Holistic Approach to Information Security
Greg Carter, Cisco Security Services Product Manager
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Examining the Threat Landscape
[Figure: chart of reported data breaches and the risk they represent; source: www.privacyrights.org]
The Twin Information Security Challenges
How to Manage Both with Limited Resources?
• Information security threats
  Rapidly evolving threats
  Many distinct point solutions
  How best to protect the confidentiality, integrity, and availability of IT
• Information security compliance obligations
  Many separate but overlapping standards
  Regulatory: SOX, HIPAA, GLBA, state and local
  Industry: PCI, HITRUST
  Customer: SAS70, ISO 27001
How Have These Information Security Challenges Evolved?

Era              | Scope                                  | Enterprise Focus         | Enterprise Response
1990s            | IT Security                            | What happened?           | Security products
2000s            | IT Compliance + IT Security            | Is there an audit trail? | Siloed compliance and security programs
Today and future | IT Risk (IT Compliance + IT Security)  | How to manage risk?      | Integrated compliance and security programs
Organizations Continue to Struggle:
Addressing Information Security Threats and Compliance
• How to prioritize limited resources
• How to be most effective
• How to reduce the cost
Most organizations have addressed these challenges with siloed efforts, resulting in:
High costs, fragmented teams, redundancies, and unknown risks
Solution: Address Information Security Challenges Through One Program
IT Governance, Risk Management, and Compliance (IT GRC)
• Risk Management: how to determine the likelihood and impact of business threats, and how to use a systematic approach, based on the organization's risk tolerance, to prioritize resources to deal with those threats
• Governance: how we set policies to achieve our strategic objectives and address risk, and how we set up the organizational structures and processes to see that the policies are executed successfully
• Compliance: how we establish the controls needed to meet our governance objectives, and how we validate the effectiveness of those controls
• Common Control Framework: a unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously
What Does It Mean to Address Information Security Through IT GRC?
[Figure: IT GRC lifecycle]
Inputs:
  External authority documents: regulations, industry standards, contractual requirements, international standards and control models
  Company vision and strategy; business drivers
  Threats, vulnerabilities, asset inventory
A risk assessment of these inputs feeds the Common Control Framework, which is then run through a cycle of Implement, Operate, Monitor, Update.
Outcomes: security, compliance, business value
Value of the IT GRC Approach
• IT GRC delivers business value; for companies with the most mature IT GRC programs (source: IT Policy Compliance Group, 2008):
  Revenue: 17% higher
  Profit: 14% higher
  Customer retention: 18% higher
  Losses from loss of customer data: 96% lower
  Business disruptions from IT: 50x less likely
  Audit costs: 50% lower
• Maximize the reduction in IT security risk with the available resources
  Risk-based, business-focused decisions and resource prioritization
  Raise visibility of the comprehensive security posture
  Use internationally recognized best practices
• Reduce the cost of compliance
  One set of controls to implement and manage
  One program to govern
  Many compliance standards addressed
Where Do I Start with IT GRC?
Four phases: Define, Assess, Remediate, Maintain

Define the Common Control Framework:
• Identify compliance obligations
• Understand business requirements
• Asset inventory
• Evaluate threats and vulnerabilities
• Risk assessment
• Define and publish policies

Assess control implementation for presence and effectiveness:
• Policy controls
• Process controls
• Technical controls
• Identify and prioritize gaps

Remediate control gaps:
• Develop processes
• Deploy security technology solutions
• Train employees

Maintain controls and framework:
• Operate and monitor technical controls
• Maintain subscriptions
• Periodic assessments
• Evolve solutions as needed
Step One: Define the Common Control Framework
• Inventory IT assets
• Identify threats, vulnerabilities, and associated controls
  Best practices: ISO 27002
  Compliance: PCI, SOX, HIPAA, GLBA, etc.
  Business, legal, contractual
• Assess risk
• Consolidate into a Common Control Framework (CCF)
  Map common controls from each source
  Eliminate duplication of overlapping controls
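The mapping and de-duplication in the last two bullets is mechanical enough to be worth showing as code. The following is an added example, not Cisco's tooling or any product described on these slides: it groups requirements from several sources that are satisfied by one and the same control (union-find over declared equivalences), uses the best-practice framework as the backbone for the canonical control, and keeps the strictest numeric parameter when merging so that de-duplication never weakens an obligation. Every control identifier, requirement text, cross-mapping and parameter in it is constructed for illustration and is not a verified cross-reference between the real standards.

```python
"""Consolidate controls from several sources into a Common Control Framework.

Added example, not Cisco's own tooling. Every control identifier, requirement
text, cross-mapping and parameter below is constructed for illustration and
is not a verified cross-reference between the real standards.
"""
from collections import defaultdict

# Source requirements keyed by (source, control id). "params" holds numeric
# minimums (for example retention days) so merging can keep the strictest value.
SOURCE_CONTROLS = {
    ("ISO27002", "A.9.2.1"): {"text": "User registration and de-registration", "params": {}},
    ("ISO27002", "A.9.4.3"): {"text": "Password management system", "params": {}},
    ("ISO27002", "A.12.4.1"): {"text": "Event logging", "params": {}},
    ("PCI", "1.1"): {"text": "Firewall configuration standards", "params": {}},
    ("PCI", "8.1"): {"text": "Unique ID for each user", "params": {}},
    ("PCI", "8.2"): {"text": "Strong authentication for all users", "params": {}},
    ("PCI", "10.2"): {"text": "Automated audit trails", "params": {"log_retention_days": 90}},
    ("HIPAA", "164.312(a)(2)(i)"): {"text": "Unique user identification", "params": {}},
    ("HIPAA", "164.312(b)"): {"text": "Audit controls", "params": {}},
    ("SOX", "ITGC-ACC-01"): {"text": "Logical access provisioning and removal", "params": {}},
    ("CONTRACT", "MSA-7.3"): {"text": "Customer data access logs kept 12 months",
                              "params": {"log_retention_days": 365}},
}

# Constructed equivalences: each pair is satisfied by one and the same control.
EQUIVALENT = [
    (("ISO27002", "A.9.2.1"), ("PCI", "8.1")),
    (("PCI", "8.1"), ("HIPAA", "164.312(a)(2)(i)")),
    (("ISO27002", "A.9.2.1"), ("SOX", "ITGC-ACC-01")),
    (("ISO27002", "A.9.4.3"), ("PCI", "8.2")),
    (("ISO27002", "A.12.4.1"), ("PCI", "10.2")),
    (("PCI", "10.2"), ("HIPAA", "164.312(b)")),
    (("ISO27002", "A.12.4.1"), ("CONTRACT", "MSA-7.3")),
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def build_ccf(controls, equivalences, backbone="ISO27002"):
    """Group equivalent requirements into one common control each.

    The backbone framework (ISO 27002 on the slides) supplies the canonical
    title; numeric params take the strictest (largest) value across members so
    that de-duplication never weakens a requirement.
    """
    parent = {key: key for key in controls}
    for a, b in equivalences:
        for key in (a, b):
            if key not in parent:
                raise KeyError(f"mapping references unknown control {key}")
        root_a, root_b = _find(parent, a), _find(parent, b)
        if root_a != root_b:
            parent[root_a] = root_b
    groups = defaultdict(list)
    for key in controls:  # insertion order keeps the output stable
        groups[_find(parent, key)].append(key)
    ccf = []
    for members in groups.values():
        canonical = next((m for m in members if m[0] == backbone), members[0])
        params = {}
        for member in members:
            for name, value in controls[member]["params"].items():
                params[name] = max(params.get(name, value), value)
        ccf.append({"id": f"CCF-{len(ccf) + 1:03d}",
                    "title": controls[canonical]["text"],
                    "satisfies": sorted(members),
                    "params": params})
    return ccf


def coverage(ccf):
    """Map each source to the set of common-control ids that satisfy it."""
    result = defaultdict(set)
    for control in ccf:
        for source, _ in control["satisfies"]:
            result[source].add(control["id"])
    return dict(result)


def unmapped(ccf):
    """Requirements that map to nothing else: genuinely unique, or a mapping still missing."""
    return [c["satisfies"][0] for c in ccf if len(c["satisfies"]) == 1]


if __name__ == "__main__":
    framework = build_ccf(SOURCE_CONTROLS, EQUIVALENT)
    print(f"{len(SOURCE_CONTROLS)} source requirements -> {len(framework)} common controls")
    for control in framework:
        print(control["id"], control["title"], control["params"], control["satisfies"])
    print("coverage:", coverage(framework))
    print("review these unmapped requirements:", unmapped(framework))
```

On the constructed input, eleven source requirements collapse to four common controls, and the logging control carries the contractual 365-day retention rather than the weaker 90-day value it was merged with. The unmapped list is the review queue: a requirement that stands alone is either truly unique to one source or a cross-mapping nobody has written yet, and the framework is only as complete as those mappings.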
Control Objectives Covered by ISO 27002
• Security policy
• Asset management
• Information classification
• Data loss prevention
• Identity management
• Access control
• Physical security
• HR security
• Network security management
• Vulnerability management
• Email security
• Security event and incident management
• Security for software development, deployment and maintenance
• Business continuity management
• Compliance
Mapping Multiple Control Sources into a Common Control Framework (CCF)
[Figure: overlapping sets of controls from each source, built up over four slides]
Best practice frameworks:
• COBiT: controls for IT governance
• ISO 27002: subset of IT controls, focused on security, mapped to COBiT controls
• ITIL: subset of IT controls, focused on process, mapped to ISO
Compliance standards:
• HIPAA, SOX, PCI, and others (this is just a sample)
• Many overlapping controls, de-duplicated
Business, legal, contractual:
• Controls required by specific business needs
Result: a customized CCF combining
• Security best practices
• Applicable compliance standards
• Business requirements
Step Two: Assess Control Implementation
Three Types of Controls Must Be Assessed for Presence and Effectiveness
• Policy controls
  High-level to detailed security policies
• Technical controls
  Assessed against security architecture best practices
  Validated with active testing
• Process and employee readiness controls
  Are the processes well designed?
  Are the processes followed?
Step Three: Remediate Control Gaps
Control Gaps Should Be Prioritized for Remediation Based on Business Risk
• Policy controls
  Development of new, or enhancement of existing, security policies
• Technical controls
  Deploy new security technology solutions
  Identify controls eligible for outsourcing
  Identify needed subscriptions for security intelligence and signatures
• Process and employee readiness controls
  Develop processes
  Train employees
  Design an ongoing awareness program
Step Four: Maintain Controls
Governance of the Program Is Accomplished Through Maintaining the Controls and the Framework Itself
• Ongoing maintenance of technical controls
  Operate: ongoing monitoring and management
  Optimize: tune and evolve security solutions as needed
• Periodic assessments of all controls
  For changes in control needs: threats, compliance, business
  For control effectiveness: policy, technical, process
• Evolve controls and the CCF as needed
  Prioritize gaps
  Update the CCF and controls
How Can Cisco Help with IT GRC?*
Define:
• IT GRC Information Security Services
Assess (Security Control Assessment Services):
• Security Policy Assessment
• Network Security Architecture Assessment
• Security Posture Assessment
• Security Process Assessment
Remediate:
• Security control development and deployment services
• Security intelligence content subscriptions
• Cisco Self-Defending Network solutions
Maintain:
• Security remote management services
• Security optimization service
• Security control assessment and remediation services
*Services available from Cisco and Cisco certified partners