7/29/2019 Proactive Compliance Through Information Systems Risk Management (166345700)
http://slidepdf.com/reader/full/proactive-compliance-through-information-systems-risk-management-166345700 1/22
Proactive Compliance through Information Systems Risk Management
Michele Dickinson & Jon Hanny | January 12, 2010
PRESENTERS:
Michele L. Dickinson, Information Security Officer, CISA, MSIS, Widener University
Jonathan Hanny, Application Security Specialist, CISSP, GSLC, CRISC, The George Washington University
Definitions

Compliance: Compliance is the process of ensuring adherence to security policies*. These policies can be internal, legislative or regulatory.

Information Systems Risk Management: Information Systems Risk Management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.
Objectives
• What is Information Systems Risk Management?
• Why is ISRM needed?
• How can ISRM impact compliance requirements?
• How can ISRM impact proactive security?
• Where does ISRM fit?
• How do I implement ISRM?
What is Information Systems Risk Management?
ISRM Overview

Risk Management Framework (Security Life Cycle, NIST SP 800-53 rev2):
• Starting Point: Categorize Information System (FIPS 199 / SP 800-60)
• Select Security Controls (FIPS 200 / SP 800-53)
• Supplement Security Controls (SP 800-53 / SP 800-30)
• Document Security Controls (SP 800-18)
• Implement Security Controls (SP 800-70)
• Assess Security Controls (SP 800-53)
• Authorize Security Controls (SP 800-37)
• Monitor Security Controls (SP 800-37 / SP 800-60)
Considerations
• Consider your organization's needs
• Consider regulatory requirements
• Consider existing best practices
• Consider your staffing and budget
• Consider your geographic location
Why is ISRM necessary?
ISRM IS NEEDED
• To meet regulatory compliance requirements
• To support the Risk Appetite of the organization
• To prevent the loss of PII
• To prevent a security incident and loss of “consumer confidence”
• To prevent negative press
How can ISRM impact compliance requirements?
ISRM & Compliance
• Security policies drive implementation, based on legislative or regulatory requirements
• Definition of critical data
• Evaluation of current business processes
• Continuous monitoring and risk assessments
Compliance Intersections

Control areas:
• Policy
• Access Controls
• Confidential data defined
• Physical security over confidential data
• Network segmentation
• Security over 3rd parties
• Data Classification
• Training
• Incident Response

Regulations:
• HIPAA
• GLBA
• Identity Theft
• PCI-DSS
• Mass. Identity Theft
How can ISRM impact Proactive Security?
Security Approaches
Risk Management Framework

Characteristics:
• Near real-time risk management …through the implementation of robust continuous monitoring processes
• Provides emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems
• Establishes responsibility and accountability for security controls
Starting Points
• Identify governance: security committee with executive oversight
• Perform risk assessment
• Establish a proactive security model for visibility and continuous assessment
Where does ISRM fit?
Integrate into SDLC
How do I implement ISRM?
How to Implement ISRM
• Executive buy-in is a “Must have”
• Identify stakeholders & ISRM committee
• Categorize Information
• Clearly define Policies, Processes, & Procedures to support the Organization
• Promote ISRM as a valuable service to the entire organization
What did you think?

Your input is important to us! Click on “Evaluate This Session” on the Mid-Atlantic Regional program page.

Thank you!

Presenter Contact Information:
M. L. Dickinson, Information Security Officer, Widener University, (610) 499-1044
Jonathan Hanny, Application Security Specialist, The George Washington University, (703) 726-4469
THANK YOU