©2016 Avanade Inc. All Rights Reserved.
Wayne Anderson
11 November 2016
Wayne Anderson
@NoCo_Architect
GSLC, CISM, MCSE: Security, Security+, etc.
Avanade delivers innovative solutions on the Microsoft platform
for thousands of enterprise clients around the world.
I focus on our readiness to meet those clients’ information
security and privacy needs.
I am not an attorney. Nothing in this presentation is legal advice on whether you are or are not compliant. Please engage appropriate counsel and/or
subject matter experts on the specific conditions of your program.
Director, Global Client Information Security
Avanade
Business Tension is High
Market Fragmentation: CEOs consistently see a fragmented marketplace, which requires meeting MANY standards to access clients. (Figure 4, PWC 2016 Annual Global CEO Survey)
Complexity is Challenging Business: 79% of CEOs identified “over-regulation” as a key concern for organizational growth prospects. (Figure 1, PWC 2016 Annual Global CEO Survey)
Technology Discussion is Beyond IT: By 2020, large enterprises with digital business aspirations will see business unit IT spending increase to 50% of enterprise IT spending. (Gartner, Full Transparency for Enterprise Technology Spending is a Fundamental Strategy for CIOs and CFOs)
Security is hard in the Digital Workplace: By 2020, 60% of digital businesses will suffer failures due to the inability of security to manage digital risk. (Gartner, The Four Steps to Manage Risk and Security in Bimodal IT)
Six Degrees of Security Operations
Control Requirements: Obligations for “reasonable” business. US CA AG, US FTC, GDPR, HIPAA, cPPP
Detection and Response: Identification of high-risk events, and appropriate response capabilities to limit impact to the organization.
Regulatory Reviews: Audits, scoring, regulatory fines. ENISA, FFIEC, FISMA, GDPR, AU Banking
Privacy Obligations: Rights of the individual vs system function. GDPR, HIPAA, US FTC, JP PPC, AU Privacy Act
Data Governance: Ensuring data flows are understood, identified, classified, and associated controls are applied to assets which interact with the data.
Technology and Operations: Operating the digital perimeter, networks, and endpoints which provide the day-to-day foundation of cyber security incident prevention and detection capability.
A line between compliance and security cannot exist.
Efficiency in regulatory controls is practical security.
Business > Compliance > Intelligence
Mission. First and Foremost, Align to Business. Our budgets, our people, our focus as security professionals exist for a reason. Know that reason. Know that we exist to help the organization do something.
Context. Know what you Do. Intimately. How does your business impact the complexity of your asset set? What data do you handle? Where? Is some of it optional? What happens to the business in negative events?
Compliance. Build the Sum of your Obligations. The obligations of the modern business actually form a fairly comprehensive control map for most organizations!
Risk. Modify based on Treatment and Intel. Risk tolerance and intelligence / modelling of specific threats to your business will modify how you prioritize and invest in controls.
Start by Prioritizing your Obligations
Keys to Compliance
#1: Build a positive relationship with your legal team.
#2: A security leader must be focused on and understand the business.
#3: Prioritize your obligations.
Example: European Bank
Additive Control Set: Most foundational controls are prioritized highest.
CIS Top 20: applies to the entire business as a basic subset of controls
GDPR: oversight of holding subject data
Country Regulation: provides more granular guidance for local systems and locations
PCI DSS: readiness to accept and work with payment cards
ENISA: guidance to operate as a European financial institution
Map your Control Set
Keys to Compliance
#4: Map your Control Set (hint: choose a base framework)
#5: Use published audit rubrics for internal validation
Mapping matrix: columns are the ISO 27001 Controls (A 5, A 5.1, A 6, A 6.1, A 6.2, A 7, A 7.1, A 7.2, A 7.3, A 8, A 8.1, A 8.2); rows are the programs mapped onto them: Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20, Whatever.
Use your base framework. Add your programs. Hint: Include regulatory rules and case law.
Map your Control Set
Make use of consulting, advisory, and industry resources:
Gartner, Forrester, Nymity, Bloomberg
Unified Compliance Framework Common Controls Hub
EU Office of Data Protection Commissioner Guide to Audit Process
EU Directive EC 95/46 Personal Data Protection Audit Framework
US Health and Human Services Audit Protocol
Consider whether outside counsel or consultants are of value to your organization’s needs.
Do you have the trusted in-house expertise necessary to change direction?
Regulatory Changes are part of your Intelligence
Keys to Compliance
#6: Invest in regulatory management tools
#7: Feeds for security and privacy changes are as necessary as malware and email intel.
Threat Intelligence
Legislation: Are you subject to new laws? GDPR is coming in May 2018, do you know what is different? HIPAA was updated this year. Did your program update?
Organizational Updates: As international organizations like ISO, ISACA, CIS, and others update guidance, your business needs to understand the changes; they often reflect the state of industry expectations.
Block Lists: Network and CIRT
Enforcement Actions: The track record of how judges and agencies interpret those rules is very important for the day-to-day guidance of how to operate and document the security program.
Are you leveraging knowledge sharing platforms? Interflow, Threat Central, Confer, ThreatConnect, etc.
Risk Management
Keys to Compliance
#8: The law is not optional.
#9: Keep good records. Look for inconsistency.
#10: Risk decisions require competency.
Mapping matrix: columns are the ISO 27001 Controls (A 5, A 5.1, A 6, A 6.1, A 6.2, A 7, A 7.1, A 7.2, A 7.3, A 8, A 8.1, A 8.2); rows are Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20.
Use control origins in your risk assessments.
Law: Prioritize up. Market-Only with low exposure: Prioritize down.
It is easy to say “everything applies.”
Your risk scale and criteria should have sufficient range to provide
differentiation in priority and impact among “required” controls.
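The prioritization rule on this slide (law prioritizes up, market-only obligations with low exposure prioritize down, and the additive control set from the European Bank example) worked through in Python. This is an added example, not code from the deck or from Avanade; the obligation-to-control mappings, the origin and exposure weights, and the scoring formula are constructed for illustration and are not real mappings of those regulations onto ISO 27001 Annex A.

```python
from dataclasses import dataclass

# Constructed illustration of the deck's "additive control set" and its
# prioritization rule; the obligation-to-control mappings below are made up
# for the example and are NOT real mappings onto ISO 27001 Annex A.

@dataclass(frozen=True)
class Obligation:
    name: str
    origin: str          # "law" | "regulator" | "market" (where the obligation comes from)
    exposure: str        # "low" | "high" (how exposed the business is if it fails)
    controls: frozenset  # base-framework control ids this obligation maps onto

# Weights are assumptions chosen to give the scale enough range to separate
# "required" controls from each other (the slide's point about differentiation).
ORIGIN_WEIGHT = {"law": 3, "regulator": 2, "market": 1}
EXPOSURE_WEIGHT = {"high": 2, "low": 1}

# Constructed "European Bank" obligation stack, after the deck's example.
EUROPEAN_BANK = [
    Obligation("CIS Top 20", "market", "high", frozenset({"A 5.1", "A 6.1", "A 8.1", "A 8.2"})),
    Obligation("GDPR", "law", "high", frozenset({"A 5.1", "A 6.1", "A 7.2", "A 8.2"})),
    Obligation("Country Regulation", "regulator", "high", frozenset({"A 6.2", "A 7.1"})),
    Obligation("PCI DSS", "market", "high", frozenset({"A 8.1", "A 8.2"})),
    Obligation("ENISA", "regulator", "low", frozenset({"A 6.1", "A 6.2"})),
    Obligation("Internal policy", "market", "low", frozenset({"A 7.3"})),
]


def build_control_map(obligations):
    """Map each base-framework control to the set of obligations that require it."""
    control_map = {}
    for ob in obligations:
        for ctl in ob.controls:
            control_map.setdefault(ctl, set()).add(ob)
    return control_map


def control_priority(mapped):
    """Score one control from the origins and exposure of the obligations behind it.

    Law sets the floor ("Law: prioritize up"), breadth is additive (more programs
    needing the control raise it), and a control required only by market-origin
    obligations with low exposure is pushed down ("Market-only, low exposure:
    prioritize down").
    """
    top_origin = max(ORIGIN_WEIGHT[o.origin] for o in mapped)
    top_exposure = max(EXPOSURE_WEIGHT[o.exposure] for o in mapped)
    score = top_origin * top_exposure + len(mapped)
    market_only = all(o.origin == "market" for o in mapped)
    low_exposure = all(o.exposure == "low" for o in mapped)
    if market_only and low_exposure:
        score -= 1
    return score


def rank_controls(obligations):
    """Return (control, score, mandated_by_law, [obligation names]) from highest priority down."""
    rows = []
    for ctl, mapped in build_control_map(obligations).items():
        mandated_by_law = any(o.origin == "law" for o in mapped)  # "the law is not optional"
        rows.append((ctl, control_priority(mapped), mandated_by_law, sorted(o.name for o in mapped)))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def has_sufficient_range(ranked, distinct_levels=3):
    """True when the scale actually differentiates controls instead of ranking everything equal."""
    return len({score for _, score, _, _ in ranked}) >= distinct_levels


if __name__ == "__main__":
    for ctl, score, by_law, names in rank_controls(EUROPEAN_BANK):
        flag = "LAW" if by_law else "   "
        print(f"{ctl:6} priority={score:2} {flag} <- {', '.join(names)}")
    print("scale differentiates:", has_sufficient_range(rank_controls(EUROPEAN_BANK)))
```

The `mandated_by_law` flag is kept separate from the score on purpose: the score decides investment order, while the flag marks controls that a risk decision may not defer, which is the distinction between the slide's "prioritize down" and "the law is not optional".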
Translating Compliance to Practical Security
1. Build a positive relationship with your legal team.
2. A security leader must be focused on and understand the business.
3. Prioritize your obligations.
4. Map your Control Set.
5. Use published audit rubrics for internal validation.
6. Invest in regulatory management tools.
7. Feeds for security and privacy changes are as necessary as malware and email intel.
8. The law is not optional.
9. Keep good records. Look for inconsistency.
10. Risk decisions require competency.
Questions?
Want to see more like this? Let us know you liked it:
Rate this session: oreillysecuritycon.com/eu

Unrestricted - Complex Regulation Practical Security FINAL

  • 1. ©2016 Avanade Inc. All Rights Reserved. Wayne Anderson 11 November 2016 ©2016 Avanade Inc. All Rights Reserved.
  • 2. ©2016 Avanade Inc. All Rights Reserved. Wayne Anderson @NoCo_Architect GSLC, CISM, MCSE: Security, Security+, etc. Avanade delivers innovative solutions on the Microsoft platform for thousands of enterprise clients around the world. I focus on our readiness to meet those clients’ information security and privacy needs. I am not an attorney. Nothing in this presentation is legal advice on whether you are or are not compliant. Please engage appropriate counsel and/or subject matter experts on the specific conditions of your program. ©2016 Avanade Inc. All Rights Reserved. Director, Global Client Information Security Avanade
  • 3. ©2016 Avanade Inc. All Rights Reserved.©2016 Avanade Inc. All Rights Reserved.
  • 4. ©2016 Avanade Inc. All Rights Reserved. Business Tension is High 79% 50% X 60% Market Fragmentation CEOs consistently see a fragmented marketplace, which requires meeting MANY standards to access clients. Figure 4. PWC 2016 Annual Global CEO Survey Complexity is Challenging Business 79% of CEOs identified “over-regulation” as a key concern for organizational growth prospects. Figure 1. PWC 2016 Annual Global CEO Survey Technology Discussion is Beyond IT By 2020, large enterprises with digital business aspirations will see business unit IT spending increase to 50% of enterprise IT spending. Gartner. Full Transparency for Enterprise Technology Spending is a Fundamental Strategy for CIOs and CFOs. Security is hard in Digital Workplace By 2020, 60% of digital businesses will suffer failures due to inability of security to manage digital risk. Gartner. The Four Steps to Manage Risk and Security in Bimodal IT
  • 5. ©2016 Avanade Inc. All Rights Reserved. Control Requirements Obligations for “reasonable” business. US CA AG, US FTC, GDPR, HIPAA, cPPP Detection and Response Identification of high risk events, and appropriate response capabilities to limit impact to the organization. Regulatory Reviews Audits, scoring, regulatory fines. ENISA, FFIEC, FISMA, GDPR, AU Banking Privacy Obligations Rights of the individual vs system function GDPR, HIPAA, US FTC, JP PPC, AU Privacy Act Data Governance Ensuring data flows are understood, identified, classified, and associated controls are applied to assets which interact with the data. Technology and Operations Operating the digital perimeter, networks, and endpoints which provide the day to day foundation of cyber security incident prevention and detection capability. Six Degrees of Security Operations
  • 6. ©2016 Avanade Inc. All Rights Reserved. Control Requirements Obligations for “reasonable” business. US CA AG, US FTC, GDPR, HIPAA, cPPP Detection and Response Identification of high risk events, and appropriate response capabilities to limit impact to the organization. Regulatory Reviews Audits, scoring, regulatory fines. ENISA, FFIEC, FISMA, GDPR, AU Banking Privacy Obligations Rights of the individual vs system function GDPR, HIPAA, US FTC, JP PPC, AU Privacy Act Data Governance Ensuring data flows are understood, identified, classified, and associated controls are applied to assets which interact with the data. Technology and Operations Operating the digital perimeter, networks, and endpoints which provide the day to day foundation of cyber security incident prevention and detection capability. A line between compliance and security cannot exist.
  • 7. ©2016 Avanade Inc. All Rights Reserved. Control Requirements Obligations for “reasonable” business. US CA AG, US FTC, GDPR, HIPAA, cPPP Detection and Response Identification of high risk events, and appropriate response capabilities to limit impact to the organization. Regulatory Reviews Audits, scoring, regulatory fines. ENISA, FFIEC, FISMA, GDPR, AU Banking Privacy Obligations Rights of the individual vs system function GDPR, HIPAA, US FTC, JP PPC, AU Privacy Act Data Governance Ensuring data flows are understood, identified, classified, and associated controls are applied to assets which interact with the data. Technology and Operations Operating the digital perimeter, networks, and endpoints which provide the day to day foundation of cyber security incident prevention and detection capability. Efficiency in regulatory controls is practical security.
  • 8. Business > Compliance > Intelligence
    First and Foremost, Align to Business. Our budgets, our people, our focus as security professionals exist for a reason. Know that reason. Know that we exist to help the organization do something.
    Know what you Do. Intimately. How does your business impact the complexity of your asset set? What data do you handle? Where? Is some of it optional? What happens to the business in negative events?
    Build the Sum of your Obligations. The obligations of the modern business actually form a fairly comprehensive control map for most organizations!
    Modify based on Treatment and Intel. Risk tolerance and intelligence / modelling of specific threats to your business will modify how you prioritize and invest in controls.
    (Diagram labels: Mission Context, Compliance, Risk)
  • 9. Start by Prioritizing your Obligations
    Keys to Compliance:
    #1: Build a positive relationship with your legal team.
    #2: A security leader must be focused on and understand the business.
    #3: Prioritize your obligations.
    Example: European Bank (additive control set; the most foundational controls are prioritized highest):
    - CIS Top 20: applies to the entire business as a basic subset of controls
    - GDPR: oversight of holding subject data
    - Country Regulation: provides more granular guidance for local systems and locations
    - PCI DSS: readiness to accept and work with payment cards
    - ENISA: guidance to operate as a European financial institution
  • 10. Map your Control Set
    Keys to Compliance:
    #4: Map your Control Set (hint: choose a base framework)
    #5: Use published audit rubrics for internal validation
    (Diagram: a mapping matrix with ISO 27001 Controls as rows – A 5, A 5.1, A 6, A 6.1, A 6.2, A 7, A 7.1, A 7.2, A 7.3, A 8, A 8.1, A 8.2 – against the columns Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20, Whatever.)
    Use your base framework. Add your programs. Hint: Include regulatory rules and case law.
  • 11. Map your Control Set (continued)
    Keys to Compliance:
    #4: Map your Control Set (hint: choose a base framework)
    #5: Use published audit rubrics for internal validation
    Make use of consulting, advisory, and industry resources:
    - Gartner, Forrester, Nymity, Bloomberg
    - Unified Compliance Framework Common Controls Hub
    - EU Office of Data Protection Commissioner Guide to Audit Process
    - EU Directive EC 95/46 Personal Data Protection Audit Framework
    - US Health & Human Services Audit Protocol
    Consider whether outside counsel or consultants are of value to your organization’s needs. Do you have the trusted in-house expertise necessary to change direction?
  • 12. Regulatory Changes are part of your Intelligence
    Keys to Compliance:
    #6: Invest in regulatory management tools
    #7: Feeds for security and privacy changes are as necessary as malware and email intel.
    Threat Intelligence:
    - Legislation: Are you subject to new laws? GDPR is coming in May 2018; do you know what is different? HIPAA was updated this year. Did your program update?
    - Organizational Updates: As international organizations like ISO, ISACA, CIS, and others update guidance, your business needs to understand the changes; they often reflect the state of industry expectations.
    - Block Lists: Network and CIRT
    - Enforcement Actions: The track record of how judges and agencies interpret those rules is very important for the day-to-day guidance of how to operate and document the security program.
    Are you leveraging knowledge sharing platforms? Interflow, Threat Central, Confer, ThreatConnect, etc.
  • 13. Risk Management
    Keys to Compliance:
    #8: The law is not optional.
    #9: Keep good records. Look for inconsistency.
    #10: Risk decisions require competency.
    (Diagram: the same ISO 27001 control mapping matrix – rows A 5, A 5.1, A 6, A 6.1, A 6.2, A 7, A 7.1, A 7.2, A 7.3, A 8, A 8.1, A 8.2 – against Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20.)
    Use control origins in your risk assessments. Law: prioritize up. Market-only with low exposure: prioritize down.
  • 14. Risk Management (continued; same keys and diagram as slide 13)
    It is easy to say “everything applies.” Your risk scale and criteria should have sufficient range to provide differentiation in priority and impact among “required” controls.
  • 15. Translating Compliance to Practical Security
    1. Build a positive relationship with your legal team.
    2. A security leader must be focused on and understand the business.
    3. Prioritize your obligations.
    4. Map your Control Set.
    5. Use published audit rubrics for internal validation.
    6. Invest in regulatory management tools.
    7. Feeds for security and privacy changes are as necessary as malware and email intel.
    8. The law is not optional.
    9. Keep good records. Look for inconsistency.
    10. Risk decisions require competency.
  • 16. Questions? Want to see more like this? Let us know you liked it. Rate this session: oreillysecuritycon.com/eu

Editor's Notes

  1. Being a security professional is harder and more complex than it ever has been before. For the modern medium- and large-sized business, today’s compliance landscape is a varied plain of interlocking and overlapping regulations.