Auditor Requirements ISO/IEC ISMS Audit Guidelines* *In Development

24 Frameworks Comparison FrameworkStrengthsFocus COBITStrong mappings Support of ISACA Availability IT Governance Audit ISO 27001/27002 Global Acceptance Certification Information Security Management System ITILIT Service Management Certification IT Service Management NIST Detailed, granular Tiered controls Free Information Systems FISMA

25 Controls Mapping Framework of Controls PCI GLBA SOX PCI Corporate Policy PCI Data Security Standard 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need to know 8. Assign a unique ID to each person with computer access…

26 Controls Mapping Framework of Controls PCI GLBA SOX Corporate Policy GLBASOXPolicy

27 Controls Mapping Framework of Controls Benefits: Alignment of corporate policy Custom interpretation of regulations PCIGLBASOX Single assessment effort provides complete view Policy

28 Logging and Monitoring PCI – Requirement 10 ISO – Section 10.10

29 Audit and Remediate Partners/ Customers Regulations Control Framework Assessments Policy and Awareness Audits Treat Risks Risk Assessment

30 Organization Example Internal Audit COBIT ITIL IT Service Desk ISO 27001/27002 Information Security CMMi Software Delivery

31 Controls Alignment How aligned are your controls? Assessment (Information Security, IT Risk Management) Internal Audit (IT/Financial Audit) External Audit (Regulatory and Non-Regulatory)

32 Remediation Priorities Where are our greatest risks? What controls are we fulfilling? How many compliance requirements are we solving?

33 Improve and Automate Partners/ Customers Regulations Control Framework Assessments Policy and Awareness Audits Treat Risks Improve Controls Automate Process Risk Assessment

34 Controls Hierarchy Manual Require human intervention Vs. Automated Rely on computers to reduce human intervention Detective Preventive Designed to search for and identify errors after they have occurred Designed to discourage or preempt errors or irregularities from occurring Vs.

35 Automated and Preventive Logging and Monitoring Not Efficient Efficient Reviewing logs for incidents automated An automated method of detecting incidents Not EffectiveEffective Missing the incident due to human error Preventing Preventing the incident from occurring in the first place

36 Automate the Process How do you currently measure compliance? Reduce documents, spreadsheets and other forms of manual measurement Create dashboard approach Governance, Risk and Compliance toolsets

37 GRC Automation Enterprise Multi-Function Single Function Enterprise Scope Highly Configurable Multiple Functions (Risk, Compliance, Policy) Sophisticated Workflow Functionality More Limited More out of the box Modest Workflow Specific Process Specific Standard or Regulation Simple Workflow

38 Questions? Evan Tegethoff Director, Risk and Compliance Management


Download ppt "Agenda What is Compliance? Risk and Compliance Management What is a Framework? ISO 27001/27002 Overview Audit and Remediate Improve and Automate."

Similar presentations


Ads by Google