Agenda What is Compliance? Risk and Compliance Management What is a Framework? ISO 27001/27002 Overview Audit and Remediate Improve and Automate

Upload: joshua-matteson

Post on 29-Mar-2015


Page 1: Agenda

• What is Compliance?
• Risk and Compliance Management
• What is a Framework?
• ISO 27001/27002 Overview
• Audit and Remediate
• Improve and Automate

Page 2: What was Compliance?

Page 3: What is Compliance?

• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management than it is about technology

Page 4: Risk & Compliance Mgmt

[Diagram of the risk and compliance management cycle] Drivers: Partners/Customers, Regulations, Risk Assessment. Program: Control Framework, Policy and Awareness. Audit and remediate: Assessments, Audits, Treat Risks. Improve and automate: Improve Controls, Automate Process.

Page 5: Risk and Compliance Approaches

Minimal
• Annual / Project-based Approach
• Minimal Repeatability
• Only Use Technologies Where Explicitly Prescribed in Standards and Regulations
• Minimal Automation

Sustainable
• Proactive / Planned Approach
• Learning Year over Year
• Use Technologies to Reduce Human Factor
• Leverage Controls Automation Whenever Possible

Optimized
• Regulatory Requirements are Mapped to Standards
• A Framework is in Place
• Compliance and Enterprise Risk Management are Aligned
• Process is Automated

Page 6: Identify Drivers

[Diagram] Drivers: Partners/Customers, Regulations, Risk Assessment

Page 7: Identify Drivers

Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.

Managing compliance is fundamentally about managing risk.

Page 8: Identify Drivers

• Risk Assessment – Identify unique risks and control requirements
• Partners / Customers – Partners represent potential contractual risk; customers present privacy concerns
• Regulations – Regulatory risk is considered as part of overall risk

Page 9: Develop Program

[Diagram] Drivers: Partners/Customers, Regulations, Risk Assessment. Program: Control Framework, Policy and Awareness

Page 10: What is a Control?

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

*Source: ITGI, COBIT 4.1

Page 11: What is a Framework?

A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.

A framework is a structure upon which to build strategy, reach objectives and monitor performance.

Page 12: Why use a framework?

• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements

Page 13: Frameworks and Control Sets

• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific, e.g. PCI
• Custom

Page 14: ISO 27001/27002

• Information Security Framework
• Requirements and guidelines for development of an ISMS (Information Security Management System)
• Risk Management is a key component of the ISMS
• Part of the ISO 27000 series of security standards

Page 15: A Brief History of ISO 27001

[Timeline]
BS 7799-1, Code of Practice
BS 7799-2, Specification: revised in 2002; adopted as international standard in 2005

Page 16: A Brief History of ISO 27002

[Timeline]
BS 7799-1, Code of Practice ("Information Technology. Code of Practice for Information Security Management"): adopted as international standard as ISO 17799 in 2000; revised in 2005; renumbered to 27002 in 2007
BS 7799-2, Specification: revised in 2002

Page 17: ISO 27001 and 27002

ISO 27001
• Requirements
• Auditable
• Certification

ISO 27002
• Best Practices
• More depth in controls guidance

Shared Control Objectives

Page 18: ISO 27001 – Mgmt Framework

• Information Security Management Systems – Requirements (ISMS)
  – Process approach
• Understand the organization’s information security requirements and the need to establish policy
• Implement and operate controls to manage risk, in the context of business risk
• Monitor and review
• Continuous improvement

Page 19: ISO 27001

[PDCA cycle diagram]
Plan: Establish ISMS
Do: Implement and Operate ISMS
Check: Monitor and Review ISMS
Act: Maintain and Improve ISMS

Page 20: ISO 27002 – Controls Framework

ISO 27002 Security Control Domains
• Risk Assessment and Treatment
• Security Policy
• Organizing Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

Page 21: Building a Framework

[Diagram: ISO 27002: Code of Practice for Information Security Management] The control domains (Risk Assessment & Treatment; Security Policy; Organizing Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; IS Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance) arranged as Management Controls, Operational Controls and Technical Controls, together with the Protected Information.

Page 22: Practical Uses for Certification

Regulatory Compliance: “Best Practice” approach to handling sensitive data and overall security program
Internal Compliance: Implement security as an integrated part of the business and as a process
Third Party Compliance: Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.

Page 23: ISO 27000 Series of Standards

• ISO/IEC 27000:2009 - Overview and vocabulary
• ISO/IEC 27001:2005 - Requirements
• ISO/IEC 27002:2005 - Code of Practice
• ISO/IEC 27003 - ISMS Implementation Guidance*
• ISO/IEC 27004 - Measurement*
• ISO/IEC 27005:2008 - Risk Management
• ISO/IEC 27006:2007 - Auditor Requirements
• ISO/IEC 27007 - ISMS Audit Guidelines*

*In Development

Page 24: Frameworks Comparison

Framework: COBIT
  Strengths: Strong mappings; Support of ISACA; Availability
  Focus: IT Governance; Audit

Framework: ISO 27001/27002
  Strengths: Global Acceptance; Certification
  Focus: Information Security Management System

Framework: ITIL
  Strengths: IT Service Management Certification
  Focus: IT Service Management

Framework: NIST 800-53
  Strengths: Detailed, granular; Tiered controls; Free
  Focus: Information Systems; FISMA

Page 25: Controls Mapping

[Diagram] A Framework of Controls onto which PCI, GLBA, SOX and Corporate Policy are mapped; PCI is expanded:

PCI Data Security Standard
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access…

Page 26: Controls Mapping

[Diagram] Framework of Controls with PCI, GLBA, SOX and Corporate Policy mapped onto it (labels: GLBA, SOX, Policy)

Page 27: Controls Mapping

[Diagram] Framework of Controls with PCI, GLBA, SOX and Policy mapped onto it

Benefits:
• Alignment of corporate policy
• Custom interpretation of regulations
• Single assessment effort provides complete view

Page 28: Logging and Monitoring

PCI – Requirement 10
ISO 17799 – Section 10.10

Page 29: Audit and Remediate

[Diagram] Drivers: Partners/Customers, Regulations, Risk Assessment. Program: Control Framework, Policy and Awareness. Audit and remediate: Assessments, Audits, Treat Risks

Page 30: Organization Example

Internal Audit: COBIT
IT Service Desk: ITIL
Information Security: ISO 27001/27002
Software Delivery: CMMi

Page 31: Controls Alignment

How aligned are your controls?
• Assessment (Information Security, IT Risk Management)
• Internal Audit (IT/Financial Audit)
• External Audit (Regulatory and Non-Regulatory)

Page 32: Remediation Priorities

• Where are our greatest risks?
• What controls are we fulfilling?
• How many compliance requirements are we solving?
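The controls-mapping slides (Pages 25 to 27) and the remediation questions on this page describe one data structure: a single framework of controls onto which each regulation's requirements are mapped, so that one assessment of the controls answers, per regulation, how many requirements are satisfied and which failing control is worth fixing first. The following is an added worked example in Python, not code from the deck or from the presenter. The control ids (CF-NET, CF-ACC, CF-IDM, CF-LOG), the GLBA, SOX and corporate-policy requirement ids, the requirement-to-control mappings and the assessment results are constructed assumptions for illustration; only the PCI requirement texts, the ISO 27002 domain names and the PCI Requirement 10 / ISO 17799 10.10 pairing come from the slides.

```python
"""Controls mapping and coverage: one control framework serving several regulations.

Constructed, illustrative data: control ids, the GLBA/SOX/policy requirement ids,
the requirement-to-control mappings and the assessment results are assumptions
for this example, not an authoritative mapping.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    cid: str          # framework control id (constructed)
    domain: str       # ISO 27002 security control domain it belongs to
    description: str


@dataclass
class ControlFramework:
    controls: dict = field(default_factory=dict)
    # regulation -> requirement id -> ids of the framework controls that fulfil it
    requirements: dict = field(default_factory=lambda: defaultdict(dict))

    def add_control(self, control: Control) -> None:
        self.controls[control.cid] = control

    def map_requirement(self, regulation: str, req_id: str, control_ids) -> None:
        """Map an external requirement onto framework controls.

        Unknown control ids are rejected so a typo cannot silently leave a
        requirement with no control behind it.
        """
        unknown = set(control_ids) - set(self.controls)
        if unknown:
            raise KeyError(f"unknown control ids: {sorted(unknown)}")
        self.requirements[regulation][req_id] = frozenset(control_ids)

    def requirement_met(self, regulation: str, req_id: str, results: dict) -> bool:
        """A requirement is met only if every mapped control passed assessment.

        A control absent from the results is treated as failed, never as passed.
        """
        return all(results.get(cid, False) for cid in self.requirements[regulation][req_id])

    def coverage(self, results: dict) -> dict:
        """Per regulation: (requirements met, requirements mapped)."""
        out = {}
        for reg, reqs in self.requirements.items():
            met = sum(self.requirement_met(reg, r, results) for r in reqs)
            out[reg] = (met, len(reqs))
        return out

    def remediation_priorities(self, results: dict) -> list:
        """Failing controls ranked by how many unmet requirements they block."""
        blocked = defaultdict(int)
        for reg, reqs in self.requirements.items():
            for req_id, cids in reqs.items():
                if self.requirement_met(reg, req_id, results):
                    continue
                for cid in cids:
                    if not results.get(cid, False):
                        blocked[cid] += 1
        return sorted(blocked.items(), key=lambda kv: (-kv[1], kv[0]))


def build_example_framework() -> ControlFramework:
    """Constructed framework: four controls shared by PCI, GLBA, SOX and policy."""
    fw = ControlFramework()
    fw.add_control(Control("CF-NET", "Communications and Operations Management",
                           "Maintain a firewall configuration to protect data"))
    fw.add_control(Control("CF-ACC", "Access Control",
                           "Restrict access to data by business need to know"))
    fw.add_control(Control("CF-IDM", "Access Control",
                           "Unique ID for each person with computer access"))
    fw.add_control(Control("CF-LOG", "Communications and Operations Management",
                           "Logging and monitoring (PCI Requirement 10 / ISO 17799 10.10)"))
    # PCI DSS requirements quoted on the slides
    fw.map_requirement("PCI", "PCI-1", ["CF-NET"])
    fw.map_requirement("PCI", "PCI-7", ["CF-ACC"])
    fw.map_requirement("PCI", "PCI-8", ["CF-IDM", "CF-ACC"])
    fw.map_requirement("PCI", "PCI-10", ["CF-LOG"])
    # Constructed GLBA, SOX and corporate-policy requirements reusing the same controls
    fw.map_requirement("GLBA", "GLBA-access", ["CF-ACC"])
    fw.map_requirement("GLBA", "GLBA-monitor", ["CF-LOG"])
    fw.map_requirement("SOX", "SOX-audit-trail", ["CF-LOG", "CF-ACC"])
    fw.map_requirement("Policy", "POL-logging", ["CF-LOG"])
    return fw


# Constructed result of a single assessment of the shared controls
ASSESSMENT = {"CF-NET": True, "CF-ACC": True, "CF-IDM": True, "CF-LOG": False}


if __name__ == "__main__":
    fw = build_example_framework()
    for reg, (met, total) in fw.coverage(ASSESSMENT).items():
        print(f"{reg}: {met}/{total} requirements met")
    print("Remediate first:", fw.remediation_priorities(ASSESSMENT))
```

With the constructed data, one failed control (logging and monitoring) leaves PCI at 3 of 4, GLBA at 1 of 2, and SOX and corporate policy at 0 of 1, and the priority list names CF-LOG as blocking four requirements across all of them; that is the "single assessment effort provides complete view" benefit in concrete form. Treating an unassessed control as failed is a deliberate choice: a requirement should never be reported as met on the strength of a control nobody has checked.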

Page 33: Improve and Automate

[Diagram] Drivers: Partners/Customers, Regulations, Risk Assessment. Program: Control Framework, Policy and Awareness. Audit and remediate: Assessments, Audits, Treat Risks. Improve and automate: Improve Controls, Automate Process

Page 34: Controls Hierarchy

Manual vs. Automated
• Manual: Require human intervention
• Automated: Rely on computers to reduce human intervention

Detective vs. Preventive
• Detective: Designed to search for and identify errors after they have occurred
• Preventive: Designed to discourage or preempt errors or irregularities from occurring

Page 35: Automated and Preventive

Logging and Monitoring
• Not Efficient: Reviewing logs for incidents
• Efficient: An automated method of detecting incidents
• Not Effective: Missing the incident due to human error
• Effective: Preventing the incident from occurring in the first place

Page 36: Automate the Process

• How do you currently measure compliance?
• Reduce documents, spreadsheets and other forms of manual measurement
• Create dashboard approach
• Governance, Risk and Compliance toolsets

Page 37: GRC Automation

Enterprise
• Enterprise Scope
• Highly Configurable
• Multiple Functions (Risk, Compliance, Policy)
• Sophisticated Workflow

Multi-Function
• Functionality More Limited
• More “out of the box”
• Modest Workflow

Single Function
• Specific Process
• Specific Standard or Regulation
• Simple Workflow

Page 38: Questions?

Evan Tegethoff
Director, Risk and Compliance Management
[email protected]