
Regulatory Compliance in the Real World

This informative session discusses regulatory compliance in the business world, focusing on the role individuals play in compliance and the importance of understanding and managing compliance globally. It covers laws, regulations, and related standards, as well as the impact of compliance on IT. The session provides guidance on mapping legal requirements to IT, assigning responsibilities, and implementing appropriate controls.



Presentation Transcript


  1. Regulatory Compliance in the Real World

  2. Lunch was: • Great • So-so • Ick • Who’s the genius who decided we should talk about regulation after lunch?

  3. What role do you play in compliance? • I have the direct responsibility (Compliance Officer) • I have some direct responsibility • I have little direct responsibility • I know we’re supposed to be compliant but I have no idea what that means

  4. The regulation I care about the most • Sarbanes-Oxley • HIPAA • GLBA • FISMA • Privacy (Safe Harbor, SB 1386, Identity theft) • Other

  5. Business and Technology Scenario • Many want to manage compliance globally, but are often stuck in a local/regional mode • Scope, applicability, urgency, and impact vary tremendously • Firms should understand compliance globally to develop and leverage an enterprise IT plan

  6. Laws, Regulations, and Related Standards • Corporate governance, privacy • Critical infrastructure, cybercrime • Encryption laws • Industry-specific (Slide shows a word cloud of laws, regulations and standards: 7799, CC/EAL, Homeland Security, Privacy, Corporate Governance, SEC Rule 17a-4, SEI-CMM, 95/46/EC, KonTraG, Basel II, 18 USC 2701, FFIEC, 99/93/EC, HIPAA, DPA, NIIPA, BDSG, ISF, USA PATRIOT Act, Sarbanes-Oxley, IAS, PA&PAA, 02/58/EC, SAS 70, FDA 21 CFR Part 11, SB1386, Turnbull, GLBA, Spam King II, NPP, PIPEDA, CRAMM, RIP, FERC, Safe Harbor, FRAP, ITIL, Risk Management, Encryption Laws.) WorldCom, Enron, Parmalat, spam: legislation follows public awareness

  7. (Photo caption: Bank for International Settlements in Basel) • US: federal law, state law, industry regulation, presidential directive, published guidance • Europe and EU: treaty, regulation, directive, decision, recommendation, opinion, national laws • International: OECD, Council of Europe, BIS Figure out which “requirements” apply to your organization

  8. General Legal Requirements • Keep records • Notify of events • Report regularly • Get approval from internal or external parties • Protect against unauthorized access • Disclose information • Document activities • Use best practice • Processing not allowed • Make available continuously • Perform assessment Specific requirements can be found in implementing provisions and guidance

  9. General Impacts on IT • Consolidate apps • Identity management • Additional processing • Protective controls • Audit controls • Guarantee authenticity • Increase bandwidth • Increase storage • Provide redundancy • Reconfigure • Speed up processing • Identify processing errors • Store separately • Centralize management • Use methods and standards While legislation varies, the impact on IT is often very similar

  10. Roles and Responsibilities Map: Law and Role • Assemble a multidisciplinary team • Assign lead responsibility • Identify external parties (PCAOB, DPA, CERTs, FERC, public) • Clarify role and responsibility of service providers • Identify counterparts in different geographies Assigned responsibility is a key control

  11. Mapping Legal Requirements to IT Impact (Slide shows a matrix rating each legal requirement's impact on IT as High/Medium/Low.) Many IT changes satisfy several legal requirements; identify them

  12. The 5x5 Strategy • 5 Regions: North America, EU, Australia, Russia/China, World • 5 Topics: Accounting, Corporate governance, Protect infrastructure, Regulated industry, Privacy • 5 Requirements: Document, Protect, Communicate, Audit, Sign off • 5 Roles: Legal, Security, Privacy, InfoTech, Management • 5 Actions: Define scope, Assign responsibility, Identify requirements, Evaluate impact, Implement solutions • Focus: Control access, Extend processing, Increase capacity, Authenticate The META Group 5-minute compliance takeaway

  13. Security Maturity - 2004 (Staircase chart; only the extracted labels are recoverable.) Phases, least to most mature: Blissful Ignorance, Awareness Phase, Corrective Phase, Operations Excellence Phase. Activities plotted along the staircase: (Re-)Establish Security Team; Initiate Strategic Program; Review Status Quo; Develop New Policy Set; Institute Processes; Business Change; Track Technology and Architecture; Design Maturity; Conclude Catch-Up Projects; Continuous Process Improvement. Population labels, bottom to top of the chart: 30%, 50%, 15%, 5%. Horizontal axis: time. NOTE: Population distributions represent typical, large G2000-type organizations

  14. Selecting Appropriate Controls • Identify reasonable anticipated risks using an on-going risk assessment • Identify a reasonable and appropriate set of security controls • Create a defensible case to support your decisions • Develop a proactive, process oriented security program Organizations need to build a defensible case for their control set and implementation decisions

  15. Step 1: Risk Assessment Building Blocks • Heavy formal methods are not recommended • Light, fast, scalable methods are recommended • Most critical: define the reasonably anticipated risks! • Prioritize risks by criticality and likelihood of occurrence Reasonably anticipated risks will guide the selection of appropriate controls

  16. Step 2: Effective Controls • Regulations recognize that organizations are like snowflakes, so there is built-in flexibility • Selection criteria can include the size, complexity, and capabilities of the organization • Cost can be used (carefully!) as a control selection criterion Match controls to reasonably anticipated threats!

  17. Step 3: Building a Defensible Case Key to Success • Develop a defensible case for all audiences. • Data owners • Internal auditors • External auditors • Regulatory enforcement bodies • Control the discussion by establishing a strong case for “reasonable and appropriate” • Risk assessment • Metrics to show a track record of improvement • Third-party influence

  18. Step 4: Create a Proactive Security Program (Slide shows a program diagram, labeled V3.3 draft 2.) Components: Governance, Annual Plan, Security Operations, Process Maturity, Foundation, Enforcement, Security Architecture, Awareness, Risk Management. Lifecycle: Plan, Build, Run

  19. So How Far Should You Go? • Judging how much security is enough has become one of the greatest challenges organizations face. • If a regulation requires auditing, how much auditing is enough? • If a regulation requires encryption, how much encryption is enough? • Many organizations have established requirements that have overshot the bounds of reasonable and appropriate • based on what their peers are doing and what is possible given the maturity of security solutions today.

  20. What is the focus of your monitoring? • Real-time analysis of network security events (firewalls, IDS, routers, etc) • General user activity • Privileged user activity • I just centralize logs because the auditors required it, we don’t actually look at that stuff!

  21. Example: Rightsizing Log Monitoring • Start from a clearly stated set of detection requirements and an event logging policy on the monitored systems that supports those requirements. • Apply reasonable diligence (commensurate with the value of the data) to detect the required behavior/events, and link detection to the response process where warranted. • A documented, reasonable process (manual or automated) for analyzing this data matters more than fully automated centralization and analysis. • Most logs have little value beyond a few important indicators, so retention should be justified down to as little as possible. • Some auditors will demand inordinately long retention periods: argue volume, complexity, and value versus effort.

  22. Example: Rightsizing Log Monitoring Log monitoring should not be implemented wholesale across hundreds of systems and devices, but in the following priority order: • Logins and logouts on critical systems (not necessarily useful for detection, but several regulations require it explicitly) • Perimeter security devices (e.g. firewalls, IPS, IDS) • Failed access to critical data • Successful access to critical data • Internal security devices (e.g. firewalls, IPS, IDS) • Other network devices (e.g. routers) deemed to have value against the detection requirements • Host-based security software (personal firewall/IPS)
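The following is an added example, not part of the original presentation, of what "rightsized" log monitoring from slides 21 and 22 looks like in code: detection requirements are written down first, each with a priority taken from the slide's order and a per-requirement retention period, and raw log lines are then triaged against them. Lines that serve no stated requirement are separated out so their retention can be argued down rather than defaulting to "keep everything". The log line formats, host names, data paths, and retention periods are assumptions constructed for this illustration.

```python
"""Rightsized log triage: keep only the log lines that serve a stated
detection requirement, ordered by the requirement's priority.

Added example, not from the original presentation. The syslog-style line
formats, host inventory, data paths and retention periods below are
assumptions chosen for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed inventory (would come from the risk assessment in practice).
CRITICAL_HOSTS = {"db01", "erp01"}
CRITICAL_PATHS = ("/data/ledger/", "/data/phi/")
PERIMETER_DEVICES = {"fw-edge"}
INTERNAL_DEVICES = {"fw-dc"}


@dataclass
class Event:
    host: str
    source: str          # "auth", "fw", "fileaudit" or "other"
    fields: dict


# Parsers for the constructed line formats (assumed, not a real product's).
_SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<prog>[\w\-]+)(?:\[\d+\])?: (?P<msg>.*)$")
_SSHD = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
_FW = re.compile(r"FW (?P<action>ACCEPT|DROP) IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")
_FILE = re.compile(r"^user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+) result=(?P<result>\w+)")


def parse(line: str) -> Optional[Event]:
    """Split a syslog-style line into host/program/message and normalize
    the three event types we have requirements for; anything else is
    kept as 'other' so it can be counted but not retained."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    host, prog, msg = m.group("host"), m.group("prog"), m.group("msg")
    if prog == "sshd" and (s := _SSHD.match(msg)):
        return Event(host, "auth", s.groupdict())
    if prog == "kernel" and (f := _FW.search(msg)):
        return Event(host, "fw", f.groupdict())
    if prog == "fileaudit" and (f := _FILE.match(msg)):
        return Event(host, "fileaudit", f.groupdict())
    return Event(host, "other", {"prog": prog, "msg": msg})


@dataclass
class Requirement:
    priority: int            # 1 = highest, following the slide's order
    name: str
    retention_days: int      # assumed; justified per requirement, never blanket
    match: Callable[[Event], bool]


def _critical_path(path: str) -> bool:
    return path.startswith(CRITICAL_PATHS)


# Detection requirements in the priority order given on the slide.
REQUIREMENTS: List[Requirement] = [
    Requirement(1, "login/logout on critical systems", 365,
                lambda e: e.source == "auth" and e.host in CRITICAL_HOSTS),
    Requirement(2, "perimeter security device events", 90,
                lambda e: e.source == "fw" and e.host in PERIMETER_DEVICES),
    Requirement(3, "failed access to critical data", 365,
                lambda e: e.source == "fileaudit" and e.fields["result"] == "DENIED"
                and _critical_path(e.fields["path"])),
    Requirement(4, "successful access to critical data", 180,
                lambda e: e.source == "fileaudit" and e.fields["result"] == "OK"
                and _critical_path(e.fields["path"])),
    Requirement(5, "internal security device events", 30,
                lambda e: e.source == "fw" and e.host in INTERNAL_DEVICES),
]


def classify(event: Event) -> Optional[Requirement]:
    """Highest-priority requirement the event satisfies, or None."""
    for req in sorted(REQUIREMENTS, key=lambda r: r.priority):
        if req.match(event):
            return req
    return None


def triage(lines: List[str]) -> Tuple[List[Tuple[int, str, int, str]], List[str]]:
    """Return (kept, discarded): kept lines carry (priority, requirement,
    retention_days, line) and are sorted by priority; discarded lines
    matched no requirement and need no retention beyond the default."""
    kept, discarded = [], []
    for line in lines:
        ev = parse(line)
        req = classify(ev) if ev else None
        if req:
            kept.append((req.priority, req.name, req.retention_days, line))
        else:
            discarded.append(line)
    kept.sort(key=lambda t: t[0])
    return kept, discarded


def retention_summary(kept) -> Dict[str, Dict[str, int]]:
    """Lines retained per requirement with the period that justifies them:
    the 'volume vs. value' figure to show an auditor asking for blanket retention."""
    summary: Dict[str, Dict[str, int]] = {}
    for _, name, days, _ in kept:
        summary.setdefault(name, {"lines": 0, "retention_days": days})["lines"] += 1
    return summary


# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Mar  3 09:12:01 db01 sshd[4121]: Accepted publickey for dba from 10.1.2.3 port 51234 ssh2
Mar  3 09:12:09 web07 sshd[911]: Accepted publickey for deploy from 10.1.9.8 port 40210 ssh2
Mar  3 09:13:44 fw-edge kernel: FW DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  3 09:14:02 erp01 fileaudit[77]: user=temp01 op=read path=/data/ledger/gl-2004.csv result=DENIED
Mar  3 09:14:30 erp01 fileaudit[77]: user=ctrl02 op=read path=/data/ledger/gl-2004.csv result=OK
Mar  3 09:15:00 fw-dc kernel: FW DROP IN=eth1 SRC=10.1.9.8 DST=10.2.0.5 PROTO=TCP DPT=1433
Mar  3 09:15:12 erp01 fileaudit[77]: user=ctrl02 op=read path=/tmp/scratch.txt result=OK
Mar  3 09:16:00 web07 CRON[222]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    kept, discarded = triage(SAMPLE_LOG)
    for prio, name, days, line in kept:
        print(f"P{prio} [{name}, keep {days}d] {line}")
    print(f"{len(discarded)} line(s) serve no detection requirement")
```

Note what the sample shows: the successful login on web07 and the read of /tmp/scratch.txt are well-formed events but match no requirement, so they are not retained; the login on db01 is kept only because a regulation names it, which is why the slide ranks it first despite its low detection value. Changing the inventory sets or the retention days changes the outcome without touching the parsers, which is the point of writing the requirements down before deploying collection.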

  23. Effective Controls • Accountability provides for tying actions to people and assigning necessary responsibility in a decent governance framework. • Transparency makes the operations of an organization more auditable by increasing visibility into core processes. • Measurability provides the basis for continuous improvement and allows for the creation of a baseline that can be compared. Effective controls embody these characteristics

  24. The Control Environment • Configuration and change management. • Separate development, test and production environments • Segregation of Duties (SOD) • Identification and Authentication • Clearly defined roles and responsibilities • Service level agreements (SLA) • Enforce the principle of least privilege. • Monitor, measure, report. • Compliance enforcement. • Documentation • Redirect Culture towards • Process • Formalization • Measurability • Control • There’s no official list and little guidance

  25. Understand regulatory requirements and standards • Use legal expertise, multidisciplinary teams, and a pragmatic approach • Prepare a program for future regulations and ongoing legal changes • Determine the impact on IT • Help to bundle and focus enterprisewide compliance efforts • Rightsize implementation within the flexibility of the regulations • Use “reasonable and appropriate” guided by risk assessment Get out ahead of current and future regulations

  26. Break sponsored by

  27. Audience Response Question?
