First presented at the UC David Security Symposium June 18, 2013 Information security, governance, compliance, and organizational design.

1. An Effective Security
and Compliance Office
UC Davis Security Symposium 2013
Sean Cordero, Cloud Watchmen
Kevin Mazzone, UC Davis Health System
June 18, 2013

2. About the presenters
Sean Cordero, CISSP,
CISM, CISA, CRISC
• Founder Cloud Watchmen
– Provides InfoSec and
compliance services
• 14+ years experience
• Consults with C-level
management at public
and private enterprises
• Regular speaker at
security conferences
• Former CSO of EdFund
and Charlotte Russe
Kevin Mazzone, PMP,
CEH
• M.S. Information
Management & InfoSec
from Syracuse University
• Security and compliance
experience – Intel,
EdFund, UCDHS,
MAXIMUS
• 15+ years of experience
• Former ISO
• Candidate for CISSP
2

3. Objectives
• Based on our experiences, we’ll talk about:
• Engage & approach in a different way
• Establishing relationships and human factors
– Communication tools & standardized reporting
– Show risk & effectuate IT management
• Ensure security agenda is pushed forward
3

4. Overview
• Traditional model
• Proposed model
• Relationship
• Communications
• Summary – Questions & Answers
4

5. Traditional Model
5

6. Traditional model
CEO
CIO
IT Apps
IT Facilities
IT Infra
IT Sec
Compliance
HR
Legal
Physical Security
Records
• IT Sec “enforcer”
• Doesn’t work with
traditional
organizational
constraints
• “Begger-Prince”
• Security team has no
power
• Company policy
– “Crying to Mom”

7. Traditional model gaps
Traditional models don’t address…
• Physical risks
• Non-electronic data
– Records mgmt. & records retention
7

8. Traditional model doesn’t work
• A CIO makes sure information systems are
effectively managed & to get the information to
users - fast
• ISO protects and ensure CIA
• ISO should be the CSO & report to CEO/ COO
• Alternatively, ISO reports to CSO
• Avoid conflict of interest
– Lateral with CIO
8Source: Kovcich

9. Even more…
• Technical reviewer
– Security skills < IT apps and infrastructure
• Policy developer
– Vacuum = useless; important what is done
• Assessor
• Competency of ISO
– Need to manage up & force written decisions
– Fails at: building external relationships, articulating risks,
marketing, create win/win, over reliance on tech fixes to
human factor
9

10. Proposed Model
10

11. Organizational overview
CEO
CIO
IT AppsIT FacilitiesIT Infra
Compliance
HR
Information
Security
Legal Physical
Security
Records
ConsumersofITServices
• Security becomes a
consumer
• Requirements &
expectations based
• Ends Conflict of
interest
• End 2 End risk
understanding
• Carnegie Mellon
placement

12. Proposed Org Benefits
• Influence with biz and support groups
– HR, Legal, Finance, Physical Sec, Biz Units, etc.
– Peer Management Review Committees (MRCs)
• Risk acceptance & documentation
• Buy-off on IA response
• Security governance
12

13. Reality…
• In most orgs, security is already a part of IT
• Establishing & maintaining relationships with the
other consumers of IT is key
13

14. Relationships
14

15. Relationships = Enabler
• “Make the most of what you’ve got”
– Up & out relations – Legal, HR, line of biz, etc.
• IT InfoSec conduit between biz groups and rest
of IT
• IT InfoSec as enabler
– Not just validator
– Sec can run vuln scan
– Poor relationship = backfire
15

16. 16
Goals & desires of IT InfoSec
+ up & out depts. = risk
mgmt. goal

17. Types of engagements
1. Internal IT
2. Lateral
3. Up & out
4. External 3rd parties
– SME
– External auditors (BSA, Joint Commission, PCI,
etc.)
17

18. Internal IT
• Upward to management
• Lateral to support groups
– Infrastructure
– Project management / business analysts
– Applications
• Non-functional requirements
18

19. Internal IT management
• Communicate security & compliance risks!
• Address costs, resource requirements, time,
scope
– Security & remediation not effectively accounted for
in new projects or KTBR
• Security technologies not budgeted
• Resources not assigned security control & remediation
tasks
– CIO can assign more resources or extend the time
• Document decisions
19

20. IT mgmt. comms gone wrong
• When CIO disavows from identified security or
compliance risks & makes determination not work
on through decree or priority they are failing org,
not doing job, and taking on board role
– CIO makes risk decision for entire company
– Blind decision and not represent company
– Bad CIO does whatever can to shut down process
• Document decision
20

21. Up & out engagement
• Conversation - unified way to report, measure,
rank, and how to communicate to up & out
stakeholders
– Meaningless to Legal – x vulnerabilities in patching
• Way to begin holding IT accountable even though
role of sec is to “open the kimono”
• Establish on-going relationship
• Establishes expectations
21

22. 3rd party engagement
• Scope & engagement – top down
– May or may not be from board or audit committee
– Ex: E&Y, BSA, PCI Assessor, FISMA/ FEDRAMP
readiness review, HITECH/ HIPPA comply review,
SOx audit (§404)
• Best way to engage: pen. test, vuln. assessment,
effectiveness reviews
22

23. Communication tools
23

24. • Communication types
– Indirect – written loop back to decision maker
– Direct – 1:1 engagement
• Disclosure levels
– Full – show all the dirty laundry
– Limited – minimal amount of information

25. • Matrix
– Column team – consumer arm (legal, HR, 3rd party,
SMO, 3rd party auditor, internal cust (line-of biz,
QA, UAT,…), external customers, cio, board/
governance committee, cfo/ finance, proj mgmt.,
procurement
– Top – raci basterdized
• influencer – enforcer
• Decision maker
25

26. • Type of engagement and expected outcome
– Direct with IA = bad
• nature, level of disclosure, org risk, dealing w/ auditor
provide min info and just enough to pass
• 3rd party SME = direct, full
• CIO = direct full disclosure sco to cio, indirect
mod to full to lateral groups
26

27. Communication tools
• Written communication & agreements
– IT SLAs to consumer – codified and written; measurable
– Incident response
– Inventory/ asset mgmt.
– Patch / system upkeep
– Base-line configuration
– Email - per our convorsation…
– Policies – vetted, approved
• Up and out groups, external 3rd party, CIO enabler
27

28. Communication tools (cont’d)
• Audit reports
• Checklists
• SOWs / RFP
• Change management
• Risk Assessments
• Management level reports
– -ISO to CIO, Audit Committee, stakeholders/ consumers of IT services
– Measure/ metrics baseline SLA between consumer and IT
– Internal measures / metrics
28

29. Checklists
• Direct communications
• Implementation up for
interpretation
– Security SME sees
requirements one way; IT
another
• Formal support / written
from exec mgmt.
– Let go of non-supported /
legal issue esc to Legal
for resolution
29

30. Indirect audit reports
• Indirect communications
• Finding  go fix it
• Force finding through internal risk acceptance
process and make executive mgmt./ board sign
off & approve to accept
– Forced: prioritization change for IT projects
30

31. Respond to audit reports
• Response is too often date focused
– Consider LOE, costs (ops + expenses), risk,
duration, and time
• Executive management must make decision on
project prioritization, and when to start
– This decision establishes date
– Future date = temporary risk acceptance
– Document mgmt. decision
31

32. SOW / RFP
• Including security requirements as part of
procurement process
• Implementation include security non-functional
requirements
– Often solution supports security controls but they
need to be turned on
32

33. Change management
• Full disclosure
• Operations (upgrades &
KTBR) & project focused
• Non-functional
requirements
– Not going to do; decision
made, documented, and
approved
• Type of risk assessment
33

34. Management level reports
• Full disclosure
• State of compliance
• Unaddressed risks
• Measures related to SLA with IT
– Patching timelines, etc.
34

35. Summary
35

36. Summary
• Security is a consumer of IT
– HR, Legal, Physical Security, Compliance, etc. are
consumers
• Relationships are key
• Communications – tailored for the consumer
– Methods - Indirect v. direct
– Tools

37. Questions and Answers
37

38. Citations
• Kovacich, Dr. Gerald L., CISSP, CFE, CPP. The
information systems security officer's guide,
establishing and managing an information
protection program. 2nd ed. Butterworth-
Heinemann, 2003. Print.
38