DSS ITSEC Conference 2012 - RISK & COMPLIANCE
Transcript of DSS ITSEC Conference 2012 - RISK & COMPLIANCE
RISK AND COMPLIANCE MANAGEMENT
EXPERIENCES
Dr. Vilius Benetis, CISA, CRISC
Email: [email protected]
2012 11 15 Riga
AFTER THE EVENT….
CONTENT
• Reasoning for compliance and risk
• Framework landscape
• Lumension Risk Manager
REASONING FOR COMPLIANCE AND RISK
• Regulations from:
– Central Bank, government, Visa/Mastercard
• Compliance – it is a cost.
– how to “optimise it”?
• Risk management –
– Security processes demand risk management
– ..mainly for investment prioritisation
– ..and it integrates tightly into auditing procedures
– Still, a subjective analysis
FORMALLY COMPLIANT
RISK AND COMPLIANCE MATHEMATICS
Risk = asset value * threat probability * vulnerability impact
Risk of non-compliance = size of fine * probability to be checked * non-compliance scope
(Jatin Sehgal, Quality Manager, EY CertifyPoint)
A VIEW ON RISK MANAGEMENT
• Probabilities of attack/threat?
• Works (rather) well for hazards
– Due to extrapolation and trending
• Works badly for huge impacts
– Impact size is limited by the value of the asset
– Human-driven InfoSec threats are difficult to monitor and predict in medium-level (maturity, size, monitoring level) organizations
• Benefits of risk management:
– Compliance, audit of information security
WHAT MUST BE PROTECTED:
• Commercial sector:
– protects services, products, secrets
• Governments:
– Protects services, citizens data, biometrics
• E-health
– health records
• SCADA
Note: in red – what can be lost only once
LOSSES
• Fraudulent transactions (stealing money)
• Stealing of sensitive data
• Theft of personal identity
• Manipulation of data in databases
• Service disruption
FRAMEWORK LANDSCAPE
• ISO 27000 family
• US FISMA family
– FIPS 199-200, NIST SP800-53, ...
• Australian DSD Top 35 (and top 4)
• SANS Top 20 Critical Controls
• COBIT 5 (for Information Security)
• PCI DSS
• OWASP family
• Microsoft SDL and related
• National frameworks
• Universal Compliance framework
FUNCTIONALITY
According to Gartner, the core IT GRCM functions are:
• Controls and policy mapping
• Policy distribution and training attestation
• IT control self-assessment and measurement
• IT GRCM asset repository
• Automated general computer control (GCC) collection
• Remediation and exception management
• Basic compliance reporting
• IT compliance dashboards
• IT risk evaluation
Organizations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance finance, operational and IT requirements at the expense of IT-centric depth.
HOW TO MANAGE A SECURITY FRAMEWORK
• How to organize security initiatives?
• How to monitor their success?
• How to build trust in one's own risk management?
• How to develop compliance management as a simple, but efficient and helpful instrument for everyone in the organization?
WHAT I LOOK FOR IN THE TOOL
• A method that makes sense
– best practice?
• Automation:
– Evaluation, delegation, review
– History tracking and review
– Reporting
– Change planning
LRM OVERVIEW
Supported mandates: Basel II, GLBA, PCI, FISMA, OMB06-16, FDCC, HIPAA, NHS, NERC, SOX, ISO/IEC, DPA…
[Architecture diagram. Elements: Automated Connectors (Lumension Patch, Scan & Configuration; Lumension Application & Device Control; 3rd Party Products); Assessment Workflow (Web-Based Surveys; Auditor / Analyst Attestation); Business Interests; Information & Processes; LRM Scoring (Pass / Fail / Partial / N/A); Compliance & Risk Reporting. Lifecycle: 1 Identify, 2 Assess, 3 Remediate, 4 Manage]
PRODUCT WORKFLOW
How it gets implemented.
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
» Identify the complete IT environment, how it supports the business, and what inherent risk it is exposed to.
[Flow diagram, steps as listed: Enumerate Business Applications; Identify Supported Business Interests; Identify Supporting IT Infrastructure; Conduct Business Impact Analysis; Complete Subject Risk Profiles; Identify High-Level Threats; Determine Compliance Requirements. Assets imported via Connectors.]
End Result
» Complete picture of all elements of the environment (Subjects)
» Mapping of Subjects to their business role
» Identification of High-Level Threats and Compliance Mandates
» Identify the required controls needed to mitigate risk and satisfy compliance mandates.
[Flow diagram, steps as listed: Defined Subjects and Risk Profiles; Mapping Rules Define Required Controls; Customer / Pro-Serve Customizes Rules; Determine Required Controls.]
End Result
» Prescription of controls needed for compliance & risk mitigation
» Automatically assess whether technical, procedural, and physical controls are in place.
[Flow diagram, steps as listed: Defined Subjects & Controls; Connectors automatically score technical Controls; Create Assessment for non-technical controls; Send surveys to system owners; Receive survey responses; Auditor / Analysts directly enter test results; Delegation / Approval Cycles; Approve & Commit assessment scores.]
End Result
» Pass / Fail / Partial scores on all subjects, all controls
» Scoring data lives in a single, organized repository
» Assessments get done faster, cheaper, and better
» Generate comprehensive reports & metrics, and prioritize remediation based on impact to metrics.
[Flow diagram, steps as listed: Complete scores on all subjects; Generate Reports & Metrics; Define Remediation Projects; Determine Impact of projects on metrics.]
End Result
» Cover-to-cover compliance reports & metrics
» Risk-based reports & metrics
» Comprehensive operational security reports & metrics
» Prioritized remediation efforts
IMPROVE MANUAL PROCESS: Excel, Email, Manual work, and Homegrown Apps
» One place to collect information
» Workflow and surveys facilitate assessment of manual controls
» Connectors automate collection of technical assessment data
» Easily generate comprehensive reports, metrics
THANK YOU!