Consolida9ng Compliance Audits in Order to Improve Efficiency and Improve Risk and Compliance Posture Andrew Williams, Lead, Coalfire

Size: px

Start display at page:

Download "Consolida9ng Compliance Audits in Order to Improve Efficiency and Improve Risk and Compliance Posture Andrew Williams, Lead, Coalfire"

Jacob Wilkerson
8 years ago
Views:

1 Consolida9ng Compliance Audits in Order to Improve Efficiency and Improve Risk and Compliance Posture Andrew Williams, Lead, Coalfire Professional Strategies S Fall Conference Sail to Success CRISC CGEIT CISM CISA

Andrew Williams, Lead, Coalfire Professional

2 Agenda Introduc9on Quick Background Trends in Industry Challenges Presented by these Trends How Coalfire has Responded in the Past Our Lessons Learned What We ve SeWled On 2

3 Introduc9on Not a new issue: the concept of a company combining different compliance objec9ves and risk management into an integrated program has been around for some 9me Tradi9onally, this has been very difficult to do Today, I ll share how we ve responded in the past, why we sewled on our current process, and some of our lessons learned 3

Tradi9onally, this has been very difficult to do Today, I ll share how we ve

4 Quick Background At Coalfire, our push for consolida9on was ini9ally born out of a quest for efficiency We were also having trouble effec9vely providing clients advice on how to leverage compliance to address system- wide risk, not just framework risk We began to see several other trends that make program integra9on a must- do for many companies 4

how to leverage compliance to address system- wide risk, not just framework risk We

5 First Trend: Check Boxes In the past, many enterprise, cloud and on premise IT programs have thought of compliance as a check box Breaches across the IT landscape have changed the game Complying with PCI is not the same as securing customer data. Challenge #1: Compliance Security 5

across the IT landscape have changed the game Complying with PCI is

6 Second Trend: Risk Visibility Customers oden contract us to help with a specific compliance objec9ve, and then ask the ques9on What can I do to make myself secure? Challenge #2: Working with a given compliance framework only provides a par9al or specific context for system risks. 6

7 Third Trend: Cloud Compliance in the Cloud becomes an issue of differen9a9on AWemp9ng to keep up with compliance coverage of compe9tors can result in missed expecta9ons and immense overhead. Challenge #3: Compliance programs are hard to scale efficiently 7

compe9tors can result in missed expecta9ons and immense

8 Three Challenges Challenge #1: Compliance Security Challenge #2: Working with a given compliance framework only provides a par9al or specific context to external risks. Challenge #3: Compliance programs are hard to scale efficiently 8

only provides a par9al or specific context to external

9 Different Responses In response to these trends, Coalfire went in several different direc9ons (and our clients tend to do the same): #1 Head in the sand #2 Compliance Framework Mappings #3 Enterprise GRC Tool Deployment 9

clients tend to do the same): #1 Head in the sand #2

10 Response #2: Control Mapping Pros: Excellent thought exercise to iden9fy common compliance and security concerns Effec9ve tool for comparing coverage Cons Legally Defensible is hard to ensure Hard to scale, quickly become unmanageable 10

Effec9ve tool for comparing coverage Cons Legally

11 Response #3: GRC Tools Pros Provide extremely powerful audit and risk management tools Feasible to use opera9onally Cons Oden extremely expensive Rendered ineffec9ve if deployed or managed incorrectly, which seems to happen oden 11

opera9onally Cons Oden extremely expensive Rendered

12 What s the answer? In response to these trends, Coalfire went in several different direc9ons (and our clients tend to do the same): #1 Head in the sand #2 Compliance Framework Mappings #3 Enterprise GRC Tool Deployment #4 Ar9fact and Cadence- based Approach 12

13 Our Current Approach At Coalfire, we have moved from a control- based workflow for integrated assessments to an ar9fact and cadence- based workflow for integrated programs Same deliverables and findings, but different methodology 13

ar9fact and cadence- based workflow for integrated

14 Current Approach (cont.) At its core, the issue boils down to one of project management Impossible to project manage based on seman9cs and shaky legal ground (control mappings) Unfeasible to project manage by throwing money at the problem (GRC enterprise tools) 14

Impossible to project manage based on seman9cs and shaky legal

15 Current Approach (cont.) We started by iden9fying the least common denominators Evidence Program / framework level discovery limita9ons Control cadence Iterated a few 9mes, and We had a program! In hindsight, an easily replicable process. 15

16 Results We have been able to leverage this approach to respond much more effec9vely to the trends we see Helps us move past an issue that been an obstacle for us for a long 9me Refocuses us (and by extension our clients) on risk and security posture, instead of worries about compliance overhead and barriers to entry 16

obstacle for us for a long 9me Refocuses us (and by extension our clients) on

17 Three Challenges Challenge #1: Compliance Security Challenge #2: Working with a given compliance framework only provides a par9al or specific context to external risks. Challenge #3: Integrated programs are hard to scale efficiently 17

18 Ques9ons? 18

Beyond Strategy: Building Your Mobile Capabili6es

Beyond Strategy: Building Your Mobile Capabili6es TASSCC Technology Educa6on Conference April 10, 2015 Presented by: Raj Polikepa6 Director of App Development Texas.gov Agenda ê Objec6ves of Mobile Strategy