Leveraging compliance to raise the bar on security Mike Lemire Information Security Officer Pearson Higher Ed @mike_lemire


Page 1: Leveraging compliance to raise the bar on security


Page 2

Why leveraging Compliance is important

Compliance with regulations, security frameworks and industry standards is required in many industries and can also be a business enabler for many types of service providers. For these reasons compliance is an important business objective. This session gives an overview of the compliance objectives pertinent to various industries and shows how you can use compliance to raise the bar on security in your organization.

My experience:

-RiskMetrics

-Acquia

-Pearson

Page 3

Business Reasons for Compliance

While good security practices reduce risk, compliance helps enable business success.

● Lack of compliance is an inhibitor to adoption of services

o Particularly true if you are a SaaS provider, you hold and process customer confidential data, or your services are important to the customer's business processes

● Compliance demonstrates high standards of security and availability to your customers

o Independent validation of your control environment

● Achieving compliance enables business expansion into related vertical markets

● Management and business leadership are more likely to fund security objectives when they enable business expansion

Page 4

Control Domains Compliance Helps You Improve

● Compliance helps you build repeatable processes in your organization

o Change management

o Scanning and patch management

o User management

o Role-based access control (RBAC)

o Separation of duties

o Business continuity / disaster recovery

o Authentication and account management

o HR (background checks, NDAs)

o Corporate policies

Page 5

SSAE 16 (formerly SAS 70) Service Organization Control (SOC) reports

Developed by: American Institute of Certified Public Accountants (AICPA)

Important to: Public companies, US companies, financial, insurance and related industries

SOC 1 is focused on controls relevant to the customer's financial reporting

accounting and billing systems

systems which, if negatively impacted, may affect financial results

focus on corporate controls like HR, RBAC, change control, security testing

SOC 2 is focused on security, availability, processing integrity, confidentiality and privacy controls (the AICPA Trust Services principles)

Type 1 examination: point-in-time assessment of control design as of a date; prepares you for Type 2

Type 2 examination: assessment of control design and operating effectiveness over a period of time (6 months to 1 year); the auditor samples evidence from that period, so controls must already be running and producing records before the window opens

Compliance Objectives and their relation to vertical markets

Page 6

Cloud Security Alliance Security, Trust & Assurance Registry (STAR)

Developed by: Cloud Security Alliance, a technology industry consortium

Important to: Companies who outsource to cloud service providers

140 key controls which adopters of cloud services should ask their providers about

● self assessment against the controls

● publish the results in the public registry

● third-party certification

https://cloudsecurityalliance.org/star/


Page 7

BITS Shared Assessments

Developed by: Banking industry consortium (BITS)

Important to: Financial institutions and their service providers

Shared Assessments is a long list of controls across many domains, similar to ISO 27002

An attempt to standardize how financial firms do vendor risk assessments of outsourced services.

Very comprehensive set of controls

SIG: Standardized Information Gathering questionnaire, available in Lite and Full versions

https://sharedassessments.org/


Page 8

HIPAA (Health Insurance Portability and Accountability Act)

Developed by: US Congress; rules written and enforced by the US Dept of Health and Human Services

Important to: Any service provider handling protected health information (PHI)

The HIPAA Security Rule defines the administrative, physical and technical safeguards; the Health Information Technology for Economic and Clinical Health (HITECH) Act extended those obligations directly to business associates and added breach notification and stronger enforcement


Page 9

FISMA (Federal Information Security Management Act)

Developed by: US Congress; implemented through NIST standards and guidance

Important to: United States federal government agencies and their contractors; other governments run similar regimes

Based on NIST publications and standards

FIPS 199: categorize your system (low, moderate, high) by the highest impact of a loss of confidentiality, integrity or availability

NIST SP 800-53 rev 3: defines the baseline controls applicable to your impact level

System Security Plan (SSP): documents your controls and how each is implemented

ATO: Authority to Operate, granted after the controls have been assessed

FedRAMP: a standardized FISMA-based assessment and authorization program for cloud service providers


Page 10

Payment Card Industry Data Security Standard (PCI DSS)

Developed by: PCI Security Standards Council (American Express, Discover, JCB, MasterCard, Visa)

Important to: Anyone who accepts payment cards

Step 1: Determine merchant level (thresholds are set per card brand; the typical bands are shown)

1: over 6M card transactions / year

2: 1M - 6M card transactions / year

3: 20K - 1M card transactions / year

4: fewer than 20K


Page 11

Step 2: Determine your Self-Assessment Questionnaire (SAQ) type, which sets the relevant controls

C: card processing outsourced to a payment application that is connected to the Internet, no cardholder data stored - about 80 requirements

D: cardholder data stored or processed on your own systems - about 288 requirements

Step 3: Complete the Self-Assessment Questionnaire (i.e. evidence the controls)

Step 4: Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); a passing scan has no findings rated CVSS 4.0 or higher

Step 5: Audit and Report on Compliance (ROC) by a Qualified Security Assessor (QSA) - required only for Level 1 merchants


Page 12

There is a lot of alignment between the various compliance objectives and your own security best practices. The CSA Cloud Controls Matrix (CCM) maps its controls to the major standards and frameworks, so it puts it all together in one place.

Putting it Together

Page 13

Putting it Together

Establish your compliance objectives - in line with your business objectives

Itemize the controls of each objective

Create a control mapping (similar to CSA Control Matrix)

Create a control gap tracking worksheet

Add any customer-driven requirements (RFPs, contracts, vendor risk questionnaires)
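The control mapping and gap tracking worksheet described in the steps above, worked through as an added example (not code from the original slides): each compliance objective's requirements are crosswalked onto a single internal control catalogue, and the script reports per-objective readiness, the open gaps, and which gaps block the most objectives. The framework names, control identifiers, descriptions and statuses are constructed sample data, not quoted from any standard.

```python
"""Control crosswalk and gap tracker (added example, constructed data)."""
from collections import defaultdict

# Internal control catalogue: id -> (description, status).
# status is one of "implemented", "partial", "missing".
INTERNAL_CONTROLS = {
    "IC-01": ("Change management with approval and rollback", "implemented"),
    "IC-02": ("Quarterly external vulnerability scans", "partial"),
    "IC-03": ("Role-based access control with periodic review", "implemented"),
    "IC-04": ("Separation of duties for production changes", "missing"),
    "IC-05": ("Background checks and NDAs for staff", "implemented"),
    "IC-06": ("Tested disaster recovery plan", "missing"),
}

# Crosswalk: objective -> {external requirement id: internal control id}.
# External ids are illustrative placeholders, not real framework numbering.
CROSSWALK = {
    "SOC 2": {"SOC2-CHG-1": "IC-01", "SOC2-ACC-1": "IC-03", "SOC2-BCP-1": "IC-06"},
    "PCI DSS": {"PCI-CHG-1": "IC-01", "PCI-SCAN-1": "IC-02",
                "PCI-ACC-1": "IC-03", "PCI-HR-1": "IC-05"},
    "Customer RFP": {"RFP-Q14": "IC-04", "RFP-Q22": "IC-06"},
}


def validate_crosswalk(internal, crosswalk):
    """Return (objective, external_id, internal_id) entries whose internal
    control is not in the catalogue. A dangling mapping silently drops a
    requirement from every report below, so this list must be empty."""
    dangling = []
    for objective, mapping in crosswalk.items():
        for ext_id, int_id in mapping.items():
            if int_id not in internal:
                dangling.append((objective, ext_id, int_id))
    return dangling


def gaps_by_objective(internal, crosswalk):
    """For each objective, list mapped controls that are not fully implemented."""
    report = {}
    for objective, mapping in crosswalk.items():
        gaps = []
        for ext_id, int_id in sorted(mapping.items()):
            _, status = internal[int_id]
            if status != "implemented":
                gaps.append((ext_id, int_id, status))
        report[objective] = gaps
    return report


def readiness(internal, crosswalk):
    """Fraction of each objective's mapped controls that are implemented."""
    result = {}
    for objective, mapping in crosswalk.items():
        done = sum(1 for int_id in mapping.values()
                   if internal[int_id][1] == "implemented")
        result[objective] = done / len(mapping) if mapping else 1.0
    return result


def prioritize_gaps(internal, crosswalk):
    """Rank open internal controls by how many objectives they block.
    Closing the top entries first unblocks the most objectives, which is
    the case to make when asking for roadmap funding."""
    blocked = defaultdict(set)
    for objective, mapping in crosswalk.items():
        for int_id in mapping.values():
            if internal[int_id][1] != "implemented":
                blocked[int_id].add(objective)
    ranked = [(cid, sorted(objs)) for cid, objs in blocked.items()]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    assert not validate_crosswalk(INTERNAL_CONTROLS, CROSSWALK)
    ready = readiness(INTERNAL_CONTROLS, CROSSWALK)
    for objective, gaps in gaps_by_objective(INTERNAL_CONTROLS, CROSSWALK).items():
        print(f"{objective}: {ready[objective]:.0%} ready; gaps: {gaps}")
    for cid, objs in prioritize_gaps(INTERNAL_CONTROLS, CROSSWALK):
        print(f"{cid} ({INTERNAL_CONTROLS[cid][0]}) blocks: {', '.join(objs)}")
```

Run it as a script to print the readiness and the ranked gap list. In the sample data the untested disaster recovery plan (IC-06) blocks both SOC 2 and the customer RFP, so it ranks first; the validation step catches a requirement mapped to a control id that was never added to the catalogue, which is the usual way a worksheet like this quietly loses a requirement.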

Page 14

Tracking Your Controls - Gaps

Page 15

The keys to success:

• Establish compliance objectives as important corporate and business objectives

• Develop robust, auditable processes

• Continuously improve administrative and technical controls

• Address the compliance gaps through

● product roadmaps

● IT roadmaps

● corporate governance

Achieve your compliance objectives

Profit and be rewarded

Page 16

Questions?

[email protected]

@mike_lemire