©2016 Avanade Inc. All Rights Reserved.
Wayne Anderson, 11 November 2016
Wayne Anderson
@NoCo_Architect
GSLC, CISM, MCSE: Security, Security+, etc.
Avanade delivers innovative solutions on the Microsoft platform for thousands of enterprise clients around the world.
I focus on our readiness to meet those clients’ information security and privacy needs.
I am not an attorney. Nothing in this presentation is legal advice on whether you are or are not compliant. Please engage appropriate counsel and/or subject matter experts on the specific conditions of your program.
Director, Global Client Information Security, Avanade
Business Tension is High
Market Fragmentation: CEOs consistently see a fragmented marketplace, which requires meeting MANY standards to access clients. (Figure 4, PWC 2016 Annual Global CEO Survey)
Complexity is Challenging Business: 79% of CEOs identified "over-regulation" as a key concern for organizational growth prospects. (Figure 1, PWC 2016 Annual Global CEO Survey)
Technology Discussion is Beyond IT: By 2020, large enterprises with digital business aspirations will see business unit IT spending increase to 50% of enterprise IT spending. (Gartner, Full Transparency for Enterprise Technology Spending is a Fundamental Strategy for CIOs and CFOs)
Security is Hard in the Digital Workplace: By 2020, 60% of digital businesses will suffer failures due to the inability of security to manage digital risk. (Gartner, The Four Steps to Manage Risk and Security in Bimodal IT)
Six Degrees of Security Operations
Control Requirements: Obligations for "reasonable" business. US CA AG, US FTC, GDPR, HIPAA, cPPP
Detection and Response: Identification of high risk events, and appropriate response capabilities to limit impact to the organization.
Regulatory Reviews: Audits, scoring, regulatory fines. ENISA, FFIEC, FISMA, GDPR, AU Banking
Privacy Obligations: Rights of the individual vs. system function. GDPR, HIPAA, US FTC, JP PPC, AU Privacy Act
Data Governance: Ensuring data flows are understood, identified, classified, and associated controls are applied to assets which interact with the data.
Technology and Operations: Operating the digital perimeter, networks, and endpoints which provide the day-to-day foundation of cyber security incident prevention and detection capability.
A line between compliance and security cannot exist.
Efficiency in regulatory controls is practical security.
Business > Compliance > Intelligence
Mission. First and Foremost, Align to Business. Our budgets, our people, our focus as security professionals exist for a reason. Know that reason. Know that we exist to help the organization do something.
Context. Know what you Do. Intimately. How does your business impact the complexity of your asset set? What data do you handle? Where? Is some of it optional? What happens to the business in negative events?
Compliance. Build the Sum of your Obligations. The obligations of the modern business actually form a fairly comprehensive control map for most organizations.
Risk. Modify based on Treatment and Intel. Risk tolerance and intelligence / modelling of specific threats to your business will modify how you prioritize and invest in controls.
Start by Prioritizing your Obligations
Keys to Compliance
#1: Build a positive relationship with your legal team.
#2: A security leader must be focused on and understand the business.
#3: Prioritize your obligations.
Example: European Bank. Additive control set: the most foundational controls are prioritized highest.
CIS Top 20: applies to the entire business as a basic subset of controls
GDPR: oversight of holding subject data
Country Regulation: provides more granular guidance for local systems and locations
PCI DSS: readiness to accept and work with payment cards
ENISA: guidance to operate as a European financial institution
Map your Control Set
Keys to Compliance
#4: Map your Control Set (hint: choose a base framework)
#5: Use published audit rubrics for internal validation
Mapping matrix (image): ISO 27001 Annex A controls (A.5, A.5.1, A.6, A.6.1, A.6.2, A.7, A.7.1, A.7.2, A.7.3, A.8, A.8.1, A.8.2, ...) as columns, against Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20, and whatever other program applies as rows.
Use your base framework. Add your programs (hint: include regulatory rules and case law).
Make use of consulting, advisory, and industry resources: Gartner, Forrester, Nymity, Bloomberg; Unified Compliance Framework Common Controls Hub; EU Office of Data Protection Commissioner Guide to Audit Process; EU Directive EC 95/46 Personal Data Protection Audit Framework; US Health and Human Services Audit Protocol.
Consider whether outside counsel or consultants are of value to your organization's needs. Do you have the trusted in-house expertise necessary to change direction?
Regulatory Changes are part of your Intelligence
Keys to Compliance
#6: Invest in regulatory management tools
#7: Feeds for security and privacy changes are as necessary as malware and email intel.
Threat Intelligence: Block Lists; Network and CIRT
Legislation: Are you subject to new laws? GDPR is coming in May 2018; do you know what is different? HIPAA was updated this year. Did your program update?
Organizational Updates: As international organizations like ISO, ISACA, CIS, and others update guidance, your business needs to understand the changes; they often reflect the state of industry expectations.
Enforcement Actions: The track record of how judges and agencies interpret those rules is very important for the day-to-day guidance of how to operate and document the security program.
Are you leveraging knowledge sharing platforms? Interflow, Threat Central, Confer, ThreatConnect, etc.
Risk Management
Keys to Compliance
#8: The law is not optional.
#9: Keep good records. Look for inconsistency.
#10: Risk decisions require competency.
Mapping matrix (image): ISO 27001 Annex A controls (A.5, A.5.1, A.6, A.6.1, A.6.2, A.7, A.7.1, A.7.2, A.7.3, A.8, A.8.1, A.8.2, ...) against Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20.
Use control origins in your risk assessments. Law: prioritize up. Market-only with low exposure: prioritize down.
It is easy to say “everything applies.”
Your risk scale and criteria should have sufficient range to provide differentiation in priority and impact among “required” controls.
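As an added example that is not part of the talk, the following Python sketch applies the two rules above (use control origins in your risk assessment; give the scale enough range to separate "required" controls) to a small constructed control map: ISO 27001 Annex A identifiers as the base framework, obligations tagged with their origin (law, regulator guidance, market) and an exposure estimate, and a priority key that keeps any law-backed control above every market-only one while still differentiating within a tier. The control identifiers, obligation names, tier weights, foundational bonus and exposure values are assumptions chosen for illustration, not an assessment of any real organization.

```python
"""Prioritizing an additive control set by obligation origin.

Added illustration (not from the talk). Controls from a base framework
(ISO 27001 Annex A identifiers) are mapped to the obligations that cite
them; each obligation carries an origin and an exposure estimate. All
identifiers, names, weights and exposure values are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    """Where an obligation comes from; the value is its priority tier."""
    LAW = 3        # statute or regulation: not optional, prioritize up
    REGULATOR = 2  # supervisory guidance, e.g. ENISA, FFIEC
    MARKET = 1     # contractual or industry, e.g. PCI DSS, CIS Top 20


@dataclass(frozen=True)
class Obligation:
    name: str
    origin: Origin
    exposure: float  # 0.0-1.0: share of the business (or enforcement likelihood) in scope


@dataclass(frozen=True)
class Control:
    control_id: str       # base-framework identifier (ISO 27001 Annex A here)
    title: str
    foundational: bool    # basic hygiene that other controls depend on
    obligations: tuple    # Obligation instances that cite this control


def control_priority(control: Control) -> tuple:
    """Return a sortable (tier, weight) key.

    tier   : highest origin among the control's obligations. Any law-origin
             obligation puts the control above every market-only control,
             whatever the weights say ("the law is not optional").
    weight : differentiates controls within a tier. Law contributions count
             in full; regulator and market contributions are scaled by
             exposure, so a market-only obligation with low exposure sinks.
             Foundational controls get a fixed bonus (additive control set).
    """
    if not control.obligations:
        return (0, 0.0)
    tier = max(o.origin.value for o in control.obligations)
    weight = 0.0
    for o in control.obligations:
        contribution = float(o.origin.value)
        if o.origin is not Origin.LAW:
            contribution *= o.exposure
        weight += contribution
    if control.foundational:
        weight += 1.0
    return (tier, round(weight, 2))


def rank_controls(controls) -> list:
    """Control ids from highest to lowest priority."""
    return [c.control_id for c in sorted(controls, key=control_priority, reverse=True)]


def unmapped_obligations(controls, obligations) -> list:
    """Obligations no control in the map satisfies: a gap in the control set."""
    covered = {o for c in controls for o in c.obligations}
    return [o.name for o in obligations if o not in covered]


# Constructed sample obligations for a European bank scenario.
GDPR_ART30 = Obligation("GDPR Art. 30 records of processing", Origin.LAW, 1.0)
HIPAA_ACCESS = Obligation("HIPAA access control (US subsidiary)", Origin.LAW, 0.6)
ENISA_LOGGING = Obligation("ENISA logging guidance", Origin.REGULATOR, 0.5)
CIS_INVENTORY = Obligation("CIS Top 20 asset inventory", Origin.MARKET, 1.0)
CIS_LOGGING = Obligation("CIS Top 20 audit logs", Origin.MARKET, 1.0)
PCI_ACCESS = Obligation("PCI DSS req. 7 restrict access", Origin.MARKET, 0.2)
PCI_SECDEV = Obligation("PCI DSS req. 6 secure development", Origin.MARKET, 0.2)
PCI_PENTEST = Obligation("PCI DSS req. 11 penetration testing", Origin.MARKET, 0.2)

SAMPLE_CONTROLS = (
    Control("A.8.1.1", "Inventory of assets", True, (CIS_INVENTORY, GDPR_ART30)),
    Control("A.9.4", "System and application access control", True, (PCI_ACCESS, HIPAA_ACCESS)),
    Control("A.12.4", "Logging and monitoring", True, (ENISA_LOGGING, CIS_LOGGING)),
    Control("A.14.2", "Security in development processes", False, (PCI_SECDEV,)),
)
ALL_OBLIGATIONS = (GDPR_ART30, HIPAA_ACCESS, ENISA_LOGGING, CIS_INVENTORY,
                   CIS_LOGGING, PCI_ACCESS, PCI_SECDEV, PCI_PENTEST)

if __name__ == "__main__":
    for c in sorted(SAMPLE_CONTROLS, key=control_priority, reverse=True):
        print(c.control_id, c.title, control_priority(c))
    print("unmapped:", unmapped_obligations(SAMPLE_CONTROLS, ALL_OBLIGATIONS))
```

With this sample data the two law-backed controls rank first, the regulator-backed logging control next, and the market-only, low-exposure secure development control last; the penetration testing obligation shows up as unmapped, which is the kind of inconsistency key #9 asks you to look for.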
Translating Compliance to Practical Security
1. Build a positive relationship with your legal team.
2. A security leader must be focused on and understand the business.
3. Prioritize your obligations.
4. Map your control set.
5. Use published audit rubrics for internal validation.
6. Invest in regulatory management tools.
7. Feeds for security and privacy changes are as necessary as malware and email intel.
8. The law is not optional.
9. Keep good records. Look for inconsistency.
10. Risk decisions require competency.
Questions?
Want to see more like this? Let us know you liked it:Rate this session: oreillysecuritycon.com/eu