right-sizing risk and compliance for small to mid-size...
TRANSCRIPT
![Page 1: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/1.jpg)
Susanne Elizer Practice Director – Accretive Solutions
Professional Strategies – S32
Right-sizing Risk and Compliance for Small to Mid-size Companies
![Page 2: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/2.jpg)
Compliance Jeopardy
2014 Fall Conference - "Think Big" 2
Sectors Famous Cases
Intl Enforcers Key
Rqmts Gotchas
![Page 3: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/3.jpg)
Agenda
• Risk and Compliance Programs
• Risk and Compliance in Small to Mid-Size Companies
• Figuring Out Where To Start
• Practical Implementation Pointers
2014 Fall Conference - "Think Big" 3
![Page 4: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/4.jpg)
Risk and Compliance Programs
![Page 5: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/5.jpg)
Large
• US*, Small < $25.5M revenue; Medium < $1B
• European Union*, Small < 50 employees; Medium < 250 employees
Key Definitions: Company Size
Medium Small
•Source: US – Small Business Administration and Ohio State University’s’National Center for the Middle Market; Europe: Organization for Economic Cooperation and Development
![Page 6: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/6.jpg)
GOVERNANCE – Management Approach to Decision Making and Control RISK MANAGEMENT – Processes to Anticipate, Identify, Evaluate, and Respond to Risks COMPLIANCE – Meet Stated Requirements from Internal Governance and/or External Regulatory Bodies
Key Definitions: Governance, Risk and Compliance (GRC)
![Page 7: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/7.jpg)
• Aligning risk appetite and strategy
• Enhancing risk response decisions
• Reducing operational surprises and losses
• Identifying and managing multiple and cross-enterprise risks
• Seizing opportunities
• Improving deployment of capital
2014 Fall Conference - "Think Big" 7
GRC Benefits – Assurance and Protection
![Page 8: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/8.jpg)
2014 Fall Conference - "Think Big" 8
Enterprise Governance, Risk and Compliance Framework
Governance Structure: • Board of Directors • Risk Committee • Risk Council • Office of Risk
Management • Unit Heads • Control Owners • Control Performers
Source: COSO ERM
![Page 9: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/9.jpg)
•Proprietary and Confidential – Accretive Solutions, Inc. •3
The Road to Enterprise Risk Management
Security
Compliance
Enterprise Risk Management
Business Continuity and Disaster Recovery
![Page 10: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/10.jpg)
Company Awesome – Case Study
• SaaS provider of collaboration and business analytics tools
• 200 people
• Recently acquired enterprise customers
• Strong security mindset
• Moving into new customer segments
2014 Fall Conference - "Think Big" 10
![Page 11: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/11.jpg)
Company Awesome – Risk and Compliance Roadmap
2014 Fall Conference - "Think Big" 11
Scope and Implement Data Model Changes
Aug /
Sep-14 Q4‘14 Q1'15 Q2'15 Q3’15 Q4’15 H1-2016 H2-2016 H1-2016
Ris
k
Risk Assessment
BCP/DR
Co
mp
lian
ce
ISO
Readiness
Certification
HIPAA*
Readiness
Certification
SOC 2
Readiness
Certification
Secu
rity
Core Policy
Development
Pen Testing
Threat Modeling
Readiness* Assessment
Critical Path Recommended * - Evaluate ROI before Implementing
![Page 12: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/12.jpg)
Compliance Jeopardy
![Page 13: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/13.jpg)
Sample Major Compliance Initiatives
2014 Fall Conference - "Think Big" 13
SOX PCI
Privacy Laws SSAE 16
ISO
Broadly Applicable
HIPAA HITECH PSQIA
Healthcare
FISMA FedRAMP
CJIS
Government
GLBA Bank Protection
BITS FFIEC
Financial
EFTA C-TPAT FAST
Financial Transactions
and Trade MRC
Media
Safe Harbor European Union Data Directive
International
![Page 14: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/14.jpg)
Compliance Jeopardy
2014 Fall Conference - "Think Big" 14
Sectors Famous Cases
Intl Enforcers Key
Rqmts Gotchas
![Page 15: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/15.jpg)
Risk & Compliance in Small to Mid-Size Companies
![Page 16: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/16.jpg)
• Key Principles • Drivers • Risk Appetite • Organizational Factors
What Spurs Differences From Large Companies
![Page 17: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/17.jpg)
Key Principles
• Adaptable – keep it flexible. Your business is changing
• Efficient – do it once where possible
• Pragmatic – keep it simple
• Alignment – tie to business strategy must be clear and transparent
2014 Fall Conference - "Think Big" 17
![Page 18: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/18.jpg)
•Proprietary and Confidential – Accretive Solutions, Inc. •2
Drivers
Growth
Change
Customers/ Regulators
Has your growth outpaced your span of control?
Can you drive change in your organization to address risks?
Are your customers or regulators demanding proof that they can trust your service?
![Page 19: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/19.jpg)
2014 Fall Conference - "Think Big" 19
Risk Appetite
Source: ISACA IT Risk Framework
Risk Appetite = amount of risk an organization is willing to take to achieve its objectives
Based on: • Capacity to
absorb loss • Risk culture • Cost/Benefit
![Page 20: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/20.jpg)
• Current Maturity
• Time Horizon
• Organizational Complexity (Geography, Size, IT Environment, etc.)
• Pain Points (e.g. breach, inefficiency, etc.)
Organizational Factors
![Page 21: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/21.jpg)
Compliance Jeopardy
![Page 22: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/22.jpg)
Compliance Jeopardy
2014 Fall Conference - "Think Big" 22
Sectors Famous Cases
Intl Enforcers Key
Rqmts Gotchas
![Page 23: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/23.jpg)
Figuring Out Where To Start
![Page 24: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/24.jpg)
• Security
• Risk Assessment
• Compliance Strategy
Getting To Priorities
![Page 25: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/25.jpg)
Security Early Stages
2014 Fall Conference - "Think Big" 25 Source: BSIMM-V
![Page 26: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/26.jpg)
In Later Stages…
2014 Fall Conference - "Think Big" 26
![Page 27: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/27.jpg)
2014 Fall Conference - "Think Big" 27
Risk Assessment
Objectives Threats &
Vulnerabilities Impact/
Likelihood Controls
• What are your Company Killers?
![Page 28: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/28.jpg)
Sample Risks for Small to Mid-sized Companies
2014 Fall Conference - "Think Big" 28
Strategic • Competition • Market Concentration • Economic Conditions • Reputation • Customer creditworthiness Financial • Cash flow • Fraud
Operational • Founder/Management • Key Employees • Supply Chain • Capacity Planning • Security of data and
intellectual property • Acts of God and
Governments • Litigation • Compliance
What are your Company Killers?
![Page 29: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/29.jpg)
Risk-Assessment Exercise
2014 Fall Conference - "Think Big" 29
What are your Company Killers?
![Page 30: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/30.jpg)
Security Questionnaires
Cumbersome
30
Compliance Challenges
Compliance Readiness and Audits
Costly and time consuming
(and they can consume you, if you let them!)
![Page 31: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/31.jpg)
Pain Points:
Cost of multiple compliance assessments
–Direct monetary cost
–Opportunity cost of internal resource time
Managing multiple service providers
Hiring internal resources with skillsets to manage multiple efforts
Maintaining multiple control lists
– Responding to multiple PBC lists
31
Compliance Pain Points
![Page 32: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/32.jpg)
32
Compliance Consistency
Area COBIT HIPAA ISO NIST FedRAMP PCI BITS
Compliance x X x x x x x Data Gov x X x x x x x Facility Security x X x x x x x HR x X x x x x x
Info Sec x X x x x x x Ops Mgmt x X x x x x x
Release Mgmt x x x x x x x Resiliency x x x x x x x Risk Mgmt x x x x x x x Sec Arch x x x x x x x
![Page 33: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/33.jpg)
“Test once - comply with many” approach: Enable one test to cover multiple compliance
initiatives
Leverage common requirements across standards
Aligns controls to cover multiple compliance initiatives
Consolidate service providers
Achieve reduction in overall assessment resources for the environment
33
Alleviating the Compliance Burden
![Page 34: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/34.jpg)
Exercise: Building Out Your Roadmap
2014 Fall Conference - "Think Big" 34
1. What won’t scale? Where is your company most vulnerable?
2. What are your current products and what’s in the pipeline?
3. Which customer segments are served now? Which ones are planned?
4. What are the compliance requirements for those segments?
5. What’s the cost/benefit to implement?
![Page 35: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/35.jpg)
Compliance Jeopardy
![Page 36: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/36.jpg)
Compliance Jeopardy
2014 Fall Conference - "Think Big" 36
Sectors Famous Cases
Intl Enforcers Key
Rqmts Gotchas
![Page 37: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/37.jpg)
Practical Implementation Considerations
![Page 38: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/38.jpg)
Who Owns Governance, Risk and Compliance?
Key factors:
• Maturity
• Organizational Factors (Access to Board, Independence, Guardianship, Skills and Expertise, Strategic Thinking)
• Can Be Person Dependent 2014 Fall Conference - "Think Big" 38
IT Ops Finance Legal Prod Mktg
Exec Other
![Page 39: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/39.jpg)
Implementation Resourcing
Decision 1: In-Source or Outsource?
• What skills exist within your organization?
• How regulated is your industry? How regulated are your customers?
• What volume of work do you expect?
Decision 2: Who to Hire?
• What type of organization are you? (e.g. engineering, financial, etc.)
• What are your highest priority GRC needs?
• How much money and time do you have?
• What have peer organizations done?
2014 Fall Conference - "Think Big" 39
![Page 40: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/40.jpg)
• Don’t release security info without a mutual NDA
• IT controls are conceptually and fundamentally the same across different compliance initiatives
• Line up the strictest standards and controls that you have to comply, and set your program from those
• Have one provider do as much of your risk and compliance work for you as you can. Check references.
• Save the answers to security questionnaires
• Prepare a Trust Center. Keep it Updated.
• Risk & compliance doesn’t have to be hard
40
Implementation Pointers
![Page 41: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/41.jpg)
Compliance Jeopardy
![Page 42: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/42.jpg)
Compliance Jeopardy
2014 Fall Conference - "Think Big" 42
Sectors Famous Cases
Intl Enforcers Key
Rqmts Gotchas
![Page 43: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/43.jpg)
Appendix
![Page 44: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/44.jpg)
Business Size Definition: Wikipedia
2014 Fall Conference - "Think Big" 44
AUS US EU
Minute/Micro 1-2 1-6 <10
Small <15 <250 <50
Medium <200 <500 <250
Large <500 <1000 <1000
Enterprise >500 >1000 >1000
Business Size definitions
![Page 45: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/45.jpg)
Password Control
45
PCI SSAE16 / SOC2&3 ISO 27001 SOX
8.2.4 - Change passwords at least every 90 days
8.2.3 - Passwords must be at least seven characters long
8.1.6/8.1.7 - Lockout threshold and duration
8.2.3 - Passwords must contain both alphabetic and numeric characters
8.2.5 - History of at least four passwords remembered
Security Principal 3.2.5
The internal network domain is configured to enforce the following password requirements:
•Maximum Password Age
•Minimum Password Length
•Invalid Password Lockout
•Complexity
•Password History
9.4.1 – Access to information
and application system
functions shall be restricted in
accordance with the access
control policy.
9.4.2 – Where required by the
access control policy, access to
systems and applications shall
be controlled by a secure log-
in procedure.
9.4.3 – Password management
systems shall be interactive
and shall ensure quality
passwords.
Applications and
systems are configured
to comply with
password parameters as
defined in the Safe
Computing Policy.
Practical Example – Compliance Consolidation
![Page 46: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/46.jpg)
46
PCI SSAE16 / SOC2&3 ISO 27001 SOX
9.1 - Controls to limit and
monitor physical access -
video cameras and/or access-
control mechanisms in place,
protected from tampering,
monitored/reviewed and
correlated with other entries,
and data stored for at least
three months.
9.3 - Visitors authorized,
distinguishable, badge
expiration controls.
9.4 - Visitor log
Security Principal 3.3.2
Physical access to the
onsite data center is
restricted to authorized
personnel.
11.1.1 – Security
perimeters shall be defined
and used to protect areas
that contain either
sensitive or critical
information and
information processing
facilities.
11.1.2 – Secure areas shall
be protected by
appropriate entry controls
to ensure that only
authorized personnel are
allowed access.
Physical access to the data
center is restricted to
authorized IT Operations
staff only.
Practical Example – Compliance Consolidation
Physical Access to Datacenter
![Page 47: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/47.jpg)
47
PCI SSAE16 / SOC2&3 ISO 27001 SOX
5.1 Deploy anti-virus software on all systems
commonly affected by malicious software (particularly
personal computers and servers).
5.1.1 Ensure that anti-virus programs are capable of
detecting, removing, and protecting against all known
types of malicious software.
5.1.2 For systems considered to be not commonly
affected by malicious software, perform periodic
evaluations to identify and evaluate evolving malware
threats in order to confirm whether such systems
continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are
maintained as follows:
Are kept current
Perform periodic scans
Generate audit logs which are retained per PCI
DSS Requirement 10.7
5.3 Ensure that anti-virus mechanisms are actively
running and cannot be disabled or altered by users,
unless specifically authorized by management on a
case-by-case basis for a limited time period.
3.5.1 - Anti-virus software
with up to date virus
signatures are used to
protect all Company network
devices. Scans are
performed on a daily basis.
3.5.2 -Anti-virus software
security updates are applied
based on automatic update
timelines.
12.2.1 Detection,
prevention and recovery
controls to protect against
malware shall be
implemented, combined
with appropriate user
awareness.
Virus protection software at
the Network/Gateway level
is configured to scan and
filter the incoming and
outgoing network traffic
(Email, HTTP, FTP and other
messaging) for real-time
detection and quarantine of
malicious code.
Practical Example – Anti-virus Protection
![Page 48: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/48.jpg)
GRC is a discipline that synchronizes information and activity across governance, risk management and compliance in order to create efficiency, enable more effective information sharing and reporting and avoid wasteful overlaps. Often interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance.
IT GOVERNANCE, RISK AND COMPLIANCE (GRC) – Wikipedia Definition
Compliance means conforming
with stated requirements. At an
organizational level, it is achieved
through management processes
which identify the applicable
requirements (defined for
example in laws, regulations,
contracts, strategies and policies),
assess the state of compliance,
assess the risks and potential
costs of non-compliance against
the projected expenses to
achieve compliance, and hence
prioritize, fund and initiate any
corrective actions deemed
necessary.
Governance describes the overall
management approach through
which senior executives direct
and control the entire
organization, using a combination
of management information and
hierarchical management control
structures.
RISK Management is the set of
processes through which
management identifies,
analyzes, and, where necessary,
responds appropriately to risks
that might adversely affect
realization of the organization's
business objectives.
![Page 49: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/49.jpg)
Framework vs. a Standard
2014 Fall Conference - "Think Big" 49
Definition
Framework Generally accepted, business-process oriented structure that establishes a common language and enables repeatable business processes
Standard Mandatory requirement, Code of Practice or Specification approved by a recognized external standards organization.
![Page 50: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/50.jpg)
Compliance/Risk Maturity Model
Some compliance/risk processes are structured and repeatable but results may be inconsistent. Organizational discipline to process adherence is uneven.
Compliance/risk policies and procedures are defined and documented. Standard processes are established and subject to some degree of improvement over time. Standard processes are adopted by the organization and used as the framework to establish consistency of process performance.
Compliance/risk process metrics are utilized for management to effectively control standard processes and controls. Management can identify ways to fine-tune processes to specific business and operational needs without significant erosion of process and control execution.
Focus is on continually improving compliance/risk process and control performance through incremental/ innovative technology and best practices improvements.
State of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events - chaotic or unstable environment for the compliance and risk mitigation processes.
MS CONFIDENTIAL – INTERNAL USE ONLY – NOT FOR CIRCULATION.
![Page 51: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/51.jpg)
51
Strategy and Governance
Tools Process
GRC in Practice
Information and Communications
Strategic
Operational Financial
Risk Categories
![Page 52: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/52.jpg)
Strategy and Governance
• Risk Culture
• Objective Setting
• Decision-making Structure
• Ownership and Accountability
• Strategy and roadmaps:
– Business
– Product
– Compliance
![Page 53: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/53.jpg)
• Risk Identification
• Risk Assessment
• Risk Response
• Risk Monitoring
• Compliance Program Management
Process
![Page 54: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/54.jpg)
• BCP/DR • Back-up and
Restoration • Security Awareness
and Communications • Risk Assessment • Access &
Authentication • Vendor Mgmt • Incident Mgmt • Privacy
Tools – Policies, SOPs, and Systems
• Asset & Info Classification/Mgmt
• Systems Dev & Mtnce
• Personnel Security
• Configuration Mgmt
• Change Mgmt
• Monitoring Compliance
• Confidentiality
• Security Monitoring
![Page 55: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/55.jpg)
• Training • Employee Communications
• Board Reporting and Communications
Information and Communications
![Page 56: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/56.jpg)
• Risk categories will vary by industry
• They represent what is most important to an organization and what is most critical to its growth
Risk Categories
![Page 57: Right-sizing Risk and Compliance for Small to Mid-size Companiessfisaca.org/images/FC14Presentations/S32.pdf · 2014. 10. 6. · Right-sizing Risk and Compliance for Small to Mid-size](https://reader036.vdocuments.net/reader036/viewer/2022071111/5fe613606aaebd61457d5ed8/html5/thumbnails/57.jpg)
Regulatory Landscape
2014 Fall Conference - "Think Big" 57
Federal Govt – General and
Sectoral
Self-Regulatory
State Govt