Presentation on theme: "Regulatory Compliance and You"— Presentation transcript:
1Regulatory Compliance and You Who put all these regulations on me?What is a person to do?Where do I go from here?When did this get so complicated?Why do I have to do this?How Many Federal Regulations are There? According to the Office of the Federal Register, in 1998, the Code of Federal Regulations (CFR), the official listing of all regulations in effect, contained a total of 134,723 pages in 201 volumes that claimed 19 feet of shelf space. In 1970, the CFR totaled only 54,834 pages.The General Accountability Office (GAO) reports that in the four fiscal years from 1996 to 1999, a total of 15,286 new federal regulations went into effect. Ok, that’s Federal Regulations. Now for state…….. contractual, business regulations….So tell me how large is your compliance staff? And naturally these regulations are never updated or overturned or augmented…. It’s a wonder any work can get done…. Hi my name….
3Overview Control Standards Frameworks Regulations Measurement Bringing it all togetherToday we are going to try to make some sense of some of the regulations that you need to followHow to figure out where you are atHow to find out where you need to beHow to measure your progressHow to pull it all togetherAnd how to make this process repeatable
4Control Standards ISO 27001 CoBIT ITIL FISMA NIST CIS-Center for Internet SecurityAES-Advanced Encryption StandardBasel IISECFFIECCISFDCCCOSOSANSBS 1799Today we have so many controls that any business needs to follow. Whether you work in banking, education, manufacturing, healthcare..Doesn’t seem to matter what you do, where you work, there are always several regulations that need to be followed.Heck, I have a friend who is an auctioneer. He sells tack and horses at auction. Because he takes credit cards and deals with the public, he must deal with PCI.e needs to be aware of GLBA, he needs to be aware of privacy laws.Are you kidding me?
5Regulations HIPAA SOX 404/302 PCI-DSS Title IV GLBA US Patriot Act FLSACan SpamFERPARed FlagsHiTECHACHNACHAPII LawsSafe HarborCOPAHIPAA – Healthcare, GLBA-information privacy, PII – personal information,Can Spam – limit on how many s 1 entity can send out. What if you are an emarketing company?Do you handle credit cards? Then you need to deal with PCI-DSS.Do you write software that handles credit cards? Then you need to worry about PCI-PA requirements. You also need to worry about OWASP top 10 standards. It is endless….
6FrameworksArmed robbery, eh? I’m in for being out of compliance with Federal Guidelines.
7ISO 2700*Formally known as ISO/IEC 27001: Information technologySecurity techniquesInformation security management systems – ISMSRequirements, is an information security management system standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is derived from British standard 1799, and for that reason the standard is frequently cited as ISO It is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which delineates security control objectives and recommends a range of specific security controls.Adopt an all encompassing management process to ensure all information security controls meet info security needs on an ongoing basis.ISO 2700 is an ISMS – Information Security Management System – a management system that is intended to bring information security under management control.Most organizations have a number of information security controls.Without an ISMS however, the controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention.Maturity models typically refer to this stage as "ad hoc".The security controls in operation typically address certain aspects of IT or data security, specifically, leaving non-IT information assets less well protected. ISO 2700 requires that management:Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts;Design and implement a coherent and comprehensive suite of information security controls (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; andAdopt an all encompassing management process to ensure that the information security controls continue to meet the information security needs on an ongoing basis.
8FISMA-NISTThe Federal Information Security Management Act of 2002 (FISMA) is a Federal law enacted in 2002 as Title III of the E-Government Act of The act was designed to bolster computer and network security within the federal government and affiliated parties (such as recipients of Federal monies and government contractors) by mandating yearly information security audits.FISMA establishes:_ Standards for categorizing information and information systems by mission impact_ Standards for minimum security requirements for information and information systems_ Guidance for selecting appropriate security controls for information systems_Guidance for assessing security controls in information systems_Guidance for security authorization of information systems_Guidance for monitoring the security controls and security authorization of systemsFederal Information Security Management Act (FISMA) is the government’s answer:To promote the development of key security standards and guidelines and to implement and comply with the Federal Information Security Management Act which includes:Standards for categorizing information and information systems by business impactStandards for minimum security requirements for data and information systemsGuidance for selecting appropriate security controlsGuidance for assessing security controls and their effectivenessGuidance for the security authorization of the systemsGuidance for monitoring the security controls and the security authorization of information systems
9NIST ReferencesNIST publications include the following key security-related documents:FIPS Publication 199, Standards for Security Categorization of Federal Information and Information SystemFIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information SystemsNIST Special Publication , Risk Management Guide for Information Technology SystemsNIST Special Publication , Guide for the Security Certification and Accreditation of Federal Information SystemsNIST Special Publication Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle ApproachNIST Special Publication , NIST Risk Management FrameworkNIST Special Publication Revision 2, Recommended Security Controls for Federal Information SystemsNIST Special Publication A, Guide for Assessing the Security Controls in Federal Information SystemsNIST Special Publication , Guide for Identifying an Information System as a National Security SystemNIST Special Publication , Revision 1, Guide for Mapping Types of Information and Information Systems to Security CategoriesHere are a few of the highlighted NIST standards that you may be more familiar with, relevant to this talk.You will receive a copy of this presentation so that you can use it as a reference.
10Payment Card Industry Data Security Standard PCI-DSSPayment Card Industry Data Security StandardPCI DSS is a worldwide security standard established through the Security Standards Council (SSC) in 2006 by:American ExpressDiscover Financial ServicesJCB InternationalMasterCard WorldwideVisaThe PCI security standards are technical and operational requirements placed on organizational entities that process card payments to prevent credit card fraud, and hacking and mitigate other security vulnerabilities/threats.The standards apply to all organizations that store, process or transmit cardholder data, which obviously includes an increasingly larger number of state agencies transacting with businesses, with citizens, and with other government entities.Ok, so I am not sure if I should put PCI-DSS as a regulation or as a framework. It is a contractual regulation, however it also provides somesort of a framework. So we will talk about it now….. PCI DSS version 2.0 is the data security standard that any business of any size must adhere to in order to accept payment cards.This means that if you store, process, or transmit cardholder data.It presents steps that mirror best security practices.But does not always give you a full explanation on exactly what is needed.But if you are not compliant, there are consequences:Compromised data negatively affects consumers, merchants, and financial institutionsJust one incident can severely damage your reputation and your ability to conduct business effectively, for a very long timeAccount data breaches can lead to loss of sales, relationships and depressed share price if you are publically tradedPossible negative consequences also include:LawsuitsInsurance claimsCancelled accountsPayment card issuer finesGovernment fines
11PCI-DSSThe following are the six primary control areas comprising the Payment Card Industry security standard:Build and Maintain a Secure NetworkProtect Cardholder DataMaintain a Vulnerability Management ProgramImplement Strong Access Control MeasuresRegularly Monitor and Test NetworksMaintain an Information Security PolicyThe standard includes 12 requirements which roll-up to these 6 primary controls for any business that stores, processes or transmits payment cardholder data.These requirements specify the framework for a secure payments environment;Their methodology is basically 3 steps: Assess, Remediate and Report.To Assess is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data.To Remediate is the process of fixing those vulnerabilities.To Report entails compiling records required by PCI DSS to validate remediation and submitting compliance reports to the processing bank and global payment brands you do business with.Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements.
12CoBITControl Objectives for Information and related Technology, COBIT, is an open, international standard originally published in 1996 by the IT Governance Institute and the Information Systems Audit and ControlAssociation (ISACA). COBIT is a set of best practices for information technology designed to provide managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices. It assists in maximizing the benefits derived through the use of information technology and develops appropriate IT governance and control for private-sector companies or public agencies.The COBIT Framework is organized into four domains, thirty-four high-level control objectives, and 318 detailed control objectives. The framework follows a general plan-do-check-act structure.CoBIT is a framework and toolset for IT governance and control that allows you to bridge the gap between control environments, technical issues and business risks.CoBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment between the business and IT.
13Scheduled to release in 2012, COBIT 5 will consolidate and integrate the COBIT 4.1, Val IT 2.0 and Risk IT frameworks and also draw significantly from the Business Model for Information Security (BMIS) and ITAF
14CoBIT Plan and Organize Acquire and Implement Deliver and Support Monitor and EvaluateCoBIT 4. has 4 specific areas that it addresses. After 15 years it has not changed very much.Each of the areas then divided further by requirements. We are delving into CoBIT a bit so that you can see the breadth of a framework and how large it actually is.You need to take into account IT, as well as the business.Neither group in today’s market can succeed without the support of the other.Strategic planning must align in order for the business to succeed.
15CoBIT-Plan and Organize P01 Define a strategic IT plan.P02 Define the information architecture.P03 Determine technological direction.P04 Define the IT processes, organization, and relationships.P05 Manage the IT investment.P06 Communicate management aims and direction.P07 Manage IT human resources.P08 Manage quality.P09 Assess and manage IT risks.P10 Manage projectsThe Plan and Organize section addresses mainly the management aspects of an organization. It covers everything from budget, strategic planning to managing projects.
16CoBIT-Acquire and Implement AI1 Identify automated solutions.AI2 Acquire and maintain application software.AI3 Acquire and maintain technology infrastructure.AI4 Enable operation and use.AI5 Procure IT resources.AI6 Manage changes.AI7 Install and accredit solutions and changesThe next vital step in an organization is to acquire: solutions, hardware, infrastructure and then implement them.Again CoBIT is a full soup to nuts type of framework that many companies choose to use because of the balancing between business and IT.COSO which was the initial financial review process has broadened to CoBIT to take into consideration the IT controls around the financial controls.
17CoBIT Deliver and Support DS1 Define and manage service levels.DS2 Manage third-party services.DS3 Manage performance and capacity.DS4 Ensure continuous service.DS5 Ensure systems security.DS6 Identify and allocate costs.DS7 Educate and train users.DS8 Manage service desk and incidents.DS9 Manage the configuration.DS10 Manage problems.DS11 Manage Data.DS12 Manage the physical environment.DS13 Manage operationsDelivery is a very important part of the infrastructure, you need to be able to deliver your goods to support the business.You also need to have control over your projects and have a plan in place to keep the business moving forward incase something bad happens.And needless to say that once you deliver a product/project you then need to support your efforts and then measure them.
18CoBIT Monitor and Evaluate ME1 Monitor and evaluate IT performance.ME2 Monitor and evaluate internal control.ME3 Ensure regulatory compliance.ME4 Provide IT governanceNaturally, you need to monitor the processes that you have in place as well as to evaluate the effectiveness of the decisions made.At this point you would also have a lessons learned as part of your evaluation to make sure that you did not leave anything out and if you did that you pick it up on your next go around.This is a circular process. In that it is ever evolving and progressing. It should never stop. As one process retires a new improved process needs to emerge in order to grow and change with your business.In today’s business world the need to change faster and effectively will keep you on your toes.Your methodology needs to be modular enough to keep up with the pace of business and is what gives you the competitive edge.If your methodologies are stagnant or overbearing your ability to compete in today’s ever-changing markets will put you right behind the 8ball and out of market contention. You need to be modular, efficient, open to change, re-evaluation, continuously learning evolving your business, if you don’t someone else will…..
19Regulations I’ve been here for so long I don’t remember what I did, but it had something to do with non-compliance.
20SAS-70Statement on Auditing Standards No. 70 (SAS-70), Service Organizations, is an auditing standard created by the American Institute of Certified Public Accountants (AICPA) in SAS 70 defines standards used by auditors to assess the internal controls of service organizations and prepare service auditor’s reports. Service organizations are entities providing services that impact the control environment of their customers.Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.A SAS-70 is a widely recognized auditing standard developed by the AICPA for service organizations.It basically tests the operational effectiveness of controls deemed important to an organization.The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.
21SAS-70Auditors follow AICPA standards for fieldwork, quality control and reporting and issue a formal report to the service provider that includes the auditor’s opinion once the audit is completed.SAS-70 audits consist of two types. A Type I audit assesses the service organization’s description of controls placed in operation and the suitability of the design of the controls to achieve the specified control objectives, as the latter are defined by the service provider. A Type II service auditor’s report includes the information contained in a Type I service auditor’s report and also includes the service auditor’s opinion on whether the specific controls were operating effectively during the period under review.Recently replaced by SSAE-16 – 6/2011- more of an international presence, broadly accepted in accordance to ISAE 3402.Ahhhh the SAS-70…. There are 2 types of SAS-70’s. A Type I report is only issued for a particular date. For example, a CPA firm would examine the controls and report on the "controls placed in operation" for a specified point in time.A fair amount of criticism of SAS 70 Type I audits has centered around it’s limited testing period, which many feel is inadequate to gain a sufficient understanding of a service organization’s control environment.As such, Type II audits are considered the viable choice, and they too have fallen under criticism for various reasons.Type I audits are beneficial in many ways, such as laying the framework and foundation for subsequent Type II audits, along with giving the service organization an understanding of expectations and time commitments for regulatory compliance auditing.Please note that completing consecutive Type I audits are typically rare, does not suffice for Section 404 of the Sarbanes-Oxley Act of 2002, and ultimately does not provide user organizations with the assurances they are seeking.Performing a SAS 70 Type I audit is a structured, multi-step process, which includes a number of predefined processes and procedures that must take place to ensure its successful and timely completion.Generally, successfully completing a SAS 70 Type I and then moving towards Type II compliance after that has been found to be the best purpose of a Type IBut alas, the SAS-70 has been replaced by the SSAE-16. SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70.The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE The adjustments made from SAS 70 to SSAE 16 will help you compete on an international level.
22HIPAAThe Health Insurance Portability and Accountability Act (HIPAA) was enacted by the Federal government in 1996.Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers, with the overall goals of protecting the privacy and security of health information and promoting the efficiency of the health care industry through use of standardized electronic transactions.Requires covered entities to protect the privacy and security of an individual’s health information.HIPAA – 1996 – Required covered entities to protect the privacy and security if individuals health information.
23HIPAAHIPAA’s Security Rule covers health plans, healthcare clearinghouses, and healthcare providers. Health plans are defined as any individual or group plan that provides or pays the cost of health care, which includes the Medicare and Medicaid programs operated at the state and federal levels.The Rule establishes three types of security safeguards required for compliance: administrative, physical, and technical.For each of these types, various security standards are identified, and for each standard, both required and addressable implementation specifications are delineated.The rule includes eighteen standards that cover thirty-six implementation specifications.HIPAA has 2 rules. The privacy Rule and the security rule which covers health plans, clearing houses and health providers.The Rule establishes 3 types of security safeguards.Administrative, physical and technical.The rule has 18 standards that cover 36 implementation specifications.
24HIPAARequired specifications must be adopted and administered as dictated by the rule. Addressable specifications are more flexible. The Centers for Medicare and Medicaid Services defines the following steps for complying with the Security Rule: Assess current security, risks, and gapsDevelop an implementation planReview the Security Rule standards and specificationsReview addressable implementation specificationsDetermine security measuresImplement solutionsDocument decisionsReassess periodically The security rule required covered entities to be in compliance with the rule no later than April 2005, though smaller health plans were given an additional year to comply.In April of 2005 covered entities to comply with these rules.The steps include: assess your current security risks, develop your implementation plan – remember to put timeframes around them; review the security rule standard to make sure you are meeting your requirements, review implementation specifications – incase something that you are implementing affects other entities within your infrastructure, determine how you are going to measure your success against your own policies, begin to implement your solutions,Don’t forget to document decisions made along the way, an auditor will probably ask why you did something and you will need to tell them, if you don’t write it down, I can pretty much guarantee that you won’t remember why you did it or changed it, then again measure your success and reassess your progress to make sure that things have not changed.
25HIPAA(“Privacy Rule”) establishes, a set of national standards that address the use and disclosure of individuals’ health information—called PHI (Personal Health Information) by organizations called “covered entities” as well as standards for individuals privacy rights to understand and control how their health information is used. Thank you OCR (Office of Civil Rights)A major goal of the Privacy Rule is to assure that PHI is properly protected while permitting appropriate uses of the information protecting the privacy of the individual.The second part of HIPAA is the privacy rule. The major goal of the privacy rule is to protect PHI (personal health information). How your data is collected, how your data is used, how your data is protected and how your data is destroyed.
26HIPAAHIPAA was passed in 1996, it wasn’t until 2/4/2011 the first HIPAA violation occurred and resulted in a $4.3 m fine to Maryland healthcare provider Cignet for the failure to provide 41 patients with copies of their medical records. HIPAA did not have teeth until HiTech came along and provided enforcement and penalties. HIPAA was passed in 1996, however, did not have momentum for enforcement and defined penalties until 2009 when HiTech was passed.Are you kidding me, let’s create yet another requirement and tell people they need to implement it, spend millions of dollars to follow the standard and wait oh say 12+ years to be taken seriously.Cignet was the healthcare provider that was widely publicized for not complying with HIPAA.They not only stalled in cooperating with the OCR, when requested to provide evidence (which took them 2 years to come up with) they provided 59 boxes of medical records including 11 individuals from the OCR itself, (of people who were not even in the discovery phase of the lawsuit) further displaying their mishandling of the health records.All stemming from 41 patients putting in complaints about not receiving their health records. That brings up the conversation on data retention and data destruction, but that is for another discussion.
27FERPAThe Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.Schools or public agencies that receive student data may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.However, schools or agencies must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA.Education records must not be disclosed and must be protected.FERPA is a regulation on student education records. It breaks down student records into 2 different type of records. Student education records and directory information.It protects student records, who should have access to what data and how the data is to be used.……
28SOXThe Sarbanes-Oxley Act (SOX) was enacted by the Federal government in 2002 in response to a number of major corporate and accounting scandals, most prominently that of the Enron Corporation.SOX establishes new, enhanced standards for all U.S. public companies, and though as such it is not directed at government, it has nonetheless had a significant impact on internal accounting controls in public agencies through its focus on management oversight of how fiscal information within agencies is created, accessed, stored, processed, and transmitted within automated as well as manual record systems.Then there is the ever so famous - Sarbanes Oxley Act of 2002 – Thank you Senator Paul Sarbanes (MD) and Representative Michael Oxley (OH)The bill was enacted as a reaction to several corporate and accounting scandals. Costing investors billions.Remember Enron?????SOX is a measurement of 11 titles which include: auditor independence, corporate governance, internal control assessments and financial disclosures.Any publically traded company must undergo a yearly SOX audit.External auditors must render an opinion on operating effectiveness of the companies financial controls.
29SOX Among the Act’s principal reforms are these elements: _ Creation of an independent public company accounting oversight board_ A heightened level of corporate governance and responsibility measures_ Expanded corporate, financial, and insider disclosure requirements, and_ A range of new penalties for fraud and other violations.Although you are required as a publicly traded company to execute and pass a SOX audit. Today many companies choose to evaluate themselves using the SOX criteria, which isn’t a bad idea it gives you a baseline to follow.It is a standard and does contain a set of standards.And it does include IT and financial controls.
31As-Is Assessment Where do I start? _Come up with the Plan _Assessment What regulations do I need to follow? Where am I today? Where are my gaps? What do I need to do? I need a plan. I need to get started. How do I start? What do I do? How do I do this?_Assessment_ Measurement_Identify Gaps_Plan of AttackWhere do I need to be to pass an audit_Work your plan_ Assessment_Measurement_ Identify Gaps_Readjust your planOk, so here is your project plan…… Don’t laugh it works….Remember this methodology is acicular, so you repeat….repeat….repeat….You refine and tweak as you go.It is never ending, always changing, very flexible and will work for any assessment.Just wish keeping up with the regulations was this easy. Ok, here we go…..
32Plan-ISMS Information Security Management System An information security management system (ISMS) is a set of policies concerned with information security management or IT related risks.The governing principle behind an ISMS is that an organization should design, implement and maintain a solid set of policies, processes and systems to manage risks, ensuring acceptable levels of information security risk.As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), approach:The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.The Do phase involves implementing and operating the controls.The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
33Assessment Getting Started _ Choose a tool-SANS, CMS, Big 4, NIST, ISO….OCTAVEOCTAVE® (Operationally Critical Threat, Asset, and Vulnerability EvaluationSM) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.OCTAVE MethodsThere are three OCTAVE methods:the original OCTAVE method, which forms the basis for the OCTAVE body of knowledgeOCTAVE-S, for smaller organizationsOCTAVE-Allegro, a streamlined approach for information security assessment and assuranceOCTAVE methods are founded on the OCTAVE criteria—a standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the fundamental principles and attributes of risk management that are used by the OCTAVE methods.Features and benefits of OCTAVE methodsThe OCTAVE methods areself-directed—Small teams of organizational personnel across business units and IT work together to address the security needs of the organization.flexible—Each method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level.evolved—OCTAVE moved the organization toward an operational risk-based view of security and addresses technology in a business context.First thing you need to do is choose a tool. There are many on the market, some that are provided at seminars or training vendors. You have SANS, CMS, Big 4, NIST, ISO or even CMU’s own OCTAVE……I am choosing OCTAVE, you can pick and choose which parts and pieces that fit into your environment and use only what you need to use.It is very modular and adaptable.Then you pull in some industry specific requirements, some security requirements that are relevant to your business and your off and running.
34CMMI ModelCapability Maturity Model Integration (CMMI) is a Process improvement approach whose goal is to help organizations improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organization.CMMI in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement. CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. According to the Software Engineering Institute (SEI, 2008), CMMI helps "integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes.”You also need a way to measure your risk within your organization.You need to know from your assessment where you are, and how to get to the next level.So you need another tool. Again there are many great tools out there from vendors, security seminars, industry standards and the like.I choose CMMI. It is easy to understand, flexible and gives you predefined measurements and guides on how to achieve the next level.Ok, roll up your sleeves…
35What’s a person to do?To benefit from the standards and guidelines, it is imperative that you:Understand the complexity of overlapping standardsSelect a foundational standard while expecting to reference others as neededStart the “as is” assessment to identify existing gapsIncorporate the standard by reference in your security architectureUnderstand related vertical standards and potential impacts on the enterprise as they evolveDevelop strong working relationships with internal and external auditorsMonitor, test, and quantify compliance levels, to ensure that standards and controls are working and effective (CMMI model already discussed)Work untiringly to educate your enterprise about the role of security standards and their own responsibilities under those standardsYou have some tools, you have a starting point, you have a test plan and you know what regulations you need to follow.You start with 16 million standards or controls that you need to adhere to.What you need to do is to create a matrix which across the top has all of the regulations that you need to follow.Make it simple, let’s start with 8, you can always add to it once you get started.Pick the top 8 regulations.Then down the left hand side of your matrix you put all of the controls that your particular company needs to follow.Using the regulations requirements as your guide.Don’t make it too complicated.Remember if you do not take credit cards you do not need to make sure that you have a PCI zone in your network. Leave it out.If you have last years audits laying around use those as your baseline too.Anyway, you place an “X” in the box for the control that you need to follow for that particular regulation. While creating this matrix you realize that many of these requirements are duplicated.Keep marking your “x’s” in the boxes for each control within each regulation.Once you have this matrix filled in, then you create yet another column called NewCo Best Practices. What is that? It is your companies Regulatory requirements baseline which includes all of the regulations/controls required to be followed by your company. From there you begin your initial assessment.You use this baseline of where you need to be at the end of your adventure.Now, you begin to assess each of these controls and measure using the CMMI model to where you feel you are in the assessment. You must do this for each control against your NewCo baseline.While you are interviewing or meeting with different departments communicate what you are trying to do. Also, don’t forget to tell them that once you have completed your assessment it will be much easier on them for any audit that comes along.You are building a repeatable process to improve the audit experience.
36Pulling “IT” All Together Control ActivityCoBITISO-2700ITILNewCo Best PracticesSOXGLBAPCI-DSSCMSHiTechCreate BackupsXPasswords must be 8 characters longConduct a yearly IT risk assessmentCentralized MonitoringSo let’s take a look at what I was describing to you. The benefit of this process is that no matter what audit you need to adhere to, your process has already been created and your company already adheres to it.If you evaluate passwords yearly, you only need to do that once or twice a year no matter what regulation you follow, so you have a policy that states that the password must be 8 characters long, you “review” this is true for your sampling and place it in a shared area, so that when the auditors need to do a password review, they see you have a repeatable process in place, they rely on your process and do not need to go back to every department every audit to do the same thing every time.You save the auditors time and also the technical admins time to do their real work.You will also be able to identify gaps in your processes, policies or controls before an auditor can write them up, so you can either have the gap identified and remediated or identified and a plan in place before the auditors can write-it-up as a finding.How great will that make your boss feel????Nobody likes audit findings, but no body like to do the same thing everytime the auditor asks. Face it we have more important things to do that repeat process multiple times for multiple audits.This process will cut down your IT staff times as well as make the auditors happy that some of their burden has been offset, by having a repeatable, documented formalized process.You need to measure once correctly and then document correctly.
37Measuring IT Create Backups – CMMI - 2 Passwords 8 characters long –CMMI - 3Yearly IT Risk Assessment – CMMI-2Centralized monitoring – CMMI-1So after your assessment you find out that your backups measure a CMMI level 2. What does that mean?
38MeasurementNo matter what control that you have, no matter what process you have, you can classify it into one of these levels.So you assess, measure, identify gaps, remediate, reassess, measure, identify gaps, remediate……Plan, do, check, act..All the while you move closer and closer to optimizing your processes, always refining, don’t forget, once you get to Level 5, the law or regulation is going to change, but you are ok, just adjust your matrix, and repeat your process.
39Pulling it Together Focus on Relevant Regulations Get Executive Buy-in Assemble the Right TeamDevelop Policies for ComplianceIdentify Common ControlsPerform a Gap AnalysisClassify your DataLook for the Quick WinsStart Small, Go BigEducate Users
40Useful WebsitesCMMI-PCI-DSS V https://www.pcisecuritystandards.org/security_standards/documents.phpCMS - https://www.cms.gov/home/regsguidance.aspHIPAA -HiTech -GLBA-FISMA -NIST – 800 series -CoBIT -OCTAVE -
41ConclusionQuestions?How long do we haveto get in Compliance?