powerpoint template - isaca riyadh
Governance, Risk, Compliance and Managed Services
19/12/2009 Presenter: Samer Omar, I(TS)2 General Manager
CISSP, CISA, CCSP, CISM, C|EH, ISO 27001 Lead Auditor, QSA
Agenda
1. Overview GRC - Governance, Risk & Compliance
2. Governance
3. Risk Management
4. Compliance
5. GRC and Best Practices/Standards
6. Managed Security and Risk Management Services
GRC
GRC (Governance, Risk and Compliance) is the coordination of the People, Policies, Procedures and Products involved in each of these three areas across an enterprise.
GRC Goals
1. Help coordinate efforts among a wide variety of organization roles, allowing them to leverage a common framework and technology infrastructure.
2. Provide better visibility into a company's risk posture.
Driving Factors for GRC
• Regulatory mandates
• The emergence of new forms of risk
• Growing stakeholder focus on managing these risks
IT GRC
IT GRC helps organizations create:
• IT efficiencies
• A holistic view of the IT environment
• Greater IT accountability
Benefits of IT GRC
• 94% reduction in the loss or theft of data
• 80% fewer business losses from IT disruptions
• 52% lower spending on annual audit-related expenses
• 10% more revenue
• 9% higher profits
• 9% better customer retention
Top 5 Practices for IT GRC
1. A balanced scorecard to measure results
2. Risk- and reward-based objectives, policies, and incentives
   – Data theft and loss
   – IT service failures or interruptions
   – Regulatory compliance
   – Disaster recovery procedures
   – Legal discovery requests
3. Risk prevention and the automation of controls
4. Continuous measurement, assessment, and reporting
5. Quality control and continuous improvement
IT Governance
IT Governance is a subset discipline of Corporate Governance focused on Information Technology (IT) systems and their performance and risk management. It ensures the alignment of IT with enterprise objectives.
IT Governance Discipline
The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization.
It highlights the importance of IT-related matters and states that strategic IT decisions should be owned by the corporate board, rather than by the CISO/CSO or other IT managers.
IT Governance Goals
The primary goals for Information Technology Governance:
• Aligning IT strategy with the business strategy
• Cascading strategy and goals down into the enterprise
• Providing organizational structures that facilitate the implementation of strategy and goals
• Insisting that an IT control framework be adopted and implemented
• Measuring IT performance
IT Risk Management
IT Risk Management encompasses all IT-related risks, including:
• IT Governance risks
• Relational risks
• Business disruption risks
• Technology risks
IT Risk Management Process
The process is a cycle of the following activities:
• Determine acceptable risk
• Assess risks
• Define security requirements
• Measure security solutions
• Design and build security solutions
• Operate and support security solutions
Roles involved:
• Executive Sponsor: "What's important"
• Information Security: "Prioritize risks"
• IT Group: "Best control solution"
IT Compliance
IT compliance refers to two areas: how well a company follows its own rules (internal compliance), and how well a company follows the rules imposed on it by outside groups (external compliance). Both are important and can impose restrictions on a business.
Compliance management encompasses the:
• Maintenance
• Implementation
• Testing
• Remediation
• Reporting
of the set of technical, procedural, and mitigating controls.
Compliance Stakeholders
What are the compliance needs of these stakeholders?
Stakeholders: Business Management, IT Audit, IT Operations, IT Security
• Consolidate security data
• Proactively identify threats
• Prioritize IT risks
• Assign and verify remediation
• Security & compliance summary metrics
• Reduce costs of reporting
• Identify areas of risk to the LOB
• Reduce audit costs
• Automated view into security data
• Automate risk & regulatory reporting
• Prioritize and track remediation
• Utilize existing remediation tools
• Closed-loop workflow
Compliance is Difficult
There are tough challenges in meeting the requirements of a variety of regulations & standards. Complying with these regulations & standards is the real challenge.
GRC Implementation - Standards & Best Practices
Some of the well known frameworks developed to guide the implementation of GRC are:
• COBIT: Control Objectives for Information and related Technology
• ITIL/ISO 20000: A detailed framework with hands-on information on how to achieve successful operational Service Management of IT
• ISO/IEC 27001: A set of best practices for organizations to follow to implement and maintain a security program
What is COBIT?
• Regarded as the world's leading IT governance and control framework. It achieves this by providing tools to assess and measure the performance of the 34 IT processes of an organization.
• Globally accepted as the most comprehensive work for IT governance and organization, as well as IT process and risk management.
• Provides good practices for the management of IT processes in a manageable and logical structure.
COBIT
COBIT core components include:
• Framework with high-level control objectives
• Management guidelines
• Detailed control objectives
• Audit guidelines
COBIT Processes & Domains
The 34 IT processes are grouped into four domains:
PLANNING AND ORGANISATION
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation & relationships
PO5 Manage the IT investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality
ACQUISITION AND IMPLEMENTATION
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain procedures
AI5 Install and accredit systems
AI6 Manage changes
DELIVERY AND SUPPORT
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Assist and advise customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations
MONITORING
M1 Monitor the processes
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit
ITIL
Developed by the Office of Government Commerce (UK), ITIL is intended to assist organizations to develop a framework for IT Service Management.
IT Service Management is:
• A top-down, business-driven approach to the management of IT that specifically addresses
  o the strategic business value generated by the IT organization
  o the need to deliver a high quality IT service.
• Designed to focus on the people, processes and technology issues that IT organizations face.
ISO 20000 Standards
ISO/IEC 20000-1:2005 is the formal Specification and defines the requirements for an organization to deliver managed services of an acceptable quality for its customers.
ISO/IEC 20000-2:2005 is the Code of Practice and describes the best practices for Service Management processes within the scope of ISO/IEC 20000-1. The Code of Practice will be of particular use to organizations preparing to be audited against ISO/IEC 20000 or planning service improvements.
What Is ISO 27001?
• An internationally recognized structured methodology dedicated to information security
• A management process to evaluate, implement and maintain what is called an Information Security Management System (ISMS)
• A comprehensive set of controls comprised of best practices in information security
• Applicable to all industry sectors
• Emphasis on prevention
• NOT a technical standard
• NOT product or technology driven
• NOT an equipment evaluation methodology (e.g. Common Criteria/ISO 15408)
ISO 27001 Domains
The standard comprises 11 domains, 39 control objectives (specific aims and focus) and 133 control statements. The domains are:
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Business Continuity Management
• Compliance
• Information Security Incident Management
Global Regulations & Standards
There are some other global regulations & standards that can assist in the implementation of GRC:
• Payment Card Industry - PCI
• Sarbanes-Oxley
• Health Insurance Portability and Accountability Act - HIPAA
Payment Card Industry - PCI
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
PCI DSS was announced in September 2004
• Collaboration between VISA and MasterCard
• Offers a single approach to safeguarding sensitive data for all card brands.
PCI Overview
Applies to
• all merchants that "store, process, or transmit cardholder data"
• all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
Includes 12 requirements, based on
• administrative controls (policies, procedures, etc.)
• physical security (locks, physical barriers, etc.)
• technical security (passwords, encryption, etc.)
Sarbanes-Oxley
The Sarbanes-Oxley Act (SOX) was designed to restore investor confidence following the outbreak of corporate scandals and bankruptcies around 2000. Currently SOX is only applicable to publicly traded companies under the jurisdiction of the SEC, but some states are pushing for application to large non-profit organizations.
SOX also outlines the responsibilities of the accounting firms:
• Section 204 - Auditors must report all critical accounting policies and practices to the firm's audit committee.
• Section 203 - The lead audit and reviewing partner must rotate off the audit every 5 years.
• Section 201 - Prohibits any public accounting firm from providing non-audit services to a firm while auditing it. These services include bookkeeping, appraisal, and others (excludes tax preparation).
HIPAA
Health Insurance Portability and Accountability Act - HIPAA
Department of Health and Human Services - Health Insurance Reform: Security Standards; Final Rule (2003)
• This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers.
• This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA
HIPAA regulations were designed to:
1. Protect individuals' rights to privacy and confidentiality
2. Assure the security of electronic transfer of personal information
The scope includes:
• Administrative safeguards
• Physical safeguards
• Technical safeguards
• Organizational requirements
• Policies and procedures and documentation requirements
Saudi Arabia Regulations & Standards
Local regulations & standards that can assist in the implementation of GRC:
• "Cyber Crime Act" - Released by the Saudi Cabinet, March 26th, 2007
• "Tadawul" Information Security Requirements
• "SAMA" Regulations
• "CITC"
European Regulations & Standards
• European Data Protection Directive - EU
• Data Protection Act 1998 (DPA) - UK
• Computer Misuse Act 1990 - UK
• The Federal Data Protection and Information Commissioner (FDPIC) - Switzerland
• Commission for the Protection of Privacy - Belgium
• The Data Inspection Board - Sweden
• Data Protection Commissioner - Ireland
• Act on Personal Protection of Data - Poland
Managed Services
Managed Services is the practice of transferring day-to-day related management responsibility as a strategic method for improved effective and efficient operations.
IT Managed Services Provider
An information technology (IT) services provider who manages and assumes responsibility for providing a defined set of services to their clients, either proactively or as they (not the client) determine that the services are needed.
MSS Drivers
Three main drivers are pushing enterprises and businesses to external service providers for help in managing security threats:
1. Increasing distribution of IT assets across geographically dispersed operations
2. Increasing sophistication and proliferation of security threats
3. Lack of adequate training to tackle the problem internally
The MSS Value Proposition in a Nutshell
• Today's value proposition
  • Getting more value out of existing technology investments
  • Achieving, monitoring, and maintaining regulatory and industry compliance
  • Improving security while lowering operational costs
• Tomorrow's value proposition
  • Proactively preventing intrusions
  • Advanced algorithms for data mining and behavioral modeling (versus signatures)
  • Ability to demonstrate effectiveness of solution
[Figure: MSS evolution timeline (1997, 2002, 2005, 2010) with phases "Filling Skill Gaps", "Operational Excellence", "Intelligence & Control" and market segments "Small/Med Enterprise", "Large Enterprise", "Enterprise/Telco"]
Managed Services Benefits
• Customer peace of mind - network monitored proactively on a 24x7x365 basis
• Single point of contact for all network issues
• Single supplier instead of multiple vendors
• Defined Service Levels (for service delivery)
• Known costs for management & fixed price contracts
• Avoid costs of building own management & reporting systems
• Lower Total Cost of Ownership (TCO) for client
[Figure: Central Console; labels: Business Intelligence; Executive & Operations Dashboards; Historical & Trend Reporting; Security Monitoring & Management; Service, SLA & Process; End-to-End Service & Process Visibility]
End-to-End Managed and Support Services
[Figure: "Proactive Awareness: Increased Visibility and Control" - service tiers plotted against Business Requirements, from In Sourcing / Self Manage to Out tasking / Management]
• Support: SecureCall, SecureAssesst
• Proactive (24x7 Monitoring and Analysis): SecureWatch
• Managed (Managed Security): SecureManage
Outsourcing Managed Security Services
Investment decisions about information security are best considered in the context of managing business risk. Risks can be:
• accepted
• mitigated
• avoided
• transferred
Outsourcing selected managed security services (MSS) by forming a partnership with a Managed Security Service Provider (MSSP) is often a good solution for transferring information security responsibility and operations.
MSSP Security Services
MSSP services may include:
• Network boundary protection, including managed services for firewalls, intrusion detection systems (IDSs), and virtual private networks (VPNs)
• Security monitoring (may be included in network boundary protection)
• Incident management, including emergency response and forensic analysis (this service may be in addition to security monitoring)
• Vulnerability assessment and penetration testing
• Anti-virus and content filtering services
• Information security risk assessments
• Data archiving and restoration
• On-site consulting