ISSA | The Global Voice of Information Security | ISSA Journal | April 2007

Building a Comprehensive Security Control Framework
By Lori Crooks and Aurobindo Sundaram

Developing a comprehensive security control framework involving information security, privacy, physical security, and customer credentialing.

Over the last several years, information security has progressed from being ad-hoc, to project-based, and then to program-based. The next evolution for information security is in process-based or control-based frameworks. These frameworks treat information security as a business process, and involve the integration of best practice codes of practice (e.g., ISO 17799:2005), regulatory requirements (e.g., GLBA requirements, HIPAA requirements), policy, and compliance.

For 6 months in 2006, we developed a comprehensive security control framework involving information security, privacy, physical security, and customer credentialing.1 The following sections describe our process, particularly in unifying the framework, the expected benefits of a framework for an organization, and tools and procedures that can aid readers in their efforts to develop their own frameworks.

1 Customer credentialing is our term for validating a customer's information and bona fide business credentials before allowing them access to sensitive information.

The Problem

Most companies are subject to meeting the requirements of different regulations. For instance, our Insurance Data Services business is regulated under the Federal Fair Credit Reporting Act (FCRA). We also perform annual Sarbanes-Oxley (SOX) 404 audits to fulfill SEC requirements. Our customers audit us using their own standards, sometimes based on international standards, such as ISO 17799. Our credit card processing applications are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). And finally, we have requirements from several of our partners to complete annual SAS70 Type II audits.

Our Information Security Policy was based on ISO 17799, but it was specific to IT security, and only loosely integrated with several of our other programs, such as hiring and termination practices and physical security. In addition, we were finding that on every audit or assessment that was performed on us, we were duplicating effort, performing redundant testing, and not re-using results from prior audits. For efficiency and structure, there was a need to converge our different security standards into a unified security control framework (the framework).

The Methodology

We examined different ways to create our framework. They are summarized below.

1. Create a custom framework

This would have involved our researching all of our controls, ensuring that they were substantially complete and broad enough as an information security framework (by comparing them against ISO, for example), and then crafting a set of control objectives2 and associated control activities3 that would be the meat of the framework.

2 The objectives of management that are used as the framework for developing and implementing controls.
3 An automated or manual process that is periodically performed to meet a control objective.

Once we thought more about this, although it sometimes makes sense to create a custom framework, in this case we would have had to weigh its advantages against (a) having to explain to all our external auditors how the framework met their requirements; and (b) having to continuously research and update the custom framework when standards and regulations change.

2. Use multiple frameworks, overlapping as necessary

This option was the easiest solution, essentially preserving the status quo, while searching for commonalities in control objectives. The point of this method would have been to spend the bulk of our time making the controls consistent across the different frameworks, while leaving each of the frameworks themselves unmodified.

The disadvantage of this method is that tracking and managing multiple frameworks still involves significant overhead. In addition, every time a new framework (regulatory or otherwise) impacts the company, this process would have to be completed again. Although we could hope to identify operational synergies with this option, we were unsure if they would be significant, compared to the other options.

3. Create a single framework with appropriate mappings to other frameworks

With this option, we would have to pick one framework as the base framework, and then ensure that we created mappings where necessary to all the regulatory and customer standards we had to comply with. If the framework was complete, every time a new regulation was introduced, we would simply have to redo the mapping process, since the controls themselves would already exist. In rare cases, however, additional controls would have to be added to extend the framework.

The disadvantage of this method is that we were essentially starting from scratch. All of our existing controls would have to be mapped to the base framework, and we would have to develop entirely new controls to meet the control objectives of the base framework. In addition, there would inevitably be control objectives in the base framework which, even though we did not believe they were applicable, would still have to be implemented or addressed in some way. And finally, we would have to start the process of mapping all of our existing methodologies and controls for SOX, SAS70, etc., to the new framework.

In the end, we decided to select Option 3 for the following reasons:
   • Our information security policy was already based on ISO 17799, and many of our technical security programs (e.g., vulnerability management, virus protection, application security, patch management) already mapped to elements of the corresponding ISO best practices.
   • The ISO standard, although specific to information security, is widely accepted worldwide. Emerging standards, such as the BITS FISAP,4 are based on ISO 17799.
   • Using a single framework gave us a starting point and a goal. We could then focus on mapping and migrating controls from other audit requirements into the framework. The end goal was to reduce audit time, combine testing, and unify all of our controls.
   • Option 1 would have resulted in our diverging from industry and international standards. We felt that had we done this, we would have spent significant additional time convincing our partners and auditors of the completeness and breadth of our framework.
   • Option 2 would have involved leaving the existing systems in place, while trying to exploit some synergies of operations. To us, this felt more like a stopgap solution, as the original problem would not have been fixed. Although this was workable, we felt it better to build a clean, unified framework for the future, despite the inevitable growing pains and integration issues along the way.

Diagram 1 shows the different sections of ISO 17799:2005 and our mappings to different regulatory frameworks. In particular, our Resources section points the reader to step-by-step guides to regulatory compliance planning. Our paper, though, focuses on a security control framework for managing business operations, including regulatory compliance.5

4 Financial Institution Shared Assessment Program
5 With a SAS70 Type II audit the mapping may be expanded or reduced.

Diagram 1 – Control Framework Mapping and Normalization Example

| Control Framework                               | ISO 17799 | SAS70 | GLBA | AICPA | FACT ACT |
| 5.0 – Policies and Procedures                   | x         | x     |      | x     | x        |
| 6.0 – Organizing Security and Privacy           | x         |       |      | x     | x        |
| 7.0 – Asset Management                          | x         |       | x    | x     | x        |
| 8.0 – Human Resource Security                   | x         | x     |      | x     | x        |
| 9.0 – Physical and Environmental Security       | x         | x     |      |       |          |
| 10.0 – Communications and Operating Management  | x         | x     | x    | x     | x        |
| 11.0 – Access Control                           | x         | x     | x    | x     | x        |
| 12.0 – Application Development                  | x         | x     |      | x     | x        |
| 13.0 – Information Security Incident Management | x         | x     |      | x     | x        |
| 15.0 – Compliance                               | x         |       |      |       |          |
| 16.0 – Customer Credentialing                   |           |       |      |       |          |

The framework

As we started populating the framework, we realized that the ISO standard is heavily slanted towards security.
   • Physical security controls mapped easily into Section 9 - Physical Security
   • The corporate governance model for security and privacy mapped into Section 5 - Policies and Procedures
   • Privacy controls mapped into Sections 11 - Access Control and 15 - Compliance

However, our controls for customer credentialing were not adequately covered in the ISO standard (some controls were covered in Section 6 - Organizing Information Security). Therefore, we extended our base framework to add an additional section on Customer Credentialing.

Tip: It is important that organizations not try to keep a framework rigid and inflexible. There are occasions where a framework must be extended, and as long as it is done with discipline, the organization can reap the advantages of such an extension.

Challenges

As with every project, challenges were encountered. For this project, challenges included determining the correct framework to use, identifying controls outside of information security, ensuring completeness of the framework, and classifying key controls. Each of these challenges is discussed below.

As previously mentioned, deciding on the methodology was challenging. After we decided on Option 3, we considered several frameworks, e.g., COBIT and ISO 17799, for our base control framework. The frameworks were assessed to see which one fit the company and its various divisions best. Our company is unique because we have many corporate-wide controls, but we also have several business units that have their own set of controls. A few of the business units had defined controls because they had gone through a SAS70 Type II audit; however, those controls did not tie to a specific control framework – they were ad-hoc. After reviewing the different frameworks, we decided that the ISO 17799:2005 code of practice fit our company – both company-wide and business unit specific. Since our security policy is aligned to the ISO standard, it made defining those controls simpler.

One issue we identified after our selection of the standard framework was to decide how to address the sections that did not fall under ISO 17799. We decided to enhance the framework and add additional sections as appropriate. Since privacy is key to our business, we added elements of privacy in our controls, based on the AICPA Generally Accepted Privacy Principles (GAPP). We also added a section on customer credentialing because we have controls for validating our customers and their use of data that we provide. Since there is no standard for credentialing, we built it based on our own controls.

The ISO 17799 framework has sections that cover human resources, physical security, environmental security, change control, and other areas that are not strictly related to information security. Since each of these sections falls outside our experience in information security, we had to coordinate with and interview individuals who were knowledgeable in these other areas. We spent significant resources performing walk-throughs of processes, and defining appropriate control activities that could be tied back into our framework.

As mentioned previously, we identified which controls were corporate-wide and which ones were business unit specific. This took time, to ensure that there were appropriate controls for each of the business units. Unfortunately, maintaining controls specific to each business unit is complicated, time consuming, and leads to inconsistency in implementations. It is far more efficient to drive control activities from a corporate perspective (for instance, policies, procedures and standards should be created and enforced at a corporate level, unless there are aspects that are so business-unit specific as to merit an exception). As part of our continued evolution in information security, we are rationalizing these business unit controls to make them enterprise controls – for instance, although different application development groups use different project management methods, all of them are required to abide by secure application development standards developed at the corporate level. This consolidation and centralization will reduce the number of controls to test, focus accountability on corporate compliance, and provide consistency for customers and auditors.

Once all the controls were identified and placed in the framework, it was important to go back through and compare to ISO 17799 to determine whether there was at least one control for each control objective in the standard. Gaps were identified during our completeness check, so we had to find an effective control to fill each gap.

Another challenge was identifying the key controls. We wanted to ensure that our auditors were being efficient and only looking at the key controls. But since we had defined many controls, trying to determine key controls was a challenge. We analyzed the risk of the absence of a particular control to judge whether or not it was a key control.

Benefits

There are many benefits to a unified control framework. This framework will be used for the whole company. Instead of having different controls or control sets for internal audit, compliance, and security, there will be one unified framework. During Sarbanes-Oxley testing, internal audit will be able to use this framework, as will the security team for their assessments. The completeness of this framework means that our external auditors will be able to use our framework for their testing, for SOX, SAS70, and other compliance testing. Finally, our customers will appreciate the rigor and structure of a framework based on an internationally accepted standard.

We are currently completing the implementation of a compliance management tool for the framework. This will assist us in maintaining compliance information centrally. Since we know certain controls occur on a periodic basis, we can place those documents within the management tool. Auditors can directly access the management tool in read-only mode to assist with their testing. This saves time for the auditors and for the company, because the auditors do not have to set up time with the employee to gather the documents.

Since the control framework is so broad, it affects every individual. This benefits the company because individuals will be expected to be control conscious and to learn how to ensure their controls are working effectively. In fact, all our employees undergo mandatory information security and privacy training annually. This awareness helps us push accountability onto every employee of the company.

Lessons learned

As we went through the framework definition process, we learned many lessons: external expertise is useful, at least in the beginning; resources with audit backgrounds are helpful, especially in defining controls from processes; you will invariably need to make multiple review and modification passes over the framework; and you should plan on the effort taking longer than you estimate.

Although they can be expensive, using consultants to assist in the control definition process is useful. In particular, they assisted with ensuring that the framework and our controls were complete, while identifying where our control gaps were. We do not recommend that the reader use consultants in the control definition phase – this is best performed in-house using resources such as the internal audit and compliance teams.

Internal resources with auditing backgrounds are valuable because their experience and knowledge is useful during the control definition process. It is particularly valuable when reviewing control processes with business operations and translating them into control activities that would meet an external auditor's requirements.

Our framework went through many revisions and took more time to develop than we initially planned. This is especially true when there are many gaps in the framework, because those take longer to identify and define controls for. It took a lot of time to sit with various individuals and understand their processes. Some processes are more complicated than others and took multiple meetings. Once the process was understood, we had to pull controls from it and then go back to the control owner to ensure we had documented it correctly.

This framework is not a one-time development; it will be an ongoing process that will involve updates and maintenance. We will have to periodically review it to ensure that all controls are still relevant and check to see if new controls have been put in place. However, we believe that the up-front effort we have expended will serve us well in the long run.

Resources

Creating a Systemized Approach to Regulatory Compliance at Microsoft - http://www.microsoft.com/technet/itshowcase/content/regcompliance.mspx
BITS Financial Services Roundtable - http://www.bitsinfo.org/about.html
Regulatory Compliance Planning Guide (Mapping Regulations to High Level Control Objectives) – http://www.microsoft.com/technet/security/guidance/complianceandpolicies/compliance/rcguide/1-02-00.mspx?mfr=true
Regulatory Compliance Planning Guide Front Page – http://www.microsoft.com/technet/security/guidance/complianceandpolicies/compliance/rcguide/1-02-00.mspx?mfr=true

About the Authors

Lori Crooks is a Security Compliance Analyst at ChoicePoint, Inc. in Alpharetta, GA. Lori has 6 years experience in auditing and security. She is a CISA and co-creator of ChoicePoint's Security Control Framework. She can be reached at lori.crooks@choicepoint.com

Aurobindo Sundaram is the Vice President of Information Security at ChoicePoint, Inc. in Alpharetta, GA. He has worked in the information security industry for more than 10 years, and is responsible for articulating the vision and supervising the implementation of ChoicePoint's Security Control Framework. He can be reached at aurobindo.sundaram@choicepoint.com
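The Option 3 workflow the article describes (a base framework keyed to ISO 17799 sections, extended with 16.0 Customer Credentialing, mapped to the audit standards of Diagram 1, checked for at least one control per objective, re-mapped when a new regulation arrives, and narrowed to key controls by the risk of a control's absence), carried into code as an added example that is not from the article or from ChoicePoint. Section names follow Diagram 1; the control objectives, control ids, regulatory mappings, scopes, risk scores and the "NEW-REG" requirement ids are constructed sample data.

```python
"""Control-framework mapping, completeness check and key-control selection.

Added example; not the authors' framework. Section names follow the article's
Diagram 1, everything else here is constructed sample data.
"""
from dataclasses import dataclass

# Base framework: section -> control objectives (constructed sample objectives).
FRAMEWORK = {
    "5.0 Policies and Procedures": ["5.1 Security policy approved and published"],
    "8.0 Human Resource Security": ["8.1 Background screening", "8.2 Termination of access"],
    "11.0 Access Control": ["11.1 User registration", "11.2 Privileged access review"],
    "15.0 Compliance": ["15.1 Identification of applicable legislation"],
}

# Audit standards / regulations that appear as columns in Diagram 1.
REGULATIONS = ("SAS70", "GLBA", "AICPA", "FACT ACT")


@dataclass
class Control:
    """A control activity: a periodic process that meets one control objective."""
    cid: str
    objective: str            # must be an objective of some framework section
    maps_to: set              # standards this control's evidence can be reused for
    risk_if_absent: int       # 1 (low) .. 5 (high); drives key-control selection
    scope: str = "corporate"  # "corporate" or the name of a business unit


CONTROLS = [  # constructed sample controls
    Control("C-01", "5.1 Security policy approved and published", {"SAS70", "AICPA", "FACT ACT"}, 4),
    Control("C-02", "8.1 Background screening", {"SAS70", "FACT ACT"}, 5),
    Control("C-03", "11.1 User registration", {"SAS70", "GLBA", "AICPA", "FACT ACT"}, 5),
    Control("C-04", "11.2 Privileged access review", {"SAS70", "GLBA"}, 3, scope="Insurance Data Services"),
]


def extend_framework(framework, section, objectives):
    """Extend the base framework with a new section (the article's 16.0),
    without mutating the original so the base remains auditable."""
    if section in framework:
        raise ValueError(f"section already exists: {section}")
    return {**framework, section: list(objectives)}


def section_of(framework, objective):
    """Return the section that owns an objective; unknown objectives are errors."""
    for section, objectives in framework.items():
        if objective in objectives:
            return section
    raise KeyError(f"objective not in framework: {objective}")


def mapping_matrix(framework, controls):
    """Diagram 1 style: which standards each section's controls map to.
    The ISO column is implicit: base sections are ISO sections by construction."""
    matrix = {section: set() for section in framework}
    for c in controls:
        matrix[section_of(framework, c.objective)] |= c.maps_to & set(REGULATIONS)
    return matrix


def completeness_gaps(framework, controls):
    """Completeness check: every control objective needs at least one control."""
    covered = {c.objective for c in controls}
    return [obj for objs in framework.values() for obj in objs if obj not in covered]


def key_controls(controls, threshold=4):
    """Key controls: those whose absence carries the highest risk."""
    return sorted(c.cid for c in controls if c.risk_if_absent >= threshold)


def new_regulation_impact(framework, controls, requirement_to_objective):
    """Re-map for a new regulation: requirements whose objective already has a
    control only need the mapping updated; the rest need new controls."""
    covered = {c.objective for c in controls}
    reuse, new = {}, {}
    for req, obj in requirement_to_objective.items():
        section_of(framework, obj)  # raises KeyError if the objective is unknown
        (reuse if obj in covered else new)[req] = obj
    return reuse, new


def business_unit_controls(controls):
    """Controls still scoped to one business unit: candidates for consolidation."""
    return sorted(c.cid for c in controls if c.scope != "corporate")


if __name__ == "__main__":
    fw = extend_framework(FRAMEWORK, "16.0 Customer Credentialing",
                          ["16.1 Validate customer business credentials"])
    for section, regs in mapping_matrix(fw, CONTROLS).items():
        print(f"{section:40} {' '.join(sorted(regs)) or '-'}")
    print("gaps:", completeness_gaps(fw, CONTROLS))
    print("key controls:", key_controls(CONTROLS))
    print("business-unit controls:", business_unit_controls(CONTROLS))
    print("new regulation:", new_regulation_impact(fw, CONTROLS, {
        "NEW-REG-1": "11.2 Privileged access review",          # hypothetical requirement ids
        "NEW-REG-2": "15.1 Identification of applicable legislation"}))
```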

Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresIJRES Journal
 
Framework for information systems adaptation to security policies PCI DSS, SO...
Framework for information systems adaptation to security policies PCI DSS, SO...Framework for information systems adaptation to security policies PCI DSS, SO...
Framework for information systems adaptation to security policies PCI DSS, SO...Jesús Vázquez González
 
Security Authorization: An Approach for Community Cloud Computing Environments
Security Authorization: An Approach for Community Cloud Computing EnvironmentsSecurity Authorization: An Approach for Community Cloud Computing Environments
Security Authorization: An Approach for Community Cloud Computing EnvironmentsBooz Allen Hamilton
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsYusuf Hadiwinata Sutandar
 
Security for v mware
Security for v mwareSecurity for v mware
Security for v mwareReadWrite
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityTripwire
 
Agiliance Whitepaper - Six Key Steps
Agiliance Whitepaper - Six Key StepsAgiliance Whitepaper - Six Key Steps
Agiliance Whitepaper - Six Key Stepsagiliancecommunity
 
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners”  White...SAFECode’s latest “Software Security Guidance for Agile Practitioners”  White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...EMC
 
Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Symantec
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Amazon Web Services
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 
Auditing Check Point Firewalls
Auditing Check Point FirewallsAuditing Check Point Firewalls
Auditing Check Point FirewallsBen Rothke
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijensgeekmodeboy
 

Similaire à 2007 issa journal-building a comprehensive security control framework (20)

Practical Federal Compliance Strategies and Examples
Practical Federal Compliance Strategies and ExamplesPractical Federal Compliance Strategies and Examples
Practical Federal Compliance Strategies and Examples
 
zSecurity_L9_Standards and Policies.ppt
zSecurity_L9_Standards and Policies.pptzSecurity_L9_Standards and Policies.ppt
zSecurity_L9_Standards and Policies.ppt
 
Enforcing Corporate Security Policies via Computational Intelligence Techniques
Enforcing Corporate Security Policies via Computational Intelligence TechniquesEnforcing Corporate Security Policies via Computational Intelligence Techniques
Enforcing Corporate Security Policies via Computational Intelligence Techniques
 
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresGeneric Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
 
Framework for information systems adaptation to security policies PCI DSS, SO...
Framework for information systems adaptation to security policies PCI DSS, SO...Framework for information systems adaptation to security policies PCI DSS, SO...
Framework for information systems adaptation to security policies PCI DSS, SO...
 
Security Authorization: An Approach for Community Cloud Computing Environments
Security Authorization: An Approach for Community Cloud Computing EnvironmentsSecurity Authorization: An Approach for Community Cloud Computing Environments
Security Authorization: An Approach for Community Cloud Computing Environments
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
 
Security for v mware
Security for v mwareSecurity for v mware
Security for v mware
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Steps
 
Agiliance Whitepaper - Six Key Steps
Agiliance Whitepaper - Six Key StepsAgiliance Whitepaper - Six Key Steps
Agiliance Whitepaper - Six Key Steps
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
 
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners”  White...SAFECode’s latest “Software Security Guidance for Agile Practitioners”  White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
 
Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 -  Security Architecture Ver1 0TOGAF 9 -  Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
Auditing Check Point Firewalls
Auditing Check Point FirewallsAuditing Check Point Firewalls
Auditing Check Point Firewalls
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijens
 

Dernier

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Dernier (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

2007 issa journal-building a comprehensive security control framework

ISSA – The Global Voice of Information Security | ISSA Journal | April 2007

Building a Comprehensive Security Control Framework
By Lori Crooks and Aurobindo Sundaram

Developing a comprehensive security control framework involving information security, privacy, physical security, and customer credentialing.

Over the last several years, information security has progressed from being ad-hoc, to project-based, and then to program-based. The next evolution for information security is in process-based or control-based frameworks. These frameworks treat information security as a business process, and involve the integration of best practice codes of practice (e.g., ISO 17799:2005), regulatory requirements (e.g., GLBA requirements, HIPAA requirements), policy, and compliance.

For 6 months in 2006, we developed a comprehensive security control framework involving information security, privacy, physical security, and customer credentialing.[1] The following sections will describe our process, particularly in unifying the framework, the expected benefits of a framework for an organization, and tools and procedures that can aid readers in their efforts to develop their own frameworks.

The Problem

Most companies are subject to meeting the requirements of different regulations. For instance, our Insurance Data Services business is regulated under the Federal Fair Credit Reporting Act (FCRA). We also perform annual Sarbanes-Oxley (SOX) 404 audits to fulfill SEC requirements. Our customers audit us using their own standards, sometimes based on international standards, such as ISO 17799. Our credit card processing applications are required to be compliant with the Payment Card Industry Data Security Standards (PCI DSS). And finally, we have requirements from several of our partners to complete annual SAS70 Type II audits.

Our Information Security Policy was based on ISO 17799, but it was specific to IT Security, and only loosely integrated with several of our other programs, such as hiring and termination practices and physical security. In addition, we were finding that on every audit or assessment that was performed on us, we were duplicating effort, performing redundant testing, and not re-using results from prior audits. For efficiency and structure, there was a need to converge our different security standards into a unified security control framework (the framework).

The Methodology

We examined different ways to create our framework. They are summarized below.

1. Create a custom framework

This would have involved our researching all of our controls, ensuring that they were substantially complete and broad enough as an information security framework (by comparing them against ISO, for example), and then crafting a set of control objectives[2] and associated control activities[3] that would be the meat of the framework.

Once we thought more about this, although it sometimes made sense to create a custom framework, in this case we would have had to weigh its advantages against (a) having to explain to all our external auditors how the framework met their requirements; and (b) having to continuously research and update the custom framework when standards and regulations change.

2. Use multiple frameworks, overlapping as necessary

This option was the easiest solution, essentially preserving the status quo while searching for commonalities in control objectives. The point of this method would have been to spend the bulk of our time in making the controls consistent across the different frameworks, while leaving each of the frameworks themselves unmodified.

The disadvantage of this method is that tracking and managing multiple frameworks still involves significant overhead. In addition, every time a new framework (regulatory or otherwise) impacts the company, this process would have to be completed again. Although we could hope to identify operational synergies with this option, we were unsure if they would be significant, compared to the other options.

[1] Customer credentialing is our term for validating a customer's information and bona fide business credentials before allowing them access to sensitive information.
[2] The objectives of management that are used as the framework for developing and implementing controls.
[3] An automated or manual process that is periodically performed to meet a control objective.
3. Create a single framework with appropriate mappings to other frameworks

With this option, we would have to pick one framework as the base framework, and then ensure that we created mappings where necessary to all the regulatory and customer standards we had to comply with. If the framework was complete, every time a new regulation was introduced we would simply have to redo the mapping process, since the controls themselves would already exist. In rare cases, however, additional controls would have to be added to extend the framework.

The disadvantage of this method is that we were essentially starting from scratch. All of our existing controls would have to be mapped to the base framework, and we would have to develop entirely new controls to meet the control objectives of the base framework. In addition, there would inevitably be control objectives in the base framework which, even though we did not believe they were applicable, would still have to be implemented or addressed in some way. And finally, we would have to start the process of mapping all of our existing methodologies and controls for SOX, SAS70, etc., to the new framework.

In the end, we decided to select Option 3 for the following reasons:

• Our information security policy was already based on ISO 17799, and many of our technical security programs (e.g., vulnerability management, virus protection, application security, patch management) already mapped to elements of the corresponding ISO best practices.
• The ISO standard, although specific to information security, is widely accepted worldwide. Emerging standards, such as the BITS FISAP,[4] are based on ISO 17799.
• Using a single framework gave us a starting point and a goal. We could then focus on mapping and migrating controls from other audit requirements into the framework. The end goal was to reduce audit time, combine testing, and unify all of our controls.
• Option 1 would have resulted in our diverging from industry and international standards. We felt that had we done this, we would have spent significant additional time convincing our partners and auditors of the completeness and breadth of our framework.
• Option 2 would have involved leaving the existing systems in place, while trying to exploit some synergies of operations. To us, this felt more like a stop-gap solution, as the original problem would not have been fixed. Although this was workable, we felt it better to build a clean, unified framework for the future, despite the inevitable growing pains and integration issues along the way.

Diagram 1 shows the different sections of ISO 17799:2005 and our mappings to different regulatory frameworks. In particular, our resources section points the reader to step-by-step guides to regulatory compliance planning. Our paper, though, focuses on a security control framework for managing business operations, including regulatory compliance.[5]

Diagram 1 – Control Framework Mapping and Normalization Example
Columns: GLBA, ISO-17799, SAS 70, AICPA, FACT ACT (each x marks a mapping to one of these frameworks)
5.0 – Policies and Procedures: x x x x
6.0 – Organizing Security and Privacy: x x x
7.0 – Asset Management: x x x x
8.0 – Human Resource Security: x x x x
9.0 – Physical and Environmental Security: x x
10.0 – Communications and Operating Management: x x x x x
11.0 – Access Control: x x x x x
12.0 – Application Development: x x x x
13.0 – Information Security Incident Management: x x x x
15.0 – Compliance: x
16.0 – Customer Credentialing

The framework

As we started populating the framework, we realized that the ISO standard is heavily slanted towards security.

• Physical security controls mapped easily into Section 9 – Physical Security
• Corporate governance model for security and privacy mapped into Section 5 – Policies and Procedures
• Privacy controls mapped into Sections 11 – Access Control and 15 – Compliance

However, our controls for customer credentialing were not adequately covered in the ISO standard (some controls were covered in Section 6 – Organizing Information Security). Therefore, we extended our base framework to add an additional section on Customer Credentialing.

Tip: It is important that organizations not try to keep a framework rigid and inflexible. There are occasions where a framework must be extended, and as long as it is done with discipline, the organization can reap the advantages of such an extension.

Challenges

As with every project, challenges were encountered. For this project, challenges included determining the correct framework to use, identifying controls outside of information security, ensuring completeness of the framework, and classifying key controls. Each of these challenges is discussed below.

As previously mentioned, deciding on the methodology was challenging. After we decided on Option 3, we considered several frameworks, e.g., COBIT, ISO 17799, for our base control framework.

[4] Financial Institution Shared Assessment Program
[5] With a SAS70 Type II audit the mapping may be expanded or reduced.
The frameworks were assessed to see which one fit the company and its various divisions best. Our company is unique because we have many corporate-wide controls, but also several business units that have their own set of controls. A few of the business units had defined controls because they had gone through a SAS70 Type II audit; however, those controls did not tie to a specific control framework – they were ad-hoc. After reviewing the different frameworks, we decided that the ISO 17799:2005 code of practice fit our company – both company-wide and business unit specific. Since our security policy is aligned to the ISO, it made defining those controls simpler.

One issue we identified after our selection of the standard framework was to decide how to address the sections that did not fall under ISO 17799. We decided to enhance the framework and add additional sections as appropriate. Since privacy is key to our business, we added elements of privacy in our controls, based on AICPA Generally Accepted Privacy Principles (GAPP). We also added a section on customer credentialing because we have controls for validating our customers and their use of data that we provide. Since there is no standard for credentialing, we built it based on our own controls.

The ISO 17799 framework has sections that cover human resources, physical security, environmental security, change control, and other areas that are not strictly related to information security. Since each of these sections falls outside our experience in information security, we had to coordinate and interview individuals who were knowledgeable in these other areas. We spent significant resources performing walk-throughs of processes, and defining appropriate control activities that could be tied back into our framework.

As mentioned previously, we identified which controls were corporate-wide and which ones were business unit specific. This took time to ensure that there were appropriate controls for each of the business units. Unfortunately, maintaining controls specific to each business unit is complicated, time consuming, and leads to inconsistency in implementations. It is far more efficient to drive control activities from a corporate perspective (for instance, policies, procedures and standards should be created and enforced at a corporate level, unless there are aspects that are so business-unit specific as to merit an exception). As part of our continued evolution in information security, we are rationalizing these business unit controls to make them enterprise controls – for instance, although different application development groups use different project management methods, all of them are required to abide by secure application development standards developed at the corporate level. This consolidation and centralization will reduce the number of controls to test, focus accountability on corporate compliance, and provide consistency for customers and auditors.

Once all the controls were identified and placed in the framework, it was important to go back through and compare to ISO 17799 to determine whether there was at least one control for each control objective in the standard. Gaps were identified during our completeness check, so we had to find an effective control to fit each gap.

Another challenge was identifying the key controls. We wanted to ensure that our auditors were being efficient and only looking at the key controls. But since we had defined many controls, trying to determine key controls was a challenge. We analyzed the risk of the absence of a particular control to judge whether or not it was a key control.

Benefits

There are many benefits to a unified control framework. This framework will be used for the whole company. Instead of having different controls or control sets for internal audit, compliance, and security, there will be one unified framework. During Sarbanes-Oxley testing, internal audit will be able to use this framework, as will the security team for their assessments. The completeness of this framework means that our external auditors will be able to use our framework for their testing, for SOX, SAS70, and other compliance testing. Finally, our customers will appreciate the rigor and structure of a framework based on an internationally accepted standard.

We are currently completing the implementation of a compliance management tool for the framework. This will assist us in maintaining compliance information centrally. Since we know certain controls occur on a periodic basis, we can place those documents within the management tool. Auditors can directly access the management tool in read-only mode to assist with their testing. This saves time for the auditors and for the company, because the auditors do not have to set up time with the employee to gather the documents.

Since the control framework is so broad, it affects every individual. This benefits the company because individuals will be expected to be control conscious and to learn how to ensure their controls are working effectively. In fact, all our employees undergo mandatory information security and privacy training annually. This awareness helps us push accountability onto every employee of the company.

Lessons learned

As we went through the framework definition process, we learned many lessons: external expertise is useful, at least in the beginning; resources with audit backgrounds are helpful, especially in defining controls from processes; you will invariably need to make multiple review and modification passes over the framework; and you should plan on the effort taking longer than you estimate.

Although they can be expensive, using consultants to assist in the control definition process is useful. In particular, they assisted with ensuring that the framework and our controls were complete, while identifying where our control gaps were. We do not recommend that the reader use consultants in the control definition phase – this is best performed in-house using resources such as the internal audit and compliance teams.

Internal resources with auditing backgrounds are valuable because their experience and knowledge are useful during the control definition process. They are particularly valuable when reviewing control processes with business operations and translating them into control activities that would meet an external auditor's requirements.

Our framework went through many revisions and took more time to develop than we initially planned. This is especially true when there are many gaps in the framework, because those take longer
  • 4. Building a Comprehensive Security Control Framework | Lori Crooks and Aurobindo Sundaram ISSA Journal | April 2007 to identify and define controls for. It took a lot of time to sit with Regulatory Compliance Planning Guide (Mapping Regulations to various individuals and understand their processes. Some processes High Level Control Objectives) – http://www.microsoft.com/tech- are more complicated than others and took multiple meetings. Once net/security/guidance/complianceandpolicies/compliance/rcguide/1- the process was understood, we had to pull controls from that and 02-00.mspx?mfr=true then go back to the control owner to ensure we had documented it Regulatory Compliance Planning Guide Front Page – http://www. correctly. microsoft.com/technet/security/guidance/complianceandpolicies/ This framework is not a one-time development; it will be an ongo- compliance/rcguide/1-02-00.mspx?mfr=true ing process that will involve updates and maintenance. We’ll have to periodically review to ensure that all controls are still relevant and About the Authors check to see if new controls have been put in place. However, we believe that the up-front effort we have expended will serve us well Lori Crooks is a Security Compliance Analyst at ChoicePoint, Inc in Al- in the long run. pharetta, GA. Lori has 6 years experience in auditing and security. She is a CISA and co-creater of ChoicePoint’s Security Control Framework. She can be reached at lori.crooks@choicepoint.com Resources Aurobindo Sundaram is the Vice President of Information Security at Creating a Systemized Approach to Regulatory Compliance at Mi- ChoicePoint, Inc. in Alpharetta, GA. 
He has worked in the information crosoft - http://www.microsoft.com/technet/itshowcase/content/reg- security industry for more than 10 years, and is responsible for articulat- compliance.mspx ing the vision and supervising the implementation of ChoicePoint’s Secu- BITS Financial Services Roundtable - http://www.bitsinfo.org/ rity Control Framework. He can be reached at aurobindo.sundaram@ about.html choicepoint.com 30