Separating Fact from Fiction: Security Technologies for Regulatory Compliance - PowerPoint PPT Presentation



Separating Fact from Fiction: Security Technologies for Regulatory Compliance

Diana Kelley, Senior Analyst

Burton Group


Agenda

  • Regulatory compliance – One size does not fit all

    • And compliance is not a product

    • Why “SOX-in-a-box” is a myth

  • Compliance frameworks

    • A systematic, comprehensive approach

    • Policy first

  • Tools that can help

    • Building a toolbox

    • Management and Compliance “dashboards”


Compliance: The Biggest Time Waster of 2005?

  • August 2005 Share Conference on-line registrant poll

  • Looking back from the year 2015 at wasteful or ineffective efforts in 2005

    • 28% - Sarbanes-Oxley compliance

    • 23% - Deployment of unproven technologies

    • 19% - Purchase of unneeded technologies

      Source: ComputerWorld, August 23, 2005, http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,104118,00.html


Regulatory Compliance – One Size Does Not Fit All

  • Compliance is not a product

    • Combination of people, process, and technology

  • Why “SOX-in-a-box” is a myth

    • Or a misnomer

    • Enterprise IT systems are extremely complex

    • Regulations are not prescriptive

    • Regulations may have competing requirements

      • Ex: Log file retention times

      • Ex: PII storage


Sarbanes-Oxley

  • Section 404(a)(2) of the regulation: "[an internal control report, which shall] contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."


Control Weaknesses Reporting During SOX Compliance Work

  • Lack of adequate system documentation

  • Lack of audit training and experience

  • Lack of management oversight

  • Too many privileges: IT personnel often had too many privileges (e.g., multiple IDs, generic IDs), and there was insufficient separation of duties

  • Inadequate handling of privilege changes related to promotions and job re-assignment

  • Documentation for small, routine maintenance tasks was often non-existent or inadequate


PCI Data Security Standard

  • Build and maintain a secure network

  • Protect cardholder data

  • Maintain a vulnerability management program

  • Implement strong access control measures

  • Regularly monitor and test networks


Compliance Frameworks

  • Created by an organization to simplify the compliance process

  • A set of policies, procedures, and technologies that normalizes the organization’s approach to compliance

  • Benefits of compliance frameworks

    • Consistent, policy-based approach to compliance

    • Separation of concerns

    • Reduced reporting time

    • Easier maintenance

    • Centralized control


Legal Matters

  • What is the company required to supply, by law?

    • Audit compliance

      • ISO, SAS70

      • HIPAA, SOX, GLBA, EUDD

    • Who is accountable for lack of compliance?

    • Will fines be levied or operations shut down?

  • Why it matters

    • Business continuity

    • Audit success

    • Policy enforcement

    • Reporting requirements


A Systematic, Comprehensive Approach

  • First things first - What constitutes compliance?

    • Work with internal and external audit teams

    • Use “a suitable, recognized control framework established by a body of experts that followed due-process procedures.”

      http://www.sox-online.com/release-20040308-1.pdf

    • Understand there is a legacy – exceptions will have to be documented

    • Establish control frameworks

    • Translate policies to technical policies

      • The bits and bytes of compliance

      • Ex: Hierarchical administrator or superuser accounts

  • Identify what can be automated, and what can’t


Control Framework Example


Thinking through Compliance Requirements

  • What standards does the company need to adhere to? What devices/apps need to be covered?

    • Standard devices

    • Legacy systems

    • Home-grown applications

    • Internal – policies

      • ISO compliance

    • External –

      • SOX, HIPAA, GLBA

      • Partners


The Devil’s in the Details

  • Some Gotchas

    • Heterogeneous environments increase complexity

    • The weakest link device/application

    • Adherence to corporate standards, but failure in audit

    • Application development

    • Requirements for new devices – can new devices be added quickly within the compliance framework?


COSO

  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is widely accepted around the world as a baseline framework for compliance

    • Prescribes risk management to achieve internal control objectives including efficiency and effectiveness of operations, financial reporting, and legal/regulatory compliance

  • COSO mandates that management:

    • Set control objectives for the enterprise

    • Identify events that can cause substantial negative consequences to the enterprise and therefore affect shareholder value

    • Assess risks associated with those events


The COSO Cube

    • Objectives

      • Strategy

      • Operations

      • Reporting

      • Compliance

    • Entity’s Units

      • Entity

      • Division

      • Business unit

      • Subsidiary

    • Components

      • Internal environment

      • Objective setting

      • Event identification

      • Risk assessment

      • Risk response

      • Control activities

      • Information and communication

      • Monitoring


CoBiT – IT Governance Institute

  • A set of documents and resources that represent a framework of guiding objectives and processes for IT governance and audit control

  • An increasingly important guideline for properly implementing security controls within an organization

  • Many internal auditors choose CoBiT as an important foundation for audit activity within IT organizations

  • CoBiT contains 34 control areas over four high-level domains.


COSO Components and CoBiT Domains/Objectives (Source: ISACA’s “IT Control Objectives for Sarbanes-Oxley”)


ISO17799

  • A detailed, internationally accepted security standard

  • Covers 10 major sections

    • Business continuity planning

    • System access control

    • System development and maintenance

    • Physical and environmental security

    • Compliance

    • Personnel security

    • Security organization

    • Computer and operations management

    • Asset classification

    • Security policy

  • Used by many companies around the world as their IT baseline


A Note on Framework Adoption

  • Don’t adopt any framework’s controls blindly

    • Must show evidence that ALL the controls your company specified are working

      • CoBiT has 34 control areas; each requires as many as 10 control activities

    • However, be prepared to justify differences to auditors


Building a Toolbox – Realistically

  • Tools are not like stretch socks that can expand to fit the needs of a vast regulatory mandate

  • Enabling tools for increased efficiency and automation

    • Reporting

    • Change management

    • Technical policy management

    • Documentation management

    • Compliance checks


Not a Simple Problem…

  • There are many “moving parts” in the compliance toolbox

    • Compliance is a large project

    • Compliance may touch all systems in the enterprise

  • Devices and applications have disparate logs and reporting

    • There is no audit log standard

    • Proprietary applications may not have adequate logging or access to logs

  • If the data collected from the devices is to be trusted, security of the information on the device and in transit is a critical consideration

    • Agentless solutions are usually easier to deploy

    • But may result in less audit control over the data prior to hand off


Many of the Ingredients May Already Be in Your Cupboard!

  • Many existing tools can be used in the compliance program

    • Auditing

    • Documentation

    • Network Management

  • Vendors are changing product features and positioning in response to the need for a compliance-oriented perspective

    • Providing additional hooks for process integration

    • Compliance oriented reporting


Financial Applications – Oracle and SAP

  • Many products contain (and are developing more) features that, if used correctly, help organizations with compliance

    • Project organization for documentation, testing, and sign-off for internal controls

    • Test procedures based on the risk management framework defined by COSO

    • Workflow procedures that accelerate testing and sign-off

    • Object-level analysis of segregation of duties (SOD)

    • Authorization administration

    • Real-time drill-down analysis and reporting


Document, Document, Document

  • Many of the regulations have heavy documentation requirements

    • Flow charts of internal controls

    • Written policies and procedures associated with those controls

    • Ability to access appropriate policies in a hierarchical view

  • A documentation system that can capture and present critical policies and procedures is required

    • Some vendors have released documentation tools specifically designed to aid in the compliance process

      • Ex: Lotus Workplace for Business Controls and Reporting, OpenPages SOX Express.


Network Monitoring

  • Monitoring of performance, continuity of service, and service levels is a CoBiT control objective and very often a compliance requirement

  • Many organizations have network monitoring solutions in place from leading vendors such as IBM Tivoli, HP OpenView, and Computer Associates Unicenter

  • These solutions manage components that are already on a network; there is no need to replace these systems

  • However, many can be configured to provide evidence of control in support of compliance reporting


Change Management/Project Management

  • Change management tools deploy policy and configuration changes to a managed set of target devices and track the changes made

    • Many companies already have some change management systems in place

  • The compliance process is a large project – and needs to be managed as such

  • Project management tools and workflow can help:

    • Manage the assignment of tasks to individuals

    • Track the level of completeness

    • Provide reports to show overall progress and current status


Identity Management

  • Not called out specifically in many regulations, and not one of the CoBiT controls

    • However, unique user IDs and authenticators are recommended by CoBiT and required by many regulations such as HIPAA

    • Without unique user IDs, tracking and controlling access and usage on systems housing healthcare, financial, and other sensitive data would be impossible

  • IdM is an important part of the compliance process for most organizations


Log Aggregation and Storage

  • Centralized storage of log and audit file activity

  • Managing this storage process is critical

    • How will the information be parsed when answers are needed?

  • Can the Storage Area Network (SAN) handle the data?

    • Many organizations have SANs from established vendors such as Symantec/Veritas and IBM/Tivoli

    • Will the additional audit log data storage requirements overtax the SAN?


Perimeter Controls and Isolation

  • Firewalls can be used to cordon off critical systems into highly protected zones

  • Virtual local area networks (VLANs) can be created to segregate systems involved in processing healthcare information or reporting financials

  • Intrusion detection and prevention solutions can be implemented to provide additional monitoring of access to systems and to prevent attacks


Forensics

  • Network forensic tools capture all of the traffic on a network or network segment and record it for later use

    • Help administrators and auditors track users and system access

    • Used after an incident has occurred to piece together where systems failed and how to make them more robust in the future

  • Endpoint forensic tools can be used to examine the contents of a hard drive, and, in some cases, recover deleted information that may contain valuable evidence

    Note: historical forensics and legal forensics are not the same


Security Event Information Management

  • SEIM tools are designed to monitor and manage security within an organization

    • Aggregate

    • Normalize

    • Correlate

  • Intelligent correlation is the key to avoid the “drowning in data” syndrome

    • Compliance specific correlation rules may be time intensive to create

    • Know thy systems and requirements in advance
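As an added illustration (not code from the presentation), the pipeline below shows the aggregate/normalize/correlate cycle described on this slide, with two compliance-specific correlation rules drawn from the SOX control-weakness slide: use of generic IDs, and insufficient separation of duties. The three log formats, the host and user names, and the journal-entry actions are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in three formats (syslog-style SSH login, Windows-style
# logon event, ERP application audit line); hosts and users are made up for this example.
RAW_LOGS = [
    "Jan 12 09:01:05 fin-erp01 sshd[211]: Accepted password for admin from 10.1.1.7",
    "2005-01-12T09:02:10 host=fin-erp01 EventID=4624 user=jsmith src=10.1.1.8",
    "ERP|2005-01-12 09:05:44|jsmith|JE_CREATE|journal=4711",
    "ERP|2005-01-12 09:06:01|jsmith|JE_APPROVE|journal=4711",
    "ERP|2005-01-12 09:10:00|mlee|JE_APPROVE|journal=4712",
]
# Shared/generic accounts that policy forbids for interactive use on in-scope systems
# (hypothetical list; a real one comes from the organization's technical policy).
GENERIC_IDS = {"admin", "root", "administrator", "sa"}

SYSLOG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) \S+: Accepted \w+ for (\S+) from \S+")
WINEVT_RE = re.compile(r"^\S+ host=(\S+) EventID=4624 user=(\S+)")
ERP_RE = re.compile(r"^ERP\|[^|]+\|([^|]+)\|([^|]+)\|journal=(\d+)$")

def normalize(line):
    """Normalize one raw line into a common {host, user, action, obj} record."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"host": m.group(1), "user": m.group(2), "action": "LOGIN", "obj": None}
    m = WINEVT_RE.match(line)
    if m:
        return {"host": m.group(1), "user": m.group(2), "action": "LOGIN", "obj": None}
    m = ERP_RE.match(line)
    if m:
        return {"host": "ERP", "user": m.group(1), "action": m.group(2), "obj": m.group(3)}
    return None  # unknown format: dropped here; a real pipeline should count these

def correlate(events):
    """Apply two compliance-oriented correlation rules over normalized events."""
    findings = []
    # Rule 1: a generic/shared ID logged in, so the activity cannot be tied to a person.
    for e in events:
        if e["action"] == "LOGIN" and e["user"] in GENERIC_IDS:
            findings.append(("GENERIC_ID_LOGIN", e["user"], e["host"]))
    # Rule 2: separation of duties - one user both created and approved the same journal.
    actors = defaultdict(dict)  # journal id -> {action: user}
    for e in events:
        if e["obj"] is not None:
            actors[e["obj"]][e["action"]] = e["user"]
    for journal, acts in actors.items():
        if "JE_CREATE" in acts and acts["JE_CREATE"] == acts.get("JE_APPROVE"):
            findings.append(("SOD_VIOLATION", acts["JE_CREATE"], journal))
    return findings

def run(lines=RAW_LOGS):
    # Aggregate -> normalize -> correlate; returns the list of findings.
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)
```

The normalization step is where the "no audit log standard" problem from the earlier slide lands: every new device or application type needs its own parser before any correlation rule can see it.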


Compliance Dashboards?

*Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Personal Information Protection and Electronic Documents Act (PIPEDA)


Compliance Dashboards

  • An emerging space

    • Portal-based view into metrics, configuration settings and other indicators of activity

    • But most regulations are not prescriptive enough to translate to a “one size fits all” portal view

      • And vendors may focus on different areas of compliance (SOX, HIPAA, Basel II)

    • Dashboards can be customized to report on areas of compliance based on company defined indicators

      • But the company must determine the controls and indicators to be monitored

      • Even with customization the dashboard will (most likely!) not be able to supply transparency and reporting on every component of compliance


The Tool Taxonomy


A Quick Checklist

  • Read the regulations and determine target compliance policies and requirements

  • Perform a security gap analysis

  • Identify gaps between existing practices and the targets

  • Determine the steps needed to close the gaps – and document any exceptions

  • Create an action plan for on-going compliance and assessment

  • Implement, monitor and maintain

  • Call in outside experts as needed


Conclusion

  • Compliance may not be a product – but products can help ease the burden

  • Create a compliance framework for the enterprise

  • New regulations are inevitable – frameworks help keep organizations compliance-hardy

