IIA Conference. September 18, Paige Needling Director, Global Information Security Recall, Inc.

Size: px

Start display at page:

Download "IIA Conference. September 18, 2015. Paige Needling Director, Global Information Security Recall, Inc."

Molly Curtis
8 years ago
Views:

1 IIA Conference September 18, 2015 Paige Needling Director, Global Information Security Recall, Inc.

2 IT SECURITY UMBRELLA Compliance for IT Data Privacy Protection Privacy Risk Assessment Vulnerability Assessment and Management Governance Oversight IT Security Training and Awareness Application Security Cost/Benefits Analysis Policies and Standards Business Continuity Management Incident Response Management 3

Security Training and Awareness Application Security Cost/Benefits Analysis

3 ISO 27001: 2013 ISO 20000: 2011 IT COMPLIANCE / CERTIFICATIONS Payment Card Industry Data Security Standard (PCI DSS v3.0) SOC2 Type 1, SOC2 Type2 Cloud Security Alliance Security Trust & Assurance Registry (CSA STAR) HIPAA Internal Audit NIST / FedRamp 4

0) SOC2 Type 1, SOC2 Type2 Cloud Security Alliance Security

4 COMPLIANCE CHALLENGES Global, Multigenerational, Multicultural Workforce (C) Complexity of GRC Regulatory Environment (M) Increased Reliance on Third Parties (C) Breaking Down Compliance Silos (C) Security/Compliance Budget (M) Achieving and Maintaining Compliance (M) Document, Measure, Repeat, Control (Managing Compliance for the Evolving Workforce May 2015); Microsoft IT Compliance Management Guide; Wikipedia 5

Security/Compliance Budget (M) Achieving and Maintaining Compliance (M) Document, Measure, Repeat, Control

5 CREATE A SECURITY-CENTRIC YET COMPLIANT CULTURE 1. STREAMLINE PROCESSES A secure and compliant culture should not be complicated, too many steps leads to confusion. 2. GAIN COMPLIANCE The law; is the law; is the law. 3. STRENGTHEN KNOWLEDGE Partner with your company s business units to ensure buy-in and understanding of the security/compliance initiatives. 4. INSTILL CULTURE Not everyone will agree with the security or compliance posture of the company. Try to understand their position. 5. EMBRACE CHANGE Change is inevitable, but misery is optional. 6. BUILD PARTNERSHIPS Partner with Security to gain funding for Compliance initiatives and remediation of gaps. 7

STRENGTHEN KNOWLEDGE Partner with your company s business units to ensure buy-in and understanding of the security/compliance initiatives. 4.

6 COMPLIANCE OPPORTUNITIES Improved oversight and effective governance Competitive advantage New business opportunities based on first in show status Privacy Regulation Compliance Builds trust and confidence with customers Improve ROI by integrating Compliance with the Business Move compliance and security to the front of the bus Increased management visibility of IT security/compliance can achieve efficiency gains and cost savings for the business 8

customers Improve ROI by integrating Compliance with the Business Move compliance and security to the front of

7 Components for an Effective IT Security and Compliance Alignment Partnership Audit Remediation Audit Management Effective Policy Management & Reporting Risk Management & Oversight Regulatory & Compliance Management Customer Relationship Management Vendor Oversight

Management & Reporting Risk Management & Oversight Regulatory &

8 Components for an Effective IT Security and Compliance Alignment Partnership Audit Management 1. Be clear about what is in scope and why? 2. Maintain communication between your POC and the progress of the audit 3. Take the time to meet in person and schedule a call cadence early on 4. Discuss finding early on for validation 10

Maintain communication between your POC and the progress of the audit 3.

9 Components for an Effective IT Security and Compliance Alignment Partnership Risk Management & Oversight 1. Ensure risks are proactively managed and communicated as part of the overall audit program. 2. Streamline the risk assessment process by customizing the common set of controls to the organization s environment. 3. Have effective remediation recommendations that are incorporated in the workflow and audit report. 11

Streamline the risk assessment process by customizing the common set of controls to the organization s

10 Components for an Effective IT Security and Compliance Alignment Partnership Vendor Oversight 1. Have an effective solution that allows you to identify, analyze and assess risk presented by third-party vendors. 2. Test annual vendor assessments on 3rd party vendors to ensure they are in compliance with the organization Vendor Policy. 3. Gain the visibility to identify vendors that represent the greatest risk. 12

11 Components for an Effective IT Security and Compliance Alignment Partnership Customer Relationship Management 1. Perform audit as if the customer s customer is standing over your shoulder. 2. Review procedures and make suggestions on efficiencies that can be gained by these reviews. 3. Track and report on the details of the audit and write the audit report as customer facing. 13

Perform audit as if the customer s customer is standing over your shoulder. 2.

12 Components for an Effective IT Security and Compliance Alignment Partnership Regulatory & Compliance Management 1. Have compliance regulations tied to controls and guidelines. 2. If possible, provide updates applied in real-time and reflected within the risk and audit process where applicable. 14

Have compliance regulations tied to controls and guidelines. 2.

13 Components for an Effective IT Security and Compliance Alignment Partnership Effective Policy Management & Reporting 1. Have an effective process that allows you to review and provide feedback as needed across the enterprise. 2. Ask for the centralized repository where materials, policies, procedures, guidelines, checklists and standards are stored and maintained up front so you aren t wasting time waiting for the organization to look for them. 3. Map policies to the organization s controls for auditing. 4. Map the organization s policies to compliance regulations and security frameworks for future audit opportunities. 15

Ask for the centralized repository where materials, policies, procedures, guidelines, checklists and standards are stored and maintained up front so you aren

14 Components for an Effective IT Security and Compliance Alignment Partnership Audit Remediation Efforts 1. Have audit conducted and ensure the results are measured against your controls for risk scoring, have reports submitted to control owners. 2. Leverage audit experience so that you are seen as a partner. 16

Have audit conducted and ensure the results are measured against your

15 Compliance: Don t Wait Until It s Too Late

16 RETAIN & GAIN It is far more expensive to acquire new customers than it is to retain existing ones. Partner early on with the business to gain buy-in and momentum for security and compliance projects. Be VERY clear about what they have to lose if you don t do this. Position yourself as a key player in driving the company s strategy. Show the compliance solutions and security gains early on Money, Money, Money!! - or We don t have any! Resources, Resources, Resources!!! - or We don t have any! 18

Be VERY clear about what they have to lose if you don t do this.

17 Don t Be The Death of The Security Professional

18 20

Paisley Enterprise GRC Audit Profile. Linda Bergs

Paisley Enterprise GRC Audit Profile Linda Bergs Successful Implementation Champion Buy-in Budget Technology Who We Are Paisley is an independent software vendor providing innovative solutions for governance,