© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
14854_10_2008_c1
Holistic Approach to Information Security
Greg Carter, Cisco Security Services Product Manager
Examining the Threat Landscape
Risk
Risk
Risk
Risk
Source: www.privacyrights.org
The Twin Information Security Challenges: How to Manage Both with Limited Resources?
Information security threats
Rapidly evolving threats
Many distinct point solutions
How to best protect IT confidentiality, integrity, and availability
Information security compliance obligations
Many separate but overlapping standards
Regulatory: SOX, HIPAA, GLBA, state and local
Industry: PCI, HITRUST
Customer: SAS70, ISO 27001
How Have These Information Security Challenges Evolved?
Each era adds a new enterprise focus on top of the previous one: IT Security, then IT Compliance, then IT Risk.
Era              | Enterprise Focus                          | Enterprise Response
1990s            | IT Security: What Happened?               | Security Products
2000s            | IT Compliance: Is There an Audit Trail?   | Siloed Compliance and Security Programs
Today and Future | IT Risk: How to Manage Risk?              | Integrated Compliance and Security Programs
Organizations Continue to Struggle:
Addressing Information Security Threats and Compliance
How to prioritize limited resources
How to be most effective
How to reduce the cost
Most Organizations Have Addressed These Challenges with Siloed Efforts, Resulting in:
High costs
Fragmented teams
Redundancies
Unknown risks
Solution: Address Information Security Challenges Through One Program
Risk Management: How to determine the likelihood and impact of business threats, and how to use a systematic approach, based on the organization's risk tolerance, to prioritize the resources used to deal with those threats
Governance: How we set policies to achieve our strategic objectives and address risk and how we set up the organizational structures and processes to see that the policies are executed successfully
Compliance: How we establish the controls needed to meet our governance objectives and how we validate the effectiveness of those controls
Common Control Framework: A unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously
IT Governance, Risk Management, and Compliance (IT GRC)
What Does It Mean to Address Information Security Through IT GRC?
(Diagram: a Common Control Framework at the center of a continuous cycle of Implement, Operate, Monitor, and Update)
Inputs to the framework:
Risk Assessment: asset inventory; security compliance; threats; vulnerabilities
Business Drivers: company vision and strategy; contractual requirements
External Authority Documents: regulations; industry standards; international standards and control models
Output: Business Value
Value of the IT GRC Approach
IT GRC delivers dramatic business value
Revenue: 17% higher
Profit: 14% higher
Audit costs: 50% lower
Loss from loss of customer data: 96% lower
Business disruptions from IT: 50x less likely
Customer retention: 18% higher
For companies with the most mature IT GRC programs. Source: IT Policy Compliance Group 2008
Maximize reduction in IT security risk with available resources
Risk-based, business-focused decisions and resource prioritization
Raise visibility of comprehensive security posture
Use internationally recognized best practices
Reduce cost of compliance
One set of controls to implement and manage
One program to govern
Many Compliance standards addressed
Where Do I Start with IT GRC?
Four phases: Define, Assess, Remediate, Maintain
Define Common Control Framework:
• Identify compliance obligations
• Asset inventory
• Evaluate threats and vulnerabilities
• Understand business requirements
• Risk assessment
Assess Control Implementation for Presence and Effectiveness:
• Policy controls
• Process controls
• Technical controls
Identify and Prioritize Gaps
Remediate Control Gaps:
• Define and publish policies
• Develop processes
• Deploy security technology solutions
• Train employees
Maintain Controls and Framework:
• Operate and monitor technical controls
• Maintain subscriptions
• Periodic assessments
• Evolve solutions as needed
Step One: Define Common Control Framework
Inventory IT assets
Identify threats, vulnerabilities, and associated controls
Best practices: ISO 27002
Compliance: PCI, SOX, HIPAA, GLBA, etc.
Business, legal, contractual
Assess risk
Consolidate into a Common Control Framework (CCF)
Map common controls from each source
Eliminate duplication of overlapping controls
Control Objectives Covered by ISO 27002
Security policy
Asset management
Information classification
Data loss prevention
Identity management
Access control
Physical security
HR security
Network security management
Vulnerability management
Email security
Security event and incident management
Security for software development, deployment and maintenance
Business continuity management
Compliance
Mapping Multiple Control Sources into a Common Control Framework (CCF)
Best Practice Frameworks:
COBiT
Controls for IT governance
ISO 27002
Subset of IT controls
Focused on security
Mapped to COBiT controls
ITIL
Subset of IT controls
Focused on process
Mapped to ISO
Mapping Multiple Control Sources into a Common Control Framework (CCF)
Compliance Standards:
HIPAA, SOX, PCI
And others (this is just a sample)
Many overlapping controls
De-duplicated
Mapping Multiple Control Sources into a Common Control Framework (CCF)
Business, Legal, Contractual: controls required by specific business needs
(Diagram: COBiT, ISO 27002, ITIL, HIPAA, SOX, PCI, and Business/Legal/Contractual control sources overlapping into one framework)
Mapping Multiple Control Sources into a Common Control Framework (CCF)
Result: Customized CCF:
Security best practices
Applicable compliance standards
Business requirements
Step Two: Assess Control Implementation
Three Types of Controls Must Be Assessed for Presence and Effectiveness
Policy controls
High level to detailed security policies
Technical controls
Assessed based on security architecture best practices
Validated with active testing
Process and employee readiness controls
Are the processes well designed?
Are the processes followed?
Step Three: Remediate Control Gaps
Control Gaps Should Be Prioritized for Remediation Based on Business Risk
Policy controls
Development of new or enhancement of existing security policies
Technical controls
Deploy new security technology solutions
Identify controls eligible for outsourcing
Identify needed subscriptions for security intelligence and signatures
Process and employee readiness controls
Develop processes
Train employees
Design ongoing awareness program
Step Four: Maintain Controls
Governance of the Program Is Accomplished Through Maintaining the Controls and the Framework Itself
Ongoing maintenance of technical controls
Operate: ongoing monitoring and management
Optimize: tune and evolve security solutions as needed
Periodic assessments of all controls
For changes in control needs: threats, compliance, business
For control effectiveness: policy, technical, process
Evolve controls and CCF as needed
Prioritize gaps
Update CCF and controls
How Can Cisco Help with IT GRC?
IT GRC Information Security Services* (covering the Define, Assess, Remediate, and Maintain phases)
Security Control Assessment Services:
• Security Policy Assessment
• Network Security Architecture Assessment
• Security Posture Assessment
• Security Process Assessment
• Security control development and deployment services
• Security intelligence content subscriptions
• Cisco self-defending network solutions
• Security remote management services
• Security optimization service
• Security control assessment and remediation services
*Services available from Cisco and Cisco certified partners