
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1


  1. NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5
     Developing an Evidence Driven Information Security Compliance Strategy
     Patrick Garrett, J.D., CISSP, Account Information Security Officer, DXC Technology
     November 10, 2017
  2. Bio and Disclaimer:
     • Account Information Security Officer @ DXC Technology
     • Responsible for end-to-end delivery of security services and overall compliance of assigned accounts.
     • Former attorney and infosec and compliance consultant.
     Disclaimer: The content, statements, and opinions given in this presentation are mine alone and not those of my employer. I am not speaking on behalf of DXC Technology. This is not legal advice and should not be relied on as such.
  3. Let's build a compliance program!
  4. Why is a compliance program needed?
     • Orderly delivery of services or products.
     • Avoid civil and criminal liability.
     • Meet regulatory requirements.
     • Quality control: deliver consistent results.
     • Identify and reduce risk.
  5. An effective compliance program
     Federal Sentencing Guidelines for Organizations, §8B2.1(a): To have an effective compliance and ethics program . . . an organization shall— (1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
  6. Is your compliance program effective?
  7. Key considerations when building or assessing a compliance program
     • Is it following best practices?
     • Are the right stakeholders engaged?
     • Can you demonstrate due diligence in implementing it?
     • Are the components interchangeable and functioning?
     • Is it designed to be reasonably effective?
     • Can it withstand third-party testing and replication?
  8. What is an evidence driven strategy?
     • A practical roadmap for building a compliance program that is:
       • Flexible
       • Effective
       • Security framework agnostic
     • A framework based on established best practices.
     • Designed using a proven methodology.
  9. What is an evidence driven strategy? (continued)
     • Builds in the evidence you need to prove due diligence and effectiveness.
     • Components are interchangeable; changing one does not affect the others.
     • Does not by itself make your organization secure, but helps you get there.
  10. Now... ready for the exciting stuff?
  11. Review of Best Practices
     • Top-down oversight, executive-level accountability, and independence.
     • Implement reasonable measures to enforce standards and policies.
     • Meaningful communication and education vertically across the organization.
     • Consistent enforcement and response to violations.
     • Ongoing tracking and evaluation of program effectiveness.
     • Cultivate an atmosphere that encourages compliance.
  12. Compliance Framework
     1. Oversight and Reporting: high-level accountability and ongoing evaluation of the program's effectiveness.
     2. Standards and Policies: establish the baseline of conduct the organization is expected to adhere to.
     3. Promotion and Training: communicate the standards and procedures and ensure they are understood at all levels.
     4. Enforcement and Auditing: implement controls to enforce the baseline and audit to determine the level of compliance.
     5. Identify and Treat Risk: continue to evaluate whether the baseline is still suitable and the controls still effective.
  13. Oversight and Reporting
     • Board of Directors or equivalent must oversee the program:
       • Sufficient knowledge of the program.
       • Ensure it's implemented and is effective.
       • Ongoing obligation.
     • High-level individual assigned responsibility for implementing the program:
       • Independence: separation of duties.
       • May delegate the day-to-day operations.
       • Exercise due care in selecting operational staff that will have "substantial discretionary authority".
  14. Oversight and Reporting
     Demonstrating reasonable oversight and knowledge:
     • Annual board-level "deep dive" training.
     • Annual assessment report with executive sign-off.
     • Monthly or quarterly metric reporting.
     • Risk assessment results.
     • Clearly identified and documented roles.
     Relevant metrics:
     • Violations per control or geographic location.
     • Systemic process failures identified.
     • Percent of the organization that completed annual training.
  15. Standards and Policies
     • Establish the organization's risk profile:
       • Applicable regulations and contracts.
       • What is the risk appetite and threat landscape?
     • Select the cybersecurity framework(s) that best fit your profile:
       • Consider org size, resources, and capabilities.
       • Simplicity vs. comprehensiveness.
       • In-house vs. outsourcing.
     • Create your security baseline by drafting policies and standards.
     • Create a central repository for all baseline collateral.
  16. Standards and Policies
     Demonstrating due diligence in the selection process:
     • Documented pre-build risk assessment.
     • Selection criteria for the cyber framework.
     • Legal or consultant engagement, if available.
     • Vendor contracts and SOWs.
     • OS configuration standards, etc.
     Relevant metrics:
     • Time to implement: estimated vs. actual.
     • Overall organization spend for compliance.
     • Relevant vendor SLAs and KPI scores.
  17. Promotion and Training
     • Accessible repository for standards and policies.
     • Communicate your baseline at all levels.
     • Chunked, digestible training.
     • Interactive: require input during sessions.
     • Executive sponsorship and endorsement from outside security.
     • Require at on-boarding and annually at minimum.
     • Publicize the location of all baseline material and the method for anonymous reporting, and reassure zero retaliation.
     • Solicit feedback.
  18. Promotion and Training
     Demonstrating efforts to bolster overall compliance:
     • Seminars, courses, and newsletters.
     • Awareness marketing materials.
     • Deployed surveys and questionnaires.
     • Course content (all versions).
     Relevant metrics:
     • Spikes / declines in violations before and after training.
     • Overall training completion rates vs. pass rates.
     • Questionnaire scoring at a granular level.
     • Survey participation rate and satisfaction %.
  19. Enforcement and Auditing
     Engage your operations team, and engage them early.
     • Select and implement controls that align with your security framework:
       • Confidentiality, integrity, availability.
     • Monitor for deviations, violations, and failures.
     • Method for anonymous reporting or advice.
     • Clearly defined and communicated sanctions.
     • Consistent and timely enforcement.
     • Annual process updates.
     • Are the controls working as intended?
  20. Enforcement and Auditing
     Demonstrating reasonable enforcement actions:
     • Processes and work instructions.
     • Physical walkthrough of the facility.
     • Weekly / monthly reporting dashboards.
     • Console reports and patching schedules.
     • Incident tickets and closures.
     Relevant metrics:
     • % of OS and application patch saturation.
     • Ticket response and resolution times.
     • Volume of malware detected, IPs blocked, etc.
  21. Identify and Treat Risk
     • Identify gaps in the overall compliance program as well as in the controls.
     • Robust incident handling process.
     • Security incident tabletops.
     • Organizational risk register (POAM).
     • Process for deviation approvals.
     • Lessons learned documented: systemic issues.
     • Periodic review of baseline and risk profile: still appropriate?
  22. Identify and Treat Risk
     Demonstrating your compliance program is effective:
     • If gaps are identified, it means your program is working!
     • Reported incidents and violations.
     • Third-party audits: no deviations found.
     • All deviations are documented and approved.
     • Risk treatment plans.
     Relevant metrics:
     • Incident volume and other metrics.
     • Number of employee self-disclosures: demonstrates culture.
     • Average remediation times and repeat statistics.
  23. Questions?
  24. Thank you
