Harmonizing Your Compliance and Security Objectives. Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology

Transcription

1 Harmonizing Your Compliance and Security Objectives Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology

2 Make sure efforts serve multiple purposes Use standards to guide effort Repeatable process

3 Cost Resources Timeline Makes sense

4 Business IT Client relationships Business relationships Audit

5 Senior Executives Vice Presidents and Directors Departmental Managers System Engineers Developers Business Units Internal Audit Legal

6 The real answer? It depends How many compliance and security objectives you re trying to meet How much time you have to work with Degree of harmonization required

7 Plan, plan, plan Engage Senior Management Engage Business Units Identify compliance objectives Identify security objectives Obtain standards, frameworks, tools to assist in the effort

8 Ensure there is Senior Management buy-in Ensure that sufficient dollars, time and resources will be allocated Conduct assessments of your environment so you know what to look at for harmonization Formalize your strategy and project plan

9 Conduct meeting with senior management to determine requirements Obtain a project sponsor Obtain a project champion Obtain approval for the plan

10 Schedule a meeting with the business unit managers to discuss approach and value Obtain buy-in of the business units Obtain business unit liaison for completing the work Obtain approval for the plan

11 Internal Compliance with corporate policy Internal Audit objectives for business and IT External Regulatory Financial Requests from business partners

12 Policy-oriented objectives Management-oriented objectives Operationally-oriented objectives Technically-oriented objectives

13 ISO (27002) ISO ISO BS NIST CobiT Copies of applicable regulations Others

14 SOX (Sarbanes Oxley Act: financial reporting) GLBA (Gramm-Leach-Bliley Act: financials) HIPAA (Health Insurance Portability and Accountability Act of 1996: healthcare) PCI (Payment Card Industry: Visa) North American Electric Reliability (utilities) Government requirements (FISMA et al.)

15 Security policy Personnel Security Access Control Operational Security Business Continuity/Disaster Recovery Incident Response Network Security Security Awareness, Training and Education Physical Security

16 NERC ISO (27002) CIP 2: Risk Assessment CIP 3: Information Protection CIP 4: Security Awareness Training CIP 5: Electronic Security CIP 6: Physical Security CIP 7: Systems Management CIP 8: Business Continuity CIP 9: Incident Response 4.0 Risk Assessment and Treatment (CIP 2) 5.0 Security Policy, 6.0 Organization of Information Security, 7.0 Asset Management (CIP 3) 8.0 Human Resources Security (CIP 4) 10.0 Communication and Operations Management, 11.0 Access Control (electronic), 12.0 Information Systems Acquisition, Development and Maintenance (CIP 5) 9.0 Physical and Environmental Security, 11.0 Access Control (physical) (CIP 6) 10.0 Communication and Operations Management, 12.0 Information Systems Acquisition, Development and Maintenance (CIP 7) 14.0 Business Continuity Management (CIP 8) 13.0 Information Security Incident Management (CIP 9)

17 Conduct and document a formal risk assessment (CIP 2, ISO 4.0) Create, implement, maintain, monitor and enforce a corporate security policy (CIP 3, ISO 5.0) Assess and classify information assets (CIP 3, ISO 7.0) Assign responsibilities for security (CIP 3, ISO 6.0)

18 Create, implement, maintain, monitor and enforce a formal security awareness program (CIP 4, ISO 8.0) Implement, maintain, monitor and enforce network security and monitoring controls (CIP 5, ISO 10.0, 12.0) Implement, maintain, monitor and enforce electronic access controls (CIP 5, ISO 11.0) Implement, maintain, monitor and enforce physical access controls (CIP 6, ISO 11.0)

19 Implement, maintain, monitor and enforce physical security controls (CIP 6, ISO 9.0) Implement technical vulnerability assessment (CIPs 5 and 7, ISO 12.0) Create, implement, maintain, monitor and enforce a formal business continuity plan and strategy (CIP 8, ISO 14.0) Create, implement, maintain, monitor and enforce a formal incident response plan and strategy (CIP 9, ISO 13.0)

20 Completion of the implementation activities prior will also meet regulatory requirements for SOX, GLBA, HIPAA and PCI; activities can be mapped directly to the applicable regulation

21 Create, implement, maintain, monitor and enforce a corporate security policy SOX: protection for financial reporting GLBA: assist with security and privacy provisions HIPAA: Administrative safeguard for implementation of security policy PCI: completion of implementation section for Security Policy

22 Following the guidance in the Information Security Code of Practice (ISO (27002)) can assist an organization in registering with BSI or BVQI (registrars) its Information Security Management System (ISMS: ISO 27001) Registration is viewed more positively abroad, but may be a discriminator here as well

23 Depending upon the size of the organization, it can take anywhere from 6 months to two years to complete a full security program and its corresponding components The timeframe can be jumpstarted with professional, experienced help The cost of enlisting assistance should be weighed against the benefit to the organization

24 Thank You!!