Holistic Approach to Information Security
Greg Carter, Cisco Security Services Product Manager
Examining the Threat Landscape
Speaker notes: It seems like every time you open the paper you see a new headline involving a corporate scandal or security breach (insert some of the most recent breaches, e.g. Societe Generale, Hannaford, etc.). Business leaders are just hoping it is not their name that they find in the headlines tomorrow.
The Twin Information Security Challenges: How to Manage Both with Limited Resources?
Information security threats:
- Rapidly evolving threats
- Many distinct point solutions
- How to best protect IT confidentiality, integrity, and availability

Information security compliance obligations:
- Many separate but overlapping standards
- Regulatory: SOX, HIPAA, GLBA, state and local
- Industry: PCI, HITRUST
- Customer: SAS70, ISO 27001

Speaker notes: This boils down to two intertwined challenges associated with information security, threats and compliance. For example, the Unified Compliance Framework (UCF) catalogues over 10,000 controls covering over 400 compliance standards.
How Have These Information Security Challenges Evolved?
Era             | Enterprise focus         | Enterprise response                         | Scope
1990s           | What happened?           | Security products                           | IT Security
2000s           | Is there an audit trail? | Siloed compliance and security programs     | IT Security + IT Compliance
Today and future| How to manage risk?      | Integrated compliance and security programs | IT Security + IT Compliance + IT Risk
Organizations Continue to Struggle
Addressing information security threats and compliance:
- How to prioritize limited resources
- How to be most effective
- How to reduce the cost

Most organizations have addressed these challenges with siloed efforts, resulting in:
- High costs
- Fragmented teams
- Redundancies
- Unknown risks
Solution: Address Information Security Challenges Through One Program
IT Governance, Risk Management, and Compliance (IT GRC)

Risk Management: how to determine the likelihood and impact of business threats and use a systematic approach, based on the organization's risk tolerance, to prioritize resources to deal with those threats. In a nutshell, risk management lets us achieve the greatest risk reduction while focusing more of our IT resources on providing business value.

Governance: how we set policies to achieve our strategic objectives and address risk, and how we set up the organizational structures and processes to see that the policies are executed successfully. In a nutshell, governance is how we say what we will do, and do what we say.

Compliance: how we establish the controls needed to meet our governance objectives and how we validate the effectiveness of those controls. The risks we address with IT GRC include those posed by security threats, unique business concerns, and failure to meet external compliance obligations.

Common Control Framework: a unified set of controls that addresses all of an organization's internal and external compliance objectives simultaneously.
What Does It Mean to Address Information Security Through IT GRC?
Speaker notes: On the left-hand side we have the various authority documents (company vision and strategy, business drivers, external authority documents, regulations); these documents are inputs into the IT GRC program. Speak to the authority documents. Establishing an asset inventory is critical to establishing an IT GRC program.

IT GRC involves governance, risk, and compliance. Core capabilities delivered by a Cisco IT GRC program include:
- Controls and policy library
- Policy distribution and response
- IT controls self-assessment and measurement
- IT asset repository
- Automated general computer control collection
- Remediation and exception management reporting
- Advanced IT risk evaluation and compliance dashboards

A common framework provides a shared taxonomy across the authority documents. People, process, and technology are key inputs and outputs of IT GRC, which is tightly coupled to SONA and the Self-Defending Network (SDN). Continuous quality improvement allows for an Assess, Inspect, Measure, Repeat cycle of the CRMP capability maturity model.

The basic premise put forward by all process models in the world of compliance is that the quality of the compliance program is highly influenced by the quality of the process used to develop and maintain it. In other words, if my organization is going to comply with a given authority document's rule set, by what process will I introduce those rules to the organization and manage the implementation of becoming compliant with them?

Close with: IT GRC allows the customer to move away from tactical, reactive, manual security compliance. Compliance becomes continuous and automated, and is integrated into business processes; it is no longer an obligation separate from business operations (they work hand in hand), which should in theory help us sell security compliance, and it allows the adoption of SOA-based solutions secured with the Self-Defending Network.

Cisco IT GRC program advantages:
- Scales across multiple compliance obligations and control frameworks
- Designed to standardize the way controls are monitored and audits performed
- Leverages the commonalities of other regulations with a systematic approach
- Integrates the compliance strategy with the business strategy
- Provides a common language for business processes (global impact)
- Supports certification of the organization
- A focus on IT security (people, process, technology)
- Highly coupled with the Cisco Self-Defending Network
- History of best practices helps our customer to identify practices for success
- Allows the adoption of strategic and automated compliance

Notes to change slide (Greg):
- Show CCF controls applied to assets (can be a DB representation, meaning asset inventory) to create the ISMS
- Input risk assessment against assets and CCF to determine implementation in the ISMS
- Show that we maintain the ISMS through governance
- Show that the result is compliance and security

Diagram labels: Common Control Framework; Contractual Requirements; Industry Standards; International Standards and Control Models; Risk Assessment; Asset Inventory; Threats; Vulnerabilities; Business Value; Update; Operate; Monitor; Security; Compliance.
Value of the IT GRC Approach
IT GRC delivers dramatic business value. For companies with the most mature IT GRC programs (source: IT Policy Compliance Group, 2008):
- Revenue: 17% higher
- Profit: 14% higher
- Customer retention: 18% higher
- Loss from loss of customer data: 96% lower
- Audit costs: 50% lower
- Business disruptions from IT: 50x less likely

Why IT GRC:
- Maximize reduction in IT security risk with available resources: risk-based, business-focused decisions and resource prioritization; raise visibility of the comprehensive security posture; use internationally recognized best practices
- Reduce the cost of compliance: one set of controls to implement and manage, one program to govern, many compliance standards addressed

IT GRC is the right program for driving business value while addressing IT risk and compliance challenges. Information security is a key facet of IT risk and compliance and should be addressed through a larger IT GRC program:
- Improve information security risk reduction
- Better target available resources to maximize impact
- Minimize duplication of effort
- Improve compliance with multiple overlapping standards
Where Do I Start with IT GRC?
The program runs as a cycle: Define, Assess, Remediate, Maintain.

Define the Common Control Framework:
- Identify compliance obligations
- Asset inventory
- Evaluate threats and vulnerabilities
- Understand business requirements
- Risk assessment

Assess control implementation for presence and effectiveness:
- Policy controls
- Process controls
- Technical controls
- Identify and prioritize gaps

Remediate control gaps:
- Define and publish policies
- Develop processes
- Deploy security technology solutions
- Train employees

Maintain controls and framework:
- Operate and monitor technical controls
- Maintain subscriptions
- Periodic assessments
- Evolve solutions as needed
Step One: Define Common Control Framework
- Inventory IT assets
- Identify threats, vulnerabilities, and associated controls from each source:
  - Best practices: ISO 27002
  - Compliance: PCI, SOX, HIPAA, GLBA, etc.
  - Business, legal, contractual requirements
- Assess risk
- Consolidate into a Common Control Framework (CCF): map common controls from each source and eliminate duplication of overlapping controls
Control Objectives Covered by ISO 27002
- Security policy
- Asset management
- Information classification
- Data loss prevention
- Identity management
- Access control
- Physical security
- HR security
- Network security management
- Vulnerability management
- Security event and incident management
- Security for software development, deployment and maintenance
- Business continuity management
- Compliance
Mapping Multiple Control Sources into a Common Control Framework (CCF)
Best-practice frameworks:
- COBiT: controls for IT governance
- ISO 27002: a subset of IT controls, focused on security, mapped to COBiT controls
- ITIL: focused on process, mapped to ISO 27002
Compliance standards: HIPAA, SOX, PCI, and others (this is just a sample). Many of their controls overlap with each other and with the best-practice frameworks; in the CCF the overlapping controls are de-duplicated.

Business, legal, contractual: controls required by specific business needs.

Result, a customized CCF that combines:
- Security best practices (COBiT, ISO 27002, ITIL)
- Applicable compliance standards (HIPAA, SOX, PCI)
- Business requirements
Step Two: Assess Control Implementation
Three types of controls must be assessed for presence and effectiveness. Presence means the control exists; effectiveness means it operates as intended (a documented patching process that nobody follows is present but not effective).
- Policy controls: high-level to detailed security policies
- Technical controls: assessed against security architecture best practices and validated with active testing
- Process and employee readiness controls: are the processes well designed? Are the processes followed?
Step Three: Remediate Control Gaps
Control gaps should be prioritized for remediation based on business risk.
- Policy controls: development of new, or enhancement of existing, security policies
- Technical controls: deploy new security technology solutions; identify controls eligible for outsourcing; identify needed subscriptions for security intelligence and signatures
- Process and employee readiness controls: develop processes; train employees; design an ongoing awareness program
Step Four: Maintain Controls
Governance of the program is accomplished through maintaining the controls and the framework itself.
- Ongoing maintenance of technical controls: operate (ongoing monitoring and management) and optimize (tune and evolve security solutions as needed)
- Periodic assessments of all controls: for changes in control needs (threats, compliance, business) and for control effectiveness (policy, technical, process)
- Evolve controls and the CCF as needed: prioritize gaps, update the CCF and controls
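As an added worked example (not from the presentation or from any Cisco tool), the Python below models the four steps as data: it consolidates requirements from several sources into one de-duplicated control set (Define), records presence and effectiveness per control (Assess), ranks the gaps by likelihood times impact (Remediate), and reports which source requirements are currently unmet so periodic re-assessment can track drift (Maintain). The framework names are real, but the requirement identifiers, the mapping of each requirement to an objective, the risk scores and the assessment results are all constructed for illustration and are not real clause numbers.

```python
"""Toy Common Control Framework (CCF) workflow: Define, Assess, Remediate,
Maintain.  Framework names are real; requirement IDs, objective keys, risk
scores and assessment results are constructed for illustration only."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: (source, source-specific requirement id, objective key).
# The objective key records the analyst's mapping decision: requirements
# sharing a key are satisfied by a single common control.
SOURCE_REQUIREMENTS = [
    ("ISO 27002", "ISO-A.1", "access-control"),
    ("PCI DSS",   "PCI-R1",  "access-control"),
    ("HIPAA",     "HIP-S1",  "access-control"),
    ("ISO 27002", "ISO-A.2", "logging-monitoring"),
    ("PCI DSS",   "PCI-R2",  "logging-monitoring"),
    ("SOX",       "SOX-C1",  "logging-monitoring"),
    ("ISO 27002", "ISO-A.3", "vulnerability-mgmt"),
    ("PCI DSS",   "PCI-R3",  "vulnerability-mgmt"),
    ("PCI DSS",   "PCI-R4",  "cardholder-data-encryption"),
    ("Contract",  "CUST-1",  "backup-and-recovery"),
]

# Constructed risk assessment per objective: (likelihood, impact), each 1..5.
RISK_ASSESSMENT = {
    "access-control": (4, 5),
    "logging-monitoring": (3, 4),
    "vulnerability-mgmt": (4, 4),
    "cardholder-data-encryption": (3, 5),
    "backup-and-recovery": (2, 3),
}

# Constructed assessment results: objective -> (present, effective).
ASSESSMENT = {
    "access-control": (True, True),
    "logging-monitoring": (True, False),   # documented, but not operating as intended
    "vulnerability-mgmt": (False, False),
    "cardholder-data-encryption": (True, True),
    "backup-and-recovery": (False, False),
}


@dataclass
class CommonControl:
    objective: str
    likelihood: int
    impact: int
    # source -> list of that source's requirement ids this control satisfies
    satisfies: dict = field(default_factory=lambda: defaultdict(list))

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def build_ccf(requirements, risk):
    """Step one: group requirements by objective so overlapping controls
    from different sources collapse into one common control each."""
    ccf = {}
    for source, req_id, objective in requirements:
        if objective not in ccf:
            likelihood, impact = risk.get(objective, (1, 1))
            ccf[objective] = CommonControl(objective, likelihood, impact)
        ccf[objective].satisfies[source].append(req_id)
    return ccf


def prioritized_gaps(ccf, assessment):
    """Steps two and three: a control is a gap unless it is both present
    and effective; gaps are ranked by business risk, highest first."""
    gaps = []
    for objective, control in ccf.items():
        present, effective = assessment.get(objective, (False, False))
        if not (present and effective):
            status = "ineffective" if present else "missing"
            gaps.append((control.risk, objective, status))
    return sorted(gaps, key=lambda g: (-g[0], g[1]))


def unmet_by_source(ccf, assessment):
    """Step four view: which of each source's requirements are unmet right
    now, so a periodic re-assessment shows compliance drift per standard."""
    unmet = defaultdict(list)
    for objective, control in ccf.items():
        present, effective = assessment.get(objective, (False, False))
        if present and effective:
            continue
        for source, ids in control.satisfies.items():
            unmet[source].extend(ids)
    return dict(unmet)


if __name__ == "__main__":
    ccf = build_ccf(SOURCE_REQUIREMENTS, RISK_ASSESSMENT)
    print(f"{len(SOURCE_REQUIREMENTS)} source requirements -> {len(ccf)} common controls")
    for risk, objective, status in prioritized_gaps(ccf, ASSESSMENT):
        print(f"risk={risk:2d} {status:11s} {objective}")
    for source, ids in unmet_by_source(ccf, ASSESSMENT).items():
        print(f"{source}: unmet {ids}")
```

With this input, ten source requirements collapse into five common controls, and one ineffective logging control shows up as unmet requirements in ISO 27002, PCI DSS and SOX at once, which is the de-duplication payoff the slides describe: fixing one control closes gaps against several standards.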
How Can Cisco Help with IT GRC?
IT GRC information security services, arranged along the Define, Assess, Remediate, Maintain cycle*:
- Assess: security control assessment services (Security Policy Assessment, Network Security Architecture Assessment, Security Posture Assessment, Security Process Assessment)
- Remediate: security control development and deployment services, including policy development, process development, and technical control planning, design and implementation; Cisco Self-Defending Network solutions
- Maintain: security intelligence content subscriptions, security remote management services, security optimization service

*Services available from Cisco and Cisco certified partners.