View
3.623
Download
0
Category
Preview:
DESCRIPTION
Citation preview
Integrated Compliance Framework
Dave Barnett, CISSP, CISM, CSDP, CSSLP
Dave.Barnett@computer.org
Sarbanes Oxley
◦ Financial reporting accuracy
Health Insurance Portability & Accountability Act (HIPAA)
◦ Medical information for employee benefits
Privacy
◦ European Union Data Protection Directive
◦ Canada
◦ Japan
◦ California Senate Bill 1386 (plus 25 other states)
FDA
◦ 21 CFR Part 11 and Good Manufacturing Practice (GMP)
Some Compliance Requirements…
Federal Trade Commission
◦ Consumer protection
Credit Card regulations
◦ Payment Card Industry (PCI) required by VISA CISP, MasterCard SDP, and
Amex Data Security Requirement
Trade Compliance
◦ Custom Trade Partnership Against Terrorism (C-TPAT)
◦ Export of materials and technology to restricted companies
Environmental Health and Safety (EH&S)
◦ Hazardous materials handling and transportation
◦ DEA
◦ OSHA
Continued…
Litigation
◦ eDiscovery
Intellectual Property (IP)
◦ Patents and Patent infringement litigation
Certifications
◦ ISO 9001
◦ ISO 17799 / ISO 27001
◦ BS 15000 / ISO 20000
Continued…
Emerging legal standard for security* T.J. Hooper case, 60 F.2d 737 (2d Cir. 1932)**
◦ In 1928, the tug boat T.J. Hooper sank in a storm. The cargo owners sued, saying the tugboat captain should have known a storm was coming.
◦ Tug owner said only way to know was to have a radio on board, which was not common practice, and not required by any law.
◦ However, Judge agreed with cargo owners – the tug owners should have had a radio on board, even though it was not required. The lack of a radio made the tug unseaworthy.
Legal Strategy for Compliance
* See http://www.bakerinfo.com/ecommerce/newlawis.pdf and http://www.bakerinfo.com/ecommerce/ISLEGAL.PDF
** From Tom Smedinghoff, Baker & McKenzie, at RSA 2006 presentation LAW-104
Identify the assets to be protected Conduct risk assessment
◦ See http://en.wikipedia.org/wiki/United_States_v._Carroll_Towing_Co. Develop and implement a security program
◦ That is responsive to the risk assessment◦ Must be in writing◦ Reasonable, appropriate, suitable, necessary, adequate
Address third parties◦ Contractors, customers, suppliers, business partners, and
providers of outsourced services Due diligence, contractual obligation, monitoring and auditing
Continually monitor, reassess, and adjust the program
Compliance Strategy*
* From Tom Smedinghoff, Baker & McKenzie, at RSA 2006 presentation LAW-104
There is considerable overlap (~ 80%) for all security and privacy related compliance requirements
These and other requirements typically need documented and implemented good processes◦ “Say what you do, do what you say”
Follow compliance strategy◦ Identify information assets to be protected◦ Follow a risk management process
For example, NIST SP 800-30 http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
How do we handle all of these compliance requirements?
Following industry standards is a good start◦ Provides a defensible position against regulation and
litigation◦ Best practices are beneficial and defensible
Recent revisions of standards include risk management ◦ COSO ERM
COSO + Risk Management◦ CobiT 4.0◦ ISO 17799:2005
Create Defensible Position
Adopt current industry standards◦ But get ahead of the curve where possible◦ Document and follow process◦ Include risk management as a best practice
Make sure processes are:◦ Effective◦ Efficient◦ Auditable
Good Practice, Good Process
Three levels of frameworks, each operating at different degree of detail and scope, that together provide a set of controls and governance for IT Regulatory Compliance
Each level down provides more detail and greater scope
◦ Level 1: COSO Enterprise Risk Management (ERM) Organization wide controls
Endorsed by the SEC for Sarbanes-Oxley
◦ Level 2: CobiT® 4.x IT wide controls relating to COSO ERM
PO9 and DS5.2
◦ Level 3: Subject matter specific controls and best practices, e.g. ITIL SM (for AI6, DS9, DS10)
IT Service Delivery
ISO 17799:2005 (for DS5)
IT Security
ISO 15288:2002 (for AI2, AI3, AI7)
System Development Life Cycle
PMI PMBOK (for PO10)
Project Management
Six Sigma (for PO8)
Integrated Compliance Framework
ITIL (Information Technology Infrastructure Library)◦ Republished in 2002 as British Standard 15000, IT
Service Management Part 1 is specification for certification Part 2 is code of practice
◦ Republished in 2005 as ISO 20000, Information Technology Service Management Part 1 is specification for certification Part 2 is code of practice
Compliance Standards Harmonization
ISO 17799 ◦ Originally British Standard 7799
Part 1 is code of practice Part 2 is specification for certification
◦ Satisfies CobiT® DS5 - Ensure Systems Security◦ ISO 17799:2005 is the code of practice
Required for BS15000:2 and ISO 20000:2◦ Part 2 of BS 7799 (specification for certification)
republished as ISO 27001:2005 Required for BS15000:1 and ISO 20001:1
Compliance Standards Harmonization
ISO 9001◦ Quality Management Systems -Requirements
ISO 27001 satisfies ISO 9001 for Systems Security BS15000:1, ISO 20000:1, and ISO 20000:2 satisfy ISO 9001 for service
management CobiT® 4.0 (2005)
◦ Harmonized with ITIL, ISO 9001, ISO 17799, and CMM Six Sigma
◦ ISO 27001, ISO 20000:1, and ISO 20000:2 use PDCA (Deming Cycle), a learning model used in Six Sigma and other Quality Programs
◦ Provides tools for Quality Management Systems◦ Continuous improvement keeps us ahead of the curve and
satisfies monitoring and assessment requirement for legal process.
Compliance Standards Harmonization
Committee of Sponsoring Organization (COSO) of the Treadway Commission (http://www.coso.org/),
“Enterprise Risk Management – Integrated Framework” (http://www.coso.org/Publications/ERM/COSO_ERM.ppt)
Enterprise risk management is:◦ A process, ongoing and flowing through an organization◦ Effected by people at every level of an organization◦ Applied across the enterprise, at every level and unit, and
includes taking an entity level portfolio view of risk◦ Able to provide reasonable assurance to an entity’s
management and board of directors
Level 1: COSO ERM
Eight interrelated COSO components, derived from the way management runs a business
Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
COSO ERM Components
Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
COSO ERM Components
Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
COSO ERM Components
Control Objectives for Information and related Technology (CobiT)
(http://www.isaca.org/cobit.html) Covers all controls within or relevant to IT
organization
Level 2: CobiT® 4.x
PO1 Define a Strategic IT Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organization and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality
◦ Six Sigma◦ Standards Process
PO9 Assess and Manage IT Risks PO10 Manage Projects
◦ PMBOK
Level 2: CobiT® 4.x Plan and Organize (PO)
AI1 Identify Automated Solutions AI2 Acquire and Maintain Application Software*
◦ SDLC AI3 Acquire and Maintain Technology Infrastructure*
◦ SDLC AI4 Enable Operation and Use* AI5 Procure IT Resources AI6 Manage Changes*
◦ ITIL AI7 Install and Accredit Solutions and Changes
◦ SDLC
• *Priorities for Sarbanes Oxley
Level 2: CobiT® 4.x Acquire and Implement (AI)
DS1 Define and Manage Service Levels* DS2 Manage Third-party Services* DS3 Manage Performance and Capacity DS4 Ensure Continuous Service DS5 Ensure Systems Security*
◦ ISO 17799:2005 / 27001:2005 DS6 Identify and Allocate Costs DS7 Educate and Train Users DS8 Manage Service Desk and Incidents DS9 Manage the Configuration*
◦ ITIL DS10 Manage Problems*
◦ ITIL DS11 Manage Data* DS12 Manage the Physical Environment DS13 Manage Operations*
Level 2: CobiT® 4.x Deliver and Support (DS)
ME1 Monitor and Evaluate IT Performance ME2 Monitor and Evaluate Internal Control ME3 Ensure Regulatory Compliance ME4 Provide IT Governance
Level 2: CobiT® 4.x Monitor and Evaluate (ME)
ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world. (http://www.ogc.gov.uk/)◦ provides a cohesive set of well defined best practices,
drawn from the public and private sectors internationally. It is supported by a comprehensive qualification scheme,
accredited training organizations, and implementation and assessment tools.
Addresses and extends CobiT level of compliance framework: ◦ AI6 Manage Changes*◦ DS9 Manage the Configuration*◦ DS10 Manage Problems*
AKA BS 15000, or ISO 20000
Level 3: ITIL
Guidelines and certification for IT Security Program◦ “Information security is the protection of information from
a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”
Address and extends CobiT level of compliance framework: ◦ DS5 Ensure Systems Security*
Required for BS 15000 and ISO 20000 security AKA BS 7799, or ISO 27001
Level 3: ISO 17799
Project Management Body of Knowledge from PMI http://www.pmibookstore.org/PMIBookStore/productDetails.aspx?itemID=358&varID=1
Describes best practices for Project Management
Addresses and extends CobiT level of compliance framework: ◦ PO10 Manage projects
IEEE 1490-2003, Adoption of PMI Standard: A Guide to the Project Management Body of Knowledge http://webstore.ansi.org/ansidocstore/product.asp?sku=IEEE+Std+1490%2D2003
Level 3: PMBOK
ISO 15288:2002 is a compendium of standards and best practices for systems and software development life cycle methodologies◦ http://www.15288.com/
Addresses and extends CobiT level of Compliance Framework:◦ AI2 Acquire and Maintain Application Software*◦ AI3 Acquire and Maintain Technology
Infrastructure*◦ AI7 Install and Accredit Solutions and Changes
Level 3: System Development Life Cycle
Six Sigma is a disciplined, data driven approach and methodology for eliminating defects and improving quality◦ http://www.isixsigma.com/sixsigma/six_sigma.asp
Addresses CobiT level of Compliance Framework◦ PO8 Manage Quality
Level 3: Six Sigma
The Compliance Framework consists of generally accepted industry standards and risk management practices at multiple levels, to meet requirements for a security program in an effective, efficient, and auditable manner.
Summary
Recommended