G

R

C

The Science of Compliance®

®

Craig Isaacs

CEO, Unified Compliance Framework The world's largest and most reviewed legal

framework.

2

G

R

C

Strict Adherence to a Standard

Will Leave You Exposed

3

Areas of Exposure: Comparison of Standards to…

1. PCI

2. SOX

3. Healthcare

4. Banking

4

ISO 27002

5

238 Direct Controls

PCI DSS 3.0

6

293 Direct Controls

ISO 27002 vs PCI DSS 3.0: Overlapping Controls

7

162 Unique Controls

217 Unique Controls

76

17%Overlap

PCI DSS 3.0 Unique Controls

Sample of Unique Controls:

1. Establish and maintain a media inventory.

2. Test the system for buffer overflows.

3. Incorporate breach of the security of data incident response notification into the incident response plan.

8

217 Unique Controls

ISO 27002 Unique Controls

Sample of Unique Controls:

1. Separate systems that store or process restricted data from those that do not by deploying Physical access controls.

2. Define the executive policy, executive mission, and executive vision of the continuity planning process.

3. Verify that the continuity plan includes purchasing enough insurance.

9

162 Unique Controls

“Sarbanes-Oxley” Isn’t One Authority Document

1. Sarbanes-Oxley Act (only 19 direct controls in audit, records management, and monitoring)

2. COSO ERM

3. 17 CFR Parts 210, 240.

4. PCAOB Auditing Standards

5. Etc…10

SOX Guidance

11

174 Direct

Controls

ISO 27002 vs SOX Group: Overlapping Controls

12

162 Unique Controls

10%Overlap

136 Unique

Controls38

121 Unique

Controls

ISO 27002 vs PCI DSS 3.0 vs SOX

13

133 Unique Controls 202 Unique

Controls9

15

67

29

SOX

ISO PCI

Sarbanes-Oxley Unique Controls

Sample of Unique Controls:

1. Establish and maintain data processing integrity through segregation of duties.

2. Assign the audit to impartial auditors.

3. Establish and maintain a compliance monitoring policy and audit policy.

14

121 Unique

Controls

Comparison of Standards

1. NIST 800-53R4

2. ISO 27002

15

ISO 27002

16

238 Direct Controls

721 Direct Controls

NIST 800-53R4

17

588 Unique Controls

ISO 27002 vs NIST 800-53 R4

18

105 Unique Controls

133

16%Overlap

677 Unique Controls130

Unique Controls

SOX Guidance vs NIST 800-53 R4

19

44

5%Overlap

577 Unique Controls149 Unique

Controls

PCI DSS 3.0 vs NIST 800-53 R4

20

144

17%Overlap

Healthcare & Life Sciences vs. NIST 800-53 R4

21

721 Direct Controls

NIST 800-53R4

22

Healthcare & Life Sciences Guidance

23

1214 Direct Controls

1214Unique

Controls

NIST 800-53 R4 vs. Healthcare & Life Sciences

2423%Overl

ap

364357

UniqueControls

Banking Guidance vs. ISO 27002

25

ISO 27002

26

238 Direct Controls

Banking Guidance

27

935 Direct Controls

729 Unique

Controls

ISO 27002 vs. Banking Guidance

2821%

Overlap

20632

Recommendations

• Reduce audit and compliance costs by properly defining system scope and related control requirements.

• Leverage standards where overlaps exist.

• Determine business case for implementing controls without mandates.

• Automate evidence gathering, compliance correlation, and ongoing compliance review.

• Audit once as much as possible. 29