Compliance: A Career View
M.S. Sripati
Background image : www.freedigitalphotos.net
Agenda
● Who Am I
● What is Compliance
● Why Compliance
● Different Roles
● Role Requirements
● How to Get In
Who Am I
● ISMS Implementer (HIPAA, ISO 27001)
● Web Application Security Student
● CISA
● 7 Years in Industry
● Different Roles
  ● Developer (PHP, Ruby)
  ● AISO
  ● ISMS Implementer
● http://www.sripati.info
What is Compliance
● The activity (and other associated activities) of following a rule
  ● Legal (HIPAA, IT Act of India, DPA of EU)
  ● Regulatory (PCI-DSS)
  ● Standards (ISO 27001)
● Perceptions
  ● A boring word
  ● Should not be in security
http://www.infosecinstitute.com/jobs/security-auditor.html
http://www.itjobswatch.co.uk/jobs/uk/it%20security%20auditor.do
● Security fares well if you know the BIG picture
Why Compliance
● Business Requirements
● Overall security cannot be achieved by tools alone
● Company expectations on wearing many hats
Why Compliance
● Business Requirements
  ● Security - a client requirement in the project
  ● Business understands that a structured approach is required to tackle security
  ● Need to assure the client
    – ISO 27001
    – Internal Information Security Program (awareness / appsec / netsec)
    – Regular internal / external audits / reviews
Why Compliance
● Overall security cannot be achieved by tools alone
  ● Physical Security
    – Vendor related threats
    – Unauthorized entry
  ● Application Security
    – Coding mistakes (copy / paste and then legal fine)
  ● Network Security
    – Unpatched network
    – No testing before patching
  ● Internal Threats
    – People stealing data
    – Passing confidential information
  ● Human Factor
    – Password sharing / re-use / writing on paper
    – Unmanned & unlocked desktops / laptops
    – Installing pirated software
    – Downloading pirated movies / ebooks
Why Compliance
● Company Expectations
  ● Business connect with Infosec
  ● Maintain communication among all stakeholders (Admin, IT, Other Departments, Project Teams, HR - trainings)
  ● Get things done (ensure security across all functions)
  ● Ensure that we stay compliant / no breach (incidents, disaster, be ready for anything etc.)
  ● Ensure that we clear any security audits
Some Roles in the Compliance Domain
● Implementors
  ● Ensure that security is implemented across all functions
  ● Troubleshoot any process gaps
  ● Ensure that security processes are performing as they should
● Auditors
  ● Ensure that security process holes are identified
Role Requirements
● Implementors
  ● Understanding of the overall security system
  ● Understanding of how to get buy-ins from authorities
  ● How technical pieces fit together
  ● How to identify issues
  ● What to tackle first (prioritize)
  ● Certifications
    – ISACA: CISA, CISM, CRISC
    – ISC2: CISSP, CSSLP
● Auditors
  ● Process understanding
  ● How to identify weaknesses
  ● Certifications
    – ISO: ISO 27001 LI, ISO 27001 LA
How to Get In
● Implementors
  ● Ask in your current organization for any compliance related work
    – Learn
    – Evolve (ensure business connect with IS)
● Auditors
  ● Read ISO 27001 / 27002
    – Google ISO 27001 blogs / Google group
  ● Study audit reports vis-a-vis the standard (ask your superiors for a copy, if it is being done)
  ● Look at your organization from the 27001 point of view, note findings
  ● Show the findings to your superiors, ask for feedback
  ● Clear CISA and start applying (if your company does not do it)
● Your technical knowledge + Compliance = Deadly Impact!