
Agenda

• What is Compliance?
• Risk and Compliance Management
• What is a Framework?
• ISO 27001/27002 Overview
• Audit and Remediate
• Improve and Automate
What was Compliance?
What is Compliance?
• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management than it is about technology
Risk & Compliance Mgmt

(Cycle diagram) Drivers: Regulations, Partners/Customers, Risk Assessment → Develop program: Control Framework, Policy and Awareness → Audit and remediate: Assessments, Audits, Treat Risks → Improve and automate: Automate Process, Improve Controls → back to the drivers.
Risk and Compliance Approaches

Minimal
• Annual / Project-based Approach
• Minimal Repeatability
• Only Use Technologies Where Explicitly Prescribed in Standards and Regulations
• Minimal Automation

Sustainable
• Proactive / Planned Approach
• Learning Year over Year
• Use Technologies to Reduce Human Factor
• Leverage Controls Automation Whenever Possible

Optimized
• Regulatory Requirements are Mapped to Standards
• A Framework is in Place
• Compliance and Enterprise Risk Management are Aligned
• Process is Automated
Identify Drivers

(Diagram, drivers only) Regulations, Partners/Customers, Risk Assessment
Identify Drivers

Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.

Managing compliance is fundamentally about managing risk.
Identify Drivers

• Risk Assessment
– Identify unique risks and control requirements
• Partners / Customers
– Partners represent potential contractual risk
– Customers present privacy concerns
• Regulations – regulatory risk is considered as part of overall risk
Develop Program

(Diagram) Drivers: Regulations, Partners/Customers, Risk Assessment → Develop program: Control Framework, Policy and Awareness
What is a Control?

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

*Source: ITGI, COBIT 4.1


What is a Framework?

A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.

A framework is a structure upon which to build strategy, reach objectives and monitor performance.
Why use a framework?

• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements
Frameworks and Control Sets

• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific – e.g. PCI
• Custom
ISO 27001/27002

• Information Security Framework
• Requirements and guidelines for development of an ISMS (Information Security Management System)
• Risk Management a key component of ISMS
• Part of ISO 27000 Series of security standards
A Brief History of ISO 27001

(Timeline) BS 7799-1 – Code of Practice. BS 7799-2 – Specification; revised in 2002; adopted as international standard in 2005.

A Brief History of ISO 27002

(Timeline) BS 7799-1 – Code of Practice; adopted as international standard ISO 17799 in 2000 (Information Technology – Code of Practice for Information Security Management); revised in 2005; renumbered to 27002 in 2007. BS 7799-2 – Specification; revised in 2002.
ISO 27001 and 27002

ISO 27001
• Requirements
• Auditable
• Certification

Shared Control Objectives

ISO 27002
• Best Practices
• More depth in controls guidance
ISO 27001 – Mgmt Framework
• Information Security Management Systems – Requirements (ISMS)
– Process approach
• Understand organization’s information security requirements and the need to establish policy
• Implement and operate controls to manage risk, in context of business risk
• Monitor and review
• Continuous improvement
ISO 27001

(Plan–Do–Check–Act cycle) Plan: Establish ISMS → Do: Implement and Operate ISMS → Check: Monitor and Review ISMS → Act: Maintain and Improve ISMS
ISO 27002 – Controls Framework

ISO 27002 Security Control Domains


Risk Assessment and Treatment
Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Building a Framework

(Diagram: ISO 27002: Code of Practice for Information Security Management) The ISO 27002 domains arranged as Management Controls, Operational Controls and Technical Controls around the protected information asset. Domains shown: Risk Assessment & Treatment, Security Policy, Compliance, Organizing Information Security, Business Continuity Management, Information Security Incident Management, Asset Management, Human Resources Security, IS Acquisition, Development and Maintenance, Physical and Environmental Security, Access Control, Communications and Operations Management.
Practical Uses for Certification

• Regulatory Compliance – “Best Practice” approach to handling sensitive data and overall security program
• Internal Compliance – Implement security as an integrated part of the business and as a process
• Third Party Compliance – Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.
ISO 27000 Series of Standards

• ISO/IEC 27000:2009 - Overview and vocabulary
• ISO/IEC 27001:2005 - Requirements
• ISO/IEC 27002:2005 - Code of Practice
• ISO/IEC 27003 - ISMS Implementation Guidance*
• ISO/IEC 27004 - Measurement*
• ISO/IEC 27005:2008 - Risk Management
• ISO/IEC 27006:2007 - Auditor Requirements
• ISO/IEC 27007 - ISMS Audit Guidelines*
*In Development
Frameworks Comparison

Framework – Strengths – Focus
• COBIT – Strong mappings; Support of ISACA; Availability – IT Governance; Audit
• ISO 27001/27002 – Global Acceptance; Certification – Information Security Management System
• ITIL – IT Service Management; Certification – IT Service Management
• NIST 800-53 – Detailed, granular; Tiered controls; Free – Information Systems; FISMA
Controls Mapping

(Diagram) Corporate Policy, SOX, GLBA and PCI all map onto one Framework of Controls.

PCI Data Security Standard
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access…
Controls Mapping

(Diagram) PCI, GLBA, SOX and Policy map onto one Framework of Controls.

Benefits:
• Alignment of corporate policy
• Custom interpretation of regulations
• Single assessment effort provides complete view
Logging and Monitoring
• PCI – Requirement 10
• ISO 17799 – Section 10.10
Audit and Remediate

(Diagram) Drivers: Regulations, Partners/Customers, Risk Assessment → Develop program: Control Framework, Policy and Awareness → Audit and remediate: Assessments, Audits, Treat Risks
Organization Example

• IT Service Desk – ITIL
• Information Security – ISO 27001/27002
• Software Delivery – CMMi
• Internal Audit – COBIT
Controls Alignment

How aligned are your controls?

• Assessment (Information Security, IT Risk Management)
• Internal Audit (IT/Financial Audit)
• External Audit (Regulatory and Non-Regulatory)
Remediation Priorities

• Where are our greatest risks?
• What controls are we fulfilling?
• How many compliance requirements are we solving?
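The controls-mapping slides and the remediation-priorities questions above describe one data structure: a single framework of controls, with each regulation's requirements mapped onto it many-to-many, so that one assessment of the controls yields a compliance view for every regulation and a ranking of which deficient controls solve the most requirements. The following is an added example written for this page, not the deck's or Accuvant's own tooling; the PCI requirement numbers and the ISO 17799 10.10 reference are taken from the slides, while the control ids, the SOX/GLBA/policy references and the assessment results are constructed placeholders.

```python
from collections import defaultdict

# Framework of controls. Constructed sample: the control ids and titles are
# assumptions for this example, not a published control set.
CONTROLS = {
    "NET-01": "Firewall configuration installed and maintained",
    "CFG-01": "Vendor-supplied defaults changed for passwords and parameters",
    "CRY-01": "Stored sensitive data protected",
    "CRY-02": "Cardholder and sensitive data encrypted across public networks",
    "MAL-01": "Anti-virus software used and regularly updated",
    "SDL-01": "Secure systems and applications developed and maintained",
    "ACC-01": "Access to data restricted by business need to know",
    "ACC-02": "Unique ID assigned to each person with computer access",
    "LOG-01": "Logging and automated monitoring of access to data",
}

# Requirements mapped onto the control set (many-to-many). PCI requirement
# numbers and the ISO 17799 10.10 reference are those quoted in the deck; the
# SOX, GLBA and corporate-policy entries are constructed placeholders.
MAPPING = {
    ("PCI", "Req 1"): {"NET-01"},
    ("PCI", "Req 2"): {"CFG-01"},
    ("PCI", "Req 3"): {"CRY-01"},
    ("PCI", "Req 4"): {"CRY-02"},
    ("PCI", "Req 5"): {"MAL-01"},
    ("PCI", "Req 6"): {"SDL-01"},
    ("PCI", "Req 7"): {"ACC-01"},
    ("PCI", "Req 8"): {"ACC-02"},
    ("PCI", "Req 10"): {"LOG-01"},
    ("ISO 17799", "10.10"): {"LOG-01"},
    ("SOX", "ITGC access (placeholder)"): {"ACC-01", "ACC-02", "LOG-01"},
    ("SOX", "ITGC change (placeholder)"): {"SDL-01", "LOG-01"},
    ("GLBA", "Safeguards (placeholder)"): {"CRY-01", "CRY-02", "ACC-01"},
    ("Policy", "Logging standard (placeholder)"): {"LOG-01"},
}


def requirements_per_control():
    """Invert the mapping: control id -> set of (regulation, ref) it satisfies."""
    inverted = defaultdict(set)
    for requirement, control_ids in MAPPING.items():
        for control_id in control_ids:
            inverted[control_id].add(requirement)
    return inverted


def compliance_view(results):
    """One assessment of the control set, viewed per regulation.

    results maps control id -> True (effective) / False (deficient).  A
    requirement is met only when every control mapped to it is effective;
    a control that was never assessed counts as deficient, never as met.
    """
    view = {}
    for (regulation, ref), control_ids in MAPPING.items():
        met = all(results.get(c, False) for c in control_ids)
        entry = view.setdefault(regulation, {"met": [], "gaps": []})
        entry["met" if met else "gaps"].append(ref)
    return view


def remediation_priorities(results):
    """Rank deficient controls by the number of requirements each unblocks,
    then by the number of distinct regulations, answering the deck's
    "How many compliance requirements are we solving?" question.
    Returns (control id, requirement count, sorted regulation names)."""
    inverted = requirements_per_control()
    failing = [c for c in CONTROLS if not results.get(c, False)]

    def regulations(control_id):
        return sorted({regulation for regulation, _ in inverted[control_id]})

    def rank(control_id):
        return (-len(inverted[control_id]), -len(regulations(control_id)), control_id)

    return [(c, len(inverted[c]), regulations(c)) for c in sorted(failing, key=rank)]


# Constructed assessment results for one assessment cycle.  LOG-01 is
# deliberately absent to show that an unassessed control surfaces as a gap.
SAMPLE_RESULTS = {
    "NET-01": True, "CFG-01": True, "CRY-01": True, "CRY-02": False,
    "MAL-01": False, "SDL-01": True, "ACC-01": True, "ACC-02": True,
}

if __name__ == "__main__":
    for regulation, status in compliance_view(SAMPLE_RESULTS).items():
        print(f"{regulation}: met {status['met']}, gaps {status['gaps']}")
    for control_id, count, regs in remediation_priorities(SAMPLE_RESULTS):
        print(f"{control_id}: unblocks {count} requirements across {regs}")
```

With the constructed results, the single logging control ranks first for remediation because it is the one control behind five requirements in four regimes, which is exactly the "single assessment effort provides complete view" benefit the slides claim; treating an unassessed control as deficient rather than unknown is a deliberate choice so that a gap in the assessment cannot read as compliance.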
Improve and Automate

(Cycle diagram) Drivers: Regulations, Partners/Customers, Risk Assessment → Develop program: Control Framework, Policy and Awareness → Audit and remediate: Assessments, Audits, Treat Risks → Improve and automate: Automate Process, Improve Controls
Controls Hierarchy

• Manual vs. Automated – Manual: require human intervention. Automated: rely on computers to reduce human intervention.
• Detective vs. Preventive – Detective: designed to search for and identify errors after they have occurred. Preventive: designed to discourage or preempt errors or irregularities from occurring.
Automated and Preventive
Logging and Monitoring

• Not Efficient: Reviewing logs for incidents
• Efficient: An automated method of detecting incidents
• Not Effective: Missing the incident due to human error
• Effective: Preventing the incident from occurring in the first place
Automate the Process

• How do you currently measure compliance?
• Reduce documents, spreadsheets and other forms of manual measurement
• Create dashboard approach
• Governance, Risk and Compliance toolsets
GRC Automation

Enterprise
• Enterprise Scope
• Highly Configurable
• Multiple Functions (Risk, Compliance, Policy)
• Sophisticated Workflow

Multi-Function
• Functionality More Limited
• More “out of the box”
• Modest Workflow

Single Function
• Specific Process
• Specific Standard or Regulation
• Simple Workflow
Questions?

Evan Tegethoff
Director, Risk and Compliance Management
etegethoff@accuvant.com
