Your SlideShare is downloading. ×
2010 06 gartner   avoiding audit fatigue in nine steps 1d
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

2010 06 gartner avoiding audit fatigue in nine steps 1d

1,234
views

Published on

Avoiding Audit Fatigue: Achieving Compliance In A Multi-compliance World In Nine Steps …

Avoiding Audit Fatigue: Achieving Compliance In A Multi-compliance World In Nine Steps
Gartner Security/Risk Management Conference
July 2010

It's common for information security managers to be held responsible for failed audits where they had little control or influence in the rest of the organization. This presentation provides nine steps that information security managers can use to break the compliance blame cycle and build an information security program that more effectively mitigates security risk. By successfully executing these steps, the information security manager will no longer continually react to and
manage the audit preparation crisis du jour. Instead, the information security manager will institute and rely upon regular, defined activities to complete the heavy lifting of preparing for a successful audit long before the audit occurs.

This session also describes how IT security managers can achieve alignment among all stakeholders so that information security and compliance activities become integrated into daily business operations.

Completing the nine steps in this presentation requires business stakeholders, IT management, and information security management to all mutually support the same goal. This session describes how to gain this alignment and defines the various compliance roles so that information
security and compliance activities become integrated into daily

Published in: Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,234
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
35
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • There are many ways to react to this: like, fear, horror, trying to become invisible… All understandable, given the circumstances…
  • Transcript

    • 1. Avoiding Audit Fatigue: Achieving Compliance In A Multi-Compliance World In Nine Steps
      Gene Kim, CISA, TOCICO JonahCTO and Founder(Twitter: @RealGeneKim) Gartner 2010
    • 2. Where Did The High Performers Come From?
    • 3. Agenda
      The problems of compliance du jour and the audit blame cycle
      How did the high performing IT organizations make their “good to great” transformations?
      Nine practical steps overcome audit fatigue
      What does integration of security controls into daily operation feel like?
      Additional resources
      Authors
      Gene Kim, Founder/CTO, Tripwire, Inc.
      Jennifer Bayuk, Cybersecurity Program Director, Stevens Institute of Technology
    • 4. “Boss, We Are Ready For The Upcoming Audits…”
    • 5. “OMG. OMG. The Auditors Are Coming When?!?”
    • 6. “IT Operations Not Quite As Ready As They Thought…”
    • 7. “Infosec Must Do Heroics, Generating Reports And Presentations From Scratch…”
    • 8. “Despite Heroics, The Business Still Fails The Audit…”
    • 9. “InfosecAs Professional Apologist…’”
    • 10. Problems: Accountability
      Infosec often discovers too late that business and IT management were not as prepared for the audits as was represented
      Business, IT and infosec must perform heroics to generate proof of compliance, often requiring new documents and presentations from scratch in response to auditor questions
      Business may fail an audit test, requiring remediation work, audit retests, fines, loss of auditor confidence in the infosecprogram, as well as loss of personal trust in the infosec manager
      A security breach may occur, and the business must now explain how it occurred despite passing the audit
    • 11. Problem: Organizational
      Information security is often organized and designed to minimally interfere with business and IT operations, but creates barriers to meeting compliance goals
      Information security is held accountable, but control effectiveness relies upon other business and IT management to be adequately prepared
    • 12. Problems: The Real Business Cost
      Scheduled value-adding work and projects are delayed because of all the urgent and unplanned audit prep work
      Business continues to implement controls as a part of a one-time audit preparation project to achieve compliance, with little thought on how to maintain compliance over time
      Next time requires just as much effort, instead of integrating controls into daily business and IT operational processes
      The business starts treating audit prep as a legitimate value-adding project, even charging time against it
      Multiple regulatory and contractual requirements result in IT controls being tested numerous times by numerous parties, requiring management to perform work multiple times
    • 13. Information Security and Compliance Risks
      Information security practitioners are always one change away from a security breach
      Front page news
      Regulatory fines
      Brand damage
      High profile security failures are increasing external pressures for security and compliance
      Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)
    • 14. Going from Good to Great
    • 15. Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization
      10,000
      1000
      Best in Class Ops and Security
      100
      10
      1
      0
      20
      40
      60
      80
      100
      120
      140
      Operations Metrics Benchmarks:Best in Class: Server/sysadmin ratios
      • Highest ratio of staff for pre-production processes
      • 16. Lowest amount of unplanned work
      • 17. Highest change success rate
      • 18. Best posture of compliance
      • 19. Lowest cost of compliance
      Size of Operation
      # Servers
      Efficiency of Operation
      Server/sysadmin ratio
      Source: IT Process Institute (2001)
    • 20. Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
      • High performers maintain a posture of compliance
      • 21. Fewest number of repeat audit findings
      • 22. One-third amount of audit preparation effort
      • 23. High performers find and fix security breaches faster
      • 24. 5 times more likely to detect breaches by automated control
      • 25. 5 times less likely to have breaches result in a loss event
      • 26. When high performers implement changes…
      • 27. 14 times morechanges
      • 28. One-half the change failure rate
      • 29. One-quarter the first fix failure rate
      • 30. 10x fasterMTTR for Sev 1 outages
      • 31. When high performers manage IT resources…
      • 32. One-third the amount of unplanned work
      • 33. 8 times moreprojects and IT services
      • 34. 6 times moreapplications
      Source: IT Process Institute, May 2008
    • 35. Visible Ops: Playbook of High Performers
      The IT Process Institute has been studying high-performing organizations since 1999
      What is common to all the high performers?
      What is different between them and average and low performers?
      How did they become great?
      Answers have been codified in the Visible Ops Methodology
    • 36. Over Ten Years, We Benchmarked 1500+ IT Orgs
      Source: EMA (2009)
      Source: IT Process Institute (2008)
    • 37. 2007: Three Controls Predict 60% Of Performance
      To what extent does an organization define, monitor and enforce the following?
      Standardized configuration strategy
      Process discipline
      Controlled access to production systems
      Source: IT Process Institute, May 2008
    • 38. Nine Practical Steps To Overcome Audit Fatigue And The Blame Cycle
    • 39. The Nine Steps To Avoid Audit Fatigue
      Step 1: Align with tone at the top
      Step 2: Create a set of merged infosec and compliance/business goals
      Step 3: Define ideal information security goal indicators
      Step 4: Gain an end-to-end understanding of the information flow
      Step 5: Agree upon control ownership, roles and responsibilities
      Step 6: Define the control tests so business process control owners will agree with the results
      Step 7: Schedule and conduct regular control tests
      Step 8: Organize metrics and remediation reports
      Step 9: Detect and respond to significant changes to the control environment
    • 40. Step 1: Align With Tone At The Top
      Ensure that compliance activity is clearly managed from the top down.
    • 41. Step 2: Merge Information Security Into The Compliance/ Business Goals
      Document IT governance goals and the risks to achieving those goals
      Confirm that information security and compliance helps achieve those goals.
      For instance:
      A manufacturing company must comply with a regulatory requirement that certain chemical toxins are never released into the atmosphere in amounts over 10 particles per second.
      The manufacturing control system has been designed to ensure that this toxin is released at a rate of only 1 particle per second.
    • 42. Step 2: Merge Information Security Into The Compliance/ Business Goals
      What is the business objective?
      Ensure smooth operation of the manufacturing process, in accordance to the business plan and all associated laws and regulations.
      What are the information security and compliance risks?
      The manufacturing control system could fail and release more than the allowed amount of the chemical toxin into the atmosphere.
      The measurement system may not detect this release.
      Also, the manufacturing control measurement data could be altered or lost, which would prevent management from validating emissions output compliance.
      What is my information security goal to address this risk?
      We must maintain integrity over the particle release measurement process and the measurement data.
    • 43. Step 2: Merge Information Security Into The Compliance/ Business Goals
      What control will we implement to meet this goal?
      An access and measurement testing control process will protect the toxin release measurement software against tampering.
      The control will alert operations when changes to access are detected and when abnormal variations in the toxin measurements occur.
      The alert response will include automated and manual procedures that verify that the algorithm installed in the production system is the same as the one that underwent rigorous pre-production system testing.
      What does plant management (the business process owner) need to do to support this goal?
      The control process would require the business process owner to configure the production system to minimize the access any given individual needs to change the algorithm and the corresponding data.
      The control process would also require the business process owner to minimize the job functions that require access to the algorithms and the measurement data.
    • 44. Step 3: Define Ideal Information Security Measures
      Develop theoretical ideal indicators that demonstrate that information security goals are being met.
      Examples
      # of access roles not validated by management
      % of accounts not matching management-defined roles
      % of configurations not pre-approved by management
      % of changes not approved by management
      % of systems with centralized logging
    • 45. Step 4: Gain End-to-End Understanding
      Do an end-to-end business process walk-through to understand and document:
      Where does sensitive information enter, transit, get stored, and exit the organization?
      What are the risks to organizational goals and information flow?
      Where is reliance placed on technology to prevent and detect control failures?
    • 46. Step 4: Gain End-to-End Understanding
      A merchant has a business process that supports a customer loyalty program. The program includes issuing branded credit cards.
      The consumer credit information flow starts with a customer filling out an online application form, which is…
      Sent to the credit calculation application, is then…
      Sent to a sales application, and…
      Ends up in an application that runs on the desktop of every customer service representative.
      What is the business goal?
      To ensure that customers approved for the credit card services are capable of meeting their obligations, so that any credit extended to the customer is likely to be repaid.
    • 47. Step 4: Gain End-to-End Understanding
      What are the business, information security and compliance risks?
      Customer information is inaccurate
      Customer information is inadvertently disclosed, violating regulatory requirements
      Through what applications does the information flow?
      The online application form is delivered through a third-party vendor,
      The credit calculation is done on cloud computing resources
      The sales application is run internally by IT operations
      The customer service application is run by a combination of internally developed server software and desktop software on the customer service desktops.
    • 48. Step 5: Agree Upon Control Ownership, Roles And Responsibilities
      Clearly define roles and responsibilities for audit compliance activities at the process owner level.
    • 49. Step 6: Define The Control Tests So Control Owners Will Agree With The Results
      Make sure that evidence that demonstrates compliance goals have been met can be generated in an automated manner, upon demand.
      This will mirror the accountability spreadsheet that the auditors will likely construct
      This is what enables information security to not be left holding the bag when IT operations is disorganized or unprepared.
    • 50. Step 7: Schedule And Conduct Regular Control Tests
      Conduct tests of controls effectiveness frequently enough be able to rely on their effectiveness regardless of variances in audit scope and timing.
      Ensure that sample size is safely larger than the auditor’s
      You will find unprepared IT control owners long before the audits
      “Hope is not a strategy. Trust is not a control.”
    • 51. Step 8: Organize Metrics And Remediation Reports
      Track the completion of required remediation work, ideally to be completed well in advance of the audit.
      By compliance objective
      By business process
      By control owner
      This will look like a PMO status report
    • 52. Step 9: Detect And Respond To Significant Changes To The Control Environment
      Have the situational awareness to know when the information flow or control environment has significantly changed, requiring these steps to be redone
      For example, when an application is changed to allow consumer data to be downloaded to desktops instead of being viewed through pre-defined application reports).
    • 53. What Does Integration Of Security Controls Into Daily Operations Look Like?
    • 54. Find What’s Most Important First
    • 55. Quickly Find What Is Different…
    • 56. Before Something Bad Happens…
    • 57. Find Risk Early…
    • 58. Communicate It Effectively To Peers…
    • 59. Hold People Accountable…
    • 60. Based On Objective Evidence…
    • 61. Answer Important Questions…
    • 62. Ever Increasing Situational Mastery…
    • 63. Show Value To The Business…
    • 64. Be Recognized For Contribution…
    • 65. And Do More With Less…
    • 66. Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
      • High performers maintain a posture of compliance
      • 67. Fewest number of repeat audit findings
      • 68. One-third amount of audit preparation effort
      • 69. High performers find and fix security breaches faster
      • 70. 5 times more likely to detect breaches by automated control
      • 71. 5 times less likely to have breaches result in a loss event
      • 72. When high performers implement changes…
      • 73. 14 times morechanges
      • 74. One-half the change failure rate
      • 75. One-quarter the first fix failure rate
      • 76. 10x fasterMTTR for Sev 1 outages
      • 77. When high performers manage IT resources…
      • 78. One-third the amount of unplanned work
      • 79. 8 times moreprojects and IT services
      • 80. 6 times moreapplications
      Source: IT Process Institute, May 2008
    • 81. It’s The Way…
      Automate Compliance
      Protect Sensitive Data
      EliminateOutages
      TAKE CONTROL.
      Tripwire VIA
      VIA
      TM
      TM
      Tripwire
    • 82. Tripwire VIA™IT Security & Compliance Automation Suite
      Tripwire VIATM
      VISIBILITY  INTELLIGENCE  AUTOMATION
      File Integrity Monitoring
      SecurityEvent Manager
      Compliance Policy Manager
      Log Manager
      Tripwire Enterprise
      Tripwire Log Center
      Configuration Remediation
    • 83. Resources
      • From the IT Process Institute www.itpi.org
      Both Visible Ops Handbooks
      ITPI IT Controls Performance Study
      • Stop by the Tripwire booth for
      a copy of Visible Ops Security
      “Avoiding Audit Fatigue: Nine Steps To Achieve Compliance In A Multi-Compliance World ” white paper
      Follow Gene Kim
      On Twitter: @RealGeneKim
      genek@tripwire.com
      Blog: http://www.tripwire.com/blog/?cat=34