Agenda • • • • • • What is Compliance? Risk and Compliance Management What is a Framework? ISO 27001/27002 Overview Audit and Remediate Improve and Automate What was Compliance? What is Compliance? • Compliance should be a program based on defined requirements • Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues • The program is embodied by a framework • Compliance is more about policy, process and risk management than it is about technology Risk & Compliance Mgmt Regulations Control Framework Partners/ Customers Policy and Risk Awareness Assessment Automate Process Improve Treat Controls Risks Assessments Audits Risk and Compliance Approaches Minimal • Annual / Project-based Approach • Minimal Repeatability • Only Use Technologies Where Explicitly Prescribed in Standards and Regulations • Minimal Automation Sustainable Optimized • Proactive / Planned • Regulatory Approach Requirements are • Learning Year over Year Mapped to Standards • A Framework is in • Use Technologies to Place Reduce Human Factor • Compliance and • Leverage Controls Enterprise Risk Automation Whenever Management are Possible Aligned • Process is Automated Identify Drivers Regulations Partners/ Customers Risk Assessment Identify Drivers Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place. Managing compliance is fundamentally about managing risk. Identify Drivers • Risk Assessment – Identify unique risks and controls requirements • Partners / Customers – Partners represent potential contractual risk – Customer present privacy concerns • Regulations – regulatory risk is considered as part of overall risk Develop Program Regulations Control Framework Partners/ Customers Policy and Risk Awareness Assessment What is a Control? Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. *Source: ITGI, COBIT 4.1 What is a Framework? A framework is a set of controls and/or guidance organized in categories, focused on a particular topic. A framework is a structure upon which to build strategy, reach objectives and monitor performance. Why use a framework? • • • • Enable effective governance Align with business goals Standardize process and approach Enable structured audit and/or assessment • Control cost • Comply with external requirements Frameworks and Control Sets • • • • • • ISO 27001/27002 COBIT ITIL NIST Industry-specific – i.e. PCI Custom ISO 27001/27002 • Information Security Framework • Requirements and guidelines for development of an ISMS (Information Security Management System) • Risk Management a key component of ISMS • Part of ISO 27000 Series of security standards A Brief History of ISO 27001 BS 7799-1 Code of Practice BS 7799-2 Specification Revised in 2002 Adopted as international standard in 2005 A Brief History of ISO 27002 BS 7799-1 Code of Practice Adopted as international standard as ISO 17799 in 2000 Revised in 2005 Renumbered to 27002 in 2007 BS 7799-2 Specification Revised in 2002 Information Technology Code of Practice for Information Security Management ISO 27001 and 27002 ISO 27001 •Requirements •Auditable •Certification Shared Control Objectives ISO 27002 •Best Practices •More depth in controls guidance ISO 27001 – Mgmt Framework • Information Security Management Systems – Requirements (ISMS) – Process approach • Understand organization’s information security requirements and the need to establish policy • Implement and operate controls to manage risk, in context of business risk • Monitor and review • Continuous improvement ISO 27001 Plan Establish ISMS Act Implement and Operate ISMS Maintain and Improve ISMS Monitor and Review ISMS Check Do ISO 27002 – Controls Framework ISO 27002 Security Control Domains Risk Assessment and Treatment Security Policy Organizing Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance Building a Framework Risk Assessment & Treatment Security Policy Compliance Business Continuity Management Organizing Information Security Protected Information Information Security Incident Management Asset Management IS Acquisition, Development and Maintenance Human Resources Security Physical and Environmental Security Access Control Communications and Operations Management ISO 27002: Code of Practice for Information Security Management Practical Uses for Certification Regulatory Compliance Internal Compliance Third Party Compliance “Best Practice” approach to handling sensitive data and overall security program Implement security as an integrated part of the business and as a process Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach. ISO 27000 Series of Standards • • • • • • • • ISO/IEC 27000:2009 - Overview and vocabulary ISO/IEC 27001:2005 - Requirements ISO/IEC 27002:2005 - Code of Practice ISO/IEC 27003 - ISMS Implementation Guidance* ISO/IEC 27004 - Measurement* ISO/IEC 27005:2008 - Risk Management ISO/IEC 27006:2007 - Auditor Requirements ISO/IEC 27007 - ISMS Audit Guidelines* *In Development Frameworks Comparison Framework COBIT ISO 27001/27002 ITIL NIST 800-53 Strengths Focus Strong mappings Support of ISACA Availability IT Governance Audit Global Acceptance Certification Information Security Management System IT Service Management Certification Detailed, granular Tiered controls Free IT Service Management Information Systems FISMA Controls Mapping Framework of Controls PCI PCI Data Security Standard 1. Install and maintain a firewall configuration to protect data Corporate Policy 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data SOX GLBA 4. Encrypt transmission of cardholder data and sensitive information across public networks PCI 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need to know 8. Assign a unique ID to each person with computer access… Controls Mapping Framework of Controls PCI GLBA SOX Policy Corporate Policy SOX GLBA Controls Mapping Framework of Controls PCI GLBA SOX Policy Benefits: Alignment of corporate policy Custom interpretation of regulations Single assessment effort provides complete view Logging and Monitoring PCI – Requirement 10 ISO 17799 – Section 10.10 Audit and Remediate Regulations Control Framework Partners/ Customers Policy and Risk Awareness Assessment Assessments Audits Treat Risks Organization Example IT Service Desk Information Security ITIL Software Delivery ISO 27001/27002 Internal Audit CMMi COBIT Controls Alignment How aligned are your controls? Assessment Internal Audit External Audit (Information Security, IT Risk Management) (IT/Financial Audit) (Regulatory and Non-Regulatory) Remediation Priorities • Where are our greatest risks? • What controls are we fulfilling? • How many compliance requirements are we solving? Improve and Automate Regulations Control Framework Partners/ Customers Policy and Risk Awareness Assessment Automate Process Improve Treat Controls Risks Assessments Audits Controls Hierarchy Manual Require human intervention Automated Vs. Rely on computers to reduce human intervention Detective Preventive Designed to search for and identify errors after they have occurred Designed to discourage or preempt errors or irregularities from occurring Vs. Automated and Preventive Logging and Monitoring Not Efficient Efficient Reviewing logs for incidents An automated method of detecting incidents Not Effective Effective Missing the incident due to human error Preventing the incident from occurring in the first place Automate the Process • How do you currently measure compliance? • Reduce documents, spreadsheets and other forms of manual measurement • Create dashboard approach • Governance, Risk and Compliance toolsets GRC Automation Enterprise Multi-Function Single Function •Enterprise Scope •Highly Configurable •Multiple Functions (Risk, Compliance, Policy) •Sophisticated Workflow •Functionality More Limited •More “out of the box” •Modest Workflow •Specific Process •Specific Standard or Regulation •Simple Workflow Questions? Evan Tegethoff Director, Risk and Compliance Management etegethoff@accuvant.com