This document discusses compliance as a career path. It defines compliance as following rules, whether legal, regulatory, or standards-based. It outlines different compliance roles such as implementors and auditors: implementors ensure security is implemented across functions, while auditors identify weaknesses in security processes. Requirements for these roles include certifications from ISACA, (ISC)² and ISO. Experience in one's current organization and a clear understanding of the standards can help in getting into compliance roles.
1. Compliance
A Career View
M.S.Sripati
Background image :
www.freedigitalphotos.net
2. Agenda
● Who Am I
● What is Compliance
● Why Compliance
● Different Roles
● Role Requirements
● How to get in
3. Who Am I
● ISMS Implementer (HIPAA, ISO 27001)
● Web Application Security Student
● CISA
● 7 Years in Industry
● Different Roles
● Developer (PHP, Ruby)
● AISO
● ISMS Implementer
● http://www.sripati.info
4. What is Compliance
● The activity (and other associated activities) of following a rule
● Legal (HIPAA, IT Act of India, DPA of EU)
● Regulatory (PCI-DSS)
● Standards (ISO 27001)
● Perceptions
● A boring word
● Should not be in security
6. Why Compliance
● Business Requirements
● Overall security cannot be achieved by tools alone
● Company expectations on wearing many hats
7. Why Compliance
● Business Requirements
● Security - a client requirement in project
● Business understands that a structured approach is required to tackle security
● Need to assure client
– ISO 27001
– Internal Information Security Program (awareness / appsec / netsec)
– Regular internal / external audits / reviews
8. Why Compliance
● Overall security cannot be achieved by tools alone
● Physical Security
– Vendor related threats
– Unauthorized entry
● Application Security
– Coding mistakes (copy / paste code, followed by a legal fine)
● Network Security
– Unpatched network
– No testing before patching
● Internal Threats
– People stealing data
– Passing confidential information
● Human Factor
– Password sharing / re-use / writing on paper
– Unattended & unlocked desktops / laptops
– Installing pirated software
– Downloading pirated movies / ebooks
9. Why Compliance
● Company Expectations
● Business connect with Infosec
● Maintain communication among all stakeholders (Admin, IT, other departments, project teams, HR - trainings)
● Get things done (ensure security across all functions)
● Ensure that we stay compliant / no breach (incidents, disaster, be ready for anything etc.)
● Ensure that we clear any security audits
10. Some Roles in Compliance Domain
● Implementors
● Ensure that security is implemented across all functions
● Troubleshoot any process gaps
● Ensure that security processes are performing as they should
● Auditors
● Ensure that security process holes are identified
11. Role Requirements
● Implementors
– Understanding of the overall security system
– Understanding of how to get buy-in from authorities
– How technical pieces fit together
– How to identify issues
– What to tackle first (prioritize)
● Auditors
– Process understanding
– How to identify weaknesses
● Certifications
– ISACA: CISA, CISM, CRISC
– (ISC)²: CISSP, CSSLP
– ISO: ISO 27001 LI, ISO 27001 LA
12. How to get in
● Implementors
● Ask in current organization for any compliance related work
– Learn
– Evolve (ensure business connect with IS)
● Auditors
● Read ISO 27001 / 27002
– Google ISO 27001 blogs / google group
● Study audit reports vis-a-vis the standard (ask your superiors for a copy, if it is being done)
● Look at your organization from 27001 point of view, note findings
● Show the findings to your superiors, ask for feedback
● Clear CISA and start applying (if your company does not do it)
● Your technical knowledge + Compliance = Deadly Impact!