GDP Lecture 1: Laws/Regulations and GRC
Governance & Data Protection
Diploma in CSF Year 3, Semester 5
Official (Closed) - Non Sensitive
Last update: 19 July 2024

Slide 2: Objectives
At the end of this lecture, you will know more about:
- Laws & Regulations (international and local)
- Governance, Risk, and Compliance (GRC)
- GRC tools

Slide 3: Businesses face many challenges
- Aligning IT with business requirements
- Value/cost
- Managing complexity
- Regulatory compliance
- Security

Slide 4: Risks are everywhere

Slide 5: Risks are everywhere
Information security is not only a technical issue, but also a business and governance challenge. Organizations require a structured approach to manage these challenges.

Organisational culture was to blame for some of the missteps in the SingHealth data breach (July 2018):
"One must not lose sight of the fact that the treatment of cyber-security issues and incidents by staff and middle management is very much shaped by organisational culture."
"Responses following the cyber attack must go beyond technical measures and include solutions to tackle human errors."
"It must also include the human dimension of cyber hygiene and cyber security such as proper governance, processes and situational awareness. And this human dimension has to pervade organisations down to the last soldier."
"Organisations should arm themselves with security solutions that enable them to detect and respond early to threats."

Slide 6: Laws & Regulations
A variety of laws and regulations have surfaced over the past decade in an attempt to strengthen the security of information stored within companies. As a result, various security control "standards" and "frameworks" have evolved to meet the requirements of those laws.
- Laws and regulations are written at a higher "what needs to happen" level.
- Standards and control frameworks are needed to ensure security is planned, organized, implemented, tested, and monitored.

Slide 7: Laws & Regulations
- Different sectors have different regulatory requirements, e.g. finance, credit card, healthcare.
- Government vs. private sector: government-sector organisations are required to comply with IM8.
- Regulated industries (power plants, transportation, medicine, banks, etc.) face more regulations.

Slide 8: Laws & Regulations - Finance
Sarbanes-Oxley Act of 2002 (SOX): an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations.
http://www.soxlaw.com/s302.htm

Slide 9: Laws & Regulations - Healthcare
HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information.
- HIPAA Privacy Rule: focuses on limiting the use and disclosure of sensitive Protected Health Information (PHI). It seeks to protect the privacy of patients by requiring doctors to provide patients an account of each entity to which the doctor discloses PHI for billing and administrative purposes, while still allowing relevant health information to flow through the proper channels. It gives patients the right to access their own medical records.
- HIPAA Security Rule: establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Slide 10: Laws & Regulations - Credit Card
The Payment Card Industry (PCI) has taken steps to prevent credit card fraud and protect cardholders against identity theft. The PCI Security Standards Council (PCI SSC) requires all entities that want to hold, process, or transfer cardholder information to comply with the PCI Data Security Standard (PCI DSS).

PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

Slide 11: 6 Steps to PCI DSS Compliance

Slide 12: Local Laws/Regulations

Slide 13: Local Laws/Regulations
"Instruction Manual (IM) 8" specifies government policies, standards, regulations and codes of practice for IT security implemented by government agencies, which private vendors serving the government would also need to comply with. All IMs are mandatory for compliance by government agencies and are subject to regular audit and assessment for enforcement purposes. We will revisit this later.

Slide 14: Governance, Risk, and Compliance (GRC)
- GRC is embraced primarily by vendors in recognition that companies are struggling with the controls they must implement to meet the extensive requirements of laws and regulations.
- GRC refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations.
- GRC aims to protect corporate assets.
Video: What is GRC (YouTube)

Slide 15: Governance, Risk, and Compliance (GRC)

Slide 16: Class notes
- Identify assets, threats and vulnerabilities.
- Then assess them.
- Finally, control them by applying policies.
- Laws/regulations are mandatory and shape the company's strategy for identifying, assessing and controlling risk.

Slide 17: Governance, Risk, and Compliance (GRC)
- Governance: the structure, policies, and practices put in place by the organization to ensure that controls are adequately communicated, carried out, and enforced, by engaging direction and support at the appropriate organizational level.
- Risk: the act of making informed decisions about the losses the company is willing to accept given a breach of security, and building the appropriate risk-mitigation strategies to reduce the risk to the acceptable levels defined by the business.

Slide 18: Governance, Risk, and Compliance (GRC)
- Compliance: conforming with stated requirements set out internally (policies) or through extrinsic requirements such as laws and regulations. It means ensuring that the controls are adhered to on an ongoing basis, thereby increasing the likelihood of risk reduction and of adherence to the governance intended by the organization.
Compliance video: https://www.youtube.com/watch?v=uo9NVNJXTEY

Slide 19: Examples of GRC Tools
- Archer (commercial tool by RSA)
- Practical Threat Analysis (PTA) (free tool)
- Open Risk & Compliance Framework and Tool (ORICO) (open source)
- GPLI (open source)
- STREAM (by Acuity Risk Management)
- SimpleRisk (open source)
- ERAMBA

Slide 20: Summary
- Businesses need to comply with laws, regulations, and policies to reduce risks.
- There are local and international laws and regulations for each industry.
- GRC is embraced in recognition that companies are struggling with the controls they must implement to meet the extensive requirements of laws and regulations.
- GRC tools are used to help companies achieve compliance.

Slide 21: Reference Books
Todd Fitzgerald, Information Security Governance Simplified: From the Boardroom to the Keyboard, CRC Press (Taylor & Francis Group)