The Science of Compliance®
Craig Isaacs, CEO, Unified Compliance Framework
The world's largest and most reviewed legal framework.

Strict Adherence to a Standard Will Leave You Exposed

Areas of Exposure: Comparison of Standards to…
1. PCI
2. SOX
3. Healthcare
4. Banking

ISO 27002
238 Direct Controls

PCI DSS 3.0
293 Direct Controls

ISO 27002 vs PCI DSS 3.0: Overlapping Controls
• 162 Unique Controls (ISO 27002)
• 217 Unique Controls (PCI DSS 3.0)
• 76 Overlapping Controls (17% Overlap)

PCI DSS 3.0 Unique Controls (217 Unique Controls)
Sample of Unique Controls:
1. Establish and maintain a media inventory.
2. Test the system for buffer overflows.
3. Incorporate breach of the security of data incident response notification into the incident response plan.

ISO 27002 Unique Controls (162 Unique Controls)
Sample of Unique Controls:
1. Separate systems that store or process restricted data from those that do not by deploying physical access controls.
2. Define the executive policy, executive mission, and executive vision of the continuity planning process.
3. Verify that the continuity plan includes purchasing enough insurance.

“Sarbanes-Oxley” Isn’t One Authority Document
1. Sarbanes-Oxley Act (only 19 direct controls in audit, records management, and monitoring)
2. COSO ERM
3. 17 CFR Parts 210, 240.
4. PCAOB Auditing Standards
5. Etc…

SOX Guidance
174 Direct Controls

ISO 27002 vs SOX Group: Overlapping Controls
• 162 Unique Controls (ISO 27002)
• 136 Unique Controls (SOX Guidance)
• 38 Overlapping Controls (10% Overlap)

ISO 27002 vs PCI DSS 3.0 vs SOX
• 133 Unique Controls (ISO 27002)
• 202 Unique Controls (PCI DSS 3.0)
• 121 Unique Controls (SOX)
• 67 shared by ISO 27002 and PCI DSS 3.0 only
• 29 shared by ISO 27002 and SOX only
• 15 shared by PCI DSS 3.0 and SOX only
• 9 shared by all three

Sarbanes-Oxley Unique Controls (121 Unique Controls)
Sample of Unique Controls:
1. Establish and maintain data processing integrity through segregation of duties.
2. Assign the audit to impartial auditors.
3. Establish and maintain a compliance monitoring policy and audit policy.

Comparison of Standards
1. NIST 800-53R4
2. ISO 27002

ISO 27002
238 Direct Controls

NIST 800-53R4
721 Direct Controls

ISO 27002 vs NIST 800-53 R4
• 105 Unique Controls (ISO 27002)
• 588 Unique Controls (NIST 800-53 R4)
• 133 Overlapping Controls (16% Overlap)

SOX Guidance vs NIST 800-53 R4
• 130 Unique Controls (SOX Guidance)
• 677 Unique Controls (NIST 800-53 R4)
• 44 Overlapping Controls (5% Overlap)

PCI DSS 3.0 vs NIST 800-53 R4
• 149 Unique Controls (PCI DSS 3.0)
• 577 Unique Controls (NIST 800-53 R4)
• 144 Overlapping Controls (17% Overlap)

Healthcare & Life Sciences vs. NIST 800-53 R4

NIST 800-53R4
721 Direct Controls

Healthcare & Life Sciences Guidance
1214 Direct Controls

NIST 800-53 R4 vs. Healthcare & Life Sciences
• 364 Unique Controls (NIST 800-53 R4)
• 1214 Unique Controls (Healthcare & Life Sciences Guidance)
• 357 Overlapping Controls (23% Overlap)

Banking Guidance vs. ISO 27002

ISO 27002
238 Direct Controls

Banking Guidance
935 Direct Controls

ISO 27002 vs. Banking Guidance
• 32 Unique Controls (ISO 27002)
• 729 Unique Controls (Banking Guidance)
• 206 Overlapping Controls (21% Overlap)

Recommendations
• Reduce audit and compliance costs by properly defining system scope and related control requirements.
• Leverage standards where overlaps exist.
• Determine business case for implementing controls without mandates.
• Automate evidence gathering, compliance correlation, and ongoing compliance review.
• Audit once as much as possible.