Consolida9ng Compliance Audits in Order to Improve Efficiency and Improve Risk and Compliance Posture Andrew Williams, Lead, Coalfire

Similar documents

Beyond Strategy: Building Your Mobile Capabili6es

Project Management Introduc1on

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Marke&ng Managed Services Provider. Managed Web Search Lead Program

Stream Deployments in the Real World: Enhance Opera?onal Intelligence Across Applica?on Delivery, IT Ops, Security, and More

Introduc)on to the IoT- A methodology

What can HITRUST do for me?

How To Use Splunk For Android (Windows) With A Mobile App On A Microsoft Tablet (Windows 8) For Free (Windows 7) For A Limited Time (Windows 10) For $99.99) For Two Years (Windows 9

Gyrus: A Framework for User- Intent Monitoring of Text- Based Networked ApplicaAons

PCI DSS READINESS AND RESPONSE

Introduc4on 6/29/12. Welcome to the SAFEGUARD PROPERTIES VENDOR CONFERENCE 2012

Vulnerability Management

Ensuring Contract Compliance through integration of Ariba Contracts and SAP ECC Michael Chavez and Sean Rhoades, Deloitte Consulting LLP

Doing Big Data Projects: What s the Best Team Process Methology?

In the Cloud Risk Assessments in the Great Unknown

Case Study. The SACM Journey at the Ontario Government

The LCC Network Integrated Data Management Network GREAT NORTHERN LCC STEERING COMMITTEE MEETING MORAN, WY 25 SEPTEMBER 2011

Guide to Going Paperless in the Cloud. IDEAL.com, Parklawn Drive, Rockville, MD IDEAL -

JSR proposal: Enhanced Hybrid APIs

HIPAA and HITRUST - FAQ

What s Driving Adop2on of IT Governance? ISACA North Texas Chapter. Aus2n Hu@on Hu@on Consul2ng October 11, 2012

CDW PARTNER REVIEW GUIDE SOFTWARE LICENSE MANAGEMENT

Founda'onal IT Governance A Founda'onal Framework for Governing Enterprise IT Adapted from the ISACA COBIT 5 Framework

Effec%ve AX 2012 Upgrade Project Planning and Microso< Sure Step. Arbela Technologies

The Sumo Logic Solution: Security and Compliance

Aalborg Universitet. Cloud Governance Berthing, Hans Henrik Aabenhus. Publication date: Document Version Preprint (usually an early version)

Mobile Device Security Risks and RemediaAon Approaches

CMMI for High-Performance with TSP/PSP

VENDOR MANAGEMENT Presented By:

How To Perform a SaaS Applica7on Inventory in. 5Simple Steps. A Guide for Informa7on Security Professionals. Share this ebook

Top Practices in Health IT Compliance. Data Breach & Leading Program Prac3ces

Capital Markets and Financing State of the Industry

How Predic+ve Opera+onal Performance Can Transform a Services Organiza+on

ediscovery and Search Challenges in the De-centralized Global Enterprise

Gyrus: A Framework for User- Intent Monitoring of Text- Based Networked ApplicaAons

Integra(ng Data Analy(cs into a Risk- Based Audit Plan. Presented by: Andrew Simpson, MBA, Chief Operating Officer, CaseWare Analytics

University of Utah WAN Firewall Presenta6on

IIA Conference. September 18, Paige Needling Director, Global Information Security Recall, Inc.

Building your cloud porbolio APS Connect

PCI-DSS Penetration Testing

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Architec;ng Splunk for High Availability and Disaster Recovery

Security Compliance and Data Governance: Dual problems, single solution CON8015

Computer Security Incident Handling Detec6on and Analysis

MAXIMIZING THE SUCCESS OF YOUR E-PROCUREMENT TECHNOLOGY INVESTMENT. How to Drive Adop.on, Efficiency, and ROI for the Long Term

Fixed Scope Offering (FSO) for Oracle SRM

Developing a Full- Spectrum Security Training Program

How to manage IT Risks and IT Compliance as a Service

REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS

Project Overview. Collabora'on Mee'ng with Op'mis, Sept. 2011, Rome

Best Practices for Information Security and IT Governance. A Management Perspective

Unlock the full potential of data centre virtualisation with micro-segmentation. Making software-defined security (SDS) work for your data centre

Expert strategies for data center consolidation

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP

WORKSHOP People Change Management Strategy

What You Need to Know About CLOUD INFORMATION PROTECTION SOLUTIONS

COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30

San Jacinto College Banner & Enterprise Applica5on Review Task Force Report. November 01, 2011 FINAL

The Data Reservoir. 10 th September Mandy Chessell FREng CEng FBCS Dis4nguished Engineer, Master Inventor Chief Architect, Informa4on Solu4ons

Copyright Soleran, Inc. esalestrack On-Demand CRM. Trademarks and all rights reserved. esalestrack is a Soleran product Privacy Statement

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Compu)ng in Educa)on and Research

Update on the Cloud Demonstration Project

GRC Program Best Practices & Lessons Learned

Building an Effec.ve Cloud Security Program

PES Has The Sustainable Solu2on For Chronic Care Management

1. Introduc+on and Background. 2. Service Overview. 3. Your Requirements. Cloud Services so far Feasibility Study Next Steps Procurement, POC

Graduate Systems Engineering Programs: Report on Outcomes and Objec:ves

Driving Working Capital Op1miza1on from AP - rather than Treasury

How To Protect Yourself From A Hacker Attack

Selling Hosted MS Exchange 2010 & SharePoint

Compliance and Cloud Computing

Update on the Cloud Demonstration Project

ALP Replica,on Research Project: Implica,ons for ALP Ini,a,ves in Michigan

Investor Newsletter. Storage Made Easy Cloud Appliance High Availability Options WHAT IS THE CLOUD APPLIANCE?

Best Prac*ces in Corporate Card Expense Management May 2012

Delivering Customer Delight... One Field Agent at a Time!

A CPA recounts exponential growth in Compliance. Mary Ellen McLaughlin

STAYING SAFE IN THE CLOUD ADDRESSING SECURITY CONCERNS WITH CLOUD-BASED DATA SYSTEMS

Delivering Field Service Management... on the Microsoft Dynamics Platform

Certificate in Management Consulting Essentials. Course Overview Accredited with the Institute of Business Consulting

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

CS 91: Cloud Systems & Datacenter Networks Failures & Replica=on

Privileged Administra0on Best Prac0ces :: September 1, 2015

8 Key Requirements of an IT Governance, Risk and Compliance Solution

Saas vs. Traditional ERP: Which is Right for You?

CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT

PCI VERSION 2.0 AND RISK MANAGEMENT. Doug Landoll, CISSP, CISA, QSA, MBA Practice Director Risk and Compliance Management

FULLY INTEGRATED GOVERNANCE, RISK MANAGEMENT, COMPLIANCE AND AUDIT SOFTWARE

How to write an effec-ve DIGITAL MARKETING STRATEGY. Secrets from the professionals

10 Essential reasons to upgrade your CRM Now

Leveraging SANS and NIST to Evaluate New Security Tools

Information Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza

Introduction to QualysGuard IT Compliance SaaS Services. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

BENCHMARKING V ISUALIZATION TOOL

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Cloud Computing Security Audit

Big Data. The Big Picture. Our flexible and efficient Big Data solu9ons open the door to new opportuni9es and new business areas

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Transcription:

Consolida9ng Compliance Audits in Order to Improve Efficiency and Improve Risk and Compliance Posture Andrew Williams, Lead, Coalfire Professional Strategies S11 2013 Fall Conference Sail to Success CRISC CGEIT CISM CISA

Agenda Introduc9on Quick Background Trends in Industry Challenges Presented by these Trends How Coalfire has Responded in the Past Our Lessons Learned What We ve SeWled On 2

Introduc9on Not a new issue: the concept of a company combining different compliance objec9ves and risk management into an integrated program has been around for some 9me Tradi9onally, this has been very difficult to do Today, I ll share how we ve responded in the past, why we sewled on our current process, and some of our lessons learned 3

Quick Background At Coalfire, our push for consolida9on was ini9ally born out of a quest for efficiency We were also having trouble effec9vely providing clients advice on how to leverage compliance to address system- wide risk, not just framework risk We began to see several other trends that make program integra9on a must- do for many companies 4

First Trend: Check Boxes In the past, many enterprise, cloud and on premise IT programs have thought of compliance as a check box Breaches across the IT landscape have changed the game Complying with PCI is not the same as securing customer data. Challenge #1: Compliance Security 5

Second Trend: Risk Visibility Customers oden contract us to help with a specific compliance objec9ve, and then ask the ques9on What can I do to make myself secure? Challenge #2: Working with a given compliance framework only provides a par9al or specific context for system risks. 6

Third Trend: Cloud Compliance in the Cloud becomes an issue of differen9a9on AWemp9ng to keep up with compliance coverage of compe9tors can result in missed expecta9ons and immense overhead. Challenge #3: Compliance programs are hard to scale efficiently 7

Three Challenges Challenge #1: Compliance Security Challenge #2: Working with a given compliance framework only provides a par9al or specific context to external risks. Challenge #3: Compliance programs are hard to scale efficiently 8

Different Responses In response to these trends, Coalfire went in several different direc9ons (and our clients tend to do the same): #1 Head in the sand #2 Compliance Framework Mappings #3 Enterprise GRC Tool Deployment 9

Response #2: Control Mapping Pros: Excellent thought exercise to iden9fy common compliance and security concerns Effec9ve tool for comparing coverage Cons Legally Defensible is hard to ensure Hard to scale, quickly become unmanageable 10

Response #3: GRC Tools Pros Provide extremely powerful audit and risk management tools Feasible to use opera9onally Cons Oden extremely expensive Rendered ineffec9ve if deployed or managed incorrectly, which seems to happen oden 11

What s the answer? In response to these trends, Coalfire went in several different direc9ons (and our clients tend to do the same): #1 Head in the sand #2 Compliance Framework Mappings #3 Enterprise GRC Tool Deployment #4 Ar9fact and Cadence- based Approach 12

Our Current Approach At Coalfire, we have moved from a control- based workflow for integrated assessments to an ar9fact and cadence- based workflow for integrated programs Same deliverables and findings, but different methodology 13

Current Approach (cont.) At its core, the issue boils down to one of project management Impossible to project manage based on seman9cs and shaky legal ground (control mappings) Unfeasible to project manage by throwing money at the problem (GRC enterprise tools) 14

Current Approach (cont.) We started by iden9fying the least common denominators Evidence Program / framework level discovery limita9ons Control cadence Iterated a few 9mes, and We had a program! In hindsight, an easily replicable process. 15

Results We have been able to leverage this approach to respond much more effec9vely to the trends we see Helps us move past an issue that been an obstacle for us for a long 9me Refocuses us (and by extension our clients) on risk and security posture, instead of worries about compliance overhead and barriers to entry 16

Three Challenges Challenge #1: Compliance Security Challenge #2: Working with a given compliance framework only provides a par9al or specific context to external risks. Challenge #3: Integrated programs are hard to scale efficiently 17

Ques9ons? 18