Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization


© 2010 Protiviti Inc. An Equal Opportunity Employer.

CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

Outside View of Increased Regulatory Requirements

• Regulatory compliance is often seen as “sand in the gears”: requirements that increase cost, introduce friction into business processes, and have little or no payback.
• The introduction of multiple standards and an increasingly complex regulatory environment has disrupted IT governance's focus on improving process efficiencies.
• Limited awareness of unified mappings of new standards and requirements has resulted in duplication of effort.
• Shifts in technology usage, such as the use of cloud computing, have introduced new risks to businesses and uncertainty about how to mitigate these risks while continuing to meet new requirements.

Source: Gartner Research


Pressures on Business Today (figure): the modern enterprise faces increased accountability for boards and executives, uncertainty, variability, liability, speed, spiraling compliance costs, multiple diverse risks, and globalization.

Governance Requirements: Common Elements and Challenges


Governance Requirements

Legislative & mandated:
• SOX
• HIPAA/HITECH
• PCI
• NIST
• Red Flag Rules
• eDiscovery

External & non-mandated:
• ISO 27001/2
• SLA
• HITRUST
• COSO
• COBIT

Internal:
• SAS 70
• Internal SLAs
• Business Continuity
• Customer Requirements

Understand the external and internal governance expectations of IT, and the common controls and objectives.


Governance Requirements

ISO 27001 Compliance
• Examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts.
• Requires the organization to design and implement a coherent and comprehensive suite of information security controls.
• Brings information security under explicit management control.

PCI Compliance
• Prevents credit card fraud through increased controls around data and its exposure to compromise.
• The standard applies to all organizations which hold, process, or pass cardholder information.

SOX
• Established corporate governance standards for public companies.
• Placed responsibility on boards of directors, CEOs and CFOs to design and implement appropriate corporate governance processes.


Governance Requirements

HIPAA/HITECH
• Outlines information security requirements for health information systems and exchanges.
• Established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
• The CSF harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC).

Business Continuity
• Prepares an organization to respond to events that disrupt normal and on-going operations.
• Risk management is an essential element of business continuity.

and many more…


Governance Requirements: Typical Challenges

• Managed in silos
• Mostly reactionary projects
• Handled separately from mainstream processes and decision making
• Humans utilized as middleware
• Limited and fragmented use of technology

… leading to:
• Greater risks
• More complexity
• Lower confidence
• Higher cost


Governance Requirements: Common Elements - One Framework, Multiple Standards

Compliance frameworks have been developed to simultaneously cover a wide range of standards:

• ISACA COBIT – ISACA has invested, and continues to invest, effort in mapping the COBIT framework to ISO/IEC 27002, SOX, etc. to improve control environment efficiencies.
• Unified Compliance Framework (UCF) – One of the first and largest independent initiatives to map IT controls across international regulations, standards, and best practices.
• HITRUST Common Security Framework (CSF) – Unifies all targeted frameworks and standards (COBIT, ISO, PCI, HIPAA, etc.) relevant to health care. Many portions of the framework can also aid non-health care related organizations.


What is HITRUST?

• The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of the broad adoption of health information systems and exchanges.
• Industry-based collaboration among healthcare, business, technology and information security leaders has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
• The CSF is an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry.
• Beyond the establishment of the CSF, HITRUST is also driving adoption and widespread confidence in the framework and sound risk management practices through education, advocacy and other outreach activities. Ultimately, an organization's adoption of the CSF will establish confidence in its ability to ensure the security of personal health information.

Executive Committee (figure)


Governance Requirements: Common Elements - One Framework, Multiple Standards

(Figure: ISO 27001/2, PCI, COBIT, NIST, HIPAA Security, HITECH Act and Meaningful Use States mapped into the HITRUST CSF)

The HITRUST Common Security Framework (CSF) provides a valuable method to assess the security controls in a healthcare environment – and provides a path for continuous improvement. Because it was developed leveraging multiple security standards and regulations, it offers a convenient single model to use for many of your security governance requirements.


HITRUST Common Security Framework (CSF)

• The HITRUST Common Security Framework is a viable alternative to developing a custom framework
• HITRUST unifies all targeted frameworks and standards relevant to health care
• HITRUST is constantly revised to ensure currency and relevance
• Control practices tailored to the health care environment
• Self-assessment criteria for control and supporting control practice compliance

© 2009 HITRUST LLC, Frisco, TX. All Rights Reserved.

Governance Framework


IT Governance vs. Compliance (figure)

IT Processes – “Do it better” (performance, value adding)
• Val IT
• ITIL
• ISO
• Best Practices

Compliance – “Do it or else” (check & balance, transparency)
• SOX
• Banking Regs
• National Regs
• Other Regs

Risk Management – “Do it to protect” (mitigation, value preserving)
• CobiT
• Operation Risk Mgmt
• IT Security
• IT Risk Mgmt

IT Governance – “Do it right” (strategy, value defining)
• Reporting & Metrics
• Policy & Standards

Other labels on the figure: Productivity; Control Objectives (statements); Process; Regulation; Controls; Practices.


The Protiviti Governance Model

• Effective IT governance aids in addressing and mitigating some of the overall risks faced by an organization.
• By implementing effective governance practices, mechanisms are established for IT to:
  - Understand and manage all IT-related risks
  - Optimize returns on IT-related business investments
  - Deliver value from IT expenditure
  - Maximize opportunities for business use of IT
  - Provide appropriate IT capabilities
  - Address legal and regulatory compliance
  - Provide transparency and assurance that IT objectives are being achieved

The value of effective governance is improved business performance and outcomes.


Envisioning the Future State

IT Governance is defined as the ability for the enterprise’s IT function to sustain and extend the organization’s strategies and objectives.

Understand & Scope
Identify your organization’s internal & external requirements.

Establish Desired Structure
Assess business and IT strategy to determine the proper alignment of business activities and controls.

Determine Existing Capabilities
Evaluate the existing formal and informal management practices within IT. Assess how these align with the desired structure of the governance program.

Create Plan to Enhance Existing Processes & Controls
Create a plan to enhance and formalize existing management processes.

Sustain
Measure process throughput via KPIs, monitor process performance and identify workflow constraints.


Common Governance Implementation Strategy

Program (policy, standards, alignment, metrics, awareness, training):
• Security Policy & Program
• Security Strategy & Architecture
• Security Implementation & Deployment
• Security Metrics
• Incident Response
• Awareness & Training

ID Mgmt (policy; implementation – SSO, RBAC; federation; trusted credentials; open identities):
• Access Mgmt Policy & Standards
• IDAM Design & Implementation
• Identity Credential Selection Services
• Identity Federation Strategy & Implementation

Data Centric (discovery, classification, data leakage, encryption, privacy, compliance – PCI, HITRUST; vendor mgmt):
• Data Classification
• Data Leakage Services
• Encryption & Storage Strategy & Implementation
• Privacy Management & Implementation
• PCI Planning, Readiness & Compliance
• HITRUST Planning, Readiness & Compliance
• Other Data Compliance
• Vendor Due Diligence
• Other Data Security & Privacy Management

Strength (servers, network, application, database):
• Infrastructure Vulnerability
• Application Vulnerability
• Network Vulnerability
• Database Vulnerability


Envisioning the Future State

What is to be measured:
• Your specific control requirements must be integrated into existing management processes.
• Consider what KPIs are needed to measure compliance, process performance and resource productivity.
• How can our KPIs be categorized by how IT manages demand and service?

What IT processes will be impacted:
• Determine the processes that will influence IT’s new KPIs:
  - Security Administration
  - Asset Management
  - Project Management
  - Security Monitoring
  - Incident Management
• Establish an organizational structure and performance expectations that support the objectives.


Future State Outcomes

• Organizational Transparency
  - Ongoing collaboration with the entire organization to determine current compliance requirements, overlaps amongst these requirements, and opportunities for control consolidation to improve efficiencies.
  - Communication on a regular basis between IT teams to maintain standardized processes.
• Integration, Streamlined Processes, and Common Dialog
  - Understanding business needs, the current IT landscape – including people, processes, and technology – and the required future state.
  - Development of solid risk management strategies capable of identifying high-risk processes and the control requirements to mitigate these risks.
  - Integration and standardization of activities among the entire IT team – from Help Desk to Infrastructure Support.


Future State Outcomes

• Integration, Streamlined Processes, and Common Dialog (continued)
  - Proactive monitoring of public policy and the current regulatory environment in order to meet new and existing regulatory requirements.
  - Automation of compliance efforts through Governance, Risk, and Compliance platforms.
• Security and Resource Efficiencies
  - Controls driven by business process rather than by compliance.
  - Improvement in security and monitoring from streamlined control sets.
  - Increased resource efficiencies and cost savings through effectively defined roles.


Summary

• Identify and assess all of your external and internal governance requirements.
• Build a single common control framework specific to your organization – leverage existing frameworks as a starting point.
• Determine the KPIs that could be used to measure adherence.
• Identify the IT management processes that influence your control and KPI requirements.
• Determine how you can formalize and enhance those existing processes.
• Build sustainability through active management; link performance objectives to organizational objectives.

Compliance should be a byproduct of a good governance process.


Contact Us

For additional information or to receive a copy of this slide deck, please contact the presentation team:

Darren Jones
One PPG Place, Suite 2350
Pittsburgh, PA 15222
Direct: 412.402.1747
Mobile: 412.302.2978
Fax: 412.402.1764
[email protected]

Timothy Maloney
One PPG Place, Suite 2350
Pittsburgh, PA 15222
Direct: 412.402.1720
Mobile: 412.303.6338
Fax: 412.402.1791
[email protected]

Powerful Insights. Proven Delivery.™
