• What is Compliance?
• Risk and Compliance Management
• What is a Framework?
• ISO 27001/27002 Overview
• Audit and Remediate
• Improve and Automate
What was Compliance?
What is Compliance?
• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management than it is about technology
Risk & Compliance Mgmt
[Diagram of the risk and compliance management cycle; elements: Regulations, Partners/Customers, Risk Assessment, Control Framework, Policy and Awareness, Assessments, Audits, Treat Risks, Improve Controls, Automate, Process]
Risk and Compliance Approaches
[Diagram: Regulations, Partners/Customers, Risk Assessment]
Identify Drivers
• Risk Assessment
– Identify unique risks and control requirements
• Partners / Customers
– Partners represent potential contractual risk
– Customers present privacy concerns
• Regulations
– Regulatory risk is considered as part of overall risk
Develop Program
[Diagram: Regulations, Partners/Customers and Risk Assessment feed the Control Framework; Policy and Awareness]
What is a Control?
• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific – e.g. PCI
• Custom
ISO 27001/27002
A Brief History of ISO 27002
[Diagram: two lineages from the British Standard]
• BS 7799-1 (Code of Practice): adopted as international standard ISO 17799 in 2000; revised in 2005; renumbered to 27002 in 2007
• BS 7799-2 (Specification): revised in 2002; adopted as international standard in 2005
Information Technology – ISO 27002
• Best Practices
• More depth in controls guidance
ISO 27001 – Mgmt Framework
• Information Security Management Systems – Requirements (ISMS)
– Process approach
• Understand the organization’s information security requirements and the need to establish policy
• Implement and operate controls to manage risk, in the context of business risk
• Monitor and review
• Continuous improvement
ISO 27001
[Diagram of the ISMS cycle; visible labels: Plan – Establish ISMS; Check – Monitor and Review ISMS]
ISO 27002 – Controls Framework
[Diagram: ISO 27002, Code of Practice for Information Security Management, with control areas grouped into Management Controls, Operational Controls and Technical Controls]
• Organizing Information Security
• Business Continuity Management
• IS Acquisition, Development and Maintenance
• Human Resources Security
• Physical and Environmental Security
• Access Control
• Communications and Operations Management
Practical Uses for Certification
GLBA
PCI
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access…
Controls Mapping
[Diagram: PCI, GLBA and SOX requirements map into a Framework of Controls, which maps to Corporate Policy]
Benefits:
• Framework of Controls
• Alignment of corporate policy
• Custom interpretation of regulations
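The mapping on this slide, one framework of controls satisfying requirements from several regulations, is easy to keep in a spreadsheet until an audit asks "which regulations are affected if this control fails?" The script below is an added example, not material from the deck or from the presenter; it models the mapping and answers that question, plus the coverage-gap question the remediation phase needs. The PCI requirement wording is the text quoted on the previous slide; the GLBA and SOX entries, the control IDs and the function names are constructed placeholders.

```python
"""Controls-mapping gap and impact analysis (added example, not from the deck).

One control may satisfy requirements from several regulations, and one
requirement may be backed by several controls.  Given that many-to-many
mapping, report (a) requirements with no control at all and (b) which
regulatory requirements lose all coverage when a set of controls fails audit.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requirement:
    regulation: str   # e.g. "PCI", "GLBA", "SOX"
    ref: str          # clause/requirement number within that regulation
    text: str


@dataclass
class Control:
    control_id: str
    description: str
    satisfies: set = field(default_factory=set)  # {(regulation, ref), ...}
    kind: str = "manual"        # "manual" or "automated"
    effect: str = "detective"   # "detective" or "preventive"


# Constructed catalogue.  PCI 4-8 wording is from the slide; the GLBA and SOX
# refs are placeholders, not real clause numbers.
REQUIREMENTS = [
    Requirement("PCI", "4", "Encrypt transmission of cardholder data and sensitive information across public networks"),
    Requirement("PCI", "5", "Use and regularly update anti-virus software"),
    Requirement("PCI", "6", "Develop and maintain secure systems and applications"),
    Requirement("PCI", "7", "Restrict access to data by business need to know"),
    Requirement("PCI", "8", "Assign a unique ID to each person with computer access"),
    Requirement("GLBA", "SAFEGUARDS-ACCESS", "Limit access to customer information (placeholder)"),
    Requirement("GLBA", "SAFEGUARDS-ENCRYPT", "Protect customer information in transit (placeholder)"),
    Requirement("SOX", "ITGC-ACCESS", "Unique user IDs on financial systems (placeholder)"),
    Requirement("SOX", "ITGC-CHANGE", "Change management for financial applications (placeholder)"),
]

# Constructed control framework; IDs are hypothetical.
CONTROLS = [
    Control("CTL-ENC-01", "TLS required for all external data transfers",
            {("PCI", "4"), ("GLBA", "SAFEGUARDS-ENCRYPT")}, kind="automated", effect="preventive"),
    Control("CTL-ENC-02", "IPsec VPN on partner links",
            {("GLBA", "SAFEGUARDS-ENCRYPT")}, kind="automated", effect="preventive"),
    Control("CTL-AV-01", "Endpoint anti-malware with daily signature updates",
            {("PCI", "5")}, kind="automated", effect="detective"),
    Control("CTL-ACC-01", "Role-based access reviewed quarterly",
            {("PCI", "7"), ("GLBA", "SAFEGUARDS-ACCESS")}, kind="manual", effect="preventive"),
    Control("CTL-ID-01", "Named accounts, no shared logins",
            {("PCI", "8"), ("SOX", "ITGC-ACCESS")}, kind="automated", effect="preventive"),
]


def coverage(requirements, controls):
    """Map each (regulation, ref) to the control IDs that claim to satisfy it."""
    table = {(r.regulation, r.ref): [] for r in requirements}
    for c in controls:
        for key in c.satisfies:
            if key in table:  # claims against unknown requirements are ignored
                table[key].append(c.control_id)
    return table


def gaps(requirements, controls):
    """Requirements no control maps to: the remediation backlog."""
    return sorted(key for key, ids in coverage(requirements, controls).items() if not ids)


def impact_of_failure(requirements, controls, failed_ids):
    """Requirements that lose ALL coverage when the given controls fail audit.

    A requirement still backed by another passing control is not impacted,
    which is exactly why mapping several controls to one requirement is worth
    the bookkeeping.
    """
    failed = set(failed_ids)
    impacted = {}
    for (regulation, ref), ids in coverage(requirements, controls).items():
        if ids and all(i in failed for i in ids):
            impacted.setdefault(regulation, []).append(ref)
    return {reg: sorted(refs) for reg, refs in impacted.items()}


def automation_ratio(controls):
    """Share of controls that are automated rather than manual."""
    return sum(c.kind == "automated" for c in controls) / len(controls)


if __name__ == "__main__":
    print("uncovered requirements:", gaps(REQUIREMENTS, CONTROLS))
    print("impact if CTL-ID-01 fails:", impact_of_failure(REQUIREMENTS, CONTROLS, ["CTL-ID-01"]))
    print("impact if CTL-ENC-01 fails:", impact_of_failure(REQUIREMENTS, CONTROLS, ["CTL-ENC-01"]))
    print("automated share:", automation_ratio(CONTROLS))
```

Failing CTL-ENC-01 alone impacts only PCI requirement 4, because the GLBA transit-protection placeholder is still backed by CTL-ENC-02; failing CTL-ID-01 impacts both PCI 8 and the SOX access placeholder at once. Keeping `satisfies` on the control rather than on the requirement matches how audits are run: the auditor tests a control once and the tool fans the result out to every regulation that relies on it.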
[Diagram of the risk and compliance cycle; elements: Regulations, Partners/Customers, Risk Assessment, Control Framework, Policy and Awareness, Assessments, Audits, Treat Risks]
Organization Example
[Diagram: IT Service Desk; Information Security]
[Diagram of the risk and compliance cycle; elements: Regulations, Partners/Customers, Risk Assessment, Control Framework, Policy and Awareness, Assessments, Audits, Treat Risks, Improve Controls, Automate, Process]
Controls Hierarchy
[Diagram: Manual to Automated; Detective to Preventive]
• Single Function
• Specific Process
• Specific Standard or Regulation
• Simple Workflow
Questions?
Evan Tegethoff
etegethoff@accuvant.com