Slide 1: Risk Management: How to Comply with Everything (July 11, 2013)

Slide 2: Introduction
Chris Cronin – Principal Consultant, Halock Security Labs
– GCIH, ISO 27001 Auditor
– Recent GSNA Gold
– 15+ years experience in IT operations, audit, consulting and incident response

Slide 3: What You Will Learn
– Finding the Investment Sweet Spot: How much security does the organization really need?
– On Common Ground: Meeting the agendas of the Executive Suite
– Ease Their Pain: Conflict-free audits
– Ask and You Shall Receive: Bullet-proof risk treatment planning and approvals
– How to Comply with Everything: Why risk management is the compliance keystone

Slide 4: Presentation Layout
– What is risk management?
– Who benefits?
– How to bust the myths.

Slide 5: What is Risk Management?

Slide 6: Asset

Slide 7: Control

Slide 8: Vulnerability

Slide 9: Threat

Slide 10: Likelihood

Slide 11: Impact to Your Mission

Slide 12: Risk
Risk = Likelihood x Impact

Slide 13: Risk Treatment

Slides 14 and 15: The Risk Register

Slide 16: What Risk Management Isn’t

Slide 17: Gap Assessment

Slide 18: What Keeps You Up At Night?

Slide 19: Predicting the Future

Slide 20: What Risk Management Is

Slides 21 and 22: Risk Management in Regulations – HIPAA Security Rule
– “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information...”
– “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…”
– “Security measures implemented to comply with standards and implementation specifications …must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of [EPHI]”

Slides 23 and 24: Risk Management in Regulations – Massachusetts 201 CMR 17.00
– “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program”
– “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information…”
– “…evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”

Slide 25: Components of Risk Management
Risk Management has two halves: Assessment and Oversight.
– Identify Risks
– Propose Controls
– Implement Controls
– Test Effectiveness
– Improve Ineffective Controls

Slide 26: Information Risk Management: The Standard of Care
Required by laws and regulations
– SOX (Auditing Standard No. 5)
– HIPAA Security Rule / Meaningful Use
– Massachusetts 201 CMR 17.00
– Gramm-Leach-Bliley
– FISMA
– Federal Trade Commission rulings

Slide 27: Information Risk Management: The Standard of Care
Required by security standards
– PCI DSS 2.0
– ISO 27001 / ISO 27002
– COBIT
– NIST Special Publications

Slide 28: Who is Benefiting from Risk Management?

Slide 29: A Real-Life Case Study
– An organization that needed to improve its information compliance and security program
– Multiple roles that each had something at stake
– Multiple regulations apply to them

Slide 30: Whose Jobs are Getting Easier With Risk Management?
– Chief Financial Officer
– Auditor
– Chief Information Security Officer
– General Counsel
– Chief Information Officer
– IT Staff

Slide 31: Their Risk Register

Slide 32: Their Risk Calculations
Risk = Likelihood x Impact
– Likelihood values: 1-5
– Impact values: 1-5
– Risk rating range: 1-25
– Acceptable Risk = Below 8

Slide 33: Lesson 1: Finding the Investment Sweet Spot
Risk:
– Local administrator passwords on end-user systems are identical. They allow a “pass-the-hash” breach.
Roles:
– CIO: Needs to balance business and compliance requirements
– IT Staff: Need an easy way to support desktops
– CISO: Needs to be sure requirements are met
– General Counsel: Needs to balance business and compliance while addressing liability
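The following is an added example, not code from the presentation or from Halock: a minimal risk register that applies the case study's scoring scheme (Likelihood 1-5 x Impact 1-5, acceptable when below 8) and then picks the least-cost treatment whose residual rating is acceptable, which is the "investment sweet spot" of Lesson 1. The register entries, the treatment options and their residual scores and annual costs are constructed assumptions for illustration only.

```python
# Added example (not from the presentation): a small risk register using the
# case study's scoring scheme, Likelihood (1-5) x Impact (1-5), acceptable
# below 8, plus a treatment planner that picks the least-cost option whose
# residual risk is acceptable. All entries, options and costs are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACCEPTABLE_BELOW = 8  # a rating of 8 or more needs treatment (slide 32)


def rating(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact, both on the 1-5 scale from the case study."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be integers 1-5")
    return likelihood * impact


def is_acceptable(score: int) -> bool:
    return score < ACCEPTABLE_BELOW


@dataclass(frozen=True)
class Treatment:
    name: str
    likelihood_after: int  # residual likelihood once the control is in place
    impact_after: int      # residual impact once the control is in place
    annual_cost: int       # constructed figure in arbitrary currency units

    @property
    def residual(self) -> int:
        return rating(self.likelihood_after, self.impact_after)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatments: List[Treatment] = field(default_factory=list)

    @property
    def inherent(self) -> int:
        return rating(self.likelihood, self.impact)


def plan(risk: Risk) -> Tuple[str, Optional[Treatment]]:
    """Decide what to do with one register entry.

    ("accept", None)    inherent rating is already below the threshold
    ("treat", option)   least-cost treatment whose residual rating is acceptable
    ("escalate", None)  no proposed treatment gets there; management must decide
    """
    if is_acceptable(risk.inherent):
        return ("accept", None)
    candidates = [t for t in risk.treatments if is_acceptable(t.residual)]
    if not candidates:
        return ("escalate", None)
    return ("treat", min(candidates, key=lambda t: t.annual_cost))


def register_report(risks: List[Risk]) -> List[Tuple[str, int, str, Optional[str]]]:
    """One row per risk: (asset, inherent rating, decision, chosen treatment)."""
    rows = []
    for r in risks:
        decision, t = plan(r)
        rows.append((r.asset, r.inherent, decision, t.name if t else None))
    return rows


# Constructed register entries; the first is modelled on the Lesson 1 risk.
PASS_THE_HASH = Risk(
    asset="End-user workstations",
    threat="Attacker on one compromised desktop moves laterally",
    vulnerability="Identical local administrator password on every desktop (pass-the-hash)",
    likelihood=4, impact=4,
    treatments=[
        Treatment("Policy memo forbidding password reuse (no enforcement)", 3, 4, 2_000),
        Treatment("Randomize local administrator passwords per host", 1, 4, 10_000),
        Treatment("Disable local admin; rebuild desktop support workflow", 1, 3, 40_000),
    ],
)
LOW_RISK = Risk("Lobby kiosk", "Defacement", "Unattended browser", likelihood=2, impact=3)
NO_GOOD_OPTION = Risk(
    "Legacy billing server", "Exploitation of unpatched service",
    "Vendor no longer ships patches", likelihood=5, impact=5,
    treatments=[Treatment("Add host firewall rules", 4, 5, 500)],
)

if __name__ == "__main__":
    for row in register_report([PASS_THE_HASH, LOW_RISK, NO_GOOD_OPTION]):
        print(row)
```

For the pass-the-hash entry the inherent rating is 16; the cheapest option (a policy memo) only gets the residual to 12, so the planner selects randomized per-host local administrator passwords at residual 4 rather than the more expensive option at residual 3. That is the point of the lesson: the approved spend is the one that reaches acceptable risk, not the one that drives risk to its minimum.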

Slides 34 and 35: Lesson 1: “Pass-the-Hash” Risk

Slide 36: Finding the Sweet Spot

Slide 37: Lesson 2: Finding Common Ground
Risk:
– A lack of secure web application coding practices has created vulnerable applications.
Roles:
– CIO: Needs to balance demands for new secure applications with many other demands
– CFO: Needs controlled applications for financial reporting. Needs to control costs.
– CISO: Needs to be sure requirements are met
– General Counsel: Needs to balance business and compliance while addressing liability

Slides 38 and 39: Lesson 2: Unsecured Applications Risk

Slide 40: Lesson 3: Ease Their Pain
Risk:
– Client auditor demanding “hard tokens” rather than “soft tokens” for two-factor authentication.
Roles:
– Auditor: Needs to demonstrate whether controls are met (while maintaining independence)
– CIO: Needs to respond truthfully to the auditor (while balancing business with compliance)
– CISO: Needs to ensure compliance

Slides 41 and 42: Lesson 3: Two-Factor Token Risk

Slide 43: Lesson 4: Ask and You Shall Receive
If you ask for something that reduces a risk to the mission of the organization, and the cost is reasonable for reducing the impact … then you will get it.

Slide 44: Lesson 5: How to Comply with Everything
Risk Management mapped against HIPAA, 201 CMR 17.00, PCI DSS, FTC, CFPB and ISO 27001

Slide 45: Lesson 5: How to Comply with Everything

Slide 46: How to Bust Risk Assessment Myths

Slide 47: “We need actuarial tables”
Actuarial tables are not used for risk assessments! Information risk assessments are standard, straightforward processes. They require no statistical skills.

Slide 48: “We can’t predict the future”
Risk assessments are not intended to be predictions, but should be “due care” considerations of what could go wrong.


Slide 50: “Risk assessments take too much time”
Because risk assessments help determine reasonable control levels, less time and cost are invested to get compliant. Risk management reduces liability even before full compliance is met.

Slide 51: “Reasonable means ‘what our competitors do.’”
You don’t know what your competitors do. The regulations and statutes tell you to arrive at “reasonable and appropriate” using risk analysis.

Slide 52: “We can never agree on asset values”
Risk assessment methodologies often state the need to assess the asset value. That is often more difficult than what you need. Try assessing the impact instead.

Slide 53: “We did a gap assessment. That’s good enough”
Your first gap will be “We didn’t conduct a risk assessment.” Risk assessments are the standard of care for laws, regulations and information security standards.

Slide 54: Questions
Chris Cronin: ccronin@halock.com

