Proactive Compliance through Information Systems Risk Management

Michele Dickinson & Jon Hanny | January 12, 2010

PRESENTERS:

Michele L. Dickinson
Information Security Officer, CISA, MSIS
Widener University

Jonathan Hanny
Application Security Specialist, CISSP, GSLC, CRISC
The George Washington University

Definitions

Compliance

Compliance is the process of ensuring adherence to security policies*. These policies can be internal, legislative or regulatory.

Information Systems Risk Management

Information Systems Risk Management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.

Objectives

What is Information Systems Risk Management?
Why is ISRM needed?
How can ISRM impact compliance requirements?
How can ISRM impact proactive security?
Where does ISRM fit?
How do I implement ISRM?

What is Information Systems Risk Management?

ISRM Overview

[Figure: Risk Management Framework, Security Life Cycle (NIST SP 800-53 rev2). The cycle shows the following steps with the guidance document for each:]

Starting Point: Categorize Information System (FIPS 199 / SP 800-60)
Select Security Controls (FIPS 200 / SP 800-53)
Supplement Security Controls (SP 800-53 / SP 800-30)
Document Security Controls (SP 800-18)
Implement Security Controls (SP 800-70)
Assess Security Controls (SP 800-53)
Authorize (SP 800-37)
Monitor Security Controls (SP 800-37 / SP 800-60)

Considerations

Consider your organization's needs
Consider regulatory requirements
Consider existing best practices
Consider your staffing and budget
Consider your geographic location

Why is ISRM necessary?

ISRM IS NEEDED

To meet regulatory compliance requirements
To support the risk appetite of the organization
To prevent the loss of PII
To prevent a security incident and loss of consumer confidence
To prevent negative press

How can ISRM impact compliance requirements?

ISRM & Compliance

Security policies drive implementation
Based on legislative or regulatory requirements

Definition of critical data
Evaluation of current business processes
Continuous monitoring and risk assessments

Compliance Intersections

[Matrix: policy areas (rows) against regulations (columns); the individual cell marks did not survive extraction.]

Policy areas:
Policy
Access Controls
Confidential data defined
Physical security over confidential data
Network segmentation
Security over 3rd parties
Data Classification
Training
Incident Response

Regulations:
HIPAA
GLBA
Identity Theft
PCI-DSS
Mass. Identity Theft

How can ISRM impact Proactive Security?

Security Approaches

Risk Management Framework Characteristics

Near real-time risk management through the implementation of robust continuous monitoring processes
Provides emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems
Establishes responsibility and accountability for security controls

Starting Points

Identify governance
Security committee with executive oversight
Perform risk assessment
Establish a proactive security model for visibility and continuous assessment

Where does ISRM fit?

Integrate into SDLC

How do I implement ISRM?

How to Implement ISRM

Executive buy-in is a must have
Identify stakeholders & ISRM committee
Categorize information
Clearly define policies, processes, & procedures to support the organization
Promote ISRM as a valuable service to the entire organization

What did you think?

Your input is important to us! Click on "Evaluate This Session" on the MidAtlantic Regional program page. Thank you!

Presenter Contact Information:

M. L. Dickinson
Information Security Officer, Widener University
mldickinson@widener.edu
(610) 499-1044

Jonathan Hanny
Application Security Specialist, The George Washington University
jehanny@gwu.edu
(703) 726-4469

THANK YOU