© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Document 14854_10_2008_c1
Holistic Approach to Information Security
Greg Carter, Cisco Security Services Product Manager

Examining the Threat Landscape
[Chart slide: risk by threat source. The chart and its source citation were not captured in the transcript.]

The Twin Information Security Challenges: How to Manage Both with Limited Resources?

• Information security threats
  Rapidly evolving threats
  Many distinct point solutions
  How to best protect IT confidentiality, integrity, and availability
• Information security compliance obligations
  Many separate but overlapping standards
  Regulatory: SOX, HIPAA, GLBA, state and local
  Industry: PCI, HITRUST
  Customer: SAS 70, ISO 27001

How Have These Information Security Challenges Evolved?

Era               Enterprise focus (cumulative)              Question asked             Enterprise response
1990s             IT Security                                What happened?             Security products
2000s             IT Security + IT Compliance                Is there an audit trail?   Siloed compliance and security programs
Today and future  IT Security + IT Compliance + IT Risk      How to manage risk?        Integrated compliance and security programs

Organizations Continue to Struggle: Addressing Information Security Threats and Compliance

• How to prioritize limited resources
• How to be most effective
• How to reduce the cost

Most organizations have addressed these challenges with siloed efforts, resulting in high costs, fragmented teams, redundancies, and unknown risks.

Solution: Address Information Security Challenges Through One Program
IT Governance, Risk Management, and Compliance (IT GRC)

• Risk Management: how to determine the likelihood and impact of business threats and use a systematic approach, based on the organization's risk tolerance, to prioritize resources for dealing with those threats
• Governance: how we set policies to achieve our strategic objectives and address risk, and how we set up the organizational structures and processes that see those policies executed successfully
• Compliance: how we establish the controls needed to meet our governance objectives and how we validate the effectiveness of those controls
• Common Control Framework: a unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously

What Does It Mean to Address Information Security Through IT GRC?
[Diagram slide. A lifecycle of Implement, Operate, Monitor and Update surrounds the Common Control Framework. Inputs shown: Risk Assessment (Asset Inventory, Threats, Vulnerabilities), Contractual Requirements, Company Vision and Strategy, Business Drivers, Regulations, Industry Standards, External Authority Documents, International Standards and Control Models. Outputs shown: Security, Compliance, Business Value.]

Value of the IT GRC Approach

IT GRC delivers dramatic business value. For companies with the most mature IT GRC programs (source: IT Policy Compliance Group, 2008):
  Revenue: 17% higher
  Profit: 14% higher
  Customer retention: 18% higher
  Audit costs: 50% lower
  Loss from loss of customer data: 96% lower
  Business disruptions from IT: 50x less likely

• Maximize reduction in IT security risk with available resources
  Risk-based, business-focused decisions and resource prioritization
  Raise visibility of the comprehensive security posture
  Use internationally recognized best practices
• Reduce cost of compliance
  One set of controls to implement and manage
  One program to govern
  Many compliance standards addressed

Where Do I Start with IT GRC?
[Cycle of four phases: Define, Assess, Remediate, Maintain.]

• Define the Common Control Framework:
  Identify compliance obligations
  Asset inventory
  Evaluate threats and vulnerabilities
  Understand business requirements
  Risk assessment
• Assess control implementation for presence and effectiveness:
  Policy controls
  Process controls
  Technical controls
  Then identify and prioritize gaps
• Remediate control gaps:
  Define and publish policies
  Develop processes
  Deploy security technology solutions
  Train employees
• Maintain controls and framework:
  Operate and monitor technical controls
  Maintain subscriptions
  Periodic assessments
  Evolve solutions as needed

Step One: Define Common Control Framework

• Inventory IT assets
• Identify threats, vulnerabilities, and associated controls
  Best practices: ISO
  Compliance: PCI, SOX, HIPAA, GLBA, etc.
  Business, legal, contractual
• Assess risk
• Consolidate into a Common Control Framework (CCF)
  Map common controls from each source
  Eliminate duplication of overlapping controls

Control Objectives Covered by ISO

• Security policy
• Asset management
• Information classification
• Data loss prevention
• Identity management
• Access control
• Physical security
• HR security
• Network security management
• Vulnerability management
• … security
• Security event and incident management
• Security for software development, deployment and maintenance
• Business continuity management
• Compliance

Mapping Multiple Control Sources into a Common Control Framework (CCF)
[Venn diagram: COBiT, ISO, ITIL.]

Best practice frameworks:
• COBiT: controls for IT governance
• ISO: subset of IT controls, focused on security, mapped to COBiT controls
• ITIL: subset of IT controls, focused on process, mapped to ISO

Mapping Multiple Control Sources into a Common Control Framework (CCF)
[Venn diagram: COBiT, ISO, ITIL, HIPAA, SOX, PCI.]

Compliance standards:
• HIPAA, SOX, PCI
• And others (this is just a sample)
• Many overlapping controls, de-duplicated

Mapping Multiple Control Sources into a Common Control Framework (CCF)
[Venn diagram: COBiT, ISO, ITIL, HIPAA, SOX, PCI, plus Business, Legal, Contractual.]

• Controls required by specific business needs (business, legal, contractual)

Mapping Multiple Control Sources into a Common Control Framework (CCF)
[Venn diagram: COBiT, ISO, ITIL, HIPAA, SOX, PCI, Business, Legal, Contractual, with the overlap highlighted as the CCF.]

Result: a customized CCF covering
• Security best practices
• Applicable compliance standards
• Business requirements

Step Two: Assess Control Implementation
Three types of controls must be assessed for presence and effectiveness:

• Policy controls
  High-level to detailed security policies
• Technical controls
  Assessed against security architecture best practices
  Validated with active testing
• Process and employee readiness controls
  Are the processes well designed?
  Are the processes followed?

Step Three: Remediate Control Gaps
Control gaps should be prioritized for remediation based on business risk.

• Policy controls
  Development of new, or enhancement of existing, security policies
• Technical controls
  Deploy new security technology solutions
  Identify controls eligible for outsourcing
  Identify needed subscriptions for security intelligence and signatures
• Process and employee readiness controls
  Develop processes
  Train employees
  Design an ongoing awareness program

Step Four: Maintain Controls
Governance of the program is accomplished through maintaining the controls and the framework itself.

• Ongoing maintenance of technical controls
  Operate: ongoing monitoring and management
  Optimize: tune and evolve security solutions as needed
• Periodic assessments of all controls
  For changes in control needs: threats, compliance, business
  For control effectiveness: policy, technical, process
• Evolve controls and the CCF as needed
  Prioritize gaps
  Update the CCF and controls
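The four steps above (map every source requirement onto a de-duplicated common control set, assess each control, rank the gaps by business risk, and keep the framework current) are the kind of bookkeeping that quickly outgrows a spreadsheet. The script below is an added example, not code from the deck or from Cisco; it shows one way to build a small Common Control Framework and produce a risk-ranked gap list. Every control ID, requirement label, assessment result and risk number in it is a constructed placeholder, not a real clause of ISO 27001, PCI DSS, HIPAA or SOX, and the likelihood × impact scoring with a tolerance threshold is one simple risk-matrix convention, not the only one.

```python
"""Toy Common Control Framework (CCF) builder and risk-ranked gap list.

Added example, not from the original deck or Cisco. All control IDs,
requirement labels, assessment results and risk numbers are constructed
placeholders, not real clauses of ISO 27001, PCI DSS, HIPAA or SOX.
"""
from collections import defaultdict

# Constructed sample: each source (standard, regulation or contract) lists
# its requirements and the common control(s) that satisfy them.
SOURCE_REQUIREMENTS = {
    "ISO27001": {
        "iso-access-control": ["CCF-AC-01"],
        "iso-event-logging": ["CCF-LOG-01"],
        "iso-change-mgmt": ["CCF-CM-01"],
    },
    "PCI": {
        "pci-unique-ids": ["CCF-AC-01"],
        "pci-audit-trails": ["CCF-LOG-01"],
        "pci-vuln-scans": ["CCF-VM-01"],
    },
    "HIPAA": {
        "hipaa-access-control": ["CCF-AC-01"],
        "hipaa-audit-controls": ["CCF-LOG-01"],
    },
    "SOX": {
        "sox-change-control": ["CCF-CM-01"],
        "sox-access-review": ["CCF-AC-01", "CCF-AC-02"],
    },
    "Contract-ACME": {  # hypothetical customer contract
        "acme-encrypt-at-rest": ["CCF-CR-01"],
    },
}

# Constructed assessment: "effective" (present and validated), "present"
# (deployed but not validated) or "absent". CCF-CR-01 is deliberately
# left out to show how an unassessed control is handled.
ASSESSMENT = {
    "CCF-AC-01": "effective",
    "CCF-LOG-01": "present",
    "CCF-CM-01": "absent",
    "CCF-VM-01": "present",
    "CCF-AC-02": "absent",
}

# Constructed (likelihood, impact) on a 1..5 scale for the threat each
# control addresses; score = likelihood * impact, a simple risk matrix.
RISK = {
    "CCF-AC-01": (3, 5),
    "CCF-LOG-01": (4, 4),
    "CCF-CM-01": (3, 4),
    "CCF-VM-01": (4, 3),
    "CCF-AC-02": (2, 3),
    "CCF-CR-01": (2, 5),
}


def build_ccf(source_requirements):
    """Map every source requirement onto common controls.

    Returns {ccf_id: {(source, requirement), ...}}: requirements landing on
    the same common control collapse into one control, while the pairs keep
    the traceability an auditor asks for. A requirement mapped to nothing
    is an error, because it would be an obligation silently dropped.
    """
    ccf = defaultdict(set)
    for source, requirements in source_requirements.items():
        for requirement, controls in requirements.items():
            if not controls:
                raise ValueError(f"{source}:{requirement} maps to no common control")
            for control in controls:
                ccf[control].add((source, requirement))
    return dict(ccf)


def sources_satisfied_by(ccf, control):
    """Sorted list of sources that one common control contributes to."""
    return sorted({source for source, _ in ccf.get(control, ())})


def prioritize_gaps(ccf, assessment, risk, tolerance):
    """Rank every non-effective control by business risk, highest first.

    A control missing from the assessment is "unassessed", i.e. a gap: an
    unvalidated control gives no assurance. A control with no risk rating
    gets the worst-case score so it cannot hide at the bottom. Scores at or
    above `tolerance` are flagged for immediate remediation, the rest are
    scheduled; ties break towards controls serving more sources, since one
    fix then closes several obligations. Returns (score, control, status,
    action, sources) tuples.
    """
    ranked = []
    for control in ccf:
        status = assessment.get(control, "unassessed")
        if status == "effective":
            continue
        likelihood, impact = risk.get(control, (5, 5))
        score = likelihood * impact
        action = "remediate now" if score >= tolerance else "schedule"
        ranked.append((score, control, status, action, sources_satisfied_by(ccf, control)))
    ranked.sort(key=lambda row: (-row[0], -len(row[4]), row[1]))
    return ranked


if __name__ == "__main__":
    ccf = build_ccf(SOURCE_REQUIREMENTS)
    n_reqs = sum(len(r) for r in SOURCE_REQUIREMENTS.values())
    print(f"{n_reqs} source requirements collapsed into {len(ccf)} common controls")
    for score, control, status, action, sources in prioritize_gaps(ccf, ASSESSMENT, RISK, 12):
        print(f"{score:>3}  {control:<10} {status:<11} {action:<14} {', '.join(sources)}")
```

Run as a script, it collapses the 11 constructed requirements into 6 common controls and prints the gap list with the logging control on top (it is only "present", not validated, and backs three obligations), followed by the two score-12 gaps, with the unassessed encryption control ranked above the low-risk access-review control. The two design choices worth copying are that an unassessed control is treated as a gap rather than ignored, and that a requirement with no mapped control is rejected at build time rather than quietly disappearing from the framework.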

How Can Cisco Help with IT GRC?
IT GRC Information Security Services (available from Cisco and Cisco certified partners), mapped to the Define, Assess, Remediate and Maintain phases:

• Security control assessment services:
  Security Policy Assessment
  Network Security Architecture Assessment
  Security Posture Assessment
  Security Process Assessment
• Security control development and deployment services
  Security intelligence content subscriptions
  Cisco Self-Defending Network solutions
• Security remote management services
• Security optimization service
• Security control assessment and remediation services
