Compliance does not equal security


Page 1: Compliance does not equal security

© 2015 Recall Corporation. Proprietary & Confidential

Compliance does not equal security.

Paige Needling, Director, Global Information Security

Page 2

IT security umbrella

Compliance for IT

Data privacy protection

Privacy risk assessment

Vulnerability assessment and management

Governance oversight

IT security training and awareness

Application security

Cost/Benefits analysis

Policies and standards

Business continuity management

Incident response management

Page 3

IT compliance/certifications

♦ ISO 27001: 2013

♦ ISO 20000: 2011

♦ Payment Card Industry Data Security Standard (PCI DSS v3.0)

♦ SOC2 Type 1, SOC2 Type2

♦ Cloud Security Alliance Security Trust & Assurance Registry (CSA STAR)

♦ HIPAA

♦ ITIL

♦ NIST

♦ NAID

Page 4

Common misconceptions

Security and compliance are NOT the same

♦ Meeting compliance requirements results in minimal baseline protection – the IT equivalent of earning a grade of “C”

♦ Focusing on compliance first is like putting the cart before the horse – compliance should be a byproduct of a solid security program, not the source of it

Compliance vs. security (diagram). Source: Security and Compliance, Kurt Hagerman, 4/29/14

Page 5

Compliance challenges

♦ Global, multigenerational, multicultural workforce (C)

♦ Complexity of GRC regulatory environment (M)

♦ Increased reliance on third parties (C)

♦ Breaking down compliance silos (C)

♦ Security/Compliance budget (M)

♦ Achieving and maintaining compliance (M)
─ Document, measure, repeat, control

www.complianceweek.com (Managing Compliance for the Evolving Workforce May 2015); Microsoft IT Compliance Management Guide; Wikipedia

Page 6

If you have a metal chain on your gate, but it is held together with a ribbon…

…what good does it do?

Page 7

Create a security-centric yet compliant culture

1. Streamline processes: a secure and compliant culture should not be complicated; too many steps lead to confusion

2. Conduct training: help people understand the risks by providing relevant and current Security Awareness Training

3. Gain compliance: the law is the law is the law

4. Strengthen knowledge: partner with your company’s business units to ensure buy-in and understanding of the security/compliance initiatives

5. Instill culture: not everyone will agree with the security or compliance posture of the company. Try to understand their position

6. Embrace change: “Change is inevitable, but misery is optional”

7. Build partnerships: partner with Compliance to gain funding for Security initiatives and remediation of gaps

Page 8

Be mission-centric

It is not enough to simply ask…

Have the proper technologies been implemented to protect the company and our customers?

The questions you should ask first are…

1. Have we identified the largest vulnerabilities within the organization?

2. How do we prioritize risk mitigation efforts?

3. Who is the enemy?

4. Is our Incident Response sufficient to handle a breach?

5. Are proper processes and strategies implemented to withstand a breach?

6. Is our compliance program effective?

Page 9

Mission-centric

Protecting the perimeter is no longer enough

♦ Security and Compliance must have three main areas of focus:

1. Protection

2. Due diligence: having the capability to identify emerging threats and reduce detection time

3. Recovery: how quickly can your organization respond to a breach?

─ Does your Incident Response Policy address both natural and man-made breaches and incidents?

─ Does your company have a plan and the necessary resources/budget/culture to quickly recover when normal services are disrupted?

Page 10

Noncompliance consequences

♦ Reputation degradation

♦ Loss of market share if competitors comply and your organization does not

♦ Loss of focus on the business’s strategic direction

♦ Personal and organizational fines

♦ Personal liability and even incarceration for extreme offenses

♦ Limited access to capital markets and loss of listing in the stock markets

♦ Diminished credit ratings

♦ Limited abilities to do business in specific jurisdictions

♦ Increased regulatory oversight

Page 11

Compliance opportunities

♦ Improved oversight and effective governance

♦ Competitive advantage
─ New business opportunities based on first-in-show status

♦ Privacy regulation compliance
─ Builds trust and confidence with customers

♦ Improve ROI by integrating IT with the business
─ Move compliance and security to the front of the bus

♦ Increased management visibility of IT security/compliance can achieve efficiency gains and cost savings for the business

Page 12

Components for an effective IT security and compliance alignment partnership

IT Security & Compliance (at the center), surrounded by:

♦ Risk Management & Oversight

♦ Vendor Oversight

♦ Regulatory & Compliance Management

♦ Effective Policy Management & Reporting

♦ Effective Incident Response

♦ Vulnerability Scanning & Patching Management

♦ Audit Management

Page 13

Components for an effective IT security and compliance alignment partnership

Vulnerability scanning & patching management

1. Have an active scanning schedule against network assets and verify results are in compliance with the security policy

2. Maintain constant oversight of vulnerable systems and devices

3. Deploy patches as soon as they become available based on the Change Management schedule

4. Test patches before pushing to all machines on your network

Page 14

Components for an effective IT security and compliance alignment partnership

Risk management & oversight

1. Ensure risks are proactively managed as part of the overall information security program. It is the catalyst to identify your assets, threats and controls, and then mitigate and manage risk with the right controls.

2. Streamline the risk assessment process by customizing the common set of assets, threats and controls to your organization environment

3. Have an effective remediation plan that is incorporated in the workflow and ticketing process

Page 15

Components for an effective IT security and compliance alignment partnership

Vendor oversight

1. Have an effective solution that allows you to identify, analyze and mitigate risk presented by third-party vendors

2. Perform annual assessments of 3rd-party vendors to ensure they are in compliance with the organization’s Vendor Policy

3. Gain the visibility to identify vendors that represent the greatest risk

Page 16

Components for an effective IT security and compliance alignment partnership

Effective incident response

1. Test capabilities annually and prove your organization has the capacity to recover in the event that a cyber-breach should occur

2. Review procedures annually, perform testing and train employees on a scheduled basis

3. Track and report on the details of your information security incidents, including what was affected, incident categorization, severity of disruption, date and time of detection, declaration of disclosure and resolution

Page 17

Components for an effective IT security and compliance alignment partnership

Regulatory & compliance management

1. Have compliance regulations tied to controls and guidelines

2. If possible, have critical updates applied in real-time and reflected within the risk and audit process where applicable

Page 18

Components for an effective IT security and compliance alignment partnership

Effective policy management & reporting

1. Have an effective process that allows you to review, update and implement policies as needed across the enterprise

2. Have a centralized repository where materials, policies, procedures, guidelines, checklists and standards are stored and maintained

3. Map policies to your organization’s controls for tracking and proper implementation

4. Ensure proper training is conducted for policy understanding across the organization

5. Have a distribution process to deliver policies and updates to the appropriate individuals for tracking, review, testing and sign-off

6. Map your organization’s policies to your compliance regulations and security frameworks

Page 19

Components for an effective IT security and compliance alignment partnership

Audit management

1. Have audits conducted and ensure the results are measured against your controls for risk scoring; have reports submitted to control owners

2. Leverage surveys that integrate data collection to assess risks

Page 20

Retain & gain

♦ It is far more expensive to acquire new customers than it is to retain existing ones

♦ Partner early on with the business to gain buy-in and momentum for security and compliance projects

♦ Be VERY clear about what you have to lose if you don’t do this…

♦ Position yourself as a key player in driving the company’s strategy

♦ Show the compliance solutions and security gains early on

♦ Money, Money, Money!! - or we don’t have any!

♦ Resources, Resources, Resources!!! - or we don’t have any!

Page 21

Q & A

Page 22

Thank you.