Unrestricted - Complex Regulation Practical Security FINAL

Wayne Anderson, 11 November 2016

©2016 Avanade Inc. All Rights Reserved.


Page 1: Unrestricted - Complex Regulation Practical Security FINAL

Wayne Anderson, 11 November 2016

Page 2: About the Speaker

Wayne Anderson (@NoCo_Architect)
Director, Global Client Information Security, Avanade
GSLC, CISM, MCSE: Security, Security+, etc.

Avanade delivers innovative solutions on the Microsoft platform for thousands of enterprise clients around the world.

I focus on our readiness to meet those clients’ information security and privacy needs.

I am not an attorney. Nothing in this presentation is legal advice on whether you are or are not compliant. Please engage appropriate counsel and/or subject matter experts on the specific conditions of your program.


Page 4: Business Tension is High

Complexity is Challenging Business (79%): 79% of CEOs identified “over-regulation” as a key concern for organizational growth prospects. (Figure 1, PWC 2016 Annual Global CEO Survey)

Market Fragmentation: CEOs consistently see a fragmented marketplace, which requires meeting MANY standards to access clients. (Figure 4, PWC 2016 Annual Global CEO Survey)

Technology Discussion is Beyond IT (50%): By 2020, large enterprises with digital business aspirations will see business unit IT spending increase to 50% of enterprise IT spending. (Gartner, Full Transparency for Enterprise Technology Spending is a Fundamental Strategy for CIOs and CFOs)

Security is Hard in the Digital Workplace (60%): By 2020, 60% of digital businesses will suffer failures due to inability of security to manage digital risk. (Gartner, The Four Steps to Manage Risk and Security in Bimodal IT)

Page 5: Six Degrees of Security Operations

Control Requirements: Obligations for “reasonable” business. (US CA AG, US FTC, GDPR, HIPAA, cPPP)

Detection and Response: Identification of high risk events, and appropriate response capabilities to limit impact to the organization.

Regulatory Reviews: Audits, scoring, regulatory fines. (ENISA, FFIEC, FISMA, GDPR, AU Banking)

Privacy Obligations: Rights of the individual vs system function. (GDPR, HIPAA, US FTC, JP PPC, AU Privacy Act)

Data Governance: Ensuring data flows are understood, identified, classified, and associated controls are applied to assets which interact with the data.

Technology and Operations: Operating the digital perimeter, networks, and endpoints which provide the day to day foundation of cyber security incident prevention and detection capability.

Page 6: Six Degrees of Security Operations (continued)

A line between compliance and security cannot exist.

Page 7: Six Degrees of Security Operations (continued)

Efficiency in regulatory controls is practical security.

Page 8: Business > Compliance > Intelligence

First and Foremost, Align to Business. Our budgets, our people, our focus as security professionals exist for a reason. Know that reason. Know that we exist to help the organization do something.

Know what you Do. Intimately. How does your business impact the complexity of your asset set? What data do you handle? Where? Is some of it optional? What happens to the business in negative events?

Build the Sum of your Obligations. The obligations of the modern business actually form a fairly comprehensive control map for most organizations!

Modify based on Treatment and Intel. Risk tolerance and intelligence / modelling of specific threats to your business will modify how you prioritize and invest in controls.

Mission, Context, Compliance, Risk

Page 9: Start by Prioritizing your Obligations

Keys to Compliance
#1: Build a positive relationship with your legal team.
#2: A security leader must be focused on and understand the business.
#3: Prioritize your obligations.

Example: European Bank
CIS Top 20: applies to entire business as a basic subset of controls
GDPR: oversight of holding subject data
Country Regulation: provides more granular guidance for local systems and locations
PCI DSS: readiness to accept and work with payment cards
ENISA: guidance to operate as a European financial institution

Additive Control Set: Most foundational controls are prioritized highest.

Page 10: Map your Control Set

Keys to Compliance
#4: Map your Control Set (hint: choose a base framework)
#5: Use published audit rubrics for internal validation

Base framework: ISO 27001 Controls (A 5, A 5.1, A 6, A 6.1, A 6.2, A 7, A 7.1, A 7.2, A 7.3, A 8, A 8.1, A 8.2)
Programs to add: Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20, Whatever

Use your base framework. Add your programs. Hint: Include regulatory rules and case law.

Page 11: Map your Control Set (continued)

Make use of consulting, advisory, and industry resources:
Gartner, Forrester, Nymity, Bloomberg
Unified Compliance Framework Common Controls Hub
EU Office of Data Protection Commissioner Guide to Audit Process
EU Directive EC 95/46 Personal Data Protection Audit Framework
US Health Human Services Audit Protocol

Consider whether outside counsel or consultants are of value to your organization’s needs.

Do you have the trusted in-house expertise necessary to change direction?

Page 12: Regulatory Changes are part of your Intelligence

Keys to Compliance
#6: Invest in regulatory management tools
#7: Feeds for security and privacy changes are as necessary as malware and email intel.

Threat Intelligence

Legislation: Are you subject to new laws? GDPR is coming in May 2018, do you know what is different? HIPAA was updated this year. Did your program update?

Organizational Updates: As international organizations like ISO, ISACA, CIS, and others update guidance, your business needs to understand the changes; they often reflect the state of industry expectations.

Block Lists

Network and CIRT

Enforcement Actions: The track record of how judges and agencies interpret those rules is very important for the day to day guidance of how to operate and document the security program.

Are you leveraging knowledge sharing platforms? Interflow, Threat Central, Confer, ThreatConnect, etc.

Page 13: Risk Management

Keys to Compliance
#8: The law is not optional.
#9: Keep good records. Look for inconsistency.
#10: Risk decisions require competency.

Base framework: ISO 27001 Controls (A 5, A 5.1, A 6, A 6.1, A 6.2, A 7, A 7.1, A 7.2, A 7.3, A 8, A 8.1, A 8.2)
Programs mapped onto it: Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20

Use control origins in your risk assessments. Law: Prioritize up. Market-only with low exposure: Prioritize down.

Page 14: Risk Management (continued)

It is easy to say “everything applies.”

Your risk scale and criteria should have sufficient range to provide differentiation in priority and impact among “required” controls.
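An added example, not part of the deck, of the additive control set from pages 9 to 14: base-framework controls carry the program obligations mapped onto them, and a priority score is derived from control origin (law prioritizes up, market-only with low exposure prioritizes down) on a scale wide enough to separate "required" controls. The ISO control ids, the program-to-control mapping, the origin of each program (PCI DSS and ENISA treated as market obligations) and the scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Origin of an obligation: a statute or regulator, or a market/contractual expectation.
LAW, MARKET = "law", "market"


@dataclass
class Obligation:
    program: str    # e.g. "GDPR", "PCI DSS"
    origin: str     # LAW or MARKET
    exposure: int   # 1 (low) .. 5 (high) business exposure if the control fails (assumed scale)


@dataclass
class Control:
    control_id: str                 # base framework id, ISO 27001 Annex A form, e.g. "A.8.1"
    obligations: list = field(default_factory=list)

    def add(self, program: str, origin: str, exposure: int) -> "Control":
        self.obligations.append(Obligation(program, origin, exposure))
        return self


def priority(control: Control) -> int:
    """0..10 priority from control origins; the band boundaries are assumptions.

    Any legal obligation lifts the control into the top band (6..10);
    market-only obligations with low exposure fall to the bottom (1..2);
    market-only obligations with material exposure sit in between (5..7).
    """
    if not control.obligations:
        return 0                      # unmapped control: no obligation, lowest priority
    exposure = max(o.exposure for o in control.obligations)
    if any(o.origin == LAW for o in control.obligations):
        return min(10, 5 + exposure)  # law: prioritize up
    if exposure <= 2:
        return exposure               # market-only, low exposure: prioritize down
    return 2 + exposure


def rank(controls: list) -> list:
    """Highest priority first; ties broken by control id for a stable, auditable order."""
    return sorted(controls, key=lambda c: (-priority(c), c.control_id))


def european_bank_example() -> list:
    # Constructed sample for the "European Bank" case; the mapping is illustrative only.
    controls = [
        Control("A.5.1").add("CIS Top 20", MARKET, 2),
        Control("A.8.1").add("GDPR", LAW, 4).add("Country Regulation", LAW, 3),
        Control("A.6.2").add("PCI DSS", MARKET, 5),
        Control("A.7.3").add("ENISA", MARKET, 3),
    ]
    return [(c.control_id, priority(c)) for c in rank(controls)]
```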

Page 15: Translating Compliance to Practical Security

1. Build a positive relationship with your legal team.
2. A security leader must be focused on and understand the business.
3. Prioritize your obligations.
4. Map your Control Set.
5. Use published audit rubrics for internal validation.
6. Invest in regulatory management tools.
7. Feeds for security and privacy changes are as necessary as malware and email intel.
8. The law is not optional.
9. Keep good records. Look for inconsistency.
10. Risk decisions require competency.

Page 16: Questions?

Want to see more like this? Let us know you liked it. Rate this session: oreillysecuritycon.com/eu