SlideShare une entreprise Scribd logo

Valiente Balancing It SecurityCompliance, Complexity & Cost

GuardEra Access Solutions, Inc.
GuardEra Access Solutions, Inc.
Technologie
1  sur  4
Télécharger pour lire hors ligne
ISSA The Global Voice of Information Security ISSA Journal | July 2009 Balancing IT Security Compliance, Complexity, and Cost By Carlos Valiente, Jr. – ISSA member, Tampa Bay, USA Chapter The author discusses implementing the International Organization for Standardization ISO 27001, the international practice for information security management. O rganizations today risk customer trust, their reputa- each compliance effort is approached individually. However, tions, and ultimately shareholder value when they many of the controls that need to be defined, assessed, and do not address or prevent information security enforced are common across regulations. A silo-based ap- breaches. Many are required by law to comply with a grow- proach leads to a lot of redundant compliance efforts that ing number of government and industry-specific controls de- significantly increase the cost. In addition, companies have signed to safeguard the confidentiality, integrity, and avail- realized that as the number and scope of requirements grow, ability of IT systems from information security breaches. sheer complexity of assessing multi-regulatory compliance One strategy to consider is implementing the International with a large number of overlapping controls becomes a chal- Organization for Standardization1 ISO 27001, the interna- lenge. All these factors combined calls for a smarter approach tional practice for information security management. to addressing information security. Below is a partial list of Companies struggle to protect intellectual property and oth- the most common compliance standards: er sensitive information as they often lack the visibility need- California SB 1386 – known as the Security Breach Infor- ed to define effective access policies that help mitigate risk. IT mation Act, this state law governs organizations that serve departments bear one of the heaviest burdens in compiling customers residing in California and store confidential data the data required by auditors, as their responsibilities include about those customers on computers, or transmit such data the documentation of procedures for security policy, com- over networks. The law requires proactive protection of pri- pliance controls, and risk management processes. For many vate data for Californians. organizations, this is a key point of failure both before and EU Privacy Directives – Directive 95/46/EC of the European during an audit, which inevitably leads to increasing the cost Parliament and of the Council of 24 October 1995, on the of audit-related fees. protection of individuals with regard to the processing of The reality, however, is that security breaches will continue personal data and on the free movement of such data. to occur2 and the problem is not getting any easier to solve. GLBA – The Gramm-Leach-Bliley Act of 1999 requires fi- The exponential growth of information breaches, the level of nancial institutions to create, document, and continuously complexity of the infrastructure – network, virtual operating audit security procedures to protect the nonpublic personal systems, and applications – continues to grow at a fast pace. information of their clients, including precautions to prevent It is easy to get caught up in reacting to the current symp- unauthorized electronic access. tom or problem that is causing immediate pain, rather than proactively tracing the issue back to its root cause to find a FISMA – Requires that federal agencies establish risk-based long-term fix that will take the organization to a higher level information security programs to secure federal information. of overall performance. HIPAA – The Health Information Portability and Account- ability Act was one of the first mandates requiring organiza- Regulatory standards tions to implement IT security controls to protect the privacy Many organizations take a silo-based approach to complying of protected health information that they handle and store. with regulatory standards (e.g., PCI, GLBA, SOX, etc.), where PCI DSS – The PCI Data Security Standard was developed by the major credit card companies as a guideline to help orga- 1 www.iso.org. nizations that process card payments to prevent credit card 2 www.datalossdb.org. fraud, hacking, and various other security issues. 22
Balancing IT Security Compliance, Complexity, and Cost | Carlos Valiente, Jr. ISSA Journal | July 2009 SOX – The Sarbanes-Oxley Act of 2002 requires Regulatory Security & the company’s auditor to attest to and report on Legislative PLAN Compliance management’s assessment of the effectiveness of Contractual Management the company’s internal controls and procedures Establish the Framework Program for financial reporting. Continual Improvement PIPEDA – The Personal Information Protec- Implement and Approach to Maintain and Improve tion and Electronic Documents Act is a Cana- Operate the Framework Information Security Management the Framework dian law relating to data privacy. It governs how private-sector organizations collect, use, and DO Monitor and Review ACT disclose personal information in the course of the Framework commercial business. The key benefit of ISO 27001 is that it provides a single, stra- CHECK Figure 2 tegic, and comprehensive framework to information security, tives. Once implemented, organizations that have a need to and implementing these broad-based controls covers a wide advertise that they are 27001-compliant can be certified by a area set of control objectives required in SB-1386, HIPAA, number of accredited third-party audit registrars worldwide. PCI, GLBA, SOX and EU Directive 95 (see Figure 1). You can This is very similar to a manufacturing organization achiev- significantly reduce the number of controls and implemen- ing ISO 9001 certification or a service organization achiev- tation costs by achieving a transparent optimized security ing a SAS 70 for effectiveness of controls. Following is a brief baseline across the organization. summary of ISO 27002’s eleven main sections or domains. Regulatory & Corporate Objectives Security policy EU Privacy It prescribes a written, high-level policy document that Directives • Security Policy should be approved by management and published and com- • Human Resources municated to all employees responsible for information se- HIPAA • Access Controls curity in a manner that is understandable to the intended • Business Continuity recipient. The primary objective of a policy statement is to PCI ISO • Physical Security • Incident Management outline the aims of the organization as endorsed by the ex- ecutive management team. The document should be written SOX 27001 • Operations Management clearly so that it can be interpreted at all levels of the organi- zation and applied to the standards operations procedures. GLBA • Compliance The supporting standards and procedures, which are then • Asset Management derived from the overall policy statement, will control the SB-1386 • Infosec Organization day-by-day operations, which occur at the various functional • Infosys Dev. & Maint. levels within the organization. Others Organization of information security Figure 1 This is primarily about people rather than technology, and how they are organized to manage the information security The ISO standards framework function. It outlines how management is organized and es- The framework takes a very broad approach to information tablished to initiate and control the implementation of infor- security. The term information addresses all forms of data, mation security within the organization. In large or global documents, communications, conversations, messages, re- organizations, it is sometimes necessary to co-ordinate in- cordings, and photographs. It includes everything from digi- formation security measures by establishing distribution tal data, email, faxes to telephone conversations. The stan- services channels. It is important that organizations support dard effectively comes in two parts: the delegation of security responsibility to areas where those • ISO/IEC 27001:2005 is a standard specification for an responsibilities can be properly discharged. information security management system (ISMS). Asset management • ISO/IEC 27002:2005 is a standard code of practice and can be regarded as a comprehensive catalogue of All major information assets should be accounted for and individual control objectives. have an owner designated by name or title and responsible and accountable for his or her assigned assets. This will in- When you implement 27001 you are building an informa- clude access rights to, and classification of, those assets. The tion security management system using a continual improve- owner of the assets determines documents and promulgates ment approach (see Figure 2); 27002 is intended to be used the rules for the use of those assets for their whole life cycle. in conjunction and prescribes the individual control objec- This includes creation or purchase to disposal. Finally, to en- 23
Balancing IT Security Compliance, Complexity, and Cost | Carlos Valiente, Jr. ISSA Journal | July 2009 sure that information assets receive an appropriate level of sions are what requires protection and who has the keys. These protection, classification levels should be used to indicate the are strictly business decisions that should not depend on the need and priorities for security protection. Classifications technology at all. This domain covers areas such as user ac- should show the value, sensitivity, and criticality of each in- cess management, responsibilities, network access controls, formation asset. operating systems, application access controls, and mobile computing. Human resources It ensures that employees, contractors, and third-party users Information systems acquisition understand their responsibilities and are suitable for the roles Access to information and business processes should be con- they are considered for, and aims to reduce the risk of theft, trolled on the basis of business and security requirements. fraud, or misuse of facilities. Information security should be All security requirements should be identified and agreed to addressed at the recruitment stage, included in the job de- prior to the development or acquisition of information sys- scriptions and contracts, and monitored during an individu- tems. It is also essential that any commercial software (e.g., al’s employment. It should also form part of the exit process off-the-shelf software, software as a service (SaaS), or cloud to ensure that organizational assets are returned prior to ces- computing) options have suitable controls built in, and the sation of employment or contract. All users of information inclusion of such controls is considered a part of the acqui- systems should be given adequate security education and sition process. These controls include, for example, crypto- technical training. graphic controls, access to system files, change control proce- dures, disaster recovery, and vulnerability analysis. Physical and environmental security Information processing facilities supporting critical or sen- Information security incident management sitive business activities should be housed in secure areas. This domain ensures information security events and weak- This includes protection of equipment and information from nesses associated with information systems are communi- physical harm, as well as physical control of access to infor- cated in a manner that allows timely corrective action to be mation and equipment. It also contains two of the most sig- taken. An effective and efficient incident management system nificant control features of the standard: the education and for information security incidents must be implemented with training of staff and setting contractually the expected be- appropriate escalation processes. When breaches of security havior of anyone with access to organizational resources. do occur, for whatever reason, it is important to contain the result by reporting the incident and responding to it as quick- Communications and operations management ly as possible. For example: To whom should an incident be This broad domain section aims to ensure correct and secure reported? What information will that person need to know? operation of information processing facilities and that re- What precautions should be taken to limit the organization’s sponsibilities and procedures are established for the manage- exposure to the security breach? ment of all computers, networks, and information processing facilities. For example, all changes to operational informa- Business continuity management tion processing facilities and systems should be controlled. This counteracts interruptions to business activities and to The operating procedures identified by the information se- protect critical business processes from the effects of ma- curity policy relating to all information processing should be jor failures of information systems or disasters and ensures documented and maintained under formal change control. their timely resumption. A business continuity management Segregation of duties should be considered to minimize the process should be implemented to reduce the disruption risk of negligent or deliberate system misuse. Development caused by disasters and security failures to an acceptable level and testing facilities should be isolated from operational or through a combination of preventative and recovery controls. production systems. Rules for the promotion of software to For example, how IT intends to deliver corporate informa- operational status should be defined and documented. In ad- tion when the power goes off, a fire occurs, or when the com- dition, this domain addresses third-party service delivery, puters simply break down. system planning and acceptance, protection against mali- cious code or antivirus, backup and recovery procedures, Compliance media handling, and the exchange of information. To avoid breaches of any law, statute, regulation, or contrac- tual obligation and of any security requirements. The design, Access control operation, use, and management of information systems may This section is all about the control or access to information be subject to statutory, regulatory, and contractual security and systems on the basis of business and security needs. Sys- requirements. This domain also addresses compliance to an tem access can be controlled in a number of ways using hard- organization’s own security policies and standards. Most im- ware and/or software. The real question is not how control is portant is that there should be controls to safeguard opera- achieved but who is allowed access and to what. System access tional systems and audit tools during system audits. is like every other system of locks and keys; the basic deci- 24
Balancing IT Security Compliance, Complexity, and Cost | Carlos Valiente, Jr. ISSA Journal | July 2009 Implementation steps Implementation benefits There are different methods of implementing ISO27001 and Some of the benefits to implementing 27001 over point solu- the exact process may vary or need tailoring for each organi- tions include the following: zation. Here are basic key steps to consider: • Provides an internationally recognized information 1. Define the scope of implementation security strategy, structure, and methodology 2. Develop the information security policy and obtain • Allows an organization to demonstrate credibility, management approval trust, confidence, and due-diligence to clients and 3. Identify your information assets and owners business partners 4. Classify your information assets • Establishes that relevant laws and regulations are be- 5. Define the risk assessment process methodology and ing met identify the risks • Increases awareness of information protection within 6. Map the ISO 27001 controls applicable to mitigating the the organization risks identified in step 5 • Documents processes, policies, and procedures and 7. Document the statement of applicability to identify the provides for a structured, reusable approach controls chosen for your environment, explaining how • Becomes part of the formal business process to im- and why they are appropriate prove security and reduce risk 8. Define the organization’s policies, standards, and proce- • Provides a holistic approach to monitoring and con- dures trolling the IT environment across the enterprise 9. Communicate the policies and procedures to entire or- • Ensures that a commitment to information security ganization exists at all levels of the organization 10. Implement the identified controls and document them • Leads to substantial cost savings of implementing in- 11. Implement a security awareness training program for the formation security and compliance efforts entire organization 12. Perform and implement a scheduled internal compliance Conclusion audit program Are you “doing things right” rather than “doing the right 13. Engage a third-party auditor to provide assurance things”?4 The first is tactical and the second is strategic think- 14. Proactively close any gaps identified during audit ing. Both are clearly needed to run a successful organization, 15. Maintain matrices of the security practice and ensure but it is important to make sure you are steering your ship continuous improvement where you want it to go rather than clinging desperately to 16. Certify your organization the anchor chain as it drags you through the water. When it comes to protecting information, this framework, if implemented correctly, can increase your resource efficiency Spain ISO 27001 while helping manage risk, reducing the number of controls Italy Hungary Certificates Worldwide and ultimately your overall spending. By eliminating a silo- based approach to compliance, and leveraging commonality Czeck Republic of controls across various regulations and mandates, com- USA plexity decreases significantly and compliance becomes more Germany sustainable and cost-efficient. Implementing a single stra- China tegic solution will help an organization manage complexity Taiwan and total cost of ownership of information security, risk, and UK compliance. India 0 100 200 300 400 500 About the Author Carlos Valiente Jr., CISSP, CISA, CISM, Figure 3 CGEIT, LA-27001, is a results-driven in- Industry certification trends formation security specialist and compli- According to the international certification register, which ance audit professional with 21+ years maintains a list of the ISMS certificates awarded to organiza- experience leading and managing global tions worldwide,3 only 86 certifications have been granted in IT, information security, compliance, and the U.S., while countries like India, UK, China, Taiwan, and risk management programs in Big 4 and Germany are leading the U.S. in adopting 27001 ISMS (see Fortune 500 companies. For more information, comments, or Figure 3). Japan accounts for 3000 of the 5000 plus certifica- questions email vtechno@gmail.com. tions issued worldwide. 3 www.iso27001certificates.com. 4 A quote from business thinker Peter F. Drucker. 25

Recommandé

Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...padler01
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijensgeekmodeboy
 
Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016Leon Blum
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
4 System For Information Security
4 System For Information Security4 System For Information Security
4 System For Information SecurityAna Meskovska
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awarenessÃsħâr Ãâlâm
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 

Recommandé

Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...padler01
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijensgeekmodeboy
 
Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016Leon Blum
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
4 System For Information Security
4 System For Information Security4 System For Information Security
4 System For Information SecurityAna Meskovska
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awarenessÃsħâr Ãâlâm
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGArul Nambi
 
Information security-management-system
Information security-management-systemInformation security-management-system
Information security-management-systemintellisenseit
 
Information Security Management Systems(ISMS) By Dr Wafula
Information Security Management Systems(ISMS) By Dr WafulaInformation Security Management Systems(ISMS) By Dr Wafula
Information Security Management Systems(ISMS) By Dr WafulaDiscover JKUAT
 
Information Security
Information SecurityInformation Security
Information SecurityWe Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?VISTA InfoSec
 
ITFM Business Brief
ITFM Business BriefITFM Business Brief
ITFM Business Briefwdjohnson1
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Introduction to Information System Security
Introduction to Information System SecurityIntroduction to Information System Security
Introduction to Information System Securitychauhankapil
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security ProgramSeccuris Inc.
 
ISO 27001 Information Security Management Systems Trends and Developments
ISO 27001 Information Security Management Systems Trends and DevelopmentsISO 27001 Information Security Management Systems Trends and Developments
ISO 27001 Information Security Management Systems Trends and DevelopmentsCertification Europe
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesCertification Europe
 
University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012Hakem Filiz
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business ValueHyTrust
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentationPranay Kumar
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 ismsCraig Willetts ISO Expert
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIskcon Ahmedabad
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
Iso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaIso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaFahmi Albaheth
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceTripwire
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standartnewbie2019
 

Contenu connexe

Tendances

ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGArul Nambi
 
Information security-management-system
Information security-management-systemInformation security-management-system
Information security-management-systemintellisenseit
 
Information Security Management Systems(ISMS) By Dr Wafula
Information Security Management Systems(ISMS) By Dr WafulaInformation Security Management Systems(ISMS) By Dr Wafula
Information Security Management Systems(ISMS) By Dr WafulaDiscover JKUAT
 
What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?VISTA InfoSec
 
ITFM Business Brief
ITFM Business BriefITFM Business Brief
ITFM Business Briefwdjohnson1
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Introduction to Information System Security
Introduction to Information System SecurityIntroduction to Information System Security
Introduction to Information System Securitychauhankapil
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security ProgramSeccuris Inc.
 
ISO 27001 Information Security Management Systems Trends and Developments
ISO 27001 Information Security Management Systems Trends and DevelopmentsISO 27001 Information Security Management Systems Trends and Developments
ISO 27001 Information Security Management Systems Trends and DevelopmentsCertification Europe
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesCertification Europe
 
University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012Hakem Filiz
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business ValueHyTrust
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentationPranay Kumar
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIskcon Ahmedabad
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
Iso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaIso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaFahmi Albaheth
 

Tendances (20)

ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Information security-management-system
Information security-management-systemInformation security-management-system
Information security-management-system
 
Information Security Management Systems(ISMS) By Dr Wafula
Information Security Management Systems(ISMS) By Dr WafulaInformation Security Management Systems(ISMS) By Dr Wafula
Information Security Management Systems(ISMS) By Dr Wafula
 
Information Security
Information SecurityInformation Security
Information Security
 
What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?What is expected from an organization under NCA ECC Compliance?
What is expected from an organization under NCA ECC Compliance?
 
ITFM Business Brief
ITFM Business BriefITFM Business Brief
ITFM Business Brief
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Introduction to Information System Security
Introduction to Information System SecurityIntroduction to Information System Security
Introduction to Information System Security
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security Program
 
ISO 27001 Information Security Management Systems Trends and Developments
ISO 27001 Information Security Management Systems Trends and DevelopmentsISO 27001 Information Security Management Systems Trends and Developments
ISO 27001 Information Security Management Systems Trends and Developments
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and Challenges
 
University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business Value
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentation
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
Iso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaIso27001- Nashwan Mustafa
Iso27001- Nashwan Mustafa
 

Similaire à Valiente Balancing It SecurityCompliance, Complexity & Cost

Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceTripwire
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standartnewbie2019
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationSyed Azher
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness governmentHamisi Kibonde
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdfkarthikvcyber
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNA Putra
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.pptkarthikvcyber
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Chandan Singh Ghodela
 
Agiliance Whitepaper - Six Key Steps
Agiliance Whitepaper - Six Key StepsAgiliance Whitepaper - Six Key Steps
Agiliance Whitepaper - Six Key Stepsagiliancecommunity
 
CHAPTER 3 Security Policies and Regulations In this chap
CHAPTER 3 Security Policies and Regulations In this chapCHAPTER 3 Security Policies and Regulations In this chap
CHAPTER 3 Security Policies and Regulations In this chapEstelaJeffery653
 
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...Tromenz Learning
 
The Virtual Security Officer Platform
The Virtual Security Officer PlatformThe Virtual Security Officer Platform
The Virtual Security Officer PlatformShanmugavel Sankaran
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governancenooralmousa
 

Similaire à Valiente Balancing It SecurityCompliance, Complexity & Cost (20)

Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 Compliance
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standart
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an Organisation
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness government
 
Pindad iso27000 2016 smki
Pindad iso27000 2016 smkiPindad iso27000 2016 smki
Pindad iso27000 2016 smki
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdf
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.ppt
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Steps
 
Agiliance Whitepaper - Six Key Steps
Agiliance Whitepaper - Six Key StepsAgiliance Whitepaper - Six Key Steps
Agiliance Whitepaper - Six Key Steps
 
CHAPTER 3 Security Policies and Regulations In this chap
CHAPTER 3 Security Policies and Regulations In this chapCHAPTER 3 Security Policies and Regulations In this chap
CHAPTER 3 Security Policies and Regulations In this chap
 
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
 
The Virtual Security Officer Platform
The Virtual Security Officer PlatformThe Virtual Security Officer Platform
The Virtual Security Officer Platform
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 

Plus de GuardEra Access Solutions, Inc.

Plus de GuardEra Access Solutions, Inc. (20)

HIPAA Regs
HIPAA RegsHIPAA Regs
HIPAA Regs
 
HITECH Modifications to HIPAA
HITECH Modifications to HIPAAHITECH Modifications to HIPAA
HITECH Modifications to HIPAA
 
Patrick Notley1
Patrick Notley1Patrick Notley1
Patrick Notley1
 
Awarenesstechnologies Intro Document
Awarenesstechnologies Intro DocumentAwarenesstechnologies Intro Document
Awarenesstechnologies Intro Document
 
Mx Pb En 100929
Mx Pb En 100929Mx Pb En 100929
Mx Pb En 100929
 
Rp 2010 data-breach-report-en_xg
Rp 2010 data-breach-report-en_xgRp 2010 data-breach-report-en_xg
Rp 2010 data-breach-report-en_xg
 
Deepwater Horizon
Deepwater HorizonDeepwater Horizon
Deepwater Horizon
 
Cloud Computing Payback
Cloud Computing PaybackCloud Computing Payback
Cloud Computing Payback
 
10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets
 
Security Breach Laws
Security Breach LawsSecurity Breach Laws
Security Breach Laws
 
2010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V12010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V1
 
2010 Hipaa Rules 011310
2010 Hipaa Rules 0113102010 Hipaa Rules 011310
2010 Hipaa Rules 011310
 
Og Disparate It Mgmt Tool Impact Report
Og Disparate It Mgmt Tool Impact ReportOg Disparate It Mgmt Tool Impact Report
Og Disparate It Mgmt Tool Impact Report
 
Accel Ops Brochure0609
Accel Ops Brochure0609Accel Ops Brochure0609
Accel Ops Brochure0609
 
Healthcare Data Security Update
Healthcare Data Security UpdateHealthcare Data Security Update
Healthcare Data Security Update
 
HITECH Act
HITECH ActHITECH Act
HITECH Act
 
EMR Yes- No
EMR Yes- NoEMR Yes- No
EMR Yes- No
 
SourceFire IPS Overview
SourceFire IPS OverviewSourceFire IPS Overview
SourceFire IPS Overview
 
Closing the Clinical IT Chasm
Closing the Clinical IT ChasmClosing the Clinical IT Chasm
Closing the Clinical IT Chasm
 
2009 Databreach Report
2009 Databreach Report2009 Databreach Report
2009 Databreach Report
 

Dernier

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Dernier (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Valiente Balancing It SecurityCompliance, Complexity & Cost

  • 1. ISSA The Global Voice of Information Security ISSA Journal | July 2009 Balancing IT Security Compliance, Complexity, and Cost By Carlos Valiente, Jr. – ISSA member, Tampa Bay, USA Chapter The author discusses implementing the International Organization for Standardization ISO 27001, the international practice for information security management. O rganizations today risk customer trust, their reputa- each compliance effort is approached individually. However, tions, and ultimately shareholder value when they many of the controls that need to be defined, assessed, and do not address or prevent information security enforced are common across regulations. A silo-based ap- breaches. Many are required by law to comply with a grow- proach leads to a lot of redundant compliance efforts that ing number of government and industry-specific controls de- significantly increase the cost. In addition, companies have signed to safeguard the confidentiality, integrity, and avail- realized that as the number and scope of requirements grow, ability of IT systems from information security breaches. sheer complexity of assessing multi-regulatory compliance One strategy to consider is implementing the International with a large number of overlapping controls becomes a chal- Organization for Standardization1 ISO 27001, the interna- lenge. All these factors combined calls for a smarter approach tional practice for information security management. to addressing information security. Below is a partial list of Companies struggle to protect intellectual property and oth- the most common compliance standards: er sensitive information as they often lack the visibility need- California SB 1386 – known as the Security Breach Infor- ed to define effective access policies that help mitigate risk. IT mation Act, this state law governs organizations that serve departments bear one of the heaviest burdens in compiling customers residing in California and store confidential data the data required by auditors, as their responsibilities include about those customers on computers, or transmit such data the documentation of procedures for security policy, com- over networks. The law requires proactive protection of pri- pliance controls, and risk management processes. For many vate data for Californians. organizations, this is a key point of failure both before and EU Privacy Directives – Directive 95/46/EC of the European during an audit, which inevitably leads to increasing the cost Parliament and of the Council of 24 October 1995, on the of audit-related fees. protection of individuals with regard to the processing of The reality, however, is that security breaches will continue personal data and on the free movement of such data. to occur2 and the problem is not getting any easier to solve. GLBA – The Gramm-Leach-Bliley Act of 1999 requires fi- The exponential growth of information breaches, the level of nancial institutions to create, document, and continuously complexity of the infrastructure – network, virtual operating audit security procedures to protect the nonpublic personal systems, and applications – continues to grow at a fast pace. information of their clients, including precautions to prevent It is easy to get caught up in reacting to the current symp- unauthorized electronic access. tom or problem that is causing immediate pain, rather than proactively tracing the issue back to its root cause to find a FISMA – Requires that federal agencies establish risk-based long-term fix that will take the organization to a higher level information security programs to secure federal information. of overall performance. HIPAA – The Health Information Portability and Account- ability Act was one of the first mandates requiring organiza- Regulatory standards tions to implement IT security controls to protect the privacy Many organizations take a silo-based approach to complying of protected health information that they handle and store. with regulatory standards (e.g., PCI, GLBA, SOX, etc.), where PCI DSS – The PCI Data Security Standard was developed by the major credit card companies as a guideline to help orga- 1 www.iso.org. nizations that process card payments to prevent credit card 2 www.datalossdb.org. fraud, hacking, and various other security issues. 22
  • 2. Balancing IT Security Compliance, Complexity, and Cost | Carlos Valiente, Jr. ISSA Journal | July 2009 SOX – The Sarbanes-Oxley Act of 2002 requires Regulatory Security & the company’s auditor to attest to and report on Legislative PLAN Compliance management’s assessment of the effectiveness of Contractual Management the company’s internal controls and procedures Establish the Framework Program for financial reporting. Continual Improvement PIPEDA – The Personal Information Protec- Implement and Approach to Maintain and Improve tion and Electronic Documents Act is a Cana- Operate the Framework Information Security Management the Framework dian law relating to data privacy. It governs how private-sector organizations collect, use, and DO Monitor and Review ACT disclose personal information in the course of the Framework commercial business. The key benefit of ISO 27001 is that it provides a single, stra- CHECK Figure 2 tegic, and comprehensive framework to information security, tives. Once implemented, organizations that have a need to and implementing these broad-based controls covers a wide advertise that they are 27001-compliant can be certified by a area set of control objectives required in SB-1386, HIPAA, number of accredited third-party audit registrars worldwide. PCI, GLBA, SOX and EU Directive 95 (see Figure 1). You can This is very similar to a manufacturing organization achiev- significantly reduce the number of controls and implemen- ing ISO 9001 certification or a service organization achiev- tation costs by achieving a transparent optimized security ing a SAS 70 for effectiveness of controls. Following is a brief baseline across the organization. summary of ISO 27002’s eleven main sections or domains. Regulatory & Corporate Objectives Security policy EU Privacy It prescribes a written, high-level policy document that Directives • Security Policy should be approved by management and published and com- • Human Resources municated to all employees responsible for information se- HIPAA • Access Controls curity in a manner that is understandable to the intended • Business Continuity recipient. The primary objective of a policy statement is to PCI ISO • Physical Security • Incident Management outline the aims of the organization as endorsed by the ex- ecutive management team. The document should be written SOX 27001 • Operations Management clearly so that it can be interpreted at all levels of the organi- zation and applied to the standards operations procedures. GLBA • Compliance The supporting standards and procedures, which are then • Asset Management derived from the overall policy statement, will control the SB-1386 • Infosec Organization day-by-day operations, which occur at the various functional • Infosys Dev. & Maint. levels within the organization. Others Organization of information security Figure 1 This is primarily about people rather than technology, and how they are organized to manage the information security The ISO standards framework function. It outlines how management is organized and es- The framework takes a very broad approach to information tablished to initiate and control the implementation of infor- security. The term information addresses all forms of data, mation security within the organization. In large or global documents, communications, conversations, messages, re- organizations, it is sometimes necessary to co-ordinate in- cordings, and photographs. It includes everything from digi- formation security measures by establishing distribution tal data, email, faxes to telephone conversations. The stan- services channels. It is important that organizations support dard effectively comes in two parts: the delegation of security responsibility to areas where those • ISO/IEC 27001:2005 is a standard specification for an responsibilities can be properly discharged. information security management system (ISMS). Asset management • ISO/IEC 27002:2005 is a standard code of practice and can be regarded as a comprehensive catalogue of All major information assets should be accounted for and individual control objectives. have an owner designated by name or title and responsible and accountable for his or her assigned assets. This will in- When you implement 27001 you are building an informa- clude access rights to, and classification of, those assets. The tion security management system using a continual improve- owner of the assets determines documents and promulgates ment approach (see Figure 2); 27002 is intended to be used the rules for the use of those assets for their whole life cycle. in conjunction and prescribes the individual control objec- This includes creation or purchase to disposal. Finally, to en- 23
  • 3. Balancing IT Security Compliance, Complexity, and Cost | Carlos Valiente, Jr. ISSA Journal | July 2009 sure that information assets receive an appropriate level of sions are what requires protection and who has the keys. These protection, classification levels should be used to indicate the are strictly business decisions that should not depend on the need and priorities for security protection. Classifications technology at all. This domain covers areas such as user ac- should show the value, sensitivity, and criticality of each in- cess management, responsibilities, network access controls, formation asset. operating systems, application access controls, and mobile computing. Human resources It ensures that employees, contractors, and third-party users Information systems acquisition understand their responsibilities and are suitable for the roles Access to information and business processes should be con- they are considered for, and aims to reduce the risk of theft, trolled on the basis of business and security requirements. fraud, or misuse of facilities. Information security should be All security requirements should be identified and agreed to addressed at the recruitment stage, included in the job de- prior to the development or acquisition of information sys- scriptions and contracts, and monitored during an individu- tems. It is also essential that any commercial software (e.g., al’s employment. It should also form part of the exit process off-the-shelf software, software as a service (SaaS), or cloud to ensure that organizational assets are returned prior to ces- computing) options have suitable controls built in, and the sation of employment or contract. All users of information inclusion of such controls is considered a part of the acqui- systems should be given adequate security education and sition process. These controls include, for example, crypto- technical training. graphic controls, access to system files, change control proce- dures, disaster recovery, and vulnerability analysis. Physical and environmental security Information processing facilities supporting critical or sen- Information security incident management sitive business activities should be housed in secure areas. This domain ensures information security events and weak- This includes protection of equipment and information from nesses associated with information systems are communi- physical harm, as well as physical control of access to infor- cated in a manner that allows timely corrective action to be mation and equipment. It also contains two of the most sig- taken. An effective and efficient incident management system nificant control features of the standard: the education and for information security incidents must be implemented with training of staff and setting contractually the expected be- appropriate escalation processes. When breaches of security havior of anyone with access to organizational resources. do occur, for whatever reason, it is important to contain the result by reporting the incident and responding to it as quick- Communications and operations management ly as possible. For example: To whom should an incident be This broad domain section aims to ensure correct and secure reported? What information will that person need to know? operation of information processing facilities and that re- What precautions should be taken to limit the organization’s sponsibilities and procedures are established for the manage- exposure to the security breach? ment of all computers, networks, and information processing facilities. For example, all changes to operational informa- Business continuity management tion processing facilities and systems should be controlled. This counteracts interruptions to business activities and to The operating procedures identified by the information se- protect critical business processes from the effects of ma- curity policy relating to all information processing should be jor failures of information systems or disasters and ensures documented and maintained under formal change control. their timely resumption. A business continuity management Segregation of duties should be considered to minimize the process should be implemented to reduce the disruption risk of negligent or deliberate system misuse. Development caused by disasters and security failures to an acceptable level and testing facilities should be isolated from operational or through a combination of preventative and recovery controls. production systems. Rules for the promotion of software to For example, how IT intends to deliver corporate informa- operational status should be defined and documented. In ad- tion when the power goes off, a fire occurs, or when the com- dition, this domain addresses third-party service delivery, puters simply break down. system planning and acceptance, protection against mali- cious code or antivirus, backup and recovery procedures, Compliance media handling, and the exchange of information. To avoid breaches of any law, statute, regulation, or contrac- tual obligation and of any security requirements. The design, Access control operation, use, and management of information systems may This section is all about the control or access to information be subject to statutory, regulatory, and contractual security and systems on the basis of business and security needs. Sys- requirements. This domain also addresses compliance to an tem access can be controlled in a number of ways using hard- organization’s own security policies and standards. Most im- ware and/or software. The real question is not how control is portant is that there should be controls to safeguard opera- achieved but who is allowed access and to what. System access tional systems and audit tools during system audits. is like every other system of locks and keys; the basic deci- 24
  • 4. Balancing IT Security Compliance, Complexity, and Cost | Carlos Valiente, Jr. ISSA Journal | July 2009 Implementation steps Implementation benefits There are different methods of implementing ISO27001 and Some of the benefits to implementing 27001 over point solu- the exact process may vary or need tailoring for each organi- tions include the following: zation. Here are basic key steps to consider: • Provides an internationally recognized information 1. Define the scope of implementation security strategy, structure, and methodology 2. Develop the information security policy and obtain • Allows an organization to demonstrate credibility, management approval trust, confidence, and due-diligence to clients and 3. Identify your information assets and owners business partners 4. Classify your information assets • Establishes that relevant laws and regulations are be- 5. Define the risk assessment process methodology and ing met identify the risks • Increases awareness of information protection within 6. Map the ISO 27001 controls applicable to mitigating the the organization risks identified in step 5 • Documents processes, policies, and procedures and 7. Document the statement of applicability to identify the provides for a structured, reusable approach controls chosen for your environment, explaining how • Becomes part of the formal business process to im- and why they are appropriate prove security and reduce risk 8. Define the organization’s policies, standards, and proce- • Provides a holistic approach to monitoring and con- dures trolling the IT environment across the enterprise 9. Communicate the policies and procedures to entire or- • Ensures that a commitment to information security ganization exists at all levels of the organization 10. Implement the identified controls and document them • Leads to substantial cost savings of implementing in- 11. Implement a security awareness training program for the formation security and compliance efforts entire organization 12. Perform and implement a scheduled internal compliance Conclusion audit program Are you “doing things right” rather than “doing the right 13. Engage a third-party auditor to provide assurance things”?4 The first is tactical and the second is strategic think- 14. Proactively close any gaps identified during audit ing. Both are clearly needed to run a successful organization, 15. Maintain matrices of the security practice and ensure but it is important to make sure you are steering your ship continuous improvement where you want it to go rather than clinging desperately to 16. Certify your organization the anchor chain as it drags you through the water. When it comes to protecting information, this framework, if implemented correctly, can increase your resource efficiency Spain ISO 27001 while helping manage risk, reducing the number of controls Italy Hungary Certificates Worldwide and ultimately your overall spending. By eliminating a silo- based approach to compliance, and leveraging commonality Czeck Republic of controls across various regulations and mandates, com- USA plexity decreases significantly and compliance becomes more Germany sustainable and cost-efficient. Implementing a single stra- China tegic solution will help an organization manage complexity Taiwan and total cost of ownership of information security, risk, and UK compliance. India 0 100 200 300 400 500 About the Author Carlos Valiente Jr., CISSP, CISA, CISM, Figure 3 CGEIT, LA-27001, is a results-driven in- Industry certification trends formation security specialist and compli- According to the international certification register, which ance audit professional with 21+ years maintains a list of the ISMS certificates awarded to organiza- experience leading and managing global tions worldwide,3 only 86 certifications have been granted in IT, information security, compliance, and the U.S., while countries like India, UK, China, Taiwan, and risk management programs in Big 4 and Germany are leading the U.S. in adopting 27001 ISMS (see Fortune 500 companies. For more information, comments, or Figure 3). Japan accounts for 3000 of the 5000 plus certifica- questions email vtechno@gmail.com. tions issued worldwide. 3 www.iso27001certificates.com. 4 A quote from business thinker Peter F. Drucker. 25