Agenda
• What is Compliance?
• Risk and Compliance Management
• What is a Framework?
• ISO 27001/27002 Overview
• Audit and Remediate
• Improve and Automate
What was Compliance?
What is Compliance?
• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management than it is about technology
Risk & Compliance Mgmt
(Diagram: Risk Assessment, Partners/Customers and Regulations feed the Control Framework; the cycle continues through Policy and Awareness, Assessments, Audits, Treat Risks, Improve Controls and Automate Process.)
Risk and Compliance Approaches
Minimal:
• Annual / Project-based Approach
• Minimal Repeatability
• Only Use Technologies Where Explicitly Prescribed in Standards and Regulations
• Minimal Automation
Sustainable:
• Proactive / Planned Approach
• Learning Year over Year
• Use Technologies to Reduce Human Factor
• Leverage Controls Automation Whenever Possible
Optimized:
• Regulatory Requirements are Mapped to Standards
• A Framework is in Place
• Compliance and Enterprise Risk Management are Aligned
• Process is Automated
Identify Drivers
(Diagram: Risk Assessment, Partners/Customers and Regulations as the three drivers.)
Compliance is NOT just about regulatory compliance. Regulatory compliance is a
driver to the program, controls and framework being put in place.
Managing compliance is fundamentally about managing risk.
Identify Drivers
• Risk Assessment – Identify unique risks and controls requirements
• Partners / Customers – Partners represent potential contractual risk; customers present privacy concerns
• Regulations – Regulatory risk is considered as part of overall risk
Develop Program
(Diagram: Risk Assessment, Partners/Customers and Regulations feed the Control Framework, supported by Policy and Awareness.)
What is a Control?
Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
*Source: ITGI, COBIT 4.1
What is a Framework?
A framework is a set of controls and/or guidance organized in categories,
focused on a particular topic.
A framework is a structure upon which to build strategy, reach objectives and
monitor performance.
Why use a framework?
• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements
Frameworks and Control Sets
• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific – e.g. PCI
• Custom
ISO 27001/27002
• Information Security Framework
• Requirements and guidelines for development of an ISMS (Information Security Management System)
• Risk Management is a key component of the ISMS
• Part of the ISO 27000 Series of security standards
A Brief History of ISO 27001
(Timeline: BS 7799-1 Code of Practice; BS 7799-2 Specification, revised in 2002 and adopted as an international standard in 2005.)
A Brief History of ISO 27002
(Timeline: BS 7799-1 Code of Practice, "Information Technology: Code of Practice for Information Security Management", adopted as international standard ISO 17799 in 2000, revised in 2005 and renumbered to 27002 in 2007; BS 7799-2 Specification, revised in 2002.)
ISO 27001 and 27002
ISO 27001:
• Requirements
• Auditable
• Certification
ISO 27002:
• Best Practices
• More depth in controls guidance
Shared Control Objectives
ISO 27001 – Mgmt Framework
• Information Security Management Systems – Requirements (ISMS)
– Process approach
• Understand the organization's information security requirements and the need to establish policy
• Implement and operate controls to manage risk, in the context of business risk
• Monitor and review
• Continuous improvement
ISO 27001
(Plan-Do-Check-Act cycle: Plan – Establish ISMS; Do – Implement and Operate ISMS; Check – Monitor and Review ISMS; Act – Maintain and Improve ISMS.)
ISO 27002 – Controls Framework
ISO 27002 Security Control Domains:
• Risk Assessment and Treatment
• Security Policy
• Organizing Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Building a Framework
(Diagram: the ISO 27002 domains – Risk Assessment & Treatment, Security Policy, Organizing Information Security, Asset Management, Human Resources Security, Physical and Environmental Security, Communications and Operations Management, Access Control, IS Acquisition, Development and Maintenance, Information Security Incident Management, Business Continuity Management and Compliance – grouped as Operational, Technical and Management Controls around Protected Information.)
ISO 27002: Code of Practice for Information Security Management
Practical Uses for Certification
• Regulatory Compliance – "Best Practice" approach to handling sensitive data and overall security program
• Internal Compliance – Implement security as an integrated part of the business and as a process
• Third Party Compliance – Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.
ISO 27000 Series of Standards
• ISO/IEC 27000:2009 - Overview and vocabulary
• ISO/IEC 27001:2005 - Requirements
• ISO/IEC 27002:2005 - Code of Practice
• ISO/IEC 27003 - ISMS Implementation Guidance*
• ISO/IEC 27004 - Measurement*
• ISO/IEC 27005:2008 - Risk Management
• ISO/IEC 27006:2007 - Auditor Requirements
• ISO/IEC 27007 - ISMS Audit Guidelines*
*In Development
Frameworks Comparison
Framework | Strengths | Focus
COBIT | Strong mappings; Support of ISACA; Availability | IT Governance; Audit
ISO 27001/27002 | Global Acceptance; Certification | Information Security Management System
ITIL | IT Service Management Certification | IT Service Management
NIST 800-53 | Detailed, granular; Tiered controls; Free | Information Systems; FISMA
Controls Mapping
(Diagram: a Framework of Controls at the centre, with PCI, GLBA and SOX requirements and Corporate Policy mapped onto it.)
PCI Data Security Standard
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access
…
Controls Mapping
(Diagram: Framework of Controls; PCI, GLBA and SOX requirements mapped onto Corporate Policy.)
Controls Mapping
(Diagram: Framework of Controls; PCI, GLBA and SOX mapped onto Policy.)
Benefits:
• Alignment of corporate policy
• Custom interpretation of regulations
• Single assessment effort provides complete view
Example – Logging and Monitoring:
• PCI – Requirement 10
• ISO 17799 – Section 10.10
Audit and Remediate
(Diagram: Risk Assessment, Partners/Customers and Regulations feed the Control Framework; Policy and Awareness, Assessments, Audits and Treat Risks follow.)
Organization Example
• Internal Audit – COBIT
• IT Service Desk – ITIL
• Information Security – ISO 27001/27002
• Software Delivery – CMMi
Controls Alignment
How aligned are your controls?
(Diagram: three overlapping circles – Assessment (Information Security, IT Risk Management), Internal Audit (IT/Financial Audit) and External Audit (Regulatory and Non-Regulatory).)
Remediation Priorities
• Where are our greatest risks?
• What controls are we fulfilling?
• How many compliance requirements are we solving?
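The controls-mapping idea from the preceding slides (one framework of controls, such as ISO 17799 Section 10.10 fulfilling PCI Requirement 10, assessed once to answer the remediation questions above) as an added Python example written for this page, not code from the slides; apart from the PCI Requirement 10 and ISO 17799 10.10 pairing, every control and requirement identifier below is a constructed placeholder, and the risk ratings are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    satisfies: frozenset   # regulatory requirements mapped onto this one control
    implemented: bool
    risk: int              # 1 (low) .. 5 (high), taken from the risk assessment


# Constructed sample mapping. Only the PCI Requirement 10 <-> ISO 17799 10.10
# (Logging and Monitoring) pairing comes from the slides; every other control
# and requirement identifier here is a placeholder, not a real clause number.
CONTROLS = (
    Control("ISO-10.10", frozenset({"PCI-Req10", "SOX-MON", "GLBA-MON"}), True, 4),
    Control("CTL-ACCESS", frozenset({"PCI-Req7", "SOX-ACC", "GLBA-ACC"}), False, 5),
    Control("CTL-UID", frozenset({"PCI-Req8", "SOX-ACC"}), False, 3),
    Control("CTL-FW", frozenset({"PCI-Req1"}), True, 4),
)


def requirements_covered(controls):
    """Map every requirement in scope to the implemented controls that fulfil it."""
    covered = {}
    for c in controls:
        for req in c.satisfies:
            covered.setdefault(req, [])
            if c.implemented:
                covered[req].append(c.control_id)
    return covered


def coverage_gaps(controls):
    """Requirements that no implemented control currently fulfils."""
    return sorted(req for req, ids in requirements_covered(controls).items() if not ids)


def remediation_priority(controls):
    """Unimplemented controls, highest risk first, then most requirements solved."""
    todo = [c for c in controls if not c.implemented]
    todo.sort(key=lambda c: (-c.risk, -len(c.satisfies), c.control_id))
    return [c.control_id for c in todo]


def assessment_summary(controls):
    """One assessment of the framework, reported per driver as {driver: (met, total)}."""
    summary = {}
    for req, ids in requirements_covered(controls).items():
        driver = req.split("-", 1)[0]
        met, total = summary.get(driver, (0, 0))
        summary[driver] = (met + (1 if ids else 0), total + 1)
    return summary
```

Because each requirement is attached to a framework control rather than assessed separately, implementing the single highest-priority control closes gaps under PCI, SOX and GLBA at once.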
Improve and Automate
(Diagram: Risk Assessment, Partners/Customers and Regulations feed the Control Framework; the cycle continues through Policy and Awareness, Assessments, Audits, Treat Risks, Improve Controls and Automate Process.)
Controls Hierarchy
Manual vs. Automated:
• Manual – Require human intervention
• Automated – Rely on computers to reduce human intervention
Detective vs. Preventive:
• Detective – Designed to search for and identify errors after they have occurred
• Preventive – Designed to discourage or preempt errors or irregularities from occurring
Automated and Preventive Logging and Monitoring
• Not Efficient – Reviewing logs for incidents
• Efficient – An automated method of detecting incidents
• Not Effective – Missing the incident due to human error
• Effective – Preventing the incident from occurring in the first place
Automate the Process
• How do you currently measure compliance?
• Reduce documents, spreadsheets and other forms of manual measurement
• Create dashboard approach
• Governance, Risk and Compliance toolsets
GRC Automation
Enterprise:
• Enterprise Scope
• Highly Configurable
• Multiple Functions (Risk, Compliance, Policy)
• Sophisticated Workflow
Multi-Function:
• Functionality More Limited
• More "out of the box"
• Modest Workflow
Single Function:
• Specific Process
• Specific Standard or Regulation
• Simple Workflow