Compliance does not equal security
Transcript of Compliance does not equal security
© 2015 Recall Corporation. Proprietary & Confidential
Compliance does not equal security.
Paige Needling, Director, Global Information Security
IT security umbrella
♦ Compliance for IT
♦ Data privacy protection
♦ Privacy risk assessment
♦ Vulnerability assessment and management
♦ Governance oversight
♦ IT security training and awareness
♦ Application security
♦ Cost/Benefits analysis
♦ Policies and standards
♦ Business continuity management
♦ Incident response management
IT compliance/certifications
♦ ISO 27001: 2013
♦ ISO 20000: 2011
♦ Payment Card Industry Data Security Standard (PCI DSS v3.0)
♦ SOC2 Type 1, SOC2 Type2
♦ Cloud Security Alliance Security Trust & Assurance Registry (CSA STAR)
♦ HIPAA
♦ ITIL
♦ NIST
♦ NAID
Common misconceptions
Security and compliance are NOT the same
♦ Meeting compliance requirements results in minimal baseline protection – the IT equivalent of earning a grade of “C”
♦ Focusing on compliance first is like putting the cart before the horse – compliance should be a byproduct of a solid security program, not the source of it
[Figure: Compliance vs. Security]
Source: Security and Compliance by Kurt Hagerman, 4/29/14
Compliance challenges
♦ Global, multigenerational, multicultural workforce (C)
♦ Complexity of GRC regulatory environment (M)
♦ Increased reliance on third parties (C)
♦ Breaking down compliance silos (C)
♦ Security/Compliance budget (M)
♦ Achieving and maintaining compliance (M) ─ Document, measure, repeat, control
Sources: www.complianceweek.com (Managing Compliance for the Evolving Workforce, May 2015); Microsoft IT Compliance Management Guide; Wikipedia
If you have a metal chain on your gate, but it is held together with a ribbon…
…what good does it do?
Create a security-centric yet compliant culture
1. Streamline processes ─ A secure and compliant culture should not be complicated; too many steps lead to confusion
2. Conduct training ─ Help people understand the risks by providing relevant and current Security Awareness Training
3. Gain compliance ─ The law; is the law; is the law
4. Strengthen knowledge ─ Partner with your company’s business units to ensure buy-in and understanding of the security/compliance initiatives
5. Instill culture ─ Not everyone will agree with the security or compliance posture of the company… Try to understand their position
6. Embrace change ─ “Change is inevitable, but misery is optional”
7. Build partnerships ─ Partner with Compliance to gain funding for Security initiatives and remediation of gaps
Be mission-centric
It is not enough to simply ask…
Have the proper technologies been implemented to protect the company and our customers?
The questions you should ask first are…
1. Have we identified the largest vulnerabilities within the organization?
2. How do we prioritize risk mitigation efforts?
3. Who is the enemy?
4. Is our Incident Response sufficient to handle a breach?
5. Are proper processes and strategies implemented to withstand a breach?
6. Is our compliance program effective?
Mission-centric
Protecting the perimeter is no longer enough
♦ Security and Compliance must have three main areas of focus:
1. Protection
2. Due Diligence ─ Having the capability to identify emerging threats and reduce detection time
3. Recovery ─ How quickly can your organization respond to a breach?
─ Does your Incident Response Policy address both natural and manmade breaches and incidents?
─ Does your company have a plan and the necessary resources/budget/culture to quickly recover when normal services are disrupted?
Noncompliance consequences
♦ Reputation degradation
♦ Loss of market share if competitors comply and your organization does not
♦ Loss of focus on the business’s strategic direction
♦ Personal and organizational fines
♦ Personal liability and even incarceration for extreme offenses
♦ Limited access to capital markets and loss of listing in the stock markets
♦ Diminished credit ratings
♦ Limited abilities to do business in specific jurisdictions
♦ Increased regulatory oversight
Compliance opportunities
♦ Improved oversight and effective governance
♦ Competitive advantage ─ New business opportunities based on first-in-show status
♦ Privacy regulation compliance ─ Builds trust and confidence with customers
♦ Improve ROI by integrating IT with the business ─ Move compliance and security to the front of the bus
♦ Increased management visibility of IT security/compliance can achieve efficiency gains and cost savings for the business
Components for an effective IT security and compliance alignment partnership
IT Security & Compliance components:
♦ Risk Management & Oversight
♦ Vendor Oversight
♦ Regulatory & Compliance Management
♦ Effective Policy Management & Reporting
♦ Effective Incident Response
♦ Vulnerability Scanning & Patching Management
♦ Audit Management
Components for an effective IT security and compliance alignment partnership
Vulnerability scanning & patching management
1. Have an active scanning schedule against network assets and verify results are in compliance with the security policy
2. Maintain constant oversight of vulnerable systems and devices
3. Deploy patches as soon as they become available based on the Change Management schedule
4. Test patches before pushing to all machines on your network
Components for an effective IT security and compliance alignment partnership
Risk management & oversight
1. Ensure risks are proactively managed as part of the overall information security program. Risk management is the catalyst to identify your assets, threats and controls, and then to mitigate and manage risk with the right controls.
2. Streamline the risk assessment process by customizing the common set of assets, threats and controls to your organization environment
3. Have an effective remediation plan that is incorporated in the workflow and ticketing process
Components for an effective IT security and compliance alignment partnership
Vendor oversight
1. Have an effective solution that allows you to identify, analyze and mitigate risk presented by third-party vendors
2. Perform annual vendor assessments on third-party vendors to ensure they are in compliance with the organization’s Vendor Policy
3. Gain the visibility to identify vendors that represent the greatest risk
Components for an effective IT security and compliance alignment partnership
Effective incident response
1. Perform annual testing of capabilities and prove your organization has the capacity to recover in the event that a cyber-breach should occur
2. Review procedures annually, perform testing and train employees on a scheduled basis
3. Track and report on the details of your information security incidents, including what was affected, incident categorization, severity of disruption, date and time of detection, declaration of disclosure and resolution
Components for an effective IT security and compliance alignment partnership
Regulatory & compliance management
1. Have compliance regulations tied to controls and guidelines
2. If possible, have critical updates applied in real-time and reflected within the risk and audit process where applicable
Components for an effective IT security and compliance alignment partnership
Effective policy management & reporting
1. Have an effective process that allows you to review, update and implement policies as needed across the enterprise
2. Have a centralized repository where materials, policies, procedures, guidelines, checklists and standards are stored and maintained
3. Map policies to your organization’s controls for tracking and proper implementation
4. Ensure proper training is conducted for policy understanding across the organization
5. Have a distribution process to deliver policies and updates to the appropriate individuals for tracking, review, testing and sign-off
6. Map your organization’s policies to your compliance regulations and security frameworks
Components for an effective IT security and compliance alignment partnership
Audit management
1. Have audits conducted and ensure the results are measured against your controls for risk scoring; have reports submitted to control owners
2. Leverage surveys that integrate data collection to asset risks
Retain & gain
♦ It is far more expensive to acquire new customers than it is to retain existing ones
♦ Partner early on with the business to gain buy-in and momentum for security and compliance projects
♦ Be VERY clear about what you have to lose if you don’t do this…
♦ Position yourself as a key player in driving the company’s strategy
♦ Show the compliance solutions and security gains early on
♦ Money, Money, Money!! - or we don’t have any!
♦ Resources, Resources, Resources!!! - or we don’t have any!
Q & A
Thank you.