Download this presentation - Information Security: Covering ...


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Download this presentation - Information Security: Covering ...

  1. 1. Separating Fact from Fiction: Security Technologies for Regulatory Compliance Diana Kelley, Senior Analyst Burton Group
  2. 2. Agenda <ul><li>Regulatory compliance – One size does not fit all </li></ul><ul><ul><li>And compliance is not a product </li></ul></ul><ul><ul><li>Why “SOX-in-a-box” is a myth </li></ul></ul><ul><li>Compliance frameworks </li></ul><ul><ul><li>A systematic, comprehensive approach </li></ul></ul><ul><ul><li>Policy first </li></ul></ul><ul><li>Tools that can help </li></ul><ul><ul><li>Building a toolbox </li></ul></ul><ul><ul><li>Management and Compliance “dashboards” </li></ul></ul>
  3. 3. Compliance: The Biggest Time Waster of 2005? <ul><li>August 2005 Share Conference on-line registrant poll </li></ul><ul><li>Looking back from the year 2015 at wasteful or ineffective efforts in 2005 </li></ul><ul><ul><li>28% - Sarbanes-Oxley compliance </li></ul></ul><ul><ul><li>23% - Deployment of unproven technologies </li></ul></ul><ul><ul><li>19% - Purchase of unneeded technologies </li></ul></ul><ul><ul><li>Source: ComputerWorld, August 23, 2005,,10801,104118,00.html </li></ul></ul>
  4. 4. Regulatory Compliance – One Size Does not Fit All <ul><li>Compliance is a not a product </li></ul><ul><ul><li>Combination of people, process, and technology </li></ul></ul><ul><li>Why “SOX-in-a-box” is a myth </li></ul><ul><ul><li>Or a misnomer </li></ul></ul><ul><ul><li>Enterprise IT systems are extremely complex </li></ul></ul><ul><ul><li>Regulations are not prescriptive </li></ul></ul><ul><ul><li>Regulations may have competing requirements </li></ul></ul><ul><ul><ul><li>Ex: Log file retention times </li></ul></ul></ul><ul><ul><ul><li>Ex: PII storage </li></ul></ul></ul>
  5. 5. Sarbanes-Oxley <ul><li>Section 404, a, 2 of the regulation: &quot;[an internal control report, which shall] contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.&quot; </li></ul>
  6. 6. Control Weaknesses Reporting During SOX Compliance Work <ul><li>Lack of adequate system documentation </li></ul><ul><li>Lack of audit training and experience </li></ul><ul><li>Lack of management oversight </li></ul><ul><li>Too many privileges (IT personnel often had too many privileges, and there was insufficient separation of duties), such as multiple IDs, generic IDs </li></ul><ul><li>Inadequate handling of privilege changes related to promotions and job re-assignment </li></ul><ul><li>Documentation for small, routine maintenance tasks was often non-existent or inadequate </li></ul>
  7. 7. PCI Data Security Standard <ul><li>Build and maintain a secure network </li></ul><ul><li>Protect cardholder data </li></ul><ul><li>Maintain a vulnerability management program </li></ul><ul><li>Implement strong access control measures </li></ul><ul><li>Regularly monitor and test networks </li></ul>
  8. 8. Compliance Frameworks <ul><li>Created by an organization to simplify the compliance process </li></ul><ul><li>A set of policies, procedures, and technologies that normalizes the organization’s approach to compliance </li></ul><ul><li>Benefits of compliance frameworks </li></ul><ul><ul><li>Consistent policy based approach to compliance </li></ul></ul><ul><ul><li>Separation of concerns </li></ul></ul><ul><ul><li>Reduced reporting time </li></ul></ul><ul><ul><li>Easier maintenance </li></ul></ul><ul><ul><li>Centralized control </li></ul></ul>
  9. 9. Legal matters <ul><li>What is the company required to supply, by law? </li></ul><ul><ul><li>Audit compliance </li></ul></ul><ul><ul><ul><li>ISO, SAS70 </li></ul></ul></ul><ul><ul><ul><li>HIPAA, SOX, GLBA, EUDD </li></ul></ul></ul><ul><ul><li>Who is accountable for lack of compliance? </li></ul></ul><ul><ul><li>Will fees be levied or ops shut down? </li></ul></ul><ul><li>Why it matters </li></ul><ul><ul><li>Business continuity </li></ul></ul><ul><ul><li>Audit success </li></ul></ul><ul><ul><li>Policy enforcement </li></ul></ul><ul><ul><li>Reporting requirements </li></ul></ul>
  10. 10. A Systematic Comprehensive Approach <ul><li>First things first - What constitutes compliance? </li></ul><ul><ul><li>Work with internal and external audit teams </li></ul></ul><ul><ul><li>Use “a suitable, recognized control framework established by a body of experts that followed due-process procedures.” </li></ul></ul><ul><ul><li> </li></ul></ul><ul><ul><li>Understand there is a legacy – exceptions will have to be documented </li></ul></ul><ul><ul><li>Establish control frameworks </li></ul></ul><ul><ul><li>Translate policies to technical policies </li></ul></ul><ul><ul><ul><li>The bits and bytes of compliance </li></ul></ul></ul><ul><ul><ul><li>EX: Hierarchical administrator or superuser accounts </li></ul></ul></ul><ul><li>Identify what can be automated, and what can’t </li></ul>
  11. 11. Control Framework Example <ul><li>Managers explicitly attest to information currency, accuracy, and validity </li></ul><ul><li>Employees are trained in proper information handling </li></ul><ul><li>Customers are mailed confirmation “opt-in” letters </li></ul><ul><li>Logs are periodically reviewed </li></ul><ul><li>Management creates separate job titles and responsibilities </li></ul>Organization Control Activities <ul><li>Application code formally tested before move to production </li></ul>Financial information integrity is maintained <ul><li>Network isolation </li></ul><ul><li>Outbound content control </li></ul>Health information is protected from unauthorized access <ul><li>Secure log server </li></ul><ul><li>Tamperproof audit record </li></ul>Changes to customer information are approved and accurate <ul><li>Role-based access control </li></ul><ul><li>Management approval of access requests </li></ul>Duties are separated between debit/credit accounting functions IT Control Activities Control Objectives
  12. 12. Thinking through Compliance Requirements <ul><li>What standards does the company need to adhere to? What devices/apps need to be covered? </li></ul><ul><ul><li>Standard devices </li></ul></ul><ul><ul><li>Legacy systems </li></ul></ul><ul><ul><li>Home-grown applications </li></ul></ul><ul><ul><li>Internal -- Policies </li></ul></ul><ul><ul><ul><li>ISO compliance </li></ul></ul></ul><ul><ul><li>External -- </li></ul></ul><ul><ul><ul><li>SOX, HIPAA, GLBA </li></ul></ul></ul><ul><ul><ul><li>Partners </li></ul></ul></ul>
  13. 13. The Devil’s in the Details <ul><li>Some Gotchas </li></ul><ul><ul><li>Heterogeneous environments increase complexity </li></ul></ul><ul><ul><li>The weakest link device/application </li></ul></ul><ul><ul><li>Adherence to corporate standards, but failure in audit </li></ul></ul><ul><ul><li>Application development </li></ul></ul><ul><ul><li>Requirements for new devices – can new devices be added quickly within the compliance framework? </li></ul></ul>
  14. 14. COSO <ul><li>Committee of Sponsoring Organizations of the Treadway Commission (COSO) is widely accepted around the world as an acceptable baseline framework for compliance </li></ul><ul><ul><li>Prescribes risk management to achieve internal control objectives including efficiency and effectiveness of operations, financial reporting, and legal/regulatory compliance </li></ul></ul><ul><li>COSO mandates that management: </li></ul><ul><ul><li>Set control objectives for the enterprise </li></ul></ul><ul><ul><li>Identify events that can cause substantial negative consequences to the enterprise and therefore affect shareholder value </li></ul></ul><ul><ul><li>Assess risks associated with those events </li></ul></ul>
  15. 15. <ul><li>The COSO cube </li></ul><ul><ul><li>Objectives </li></ul></ul><ul><ul><ul><li>Strategy </li></ul></ul></ul><ul><ul><ul><li>Operations </li></ul></ul></ul><ul><ul><ul><li>Reporting </li></ul></ul></ul><ul><ul><ul><li>Compliance </li></ul></ul></ul><ul><ul><li>Entity’s Units </li></ul></ul><ul><ul><ul><li>Entity </li></ul></ul></ul><ul><ul><ul><li>Division </li></ul></ul></ul><ul><ul><ul><li>Business unit </li></ul></ul></ul><ul><ul><ul><li>Subsidiary </li></ul></ul></ul><ul><ul><li>Components </li></ul></ul><ul><ul><ul><li>Internal environment </li></ul></ul></ul><ul><ul><ul><li>Objective setting </li></ul></ul></ul><ul><ul><ul><li>Event identification </li></ul></ul></ul><ul><ul><ul><li>Risk assessment </li></ul></ul></ul><ul><ul><ul><li>Risk response </li></ul></ul></ul><ul><ul><ul><li>Control activities </li></ul></ul></ul><ul><ul><ul><li>Information and communication </li></ul></ul></ul><ul><ul><ul><li>Monitoring </li></ul></ul></ul>
  16. 16. CoBiT – IT Governance Institute <ul><li>A set of documents and resources that represent a framework of guiding objectives and processes for IT governance and audit control </li></ul><ul><li>An increasingly important guideline for properly implementing security controls within an organization </li></ul><ul><li>Many internal auditors choose CoBiT as an important foundation for audit activity within IT organizations </li></ul><ul><li>CoBiT contains 34 control areas over four high-level domains. </li></ul>
  17. 17. <ul><li>A conceptual diagram of a mapping from five COSO components to the high-level four CoBiT domains to SOX section 302 and section 404 compliance. </li></ul>COSO Components and CoBiT Domains/Objectives (Source: ISACA’s “IT Control Objectives for Sarbanes-Oxley”)
  18. 18. ISO17799 <ul><li>A detailed, internationally accepted security standard </li></ul><ul><li>Covers 10 major sections </li></ul><ul><ul><li>Business continuity planning </li></ul></ul><ul><ul><li>System access control </li></ul></ul><ul><ul><li>System development and maintenance </li></ul></ul><ul><ul><li>Physical and environmental security </li></ul></ul><ul><ul><li>Compliance </li></ul></ul><ul><ul><li>Personnel security </li></ul></ul><ul><ul><li>Security organization </li></ul></ul><ul><ul><li>Computer and operations management </li></ul></ul><ul><ul><li>Asset classification </li></ul></ul><ul><ul><li>Security policy </li></ul></ul><ul><li>Used by many companies around the world as their IT baseline </li></ul>
  19. 19. A Note on Framework Adoption <ul><li>Don’t adopt any framework’s controls blindly </li></ul><ul><ul><li>Must show evidence that ALL the controls your company specified are working </li></ul></ul><ul><ul><ul><li>COBIT has 34 control domains; each requires as many as 10 control activities </li></ul></ul></ul><ul><ul><li>However, be prepared to justify differences to auditors </li></ul></ul>
  20. 20. Building a Toolbox - Realistically <ul><li>Tools are not like stretch socks that can expand to fit the needs of a vast regulatory mandate </li></ul><ul><li>Enabling tools for increased efficiency and automation </li></ul><ul><ul><li>Reporting </li></ul></ul><ul><ul><li>Change management </li></ul></ul><ul><ul><li>Technical policy management </li></ul></ul><ul><ul><li>Documentation management </li></ul></ul><ul><ul><li>Compliance checks </li></ul></ul>
  21. 21. Not a simple problem… <ul><li>There are many “moving parts” in the compliance toolbox </li></ul><ul><ul><li>Compliance is a large project </li></ul></ul><ul><ul><li>Compliance may touch all systems in the enterprise </li></ul></ul><ul><li>Devices and applications have disparate logs and reporting </li></ul><ul><ul><li>There is no audit log standard </li></ul></ul><ul><ul><li>Proprietary applications may not have adequate logging or access to logs </li></ul></ul><ul><li>If the data collected from the devices is to be trusted, security of the information on the device and in transit is a critical consideration </li></ul><ul><ul><li>Agentless solutions are, usually easier to deploy </li></ul></ul><ul><ul><li>But may result in less audit control over the data prior to hand off </li></ul></ul>
  22. 22. Many of the ingredients may already be in your cupboard! <ul><li>Many existing tools can be used in the compliance program </li></ul><ul><ul><li>Auditing </li></ul></ul><ul><ul><li>Documentation </li></ul></ul><ul><ul><li>Network Management </li></ul></ul><ul><li>Vendors are changing product features and positioning in response to the need for a compliance-oriented perspective </li></ul><ul><ul><li>Providing additional hooks for process integration </li></ul></ul><ul><ul><li>Compliance oriented reporting </li></ul></ul>
  23. 23. Financial Applications – Oracle and SAP <ul><li>Many products contain (and are developing more) features that, if used correctly, help organizations with compliance </li></ul><ul><ul><li>Project organization for documentation, testing, and sign-off for internal controls </li></ul></ul><ul><ul><li>Test procedures based on the risk management framework defined by COSO </li></ul></ul><ul><ul><li>Workflow procedures that accelerate testing and sign-off </li></ul></ul><ul><ul><li>Object-level analysis of segregation of duties (SOD) </li></ul></ul><ul><ul><li>Authorization administration </li></ul></ul><ul><ul><li>Real-time drill-down analysis and reporting </li></ul></ul>
  24. 24. Document, Document, Document <ul><li>Many of the regulations have heavy documentation requirements </li></ul><ul><ul><li>Flow charts of internal controls </li></ul></ul><ul><ul><li>Written policies and procedures associated with those controls </li></ul></ul><ul><ul><li>Ability to access appropriate policies in a hierarchical view </li></ul></ul><ul><li>A documentation system that can capture and present critical policies and procedures is required </li></ul><ul><ul><li>Some vendors have released documentation tools specifically designed to aid in the compliance process </li></ul></ul><ul><ul><ul><li>Ex: Lotus Workplace for Business Controls and Reporting, OpenPages SOX Express. </li></ul></ul></ul>
  25. 25. Network Monitoring <ul><li>Monitoring performance, continuity of service, and service levels are CoBiT control objectives and very often compliance requirements </li></ul><ul><li>Many organizations have network monitoring solutions in place from leading vendors such as IBM Tivoli, HP OpenView, and Computer Associates Unicenter </li></ul><ul><li>These solutions manage components that are already on a network; there is no need to replace these systems </li></ul><ul><li>However, many can be configured to provide evidence of control in support of compliance reporting </li></ul>
  26. 26. Change Management/Project Management <ul><li>Change management tools deploy policy and configuration changes to a managed set of target devices and track the changes made </li></ul><ul><ul><li>Many companies already have some change management systems in place </li></ul></ul><ul><li>The compliance process is a large project – and needs to be managed as such </li></ul><ul><li>Project management tools and workflow can help: </li></ul><ul><ul><li>Manage the assignment of tasks to individuals </li></ul></ul><ul><ul><li>Track the level of completeness </li></ul></ul><ul><ul><li>Provide reports to show overall progress and current status </li></ul></ul>
  27. 27. Identity Management <ul><li>Not called out specifically in many regulations, and not one of the CoBiT controls </li></ul><ul><ul><li>However - unique user IDs and authenticators are recommended by CoBiT and required for many regulations such as HIPAA </li></ul></ul><ul><ul><li>Without unique user IDs, tracking and controlling access and usage on systems housing healthcare, financial, and other sensitive data would be impossible </li></ul></ul><ul><li>IdM as in important part of the compliance process for most organizations </li></ul>
  28. 28. Log Aggregation and Storage <ul><li>Centralized storage of log and audit file activity </li></ul><ul><li>Managing this storage process is critical </li></ul><ul><ul><li>How will the information be parsed when answers are needed? </li></ul></ul><ul><li>Can the Storage Area Network (SAN) handle the data? </li></ul><ul><ul><li>Many organizations have SANs from established vendors such as Symantec/Veritas and IBM/Tivoli </li></ul></ul><ul><ul><li>Will the additional audit log data storage requirements overtax the SAN? </li></ul></ul>
  29. 29. Perimeter Controls and Isolation <ul><li>Firewalls can be used to cordon off critical systems into highly protected zones </li></ul><ul><li>Virtual local area networks (VLANs) can be created to segregate systems involved in processing healthcare information or reporting financials </li></ul><ul><li>intrusion detection and prevention solutions can be implemented to provide additional monitoring of access to systems and prevent attacks </li></ul>
  30. 30. Forensics <ul><li>Network forensic tools capture all of the traffic on a network or network segment and record it for later use </li></ul><ul><ul><li>Help administrators and auditors track users and system access </li></ul></ul><ul><ul><li>Used after an incident has occurred to piece together where systems failed and how to make them more robust in the future </li></ul></ul><ul><li>Endpoint forensic tools can be used to examine the contents of a hard drive, and, in some cases, recover deleted information that may contain valuable evidence </li></ul><ul><li>Note: historical forensics and legal forensics are not the same </li></ul>
  31. 31. Security Event Information Management <ul><li>SEIM tools are designed to monitor and manage security within an organization </li></ul><ul><ul><li>Aggregate </li></ul></ul><ul><ul><li>Normalize </li></ul></ul><ul><ul><li>Correlate </li></ul></ul><ul><li>Intelligent correlation is the key to avoid the “drowning in data” syndrome </li></ul><ul><ul><li>Compliance specific correlation rules may be time intensive to create </li></ul></ul><ul><ul><li>Know thy systems and requirements in advance </li></ul></ul>
  32. 32. Compliance Dashboards? *Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Personal Information Protection and Electronic Documents Act (PIPEDA)
  33. 33. Compliance Dashboards <ul><li>An emerging space </li></ul><ul><ul><li>Portal-based view into metrics, configuration settings and other indicators of activity </li></ul></ul><ul><ul><li>But most regulations are not prescriptive enough to translate to a “one size fits all” portal view </li></ul></ul><ul><ul><ul><li>And vendors may focus on different areas of compliance (SOX, HIPAA, Basel II) </li></ul></ul></ul><ul><ul><li>Dashboards can be customized to report on areas of compliance based on company defined indicators </li></ul></ul><ul><ul><ul><li>But the company must determine the controls and indicators to be monitored </li></ul></ul></ul><ul><ul><ul><li>Even with customization the dashboard will (most likely!) not be able to supply transparency and reporting on every component of compliance </li></ul></ul></ul>
  34. 34. The Tool Taxonomy Partial views of compliance areas or custom built Compliance dashboards Layered defense SIM/SEM, forensics Isolation, layered defense Firewalls, perimeter devices Audit, change management, control, etc. Management and monitoring Separation of duty, access control, audit Identity management Compliance project, evidence of control activities Documentation (everywhere) Compliance project, sign-offs Project management, workflow Native security capabilities Financial applications Compliance Function Tool Type
  35. 35. A Quick Checklist <ul><li>Read the regulations and determine target compliance policies and requirements </li></ul><ul><li>Perform a security gap analysis </li></ul><ul><li>Identify gaps between existing practices and the targets </li></ul><ul><li>Determine the steps needed to close the gaps – and document any exceptions </li></ul><ul><li>Create an action plan for on-going compliance and assessment </li></ul><ul><li>Implement, monitor and maintain </li></ul><ul><li>Call in outside experts as needed </li></ul>
  36. 36. Conclusion <ul><li>Compliance may not be a product – but products can help ease the burden </li></ul><ul><li>Create a compliance framework for the enterprise </li></ul><ul><li>New regulations are inevitable – frameworks help keep organizations compliance hardy </li></ul>