Compliance: How to Manage (Lame) Audit Recommendations
Brian V. Cummings, Tata Consultancy Services Ltd
Tuesday, August 9, 2011, 1:30 p.m.
Session 9221
Security & Compliance Risk Landscape

RISK
• Hacking, Phishing, Social Engineering: sophisticated, automated, stealthy.
• Internal Fraud and Abuse: still acknowledged as the most prevalent and serious threat.
• International and Inter-Enterprise Information Theft: “information warfare” and competition is real and not confined to critical infrastructure.
• CyberX Activities (X = Crime, Terrorism, Warfare): sophisticated, automated, and stealthy; carried out by organized crime, ad hoc criminals, corporate enterprises, and international intelligence agencies with varying motivations, but all employing highly skilled hackers.
• Legal and regulatory action: privacy laws, regulations, sanctions, and penalties can jeopardize enterprise viability.
• Employees: “loose lips” and careless security behaviors.

Presentation addresses the management of Audit recommendations from the perspective of the CISO.
Security & Compliance Risk Landscape

(Same landscape as the previous slide, with one more risk added.)
• Auditors: irrelevant, time-diluting recommendations.
What do you do? What can you do?

If everyone in an entity is not pulling in the same direction, then you won’t get to where you need to be as fast as you need to be there.

• Business Alignment
• Good Information Security Practices
• ISMS Certification
• Protection, Enablement, Compliance, Productivity
What do you do? What can you do?

If everyone in an entity is not pulling in the same direction, then you won’t get to where you need to be as fast as you need to be there.

Audit Comment to CISO: “Make sure that all Ethernet ports are disabled if they are not in use to avoid unauthorized intrusion from the Intranet.”

(Beleaguered CISO)
What is wrong with that Audit Recommendation?

• Is it addressed to the person who has the authority to do something about it?
• Is it addressed to the person who can implement and operationalize it?
• What is the real risk relative to other risks the entity may face?
• Is it consistent with the security objectives of the entity and the current plan and budget?
• Is it feasible (solutions, budget, resources)?
What about your Auditor?

• Is your auditor a bully?
• Is your auditor knowledgeable?
• Is your auditor on the right page?
• What is your organization’s attitude toward audit recommendations?
How to manage (all of) your auditors

InfoSec Roadmap
• Strategic Plan
• Tactical Plan
• Budget

Risk Management Process
• Risk Assessment
• Risk Priorities

InfoSec Framework
• Strategy
• Maturity Level

Take charge and leverage the things you should be doing anyway to help manage your auditors.
How to manage (all of) your auditors

• Risk Management Program: subordinate decisions to a Risk Management process.
• InfoSec Roadmap: set/lead InfoSec planning.
• InfoSec Framework: set/lead program vision and strategy.
Information Security Framework

Vision
• Business Alignment
• Overall program strategy
• Target Maturity level

Visibility
• What resources and assets do you have?
• How important are they?
• What are the risks?

Accountability
• Ownership?
• Funding?
• Implementer?
• Operator?
• Assurer?

Sustainability
• Policy
• Standards
• Procedures
• Automation
Enterprise Security Architecture

Security Life Cycle (blue in the original diagram)
• Assess and Categorize Systems
• Select Security Controls
• Implement Security Controls
• Assess Security Controls
• Authorize System
• Monitor Security Controls

Supporting ITIL / Security Processes (green in the original diagram)
• Change/Release Management
• Secure SDLC
• Configuration Management
• ‘CIA’ Information Classification
• SIEM / Forensics
• Compliance
• Security testing and scanning
• Vulnerability Management
• Threat Management
• Incident Management

ESA (orange in the original diagram)
• Assess requirements/components with ESA
InfoSec Roadmap - Strategic

Multi-Year Planned Milestones: a grid of Program Domain (rows) against year (columns 2011, 2012, 2013, 2014, 2015).

Program Domains:
• Governance
• Compliance
• Networks
• Servers
• Desk Top
• Applications
• Data/Database
• SIEM
• Insider Threat
• Physical & Environmental
InfoSec Roadmap - Strategic

Or, if you can, plan Q by Q: the same Program Domain rows (Governance, Compliance, Networks, Servers, Desk Top, Applications, Data/Database, SIEM, Insider Threat, Physical & Environmental) against 2011, 2012 and 2013 broken into quarters (Q1–Q4), with the later years (2014, 2015) planned as H1/H2 and a full-year column.
InfoSec Roadmap - Tactical

For the current year: planned and budgeted milestones, allowing for long-term projects. The same Program Domain rows (Governance, Compliance, Networks, Servers, Desk Top, Applications, Data/Database, SIEM, Insider Threat, Physical & Environmental) are laid out against 2011, 2012 and 2013 by quarter (Q1–Q4), followed by H1/H2 and full-year columns.
Risk Management Program

Inputs to the Risk Assessment:
• Asset Identification & Valuation
• Requirements: Business, Legal / Contractual, Security
• Threat & Vulnerability Assessment

Risk Assessment → Selection of Controls (ISO 27001) → Implementation of Controls

All within the Information Security Management System (ISMS).
Auditor Buy-In

First Best Thing To Do
Second Best Thing To Do
Audit Briefing Paper
Get Auditor Input and Approval
Summary: Manage Your Auditors

• Establish a collaborative relationship
• Leverage your good practices (or establish same)
• Communicate frequently