Unrestricted - Complex Regulation Practical Security FINAL
1. ©2016 Avanade Inc. All Rights Reserved.
Wayne Anderson
11 November 2016
2.
Wayne Anderson
@NoCo_Architect
GSLC, CISM, MCSE: Security, Security+, etc.
Avanade delivers innovative solutions on the Microsoft platform
for thousands of enterprise clients around the world.
I focus on our readiness to meet those clients’ information
security and privacy needs.
I am not an attorney. Nothing in this presentation is legal advice on whether you are or are not compliant. Please engage appropriate counsel and/or subject matter experts on the specific conditions of your program.
Director, Global Client Information Security
Avanade
4.
Business Tension is High
Market Fragmentation: CEOs consistently see a fragmented marketplace, which requires meeting MANY standards to access clients. (Figure 4. PWC 2016 Annual Global CEO Survey)
Complexity is Challenging Business: 79% of CEOs identified “over-regulation” as a key concern for organizational growth prospects. (Figure 1. PWC 2016 Annual Global CEO Survey)
Technology Discussion is Beyond IT: By 2020, large enterprises with digital business aspirations will see business unit IT spending increase to 50% of enterprise IT spending. (Gartner. Full Transparency for Enterprise Technology Spending is a Fundamental Strategy for CIOs and CFOs.)
Security is hard in Digital Workplace: By 2020, 60% of digital businesses will suffer failures due to inability of security to manage digital risk. (Gartner. The Four Steps to Manage Risk and Security in Bimodal IT)
5.
Six Degrees of Security Operations
Control Requirements: Obligations for “reasonable” business. US CA AG, US FTC, GDPR, HIPAA, cPPP
Detection and Response: Identification of high risk events, and appropriate response capabilities to limit impact to the organization.
Regulatory Reviews: Audits, scoring, regulatory fines. ENISA, FFIEC, FISMA, GDPR, AU Banking
Privacy Obligations: Rights of the individual vs system function. GDPR, HIPAA, US FTC, JP PPC, AU Privacy Act
Data Governance: Ensuring data flows are understood, identified, classified, and associated controls are applied to assets which interact with the data.
Technology and Operations: Operating the digital perimeter, networks, and endpoints which provide the day to day foundation of cyber security incident prevention and detection capability.
6.
A line between compliance and security cannot exist.
7.
Efficiency in regulatory controls is practical security.
8.
Business > Compliance > Intelligence
Mission: First and Foremost, Align to Business. Our budgets, our people, our focus as security professionals exist for a reason. Know that reason. Know that we exist to help the organization do something.
Context: Know what you Do. Intimately. How does your business impact the complexity of your asset set? What data do you handle? Where? Is some of it optional? What happens to the business in negative events?
Compliance: Build the Sum of your Obligations. The obligations of the modern business actually form a fairly comprehensive control map for most organizations!
Risk: Modify based on Treatment and Intel. Risk tolerance and intelligence / modelling of specific threats to your business will modify how you prioritize and invest in controls.
9.
Start by Prioritizing your Obligations
Keys to Compliance
#1: Build a positive relationship with your legal team.
#2: A security leader must be focused on and understand the business.
#3: Prioritize your obligations.
Example: European Bank
CIS Top 20: applies to entire business as a basic subset of controls
GDPR: oversight of holding subject data
Country Regulation: provides more granular guidance for local systems and locations
PCI DSS: readiness to accept and work with payment cards
ENISA: guidance to operate as a European financial institution
Additive Control Set: Most foundational controls are prioritized highest.
10.
Map your Control Set
Keys to Compliance
#4: Map your Control Set (hint: choose a base framework)
#5: Use published audit rubrics for internal validation
[Control mapping matrix: ISO 27001 Controls A 5, A 5.1, A 6, A 6.1, A 6.2, A 7, A 7.1, A 7.2, A 7.3, A 8, A 8.1, A 8.2 across the top; Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20, Whatever down the side]
Use your base framework. Add your programs. Hint: Include regulatory rules and case law.
11.
Map your Control Set
Make use of consulting, advisory, and industry resources
Gartner, Forrester, Nymity, Bloomberg
Unified Compliance Framework Common Controls Hub
EU Office of Data Protection Commissioner Guide to Audit Process
EU Directive EC 95/46 Personal Data Protection Audit Framework
US Health Human Services Audit Protocol
Consider whether outside counsel or consultants are of value to your organization’s needs.
Do you have the trusted in-house expertise necessary to change direction?
12.
Regulatory Changes are part of your Intelligence
Keys to Compliance
#6: Invest in regulatory management tools
#7: Feeds for security and privacy changes are as necessary as malware and email intel.
Threat Intelligence
Legislation: Are you subject to new laws? GDPR is coming in May 2018; do you know what is different? HIPAA was updated this year. Did your program update?
Organizational Updates: As international organizations like ISO, ISACA, CIS, and others update guidance, your business needs to understand the changes; they often reflect the state of industry expectations.
Block Lists: Network and CIRT
Enforcement Actions: The track record of how judges and agencies interpret those rules is very important for the day to day guidance of how to operate and document the security program.
Are you leveraging knowledge sharing platforms? Interflow, Threat Central, Confer, ThreatConnect, etc.
13.
Risk Management
Keys to Compliance
#8: The law is not optional.
#9: Keep good records. Look for inconsistency.
#10: Risk decisions require competency.
[Control mapping matrix: ISO 27001 Controls A 5, A 5.1, A 6, A 6.1, A 6.2, A 7, A 7.1, A 7.2, A 7.3, A 8, A 8.1, A 8.2 across the top; Country Regulation, ENISA, GDPR, PCI DSS, CIS Top 20 down the side]
Use control origins in your risk assessments.
Law: Prioritize up. Market-Only with low exposure: Prioritize down.
14.
It is easy to say “everything applies.”
Your risk scale and criteria should have sufficient range to provide differentiation in priority and impact among “required” controls.
15.
Translating Compliance to Practical Security
1. Build a positive relationship with your legal team.
2. A security leader must be focused on and understand the business.
3. Prioritize your obligations.
4. Map your Control Set.
5. Use published audit rubrics for internal validation.
6. Invest in regulatory management tools.
7. Feeds for security and privacy changes are as necessary as malware and email intel.
8. The law is not optional.
9. Keep good records. Look for inconsistency.
10. Risk decisions require competency.
16.
Questions?
Want to see more like this? Let us know you liked it:
Rate this session: oreillysecuritycon.com/eu
Editor's Notes
Being a security professional is harder and more complex than it ever has been before.
For the modern medium and large sized business, today’s compliance landscape is a varied plain of interlocking and overlapping regulations.