Holistic Approach to Information Security
Greg Carter, Cisco Security Services Product Manager
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Examining the Threat Landscape
[Chart of incidents, each labelled "Risk"; source: www.privacyrights.org]

The Twin Information Security Challenges
How to manage both with limited resources?
Information security threats
• Rapidly evolving threats
• Many distinct point solutions
• How to best protect IT confidentiality, integrity, and availability
Information security compliance obligations
• Many separate but overlapping standards
  Regulatory: SOX, HIPAA, GLBA, state and local
  Industry: PCI, HITRUST
  Customer: SAS 70, ISO 27001

How Have These Information Security Challenges Evolved?
                      1990s               2000s                                     Today and future
Scope                 IT security         IT compliance + IT security               IT risk (compliance and security together)
Enterprise focus      What happened?      Is there an audit trail?                  How to manage risk?
Enterprise response   Security products   Siloed compliance and security programs   Integrated compliance and security programs

Organizations Continue to Struggle: Addressing Information Security Threats and Compliance
• How to prioritize limited resources
• How to be most effective
• How to reduce the cost
Most organizations have addressed these challenges with siloed efforts, resulting in:
• High costs
• Fragmented teams
• Redundancies
• Unknown risks

Solution: Address Information Security Challenges Through One Program
IT Governance, Risk Management, and Compliance (IT GRC)
Risk management: how to determine the likelihood and impact of business threats, and use a systematic approach, based on the organization's risk tolerance, to prioritize the resources that deal with those threats.
Governance: how we set policies to achieve our strategic objectives and address risk, and how we set up the organizational structures and processes to see that those policies are executed successfully.
Compliance: how we establish the controls needed to meet our governance objectives, and how we validate the effectiveness of those controls.
Common Control Framework: a unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously.

What Does It Mean to Address Information Security Through IT GRC?
[Diagram. Inputs: external authority documents (regulations, industry standards, contractual requirements, international standards and control models); company vision and strategy with its business drivers; and a risk assessment built from the asset inventory, threats and vulnerabilities. These feed a Common Control Framework that is implemented, operated, monitored and updated, producing security, compliance and business value.]

Value of the IT GRC Approach
IT GRC delivers dramatic business value. For companies with the most mature IT GRC programs (source: IT Policy Compliance Group, 2008):
• Revenue: 17% higher
• Profit: 14% higher
• Customer retention: 18% higher
• Loss from loss of customer data: 96% lower
• Audit costs: 50% lower
• Business disruptions from IT: 50x less likely
Maximize reduction in IT security risk with available resources
• Risk-based, business-focused decisions and resource prioritization
• Raise visibility of comprehensive security posture
• Use internationally recognized best practices
Reduce cost of compliance
• One set of controls to implement and manage
• One program to govern
• Many compliance standards addressed

Where Do I Start with IT GRC?
Four phases: Define, Assess, Remediate, Maintain.
Define a Common Control Framework:
• Identify compliance obligations
• Understand business requirements
• Asset inventory
• Evaluate threats and vulnerabilities
• Risk assessment
Assess control implementation for presence and effectiveness:
• Policy controls
• Process controls
• Technical controls
Remediate control gaps:
• Identify and prioritize gaps
• Define and publish policies
• Develop processes
• Deploy security technology solutions
• Train employees
Maintain controls and framework:
• Operate and monitor technical controls
• Maintain subscriptions
• Periodic assessments
• Evolve solutions as needed

Step One: Define Common Control Framework
• Inventory IT assets
• Identify threats, vulnerabilities, and associated controls
  Best practices: ISO 27002
  Compliance: PCI, SOX, HIPAA, GLBA, etc.
  Business, legal, contractual
• Assess risk
• Consolidate into a Common Control Framework (CCF)
  Map common controls from each source
  Eliminate duplication of overlapping controls

Control Objectives Covered by ISO 27002
• Security policy
• Asset management
• Information classification
• Identity management
• Access control
• Network security management
• Vulnerability management
• Email security
• Data loss prevention
• Security event and incident management
• Security for software development, deployment and maintenance
• Physical security
• HR security
• Business continuity management
• Compliance

Mapping Multiple Control Sources into a Common Control Framework (CCF)
(Built up over four slides; consolidated here.)
Best-practice frameworks:
• COBiT: controls for IT governance
• ISO 27002: a subset of IT controls, focused on security, mapped to COBiT controls
• ITIL: a subset of IT controls, focused on process, mapped to ISO 27002
Compliance standards:
• HIPAA, SOX, PCI and others (this is just a sample)
• Many overlapping controls, de-duplicated
Controls required by specific business needs:
• Business, legal, contractual
Result: a customized CCF combining security best practices (COBiT, ISO 27002, ITIL), the applicable compliance standards (HIPAA, PCI, SOX) and business requirements (business, legal, contractual).
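The crosswalk and de-duplication described in Step One, together with the presence/effectiveness assessment and risk-ranked gap list of the steps that follow, as an added Python example. This is not code from the deck and not a Cisco tool; the source requirement identifiers, the crosswalk, the hypothetical CCF-* control identifiers, the 1-5 likelihood and impact scores and the assessment results are all constructed for illustration and are not an authoritative mapping of ISO 27002, PCI DSS or HIPAA.

```python
"""Common Control Framework (CCF) builder and gap assessment.

Added example, not from the Cisco deck. Identifiers, crosswalk, risk scores
and assessment results are constructed for illustration only.
"""
from dataclasses import dataclass, field

# --- Step One: control sources -----------------------------------------------
# (source, requirement id, summary). Constructed sample data.
SOURCE_REQUIREMENTS = [
    ("ISO27002", "11.2.2", "Privilege management"),
    ("PCI", "7.1", "Limit access to need-to-know"),
    ("HIPAA", "164.312(a)(1)", "Access control"),
    ("ISO27002", "12.6.1", "Control of technical vulnerabilities"),
    ("PCI", "6.1", "Identify and rank vulnerabilities"),
    ("PCI", "10.6", "Review logs and security events"),
    ("HIPAA", "164.312(b)", "Audit controls"),
    ("Contract", "MSA-7", "Quarterly log-review attestation for a customer"),
    ("HIPAA", "164.308(a)(5)", "Security awareness and training"),  # no crosswalk entry yet
]

# Crosswalk: each source requirement maps to exactly one common control.
# The CCF-* identifiers are hypothetical.
CROSSWALK = {
    ("ISO27002", "11.2.2"): "CCF-AC-01",
    ("PCI", "7.1"): "CCF-AC-01",
    ("HIPAA", "164.312(a)(1)"): "CCF-AC-01",
    ("ISO27002", "12.6.1"): "CCF-VM-01",
    ("PCI", "6.1"): "CCF-VM-01",
    ("PCI", "10.6"): "CCF-LM-01",
    ("HIPAA", "164.312(b)"): "CCF-LM-01",
    ("Contract", "MSA-7"): "CCF-LM-01",
}

COMMON_CONTROL_TEXT = {
    "CCF-AC-01": "Access is granted on need-to-know; privileged access is approved, reviewed and revoked",
    "CCF-VM-01": "Vulnerabilities are identified, risk-ranked and remediated on a defined schedule",
    "CCF-LM-01": "Security logs are collected, reviewed on a defined cadence and retained",
}


@dataclass
class CommonControl:
    control_id: str
    text: str
    # Every source requirement this single control satisfies.
    obligations: set = field(default_factory=set)


def build_ccf(requirements, crosswalk, control_text):
    """Map each source requirement onto its common control so overlapping
    requirements collapse into one control. Returns (ccf, unmapped): the
    unmapped list holds requirements the crosswalk does not cover, which are
    framework gaps to resolve before the CCF can be called complete."""
    ccf = {cid: CommonControl(cid, text) for cid, text in control_text.items()}
    unmapped = []
    for source, req_id, _summary in requirements:
        cid = crosswalk.get((source, req_id))
        if cid is None or cid not in ccf:
            unmapped.append((source, req_id))
            continue
        ccf[cid].obligations.add((source, req_id))
    return ccf, unmapped


# --- Steps Two and Three: assess, then prioritize gaps by risk ---------------
def gap_analysis(ccf, assessment, likelihood, impact):
    """A control is a gap if it is absent, or present but ineffective.
    Gaps are ranked by likelihood * impact (constructed 1-5 scales) and carry
    every obligation that fails with them, so one remediation can be justified
    against all the standards it satisfies at once."""
    gaps = []
    for cid, control in ccf.items():
        result = assessment.get(cid, {"present": False, "effective": False})
        if result["present"] and result["effective"]:
            continue
        status = "missing" if not result["present"] else "ineffective"
        gaps.append({
            "control": cid,
            "status": status,
            "risk": likelihood[cid] * impact[cid],
            "obligations": sorted(control.obligations),
        })
    return sorted(gaps, key=lambda g: g["risk"], reverse=True)


# Constructed assessment: access control is in place and working, vulnerability
# management exists but findings are not remediated, log review does not exist.
ASSESSMENT = {
    "CCF-AC-01": {"present": True, "effective": True},
    "CCF-VM-01": {"present": True, "effective": False},
    "CCF-LM-01": {"present": False, "effective": False},
}
LIKELIHOOD = {"CCF-AC-01": 2, "CCF-VM-01": 4, "CCF-LM-01": 3}
IMPACT = {"CCF-AC-01": 5, "CCF-VM-01": 4, "CCF-LM-01": 5}


def run():
    """Build the CCF from the sample sources and assess it; returns
    (ccf, unmapped requirements, gaps ordered highest risk first)."""
    ccf, unmapped = build_ccf(SOURCE_REQUIREMENTS, CROSSWALK, COMMON_CONTROL_TEXT)
    return ccf, unmapped, gap_analysis(ccf, ASSESSMENT, LIKELIHOOD, IMPACT)


if __name__ == "__main__":
    ccf, unmapped, gaps = run()
    print(f"{len(SOURCE_REQUIREMENTS)} source requirements -> {len(ccf)} common controls")
    for g in gaps:
        print(f"{g['control']} {g['status']} risk={g['risk']} breaks {len(g['obligations'])} obligations")
    for source, req_id in unmapped:
        print(f"framework gap: {source} {req_id} has no common control")
```

Three things the sample data is built to show: nine source requirements collapse to three common controls; the missing log-review control is reported against all three obligations it breaks (PCI, HIPAA and a contractual term) rather than once per standard; and a requirement with no crosswalk entry is surfaced as a framework gap instead of being silently dropped, which is the "update CCF and controls" work of Step Four.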
Step Two: Assess Control Implementation
Three types of controls must be assessed for presence and effectiveness:
• Policy controls: high-level to detailed security policies
• Technical controls: assessed against security architecture best practices, and validated with active testing
• Process and employee readiness controls: are the processes well designed? Are the processes followed?

Step Three: Remediate Control Gaps
Control gaps should be prioritized for remediation based on business risk.
• Policy controls: develop new, or enhance existing, security policies
• Technical controls: deploy new security technology solutions; identify controls eligible for outsourcing; identify needed subscriptions for security intelligence and signatures
• Process and employee readiness controls: develop processes; train employees; design an ongoing awareness program

Step Four: Maintain Controls
Governance of the program is accomplished through maintaining the controls and the framework itself.
• Ongoing maintenance of technical controls
  Operate: ongoing monitoring and management
  Optimize: tune and evolve security solutions as needed
• Periodic assessments of all controls
  For changes in control needs: threats, compliance, business
  For control effectiveness: policy, technical, process
• Evolve controls and the CCF as needed
  Prioritize gaps
  Update the CCF and controls

How Can Cisco Help with IT GRC?
• Define: IT GRC information security services
• Assess: security control assessment services (security policy assessment, network security architecture assessment, security posture assessment, security process assessment)
• Remediate: security control development and deployment services; security intelligence content subscriptions; Cisco Self-Defending Network solutions
• Maintain: security remote management services; security optimization service; security control assessment and remediation services
* Services available from Cisco and Cisco certified partners