
Lecture 1 - Laws, Regulations and GRC

GDP (Governance & Data Protection)
Lecture 1: Laws/Regulations and GRC
Diploma in CSF
Year 3 Semester 5
Official (Closed) - Non Sensitive
Objectives
At the end of this lecture, you will know more about:
- Laws & Regulations
  - International
  - Local
- Governance, Risk, and Compliance (GRC)
- GRC Tools
Last update: 19 July 2024
Businesses face many challenges
- Aligning IT with business requirements
- Value/cost
- Managing complexity
- Regulatory compliance
- Security
Risks are everywhere
Information security is not only a technical issue, but also a business and governance challenge. Organizations require a structured approach to manage these challenges.

Organisational culture was to blame for some of the missteps. "One must not lose sight of the fact that the treatment of cyber-security issues and incidents by staff and middle management is very much shaped by organisational culture."

"Responses following the cyber attack must go beyond technical measures and include solutions to tackle human errors."

"It must also include the human dimension of cyber hygiene and cyber security such as proper governance, processes and situational awareness. And this human dimension has to pervade organisations down to the last soldier."

"Organisations should arm themselves with security solutions that enable them to detect and respond early to threats."

(SingHealth Data Breach – July 2018)
Laws & Regulations
- A variety of laws and regulations have surfaced over the past decade in an attempt to strengthen the security of information stored within companies.
- As a result, various security control “standards” and “frameworks” have evolved to meet the requirements of these laws.
- Laws and regulations are written at the higher “what needs to happen” level.
- Standards and control frameworks are needed to ensure that security is planned, organized, implemented, tested, and monitored.
Laws & Regulations
- Different sectors have different regulatory requirements
  - E.g. finance, credit card, healthcare, etc.
- Government vs private sector
  - The government sector is required to comply with IM8
- Regulated industries (power plants, transportation, medicine, banks, etc.) have more regulations
Laws & Regulations - Finance
- Sarbanes-Oxley Act of 2002 (SOX)
  - An act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations.
  - http://www.soxlaw.com/s302.htm
Laws & Regulations - Healthcare
- HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that provides data privacy and security provisions for safeguarding medical information.
- HIPAA Privacy Rule:
  - Focuses on limiting the use and disclosure of sensitive Protected Health Information (PHI).
  - Seeks to protect the privacy of patients -- by requiring doctors to provide patients an account of each entity to which the doctor discloses PHI for billing and administrative purposes -- while still allowing relevant health information to flow through the proper channels.
  - Gives patients the right to access their own medical records.
- HIPAA Security Rule:
  - Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.
  - Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Laws & Regulations – Credit Card
- The Payment Card Industry (PCI) has taken steps to prevent credit card fraud and protect cardholders against identity theft.
- The PCI Security Standards Council (PCI SSC) requires all entities that want to hold, process, or transfer cardholder information to comply with the PCI Data Security Standard (PCI DSS).
- The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
- The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
6 Steps to PCI DSS Compliance
Local Laws/Regulations
“Instruction Manual (IM) 8” specifies government policies, standards, regulations and codes of practice for IT security implemented by government agencies, which private vendors serving the government would also need to comply with.
All IMs are mandatory for compliance by government agencies and are subject to regular audit and assessment for enforcement purposes.
We will revisit this later.
Governance, Risk, and Compliance (GRC)
- Governance, Risk, and Compliance (GRC) has been embraced, primarily by vendors, in recognition that companies are struggling to implement the controls needed to meet the extensive requirements of laws and regulations.
- GRC refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations.
- GRC aims to protect corporate assets.
- Video: What is GRC (YouTube)
Class notes
- Identify assets, threats and vulnerabilities
- Then assess them
- Finally, control them by applying policies
- Laws/regulations are mandatory, and affect the company's strategy of identify, assess and control
Governance, Risk, and Compliance (GRC)
- Governance
  - The structure, policies, and practices that are put in place by the organization to ensure that the controls are adequately communicated, carried out, and enforced by engaging direction and support at the appropriate organizational level.
- Risk
  - The act of making informed decisions about the losses that the company is willing to accept given a breach of security and building the appropriate mitigating risk strategies to reduce the risk to acceptable levels defined by the business.
Governance, Risk, and Compliance (GRC)
- Compliance
  - Conforming with stated requirements set out internally (policies), or through extrinsic requirements like laws, regulations, etc.
  - Ensuring that the controls are being adhered to on an ongoing basis, thereby increasing the likelihood of a reduction of a risk and increased adherence to the governance intended by the organization.
- Compliance video: https://www.youtube.com/watch?v=uo9NVNJXTEY
Examples of GRC Tools
- Archer (commercial tool by RSA)
- Practical Threat Analysis (PTA) (free tool)
- Open Risk & Compliance Framework and Tool (ORICO) (open source)
- GPLI (open source)
- STREAM (by Acuity Risk Management)
- SimpleRisk (open source)
- Eramba
Summary
- Businesses need to comply with laws, regulations, and policies to reduce risks.
- There are local and international laws and regulations for each industry.
- GRC has been embraced in recognition that companies are struggling to implement the controls needed to meet the extensive requirements of laws and regulations.
- GRC tools are used to help companies achieve compliance.
Reference Books
- Todd Fitzgerald, Information Security Governance Simplified: From the Boardroom to the Keyboard, CRC Press (Taylor & Francis Group)