Leveraging compliance to raise the bar on security
Mike Lemire
Information Security Officer, Pearson Higher Ed
@mike_lemire
Why leveraging Compliance is important
Compliance with regulations, security frameworks and industry standards is required for many
industries and can also be a business enabler for many types of service providers.
For these reasons compliance is an important business objective. This session will provide an
overview of compliance objectives pertinent to various industries and show how you can enable
compliance to raise the bar on security in your organization.
My experience:
-RiskMetrics
-Acquia
-Pearson
Business Reasons for Compliance
While good security practices reduce risk, compliance helps enable business success.
● Lack of compliance is an inhibitor to adoption of services
 o Particularly true if: you are a SaaS provider; you hold and process customer confidential data; your service is important to customer business processes
● Compliance demonstrates high standards of security and availability to your customers
 o Independent validation of your control environment
● Achieving compliance enables business expansion into related vertical markets
● Management and business leadership will more likely fund security objectives when they enable business expansion
Control Domains Compliance Helps You Improve
● Compliance helps you build repeatable processes in your organization
 o Change Management
 o Scanning and Patch Management process
 o User Management
 o Role Based Access Controls (RBAC)
 o Separation of Duties
 o Business Continuity / Disaster Recovery
 o Authentication and Account Management
 o HR (Background checks, NDAs)
 o Corporate Policies
SSAE16 (formerly SAS70) Service Organization Control
Developed by: American Institute of Certified Public Accountants
Important to: Public companies, US companies, Financial, Insurance and related industries
SOC 1 is focused on controls related to financial reporting
 o accounting and billing systems
 o systems which, if negatively impacted, may impact financial results
 o focus on corporate controls like HR, RBAC, Change Control, Security Testing
SOC 2 is focused on security and privacy controls
Type 1 Examination: Point in time assessment - prepare you for Type 2
Type 2 Examination: Period of time assessment of control environment (6 months, 1 year)
Compliance Objectives and their relation to vertical markets
Cloud Security Alliance Security and Trust Assurance Registry (STAR)
Developed by: Technology Industry Consortium
Important to: Companies who outsource to cloud service providers
140 key controls which adopters of cloud services should inquire about
● self assessment
● publish results
● certification
https://cloudsecurityalliance.org/star/
BITS – Shared Assessment
Developed by: Banking Industry Consortium
Important to: Financial Institutions
Shared Assessment is a long list of controls across many domains, similar to ISO 27002
An attempt to standardize how financial firms do vendor risk assessments for outsourced services.
Very comprehensive set of controls
SIG: Standard Information Gathering Questionnaire (Lite and Full)
https://sharedassessments.org/
HIPAA
Developed by: US Dept of Health and Human Services
Important to: Any service provider handling health care information
The Health Information Technology for Economic and Clinical Health (HITECH) Act provides controls and an assessment framework
FISMA
Developed by: Congress, NIST
Important to: United States Federal Government, other governments
Based on NIST publications and standards
FIPS 199: determine your FISMA level (low, medium, high)
NIST 800-53 rev 3: defines controls applicable to your FISMA level
System Security Plan: Documents your controls
ATO: Authority to Operate
FedRAMP: FISMA for Cloud Service Providers
Payment Card Industry (PCI)
Developed by: Discover, JCB, MasterCard, Visa
Important to: Anyone who accepts credit cards for payment
Step 1: Determine Merchant Level
1: process over 6M CC transactions/ year
2: 1M-6M CC transactions / year
3: 20k - 1M CC transactions / year
4: Fewer than 20K
Step 2: Determine PCI Compliance Type - number of relevant controls
C: credit card processing outsourced, but your systems are connected to the Internet - 80 controls
D: credit card data held on your systems - 288 controls
Step 3: Complete the Self Assessment Questionnaire (i.e. evidence your controls)
Step 4: Quarterly scanning (scans must come back with no vulnerabilities)
Step 5: Complete an audit/report by a Qualified Security Assessor (QSA) - only if Level 1
There is a lot of alignment between the various compliance objectives and your best practices; the CSA Cloud Controls Matrix puts it all together.
Putting it Together
Establish your compliance objectives - in line with your business objectives
Itemize the controls of each objective
Create a control mapping (similar to CSA Control Matrix)
Create a control gap tracking worksheet
Add any customer feedback (RFPs, Contracts, Questionnaires from Vendor risk)
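The control mapping and gap tracking worksheet from the steps above, worked through in code. This is an added illustration and not part of the deck; the frameworks named are the ones the slides cover, but every control identifier, mapping and status value below is a constructed placeholder, not the frameworks' real control numbering.

```python
from collections import defaultdict

# Steps 1-2: compliance objectives and the controls each one itemizes.
# Constructed placeholder IDs, not the frameworks' real control numbers.
OBJECTIVES = {
    "SOC2":  ["SOC2-CHG", "SOC2-ACC", "SOC2-VULN", "SOC2-BCP"],
    "PCI":   ["PCI-CHG", "PCI-ACC", "PCI-SCAN", "PCI-SOD"],
    "FISMA": ["FISMA-CM", "FISMA-AC", "FISMA-RA", "FISMA-CP"],
}
# Step 3: control mapping (in the spirit of the CSA Cloud Controls Matrix):
# one internal control domain satisfies requirements from several frameworks.
MAPPING = {
    "Change Management":   ["SOC2-CHG", "PCI-CHG", "FISMA-CM"],
    "Access Control/RBAC": ["SOC2-ACC", "PCI-ACC", "FISMA-AC"],
    "Scanning & Patching": ["SOC2-VULN", "PCI-SCAN", "FISMA-RA"],
    "Business Continuity": ["SOC2-BCP", "FISMA-CP"],
}
# Step 4: gap tracking worksheet, implementation status per internal control.
STATUS = {
    "Change Management": "implemented",
    "Access Control/RBAC": "implemented",
    "Scanning & Patching": "partial",
    "Business Continuity": "gap",
}

def gap_report(objectives=OBJECTIVES, mapping=MAPPING, status=STATUS):
    """Per framework: which controls are covered, which are gaps, and which
    nothing maps to. A control counts as covered only when every internal
    control mapped to it is fully implemented; 'partial' is still a gap."""
    satisfied_by = defaultdict(list)  # framework control -> internal controls
    for internal, ids in mapping.items():
        for cid in ids:
            satisfied_by[cid].append(internal)
    report = {}
    for fw, controls in objectives.items():
        r = {"covered": [], "gaps": [], "unmapped": []}
        for cid in controls:
            internals = satisfied_by.get(cid)
            if not internals:
                r["unmapped"].append(cid)  # mapping itself needs fixing
            elif all(status.get(i) == "implemented" for i in internals):
                r["covered"].append(cid)
            else:
                r["gaps"].append(cid)
        report[fw] = r
    return report

def prioritize(mapping=MAPPING, status=STATUS):
    """Unimplemented internal controls, ordered by how many framework
    requirements each closes at once; this feeds product and IT roadmaps."""
    todo = [(len(mapping[i]), i) for i, s in status.items() if s != "implemented"]
    return [i for _, i in sorted(todo, key=lambda t: (-t[0], t[1]))]
```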
Tracking Your Controls - Gaps
The keys to success:
• Establish compliance objectives as important corporate and business objectives
• Develop robust, auditable processes
• Continuous improvement to administrative and technical controls
• Address the compliance gaps through:
 ● product roadmaps
 ● IT roadmaps
 ● corporate governance
Achieve your compliance objectives
Profit and be rewarded