Managing Compliance for All Departments
Building a Common Control Framework for everybody!
Michael D'Arezzo, CISSP, CISA, Director of Security Services
Agenda
- What is a common control framework?
- Where do I begin?
- Where can I get help?
What is a common control framework?
- A simplified set of security and risk controls
- The lowest/highest "common denominator" for rules and requirements
- A simplification for communicating requirements to the organization
- Example: NIST Cyber Security Framework
Regulatory Compliance
- FFIEC
- HIPAA
- PCI
- SOX 404
- FERPA
Pull it together!
- Shared controls across frameworks
- Required policies
- Quarterly requirements
- Annual requirements
- Easier to manage
- Everyone on the same page!
Where to begin – Step 1
Breathe – this is a journey, not a destination!
- This process will take at least 3-6 months to finish
- Will require constant updates!
- Will require interaction from many people!
Where to begin – Step 2
Communicate to the entire organization that you are collecting!
- Utilize the subject matter experts around the organization
- Look at previous years' submitted documentation
- Research websites for help: http://www.higheredcompliance.org/matrix/
Higher Education Compliance Alliance Website
Where to begin – Step 3
Collect all regulatory requirements
- Title IV / Title IX
- FERPA
- PCI
- HIPAA
Where to begin – Step 4
Find the common controls
- Password controls
- Vulnerability scanning / "testing" requirements
- Documentation / policy requirements
Where to begin – Step 5
Lay out the controls into containers
- Data classification requirements
- Access controls
- Asset management
- Third party risk
Where to begin – Step 6
Where is the overlap?
- Are the password requirements similar, or more/less restrictive?
- Are the reporting requirements the same for asset management?
- Are the documented policy requirements similar, or more/less restrictive?
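As an added example that is not part of the presentation, the short Python script below carries Steps 3 to 6 through in code: it takes requirement ids and titles from the PCI and HIPAA slides later in the deck, lays them out in common-control containers (Step 5), reports which containers more than one framework points at (Step 6), and resolves a "more/less restrictive" question by picking, per parameter, the value that satisfies every framework at once. The container assignments, the "Documentation / Policy" container, the "Local policy" row and every numeric password value are constructed placeholders for illustration, not figures taken from either standard.

```python
from collections import defaultdict

# (framework, requirement id, requirement title, common-control container)
# Ids and titles follow the PCI and HIPAA slides; the container assignment is
# this example's own (constructed) mapping, which is the Step 5 judgement call.
REQUIREMENTS = [
    ("PCI",   "Req 7",    "Restrict access to cardholder data",          "Access Controls"),
    ("PCI",   "Req 8",    "Identify and authenticate access",            "Access Controls"),
    ("PCI",   "Req 4",    "Encrypt data transmission",                   "Secure Transmission of Data"),
    ("PCI",   "Req 12",   "Maintain a policy for information security",  "Documentation / Policy"),
    ("HIPAA", "312(a 1)", "Access Control",                              "Access Controls"),
    ("HIPAA", "312(d)",   "Person or Entity Authentication",             "Access Controls"),
    ("HIPAA", "312(e)",   "Transmission Security",                       "Secure Transmission of Data"),
    ("HIPAA", "308(a 5)", "Security Awareness Training",                 "Awareness Training"),
    ("HIPAA", "308(b 1)", "Business Associate Contracts and Other Arrangements", "Third Party Risk"),
]


def by_container(reqs=REQUIREMENTS):
    """Step 5: group requirement ids by container, then by framework."""
    out = defaultdict(lambda: defaultdict(list))
    for framework, req_id, _title, container in reqs:
        out[container][framework].append(req_id)
    return {c: dict(frameworks) for c, frameworks in out.items()}


def overlap(reqs=REQUIREMENTS):
    """Step 6: containers that two or more frameworks land on (the shared controls)."""
    return sorted(c for c, fws in by_container(reqs).items() if len(fws) > 1)


def single_source(reqs=REQUIREMENTS):
    """Containers driven by exactly one framework: still required, but not 'common'."""
    return sorted(c for c, fws in by_container(reqs).items() if len(fws) == 1)


# Hypothetical per-framework values for one shared control (password controls).
# "min": a higher number is stricter.  "max": a lower number is stricter.
# All numbers are constructed placeholders, not the standards' real values.
PASSWORD_SETTINGS = {
    "minimum length":         ("min", {"PCI": 7,  "HIPAA": 8,  "Local policy": 12}),
    "max age (days)":         ("max", {"PCI": 90, "HIPAA": 60}),
    "lockout after failures": ("max", {"PCI": 6,  "HIPAA": 5}),
}


def most_restrictive(settings=PASSWORD_SETTINGS):
    """Per parameter, choose the value that meets every framework and name who drove it."""
    result = {}
    for name, (kind, values) in settings.items():
        pick = max if kind == "min" else min
        value = pick(values.values())
        sources = sorted(fw for fw, v in values.items() if v == value)
        result[name] = (value, sources)
    return result


if __name__ == "__main__":
    for container, frameworks in by_container().items():
        print(f"{container}: {frameworks}")
    print("Shared controls:", overlap())
    print("Single-framework controls:", single_source())
    for name, (value, sources) in most_restrictive().items():
        print(f"{name}: {value} (driven by {', '.join(sources)})")
```

The "most restrictive wins" rule is what makes one common control satisfy several frameworks at once; the `sources` list tells the control owner which regulation to cite when someone asks why the setting is stricter than their own framework requires.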
PCI Compliance
- Requirement 1: Install and maintain a firewall
- Requirement 2: Default vendor passwords
- Requirement 3: Protect cardholder data
- Requirement 4: Encrypt data transmission
- Requirement 5: Protect all systems
- Requirement 6: Develop secure systems / applications
- Requirement 7: Restrict access to cardholder data
- Requirement 8: Identify and authenticate access
- Requirement 9: Restrict physical access to data
- Requirement 10: Track and monitor all access to network and data
- Requirement 11: Deploy a change-detection mechanism
- Requirement 12: Maintain a policy for information security
HIPAA
- Requirement 308 (a 1 i): Security Management Process
- Requirement 308 (a 2): Assigned Security Responsibility
- Requirement 308 (a 3 i): Workforce Security
- Requirement 308 (a 4): Information Access Management
- Requirement 308 (a 5): Security Awareness Training
- Requirement 308 (a 6): Security Incident Procedures
- Requirement 308 (a 7): Contingency Plan
- Requirement 308 (a 8): Evaluation
- Requirement 308 (b 1): Business Associate Contracts and Other Arrangements
- Requirement 310 (a 2 i): Facility Security Plan
- Requirement 310 (b): Workstation Use
- Requirement 310 (c): Workstation Security
- Requirement 310 (d 1): Device and Media Controls
- Requirement 312 (a 1): Access Control
- Requirement 312 (b): Audit Controls
- Requirement 312 (c): Integrity
- Requirement 312 (d): Person or Entity Authentication
- Requirement 312 (e): Transmission Security
Common Control Framework – Sample Control Categories
- Awareness Training
- Access Controls
- Third Party Risk
- Secure Transmission of Data
- Asset Management
Common Control Calendar
Columns: Compliance Framework | Annual Audit | Q1 Deliverables | Q2 Deliverables | Q3 Deliverables | Q4 Deliverables
Rows (cells in slide order):
- Higher Education Opp Act Section 488 | Preparation of report
- PCI | SAQ C | Internal Vuln Scan | Internal and External Scan
- HIPAA | SRA | Selection of 3rd party audit | Risk Assessment | Remediation
- Title IV | Peer Review for Year 10
- IRS | Annual Tax
Tips and Tricks
- Don't make the controls too open or too restrictive
- Make sure the controls make sense to everyone
- Don't try to make controls fit together if they don't
- REVIEW AND UPDATE QUARTERLY!
Security Frameworks Available
- COBIT – available through the ISACA organization
- NIST Cyber Security Framework – available free, paid for by your tax dollars!
- CIS (SANS) Critical Controls – available for free to review
Q & A
Schedule
- Security Through Intel, or "Learning from other people's mistakes" – Thursday 9am – 10am – Mike D'Arezzo
- Building an Incident Response Plan – Thursday 4:15 PM – 5:15 PM – Don Murdoch
- Penetration Testing for the everyday security analyst – Friday 9am – 10am – Mike D'Arezzo
- Portable NFAT Tools, Techniques, and System Build – 11:30 – 12:30 – Don Murdoch
SLAIT Security Offerings
Governance | Prevention | Response
- Risk Assessment
- Policy and Procedure
- PCI Prep
- HIPAA Gap Analysis
- Audit Preparation Assistance
- Security Organization Review
- Security Checkup
- Managed Firewall and Endpoint
- Secure Infrastructure Design & Review
- vISO Program
- Awareness Training
- Assessment: Vulnerability Scanning, Penetration Testing, Phishing Exercises
- ThreatRecon Pre-breach Preparation
- ThreatManage Breach Response
- Cyber Forensics
- Technology Partners
References
- Ellen Ng, "Integrated IT Control Framework" presentation: http://www.ciosummits.com/media/presentations/cloud-2011/Ella-Ng.pdf
- Higher Education Compliance: http://www.higheredcompliance.org/matrix/
- NIST Cybersecurity Framework
- COBIT: https://cobitonline.isaca.org/
- CIS Top 20 Critical Controls: https://www.cisecurity.org/critical-controls.cfm