
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

14854_10_2008_c1


Holistic Approach to Information Security

Greg Carter, Cisco Security Services Product Manager


Examining the Threat Landscape

[Chart of risk trends; source: www.privacyrights.org]


The Twin Information Security Challenges: How to Manage Both with Limited Resources?

Information security threats
  Rapidly evolving threats
  Many distinct point solutions
  How to best protect IT confidentiality, integrity, and availability

Information security compliance obligations
  Many separate but overlapping standards
  Regulatory: SOX, HIPAA, GLBA, state and local
  Industry: PCI, HITRUST
  Customer: SAS70, ISO 27001


How Have These Information Security Challenges Evolved?

Era                Enterprise Focus                       Question                   Enterprise Response
1990s              IT Security                            What Happened?             Security Products
2000s              IT Security, IT Compliance             Is There an Audit Trail?   Siloed Compliance and Security Programs
Today and Future   IT Security, IT Compliance, IT Risk    How to Manage Risk?        Integrated Compliance and Security Programs


Organizations Continue to Struggle with Addressing Information Security Threats and Compliance:
  How to prioritize limited resources
  How to be most effective
  How to reduce the cost

Most Organizations Have Addressed These Challenges with Siloed Efforts, Resulting in:
  High Costs
  Fragmented Teams
  Redundancies
  Unknown Risks


Solution: Address Information Security Challenges Through One Program

Risk Management: How to determine the likelihood and impact of business threats and use a systematic approach, based on an organization's risk tolerance, to prioritize resources to deal with those threats

Governance: How we set policies to achieve our strategic objectives and address risk and how we set up the organizational structures and processes to see that the policies are executed successfully

Compliance: How we establish the controls needed to meet our governance objectives and how we validate the effectiveness of those controls

Common Control Framework: A unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously

IT Governance, Risk Management, and Compliance (IT GRC)


What Does It Mean to Address Information Security Through IT GRC?

[Diagram: inputs feed a Common Control Framework that is implemented, operated, monitored, and updated in a continuous cycle, delivering Business Value]

Business Drivers: Company Vision and Strategy, Contractual Requirements, Regulations, Industry Standards
External Authority Documents: International Standards and Control Models
Risk Assessment inputs: Asset Inventory, Threats, Vulnerabilities, Security, Compliance
Common Control Framework lifecycle: Implement, Operate, Monitor, Update
Output: Business Value


Value of the IT GRC Approach

IT GRC delivers dramatic business value (for companies with the most mature IT GRC programs; source: IT Policy Compliance Group 2008):
  Revenue: 17% higher
  Profit: 14% higher
  Audit costs: 50% lower
  Losses from loss of customer data: 96% lower
  Business disruptions from IT: 50x less likely
  Customer retention: 18% higher

Maximize reduction in IT security risk with available resources
  Risk-based, business-focused decisions and resource prioritization
  Raise visibility of comprehensive security posture
  Use internationally recognized best practices

Reduce cost of compliance
  One set of controls to implement and manage
  One program to govern
  Many compliance standards addressed


Where Do I Start with IT GRC?

Lifecycle: Define, Assess, Remediate, Maintain

Define Common Control Framework:
  Identify compliance obligations
  Asset inventory
  Evaluate threats and vulnerabilities
  Understand business requirements
  Risk assessment

Assess Control Implementation for Presence and Effectiveness:
  Policy controls
  Process controls
  Technical controls
  Identify and prioritize gaps

Remediate Control Gaps:
  Define and publish policies
  Develop processes
  Deploy security technology solutions
  Train employees

Maintain Controls and Framework:
  Operate and monitor technical controls
  Maintain subscriptions
  Periodic assessments
  Evolve solutions as needed


Step One: Define Common Control Framework

Inventory IT assets

Identify threats, vulnerabilities, and associated controls

Best practices: ISO 27002

Compliance: PCI, SOX, HIPAA, GLBA, etc.

Business, legal, contractual

Assess risk

Consolidate into a Common Control Framework (CCF)

Map common controls from each source

Eliminate duplication of overlapping controls


Control Objectives Covered by ISO 27002

Security policy

Asset management

Information classification

Data loss prevention

Identity management

Access control

Physical security

HR security

Network security management

Vulnerability management

Email security

Security event and incident management

Security for software development, deployment and maintenance

Business continuity management

Compliance


Mapping Multiple Control Sources into a Common Control Framework (CCF)

Best Practice Frameworks:
  COBiT: Controls for IT governance
  ISO 27002: Subset of IT controls, focused on security, mapped to COBiT controls
  ITIL: Subset of IT controls, focused on process, mapped to ISO

[Diagram: overlapping COBiT, ISO 27002, and ITIL control sets]


Mapping Multiple Control Sources into a Common Control Framework (CCF)

Compliance Standards:
  HIPAA, SOX, PCI
  And others (this is just a sample)

Many overlapping controls, de-duplicated

[Diagram: HIPAA, SOX, and PCI requirements overlaid on the COBiT, ISO 27002, and ITIL control sets]


Mapping Multiple Control Sources into a Common Control Framework (CCF)

Controls required by specific business needs: business, legal, contractual

[Diagram: business, legal, and contractual controls added to the COBiT, ISO 27002, ITIL, HIPAA, SOX, and PCI control sets]


Mapping Multiple Control Sources into a Common Control Framework (CCF)

[Diagram: COBiT, ISO 27002, ITIL, HIPAA, SOX, PCI, and business/legal/contractual controls consolidated into one framework]

Result, a customized CCF covering:
  Security best practices
  Applicable compliance standards
  Business requirements
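The mapping described in Step One and in the four CCF slides above (take the requirements from each source, map each to a common control, drop the duplicates, keep traceability back to every source) is mechanical enough to script. The following is an added example, not code from the deck or from Cisco; the source names are real frameworks, but every requirement reference, wording, and review interval in it is a constructed placeholder and not an actual clause of ISO 27002, PCI, HIPAA or SOX. It also shows two checks a practitioner wants from a CCF and that the slides leave implicit: a de-duplicated control must carry the strictest parameter any mapped source demands (here, the shortest access-review interval), and any requirement with no canonical control is a framework gap to surface, not to silently drop.

```python
"""Toy Common Control Framework (CCF) builder: map requirements from several
control sources onto one de-duplicated control set with full traceability.

All requirement references, texts, and intervals below are CONSTRUCTED
placeholders for illustration; they are not real clause numbers or text from
ISO 27002, PCI DSS, HIPAA, or SOX.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Requirement:
    source: str                              # control source, e.g. "ISO 27002"
    ref: str                                 # placeholder reference within that source
    text: str                                # placeholder requirement wording
    topic: str                               # normalized topic key used for mapping
    max_interval_days: Optional[int] = None  # recurrence demanded by the source, if any


@dataclass
class CommonControl:
    ccf_id: str
    topic: str
    statement: str
    interval_days: Optional[int]             # strictest interval across mapped sources
    satisfies: List[Requirement]             # every source requirement this control covers


# The CCF's own canonical control per topic (constructed; one entry per topic).
# A topic with no entry here has no common control yet: that is a framework gap.
CANONICAL: Dict[str, tuple] = {
    "access-review": ("CCF-AC-01", "Access rights are reviewed and re-certified on a fixed schedule"),
    "access-termination": ("CCF-AC-02", "Access is revoked promptly on termination or role change"),
    "audit-logging": ("CCF-LOG-01", "Security-relevant activity is logged and reviewed"),
}

# Constructed sample obligations from several sources (placeholders, not real clauses).
SAMPLE_REQUIREMENTS: List[Requirement] = [
    Requirement("ISO 27002", "ISO-AC-1", "Review user access rights at regular intervals", "access-review", 365),
    Requirement("PCI", "PCI-AC-1", "Revoke access for terminated users", "access-termination"),
    Requirement("PCI", "PCI-AC-2", "Review accounts and privileges semi-annually", "access-review", 180),
    Requirement("HIPAA", "HIPAA-AC-1", "Procedures for terminating access", "access-termination"),
    Requirement("SOX", "SOX-AC-1", "Periodic review of access to financial systems", "access-review"),
    Requirement("HIPAA", "HIPAA-LOG-1", "Record and examine system activity", "audit-logging"),
    Requirement("PCI", "PCI-LOG-1", "Retain audit trail history for a defined period", "log-retention"),
    Requirement("Business", "CONTRACT-7", "Customer contract requires quarterly access certification", "access-review", 90),
]


def build_ccf(reqs: List[Requirement]) -> Dict[str, CommonControl]:
    """Group requirements by topic and collapse each group into one common control.

    De-duplication keeps the STRICTEST parameter any source demands, so a control
    written to the loosest standard cannot silently fail the tighter one.
    """
    by_topic: Dict[str, List[Requirement]] = defaultdict(list)
    for r in reqs:
        by_topic[r.topic].append(r)

    ccf: Dict[str, CommonControl] = {}
    for topic, group in by_topic.items():
        if topic not in CANONICAL:
            continue  # reported separately by unmapped(); never dropped quietly
        ccf_id, statement = CANONICAL[topic]
        intervals = [r.max_interval_days for r in group if r.max_interval_days is not None]
        ccf[ccf_id] = CommonControl(ccf_id, topic, statement,
                                    min(intervals) if intervals else None, group)
    return ccf


def unmapped(reqs: List[Requirement]) -> List[Requirement]:
    """Requirements whose topic has no canonical control: gaps in the framework itself."""
    return [r for r in reqs if r.topic not in CANONICAL]


def traceability(ccf: Dict[str, CommonControl]) -> Dict[str, Dict[str, str]]:
    """Per source, which common control satisfies each of its requirements (audit evidence map)."""
    matrix: Dict[str, Dict[str, str]] = defaultdict(dict)
    for control in ccf.values():
        for r in control.satisfies:
            matrix[r.source][r.ref] = control.ccf_id
    return dict(matrix)


def summary(reqs: List[Requirement]) -> Dict[str, int]:
    """Counts a program manager would report: inputs, de-duplicated controls, gaps."""
    ccf = build_ccf(reqs)
    return {"requirements": len(reqs), "common_controls": len(ccf), "unmapped": len(unmapped(reqs))}


if __name__ == "__main__":
    ccf = build_ccf(SAMPLE_REQUIREMENTS)
    for c in ccf.values():
        print(f"{c.ccf_id}: {c.statement} (interval: {c.interval_days} days) "
              f"<- {[r.ref for r in c.satisfies]}")
    for r in unmapped(SAMPLE_REQUIREMENTS):
        print(f"GAP: {r.source} {r.ref} has no common control yet ({r.topic})")
    print(summary(SAMPLE_REQUIREMENTS))
```

Eight placeholder requirements collapse to three common controls, the access-review control inherits the 90-day interval from the contractual requirement rather than the 365-day one from the best-practice source, and the retention requirement is reported as a gap because the framework has no canonical control for it yet. The traceability matrix is what an auditor for any single standard is shown: their references, each pointing at the one control that satisfies it.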


Step Two: Assess Control Implementation

Three Types of Controls Must Be Assessed for Presence and Effectiveness

Policy controls

High level to detailed security policies

Technical controls

Assessed based on security architecture best practices

Validated with active testing

Process and employee readiness controls

Are the processes well designed?

Are the processes followed?


Step Three: Remediate Control Gaps

Control Gaps Should Be Prioritized for Remediation Based on Business Risk

Policy controls

Development of new or enhancement of existing security policies

Technical controls

Deploy new security technology solutions

Identify controls eligible for outsourcing

Identify needed subscriptions for security intelligence and signatures

Process and employee readiness controls

Develop processes

Train employees

Design ongoing awareness program


Step Four: Maintain Controls

Governance of the Program Is Accomplished Through Maintaining the Controls and the Framework Itself

Ongoing maintenance of technical controls
  Operate: ongoing monitoring and management
  Optimize: tune and evolve security solutions as needed

Periodic assessments of all controls
  For changes in control needs: threats, compliance, business
  For control effectiveness: policy, technical, process

Evolve controls and CCF as needed
  Prioritize gaps
  Update CCF and controls


How Can Cisco Help with IT GRC?

IT GRC: Information Security Services*

• Security Control Assessment Services:
  Security Policy Assessment
  Network Security Architecture Assessment
  Security Posture Assessment
  Security Process Assessment

• Security control development and deployment services
  Security intelligence content subscriptions
  Cisco self-defending network solutions

• Security remote management services

• Security optimization service

• Security control assessment and remediation services

*Services available from Cisco and Cisco certified partners

Lifecycle: Define, Assess, Remediate, Maintain
