1. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Developing an Evidence Driven
Information Security Compliance
Strategy
Patrick Garrett, J.D., CISSP
Account Information Security Officer
DXC Technology
November 10, 2017
Bio and Disclaimer:
• Account Information Security Officer @ DXC Technology
• Responsible for end to end delivery of security
services and overall compliance of assigned accounts.
• Former attorney and Infosec and compliance
consultant.
Disclaimer: The content, statements, and opinions given
in this presentation are mine alone and not that of my
employer. I am not speaking on behalf of DXC
Technology. This is not legal advice and should not be
relied on as such.
Let's build a compliance program!
Why is a compliance program needed?
• Orderly delivery of services or products.
• Avoid civil and criminal liability.
• Meet regulatory requirements.
• Quality control - deliver consistent results.
• Identify and reduce risk.
An effective compliance program
Federal Sentencing Guidelines for Organizations, §8B2.1(a):
To have an effective compliance and ethics program . . . an
organization shall—
(1) exercise due diligence to prevent and detect criminal
conduct; and
(2) otherwise promote an organizational culture that
encourages ethical conduct and a commitment to
compliance with the law.
Is your compliance program effective?
Key considerations when building or
assessing a compliance program
• Following best practices?
• Are the right stakeholders engaged?
• Can you demonstrate due diligence in
implementing it?
• Are the components interchangeable and
functioning?
• Is it designed to be reasonably effective?
• Can it withstand third party testing and
replication?
What is an evidence driven strategy?
• A practical roadmap for building a compliance program that is:
  • Flexible
  • Effective
  • Security framework agnostic
• Framework based on established best practices.
• Designed using a proven methodology.
What is an evidence driven strategy?
• Builds in the evidence you need to prove
due diligence and effectiveness.
• Components are interchangeable and do
not affect the others.
• Does not make your organization secure
but helps you get there.
Now... ready for the exciting stuff?
Review of Best Practices
• Consistent enforcement and response to violations.
• Cultivate an atmosphere that encourages compliance.
• Ongoing tracking and evaluation of the program's effectiveness.
• Meaningful communication and education vertically across the organization.
• Top down oversight and executive level accountability and independence.
• Implement reasonable measures to enforce standards and policies.
Compliance Framework
1. Oversight and Reporting: high level accountability and ongoing evaluation of the program's effectiveness.
2. Standards and Policies: establish the baseline of conduct the organization is expected to adhere to.
3. Promotion and Training: communicate the standards and procedures and ensure they are understood at all levels.
4. Enforcement and Auditing: implement controls to enforce the baseline and audit to determine the level of compliance.
5. Identify and Treat Risk: continue to evaluate whether the baseline is still suitable and whether the controls are still effective.
Oversight and Reporting
• Board of Directors or equivalent must oversee the program.
  • Sufficient knowledge of the program.
  • Ensure it's implemented and is effective.
  • Ongoing obligation.
• High level individual assigned responsibility for implementing the program.
  • Independence - separation of duties.
  • May delegate the day to day operations.
  • Exercise due care in selecting operational staff that will have "substantial discretionary authority".
Oversight and Reporting
Demonstrating reasonable oversight and knowledge:
• Annual board level “deep dive” training.
• Annual assessment report with executive signoff.
• Monthly or quarterly metric reporting.
• Risk Assessment results.
• Clearly identified and documented roles.
Relevant metrics:
• Violations per control or geographic location.
• Systemic process failures identified.
• Percent of the organization that completed annual training.
Standards and Policies
• Establish the organization's risk profile:
  • Applicable regulations and contracts.
  • What is the risk appetite and threat landscape?
• Select the cybersecurity framework(s) that best fits your profile.
  • Consider org size, resources, and capabilities.
  • Simplicity vs. comprehensiveness.
  • In-house vs. outsourcing.
• Create your security baseline by drafting policies and standards.
• Create a central repository for all baseline collateral.
Standards and Policies
Demonstrating due diligence in selection process:
• Documented pre-build risk assessment
• Selection Criteria for Cyber framework
• Legal or Consultant engagement - if available.
• Vendor Contract and SOWs
• OS Configuration Standards, etc.
Relevant metrics:
• Time to implement - estimated vs. actual.
• Overall organization spend for compliance.
• Relevant vendor SLAs and KPI scores
Promotion and Training
• Accessible repository for standards and policies.
• Communicate your baseline at all levels.
  • Chunked, digestible training.
  • Interactive - require input during sessions.
  • Executive sponsorship and endorsement from outside security.
  • Require at on-boarding and annually at minimum.
• Publicize the location of all baseline material and the method for anonymous reporting, and reassure zero retaliation.
• Solicit feedback.
Promotion and Training
Demonstrating efforts to bolster overall compliance:
• Seminars, courses, and newsletters
• Awareness marketing materials
• Deployed surveys and questionnaires.
• Course content (all versions)
Relevant metrics:
• Spike / Declines in violations before and after training.
• Overall training completion rates vs. pass rates.
• Questionnaire scoring on granular level.
• Survey participation rate and satisfaction %.
Enforcement and Auditing
Engage your operations team, and do it early.
• Select and implement controls that align with your security framework.
  • Confidentiality, Integrity, Availability.
• Monitor for deviations, violations, and failures.
• Method for anonymous reporting or advice.
• Clearly defined and communicated sanctions.
• Consistent and timely enforcement.
• Annual process updates.
  • Are the controls working as intended?
Enforcement and Auditing
Demonstrating reasonable enforcement actions:
• Processes and work instructions
• Physical walkthrough of facility
• Weekly / Monthly reporting dashboards.
• Console reports and patching schedules.
• Incident tickets and closures.
Relevant metrics:
• % of OS and application patch saturation
• Ticket response and resolution times.
• Volume of malware detected, IPs blocked, etc.
Identify and Treat Risk
• Identify gaps in overall compliance program as
well as controls.
• Robust incident handling process.
• Security incident table tops.
• Organizational Risk Register (POAM)
• Process for deviation approvals.
• Lessons learned documented - systemic issues.
• Periodic review of baseline and risk profile - still
appropriate?
Identify and Treat Risk
Demonstrating your compliance program is effective:
• If gaps are identified, that means your program is working!
• Reported Incidents and violations
• Third party audits - no deviations found.
• All deviations are documented and approved.
• Risk treatment plans
Relevant metrics:
• Incident volume and other metrics
• Number of employee self-disclosures - demonstrates culture.
• Average remediation times and repeat statistics.