centralohioissa
Governance, Risk & Compliance
Bill Lisse, Global CISO - OCLC
Max Aulakh, vCISO - MAFAZO
Introductions
Bill
Max
Background
• OCLC's environment
• Control complexity & various business scenarios
• Multiple global security regulations
  • US
  • Canada
  • European
Security Business Case for OCLC
• Registered to ISO/IEC 27001:2005
  • Since 2011
• NIST SP 800-53 controls mapped to ISO/IEC 27001
• Updated to ISO/IEC 27001:2013
Shifting Regulatory Landscape
• Executive Order 13636 - Improving Critical Infrastructure Cybersecurity - February 2013
• OMB Guidance to agencies to implement
• OMB Guidance to contractors to implement
Problem Statement
• Mapping ISO 27001 to NIST SP 800-53
  • No longer acceptable
• US SaaS product must be FedRAMP accredited through a 3PAO
• Short timeline
• Talent shortage and staffing problems
• SSP, POA&M & FedRAMP documentation takes time
• Additionally required: SSPs for non-cloud government customers
FedRAMP
• Federal Risk and Authorization Management Program (FedRAMP)
  • Government-wide program
  • Standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• Third Party Assessment Organizations (3PAO)
  • A 3PAO is an organization that has been certified to help cloud service providers and government agencies meet FedRAMP compliance regulations
Tryump
• OCLC selected Tryump
• Document automation
• Documentation & security artifacts management
NIST Based Compliance
• NIST SP 800-53
  • 26 control families
  • 950+ controls
  • 1 to 4 statements per control
  • 2000 to 3000 total responses required for all controls
  • 200+ control parameters
• 1 SSP can be over 400 pages
• Total document submission package can be 400 to 800 pages
Who has to comply
• Cloud computing providers
  • FedRAMP
• IRS Pub 1075
• DFARS federal contractors
• Research & development centers
• Healthcare
• Universities
• Federally funded research institutions
• If you do business with the government!
Solving complexity
• Built for & by security pros
• Distribute controls to the organization
• Inherit controls from a common enterprise catalog
• Multiple systems management
• Develop multiple SSPs
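The control-inheritance model on the last slide, as an added example that is not code from the deck, OCLC or Tryump: one system's own responses are layered over an enterprise common-control catalog, and any statement still unanswered, or answered with an organization-defined parameter left unset, is reported as a gap. Control IDs, statement text and parameter values are constructed samples in the SP 800-53 style; the catalog layout is an assumption.

```python
"""Resolve one system's NIST SP 800-53 responses from an enterprise
common-control catalog plus system-specific responses (added example;
control IDs, statements and parameter values are constructed samples).
"""
from dataclasses import dataclass


@dataclass
class Statement:
    control: str       # e.g. "AC-2"
    part: str          # e.g. "a" (a control carries 1 to 4 statements)
    params: tuple = () # organization-defined parameter names to fill
    text: str = ""


# Constructed sample catalog: a few controls, each with 1-2 statements.
CATALOG = [
    Statement("AC-2", "a", ("account_types",), "Identify account types"),
    Statement("AC-2", "b", (), "Assign account managers"),
    Statement("AU-11", "a", ("retention_period",), "Retain audit records"),
    Statement("PE-3", "a", (), "Enforce physical access authorizations"),
]

# Enterprise common controls: inherited by every system unless overridden.
COMMON = {
    ("PE-3", "a"): {"response": "Data-center badge control (enterprise)", "params": {}},
    ("AU-11", "a"): {"response": "Central SIEM retention",
                     "params": {"retention_period": "90 days"}},
}


def resolve(system_responses: dict, catalog=CATALOG, common=COMMON) -> dict:
    """Return {'responses': {...}, 'gaps': [...]} for one system's SSP.

    A system-specific response overrides an inherited one; statements with
    no response, or with an unfilled parameter, become gaps (POA&M input).
    """
    responses, gaps = {}, []
    for st in catalog:
        key = (st.control, st.part)
        entry = system_responses.get(key) or common.get(key)
        if entry is None:
            gaps.append(f"{st.control}({st.part}): no response")
            continue
        missing = [p for p in st.params if not entry.get("params", {}).get(p)]
        if missing:
            gaps.append(f"{st.control}({st.part}): parameter(s) unset: {', '.join(missing)}")
        source = "system" if key in system_responses else "inherited"
        responses[key] = {**entry, "source": source}
    return {"responses": responses, "gaps": gaps}
```

Running resolve() once per system with that system's own responses yields one response set per SSP while the common catalog is maintained in a single place.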