
Holistic Approach to Information Security






Presentation Transcript


  1. Holistic Approach to Information Security
     Greg Carter, Cisco Security Services Product Manager

  2. Examining the Threat Landscape
     [chart: Risk; source: www.privacyrights.org]

  3. The Twin Information Security Challenges: How to Manage Both with Limited Resources?
     • Information security threats
       • Rapidly evolving threats
       • Many distinct point solutions
       • How to best protect IT confidentiality, integrity, and availability
     • Information security compliance obligations
       • Many separate but overlapping standards
       • Regulatory: SOX, HIPAA, GLBA, state and local
       • Industry: PCI, HITRUST
       • Customer: SAS70, ISO 27001

  4. How Have These Information Security Challenges Evolved?
     [diagram: three eras]
     Era:                 1990s              2000s                                    Today and Future
     Scope:               IT Security        IT Security, IT Compliance               IT Security, IT Compliance, IT Risk
     Enterprise focus:    What Happened?     Is There an Audit Trail?                 How to Manage Risk?
     Enterprise response: Security Products  Siloed Compliance and Security Programs  Integrated Compliance and Security Programs

  5. Organizations Continue to Struggle: Addressing Information Security Threats and Compliance
     • How to prioritize limited resources
     • How to be most effective
     • How to reduce the cost
     Most organizations have addressed these challenges with siloed efforts, resulting in: high costs, fragmented teams, redundancies, unknown risks.

  6. Solution: Address Information Security Challenges Through One Program
     IT Governance, Risk Management, and Compliance (IT GRC)
     • Risk Management: How to determine the likelihood and impact of business threats and use a systematic approach, based on an organization's risk tolerance, to prioritizing resources to deal with those threats
     • Governance: How we set policies to achieve our strategic objectives and address risk, and how we set up the organizational structures and processes to see that the policies are executed successfully
     • Compliance: How we establish the controls needed to meet our governance objectives and how we validate the effectiveness of those controls
     • Common Control Framework: A unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously

  7. What Does It Mean to Address Information Security Through IT GRC?
     [diagram] Inputs to the Common Control Framework: External Authority Documents (Regulations, Contractual Requirements, Industry Standards, International Standards and Control Models); Company Vision and Strategy; Business Drivers; Risk Assessment (Threats, Vulnerabilities, Asset Inventory, Business Value). Lifecycle: Implement, Operate, Monitor (Security, Compliance), Update.

  8. Value of the IT GRC Approach
     IT GRC delivers dramatic business value (for companies with the most mature IT GRC programs; source: IT Policy Compliance Group 2008):
     • Revenue: 17% higher
     • Profit: 14% higher
     • Audit costs: 50% lower
     • Loss from loss of customer data: 96% lower
     • Business disruptions from IT: 50x less likely
     • Customer retention: 18% higher
     • Maximize reduction in IT security risk with available resources
       • Risk-based, business-focused decisions and resource prioritization
       • Raise visibility of comprehensive security posture
       • Use internationally recognized best practices
     • Reduce cost of compliance
       • One set of controls to implement and manage
       • One program to govern
       • Many compliance standards addressed

  9. Where Do I Start with IT GRC?
     Phases: Define, Assess, Remediate, Maintain. Identify and Prioritize Gaps.
     • Define Common Control Framework:
       • Identify compliance obligations
       • Asset inventory
       • Evaluate threats and vulnerabilities
       • Understand business requirements
       • Risk assessment
     • Assess Control Implementation for Presence and Effectiveness:
       • Policy controls
       • Process controls
       • Technical controls
     • Remediate Control Gaps:
       • Define and publish policies
       • Develop processes
       • Deploy security technology solutions
       • Train employees
     • Maintain Controls and Framework:
       • Operate and monitor technical controls
       • Maintain subscriptions
       • Periodic assessments
       • Evolve solutions as needed

  10. Step One: Define Common Control Framework
      • Inventory IT assets
      • Identify threats, vulnerabilities, and associated controls
        • Best practices: ISO 27002
        • Compliance: PCI, SOX, HIPAA, GLBA, etc.
        • Business, legal, contractual
      • Assess risk
      • Consolidate into a Common Control Framework (CCF)
        • Map common controls from each source
        • Eliminate duplication of overlapping controls

  11. Control Objectives Covered by ISO 27002
      • Security policy
      • Asset management
      • Information classification
      • Data loss prevention
      • Identity management
      • Access control
      • Physical security
      • HR security
      • Network security management
      • Vulnerability management
      • Email security
      • Security event and incident management
      • Security for software development, deployment and maintenance
      • Business continuity management
      • Compliance

  12. Mapping Multiple Control Sources into a Common Control Framework (CCF)
      [diagram: COBiT, ISO 27002, ITIL]
      Best Practice Frameworks:
      • COBiT: Controls for IT governance
      • ISO 27002: Subset of IT controls, focused on security, mapped to COBiT controls
      • ITIL: Subset of IT controls, focused on process, mapped to ISO

  13. Mapping Multiple Control Sources into a Common Control Framework (CCF)
      [diagram: COBiT, ISO 27002, ITIL, HIPAA, PCI, SOX]
      Compliance Standards:
      • HIPAA, SOX, PCI
      • And others (this is just a sample)
      • Many overlapping controls, de-duplicated

  14. Mapping Multiple Control Sources into a Common Control Framework (CCF)
      [diagram: COBiT, ISO 27002, ITIL, HIPAA, PCI, SOX, Business, Legal, Contractual]
      • Controls required by specific business needs

  15. Mapping Multiple Control Sources into a Common Control Framework (CCF)
      [diagram: COBiT, ISO 27002, ITIL, HIPAA, PCI, SOX, Business, Legal, Contractual]
      Result: Customized CCF
      • Security best practices
      • Applicable compliance standards
      • Business requirements
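The mapping and de-duplication described in slides 10 and 12 to 15, carried through to the gap prioritization of slides 16 and 17, as an added Python example that is not part of the presentation or of any Cisco tooling. The control identifiers, topics, assessment statuses and risk weights are constructed for illustration and do not match real ISO 27002, PCI DSS or HIPAA numbering.

```python
"""Common Control Framework (CCF) mapping and gap prioritisation.
Added example; not code from the presentation or from Cisco. Control ids,
topics and risk weights are constructed and do not match real standards."""
from collections import defaultdict

# Constructed sample: source -> list of (control id, normalised topic).
# The normalised topic is how overlapping requirements are recognised.
SOURCE_CONTROLS = {
    "ISO 27002": [("ISO-AC", "access control"), ("ISO-LOG", "security event logging"),
                  ("ISO-VM", "vulnerability management"), ("ISO-BCP", "business continuity")],
    "PCI":       [("PCI-7", "access control"), ("PCI-10", "security event logging"),
                  ("PCI-6", "vulnerability management"), ("PCI-3", "cardholder data encryption")],
    "HIPAA":     [("HIPAA-AC", "access control"), ("HIPAA-AUD", "security event logging")],
    "Business":  [("BUS-1", "customer SLA reporting")],
}

def build_ccf(sources):
    """Fold every source control into one common control per topic.
    Returns {topic: {source: [control ids]}}; a topic named by several
    sources becomes a single control that satisfies all of them."""
    ccf = defaultdict(lambda: defaultdict(list))
    for source, controls in sources.items():
        for control_id, topic in controls:
            ccf[topic][source].append(control_id)
    return {topic: dict(by_source) for topic, by_source in ccf.items()}

def dedup_savings(sources, ccf):
    """(number of source controls, number of common controls after de-duplication)."""
    return sum(len(c) for c in sources.values()), len(ccf)

def prioritised_gaps(ccf, assessed, risk_weight):
    """Rank common controls that are not yet effective, for remediation.
    assessed: {topic: "effective" | "present" | "absent"} from the assessment
    step. Priority = risk weight of the topic x obligations it satisfies."""
    gaps = []
    for topic, by_source in ccf.items():
        status = assessed.get(topic, "absent")
        if status != "effective":
            score = risk_weight.get(topic, 1) * len(by_source)
            gaps.append((score, topic, status, sorted(by_source)))
    return sorted(gaps, reverse=True)

if __name__ == "__main__":
    ccf = build_ccf(SOURCE_CONTROLS)
    print(dedup_savings(SOURCE_CONTROLS, ccf))  # (11, 6)
    assessed = {"access control": "effective", "security event logging": "present"}
    for gap in prioritised_gaps(ccf, assessed, {"vulnerability management": 5}):
        print(gap)
```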

  16. Step Two: Assess Control Implementation
      Three types of controls must be assessed for presence and effectiveness:
      • Policy controls
        • High-level to detailed security policies
      • Technical controls
        • Assessed based on security architecture best practices
        • Validated with active testing
      • Process and employee readiness controls
        • Are the processes well designed?
        • Are the processes followed?

  17. Step Three: Remediate Control Gaps
      Control gaps should be prioritized for remediation based on business risk:
      • Policy controls
        • Development of new or enhancement of existing security policies
      • Technical controls
        • Deploy new security technology solutions
        • Identify controls eligible for outsourcing
        • Identify needed subscriptions for security intelligence and signatures
      • Process and employee readiness controls
        • Develop processes
        • Train employees
        • Design ongoing awareness program

  18. Step Four: Maintain Controls
      Governance of the program is accomplished through maintaining the controls and the framework itself:
      • Ongoing maintenance of technical controls
        • Operate: ongoing monitoring and management
        • Optimize: tune and evolve security solutions as needed
      • Periodic assessments of all controls
        • For changes in control needs: threats, compliance, business
        • For control effectiveness: policy, technical, process
      • Evolve controls and CCF as needed
        • Prioritize gaps
        • Update CCF and controls

  19. How Can Cisco Help with IT GRC?
      Phases: Define, Assess, Remediate, Maintain
      • IT GRC Information Security Services
      • Security Control Assessment Services:
        • Security Policy Assessment
        • Network Security Architecture Assessment
        • Security Posture Assessment
        • Security Process Assessment
      • Security control development and deployment services
      • Security intelligence content subscriptions
      • Cisco self-defending network solutions
      • Security remote management services
      • Security optimization service
      • Security control assessment and remediation services
      * Services available from Cisco and Cisco certified partners
