Bill Lisse & Max Aulakh - Future of Information Security & GRC
TRANSCRIPT
![Page 1: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/1.jpg)
Governance, Risk & Compliance
Bill Lisse, Global CISO - OCLC
Max Aulakh, vCISO - MAFAZO
![Page 2: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/2.jpg)
Introductions
Bill Max
![Page 3: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/3.jpg)
Background
• OCLC's environment
• Control complexity & various business scenarios
• Multiple global security regulations
  • US
  • Canada
  • European
![Page 4: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/4.jpg)
Security Business Case for OCLC
• Registered to ISO/IEC 27001:2005
  • Since 2011
• NIST SP 800-53 controls mapped to ISO/IEC 27001
• Updated to ISO/IEC 27001:2013
![Page 5: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/5.jpg)
Shifting Regulatory Landscape
• Executive Order 13636 - Improving Critical Infrastructure Cybersecurity - February 2013
• OMB Guidance to agencies to implement
• OMB Guidance to contractors to implement
![Page 6: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/6.jpg)
Problem Statement
• Mapping ISO 27001 to NIST SP 800-53
  • No longer acceptable
• US SaaS product must be FedRAMP accredited through a 3PAO
  • Short timeline
  • Talent shortage and staffing problems
• SSP, POA&M & FedRAMP documentation takes time
  • Additionally required SSPs for non-cloud government customers
![Page 7: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/7.jpg)
FedRAMP
• Federal Risk and Authorization Management Program (FedRAMP)
  • Government-wide program
  • Standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• Third Party Assessment Organizations (3PAO)
  • A 3PAO is an organization that has been certified to help cloud service providers and government agencies meet FedRAMP compliance regulations
![Page 8: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/8.jpg)
Tryump
• OCLC selected Tryump
  • Document automation
  • Documentation & security artifacts management
![Page 9: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/9.jpg)
NIST Based Compliance
• NIST SP 800-53
  • 26 control families
  • 950+ controls
  • 1 to 4 statements per control
  • 2,000 to 3,000 total responses required for all controls
  • 200+ control parameters
  • 1 SSP can be over 400 pages
  • Total document submission package can be 400 to 800 pages
![Page 10: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/10.jpg)
Who has to comply
• Cloud computing providers
  • FedRAMP
• IRS Pub 1075
• DFARS federal contractors
• Research & development centers
• Healthcare
• Universities
• Federally funded research institutions
• If you do business with the government!
![Page 11: Bill Lisse & Max Aulakh - Future of Information Security & GRC](https://reader033.vdocuments.net/reader033/viewer/2022042520/58ed0fb41a28abe1148b45fd/html5/thumbnails/11.jpg)
Solving complexity
• Built for & by security pros
• Distribute controls to the organization
• Inherit controls from a common enterprise catalog
• Multiple systems management
• Develop multiple SSPs
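The last slide's idea (one enterprise catalog, per-system SSPs that inherit common controls and only answer what is system-specific) is easy to reason about as a small data model. The Python below is an added example written for this transcript; it is not Tryump's code or anything OCLC published. The control identifiers, owners and statement counts are constructed sample data chosen to look like NIST SP 800-53 entries, and the `Catalog`, `SystemPlan` and helper function names are assumptions of this example.

```python
"""Added example (not from the original deck): a toy model of control
inheritance across several systems' SSPs.

An enterprise catalog lists controls and which of them a common provider
answers once for everybody.  Each system selects the controls in scope for
its SSP, inherits the common ones, assigns local owners to the rest, and the
helpers report what remains to be written and where the gaps are.
All IDs, owners and statement counts are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    control_id: str   # NIST-style identifier such as "AC-2" (sample, not a real mapping)
    family: str       # control family prefix, e.g. "AC"
    statements: int   # statements needing a written response (the slide says 1 to 4)


@dataclass
class Catalog:
    """Common enterprise catalog; ``common_owner`` names the team that answers a
    control once on behalf of every system that inherits it."""
    controls: dict[str, Control]
    common_owner: dict[str, str] = field(default_factory=dict)


@dataclass
class SystemPlan:
    """One system's slice of the catalog: controls in scope for its SSP plus the
    local owners assigned to the controls it cannot inherit."""
    name: str
    in_scope: set[str]
    local_owner: dict[str, str] = field(default_factory=dict)


def resolve(system: SystemPlan, catalog: Catalog) -> dict[str, dict]:
    """Classify every in-scope control as inherited, system-specific or unassigned."""
    resolved: dict[str, dict] = {}
    for cid in sorted(system.in_scope):
        if cid not in catalog.controls:
            raise KeyError(f"{cid} is not in the common catalog")
        ctrl = catalog.controls[cid]
        if cid in catalog.common_owner:
            status, owner = "inherited", catalog.common_owner[cid]
        elif cid in system.local_owner:
            status, owner = "system-specific", system.local_owner[cid]
        else:
            status, owner = "unassigned", None  # nobody on the hook: a POA&M candidate
        resolved[cid] = {"status": status, "owner": owner, "statements": ctrl.statements}
    return resolved


def workload(system: SystemPlan, catalog: Catalog) -> dict[str, int]:
    """Statements the system team writes itself vs. statements covered by inheritance."""
    counts = {"inherited": 0, "system_specific": 0}
    for entry in resolve(system, catalog).values():
        key = "inherited" if entry["status"] == "inherited" else "system_specific"
        counts[key] += entry["statements"]
    return counts


def unassigned(system: SystemPlan, catalog: Catalog) -> list[str]:
    """Controls in scope that neither the enterprise nor a local team has claimed."""
    return [cid for cid, e in resolve(system, catalog).items() if e["status"] == "unassigned"]


def total_statements(systems: list[SystemPlan], catalog: Catalog) -> dict[str, int]:
    """Compare writing every SSP from scratch with answering common controls once."""
    from_scratch = sum(catalog.controls[c].statements for s in systems for c in s.in_scope)
    system_work = sum(workload(s, catalog)["system_specific"] for s in systems)
    shared = {c for s in systems for c in s.in_scope if c in catalog.common_owner}
    enterprise_work = sum(catalog.controls[c].statements for c in shared)
    return {"from_scratch": from_scratch, "with_inheritance": system_work + enterprise_work}


# Constructed sample catalog and two sample systems.
CATALOG = Catalog(
    controls={
        "AC-2": Control("AC-2", "AC", 4),
        "AC-17": Control("AC-17", "AC", 2),
        "AU-2": Control("AU-2", "AU", 3),
        "CP-9": Control("CP-9", "CP", 1),
        "IR-4": Control("IR-4", "IR", 2),
        "PE-3": Control("PE-3", "PE", 3),
    },
    common_owner={"PE-3": "Facilities", "IR-4": "Enterprise SOC", "AU-2": "Enterprise SOC"},
)
SYSTEM_A = SystemPlan("Customer Portal", {"AC-2", "AC-17", "AU-2", "IR-4", "PE-3"},
                      {"AC-2": "Portal Team"})
SYSTEM_B = SystemPlan("Batch Loader", {"AC-2", "CP-9", "AU-2"},
                      {"AC-2": "Data Ops", "CP-9": "Data Ops"})

if __name__ == "__main__":
    for system in (SYSTEM_A, SYSTEM_B):
        print(system.name, workload(system, CATALOG), "gaps:", unassigned(system, CATALOG))
    print(total_statements([SYSTEM_A, SYSTEM_B], CATALOG))
```

The point a GRC engineer cares about is visible in the last line: with inheritance, the shared controls are answered once by their enterprise owner, and each additional system only adds its system-specific statements, while `unassigned` surfaces the controls that would otherwise turn into surprises during a 3PAO assessment.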