Security & IT Governance - ISACA
(Transcript of the presentation slides)
© 2010 Protiviti Inc. An Equal Opportunity Employer.
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
Outside View of Increased Regulatory Requirements
• Regulatory compliance is often seen as “sand in the gears”: requirements that increase cost, introduce friction into business processes, and have little or no payback.
• The introduction of multiple standards and an increasingly complex regulatory environment has disrupted the IT Governance focus on improving process efficiencies.
• Limited awareness of unified mappings between new standards and requirements has resulted in duplication of effort.
• Shifts in technology usage, such as the use of Cloud Computing, have introduced new risks to businesses and uncertainty about how to mitigate these risks while continuing to meet new requirements.
Source: Gartner Research
Pressures on Business Today
(Slide diagram.) The modern enterprise faces increased accountability of boards and executives, uncertainty, variability, liability, speed, spiraling compliance costs, multiple and diverse risks, and globalization.
Governance Requirements
Legislative & Mandated
• SOX
• HIPAA/HITECH
• PCI
• NIST
• Red Flag Rules
• eDiscovery
External & non-mandated
• ISO 27001/2
• SLA
• HITRUST
• COSO
• COBIT
Internal
• SAS 70
• Internal SLAs
• Business Continuity
• Customer Requirements
Understand the external and internal governance expectations of IT, and the common controls and objectives.
Governance Requirements
ISO 27001 Compliance
• Examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts.
• Requires the organization to design and implement a coherent and comprehensive suite of information security controls.
• Brings information security under explicit management control.
PCI Compliance
• Prevents credit card fraud through increased controls around data and its exposure to compromise.
• The standard applies to all organizations which hold, process, or pass cardholder information.
SOX
• Established corporate governance standards for public companies.
• Placed responsibility on boards of directors, CEOs and CFOs to design and implement appropriate corporate governance processes.
Governance Requirements
HIPAA/HITECH
• Outlines information security requirements for health information systems and exchanges.
• Established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
• The CSF harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC).
Business Continuity
• Prepares an organization to respond to events that disrupt normal and on-going operations.
• Risk management is an essential element of business continuity.
and many more…
Governance Requirements: Typical Challenges
• Managed in silos
• Mostly reactionary projects
• Handled separately from mainstream processes and decision making
• Humans utilized as middleware
• Limited and fragmented use of technology
… leading to
• Greater risks
• More complexity
• Lower confidence
• Higher cost
Governance Requirements: Common Elements - One Framework, Multiple Standards
Compliance frameworks have been developed to simultaneously cover a wide range of standards:
• ISACA COBIT – ISACA has invested, and continues to invest, effort in mapping the COBIT framework to ISO/IEC 27002, SOX, etc. to improve control environment efficiencies.
• Unified Compliance Framework (UCF) – One of the first and largest independent initiatives to map IT controls across international regulations, standards, and best practices.
• HITRUST Common Security Framework (CSF) – Unifies all targeted frameworks and standards (COBIT, ISO, PCI, HIPAA, etc.) relevant to health care. Many portions of the framework can also aid organizations outside health care.
What is HITRUST?
• The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of the broad adoption of health information systems and exchanges.
• Industry-based collaboration among healthcare, business, technology and information security leaders has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
• The CSF is an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security, tailored to the healthcare industry.
• Beyond the establishment of the CSF, HITRUST is also driving adoption of and widespread confidence in the framework and sound risk management practices through education, advocacy and other outreach activities. Ultimately, an organization's adoption of the CSF will establish confidence in its ability to ensure the security of personal health information.
Governance Requirements: Common Elements - One Framework, Multiple Standards
(Slide diagram.) The HITRUST CSF brings together ISO 27001/2, PCI, COBIT, NIST, HIPAA Security, the HITECH Act, Meaningful Use and States into a single framework.
The HITRUST Common Security Framework (CSF) provides a valuable method to assess the security controls in a healthcare environment – and a path for continuous improvement. Because it was developed by leveraging multiple security standards and regulations, it provides a convenient single model to leverage for many of your security governance requirements.
HITRUST Common Security Framework (CSF)
• The HITRUST Common Security Framework is a viable alternative to developing a custom framework
• HITRUST unifies all targeted frameworks and standards relevant to health care
• HITRUST is constantly revised to ensure currency and relevance
• Control practices tailored to the health care environment
• Self-assessment criteria for control and supporting control practice compliance
© 2009 HITRUST LLC, Frisco, TX. All Rights Reserved.
IT Governance vs. Compliance
(Slide diagram with four quadrants; the surrounding labels read Productivity, Control Objectives (statements), Process / Regulation / Controls / Practices, and Policy / Standards.)
IT Processes – “Do it better”: Performance, Value Adding
• Val IT
• ITIL
• ISO
• Best Practices
Compliance – “Do it or else”: Check & Balance, Transparency
• Sox
• Banking Regs
• National Regs
• Other Regs
Risk Management – “Do it to protect”: Mitigation, Value Preserving
• CobiT
• Operation Risk Mgmt
• IT Security
• IT Risk Mgmt
IT Governance – “Do it right”: Strategy, Value Defining
• Reporting & Metrics
The Protiviti Governance Model
• Effective IT governance aids in addressing and mitigating some of the overall risks faced by an organization
• By implementing effective governance practices, mechanisms are established for IT to:
– Understand and manage all IT-related risks
– Optimize returns on IT-related business investments
– Deliver value from IT expenditure
– Maximize opportunities for business use of IT
– Provide appropriate IT capabilities
– Address legal and regulatory compliance
– Provide transparency and assurance that IT objectives are being achieved
The value of effective governance is improved business performance and outcomes.
Envisioning the Future State
IT Governance is defined as the ability of the enterprise’s IT function to sustain and extend the organization’s strategies and objectives.
Understand & Scope
Identify your organization’s internal & external requirements.
Establish Desired Structure
Assess Business and IT strategy to determine the proper alignment of business activities and controls.
Determine Existing Capabilities
Evaluate the existing formal and informal management practices within IT. Assess how these align with the desired structure of the governance program.
Create Plan to Enhance Existing Processes & Controls
Create a plan to enhance and formalize existing management processes.
Sustain
Measure process throughput via KPIs, monitor process performance and identify workflow constraints.
Common Governance Implementation Strategy
(Slide diagram: four pillars, each with its elements and the related service offerings.)
Program
• Policy
• Standards
• Alignment
• Metrics
• Awareness
• Training
Related services: Security Policy & Program; Security Strategy & Architecture; Security Implementation & Deployment; Security Metrics; Incident Response; Awareness & Training.
Data Centric
• Discovery
• Classification
• Data Leakage
• Encryption
• Privacy
• Compliance
• PCI, HITRUST
• Vendor Mgmt
Related services: Data Classification; Data Leakage Services; Encryption & Storage Strategy & Implementation; Privacy Management & Implementation; PCI Planning, Readiness & Compliance; HITRUST Planning, Readiness & Compliance; Other Data Compliance; Vendor Due Diligence; Other Data Security & Privacy Management.
Strength
• Servers
• Network
• Application
• Database
Related services: Infrastructure Vulnerability; Application Vulnerability; Network Vulnerability; Database Vulnerability.
ID Mgmt
• Policy
• Implementation – SSO, RBAC
• Federation
• Trusted Credentials
• Open Identities
Related services: Access Mgmt Policy & Standards; IDAM Design & Implementation; Identity Credential Selection Services; Identity Federation Strategy & Implementation.
Envisioning the Future State
What is to be measured:
• Your specific control requirements must be integrated into existing management processes.
• Consider which KPIs are needed to measure compliance, process performance and resource productivity.
• How can our KPIs be categorized by how IT manages demand and service?
What IT processes will be impacted:
• Determine the processes that will influence IT’s new KPIs:
- Security Administration
- Asset Management
- Project Management
- Security Monitoring
- Incident Management
• Establish an organizational structure and performance expectations that support the objectives.
Future State Outcomes
• Organizational Transparency
– Ongoing collaboration with the entire organization to determine current compliance requirements, overlaps amongst these requirements, and opportunities for control consolidation to improve efficiencies.
– Communication on a regular basis between IT teams to maintain standardized processes.
• Integration, Streamlined Processes, and Common Dialog
– Understanding business needs, the current IT landscape (including people, processes, and technology) and the required future state.
– Development of solid risk management strategies capable of identifying high-risk processes and the control requirements to mitigate these risks.
– Integration and standardization of activities among the entire IT team, from Help Desk to Infrastructure Support.
Future State Outcomes
• Integration, Streamlined Processes, and Common Dialog (continued)
– Proactive monitoring of Public Policy and the current Regulatory Environment in order to meet new and existing regulatory requirements.
– Automation of compliance efforts through Governance, Risk, and Compliance platforms.
• Security and Resource Efficiencies
– Controls driven by business process rather than by compliance.
– Improvement in security and monitoring from streamlined control sets.
– Increased resource efficiencies and cost savings through effectively defined roles.
Summary
• Identify and assess all of your external and internal governance requirements.
• Build a single common control framework specific to your organization – leverage existing frameworks as a starting point.
• Determine the KPIs that could be used to measure adherence.
• Identify the IT management processes that influence your control and KPI requirements.
• Determine how you can formalize and enhance those existing processes.
• Build sustainability through active management; link performance objectives to organizational objectives.
Compliance should be a byproduct of a good governance process.
Contact Us
For additional information or to receive a copy of this slide deck, please contact the presentation team:
Darren Jones
One PPG Place, Suite 2350
Pittsburgh, PA 15222
Direct: 412.402.1747
Mobile: 412.302.2978
Fax: 412.402.1764
Timothy Maloney
One PPG Place, Suite 2350
Pittsburgh, PA 15222
Direct: 412.402.1720
Mobile: 412.303.6338
Fax: 412.402.1791
Powerful Insights. Proven Delivery.™