Proactive Compliance Through Information Systems Risk Management (166345700)

22 slides. Retrieved 7/29/2019 from http://slidepdf.com/reader/full/proactive-compliance-through-information-systems-risk-management-166345700

Michele Dickinson & Jon Hanny | January 12, 2010

Transcript of Proactive Compliance Through Information Systems Risk Management (166345700)

Page 1: Proactive Compliance Through Information Systems Risk Management (166345700)

Proactive Compliance through Information Systems Risk Management

Michele Dickinson & Jon Hanny | January 12, 2010

Page 2: Proactive Compliance Through Information Systems Risk Management (166345700)

PRESENTERS:

Michele L. Dickinson, Information Security Officer (CISA, MSIS), Widener University

Jonathan Hanny, Application Security Specialist (CISSP, GSLC, CRISC), The George Washington University

Page 3: Proactive Compliance Through Information Systems Risk Management (166345700)

Definitions

Compliance: the process of ensuring adherence to security policies*. These policies can be internal, legislative or regulatory.

Information Systems Risk Management: the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.

Page 4: Proactive Compliance Through Information Systems Risk Management (166345700)

Objectives

What is Information Systems Risk Management?

Why is ISRM needed?

How can ISRM impact compliance requirements?

How can ISRM impact proactive security?

Where does ISRM fit?

How do I implement ISRM?

Page 5: Proactive Compliance Through Information Systems Risk Management (166345700)

What is Information Systems Risk Management?

Page 6: Proactive Compliance Through Information Systems Risk Management (166345700)

ISRM Overview

Risk Management Framework: the security life cycle as drawn in NIST SP 800-53 rev2. Each step is listed with the NIST publication that governs it.

Starting point:

1. Categorize Information System: FIPS 199 / SP 800-60
2. Select Security Controls: FIPS 200 / SP 800-53
3. Supplement Security Controls: SP 800-53 / SP 800-30
4. Document Security Controls: SP 800-18
5. Implement Security Controls: SP 800-70
6. Assess Security Controls: SP 800-53A
7. Authorize Information System: SP 800-37
8. Monitor Security Controls: SP 800-37 / SP 800-53A

Monitoring feeds back into categorization, so the framework is a cycle rather than a one-time project.
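The first two RMF steps above are mechanical enough to show in code. The following is an added Python example written for this page, not code from the presenters or from NIST: it applies the FIPS 199 high-water mark to the information types a system processes to produce the system's security category, then maps the overall impact level to the FIPS 200 / SP 800-53 control baseline. The university system, its three information types and their impact values are constructed for illustration and are not taken from SP 800-60 Volume II.

```python
"""FIPS 199 security categorization with the high-water mark, followed by the
FIPS 200 / SP 800-53 baseline selection that the category implies (RMF steps 1 and 2)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high-water mark."""
    NA = 0        # "not applicable": valid only for the confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type (SP 800-60 style) with its provisional impact per objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 permits N/A only for confidentiality; integrity and availability always apply.
        if self.integrity is Impact.NA or self.availability is Impact.NA:
            raise ValueError(f"{self.name}: N/A is not a valid integrity or availability impact")


def categorize_system(types: Iterable[InfoType]) -> Dict[str, Impact]:
    """Security category of a system: per objective, the highest impact of any information
    type it processes (the high-water mark). A system may not carry N/A for any objective,
    so each objective is floored at LOW."""
    types = list(types)
    if not types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(max(getattr(t, obj) for t in types), Impact.LOW) for obj in OBJECTIVES}


def system_impact_level(category: Dict[str, Impact]) -> Impact:
    """Overall impact level: the high-water mark across the three objectives."""
    return max(category.values())


def select_baseline(level: Impact) -> str:
    """FIPS 200 maps the overall impact level to one SP 800-53 control baseline."""
    return {Impact.LOW: "SP 800-53 LOW baseline",
            Impact.MODERATE: "SP 800-53 MODERATE baseline",
            Impact.HIGH: "SP 800-53 HIGH baseline"}[level]


def format_category(system_name: str, category: Dict[str, Impact]) -> str:
    """Render in FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


def categorize_and_select(system_name: str, types: Iterable[InfoType]) -> Tuple[Dict[str, Impact], Impact, str]:
    """Run steps 1 and 2 together: category, overall level, and the baseline to start from."""
    category = categorize_system(types)
    level = system_impact_level(category)
    return category, level, select_baseline(level)


# Constructed sample: a hypothetical university system serving three information types.
# The impact values are illustrative, not the provisional values from SP 800-60 Volume II.
STUDENT_SYSTEM: List[InfoType] = [
    InfoType("Public course catalog", Impact.NA, Impact.LOW, Impact.LOW),
    InfoType("Financial aid records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("Grade records", Impact.MODERATE, Impact.HIGH, Impact.LOW),
]


if __name__ == "__main__":
    category, level, baseline = categorize_and_select("student information system", STUDENT_SYSTEM)
    print(format_category("student information system", category))
    print(f"overall impact level: {level.name} -> {baseline}")
    # A system that holds only public information still gets the LOW floor, never N/A.
    print(format_category("public web site", categorize_system([STUDENT_SYSTEM[0]])))
```

Two things the example makes visible that the diagram does not: a single HIGH for one objective of one information type (here the integrity of grade records) drives the whole system to the HIGH baseline, which is why categorization is the starting point and why system boundaries are often drawn to keep high-impact data out of otherwise moderate systems; and "not applicable" never survives to the system level, so even a purely public web presence starts from the LOW baseline.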

Page 7: Proactive Compliance Through Information Systems Risk Management (166345700)

Considerations

Consider your organization's needs

Consider regulatory requirements

Consider existing best practices

Consider your staffing and budget

Consider your geographic location

Page 8: Proactive Compliance Through Information Systems Risk Management (166345700)

Why is ISRM necessary?

Page 9: Proactive Compliance Through Information Systems Risk Management (166345700)

ISRM IS NEEDED

To meet regulatory compliance requirements

To support the risk appetite of the organization

To prevent the loss of PII

To prevent a security incident and loss of “consumer confidence”

To prevent negative press

Page 10: Proactive Compliance Through Information Systems Risk Management (166345700)

How can ISRM impact compliance requirements?

Page 11: Proactive Compliance Through Information Systems Risk Management (166345700)

ISRM & Compliance

Security policies drive implementation, based on legislative or regulatory requirements

Definition of Critical data

Evaluation of current business processes

Continuous monitoring and risk assessments

Page 12: Proactive Compliance Through Information Systems Risk Management (166345700)

Compliance Intersections

Policy areas:

Access Controls

Confidential data defined

Physical security over confidential data

Network segmentation

Security over 3rd parties

Data Classification

Training

Incident Response

Requirements that intersect these policy areas:

•HIPAA

•GLBA

•Identity Theft

•PCI-DSS

•Mass. Identity Theft

Page 13: Proactive Compliance Through Information Systems Risk Management (166345700)

How can ISRM impact Proactive Security?

Page 14: Proactive Compliance Through Information Systems Risk Management (166345700)

Security Approaches

Page 15: Proactive Compliance Through Information Systems Risk Management (166345700)

Risk Management Framework

Characteristics:

Near real-time risk management through the implementation of robust continuous monitoring processes

Provides emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems

Establishes responsibility and accountability for security controls

Page 16: Proactive Compliance Through Information Systems Risk Management (166345700)

Starting Points

Identify governance: a security committee with executive oversight

Perform a risk assessment

Establish a proactive security model for visibility and continuous assessment

Page 17: Proactive Compliance Through Information Systems Risk Management (166345700)

Where does ISRM fit?

Page 18: Proactive Compliance Through Information Systems Risk Management (166345700)

Integrate into SDLC

Page 19: Proactive Compliance Through Information Systems Risk Management (166345700)

How do I implement ISRM?

Page 20: Proactive Compliance Through Information Systems Risk Management (166345700)

How to implement ISRM

Executive buy-in is a “must have”

Identify stakeholders & an ISRM committee

Categorize information

Clearly define policies, processes, & procedures to support the organization

Promote ISRM as a valuable service to the entire organization

Page 21: Proactive Compliance Through Information Systems Risk Management (166345700)

What did you think?

Your input is important to us! Click on “Evaluate This Session” on the Mid-Atlantic Regional program page.

Thank you!

Presenter Contact Information:

M. L. Dickinson, Information Security Officer, Widener University
[email protected]
(610) 499-1044

Jonathan Hanny, Application Security Specialist, The George Washington University
[email protected]
(703) 726-4469

Page 22: Proactive Compliance Through Information Systems Risk Management (166345700)

THANK YOU