
Simplified IT Compliance Frameworks to Reduce Costs and Strengthen Security


Presentation Transcript


  1. Simplified IT Compliance Frameworks to Reduce Costs and Strengthen Security
     David Simmons, Security Solution Consultant, RSA, The Security Division of EMC

  2. Why is Information Security So Difficult? …because sensitive information is always moving, transforming
     [Diagram: Production Data flowing across Network, Applications and Files layers to DR, Data warehouse, Staging, File Server, Business Analytics, Back up tape, Back up disk, Disk storage, Customer Portal, Enterprise email, Outsourced Development and Endpoint Storage, and over WAN, WWW and VPN to WW Campuses, WW Customers, WW Partners and Remote Employees]

  3. Why is Information Security So Difficult? …and every movement and transformation has unique risks
     [Same diagram as slide 2, with a risk attached to each hop: Device Theft, Device Loss, Media Theft, Media Loss, Unauthorized Activity, Unauthorized Access, Intercept, Eavesdropping, Unavailability, Takeover, Fraud, Corruption, Unintentional Distribution, Data Theft, Data Loss, DOS]

  4. Understanding Risk
     “Risk is the combination of the probability of an event and its consequences.” (ISO definition)
     Risk Components
     • Assets (Information, infrastructure, etc.)
     • Threats (Sources, Objectives & Methods)
     • Vulnerabilities (People, Process & Technology)
     Managing Risk
     • Avoid – Eliminate the source of the risk
     • Control – Implement controls to reduce risk
     • Accept – Be aware but take no action
     • Ignore – Refuse to acknowledge risk
     • Transfer – Assign risk to other agency

  5. Risk Aligns Security Investments to Compliance Requirements
     What risks are we willing to accept, what risks do we need to protect against to enable the business?
     [Diagram relating three questions to the compliance requirements PCI, SOX, HIPAA, Internal Reqs and Partner Reqs]
     • Sensitive Information – What information is important to the business? (HR Records, Card Holder Data, Health Records, Financial Results, Intellectual Property, Financial Transactions, Personal Identifiable Information, Grades, Exams, Contracts, SSN)
     • Where does it go? (Endpoint, Network, App / DB, FS/CMS, Storage)
     • What bad things can happen? Security Incidents / Risk (Unavailability, Data Corruption, Denial of Service, Eavesdropping, Media Loss, Data Theft, Device Failure, Unauthorized Activity, Device Takeover, Intercept, Lost Laptops, Unauthorized Access)

  6. Today’s Agenda
     • Compliance Landscape
     • Frameworks for Security and Compliance
     • Examples: Frameworks in Action
     • Solutions for Simplified IT Compliance

  7. Why We’re Here Today
     Organizations worldwide:
     • Spend heavily on compliance
     • Don’t see expected security improvements
     • Have shrinking budgets
     • Need to get better value out of investments they do make
     RSA has an approach to help:
     • Reduce costs
     • Simplify compliance
     • Improve security
     • Be proactive, instead of reactive
     Compliance landscape: industry groups, business partners, customers, internal policy, governmental
     “In 2007, compliance remained the number one driver of information security.” (Ernst & Young)

  8. Framework-Based Security: Preparing for Ever-Changing Compliance
     And … what’s next? PCI DSS, HIPAA, Internal Policy, GLBA, HSPD 12, CSB 1386, Country Privacy Laws, SOX, EU CDR, UK RIPA, FISMA, COCOM, Data Security Act, FACTA, EU Data Privacy, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, NISPOM, Partner Rules, ACSI 33, NIST 800, State Privacy Laws

  9. Reactive & Expensive IT Compliance
     [Diagram: each requirement (PCI DSS Compliance, Internal Policy Compliance, Partner Policy Compliance, Data Privacy Regulation Compliance, Basel II Compliance) deploys its own Encryption, Monitoring, Authentication, Access Control, NAC, Policy, Data Leakage and Log Management controls separately across Endpoint, Network, App / DB, FS/CMS and Storage]
     Gartner estimates that allocating resources on a regulation-by-regulation basis means that enterprises spend an average of 150% more on compliance, largely due to duplication of effort! (“Gartner for IT Leaders Overview: The IT Compliance Professional.” French Caldwell. October 22, 2007)

  10. Framework-Based Compliance & Security: Enabling Cost-Effective Compliance
     [Diagram: the same requirements (PCI DSS Compliance, Internal Policy Compliance, Partner Policy Compliance, Data Privacy Regulation Compliance, Basel II Compliance) share one set of controls across Endpoint, Network, App / DB, FS/CMS and Storage: Monitor, Report, Audit; Authentication; Access Control; Encryption; Key Management; Data Loss Prevention]

  11. The Solution: Framework-based Security & Compliance
     • Security controls framework is:
       • A comprehensive set of security controls (policies, procedures and technologies)
       • Based upon industry-wide best practices
       • Ideal for defining controls that should be applied in a proactive manner
       • Integrated into an organization’s IT security policy
       • Applied based upon how data are classified within your organization
     • Security controls framework helps:
       • Drive you to think about all security requirements needed
       • Eliminate gaps in your security programs
       • Enable more cost-effective compliance
       • Execute your Information Risk Management strategy
     “Most [CISOs] have realized that a principles-based framework can help them not only address multiple regulations simultaneously, but also get a more comprehensive grasp on the security universe they are responsible for.” (Khalid Kark, Forrester Research)

  12. Framework-Based Compliance & Security: Laying A Foundation for Policy & Controls
     Many references
     • ISO 27002
     • Information Technology Infrastructure Library (ITIL)
     • Control Objectives for Information Technology (CoBIT)
     • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
     ISO 27002 Clauses
     • Risk Assessment and Treatment
     • Security Policy
     • Organization of Information Security
     • Asset Management
     • Human Resources Security
     • Physical Security
     • Communications and Ops Management
     • Access Control
     • Information Systems Acquisition, Development, Maintenance
     • Information Security Incident Management
     • Business Continuity
     • Compliance
     ‘ISO [27002] is generally acknowledged to be the golden standard for coverage of security domain information.’ (Burton Group)

  13. ISO 27002 & Compliance Alignment

  14. ISO 27002 & Compliance Alignment
     Key Best Practices
     • Security policy (ISO 27002 5)
     • Inventory of assets (ISO 27002 7.1.1)
     • Information classification (ISO 27002 7.2)
     • Physical entry control (ISO 27002 9.1.2)
     • Segregation of duties (ISO 27002 10.1.3)
     • Audit logging (ISO 27002 10.10.1)
     • Monitoring system use (ISO 27002 10.10.2)
     • User access management (ISO 27002 11.2)
     • User identification and authentication (ISO 27002 11.5.2)
     • Teleworking protection (ISO 27002 11.7.2)
     • Cryptographic controls (ISO 27002 12.3.1)
     • Data leakage prevention (ISO 27002 12.5.4)
     • Compliance monitoring (ISO 27002 15.2)
     [Table mapping these practices to regulations such as Sarbanes-Oxley; only the column header survived the transcript]

  15. Framework-Based Security: Communicating Security to Partners & Customers
     ISO 27001 and ISO 27002: delivering a common language for communicating security on a global basis to
     • Customers
     • Outsourcers
     • Business Partners
     • Regulators
     • Auditors
     • Non-security staff

  16. Framework-Based Security: Eliminating Gaps in Your Security Program
     [Diagram: Patchwork Solutions versus Framework Based Solutions. The ISO 27002 Framework acts as a comprehensive checklist of controls giving a holistic view of security across Employee Records, Intellectual Property, Health Records, Financial Records, Personal Information and Credit Card Data]

  17. Aligning Compliance – Case Study: Large Telco
     1) Identify Sensitive Data Types: Cardholder Data, Financial Data, Intellectual Property, Personally Identifiable Info (driven by PCI Data Security Standard, Sarbanes-Oxley, Internal Policy, Data Privacy Regulations and Other Security Controls Frameworks)
     2) Build a Framework of Best Practices Based Upon ISO 27002: an Internal Framework of Policies, Procedures & Technologies
     3) Discover Data, Assess Risk: Discover Data and Assets, and Assess Risk Based on Policy
     4) Apply Controls in a Consistent and Repeatable Manner to Mitigate Risk & Manage Compliance: Access Control, Logging, Encryption, Authentication, plus Other Controls (Policies, Procedures and Technologies)
     Result: Save Money, Time By Deploying Repeatable Controls for Multiple Requirements

  18. Components of Framework Based Compliance & Security Programs
     Inventory & Risk Assessment
     • Identify regulated data
     • Analyze regulatory impact
     • Identify high business impact data
     • Qualify acceptable risk level for information
     Policy & Classification
     • Define information classifications
     • Define information security policy
     • Incorporate classification into policy
     Discovery
     • Discover and document assets (people, systems & information)
     • Discover and document current controls
     Implement Controls
     • Define cross-organizational control requirements
     • Implement controls (e.g., technologies, procedures)
     Monitor, Manage and Improve
     • Monitor information environment
     • Monitor & enforce compliance
     • Incorporate risk analysis into mgt. processes
