Presentation on theme: "Agenda What is Compliance? Risk and Compliance Management"— Presentation transcript:
Slide 1: Agenda
- What is Compliance?
- Risk and Compliance Management
- What is a Framework?
- ISO 27001/27002 Overview
- Audit and Remediate
- Improve and Automate
Slide 2: What was Compliance?
- GLBA
- HIPAA
- PCI
- SB1386
- FISMA
- NERC/FERC
- SOX
- FDA 21 CFR Part 11
Slide 3: What is Compliance?
- Compliance should be a program based on defined requirements
- Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
- The program is embodied by a framework
- Compliance is more about policy, process and risk management than it is about technology
Slide 4: Risk & Compliance Mgmt
[Diagram labels: Regulations; Control Framework; Partners/Customers; Risk Assessment; Policy and Awareness; Assessments; Audits; Treat Risks; Improve Controls; Automate Process]
Slide 5: Risk and Compliance Approaches
Minimal:
- Annual / Project-based Approach
- Minimal Repeatability
- Only Use Technologies Where Explicitly Prescribed in Standards and Regulations
- Minimal Automation
Sustainable:
- Proactive / Planned Approach
- Learning Year over Year
- Use Technologies to Reduce Human Factor
- Leverage Controls Automation Whenever Possible
Optimized:
- Regulatory Requirements are Mapped to Standards
- A Framework is in Place
- Compliance and Enterprise Risk Management are Aligned
- Process is Automated
Slide 7: Identify Drivers
- Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.
- Managing compliance is fundamentally about managing risk.
Slide 8: Identify Drivers
- Risk Assessment
  - Identify unique risks and controls requirements
- Partners / Customers
  - Partners represent potential contractual risk
  - Customers present privacy concerns
- Regulations – regulatory risk is considered as part of overall risk
Slide 9: Develop Program
[Diagram labels: Regulations; Control Framework; Partners/Customers; Policy and Awareness; Risk Assessment]
Slide 10: What is a Control?
Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.*
*Source: ITGI, COBIT 4.1
Slide 11: What is a Framework?
- A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.
- A framework is a structure upon which to build strategy, reach objectives and monitor performance.
Slide 12: Why use a framework?
- Enable effective governance
- Align with business goals
- Standardize process and approach
- Enable structured audit and/or assessment
- Control cost
- Comply with external requirements
Slide 13: Frameworks and Control Sets
- ISO 27001/27002
- COBIT
- ITIL
- NIST
- Industry-specific – i.e. PCI
- Custom
Slide 14: ISO 27001/27002
- Information Security Framework
- Requirements and guidelines for development of an ISMS (Information Security Management System)
- Risk Management a key component of ISMS
- Part of ISO Series of security standards
Slide 15: A Brief History of ISO 27001
[Timeline labels: BS Code of Practice; BS Specification; Revised in 2002; Adopted as international standard in 2005; ISO/IEC 27001]
Slide 16: A Brief History of ISO 27002
[Timeline labels: BS 7799-1 Code of Practice; BS 7799-2 Specification; Adopted as international standard as ISO in 2000; Revised in 2002; Revised in 2005; Renumbered to in 2007; ISO/IEC 27002, Information Technology, Code of Practice for Information Security Management]
Slide 17: ISO and 27002
- ISO 27001 (ISO/IEC 27001)
  - Requirements
  - Auditable
  - Certification
- Shared Control Objectives
- ISO 27002 (ISO/IEC 27002)
  - Best Practices
  - More depth in controls guidance
Slide 18: ISO – Mgmt Framework
- Information Security Management Systems – Requirements (ISMS)
- Process approach
  - Understand organization’s information security requirements and the need to establish policy
  - Implement and operate controls to manage risk, in context of business risk
  - Monitor and review
  - Continuous improvement
Slide 19: ISO 27001
[Plan / Do / Check / Act cycle diagram]
- Plan: Establish ISMS
- Do: Implement and Operate ISMS
- Check: Monitor and Review ISMS
- Act: Maintain and Improve ISMS
Slide 20: ISO 27002 – Controls Framework
ISO Security Control Domains:
- Risk Assessment and Treatment
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Slide 21: Building a Framework
[Diagram labels: Risk Assessment & Treatment; Security Policy; Organizing Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; IS Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance. Controls: Operational, Technical, Management. Protected Information.]
ISO 27002: Code of Practice for Information Security Management
Slide 22: Practical Uses for Certification
- Regulatory Compliance: “Best Practice” approach to handling sensitive data and overall security program
- Internal Compliance: Implement security as an integrated part of the business and as a process
- Third Party Compliance: Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.
Slide 23: ISO 27000 Series of Standards
- ISO/IEC 27000: Overview and vocabulary
- ISO/IEC 27001: Requirements
- ISO/IEC 27002: Code of Practice
- ISO/IEC ISMS Implementation Guidance*
- ISO/IEC Measurement*
- ISO/IEC 27005: Risk Management
- ISO/IEC 27006: Auditor Requirements
- ISO/IEC ISMS Audit Guidelines*
*In Development
Slide 24: Frameworks Comparison
- COBIT. Strengths: Strong mappings; Support of ISACA; Availability. Focus: IT Governance; Audit.
- ISO 27001/27002. Strengths: Global Acceptance; Certification. Focus: Information Security Management System.
- ITIL: IT Service Management.
- NIST. Strengths: Detailed, granular; Tiered controls; Free. Focus: Information Systems; FISMA.
Slide 25: Controls Mapping
PCI Data Security Standard:
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need to know
  8. Assign a unique ID to each person with computer access
  …
[Diagram labels: Corporate Policy; Framework of Controls; SOX; GLBA; PCI]
Slide 26: Controls Mapping
[Diagram labels: Corporate Policy; Framework of Controls; SOX; GLBA; PCI]
Slide 27: Controls Mapping
[Diagram labels: PCI; GLBA; SOX; Policy; Framework of Controls]
Benefits:
- Alignment of corporate policy
- Custom interpretation of regulations
- Single assessment effort provides complete view
Slide 28: Logging and Monitoring
- PCI – Requirement 10
- ISO – Section 10.10
Slide 29: Audit and Remediate
[Diagram labels: Regulations; Control Framework; Partners/Customers; Risk Assessment; Policy and Awareness; Assessments; Audits; Treat Risks]
Slide 30: Organization Example
- IT Service Desk: ITIL
- Information Security: ISO 27001/27002
- Software Delivery: CMMi
- Internal Audit: COBIT
Slide 31: Controls Alignment
How aligned are your controls?
- Assessment (Information Security, IT Risk Management)
- Internal Audit (IT/Financial Audit)
- External Audit (Regulatory and Non-Regulatory)
Slide 32: Remediation Priorities
- Where are our greatest risks?
- What controls are we fulfilling?
- How many compliance requirements are we solving?
Slide 33: Improve and Automate
[Diagram labels: Regulations; Control Framework; Partners/Customers; Risk Assessment; Policy and Awareness; Assessments; Audits; Treat Risks; Improve Controls; Automate Process]
Slide 34: Controls Hierarchy
- Manual vs. Automated
  - Manual: Require human intervention
  - Automated: Rely on computers to reduce human intervention
- Detective vs. Preventive
  - Detective: Designed to search for and identify errors after they have occurred
  - Preventive: Designed to discourage or preempt errors or irregularities from occurring
Slide 35: Automated and Preventive
Logging and Monitoring:
- Not Efficient: Reviewing logs for incidents
- Efficient: An automated method of detecting incidents
- Not Effective: Missing the incident due to human error
- Effective: Preventing the incident from occurring in the first place
Slide 36: Automate the Process
How do you currently measure compliance?
- Reduce documents, spreadsheets and other forms of manual measurement
- Create dashboard approach
- Governance, Risk and Compliance toolsets
Slide 37: GRC Automation
Enterprise:
- Enterprise Scope
- Highly Configurable
- Multiple Functions (Risk, Compliance, Policy)
- Sophisticated Workflow
Multi-Function:
- Functionality More Limited
- More “out of the box”
- Modest Workflow
Single Function:
- Specific Process
- Specific Standard or Regulation
- Simple Workflow
Slide 38: Questions?
Evan Tegethoff
Director, Risk and Compliance Management