Regulatory Compliance in the Real World
Lunch was:
A. Great
B. So-so
C. Ick
D. Who’s the genius who decided we should talk about regulation after lunch?
What role do you play in compliance?
A. I have the direct responsibility (Compliance Officer)
B. I have some direct responsibility
C. I have little direct responsibility
D. I know we’re supposed to be compliant but I have no idea what that means
The regulation I care about the most
A. Sarbanes-Oxley
B. HIPAA
C. GLBA
D. FISMA
E. Privacy (Safe Harbor, SB 1386, Identity theft)
F. Other
Business and Technology Scenario
• Many want to manage compliance globally, but are often stuck in a local/regional mode
• Scope, applicability, urgency, and impact vary tremendously
• Firms should understand compliance globally to develop and leverage an enterprise IT plan
WorldCom, Enron, Parmalat, spam: legislation follows public awareness
Regulatory landscape (slide graphic, grouped by theme):
• Corporate governance, privacy
• Critical infrastructure, cybercrime
• Encryption laws
• Industry-specific
Items named on the slide: Basel II, HIPAA, USA PATRIOT Act, Sarbanes-Oxley, Privacy, Corporate Governance, Spam, Risk Management, KonTraG, GLBA, xx 7799, BDSG, CC/EAL, 95/46/EC, DPA, ITIL, SEI-CMM, Homeland Security, SAS 70, CRAMM, FRAP, Turnbull, King II, RIP, 02/58/EC, NIIPA, Safe Harbor, 99/93/EC, FFIEC, IAS, FDA 21 CFR Part 11, 18 USC 2701, ISF, SEC Rule 17a-4, PA&PAA, FERC, PIPEDA, NPP, Encryption Laws, SB1386
Laws, Regulations, and Related Standards
US
• Federal law, state law, industry regulation, presidential directive, published guidance
Europe and EU
• Treaty, regulation, directive, decision, recommendation, opinion, national laws
International
• OECD, Council of Europe, BIS (Bank for International Settlements in Basel)
Figure out which “requirements” apply to your organization
General Legal Requirements
• Keep records
• Notify of events
• Report regularly
• Get approval from internal or external parties
• Protect against unauthorized access
• Disclose information
• Document activities
• Use best practice
• Processing not allowed
• Make available continuously
• Perform assessment
Specific requirements can be found in implementing provisions and guidance
General Impacts on IT
• Consolidate apps
• Identity management
• Additional processing
• Protective controls
• Audit controls
• Guarantee authenticity
• Increase bandwidth
• Increase storage
• Provide redundancy
• Reconfigure
• Speed up processing
• Identify processing errors
• Store separately
• Centralize management
• Use methods and standards
While legislation varies, the impact on IT is often very similar
Roles and Responsibilities
• Assemble a multidisciplinary team
• Assign lead responsibility
• Identify external parties (PCAOB, DPA, CERTs, FERC, public)
• Clarify role and responsibility of service providers
• Identify counterparts in different geographies
Map: Law and Role
Assigned responsibility is a key control
CPO CSO CIO CEO CFO
SOX 3 1 2
SAS 70 2 1
HIPAA 2 3 1
Safe Harbor 1
CLERP 1 2
EU 95/46 1 2
PA&PAA 1
EU 02/58 2 1
Mapping Legal Requirements to IT Impact
Many IT changes satisfy several legal requirements — identify them
High/Medium/Low Impact on IT (table; the slide's cell alignment is not recoverable)
Columns: IT Hears ... / Law Says ...; App Layer; Sec. Layer; Infra. Layer; Ops Layer; Mgmt. Layer
Rows: Keep records; Notify of events; Report regularly; Get approval from int./ext. parties; Protect against unauthorized access; Disclose information; Document activities; Use best practice; Processing not allowed; Make available continuously; Perform assessment
Each cell rates the impact on that layer as high, med or low.
The 55 Strategy
The META Group 5-minute compliance takeaway
1. Define scope
2. Assign responsibility
3. Identify requirements
4. Evaluate impact
5. Implement solutions
5 Roles: Legal, Security, Privacy, InfoTech, Management
5 Topics: Accounting, Corporate governance, Protect infrastructure, Regulated industry, Privacy
5 Regions: North America, EU, Australia, Russia/China, World
5 Requirements: Document, Protect, Communicate, Audit, Sign off
5 Actions: Focus, Control access, Extend processing, Increase capacity, Authenticate
Security Maturity - 2004
(Maturity-over-time chart, recovered from the slide graphic)
Phases: Blissful Ignorance; Awareness Phase; Corrective Phase; Operations Excellence Phase
Steps along the curve: Review Status Quo; (Re-)Establish Security Team; Develop New Policy Set; Initiate Strategic Program; Design Architecture; Institute Processes; Conclude Catch-Up Projects; Track Technology and Business Change; Continuous Process Improvement
Population shares shown on the chart: 5%, 30%, 50%, 15%
NOTE: Population distributions represent typical, large G2000 type organizations
Selecting Appropriate Controls
• Identify reasonably anticipated risks using an ongoing risk assessment
• Identify a reasonable and appropriate set of security controls
• Create a defensible case to support your decisions
• Develop a proactive, process-oriented security program
Organizations need to build a defensible case for their control set and implementation decisions
Step 1: Risk Assessment
• Heavy formal methods are not recommended
• Light, fast, scalable methods are recommended
• Most critical: define reasonably anticipated risks!
• Prioritize risks by criticality and likelihood of occurrence
Building blocks: reasonably anticipated risks will guide the selection of appropriate controls
Step 2: Effective Controls
• Regulations recognize that organizations are like snowflakes, so there is built-in flexibility
• Selection criteria can include the size, complexity, and capabilities of the organization
• Cost can be used (carefully!) as a control selection criterion
Match controls to reasonably anticipated threats!
Step 3: Building a Defensible Case
Develop a defensible case for all audiences:
• Data owners
• Internal auditors
• External auditors
• Regulatory enforcement bodies
Control the discussion by establishing a strong case for “reasonable and appropriate”:
• Risk assessment
• Metrics to show a track record of improvement
• Third-party influence
Step 4: Create a Proactive Security Program
Key to Success: Governance
Plan / Build / Run
• Annual Plan
• Foundation
• Awareness
• Security Architecture
• Process Maturity
• Enforcement
• Risk Management
• Security Operations
V3.3 draft 2
So How Far Should You Go?
Judging how much security is enough has become one of the greatest challenges organizations face.
• If a regulation requires auditing, how much auditing is enough?
• If a regulation requires encryption, how much encryption is enough?
Many organizations have established requirements that have overshot the bounds of reasonable and appropriate
• based on what their peers are doing and what is possible given the maturity of security solutions today.
What is the focus of your monitoring?
A. Real-time analysis of network security events (firewalls, IDS, routers, etc.)
B. General user activity
C. Privileged user activity
D. I just centralize logs because the auditors required it, we don’t actually look at that stuff!
Example: Rightsizing Log Monitoring
• Clearly state a set of detection requirements, and an event logging policy on monitored systems that supports those requirements.
• Apply reasonable diligence (commensurate with the value of the data) to detect the required behavior/events, and link into the detection and response process when warranted.
• It is more important to have a documented and reasonable process (manual or automated) to analyze this data than fully automated centralization and analysis.
• Most logs have little value beyond a few important indicators, so retention should be justified down to as little as possible.
• Some auditors will impose inordinate retention requirements
  • Argue volume, complexity and value vs. effort.
Example: Rightsizing Log Monitoring
Log monitoring should not be implemented wholesale across hundreds of systems and devices, but in the following priority order:
1. Logins and logouts on critical systems (not necessarily useful in itself, but several regulations require it explicitly)
2. Perimeter security devices (e.g. firewalls, IPS, IDS)
3. Failed access to critical data
4. Successful accesses to critical data
5. Internal security devices (e.g. firewalls, IPS, IDS)
6. Other network devices (e.g. routers) deemed to have value against detection requirements
7. Host-based security software (personal FW/IPS)
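The priority order and the retention rule from the two slides above, turned into code as an added example (this is not code from the META Group deck): it orders a constructed inventory of log sources by the seven tiers, tags a few constructed syslog-style lines with the tier whose detection requirement they satisfy, and keeps only those lines as retention candidates. Host names, users and paths are hypothetical.

```python
import re
from dataclasses import dataclass

# Priority tiers from the deck; 1 = onboard first, 7 = onboard last.
TIERS = {"critical_auth": 1, "perimeter": 2, "data_fail": 3, "data_ok": 4,
         "internal_sec": 5, "network": 6, "host": 7}

@dataclass
class LogSource:
    name: str
    kind: str                     # one of the TIERS keys
    detection_value: bool = True  # tier-6 devices without one are skipped

def onboarding_plan(sources):
    """Return source names in the deck's priority order, dropping
    'other network devices' that serve no stated detection requirement."""
    keep = [s for s in sources if s.kind != "network" or s.detection_value]
    return [s.name for s in sorted(keep, key=lambda s: TIERS[s.kind])]

# Constructed syslog-style lines; hosts, users and paths are hypothetical.
SAMPLE_LOGS = """\
Jan 10 10:01:02 db01 sshd[412]: Accepted password for alice from 10.0.0.5 port 5001
Jan 10 10:02:09 db01 audit: DENIED user=bob path=/data/phi/patients.csv
Jan 10 10:03:15 web02 sshd[77]: Accepted password for carol from 10.0.0.6 port 5002
Jan 10 10:04:40 db01 audit: ALLOWED user=alice path=/data/phi/patients.csv
Jan 10 10:05:01 db01 sshd[412]: Disconnected from user alice 10.0.0.5 port 5001
"""
AUTH_RE = re.compile(r"(Accepted \w+ for|Disconnected from user) (\w+)")
DATA_RE = re.compile(r"audit: (DENIED|ALLOWED) user=\w+ path=(\S+)")

def classify(lines, critical_hosts, critical_paths):
    """Tag each line with the tier whose detection requirement it meets.
    Tier 0 means no stated requirement covers it (a candidate not to retain)."""
    events = []
    for line in lines.splitlines():
        host, tier = line.split()[3], 0
        auth, data = AUTH_RE.search(line), DATA_RE.search(line)
        if auth and host in critical_hosts:            # tier 1 only on critical systems
            tier = TIERS["critical_auth"]
        elif data and any(data.group(2).startswith(p) for p in critical_paths):
            tier = TIERS["data_fail" if data.group(1) == "DENIED" else "data_ok"]
        events.append((tier, host, line.split(": ", 1)[1]))
    return events

def retention_candidates(events):
    """Only lines backed by a detection requirement justify retention."""
    return [e for e in events if e[0] > 0]

if __name__ == "__main__":
    print(classify(SAMPLE_LOGS, {"db01"}, ["/data/phi/"]))
```

The successful login on web02 lands in tier 0 because web02 is not on the critical-system list, which is exactly the "not wholesale" point of the slide.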
Effective Controls
• Accountability ties actions to people and assigns the necessary responsibility within a sound governance framework.
• Transparency makes the operations of an organization more auditable by increasing visibility into core processes.
• Measurability provides the basis for continuous improvement and allows for the creation of a baseline that can be compared against.
Effective controls embody these characteristics
The Control Environment
Redirect culture towards:
• Process
• Formalization
• Measurability
• Control
There’s no official list and little guidance
• Configuration and change management
• Separate development, test and production environments
• Segregation of Duties (SOD)
• Identification and Authentication
• Clearly defined roles and responsibilities
• Service level agreements (SLA)
• Enforce the principle of least privilege
• Monitor, measure, report
• Compliance enforcement
• Documentation
Understand regulatory requirements and standards
• Use legal expertise, multidisciplinary teams, and a pragmatic approach
Prepare a program for future regulations and ongoing legal changes
• Determine the impact on IT
• Help to bundle and focus enterprise-wide compliance efforts
Rightsize implementation within the flexibility of the regulations
• Use “reasonable and appropriate” guided by risk assessment
Get out ahead of current and future regulations