Published by Celine Dallam. Modified about 1 year ago.
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential. 14854_10_2008_c1

Slide 1: Holistic Approach to Information Security
Greg Carter, Cisco Security Services Product Manager
Slide 2: Examining the Threat Landscape
(Chart; axis label: Risk. Source: www.privacyrights.org)
Slide 3: The Twin Information Security Challenges
How to manage both with limited resources?
- Information security threats
  - Rapidly evolving threats
  - Many distinct point solutions
  - How to best protect IT confidentiality, integrity, and availability
- Information security compliance obligations
  - Many separate but overlapping standards
  - Regulatory: SOX, HIPAA, GLBA, state and local
  - Industry: PCI, HITRUST
  - Customer: SAS70, ISO 27001
Slide 4: How Have These Information Security Challenges Evolved?
(Timeline diagram)
- 1990s: "What happened?"
  - Enterprise focus: IT Security
  - Enterprise response: Security products
- 2000s: "Is there an audit trail?"
  - Enterprise focus: IT Security, IT Compliance
  - Enterprise response: Siloed compliance and security programs
- Today and future: "How to manage risk?"
  - Enterprise focus: IT Security, IT Compliance, IT Risk
  - Enterprise response: Integrated compliance and security programs
Slide 5: Organizations Continue to Struggle: Addressing Information Security Threats and Compliance
- How to prioritize limited resources
- How to be most effective
- How to reduce the cost
Most organizations have addressed these challenges with siloed efforts, resulting in: high costs, fragmented teams, redundancies, unknown risks.
Slide 6: Solution: Address Information Security Challenges Through One Program
IT Governance, Risk Management, and Compliance (IT GRC)
- Risk Management: how to determine the likelihood and impact of business threats and use a systematic approach, based on the organization's risk tolerance, to prioritize resources to deal with those threats
- Governance: how we set policies to achieve our strategic objectives and address risk, and how we set up the organizational structures and processes to see that the policies are executed successfully
- Compliance: how we establish the controls needed to meet our governance objectives and how we validate the effectiveness of those controls
- Common Control Framework: a unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously
Slide 7: What Does It Mean to Address Information Security Through IT GRC?
(Diagram: a Common Control Framework at the center of an Implement, Operate, Monitor, Update cycle)
- Inputs: Risk Assessment (Asset Inventory, Threats, Vulnerabilities); Contractual Requirements; Company Vision and Strategy; Business Drivers; Regulations; Industry Standards; External Authority Documents; International Standards and Control Models
- Outcomes: Security, Compliance, Business Value
Slide 8: Value of the IT GRC Approach
IT GRC delivers dramatic business value. For companies with the most mature IT GRC programs (Source: IT Policy Compliance Group 2008):
- Revenue: 17% higher
- Profit: 14% higher
- Customer retention: 18% higher
- Audit costs: 50% lower
- Loss from loss of customer data: 96% lower
- Business disruptions from IT: 50x less likely
Maximize reduction in IT security risk with available resources:
- Risk-based, business-focused decisions and resource prioritization
- Raise visibility of comprehensive security posture
- Use internationally recognized best practices
Reduce cost of compliance:
- One set of controls to implement and manage
- One program to govern
- Many compliance standards addressed
Slide 9: Where Do I Start with IT GRC?
(Cycle diagram: Define, Assess, Remediate, Maintain, with "Identify and Prioritize Gaps" at the center)
- Define Common Control Framework: identify compliance obligations; asset inventory; evaluate threats and vulnerabilities; understand business requirements; risk assessment
- Assess Control Implementation for Presence and Effectiveness: policy controls; process controls; technical controls
- Remediate Control Gaps: define and publish policies; develop processes; deploy security technology solutions; train employees
- Maintain Controls and Framework: operate and monitor technical controls; maintain subscriptions; periodic assessments; evolve solutions as needed
Slide 10: Step One: Define Common Control Framework
- Inventory IT assets
- Identify threats, vulnerabilities, and associated controls
  - Best practices: ISO 27002
  - Compliance: PCI, SOX, HIPAA, GLBA, etc.
  - Business, legal, contractual
- Assess risk
- Consolidate into a Common Control Framework (CCF)
  - Map common controls from each source
  - Eliminate duplication of overlapping controls
Slide 11: Control Objectives Covered by ISO 27002
- Security policy
- Asset management
- Information classification
- Data loss prevention
- Identity management
- Access control
- Physical security
- HR security
- Network security management
- Vulnerability management
- Email security
- Security event and incident management
- Security for software development, deployment and maintenance
- Business continuity management
- Compliance
Slide 12: Mapping Multiple Control Sources into a Common Control Framework (CCF)
Best practice frameworks:
- COBiT: controls for IT governance
- ISO 27002: subset of IT controls, focused on security, mapped to COBiT controls
- ITIL: subset of IT controls, focused on process, mapped to ISO
(Diagram: COBiT, ISO 27002, ITIL)
Slide 13: Mapping Multiple Control Sources into a Common Control Framework (CCF)
Compliance standards:
- HIPAA, SOX, PCI and others (this is just a sample)
- Many overlapping controls, de-duplicated
(Diagram: COBiT, ISO 27002, ITIL, HIPAA, SOX, PCI)
Slide 14: Mapping Multiple Control Sources into a Common Control Framework (CCF)
Controls required by specific business needs: Business, Legal, Contractual
(Diagram: COBiT, ISO 27002, ITIL, HIPAA, SOX, PCI, Business/Legal/Contractual)
Slide 15: Mapping Multiple Control Sources into a Common Control Framework (CCF)
(Diagram: COBiT, ISO 27002, ITIL, HIPAA, SOX, PCI, Business/Legal/Contractual)
Result: a customized CCF covering
- Security best practices
- Applicable compliance standards
- Business requirements
Slide 16: Step Two: Assess Control Implementation
Three types of controls must be assessed for presence and effectiveness:
- Policy controls: high-level to detailed security policies
- Technical controls: assessed based on security architecture best practices; validated with active testing
- Process and employee readiness controls: are the processes well designed? Are the processes followed?
Slide 17: Step Three: Remediate Control Gaps
Control gaps should be prioritized for remediation based on business risk.
- Policy controls: development of new or enhancement of existing security policies
- Technical controls: deploy new security technology solutions; identify controls eligible for outsourcing; identify needed subscriptions for security intelligence and signatures
- Process and employee readiness controls: develop processes; train employees; design ongoing awareness program
Slide 18: Step Four: Maintain Controls
Governance of the program is accomplished through maintaining the controls and the framework itself.
- Ongoing maintenance of technical controls
  - Operate: ongoing monitoring and management
  - Optimize: tune and evolve security solutions as needed
- Periodic assessments of all controls
  - For changes in control needs: threats, compliance, business
  - For control effectiveness: policy, technical, process
- Evolve controls and CCF as needed
  - Prioritize gaps
  - Update CCF and controls
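The four steps above (define the CCF by mapping and de-duplicating source requirements, assess each control for presence and effectiveness, prioritize gaps by business risk, then re-run periodically) can be modelled in a small data structure. The following is an added example written for this page, not Cisco's tooling or any product mentioned in the deck. Every requirement identifier (ISO-AC-1, PCI-R-1, and so on), risk score and assessment result is a constructed placeholder, not a clause number from ISO 27002, PCI, HIPAA or SOX; the mapping of each requirement onto a common control is the analyst judgement the slides describe, supplied here as input.

```python
"""Toy Common Control Framework (CCF) builder with gap prioritization.

Added example; not Cisco's tooling. All requirement identifiers, risk
scores and assessment results below are constructed placeholders, not
clause numbers from ISO 27002, PCI, HIPAA or SOX.
"""
from collections import defaultdict
from dataclasses import dataclass

# Step One: each control source lists its requirements, and an analyst has
# mapped every requirement onto one canonical CCF control (the value).
# Overlap between sources shows up as several requirements sharing a value.
SOURCE_REQUIREMENTS = {
    "ISO27002": {
        "ISO-POL-1": "security-policy",
        "ISO-AC-1": "access-control",
        "ISO-VULN-1": "vulnerability-mgmt",
        "ISO-SEM-1": "security-event-mgmt",
    },
    "PCI": {
        "PCI-R-1": "access-control",
        "PCI-R-2": "vulnerability-mgmt",
        "PCI-R-3": "security-event-mgmt",
    },
    "HIPAA": {"HIPAA-S-1": "access-control", "HIPAA-S-2": "security-policy"},
    "SOX": {"SOX-ITGC-1": "access-control", "SOX-ITGC-2": "change-mgmt"},
    "Contract": {"CUST-1": "security-event-mgmt"},  # customer contractual clause
}


def build_ccf(sources):
    """Consolidate all sources into a de-duplicated CCF.

    Returns {common_control: {source: [requirement ids]}} so that each
    common control carries the evidence of which obligations it satisfies.
    """
    ccf = defaultdict(lambda: defaultdict(list))
    for source, requirements in sources.items():
        for req_id, common_control in requirements.items():
            ccf[common_control][source].append(req_id)
    return {control: dict(by_source) for control, by_source in ccf.items()}


def obligations_satisfied(ccf, control):
    """Sources (standards, regulations, contracts) that one common control covers."""
    return sorted(ccf.get(control, {}))


def requirement_count(ccf, control):
    """How many individual source requirements collapse into this one control."""
    return sum(len(ids) for ids in ccf.get(control, {}).values())


@dataclass
class Assessment:
    """Step Two result for one control: presence, effectiveness, business risk."""
    control: str
    control_type: str   # "policy", "technical" or "process"
    present: bool
    effective: bool
    business_risk: int  # 1 (low) to 5 (high), taken from the risk assessment


def gap_status(assessment):
    """A control is a gap if it is absent, or present but not effective."""
    if not assessment.present:
        return "missing"
    if not assessment.effective:
        return "ineffective"
    return "ok"


# Constructed Step Two findings for the CCF above.
ASSESSMENTS = [
    Assessment("security-policy", "policy", True, True, 3),
    Assessment("access-control", "technical", True, False, 5),
    Assessment("vulnerability-mgmt", "technical", False, False, 4),
    Assessment("security-event-mgmt", "process", False, False, 4),
    Assessment("change-mgmt", "process", True, True, 2),
]


def prioritize_gaps(ccf, assessments):
    """Step Three ordering: highest business risk first; ties broken by how
    many obligations the control satisfies, so one fix closes the most gaps."""
    gaps = [a for a in assessments if gap_status(a) != "ok"]
    gaps.sort(key=lambda a: (-a.business_risk, -requirement_count(ccf, a.control), a.control))
    return [(a.control, gap_status(a), a.business_risk, requirement_count(ccf, a.control))
            for a in gaps]


if __name__ == "__main__":
    ccf = build_ccf(SOURCE_REQUIREMENTS)
    print(f"{sum(len(r) for r in SOURCE_REQUIREMENTS.values())} source requirements "
          f"-> {len(ccf)} common controls")
    for control, status, risk, count in prioritize_gaps(ccf, ASSESSMENTS):
        print(f"{control:20} {status:12} risk={risk} covers={count} "
              f"sources={obligations_satisfied(ccf, control)}")
```

With the constructed input, twelve source requirements collapse into five common controls, which is the de-duplication Step One aims for; the reverse map in each CCF entry is what lets one piece of audit evidence be reused across every standard that control satisfies. The Step Four loop is simply re-running the assessments against an updated SOURCE_REQUIREMENTS table when a new obligation or threat changes the control set.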
Slide 19: How Can Cisco Help with IT GRC?
IT GRC Information Security Services (diagram arranged around the Define, Assess, Remediate, Maintain cycle):
- Security Control Assessment Services: Security Policy Assessment; Network Security Architecture Assessment; Security Posture Assessment; Security Process Assessment
- Security control development and deployment services
- Security intelligence content subscriptions
- Cisco self-defending network solutions
- Security remote management services
- Security optimization service
- Security control assessment and remediation services
*Services available from Cisco and Cisco certified partners