© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

  • Published on
    14-Dec-2015

  • View
    213

  • Download
    1

Embed Size (px)

Transcript

  • Slide 1

2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security Services Product Manager Slide 2 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 2 14854_10_2008_c1 Examining the Threat Landscape Risk Source: www.privacyrights.org Slide 3 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 3 14854_10_2008_c1 The Twin Information Security Challenges How to Manage Both with Limited Resources? Information security threats Rapidly evolving threats Many distinct point solutions How to best protect IT confidentiality, integrity, and availability Information security compliance obligations Many separate but overlapping standards Regulatory: SOX, HIPAA, GLBA, state and local Industry: PCI, HITRUST Customer: SAS70, ISO 27001 Slide 4 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 4 14854_10_2008_c1 How Have These Information Security Challenges Evolved? IT Compliance IT Risk IT Security Today and Future How to Manage Risk? IT Security 2000s Is There an Audit Trail? 1990s What Happened? Enterprise Focus: Enterprise Response: Integrated Compliance and Security Programs Siloed Compliance and Security Programs Security Products IT Security IT Compliance Slide 5 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 5 14854_10_2008_c1 Organization Continue to Struggle: Addressing Information Security Threats and Compliance How to prioritize limited resources How to be most effective How to reduce the cost Most Organizations Have Addressed these Challenges with Siloed Efforts Resulting in: High CostsFragmented TeamsRedundanciesUnknown Risks Slide 6 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 6 14854_10_2008_c1 Solution: Address Information Security Challenges Through One Program Risk Management: How to determine the likelihood and impact of business threats and use a systematic approach, based on an organization's risk tolerance, to prioritizing resources to deal with those threats Governance: How we set policies to achieve our strategic objectives and address risk and how we set up the organizational structures and processes to see that the policies are executed successfully Compliance: How we establish the controls needed to meet our governance objectives and how we validate the effectiveness of those controls Common Control Framework: A unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously IT Governance, Risk Management, and Compliance (IT GRC) Slide 7 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 7 14854_10_2008_c1 Implement Monitor Common Control Framework Update Operate Risk Assessment Contractual Requirements Company Vision and Strategy Business Drivers Regulations Industry Standards External Authority Documents International Standards and Control Models Asset Inventory SecurityCompliance Threats Vulnerabilities What Does It Mean to Address Information Security Through IT GRC? Business Value Slide 8 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 8 14854_10_2008_c1 Value of the IT GRC Approach IT GRC delivers dramatic business value Revenue: 17% HigherLoss from loss of customer data: 96% Lower Profit: 14% HigherBusiness disruptions from IT: 50x less likely Audit costs: 50% Lower Customer retention: 18% Higher For companies with the most mature IT GRC Programs Source: IT Policy Compliance Group 2008 Maximize reduction in IT security risk with available resources Risk-based, business-focused decisions and resource prioritization Raise visibility of comprehensive security posture Use internationally recognized best practices Reduce cost of compliance One set of controls to implement and manage One program to govern Many Compliance standards addressed Slide 9 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 9 14854_10_2008_c1 Where Do I Start with IT GRC? Identify and Prioritize Gaps Define Common Control Framework: Identify compliance obligations Asset inventory Evaluate threats and vulnerabilities Understand business requirements Risk assessment Assess Control Implementation for Presence and Effectiveness: Policy controls Process controls Technical controls Remediate Control Gaps: Define and publish policies Develop processes Deploy security technology solutions Train employees Maintain Controls and Framework: Operate and monitor technical controls Maintain subscriptions Periodic assessments Evolve solutions as needed AssessDefine MaintainRemediate Slide 10 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 10 14854_10_2008_c1 Step One: Define Common Control Framework Inventory IT assets Identify threats, vulnerabilities, and associated controls Best practices: ISO 27002 Compliance: PCI, SOX, HIPAA, GLBA, etc. Business, legal, contractual Assess risk Consolidate into a Common Control Framework (CCF) Map common controls from each source Eliminate duplication of overlapping controls Slide 11 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 11 14854_10_2008_c1 Control Objectives Covered by ISO 27002 Security policy Asset management Information classification Data loss prevention Identity management Access control Physical security HR security Network security management Vulnerability management Email security Security event and incident management Security for software development, deployment and maintenance Business continuity management Compliance Slide 12 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 12 14854_10_2008_c1 Mapping Multiple Control Sources into a Common Control Framework (CCF) Best Practice Frameworks: COBiT Controls for IT governance ISO 27002 Subset of IT controls Focused on security Mapped to COBiT controls ITIL Subset of IT controls Focused on process Mapped to ISO COBiT ISO 27002 ITIL Slide 13 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 13 14854_10_2008_c1 Mapping Multiple Control Sources into a Common Control Framework (CCF) Compliance Standards: HIPAA, SOX, PCI And others (this is just a sample) Many overlapping Controls De-duplicated COBiT ISO 27002 HIPAA SOX PCI ITIL Slide 14 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14 14854_10_2008_c1 Mapping Multiple Control Sources into a Common Control Framework (CCF) Controls required by specific business needs COBiT ISO 27002 ITIL HIPAA SOX Business, Legal, Contractual PCI Slide 15 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 15 14854_10_2008_c1 COBiT ISO 27002 ITIL HIPAA SOX Business, Legal, Contractual PCI Mapping Multiple Control Sources into a Common Control Framework (CCF) ITIL HIPAA Result Customized CCF: Security best practices Applicable compliance standards Business requirements Slide 16 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 16 14854_10_2008_c1 Step Two: Assess Control Implementation Three Types of Controls must Be Assessed for Presence and Effectiveness Policy controls High level to detailed security policies Technical controls Assessed based on security architecture best practices Validated with active testing Process and employee readiness controls Are the processes well designed? Are the processes followed? Slide 17 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 17 14854_10_2008_c1 Step Three: Remediate Control Gaps Control Gaps Should Be Prioritized for Remediation Based on Business Risk Policy controls Development of new or enhancement of existing security policies Technical controls Deploy new security technology solutions Identify controls eligible for outsourcing Identify needed subscriptions for security intelligence and signatures Process and employee readiness controls Develop processes Train employees Design ongoing awareness program Slide 18 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 18 14854_10_2008_c1 Step Four: Maintain Controls Governance of the Program Is Accomplished Through Maintaining the Controls and the Framework Itself Ongoing maintenance of technical controls Operate: ongoing monitoring and management Optimize: tune and evolve security solutions as needed Periodic assessments of all controls For changes in control needs: threats, compliance, business For control effectiveness: policy, technical, process Evolve controls and CCF as needed Prioritize gaps Update CFF and controls Slide 19 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 19 14854_10_2008_c1 How Can Cisco Help with IT GRC? IT GRC Information Security Services Security Control Assessment Services: Security Policy Assessment Network Security Architecture Assessment Security Posture Assessment Security Process Assessment Security control development and deployment services Security intelligence content subscriptions Cisco self- defending network solutions Security remote management services Security optimization service Security control assessment and remediation services *Services available from Cisco and Cisco certified partners Remediate AssessDefine Maintain Slide 20 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 20 14854_10_2008_c1

Recommended

View more >