Integrated Compliance Framework
Dave Barnett, CISSP, CISM, CSDP, CSSLP
Dave.Barnett@computer.org
Some Compliance Requirements…
- Sarbanes-Oxley: financial reporting accuracy
- Health Insurance Portability & Accountability Act (HIPAA): medical information for employee benefits
- Privacy: European Union Data Protection Directive; Canada; Japan; California Senate Bill 1386 (plus 25 other states)
- FDA: 21 CFR Part 11 and Good Manufacturing Practice (GMP)
Some Compliance Requirements (continued)
- Federal Trade Commission: consumer protection
- Credit card regulations: Payment Card Industry (PCI) requirements, mandated by Visa CISP, MasterCard SDP, and the Amex Data Security Requirement
- Trade compliance: Customs-Trade Partnership Against Terrorism (C-TPAT); export of materials and technology to restricted countries or parties
- Environmental Health and Safety (EH&S): hazardous materials handling and transportation; DEA; OSHA
Some Compliance Requirements (continued)
- Litigation: eDiscovery
- Intellectual property (IP): patents and patent infringement litigation
- Certifications: ISO 9001; ISO 17799 / ISO 27001; BS 15000 / ISO 20000
Legal Strategy for Compliance
- Emerging legal standard for security*
- T.J. Hooper case, 60 F.2d 737 (2d Cir. 1932)**
  - In 1928 the tug T.J. Hooper lost the barges it was towing in a storm. The cargo owners sued, arguing that the tug's captain should have known a storm was coming.
  - The tug owner's defense: the only way to know was to have a radio on board, which was not common practice and was not required by any law.
  - The court (Judge Learned Hand) nonetheless agreed with the cargo owners: the tug owners should have had a radio on board even though none was required. The lack of a radio made the tug unseaworthy.
  - The lesson for security programs: the absence of a statute or an industry custom requiring a safeguard is not a defense when a reasonable precaution was available and was not taken.
* See http://www.bakerinfo.com/ecommerce/newlawis.pdf and http://www.bakerinfo.com/ecommerce/ISLEGAL.PDF
** From Tom Smedinghoff, Baker & McKenzie, RSA 2006 presentation LAW-104
Compliance Strategy**
- Identify the assets to be protected
- Conduct a risk assessment (see http://en.wikipedia.org/wiki/United_States_v._Carroll_Towing_Co.)
- Develop and implement a security program that:
  - is responsive to the risk assessment
  - is in writing
  - is reasonable, appropriate, suitable, necessary, and adequate
- Address third parties: contractors, customers, suppliers, business partners, and providers of outsourced services, through due diligence, contractual obligations, monitoring, and auditing
- Continually monitor, reassess, and adjust the program
** From Tom Smedinghoff, Baker & McKenzie, RSA 2006 presentation LAW-104
How do we handle all of these compliance requirements?
- There is considerable overlap (roughly 80%) among security- and privacy-related compliance requirements
- These and other requirements typically call for documented and implemented good processes: "Say what you do, do what you say"
- Follow the compliance strategy:
  - Identify the information assets to be protected
  - Follow a risk management process, for example NIST SP 800-30 (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)
Create a Defensible Position
- Following industry standards is a good start: it provides a defensible position against regulation and litigation
- Best practices are beneficial and defensible
- Recent revisions of standards include risk management:
  - COSO ERM (COSO plus risk management)
  - CobiT 4.0
  - ISO 17799:2005
Good Practice, Good Process
- Adopt current industry standards, but get ahead of the curve where possible
- Document and follow process
- Include risk management as a best practice
- Make sure processes are effective, efficient, and auditable
Integrated Compliance Framework
Three levels of frameworks, each operating at a different degree of detail and scope, together provide a set of controls and governance for IT regulatory compliance. Each level down provides more detail within a narrower scope.
- Level 1: COSO Enterprise Risk Management (ERM): organization-wide controls; endorsed by the SEC for Sarbanes-Oxley
- Level 2: CobiT® 4.x: IT-wide controls relating to COSO ERM (PO9 and DS5.2)
- Level 3: subject-matter-specific controls and best practices, e.g.:
  - ITIL Service Management (for AI6, DS9, DS10): IT service delivery
  - ISO 17799:2005 (for DS5): IT security
  - ISO 15288:2002 (for AI2, AI3, AI7): system development life cycle
  - PMI PMBOK (for PO10): project management
  - Six Sigma (for PO8): quality management
Compliance Standards Harmonization
- ITIL (Information Technology Infrastructure Library)
  - Republished in 2002 as British Standard 15000, IT Service Management: Part 1 is the specification for certification; Part 2 is the code of practice
  - Republished in 2005 as ISO 20000, Information Technology Service Management: Part 1 is the specification for certification; Part 2 is the code of practice
Compliance Standards Harmonization
- ISO 17799, originally British Standard 7799: Part 1 is the code of practice; Part 2 is the specification for certification
- Satisfies CobiT® DS5, Ensure Systems Security
- ISO 17799:2005 is the code of practice; required for BS 15000 Part 2 and ISO 20000 Part 2
- Part 2 of BS 7799 (the specification for certification) was republished as ISO 27001:2005; required for BS 15000 Part 1 and ISO 20000 Part 1
Compliance Standards Harmonization
- ISO 9001, Quality Management Systems - Requirements
  - ISO 27001 satisfies ISO 9001 for systems security
  - BS 15000 Part 1, ISO 20000 Part 1, and ISO 20000 Part 2 satisfy ISO 9001 for service management
- CobiT® 4.0 (2005): harmonized with ITIL, ISO 9001, ISO 17799, and CMM
- Six Sigma
  - ISO 27001, ISO 20000 Part 1, and ISO 20000 Part 2 use PDCA (the Deming cycle), a learning model used in Six Sigma and other quality programs
  - Provides tools for quality management systems
- Continuous improvement keeps us ahead of the curve and satisfies the monitoring and reassessment requirement of the legal compliance strategy
Level 1: COSO ERM
Committee of Sponsoring Organizations (COSO) of the Treadway Commission (http://www.coso.org/), "Enterprise Risk Management – Integrated Framework" (http://www.coso.org/Publications/ERM/COSO_ERM.ppt). Enterprise risk management is:
- A process, ongoing and flowing through an organization
- Effected by people at every level of an organization
- Applied across the enterprise, at every level and unit, including an entity-level portfolio view of risk
- Able to provide reasonable assurance to an entity's management and board of directors
COSO ERM Components
Eight interrelated COSO components, derived from the way management runs a business:
- Internal Environment – The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
- Event Identification – Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
- Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response – Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
- Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Level 2: CobiT® 4.x
Control Objectives for Information and related Technology (CobiT) (http://www.isaca.org/cobit.html) covers all controls within, or relevant to, the IT organization.
Level 2: CobiT® 4.x Plan and Organize (PO)
- PO1 Define a Strategic IT Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Processes, Organization and Relationships
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality (Six Sigma; standards process)
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects (PMBOK)
Level 2: CobiT® 4.x Acquire and Implement (AI)
- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software* (SDLC)
- AI3 Acquire and Maintain Technology Infrastructure* (SDLC)
- AI4 Enable Operation and Use*
- AI5 Procure IT Resources
- AI6 Manage Changes* (ITIL)
- AI7 Install and Accredit Solutions and Changes (SDLC)
* Priorities for Sarbanes-Oxley
Level 2: CobiT® 4.x Deliver and Support (DS)
- DS1 Define and Manage Service Levels*
- DS2 Manage Third-party Services*
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security* (ISO 17799:2005 / ISO 27001:2005)
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration* (ITIL)
- DS10 Manage Problems* (ITIL)
- DS11 Manage Data*
- DS12 Manage the Physical Environment
- DS13 Manage Operations*
* Priorities for Sarbanes-Oxley
Level 2: CobiT® 4.x Monitor and Evaluate (ME)
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Regulatory Compliance
- ME4 Provide IT Governance
Level 3: ITIL
ITIL (IT Infrastructure Library) is the most widely accepted approach to IT service management in the world (http://www.ogc.gov.uk/). It provides a cohesive set of well-defined best practices, drawn from the public and private sectors internationally, and is supported by a comprehensive qualification scheme, accredited training organizations, and implementation and assessment tools.
- Addresses and extends the CobiT level of the compliance framework: AI6 Manage Changes*, DS9 Manage the Configuration*, DS10 Manage Problems*
- AKA BS 15000, or ISO 20000
* Priorities for Sarbanes-Oxley
Level 3: ISO 17799
- Guidelines and certification for an IT security program
- "Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities."
- Addresses and extends the CobiT level of the compliance framework: DS5 Ensure Systems Security*
- Required for BS 15000 and ISO 20000 security
- AKA BS 7799, or ISO 27001
* Priority for Sarbanes-Oxley
Level 3: PMBOK
- Project Management Body of Knowledge from PMI (http://www.pmibookstore.org/PMIBookStore/productDetails.aspx?itemID=358&varID=1)
- Describes best practices for project management
- Addresses and extends the CobiT level of the compliance framework: PO10 Manage Projects
- IEEE 1490-2003, Adoption of PMI Standard: A Guide to the Project Management Body of Knowledge (http://webstore.ansi.org/ansidocstore/product.asp?sku=IEEE+Std+1490%2D2003)
Level 3: System Development Life Cycle
- ISO 15288:2002 is a compendium of standards and best practices for systems and software development life cycle methodologies (http://www.15288.com/)
- Addresses and extends the CobiT level of the compliance framework: AI2 Acquire and Maintain Application Software*, AI3 Acquire and Maintain Technology Infrastructure*, AI7 Install and Accredit Solutions and Changes
* Priorities for Sarbanes-Oxley
Level 3: Six Sigma
- Six Sigma is a disciplined, data-driven approach and methodology for eliminating defects and improving quality (http://www.isixsigma.com/sixsigma/six_sigma.asp)
- Addresses the CobiT level of the compliance framework: PO8 Manage Quality
Summary
The Compliance Framework consists of generally accepted industry standards and risk management practices at multiple levels, to meet the requirements for a security program in an effective, efficient, and auditable manner.