
Agenda

What is Compliance?
Risk and Compliance Management
What is a Framework?
ISO 27001/27002 Overview
Audit and Remediate
Improve and Automate

What was Compliance?

GLBA
PCI
HIPAA
FISMA
SB1386
NERC/FERC
SOX
FDA 21 CFR Part 11

What is Compliance?

Compliance should be a program based on defined requirements
Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
The program is embodied by a framework
Compliance is more about policy, process and risk management than it is about technology

Risk & Compliance Mgmt

[Diagram: Risk & Compliance Management cycle. Drivers (Regulations, Partners/Customers, Risk Assessment) feed a Control Framework with Policy and Awareness; the framework is checked by Assessments and Audits; findings are used to Treat Risks, Improve Controls and Automate Process, which feeds back into the framework.]

Risk and Compliance Approaches

Minimal:
Annual / Project-based Approach
Minimal Repeatability
Only Use Technologies Where Explicitly Prescribed in Standards and Regulations
Minimal Automation

Sustainable:
Proactive / Planned Regulatory Approach
Learning Year over Year
A Framework is in Place
Use Technologies to Reduce Human Factor
Leverage Automation Whenever Possible

Optimized:
Requirements are Mapped to Standards
Compliance and Enterprise Risk Management are Aligned
Controls Process is Automated

Identify Drivers

[Diagram: the three drivers of the program: Regulations, Partners / Customers, Risk Assessment]

Identify Drivers

Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.
Managing compliance is fundamentally about managing risk.

Identify Drivers

Risk Assessment: identify unique risks and control requirements
Partners / Customers: partners represent potential contractual risk; customers present privacy concerns
Regulations: regulatory risk is considered as part of overall risk

Develop Program

[Diagram: Risk & Compliance Management cycle, highlighting the step where the drivers (Regulations, Partners/Customers, Risk Assessment) are turned into a Control Framework with Policy and Awareness]

What is a Control?

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
*Source: ITGI, COBIT 4.1

What is a Framework?

A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.
A framework is a structure upon which to build strategy, reach objectives and monitor performance.

Why use a framework?

Enable effective governance
Align with business goals
Standardize process and approach
Enable structured audit and/or assessment
Control cost
Comply with external requirements

Frameworks and Control Sets

ISO 27001/27002
COBIT
ITIL
NIST
Industry-specific, e.g. PCI
Custom

ISO 27001/27002

Information Security Framework
Requirements and guidelines for development of an ISMS (Information Security Management System)
Risk Management is a key component of the ISMS
Part of the ISO 27000 series of security standards

A Brief History of ISO 27001

[Timeline: BS 7799-2 (Specification) -> revised in 2002 -> adopted as international standard ISO/IEC 27001 in 2005. BS 7799-1 is the companion Code of Practice.]

A Brief History of ISO 27002

[Timeline: BS 7799-1 (Code of Practice: "Information Technology - Code of Practice for Information Security Management") -> adopted as international standard ISO 17799 in 2000 -> revised in 2005 -> renumbered to ISO/IEC 27002 in 2007. BS 7799-2 is the companion Specification.]

ISO 27001 and 27002

ISO/IEC 27001: Requirements; Auditable; Certification
ISO/IEC 27002: Best Practices; More depth in controls guidance
The two share the same Control Objectives

ISO 27001 Mgmt Framework

Information Security Management System (ISMS) Requirements
Process approach:
Understand the organization's information security requirements and the need to establish policy
Implement and operate controls to manage risk, in the context of business risk
Monitor and review
Continuous improvement

ISO 27001 (Plan-Do-Check-Act cycle)

Plan: Establish ISMS
Do: Implement and Operate ISMS
Check: Monitor and Review ISMS
Act: Maintain and Improve ISMS

ISO 27002 Controls Framework


ISO 27002 Security Control Domains
Risk Assessment and Treatment
Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

Building a Framework

[Diagram: Protected Information at the centre, surrounded by ISO 27002: Code of Practice for Information Security Management]

Practical Uses for Certification

Regulatory Compliance: Best Practice approach to handling sensitive data and the overall security program
Internal Compliance: Implement security as an integrated part of the business and as a process
Third Party Compliance: Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.

ISO 27000 Series of Standards

ISO/IEC 27000:2009 - Overview and vocabulary
ISO/IEC 27001:2005 - Requirements
ISO/IEC 27002:2005 - Code of Practice
ISO/IEC 27003 - ISMS Implementation Guidance*
ISO/IEC 27004 - Measurement*
ISO/IEC 27005:2008 - Risk Management
ISO/IEC 27006:2007 - Auditor Requirements
ISO/IEC 27007 - ISMS Audit Guidelines*
*In Development

Frameworks Comparison

Framework | Strengths | Focus
COBIT | Strong mappings; Support of ISACA; Availability | IT Governance; Audit
ISO 27001/27002 | Global Acceptance; Certification | Information Security Management System
ITIL | IT Service Management; Certification | IT Service Management
NIST 800-53 | Detailed, granular; Tiered controls; Free | Information Systems; FISMA

Controls Mapping

[Diagram: PCI DSS requirements, together with Corporate Policy, SOX and GLBA requirements, are mapped into a single Framework of Controls]

PCI Data Security Standard (first seven of the twelve requirements)
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know

Controls Mapping

[Diagram: PCI, GLBA, SOX and Corporate Policy requirements mapped onto one Framework of Controls]

Controls Mapping

Benefits of a single Framework of Controls fed by PCI, GLBA, SOX and Policy:
Alignment of corporate policy
Custom interpretation of regulations
Single assessment effort provides complete view

Logging and Monitoring

Example of one control satisfying two requirements: PCI Requirement 10 and ISO 17799 Section 10.10

Audit and Remediate

[Diagram: Risk & Compliance Management cycle, highlighting the Assessments and Audits of the Control Framework and the Treat Risks step that follows them]

Organization Example

IT Service Desk: ITIL
Information Security: ISO 27001/27002
Software Delivery: CMMi
Internal Audit: COBIT

Controls Alignment
How aligned are your controls?

Assessment (Information Security, IT Risk Management)
Internal Audit (IT/Financial Audit)
External Audit (Regulatory and Non-Regulatory)

Remediation Priorities

Where are our greatest risks?
What controls are we fulfilling?
How many compliance requirements are we solving?
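The controls-mapping slides ("single assessment effort provides complete view") and the three remediation questions above can be made concrete with a small gap-analysis script. This is an added example, not code from the deck or from the presenter's organization. The control IDs (CF-01 to CF-05), the requirement labels and the assessment results are constructed for illustration; the Logging and Monitoring control is deliberately mapped to both PCI Requirement 10 and ISO 27002 10.10, as the deck's mapping slide does.

```python
"""Controls-mapping gap analysis (added example, not from the deck).

Each control in the framework is mapped to every requirement it satisfies
(PCI, GLBA, SOX, corporate policy, ISO 27002).  A single assessment of the
control then answers "which requirements are we solving?" for all drivers at
once, and a failed control is prioritised by how many requirements it leaves
exposed once compensating controls are taken into account.
Control IDs, requirement labels and results below are constructed, not real.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    requirements: frozenset  # driver-qualified requirement IDs, e.g. "PCI:10"
    ctype: str               # "preventive" or "detective"
    mode: str                # "manual" or "automated"


# Constructed mapping (hypothetical control IDs; drivers follow the deck).
CONTROLS = [
    Control("CF-01", "Firewall configuration and rule review",
            frozenset({"PCI:1", "POLICY:NET-1"}), "preventive", "manual"),
    Control("CF-02", "No vendor-default credentials on in-scope systems",
            frozenset({"PCI:2", "GLBA:SAFEGUARDS", "POLICY:ACC-3"}), "preventive", "automated"),
    Control("CF-03", "Encryption of stored cardholder and customer data",
            frozenset({"PCI:3", "GLBA:SAFEGUARDS", "SOX:ITGC-3"}), "preventive", "automated"),
    Control("CF-04", "Centralised logging and monitoring",
            frozenset({"PCI:10", "ISO27002:10.10", "SOX:ITGC-1", "POLICY:LOG-1"}), "detective", "automated"),
    Control("CF-05", "Access restricted by business need to know",
            frozenset({"PCI:7", "SOX:ITGC-2", "GLBA:SAFEGUARDS"}), "preventive", "manual"),
]

# Constructed result of one assessment pass: True = operating effectively.
SAMPLE_RESULTS = {"CF-01": True, "CF-02": False, "CF-03": True, "CF-04": False, "CF-05": True}


def assess(controls, results):
    """One assessment pass -> per-requirement view.

    A requirement is satisfied if at least one passing control covers it;
    a control missing from `results` is treated as not assessed (failed)."""
    view = {}
    for c in controls:
        passed = results.get(c.cid, False)
        for req in c.requirements:
            entry = view.setdefault(req, {"controls": set(), "satisfied": False})
            entry["controls"].add(c.cid)
            entry["satisfied"] = entry["satisfied"] or passed
    return view


def driver_summary(view):
    """'How many compliance requirements are we solving?' per driver.
    Returns {driver: (satisfied, total)}; the driver is the prefix before ':'."""
    summary = defaultdict(lambda: [0, 0])
    for req, entry in view.items():
        driver = req.split(":", 1)[0]
        summary[driver][1] += 1
        if entry["satisfied"]:
            summary[driver][0] += 1
    return {d: tuple(v) for d, v in summary.items()}


def remediation_priority(controls, results):
    """'Where are our greatest risks?'  Failed controls ranked by the number of
    requirements that no other passing control covers.  A failure that is
    fully compensated elsewhere sorts last, with an empty exposure list."""
    view = assess(controls, results)
    ranked = []
    for c in controls:
        if results.get(c.cid, False):
            continue
        exposed = sorted(r for r in c.requirements if not view[r]["satisfied"])
        ranked.append((c.cid, exposed))
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


if __name__ == "__main__":
    for driver, (ok, total) in sorted(driver_summary(assess(CONTROLS, SAMPLE_RESULTS)).items()):
        print(f"{driver:9s} {ok}/{total} requirements satisfied")
    for cid, exposed in remediation_priority(CONTROLS, SAMPLE_RESULTS):
        print(f"remediate {cid}: exposes {exposed}")
```

Run as a script it prints the per-driver coverage and the ranked remediation list. In the constructed data CF-02 (vendor defaults) and CF-04 (logging) both fail, but CF-04 ranks first because its failure leaves four requirements with no covering control, whereas the GLBA safeguards requirement behind CF-02 is still met by CF-03 and CF-05. That compensating-control logic is what a spreadsheet of one-to-one checklists cannot show and is the point of mapping controls to multiple drivers before assessing.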

Improve and Automate

[Diagram: Risk & Compliance Management cycle, highlighting Improve Controls and Automate Process after Assessments, Audits and Treat Risks]

Controls Hierarchy

Manual vs. Automated
Manual: Require human intervention
Automated: Rely on computers to reduce human intervention

Detective vs. Preventive
Detective: Designed to search for and identify errors after they have occurred
Preventive: Designed to discourage or preempt errors or irregularities from occurring

Automated and Preventive: Logging and Monitoring

Not Efficient: Reviewing logs for incidents
Efficient: An automated method of detecting incidents
Not Effective: Missing the incident due to human error
Effective: Preventing the incident from occurring in the first place
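As an added example (not from the deck) of the "efficient" quadrant above: an automated detective control that runs a rule over every authentication log line instead of relying on a person to read them, which is the automated form of the Logging and Monitoring control mapped earlier to PCI Requirement 10 and ISO 17799 10.10. The log lines are constructed in an sshd-style format, and the failure threshold and time window are assumed values, not something the deck or PCI prescribes.

```python
"""Automated detective control over authentication logs (added example).

A human reviewer skims logs and can miss a burst of failures; the rule below
evaluates every line, keeps a sliding window of failed logins per source and
raises an event when the window reaches a threshold.  It also flags a later
successful login from a flagged source, which is the case a manual review is
most likely to miss.  Log lines, threshold and window are constructed/assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd-style line: "<ISO timestamp> <host> sshd[pid]: Failed|Accepted ... for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: one password-guessing burst that ends in success, one benign user, one non-auth line.
SAMPLE_LOG = """\
2009-03-02T08:00:01 db01 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
2009-03-02T08:00:03 db01 sshd[2012]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
2009-03-02T08:00:04 db01 sshd[2013]: Failed password for root from 203.0.113.9 port 51236 ssh2
2009-03-02T08:00:06 db01 sshd[2014]: Failed password for root from 203.0.113.9 port 51237 ssh2
2009-03-02T08:00:07 db01 sshd[2015]: Failed password for root from 203.0.113.9 port 51238 ssh2
2009-03-02T08:00:09 db01 sshd[2016]: Accepted password for root from 203.0.113.9 port 51239 ssh2
2009-03-02T08:15:00 db01 sshd[2101]: Failed password for alice from 10.0.0.5 port 40001 ssh2
2009-03-02T08:20:00 db01 sshd[2102]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
2009-03-02T08:20:01 db01 cron[2103]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse(line):
    """Return the fields of an auth line as a dict, or None for lines the rule does not care about."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of alert tuples.

    ("bruteforce", src, host, ts)             once per source when `threshold`
                                               failures fall inside `window`
    ("success_after_bruteforce", src, user, ts) for any accepted login from a
                                               source already flagged
    threshold/window are assumed tuning values for the example."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue                # non-auth line; ignored by the rule, not skipped by a tired reviewer
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        if ev["outcome"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ev["host"], ts.isoformat()))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, ev["user"], ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample the rule fires once for the burst from 203.0.113.9 and again when that source then logs in as root; alice's single failure never reaches the threshold. This is the detective half only: it finds the incident after the fact. The "effective" quadrant in the slide, preventing the incident, would be a preventive control such as account lockout or source blocking fed by the same events, and the deck's point is that both can be automated.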

Automate the Process

How do you currently measure compliance?
Reduce documents, spreadsheets and other forms of manual measurement
Create a dashboard approach
Governance, Risk and Compliance toolsets

GRC Automation

Enterprise: Enterprise Scope; Highly Configurable; Multiple Functions (Risk, Compliance, Policy); Sophisticated Workflow
Multi-Function: Functionality More Limited; More out of the box; Modest Workflow
Single Function: Specific Process; Specific Standard or Regulation; Simple Workflow

Questions?

Evan Tegethof
Director, Risk and Compliance
Management
etegethoff@accuvant.com
