Compliance & information security A (bit of a) rant. Jodie Siganto

Size: px

Start display at page:

Download "Compliance & information security A (bit of a) rant. Jodie Siganto"

Homer Henry
8 years ago
Views:

1 Compliance & information security A (bit of a) rant Jodie Siganto

2 Compliance Definition of compliance : the act of conforming, acquiescing, or yielding. conformity; accordance: in compliance with orders. cooperation or obedience: Compliance with the law is expected of all.

3 Compliance with what? What does compliance mean for information security? For most organisations it should mean conformance with security architecture and policies & procedures But compliance is often based on/bench marked against input from: External (and internal) auditors Consultants Vendors What do they use?

and policies & procedures But compliance is often based on/bench marked

4 Compliance with what? Standards and guides: ISO Information Management System (ISO) Qld Government IS 18: Information Security (State Government) ISM (Commonwealth Government) COBIT (ISACA) Privacy Commissioner s Guide to Protecting Personal Information (Government Regulator) PCI-DSS (Payment Card Industry i.e. Card Issuers) Control lists: SANS Top 20 ASD Top 4/Top 35 ISO Code of Practice: 114 Controls

Security (State Government) ISM (Commonwealth Government) COBIT (ISACA) Privacy Commissioner s Guide to

5 Cert Australia Survey 2013

6 Compliance Interview Results Interviewed 10 information security people Interviewees included: Security Operations Centre Manager Security Architect Governance, Risk & Compliance Consultant IT Risk Manager Security Manager Question: What standard or benchmark do you use to assess security or to determine whether you ve taken reasonable security measures

Compliance Consultant IT Risk Manager Security Manager Question: What standard or

7 Compliance Interview Results Interviewee A: Benchmark I use for information security compliance is PCI DSS, which is pitched at about the right level in terms of its verboseness, its technical detail although for those for do not understand it it becomes very overwhelming Interviewee H: Good sound practice following 27,000 standards and the other related good practice measures in addition to the Information Security Manual Interviewee J: The ISM provides minimum mandatory requirements if I see the opportunity to make it a little more than I will take the opportunity to do that if it's within the scope of what we are doing and it's not going to cost a lot of money.

standards and the other related good practice measures in addition to the Information Security Manual Interviewee J: The ISM provides minimum mandatory requirements if

8 Compliance Interview Results Interviewee B: There s a list of controls you have in your head, which are applied based on a judgment on how strong the control needs to be given the risks that you are facing. Interviewee D: There are guiding principles, which apply depending on the particular circumstances of each organisation. Standards, e.g. PCI DSS and SANS Top 20, are a way of making security information more accessible. Interviewee C: Couldn t recall the specific standard but regarded it as guidance to give a general intent or vibe rather than a prescriptive list of what the organisation can or cannot do.

Interviewee D: There are guiding principles, which apply depending on the particular circumstances of each organisation. Standards, e.g. PCI DSS and SANS Top 20, are a way of making security information more accessible.

9 Compliance Interview Results Interviewee I: Uses Gartner benchmarks and IT maturity levels. Determined what might be reasonable steps to secure the organisation s data based on what was efficient and common-sense.

Determined what might be reasonable steps to secure

10 CERT Australia Survey 2013 Increase in the number of organisations applying IT security standards (from 64% in 2012 to 83% in 2013 Decrease in the number of organisations that do not apply IT security standards (from 25% in 2012 to 13% in 2013). Increase in the number of organisations using ISO from 50% in 2012 to 83% in 2013.

organisations that do not apply IT security standards (from 25% in 2012 to 13% in

11 Compliance & Management Systems ISO created for specialised area of business management other examples include Environmental management Social responsibility management OH&S management New version of ISO aligns requirements with other management disciplines including reliance on: ISO risk management ISO auditing Main purpose of ISM is to provide information security assurance

version of ISO 27001 aligns requirements with other management disciplines including reliance on:

12 Compliance & Assurance Definition of assurance : A feeling of confidence A feeling or attitude of being certain that something is true e.g. He said it with assurance What is the relationship between compliance and assurance? Does compliance lead to assurance i.e. confidence that your systems are secure?

13 Compliance & Assurance Interviewee A: People believe they want security and when they understand that they have a fair amount of work to get there, they just want compliance. I have sat in rooms with managing directors who have said to me, I just want to do the bare minimum if you could tick the box. Which is understandable, right? Interviewee D (referring to an organisation that was certified but which had appalling security ): I just think well you may have fooled the compliance auditor but you just saw that as a compliance journey and that achieved nothing because your processes are stuffed, you've not got it, you've not understood the point. Do you know what I mean? So I guess that's my attitude towards compliance.

Interviewee D (referring to an organisation that was certified but which had appalling security ): I just think well you may have fooled the compliance auditor but you just saw that

14 Compliance, Assurance & Information Security Practitioners Is compliance or assurance recognised as a role for information security practitioners? There are lots of consultants & vendors who think so But

15 (ISC)² Global Information Security Workforce Study (2013) Governance, Risk & Compliance: 2 top activities within the category are: Developing internal security policies, standards & procedures (78%) and Auditing IT security compliance (63%) Security management: 2 top activities within the category are: Inter-departmental activities(64%) and Manage internal security awareness programs(63%)

(78%) and Auditing IT security compliance (63%) Security management: 2 top activities within the

16 Compliance, Assurance & Information Security Practitioners European Committee for Standardization: 23 job profiles in six areas of IT security: business management, technical management, design, development, service and operations, and support. Does not refer to compliance or general assurance

security: business management, technical management, design, development,

17 Compliance The story so far: There is no general understanding of what information security compliance means The main security standard(s) support assurance not compliance Information security people don t believe compliance or certification or audits provide security or assurance Compliance and general assurance aren t seen as a key role for IT Security practitioners although those tasks take up the majority of time of security executives

compliance or certification or audits provide security or assurance Compliance and general assurance aren t

18 Compliance Question: So why is compliance seen as a major driver for security? One [possible] answer: Because it s a way to engage management.

19 Information Security & Management PwC The Global State of Information Security Survey 2015 : Despite the media attention following a series of high-profile retailer breaches, many organisations have not yet elevated information security to a Board-level discussion. Fewer than half (42%) of respondents say their Board actively participates in the overall security strategy and 36% say the Board is involved in security policies. Garry Sidaway, NTT Com Security Many UK execs do not understand need for data security, study shows Nov 2014: Information security and risk management, and data breach headlines, are often seen as constraining and negative so we need to do a better job of showing the business advantages. Protiviti 2014 IT Security and Privacy Survey : Organizations with a high level of board engagement in information security risks have significantly stronger IT security profiles

Fewer than half (42%) of respondents say their Board actively participates in the overall security strategy and 36% say the Board is involved in security policies.

20 Compliance and Management Question: Is lack of management engagement with information security: Real? Reduced to a compliance issue because that it the only way for management to understand security? A result of the poor communication skills/inability of information security people to translate security into business terms?

Reduced to a compliance issue because that it the only way for management to

21 Compliance: Some Questions Things to think about: Auditing (and compliance) may be OK for checking the operation of technical controls but does it provide info about the future and the possible (rather than the probable), the black swan event? Most standard approaches to security use risk. Risk provides a veneer of objective rationality/science to information security but does it work? Is information security risk really a negotiated outcome based (at least in part) on emotion, politics and relationships? Accepted practices set the benchmark for what is reasonable. Identifying those practices relies on interactions with professional bodies. This assumes that there are professionals, experts or a community of practice who can convey those practices. Who is doing this in information security?

22 Compliance & Change We have been doing things the same way for a long time but it s not working Is it time for some new ideas? Our findings of many years following the standardization work of the ISO/IEC family of standards and its results is that in the standards revisions it is very difficult to get out-of-box thinking and to create radically new ideas to the ISM standardization in order to keep up with the general development of business environments and managerial practice. This standardization has been strongly the job of a restricted group of information security experts (mainly consultants) to whom it seems to be difficult to get out of old traditions of the information security discipline. J Antilla Integrating ISO/IEC and other Managerial Discipline Standards with Processes of Management in Organizations (2012)

23 Conclusion Information Security A call for change!

SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR

SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR Michael de Crespigny, CEO Information Security Forum Session ID: GRC R02B Session Classification: General Interest KEY ISSUE Our