Yulianto Roessaptono, CISA, CISSP, MBA, IT Engineer. Services: to help a Company achieve compliance and establish a resilient Information Security Management Platform. The Roles of Information Security & Privacy Protection in Business Development

Information Security roles in Business Development



Business Case

The Offering

1.  A company that provides Business-to-Business and Business-to-Customer communications
2.  A company that facilitates smooth data transactions with high-quality data management
3.  A company that offers inherent security exceeding industry standards to protect sensitive data
4.  A company that is working on PCI-DSS compliance, SOX compliance, CEO/CFO certification, and improving internal controls

What the Customers Want

1.  Accurate, complete, and timely transaction execution
2.  Confidentiality of information is preserved when sending data over networks
3.  Integrity of data is protected when it is processed across networks
4.  Availability of the system to provide services 24/7, with 99.999% availability
5.  PCI-DSS compliance, meaning it is safe for customers to send cardholder data via the Company's channels
6.  Privacy of Personally Identifiable Information (PII) is guarded

The Business Key Words

1.  The infrastructure, the access management, and the information security management are in place to provide confidentiality of information, integrity of data, and availability of the system and its processes.
2.  Adherence to the PCI-DSS v3.1 compliance requirements, and to other compliance initiatives
3.  Adoption of an industry best-practice Information Security Management standard

The Roles of Information Security in Business Development

Let's take the case of a Compliance Initiative: PCI-DSS v3.1

Your Company is working on PCI-DSS v3.1 compliance, and you want a comprehensive and quick implementation at the lowest possible cost. Let me walk you through the process.
•  There are 8 steps. For the first 3 steps you need the help of a CISA-CISSP professional.
•  The next 3 steps you can do yourself, or with the help of a CISA-CISSP professional.
•  The last 2 steps are performed by third parties.

How do we get there

Each step lists the solution requirement, who performs it (a Certified Information Systems Auditor, CISA, together with a security professional, CISSP, where noted), and the risk if it is not done.

1.  Develop comprehensive Policies and Standards
    •  Mapped to industry best-practice security frameworks (ISO, COBIT, NIST) and to PCI-DSS v3.1
    Performed by: CISA-CISSP consultant.
    Risk if not done: High. Policies and Standards give the Company the baseline against which its current security stance is measured.

2.  Security Governance and Compliance Solution
    •  Gap analysis with walkthrough / IT audit
    •  Risk identification and prioritization
    •  Gap remediation, roadmap, and implementation plan
    Performed by: CISA-CISSP consultant.
    Risk if not done: Critical. The Company will be vulnerable to attacks (insider and outsider threats), accidental exploitation, and non-compliance, eroding customer confidence in the Company's systems.

3.  Cardholder Data Environment
    •  Network segmentation, network diagram, component identification and assessment
    •  Scope reduction
    •  Security baselining
    Performed by: CISA-CISSP consultant.
    Risk if not done: Critical. Segmentation reduces the compliance scope and therefore the compliance cost. Note that PCI-DSS v3.1 Requirement 11.3.4 requires penetration testing, at least annually and after any change to the segmentation controls, to verify that the segmentation is operational and effective; an unverified segmentation claim does not reduce scope.

4.  Access Control Management solution and implementation; Change and Configuration Management
    Performed by: the Company internally, with help from a CISA-CISSP consultant.
    Risk if not done: High. Good access control improves the resilience of the system and supports compliance.

5.  Security Information and Event Management (SIEM) and File Integrity Monitoring solution and implementation
    Performed by: the Company internally, with help from a CISA-CISSP consultant.
    Risk if not done: Medium.

6.  Vulnerability scanning and penetration testing
    Performed by: Approved Scanning Vendor (ASV). Note that an ASV is required only for the quarterly external vulnerability scans (Requirement 11.2.2); internal scans (11.2.1) and penetration tests (11.3) may be performed by qualified internal staff or another qualified third party.
    Risk if not done: Medium.

7.  ROC (Report on Compliance)
    Performed by: the Company internally, with help from a CISA-CISSP consultant. Note that the ROC is the assessor's deliverable: it is written by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) following an on-site assessment, while merchants eligible for self-assessment complete a Self-Assessment Questionnaire (SAQ) instead.
    Final step.

8.  PCI Compliance Assessment and Validation
    Performed by: PCI assessor (QSA).
    Final step.


Network Diagram
•  Cardholder Data Environment
•  Segmentation
•  Scope reduction

Cardholder Data Flow Diagram
•  Data flow
•  Component identification
•  Security architecture implementation

Risk Assessment / Internal Audit
•  Identify critical assets, threats, and vulnerabilities
•  Analysis of risk
•  Development of mitigating controls and compensating controls
•  Risk prioritization
•  Remediation plan

Advisory on several critical implementations
•  Encryption
•  Access control
•  Data management
•  Etc.

Comprehensive approach along with a best-standard framework and methodology

Scope

1.  Ensure compliance with the PCI requirements, which results in the creation of a secure Cardholder Data Environment (CDE) separated from the rest of the corporate network.
2.  Establish an enterprise-wide, resilient and efficient Information Security Management Platform mapped to industry best practices.

Discovery & Design

1.  Map to the newly developed Policies and Standards; identify control gaps and vulnerabilities; comply with the PCI-DSS requirements; adopt a best-practice Information Security Management platform.
2.  Adopt a holistic approach and evaluate the network and architecture as a whole to reduce the evaluation and assessment time.
3.  Discovery process to determine the following:
    1.  Understand the key business processes, including credit card and PII processing, and the applications hosted on critical servers with business-sensitive data.
    2.  Understand the information flow of all sensitive data, including card data, in all its states: in transit, in use, and at rest.
    3.  Draw the detailed network diagram, the CDE, the cardholder data flow, component identification, scope categorization, and the segmentation that reduces the scope ('As-Is' and 'To-Be').
4.  Proof of Concept and Validation

Detailed Roadmap

1.  Assessment: gap analysis, risk identification, risk assessment, prioritization
2.  Remediation plan
3.  Implementation: short, medium, and long term

Reporting and Recommendation
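As an added example, not part of the original deck, the following Python script performs the scope categorization and 'As-Is' versus 'To-Be' comparison that the discovery step describes. It takes a component inventory (which segment each system sits on and whether it handles cardholder data) and the flows a firewall permits between segments, sorts each system into CDE, connected-to, or out of scope following the PCI SSC scoping model, and then measures how much assessed scope a proposed segmentation removes. All system names, segment names and firewall flows are constructed sample data; the CDE rule (a card-handling system and everything sharing its unfiltered segment) and the connected-to rule (any system with a permitted flow into or out of a CDE segment) are the assumptions the script encodes.

```python
"""Categorise systems for PCI DSS scope from a component inventory and the
flows a firewall permits between network segments, then compare a flat
'As-Is' network with a segmented 'To-Be' network to show how much scope
the segmentation removes. (Added example; constructed sample data.)"""
from collections import defaultdict

# Constructed 'As-Is' inventory: system name -> (network segment, handles cardholder data)
AS_IS_INVENTORY = {
    "pos-app":      ("lan",  True),
    "card-db":      ("lan",  True),
    "hr-wiki":      ("lan",  False),
    "print-server": ("lan",  False),
    "siem":         ("mgmt", False),
    "dev-jenkins":  ("dev",  False),
}
# Constructed 'As-Is' firewall policy: (source segment, destination segment)
# pairs between which connections are permitted. Hosts on the same segment
# can always reach each other, so no pair is needed for that case.
AS_IS_FLOWS = {("lan", "mgmt"), ("mgmt", "lan"), ("dev", "lan")}

# Constructed 'To-Be' design: the two card-handling systems move to a
# dedicated "cde" segment, the SIEM still collects their logs, and the dev
# segment can reach the office LAN but not the CDE.
TO_BE_INVENTORY = {
    "pos-app":      ("cde",  True),
    "card-db":      ("cde",  True),
    "hr-wiki":      ("lan",  False),
    "print-server": ("lan",  False),
    "siem":         ("mgmt", False),
    "dev-jenkins":  ("dev",  False),
}
TO_BE_FLOWS = {("cde", "mgmt"), ("mgmt", "cde"), ("lan", "mgmt"), ("dev", "lan")}


def classify(inventory, flows):
    """Return {'cde', 'connected_to', 'out_of_scope'} -> set of system names."""
    members = defaultdict(set)
    for name, (segment, _handles_chd) in inventory.items():
        members[segment].add(name)

    # Assumption 1: a system that stores, processes or transmits cardholder
    # data is in the CDE, and so is every other system on its segment,
    # because nothing filters traffic between hosts on one segment.
    cde_segments = {seg for seg, handles_chd in inventory.values() if handles_chd}
    cde = set()
    for seg in cde_segments:
        cde |= members[seg]

    # Assumption 2: a system on another segment is 'connected-to' when the
    # firewall permits a connection in either direction between its segment
    # and a CDE segment. Direction matters for the attack path, not for scope.
    connected = set()
    for src, dst in flows:
        if src in cde_segments and dst not in cde_segments:
            connected |= members[dst]
        elif dst in cde_segments and src not in cde_segments:
            connected |= members[src]

    out_of_scope = set(inventory) - cde - connected
    return {"cde": cde, "connected_to": connected, "out_of_scope": out_of_scope}


def in_scope_count(result):
    """Number of systems that must be assessed: CDE plus connected-to."""
    return len(result["cde"]) + len(result["connected_to"])


def scope_reduction(as_is, to_be):
    """Fraction of assessed systems removed by the To-Be design (0.0 to 1.0)."""
    before, after = in_scope_count(as_is), in_scope_count(to_be)
    return (before - after) / before if before else 0.0


if __name__ == "__main__":
    as_is = classify(AS_IS_INVENTORY, AS_IS_FLOWS)
    to_be = classify(TO_BE_INVENTORY, TO_BE_FLOWS)
    for label, inv, result in (("As-Is", AS_IS_INVENTORY, as_is), ("To-Be", TO_BE_INVENTORY, to_be)):
        print(f"{label}: {in_scope_count(result)} of {len(inv)} systems in scope")
        for category, names in result.items():
            print(f"  {category:13s} {sorted(names)}")
    print(f"scope reduction: {scope_reduction(as_is, to_be):.0%}")
```

On the constructed data the flat network puts all six systems in scope (four on the card-handling segment, plus the SIEM and the build server that can reach it), while the segmented design leaves three. Two caveats for real use: the out-of-scope result is only a claim until segmentation penetration testing confirms that the firewall really enforces those flows, and the adjacency rule here does not capture systems that affect the security of the CDE without a direct flow (a directory server or patch server, for instance), which PCI scoping also treats as in scope.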

You are hiring an experienced, senior consultant committed to you all the way.

Thank you,

Yulianto Roessaptono, CISA, CISSP, MBA, IT Engineer; (416) 568-1619; email: [email protected]

Dedicated to delivering excellent job execution from start to finish.