What is Compliance?
Risk and Compliance Management
What is a Framework?
ISO 27001/27002 Overview
Audit and Remediate
Improve and Automate
PCI
HIPAA
FISMA
SB1386
NERC/FERC
SOX
FDA 21 CFR Part 11
What is Compliance?
Compliance should be a program based on defined requirements.
Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues.
The program is embodied by a framework.
Compliance is more about policy, process and risk management than it is about technology.
[Figure: the compliance program cycle. Drivers (Regulations, Partners/Customers, Risk Assessment) feed the Control Framework; the framework drives Policy and Awareness, then Assessments and Audits, then Treat Risks, Improve Controls and Automate Process, looping back to the framework.]
[Figure: compliance maturity stages, from Regulatory Approach through Planned, Proactive and Optimized to Sustainable. Characteristics shown: requirements are mapped to standards; a framework is in place; compliance and enterprise risk management are aligned; learning year over year; use technologies to reduce the human factor; leverage controls automation whenever possible; process is automated.]
Identify Drivers
Drivers: Regulations; Partners/Customers; Risk Assessment.
Identify Drivers
Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.
Managing compliance is fundamentally about managing risk.
Identify Drivers
Risk Assessment: identify unique risks and controls requirements.
Partners / Customers: partners represent potential contractual risk; customers present privacy concerns.
Develop Program
[Figure: drivers (Regulations, Partners/Customers, Risk Assessment) feed the Control Framework, which drives Policy and Awareness.]
What is a Control?
A control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
*Source: ITGI, COBIT 4.1
What is a Framework?
A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.
A framework is a structure upon which to build strategy, reach objectives and monitor performance.
Examples: ISO 27001/27002; COBIT; ITIL; NIST; industry-specific, e.g. PCI; custom.
ISO 27001/27002
Information Security Framework.
Requirements and guidelines for development of an ISMS (Information Security Management System).
Risk Management is a key component of the ISMS.
Part of the ISO 27000 series of security standards.
[Figure: lineage of the two standards.]
ISO/IEC 27001 (Specification; Requirements; Auditable; Certification): BS 7799-2, revised in 2002, adopted as international standard in 2005.
ISO/IEC 27002 (Code of Practice; Best Practices; "Information Technology: Code of Practice for Information Security Management"): BS 7799-2, adopted as international standard as ISO 17799 in 2000, revised in 2005, renumbered to 27002 in 2007.
ISO 27001 PDCA cycle
Plan: Establish the ISMS.
Do: Implement and Operate the ISMS.
Check: Monitor and Review the ISMS.
Act: Maintain and Improve the ISMS.
Building a Framework
Protected Information.
Internal Compliance: implement security as an integrated part of the business and as a process.
Third Party Compliance: provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.
Frameworks Comparison
Framework       | Strengths                                      | Focus
COBIT           | Strong mappings; Support of ISACA; Availability | IT Governance; Audit
ISO 27001/27002 | Global Acceptance; Certification               | Information Security Management System
ITIL            | IT Service Management; Certification           | IT Service Management
NIST 800-53     | Detailed, granular; Tiered controls; Free      | Information Systems; FISMA
FISMA
Controls Mapping
PCI
Framework of Controls
Corporate Policy
SOX
GLBA
PCI
Controls Mapping
Framework of Controls
Corporate Policy
SOX
GLBA
Controls Mapping
Framework of Controls
Benefits:
Alignment of
corporate policy
Custom interpretation
of regulations
Single assessment
effort provides
complete view
[Figure: the compliance program cycle again, with Assessments, Audits and Treat Risks highlighted.]
Organization Example
IT Service Desk: ITIL.
Information Security: ISO 27001/27002.
Software Delivery: CMMi.
Internal Audit: COBIT.
Controls Alignment
How aligned are your controls?
Assessment (Information Security, IT Risk Management); Internal Audit (IT/Financial Audit); External Audit (Regulatory and Non-Regulatory).
Remediation Priorities
Where are our greatest risks?
What controls are we fulfilling?
How many compliance requirements are we solving?
[Figure: the compliance program cycle again, with Treat Risks, Improve Controls and Automate Process highlighted.]
Controls Hierarchy
Manual vs. Automated: manual controls require human intervention; automated controls rely on computers to reduce human intervention.
Preventive vs. Detective: preventive controls are designed to discourage or preempt errors or irregularities from occurring; detective controls are an automated method of detecting incidents.
[Diagram labels: Efficient; Not Effective; Effective.]
GRC Automation
Enterprise: enterprise scope; highly configurable; multiple functions (Risk, Compliance, Policy); sophisticated workflow.
Multi-Function: functionality more limited; more out of the box; modest workflow.
Specific Process: single function; specific standard or regulation; simple workflow.
Questions?
Evan Tegethof
Director, Risk and Compliance Management
etegethoff@accuvant.com