Avoiding Audit Fatigue: Achieving Compliance In A Multi-Compliance World In Nine Steps

Gene Kim, CISA, TOCICO Jonah, CTO and Founder (Twitter: @RealGeneKim)

Gartner 2010

Uploaded by gene-kim, 13 May 2015

DESCRIPTION

Avoiding Audit Fatigue: Achieving Compliance In A Multi-compliance World In Nine Steps
Gartner Security/Risk Management Conference, July 2010

It's common for information security managers to be held responsible for failed audits where they had little control or influence in the rest of the organization. This presentation provides nine steps that information security managers can use to break the compliance blame cycle and build an information security program that more effectively mitigates security risk. By successfully executing these steps, the information security manager will no longer continually react to and manage the audit preparation crisis du jour. Instead, the information security manager will institute and rely upon regular, defined activities to complete the heavy lifting of preparing for a successful audit long before the audit occurs.

This session also describes how IT security managers can achieve alignment among all stakeholders so that information security and compliance activities become integrated into daily business operations.

Completing the nine steps in this presentation requires business stakeholders, IT management, and information security management to all mutually support the same goal. This session describes how to gain this alignment and defines the various compliance roles so that information security and compliance activities become integrated into daily

TRANSCRIPT

Page 1: 2010 06 gartner   avoiding audit fatigue in nine steps 1d

Configuration Assessment & Change Auditing Solutions

VISIBILITY INTELLIGENCE AUTOMATION

IT Security and Compliance Automation

Avoiding Audit Fatigue: Achieving Compliance In A Multi-Compliance World In Nine Steps

Gene Kim, CISA, TOCICO Jonah, CTO and Founder (Twitter: @RealGeneKim)

Gartner 2010

Page 2:

compliance | security | control 2 Don’t Take Chances. TAKE CONTROL. IT SECURITY & COMPLIANCE AUTOMATION

Where Did The High Performers Come From?

Page 3:

Agenda

• The problems of compliance du jour and the audit blame cycle
• How did the high performing IT organizations make their “good to great” transformations?
• Nine practical steps to overcome audit fatigue
• What does integration of security controls into daily operation feel like?
• Additional resources

Authors: Gene Kim, Founder/CTO, Tripwire, Inc.; Jennifer Bayuk, Cybersecurity Program Director, Stevens Institute of Technology

Page 4:

“Boss, We Are Ready For The Upcoming Audits…”

Page 5:

“OMG. OMG. The Auditors Are Coming When?!?”

Page 6:

“IT Operations Not Quite As Ready As They Thought…”

Page 7:

“Infosec Must Do Heroics, Generating Reports And Presentations From Scratch…”

Page 8:

“Despite Heroics, The Business Still Fails The Audit…”

Page 9:

“Infosec As Professional Apologist…”

Page 10:

Problems: The Real Business Cost

Scheduled value-adding work and projects are delayed because of all the urgent and unplanned audit prep work

Business continues to implement controls as a part of a one-time audit preparation project to achieve compliance, with little thought on how to maintain compliance over time

Next time requires just as much effort, instead of integrating controls into daily business and IT operational processes

The business starts treating audit prep as a legitimate value-adding project, even charging time against it

Multiple regulatory and contractual requirements result in IT controls being tested numerous times by numerous parties, requiring management to perform work multiple times

Page 11:

Information Security and Compliance Risks

• Information security practitioners are always one change away from a security breach: front page news, regulatory fines, brand damage
• High profile security failures are increasing external pressures for security and compliance: Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)

Page 12:

Going from Good to Great

Page 13:

Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization

[Chart: Operations Metrics Benchmarks, Best in Class: Server/sysadmin ratios. X axis: Server/sysadmin ratio (Efficiency of Operation), 0 to 140. Y axis: # Servers (Size of Operation), log scale 1 to 10,000. Source: IT Process Institute (2001).]

Best in Class Ops and Security:

• Highest ratio of staff for pre-production processes
• Lowest amount of unplanned work
• Highest change success rate
• Best posture of compliance
• Lowest cost of compliance

Page 14:

Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure

• High performers maintain a posture of compliance: fewest number of repeat audit findings; one-third the amount of audit preparation effort
• High performers find and fix security breaches faster: 5 times more likely to detect breaches by automated control; 5 times less likely to have breaches result in a loss event
• When high performers implement changes: 14 times more changes; one-half the change failure rate; one-quarter the first fix failure rate; 10x faster MTTR for Sev 1 outages
• When high performers manage IT resources: one-third the amount of unplanned work; 8 times more projects and IT services; 6 times more applications

Source: IT Process Institute, May 2008

Page 15:

Visible Ops: Playbook of High Performers

The IT Process Institute has been studying high-performing organizations since 1999.

• What is common to all the high performers?
• What is different between them and average and low performers?
• How did they become great?

Answers have been codified in the Visible Ops Methodology.

Page 16:

Over Ten Years, We Benchmarked 1500+ IT Orgs

Source: IT Process Institute (2008)

Source: EMA (2009)

Page 17:

2007: Three Controls Predict 60% Of Performance

To what extent does an organization define, monitor and enforce the following?

• Standardized configuration strategy
• Process discipline
• Controlled access to production systems

Source: IT Process Institute, May 2008

Page 18:

Nine Practical Steps To Overcome Audit Fatigue And The Blame Cycle

Page 19:

The Nine Steps To Avoid Audit Fatigue

Step 1: Align with tone at the top
Step 2: Create a set of merged infosec and compliance/business goals
Step 3: Define ideal information security goal indicators
Step 4: Gain an end-to-end understanding of the information flow
Step 5: Agree upon control ownership, roles and responsibilities
Step 6: Define the control tests so business process control owners will agree with the results
Step 7: Schedule and conduct regular control tests
Step 8: Organize metrics and remediation reports
Step 9: Detect and respond to significant changes to the control environment

Page 20:

Step 1: Align With Tone At The Top

Ensure that compliance activity is clearly managed from the top down.

Page 21:

Step 2: Merge Information Security Into The Compliance/ Business Goals

Document IT governance goals and the risks to achieving those goals

Confirm that information security and compliance helps achieve those goals.

For instance: A manufacturing company must comply with a regulatory requirement that certain chemical toxins are never released into the atmosphere in amounts over 10 particles per second.

The manufacturing control system has been designed to ensure that this toxin is released at a rate of only 1 particle per second.

Page 22:

Step 2: Merge Information Security Into The Compliance/ Business Goals

What is the business objective?

Ensure smooth operation of the manufacturing process, in accordance with the business plan and all associated laws and regulations.

What are the information security and compliance risks?

• The manufacturing control system could fail and release more than the allowed amount of the chemical toxin into the atmosphere.
• The measurement system may not detect this release.
• The manufacturing control measurement data could be altered or lost, which would prevent management from validating emissions output compliance.

What is my information security goal to address this risk?

We must maintain integrity over the particle release measurement process and the measurement data.

Page 23:

Step 2: Merge Information Security Into The Compliance/ Business Goals

What control will we implement to meet this goal?

An access and measurement testing control process will protect the toxin release measurement software against tampering. The control will alert operations when changes to access are detected and when abnormal variations in the toxin measurements occur. The alert response will include automated and manual procedures that verify that the algorithm installed in the production system is the same as the one that underwent rigorous pre-production system testing.

What does plant management (the business process owner) need to do to support this goal?

The control process would require the business process owner to configure the production system to minimize the access any given individual needs to change the algorithm and the corresponding data.

The control process would also require the business process owner to minimize the job functions that require access to the algorithms and the measurement data.
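The tamper-detection control described above, as an added example that is not code from the presentation or from Tripwire: the deployed measurement algorithm is hashed and compared with the digest recorded when the tested build was promoted, and the readings it emits are checked against the regulatory limit and the designed nominal rate, so an algorithm re-scaled to under-report is as visible as a breach. File paths, digests, thresholds and the sample readings are constructed assumptions.

```python
"""Integrity control for the toxin-release measurement example (Step 2).

Added illustration, not code from the presentation or from Tripwire. Two checks:
  1. the algorithm running in production hashes to the same value as the
     version that passed pre-production testing (tamper / drift detection);
  2. the readings it emits are plausible against the designed nominal rate and
     the regulatory limit, so an under-reporting tamper is as visible as a breach.
File paths, digests, thresholds and sample readings are constructed assumptions.
"""
import hashlib

# Constructed: the algorithm that passed pre-production testing, as deployed bytes.
APPROVED_ALGORITHM = b"def particles_per_second(raw):\n    return raw * 0.5\n"
APPROVED_CONFIG = b"[sensor]\ncalibration = 0.5\nlimit_pps = 10\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Baseline recorded when the tested build was promoted: path -> approved digest.
BASELINE = {
    "/opt/plant/measure.py": sha256_hex(APPROVED_ALGORITHM),
    "/opt/plant/sensor.ini": sha256_hex(APPROVED_CONFIG),
}


def verify_deployed(baseline: dict, deployed: dict) -> list:
    """Compare deployed file contents against the approved baseline.

    Returns sorted findings such as 'MODIFIED <path>'; an empty list means the
    production system still runs exactly what was tested."""
    findings = []
    for path, expected in baseline.items():
        if path not in deployed:
            findings.append(f"MISSING {path}")
        elif sha256_hex(deployed[path]) != expected:
            findings.append(f"MODIFIED {path}")
    for path in deployed:
        if path not in baseline:
            findings.append(f"UNEXPECTED {path}")
    return sorted(findings)


def classify_readings(readings, nominal=1.0, limit=10.0, tolerance=3.0):
    """Flag implausible measurements.

    LIMIT_BREACH: above the regulatory limit (10 particles/s in the slide).
    ABNORMAL_HIGH / ABNORMAL_LOW: more than `tolerance` times away from the
    designed nominal rate (1 particle/s). Suspiciously low readings matter
    because a tampered algorithm that under-reports looks "compliant"."""
    alerts = []
    for i, value in enumerate(readings):
        if value > limit:
            alerts.append((i, value, "LIMIT_BREACH"))
        elif value > nominal * tolerance:
            alerts.append((i, value, "ABNORMAL_HIGH"))
        elif value < nominal / tolerance:
            alerts.append((i, value, "ABNORMAL_LOW"))
    return alerts


def run_control(deployed: dict, readings) -> dict:
    """One scheduled control test: integrity findings plus reading alerts."""
    findings = verify_deployed(BASELINE, deployed)
    alerts = classify_readings(readings)
    return {"findings": findings, "alerts": alerts, "pass": not findings and not alerts}


# Constructed scenario: someone re-scaled the algorithm so it reports a fifth of
# the true rate; the file hash changes and the readings drop implausibly low.
TAMPERED_ALGORITHM = b"def particles_per_second(raw):\n    return raw * 0.1\n"
DEPLOYED_TAMPERED = {
    "/opt/plant/measure.py": TAMPERED_ALGORITHM,
    "/opt/plant/sensor.ini": APPROVED_CONFIG,
}
READINGS_TAMPERED = [1.0, 1.1, 0.9, 1.0, 12.0, 0.2, 0.2]

if __name__ == "__main__":
    clean = run_control({"/opt/plant/measure.py": APPROVED_ALGORITHM,
                         "/opt/plant/sensor.ini": APPROVED_CONFIG}, [1.0, 1.1, 0.9])
    print("clean run:", clean)
    print("tampered run:", run_control(DEPLOYED_TAMPERED, READINGS_TAMPERED))
```

The baseline digest is the evidence that pre-production testing actually covers what runs in production; the least-privilege configuration the slide asks plant management for is what keeps the set of people who can legitimately change that digest small enough to review.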

Page 24:

Step 3: Define Ideal Information Security Measures

Develop theoretical ideal indicators that demonstrate that information security goals are being met.

Examples:

• # of access roles not validated by management
• % of accounts not matching management-defined roles
• % of configurations not pre-approved by management
• % of changes not approved by management
• % of systems with centralized logging

Page 25:

Step 4: Gain End-to-End Understanding

Do an end-to-end business process walk-through to understand and document:

• Where does sensitive information enter, transit, get stored, and exit the organization?
• What are the risks to organizational goals and information flow?
• Where is reliance placed on technology to prevent and detect control failures?

Page 26:

Step 4: Gain End-to-End Understanding

A merchant has a business process that supports a customer loyalty program. The program includes issuing branded credit cards. The consumer credit information flow starts with a customer filling out an online application form, which is…

• Sent to the credit calculation application, is then…
• Sent to a sales application, and…
• Ends up in an application that runs on the desktop of every customer service representative.

What is the business goal?

To ensure that customers approved for the credit card services are capable of meeting their obligations, so that any credit extended to the customer is likely to be repaid.

Page 27:

Step 4: Gain End-to-End Understanding

What are the business, information security and compliance risks?

• Customer information is inaccurate
• Customer information is inadvertently disclosed, violating regulatory requirements

Through what applications does the information flow?

• The online application form is delivered through a third-party vendor
• The credit calculation is done on cloud computing resources
• The sales application is run internally by IT operations
• The customer service application is run by a combination of internally developed server software and desktop software on the customer service desktops

Page 28:

Step 5: Agree Upon Control Ownership, Roles And Responsibilities

Clearly define roles and responsibilities for audit compliance activities at the process owner level.

Page 29:

Step 6: Define The Control Tests So Control Owners Will Agree With The Results

Make sure that the evidence demonstrating that compliance goals have been met can be generated in an automated manner, on demand. This will mirror the accountability spreadsheet that the auditors will likely construct.

This is what enables information security to not be left holding the bag when IT operations is disorganized or unprepared.
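The indicators from Step 3 produced as the on-demand evidence Step 6 asks for, as an added example that is not the presentation's or Tripwire's code: every indicator is defined the same way, a population from the system of record, an exception rule stating what management has not approved, and an evidence record that names each exception so the control owner can agree with the result line by line rather than argue with a percentage. The account extract, change records, host inventory, role mapping and approval register are constructed sample data.

```python
"""Automated control-test evidence for Step 3's indicators (Step 6: evidence on demand).

Added illustration, not the presentation's or Tripwire's code. Each indicator is
defined the same way: a population (what the system of record says exists), an
exception rule (what management has not approved), and an evidence record that
lists every exception by name so the control owner can agree with the result.
Account, role, change and host data below are constructed sample data.
"""
from datetime import datetime, timezone


def indicator(name, population, is_exception, key):
    """Build one evidence record: exception count, percentage and the named items."""
    exceptions = sorted(key(item) for item in population if is_exception(item))
    total = len(population)
    pct = round(100.0 * len(exceptions) / total, 1) if total else 0.0
    return {
        "indicator": name,
        "population": total,
        "exceptions": exceptions,
        "percent": pct,
        "generated_at": datetime.now(timezone.utc).isoformat(),
    }


# Management-defined roles: which people are approved for which privilege set.
APPROVED_ROLES = {"ops_admin": {"alice", "bob"}, "dba": {"carol"}}

# Constructed extract from the production identity store: (account, role granted).
ACCOUNTS = [("alice", "ops_admin"), ("bob", "ops_admin"), ("dave", "ops_admin"),
            ("carol", "dba"), ("erin", "dba")]

# Constructed change records (change id, target) and the change-approval register.
CHANGES = [("CHG-101", "web01"), ("CHG-102", "db01"), ("CHG-103", "web02")]
APPROVED_CHANGES = {"CHG-101", "CHG-103"}

# Constructed host inventory: does each host forward logs to the central collector?
HOSTS = [("web01", True), ("web02", True), ("db01", False), ("app01", True)]


def accounts_not_matching_roles():
    return indicator(
        "% of accounts not matching management-defined roles",
        ACCOUNTS,
        lambda acct: acct[0] not in APPROVED_ROLES.get(acct[1], set()),
        key=lambda acct: f"{acct[0]}:{acct[1]}",
    )


def changes_not_approved():
    return indicator(
        "% of changes not approved by management",
        CHANGES,
        lambda chg: chg[0] not in APPROVED_CHANGES,
        key=lambda chg: chg[0],
    )


def systems_without_central_logging():
    # The slide tracks "% of systems with centralized logging"; stating it as the
    # exception rate gives the remediation report the hosts that do not forward.
    return indicator(
        "% of systems without centralized logging",
        HOSTS,
        lambda host: not host[1],
        key=lambda host: host[0],
    )


def evidence_package():
    """What Step 6 asks for: every indicator, regenerated on demand, in one place."""
    return [accounts_not_matching_roles(), changes_not_approved(),
            systems_without_central_logging()]


if __name__ == "__main__":
    for record in evidence_package():
        print(f'{record["indicator"]}: {record["percent"]}% '
              f'({len(record["exceptions"])}/{record["population"]}) {record["exceptions"]}')
```

Run on a schedule (Step 7) the same records become the trend behind the remediation report in Step 8; the point of the named exception list is that "dave holds ops_admin without approval" is something a control owner can act on, whereas "40%" is only something they can dispute.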

Page 30:

Step 7: Schedule And Conduct Regular Control Tests

Conduct tests of control effectiveness frequently enough to be able to rely on the controls regardless of variances in audit scope and timing. Ensure that your sample size is safely larger than the auditor’s.

You will find unprepared IT control owners long before the audits

“Hope is not a strategy. Trust is not a control.”

Page 31:

Step 8: Organize Metrics And Remediation Reports

Track the completion of required remediation work, ideally to be completed well in advance of the audit:

• By compliance objective
• By business process
• By control owner

This will look like a PMO status report

Page 32:

Step 9: Detect And Respond To Significant Changes To The Control Environment

Have the situational awareness to know when the information flow or control environment has significantly changed, requiring these steps to be redone

For example, when an application is changed to allow consumer data to be downloaded to desktops instead of being viewed through pre-defined application reports.

Page 33:

What Does Integration Of Security Controls Into Daily Operations Look Like?

Page 34:

Find What’s Most Important First

Page 35:

Quickly Find What Is Different…

Page 36:

Before Something Bad Happens…

Page 37:

Find Risk Early…

Page 38:

Communicate It Effectively To Peers…

Page 39:

Hold People Accountable…

Page 40:

Based On Objective Evidence…

Page 41:

Answer Important Questions…

Page 42:

Ever Increasing Situational Mastery…

Page 43:

Show Value To The Business…

Page 44:

Be Recognized For Contribution…

Page 45:

And Do More With Less…

Page 46:

Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure (recap of the Page 14 figures; source: IT Process Institute, May 2008)

Page 47:

Tripwire VIA™

VIA: Automate Compliance. Protect Sensitive Data. Eliminate Outages.

TAKE CONTROL. Tripwire™. It’s The Way…

Page 48:

Tripwire VIA™ IT Security & Compliance Automation Suite (VISIBILITY INTELLIGENCE AUTOMATION)

• Tripwire Enterprise: File Integrity Monitoring; Compliance Policy Manager; Configuration Remediation
• Tripwire Log Center: Log Manager; Security Event Manager

Page 49:

Resources

• From the IT Process Institute (www.itpi.org): both Visible Ops Handbooks; ITPI IT Controls Performance Study
• Stop by the Tripwire booth for a copy of Visible Ops Security and the “Avoiding Audit Fatigue: Nine Steps To Achieve Compliance In A Multi-Compliance World” white paper
• Follow Gene Kim on Twitter: @RealGeneKim
• Blog: http://www.tripwire.com/blog/?cat=34