dss itsec conference 2012 - risk & compliance


DESCRIPTION

Dr. Benetis briefly presented how modern, real-time and automated technology from Lumension (Risk & Compliance Manager) is used to audit and monitor the level of security in Lithuania's public sector. The presentation showed real use cases of how the solution made security measurement easier and more efficient. Dr. Benetis is also president of the ISACA Lithuania chapter. Organisations are realising the seriousness of cybersecurity and searching for ways to manage and govern it. How to organise security initiatives? How to monitor their success? How to build trust in one's own risk management? How to develop compliance management as a simple but efficient and helpful instrument for everyone in the organisation? The presentation will touch on the practicalities of integrating risk and compliance methods, and on an overall strategy to minimise the costs of risk and compliance initiatives by using the Lumension Risk Manager platform for public and private institutions.

TRANSCRIPT

Page 1: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

RISK AND COMPLIANCE MANAGEMENT

EXPERIENCES

Dr. Vilius Benetis, CISA, CRISC

Email: [email protected]

2012 11 15 Riga

Page 2: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

AFTER THE EVENT….


Page 3: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

CONTENT

• Reasoning for compliance and risk

• Framework landscape

• Lumension Risk Manager


Page 4: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

REASONING FOR COMPLIANCE AND RISK

• Regulations from:

– Central Bank, government, Visa/Mastercard

• Compliance – it is a cost.

– how to “optimise it”?

• Risk management –

– Security processes demand risk management

– ..mainly for investment prioritisation

– ..and it tightly integrates into auditing procedures

– Still, subjective analysis


Page 5: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

FORMALLY COMPLIANT


Page 6: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

RISK AND COMPLIANCE MATHEMATICS

Risk = asset value * threat probability * vulnerability impact

Risk of non-compliance = size of fine * probability to be checked * non-compliance scope

(Jatin Sehgal, Quality Manager, EY CertifyPoint )


Page 7: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

A VIEW ON RISK MANAGEMENT

• Probabilities of attack/threat?

• Works (rather) well for hazards

– Due to extrapolation and trending

• Works badly for huge impacts

– Impact size is limited by the value of the asset

– Human-based InfoSec threats are difficult to monitor and predict in medium-level (maturity, size, monitoring level) organizations

• Benefits of risk management:

– Compliance, audit of information security


Page 8: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

WHAT MUST BE PROTECTED:

• Commercial sector:

– protects services, products, secrets

• Governments:

– Protects services, citizens data, biometrics

• E-health

– health records

• SCADA

Note: in red – what can be lost only once


Page 9: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

LOSSES

• Fraudulent transactions (stealing money)

• Stealing of sensitive data

• Theft of personal identity

• Manipulation of data in databases

• Service disruption


Page 10: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

FRAMEWORK LANDSCAPE

• ISO 27000 family

• US FISMA family

– FIPS 199-200, NIST SP 800-53, ...

• Australian DSD Top 35 (and top 4)

• SANS Top 20 Critical Controls

• COBIT 5 (for Information Security)

• PCI DSS

• OWASP family

• Microsoft SDL and related

• National frameworks

• Universal Compliance framework


Page 11: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


Page 12: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


Page 13: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

FUNCTIONALITY

According to Gartner, the core IT GRCM functions are:

• Controls and policy mapping

• Policy distribution and training attestation

• IT control self-assessment and measurement

• IT GRCM asset repository

• Automated general computer control (GCC) collection

• Remediation and exception management

• Basic compliance reporting

• IT compliance dashboards

• IT risk evaluation

Organizations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance finance, operational and IT requirements at the expense of IT-centric depth.


Page 14: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

HOW TO MANAGE SECURITY FRAMEWORK

• How to organize security initiatives?

• How to monitor their success?

• How to build trust in own risk management?

• How to develop compliance management as a simple, but efficient and helpful instrument for everyone in organization?


Page 15: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

WHAT I LOOK FOR IN THE TOOL

• A method that makes sense

– best practice?

• Automation:

– Evaluation, delegation, review

– History tracking and review

– Reporting

– Change planning


Page 16: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


LRM Overview (architecture diagram)

Mandates covered: Basel II, GLBA, PCI, FISMA, OMB 06-16, FDCC, HIPAA, NHS, NERC, SOX, ISO/IEC, DPA…

Automated Connectors feed LRM Scoring from: Lumension Patch, Scan & Configuration; Lumension Application & Device Control; 3rd Party Products

Assessment Workflow feeds LRM Scoring from: Web-Based Surveys; Auditor / Analyst Attestation

LRM Scoring (Pass / Fail / Partial / N/A) produces Compliance & Risk Reporting, mapped to Business Interests and to Information & Processes

Process steps: 1 Identify, 2 Assess, 3 Remediate, 4 Manage

Page 17: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


Product Workflow: How it gets implemented.

Page 18: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

» Identify the complete IT environment, how it supports the business, and what inherent risk they are exposed to.

Identify workflow (assets imported via Connectors): Enumerate Business Applications → Identify Supported Business Interests → Identify Supporting IT Infrastructure → Conduct Business Impact Analysis → Complete Subject Risk Profiles → Identify High-Level Threats → Determine Compliance Requirements

End Result:

» Complete picture of all elements of the environment (Subjects)

» Mapping of Subjects to their business role

» Identification of High-Level Threats and Compliance Mandates

Page 19: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


» Identify the required controls needed to mitigate risk and satisfy compliance mandates.

Define-controls workflow: Defined Subjects and Risk Profiles → Mapping Rules Define Required Controls → Customer / Pro-Serve Customizes Rules → Determine Required Controls

End Result:

» Prescription of controls needed for compliance & risk mitigation

Page 20: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


» Automatically assess whether technical, procedural, and physical controls are in place.

Assess workflow: Defined Subjects & Controls → Connectors automatically score tech. controls; Create Assessment for non-tech controls → Send surveys to system owners → Receive survey responses; Auditor / Analysts directly enter test results → Delegation / Approval Cycles → Approve & Commit assessment scores

End Result:

» Pass / Fail / Partial scores on all subjects, all controls

» Scoring data lives in a single, organized repository

» Assessments get done faster, cheaper, and better

Page 21: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


» Generate comprehensive reports & metrics, and prioritize remediation based on impact to metrics.

Remediate and manage workflow: Complete scores on all subjects → Generate Reports & Metrics → Define Remediation Projects → Determine Impact of projects on metrics

End Result:

» Cover-to-cover compliance reports & metrics

» Risk-based reports & metrics

» Comprehensive operational security reports & metrics

» Prioritized remediation efforts
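The Assess and Remediate steps above (Pass / Fail / Partial / N/A scores per subject and control, then remediation ranked by its impact on the metrics) as an added Python example; this is not Lumension's code, and the outcome weights, mandates, subjects, scores and candidate projects are constructed assumptions:

```python
"""Pass/Fail/Partial/N/A control scoring and metric-driven remediation ranking,
as in the Assess and Remediate steps above. Added example, not Lumension code;
weights, mandates, scores and projects are assumed sample data."""

WEIGHTS = {"Pass": 1.0, "Partial": 0.5, "Fail": 0.0}   # N/A is excluded (assumed)

# Constructed sample: controls required by each mandate.
MANDATES = {"PCI": ["patching", "av", "logging"],
            "ISO27001": ["patching", "logging", "policy_training"]}

# Constructed sample assessment results: (subject, control) -> outcome.
SCORES = {
    ("web01", "patching"): "Fail", ("web01", "av"): "Pass",
    ("web01", "logging"): "Partial", ("web01", "policy_training"): "Pass",
    ("db01", "patching"): "Pass", ("db01", "av"): "N/A",
    ("db01", "logging"): "Fail", ("db01", "policy_training"): "Fail",
}

# Constructed candidate remediation projects: (subject, control) pairs brought to Pass.
PROJECTS = {
    "patch_web01": [("web01", "patching")],
    "train_db01": [("db01", "policy_training")],
    "fix_logging": [("web01", "logging"), ("db01", "logging")],
}

def mandate_metrics(scores, mandates=MANDATES):
    """Compliance percentage per mandate over every scored (subject, control) pair."""
    metrics = {}
    for mandate, controls in mandates.items():
        values = [WEIGHTS[s] for (_, c), s in scores.items()
                  if c in controls and s in WEIGHTS]
        metrics[mandate] = 100.0 * sum(values) / len(values) if values else 0.0
    return metrics

def prioritise_remediation(scores, projects, mandates=MANDATES):
    """Rank projects by the total compliance-metric gain each would produce,
    simulating each project's controls as Pass and re-scoring the mandates."""
    baseline = mandate_metrics(scores, mandates)
    ranked = []
    for name, fixes in projects.items():
        simulated = dict(scores)
        simulated.update({key: "Pass" for key in fixes})
        after = mandate_metrics(simulated, mandates)
        gain = sum(after[m] - baseline[m] for m in baseline)
        ranked.append((name, round(gain, 1), {m: round(v, 1) for m, v in after.items()}))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked
```

With the sample data, fixing logging on both subjects lifts both mandates the most and ranks first; a project touching a control that only one mandate requires ranks last.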

Page 22: DSS ITSEC Conference 2012 - RISK & COMPLIANCE


» One place to collect information

» Workflow and surveys facilitate assessment of manual controls

» Connectors automate collection of technical assessment data

» Easily generate comprehensive reports, metrics

Improve Manual Process: Excel, Email, Manual work, and Homegrown Apps

Page 23: DSS ITSEC Conference 2012 - RISK & COMPLIANCE

THANK YOU!
