Simplified IT Compliance Frameworks to Reduce Costs and Strengthen Security

Transcript and Presenter's Notes

1
Simplified IT Compliance Frameworks to Reduce Costs and Strengthen Security
David Simmons, Security Solution Consultant, RSA, The Security Division of EMC
2
Why is Information Security So Difficult? Because sensitive information is always moving and transforming.
(Diagram: sensitive information flowing between Business Analytics, Backup tape, Customer Portal, Disk storage, Backup disk, Outsourced Development, Enterprise email, Endpoint and Storage.)
3
Why is Information Security So Difficult? And every movement and transformation has unique risks.
(Diagram: the same data flow, with risks labelled at each point: device theft, media theft, unauthorized activity, media loss, unauthorized access, intercept, unavailability, takeover, fraud, corruption, eavesdropping, unintentional distribution, data theft, data loss, device loss and DoS; the locations shown are Business Analytics, Backup tape, Customer portal, Production Data, Disk storage, Backup disk, Outsourced Development, Enterprise email, Endpoint and Storage.)
4
Understanding Risk
Risk is the combination of the probability of an event and its consequences. (ISO definition)
  • Assets (information, infrastructure, etc.)
  • Threats (sources, objectives, methods)
  • Vulnerabilities (people, process, technology)
Managing Risk
  • Avoid: eliminate the source of the risk
  • Control: implement controls to reduce risk
  • Accept: be aware but take no action
  • Ignore: refuse to acknowledge risk
  • Transfer: assign risk to another agency
5
Risk Aligns Security Investments to Compliance Requirements
Sensitive Information
  • What information is important to the business?
  • What bad things can happen?
  • Where does it go?
(Diagram: Sensitive Information and Security Incidents mapped across Network, Endpoint, App / DB, Storage and FS/CMS.)
6
Today's Agenda
  • Compliance Landscape
  • Frameworks for Security and Compliance
  • Examples: Frameworks in Action
  • Solutions for Simplified IT Compliance

7
Why We're Here Today
  • Organizations worldwide
      • Spend heavily on compliance
      • Don't see expected security improvements
      • Have shrinking budgets
      • Need to get better value out of the investments they do make
  • RSA has an approach to help
      • Reduce costs
      • Simplify compliance
      • Improve security
      • Be proactive, instead of reactive
  • Compliance landscape
      • Industry groups
      • Business partners
      • Customers
      • Internal policy
      • Governmental
  • Ernst & Young: "In 2007, compliance remained the number one driver of information security."

8
Framework-Based Security: Preparing for Ever-Changing Compliance
(Diagram of the requirements an organization faces: PCI DSS, HIPAA, Internal Policy, GLBA, HSPD 12, CSB 1386, Country Privacy Laws, SOX, EU CDR, UK RIPA, FISMA, COCOM, Data Security Act, FACTA, EU Data Privacy, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, NISPOM, Partner Rules, ACSI 33, NIST 800 and State Privacy Laws.)
9
Reactive, Expensive IT Compliance
(Diagram: PCI DSS, Basel II, Internal Policy, Data Privacy Regulation and Partner Policy compliance each addressed separately across Network, Endpoint, App / DB, Storage and FS/CMS, with Access Control, Monitoring, Access Control and Log Management controls duplicated per regulation.)
Gartner estimates that allocating resources on a regulation-by-regulation basis means that enterprises spend an average of 150% more on compliance, largely due to duplication of effort! (Gartner for IT Leaders Overview: The IT Compliance Professional. French Caldwell, October 22, 2007)
10
Framework-Based Compliance & Security: Enabling Cost-Effective Compliance
(Diagram: the same requirements, PCI DSS, Basel II, Internal Policy, Data Privacy Regulation and Partner Policy, served across Network, Endpoint, App / DB, Storage and FS/CMS by one shared control layer: Monitor, Report, Audit; Authentication; Access Control; Encryption & Key Management; Data Loss Prevention.)
11
The Solution: Framework-based Security & Compliance
  • A security controls framework is
      • A comprehensive set of security controls (policies, procedures and technologies)
      • Based upon industry-wide best practices
      • Ideal for defining controls that should be applied in a proactive manner
      • Integrated into an organization's IT security policy
      • Applied based upon how data are classified within your organization
  • A security controls framework helps
      • Drive you to think about all the security requirements needed
      • Eliminate gaps in your security programs
      • Enable more cost-effective compliance
      • Execute your Information Risk Management strategy

"Most CISOs have realized that a principles-based framework can help them not only address multiple regulations simultaneously, but also get a more comprehensive grasp on the security universe they are responsible for." (Khalid Kark, Forrester Research)
12
Framework-Based Compliance & Security: Laying a Foundation for Policy & Controls
  • Many references
      • ISO 27002
      • Information Technology Infrastructure Library (ITIL)
      • Control Objectives for Information Technology (CoBIT)
      • Committee of Sponsoring Organizations of the Treadway Commission (COSO)

ISO 27002 Clauses
  • Risk Assessment and Treatment
  • Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resources Security
  • Physical Security
  • Communications and Ops Management
  • Access Control
  • Information Systems Acquisition, Development, Maintenance
  • Information Security Incident Management
  • Business Continuity
  • Compliance

"ISO 27002 is generally acknowledged to be the golden standard for coverage of security domain information." (Burton Group)
13
ISO 27002 Compliance Alignment
14
ISO 27002 Compliance Alignment
  • Key Best Practices
      • Security policy (ISO 27002 5)
      • Inventory of assets (ISO 27002 7.1.1)
      • Information classification (ISO 27002 7.2)
      • Physical entry control (ISO 27002 9.1.2)
      • Segregation of duties (ISO 27002 10.1.3)
      • Audit logging (ISO 27002 10.10.1)
      • Monitoring system use (ISO 27002 10.10.2)
      • User access management (ISO 27002 11.2)
      • User identification and authentication (ISO 27002 11.5.2)
      • Teleworking protection (ISO 27002 11.7.2)
      • Cryptographic controls (ISO 27002 12.3.1)
      • Data leakage prevention (ISO 27002 12.5.4)
      • Compliance monitoring (ISO 27002 15.2)

(Diagram label: Sarbanes-Oxley)
15
Framework-Based Security: Communicating Security to Partners & Customers
  • ISO 27001 and ISO 27002
      • Delivering a common language for communicating security on a global basis
      • Customers
      • Outsourcers
      • Business Partners
      • Regulators
      • Auditors
      • Non-security staff

16
Framework-Based Security: Eliminating Gaps in Your Security Program
(Diagram: Financial Records, Personal Information and Credit Card Data, contrasting Framework-Based Solutions, a comprehensive checklist of controls and a holistic view of security, with Patchwork Solutions.)
17
Aligning Compliance: Case Study, Large Telco
Result: Save Money and Time by Deploying Repeatable Controls for Multiple Requirements
1) Identify Sensitive Data Types
2) Build a Framework of Best Practices Based Upon ISO 27002 (an internal framework of policies, procedures and technologies)
3) Discover Data, Assess Risk: discover data and assets, and assess risk based on policy
4) Apply Controls in a Consistent and Repeatable Manner to Mitigate Risk and Manage Compliance: access control, logging, encryption, authentication, and other controls (policies, procedures and technologies)
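The four-step procedure above, worked as an added Python example that is not from the RSA deck: framework controls are keyed by the ISO 27002 clause numbers the deck cites, and a gap check, a control-reuse ranking and a siloed-versus-shared count show why one repeatable control serving several requirements costs less than a control per regulation. Which requirement set needs which clause is a constructed, illustrative mapping, not an authoritative one.

```python
# Framework controls, keyed by ISO 27002 clause (numbers as cited in the deck's alignment slide).
FRAMEWORK_CONTROLS = {
    "5": "Security policy",
    "7.1.1": "Inventory of assets",
    "10.1.3": "Segregation of duties",
    "10.10.1": "Audit logging",
    "11.2": "User access management",
    "11.5.2": "User identification and authentication",
    "12.3.1": "Cryptographic controls",
    "12.5.4": "Data leakage prevention",
}

# CONSTRUCTED mapping (illustrative, not authoritative): clauses each requirement set needs.
REQUIREMENTS = {
    "PCI DSS": {"5", "7.1.1", "10.10.1", "11.2", "11.5.2", "12.3.1"},
    "Basel II": {"5", "10.1.3", "10.10.1", "11.2"},
    "Internal Policy": {"5", "7.1.1", "10.10.1", "12.5.4"},
    "Data Privacy": {"7.1.1", "11.2", "12.3.1", "12.5.4"},
}

def gaps(implemented, requirements=REQUIREMENTS):
    """Per requirement set, the clauses still missing from `implemented`.
    An empty set means that requirement set is fully covered by the framework."""
    return {name: needed - set(implemented) for name, needed in requirements.items()}

def control_reuse(requirements=REQUIREMENTS):
    """Number of requirement sets each clause satisfies, highest first; a high
    score marks a 'repeatable control for multiple requirements' worth building once."""
    counts = {}
    for needed in requirements.values():
        for clause in needed:
            counts[clause] = counts.get(clause, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))

def duplication(requirements=REQUIREMENTS):
    """(controls built regulation-by-regulation, controls built once in a shared framework):
    the gap between the two numbers is the duplicated effort the deck warns about."""
    siloed = sum(len(needed) for needed in requirements.values())
    shared = len(set().union(*requirements.values()))
    return siloed, shared

if __name__ == "__main__":
    done = {"5", "7.1.1", "10.10.1", "11.2", "11.5.2", "12.3.1"}  # constructed current state
    for name, missing in gaps(done).items():
        print(name, "gaps:", sorted(FRAMEWORK_CONTROLS[c] for c in missing))
    print("reuse ranking:", control_reuse())
    print("siloed vs shared control count:", duplication())
```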
18
Components of Framework-Based Compliance & Security Programs