Separating Fact from Fiction: Security Technologies for Regulatory Compliance

Diana Kelley, Senior Analyst

Burton Group

Agenda

  • Regulatory compliance – One size does not fit all
    • And compliance is not a product
    • Why “SOX-in-a-box” is a myth
  • Compliance frameworks
    • A systematic, comprehensive approach
    • Policy first
  • Tools that can help
    • Building a toolbox
    • Management and Compliance “dashboards”
Compliance: The Biggest Time Waster of 2005?
  • August 2005 Share Conference on-line registrant poll
  • Looking back from the year 2015 at wasteful or ineffective efforts in 2005
    • 28% - Sarbanes-Oxley compliance
    • 23% - Deployment of unproven technologies
    • 19% - Purchase of unneeded technologies

Source: ComputerWorld, August 23, 2005,,10801,104118,00.html

Regulatory Compliance – One Size Does not Fit All
  • Compliance is not a product
    • Combination of people, process, and technology
  • Why “SOX-in-a-box” is a myth
    • Or a misnomer
    • Enterprise IT systems are extremely complex
    • Regulations are not prescriptive
    • Regulations may have competing requirements
      • Ex: Log file retention times
      • Ex: PII storage
Sarbanes-Oxley
  • Section 404(a)(2) of the regulation: "[an internal control report, which shall] contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."
Control Weaknesses Reporting During SOX Compliance Work
  • Lack of adequate system documentation
  • Lack of audit training and experience
  • Lack of management oversight
  • Too many privileges: IT personnel often held more privileges than their job required, with insufficient separation of duties (e.g. one person holding multiple IDs, or generic/shared IDs with no accountable individual)
  • Inadequate handling of privilege changes related to promotions and job re-assignment
  • Documentation for small, routine maintenance tasks was often non-existent or inadequate
PCI Data Security Standard
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
Compliance Frameworks
  • Created by an organization to simplify the compliance process
  • A set of policies, procedures, and technologies that normalizes the organization’s approach to compliance
  • Benefits of compliance frameworks
    • Consistent policy based approach to compliance
    • Separation of concerns
    • Reduced reporting time
    • Easier maintenance
    • Centralized control
Legal matters
  • What is the company required to supply, by law?
    • Audit compliance
      • ISO, SAS70
    • Who is accountable for lack of compliance?
    • Will fees be levied or ops shut down?
  • Why it matters
    • Business continuity
    • Audit success
    • Policy enforcement
    • Reporting requirements
A Systematic Comprehensive Approach
  • First things first - What constitutes compliance?
    • Work with internal and external audit teams
    • Use “a suitable, recognized control framework established by a body of experts that followed due-process procedures.”

    • Understand there is a legacy – exceptions will have to be documented
    • Establish control frameworks
    • Translate policies to technical policies
      • The bits and bytes of compliance
      • Ex: Hierarchical administrator or superuser accounts
  • Identify what can be automated, and what can’t
Thinking through Compliance Requirements
  • What standards does the company need to adhere to? What devices/apps need to be covered?
    • Standard devices
    • Legacy systems
    • Home-grown applications
    • Internal: corporate policies
      • ISO compliance
    • External: regulations and partners
      • SOX, HIPAA, GLBA
      • Partner requirements
The Devil’s in the Details
  • Some Gotchas
    • Heterogeneous environments increase complexity
    • The weakest link device/application
    • Adherence to corporate standards, but failure in audit
    • Application development
    • Requirements for new devices – can new devices be added quickly within the compliance framework?
COSO
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO) is widely accepted around the world as an acceptable baseline framework for compliance
    • Prescribes risk management to achieve internal control objectives including efficiency and effectiveness of operations, financial reporting, and legal/regulatory compliance
  • COSO mandates that management:
    • Set control objectives for the enterprise
    • Identify events that can cause substantial negative consequences to the enterprise and therefore affect shareholder value
    • Assess risks associated with those events
The COSO cube
    • Objectives
      • Strategy
      • Operations
      • Reporting
      • Compliance
    • Entity’s Units
      • Entity
      • Division
      • Business unit
      • Subsidiary
    • Components
      • Internal environment
      • Objective setting
      • Event identification
      • Risk assessment
      • Risk response
      • Control activities
      • Information and communication
      • Monitoring
CoBiT – IT Governance Institute
  • A set of documents and resources that represent a framework of guiding objectives and processes for IT governance and audit control
  • An increasingly important guideline for properly implementing security controls within an organization
  • Many internal auditors choose CoBiT as an important foundation for audit activity within IT organizations
  • CoBiT contains 34 control areas over four high-level domains.
A conceptual diagram of a mapping from five COSO components to the high-level four CoBiT domains to SOX section 302 and section 404 compliance.

COSO Components and CoBiT Domains/Objectives (Source: ISACA’s “IT Control Objectives for Sarbanes-Oxley”)

ISO 17799
  • A detailed, internationally accepted security standard
  • Covers 10 major sections
    • Business continuity planning
    • System access control
    • System development and maintenance
    • Physical and environmental security
    • Compliance
    • Personnel security
    • Security organization
    • Computer and operations management
    • Asset classification
    • Security policy
  • Used by many companies around the world as their IT baseline
A Note on Framework Adoption
  • Don’t adopt any framework’s controls blindly
    • Must show evidence that ALL the controls your company specified are working
      • CoBiT has 34 control processes across its four domains; each can require as many as 10 control activities
    • However, be prepared to justify differences to auditors
Building a Toolbox - Realistically
  • Tools are not like stretch socks that can expand to fit the needs of a vast regulatory mandate
  • Enabling tools for increased efficiency and automation
    • Reporting
    • Change management
    • Technical policy management
    • Documentation management
    • Compliance checks
Not a simple problem…
  • There are many “moving parts” in the compliance toolbox
    • Compliance is a large project
    • Compliance may touch all systems in the enterprise
  • Devices and applications have disparate logs and reporting
    • There is no audit log standard
    • Proprietary applications may not have adequate logging or access to logs
  • If the data collected from the devices is to be trusted, security of the information on the device and in transit is a critical consideration
    • Agentless solutions are usually easier to deploy
    • But they may give you less control over the integrity of the audit data before it is handed off to the collector
Many of the ingredients may already be in your cupboard!
  • Many existing tools can be used in the compliance program
    • Auditing
    • Documentation
    • Network Management
  • Vendors are changing product features and positioning in response to the need for a compliance-oriented perspective
    • Providing additional hooks for process integration
    • Compliance oriented reporting
Financial Applications – Oracle and SAP
  • Many products contain (and are developing more) features that, if used correctly, help organizations with compliance
    • Project organization for documentation, testing, and sign-off for internal controls
    • Test procedures based on the risk management framework defined by COSO
    • Workflow procedures that accelerate testing and sign-off
    • Object-level analysis of segregation of duties (SOD)
    • Authorization administration
    • Real-time drill-down analysis and reporting
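The segregation-of-duties (SOD) analysis in the list above is the one item that can be expressed precisely in code: flatten each user's roles to the object-level permissions they confer, then test every pair of permissions that policy says one person must never hold together. The example below is added here and is not Oracle or SAP code; the roles, permissions, users and the conflict matrix are all constructed for illustration.

```python
"""Object-level segregation-of-duties (SoD) check over a constructed role model.

Added example. Roles, permissions, users and conflict pairs are invented for
illustration; they are not taken from Oracle, SAP or any real tenant.
"""
from itertools import combinations

# Conflict matrix: pairs of permissions that one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
    frozenset({"user.grant_role", "auditlog.purge"}),
}

# Role -> object-level permissions it confers (constructed).
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "gl_accountant": {"journal.post"},
    "controller": {"journal.approve", "report.view"},
    "it_admin": {"user.grant_role"},
    "it_ops": {"auditlog.purge", "backup.run"},
}

# User -> assigned roles (constructed).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},       # can create a vendor and approve its payment
    "carol": {"gl_accountant", "controller"},  # posts and approves the same journals
    "dave": {"it_admin", "it_ops"},            # grants rights and can purge the audit log
    "erin": {"controller"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Flatten a user's roles into the set of object-level permissions they hold."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Return {user: [(perm_a, perm_b), ...]} for every user holding a conflicting pair."""
    findings = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


def conflicting_role_pairs(role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Role-level view: pairs of roles that must never be assigned to one person.

    Useful as a preventive check in the authorization workflow, rather than
    only detecting the violation after the fact."""
    bad = set()
    for r1, r2 in combinations(sorted(role_perms), 2):
        union = role_perms[r1] | role_perms[r2]
        if any(pair <= union for pair in conflicts):
            bad.add((r1, r2))
    return sorted(bad)


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        print(f"{user}: {hits}")
    print("role pairs to block at assignment time:", conflicting_role_pairs())
```

The detective check (`sod_violations`) is what an auditor asks for; the preventive one (`conflicting_role_pairs`) is what the authorization administration workflow should consult before a role grant is approved.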
Document, Document, Document
  • Many of the regulations have heavy documentation requirements
    • Flow charts of internal controls
    • Written policies and procedures associated with those controls
    • Ability to access appropriate policies in a hierarchical view
  • A documentation system that can capture and present critical policies and procedures is required
    • Some vendors have released documentation tools specifically designed to aid in the compliance process
      • Ex: Lotus Workplace for Business Controls and Reporting, OpenPages SOX Express.
Network Monitoring
  • Monitoring performance, continuity of service, and service levels is a CoBiT control objective and very often a compliance requirement
  • Many organizations have network monitoring solutions in place from leading vendors such as IBM Tivoli, HP OpenView, and Computer Associates Unicenter
  • These solutions manage components that are already on a network; there is no need to replace these systems
  • However, many can be configured to provide evidence of control in support of compliance reporting
Change Management/Project Management
  • Change management tools deploy policy and configuration changes to a managed set of target devices and track the changes made
    • Many companies already have some change management systems in place
  • The compliance process is a large project – and needs to be managed as such
  • Project management tools and workflow can help:
    • Manage the assignment of tasks to individuals
    • Track the level of completeness
    • Provide reports to show overall progress and current status
Identity Management
  • Not called out specifically in many regulations, and not one of the CoBiT controls
    • However, unique user IDs and authenticators are recommended by CoBiT and required by many regulations, such as HIPAA
    • Without unique user IDs, tracking and controlling access and usage on systems housing healthcare, financial, and other sensitive data would be impossible
  • IdM is an important part of the compliance process for most organizations
Log Aggregation and Storage
  • Centralized storage of log and audit file activity
  • Managing this storage process is critical
    • How will the information be parsed when answers are needed?
  • Can the Storage Area Network (SAN) handle the data?
    • Many organizations have SANs from established vendors such as Symantec/Veritas and IBM/Tivoli
    • Will the additional audit log data storage requirements overtax the SAN?
Perimeter Controls and Isolation
  • Firewalls can be used to cordon off critical systems into highly protected zones
  • Virtual local area networks (VLANs) can be created to segregate systems involved in processing healthcare information or reporting financials
  • Intrusion detection and prevention solutions can be implemented to provide additional monitoring of access to systems and to block attacks
  • Network forensic tools capture all of the traffic on a network or network segment and record it for later use
    • Help administrators and auditors track users and system access
    • Used after an incident has occurred to piece together where systems failed and how to make them more robust in the future
  • Endpoint forensic tools can be used to examine the contents of a hard drive, and, in some cases, recover deleted information that may contain valuable evidence

Note: historical forensics and legal forensics are not the same

Security Event Information Management
  • SEIM tools are designed to monitor and manage security within an organization
    • Aggregate
    • Normalize
    • Correlate
  • Intelligent correlation is the key to avoid the “drowning in data” syndrome
    • Compliance specific correlation rules may be time intensive to create
    • Know thy systems and requirements in advance
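The aggregate/normalize/correlate pipeline above, and the "no audit log standard" problem from the earlier slide, are easiest to see on concrete input. The example below is added here and is not from any SEIM product: two constructed log formats (a syslog-style sshd line and a key=value line) are normalized into one schema, then two correlation rules run over the common events: a burst of failed logins followed by a success from the same source, and any successful login with a generic ID (the accountability gap from the SOX control-weakness slide). Both formats and all log lines are invented for illustration.

```python
"""Aggregate, normalize and correlate two unlike log formats (added example).

Both log formats and every event below are constructed for illustration;
they are not real device output. A real deployment parses the vendor's
actual format, but the normalize -> correlate structure is the same.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample stream: syslog-style lines from a Unix host mixed with
# key=value lines from a Windows-style host.
RAW_LOGS = """\
2005-08-23T09:00:01 fin-db01 sshd[412]: Failed password for svc_report from 10.1.2.3
2005-08-23T09:00:04 fin-db01 sshd[412]: Failed password for svc_report from 10.1.2.3
2005-08-23T09:00:07 fin-db01 sshd[412]: Failed password for svc_report from 10.1.2.3
2005-08-23T09:00:12 fin-db01 sshd[412]: Accepted password for svc_report from 10.1.2.3
ts=2005-08-23T09:05:00 host=fin-app02 event=4625 user=jdoe src=10.1.2.9 outcome=failure
ts=2005-08-23T09:30:00 host=fin-app02 event=4624 user=jdoe src=10.1.2.9 outcome=success
ts=2005-08-23T09:31:00 host=fin-app02 event=4624 user=admin src=10.1.2.9 outcome=success
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map one raw line to a common schema, or None if the format is unknown."""
    m = SYSLOG_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "user": m["user"], "src": m["src"],
            "action": "login",
            "outcome": "success" if m["result"] == "Accepted" else "failure",
        }
    kv = dict(KV_RE.findall(line))
    if {"ts", "host", "user", "src", "outcome"} <= set(kv):
        return {
            "ts": datetime.fromisoformat(kv["ts"]),
            "host": kv["host"], "user": kv["user"], "src": kv["src"],
            "action": "login", "outcome": kv["outcome"],
        }
    return None  # unknown format: count these, they are a coverage gap


def aggregate(raw):
    """Parse every recognised line and return the events in time order."""
    events = [e for e in (normalize(l) for l in raw.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a success preceded by >= threshold failures for the same
    (user, source) within the window: guessed or sprayed credentials."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failures
    for e in events:
        key = (e["user"], e["src"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((e["host"], e["user"], e["src"], len(recent)))
            failures[key].clear()
    return alerts


GENERIC_IDS = {"admin", "root", "administrator", "sa"}


def correlate_generic_ids(events):
    """Successful logins with shared/generic IDs: no accountable individual."""
    return [(e["host"], e["user"], e["ts"].isoformat())
            for e in events if e["outcome"] == "success" and e["user"] in GENERIC_IDS]


if __name__ == "__main__":
    evs = aggregate(RAW_LOGS)
    print(correlate_bruteforce(evs))
    print(correlate_generic_ids(evs))
```

The rules only work because both sources were first reduced to the same field names; that normalization step is where most of the "know thy systems in advance" effort goes, since every new device type needs its own parser before any compliance-specific rule can see it.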
Compliance Dashboards?

*Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Personal Information Protection and Electronic Documents Act (PIPEDA)

Compliance Dashboards
  • An emerging space
    • Portal-based view into metrics, configuration settings and other indicators of activity
    • But most regulations are not prescriptive enough to translate to a “one size fits all” portal view
      • And vendors may focus on different areas of compliance (SOX, HIPAA, Basel II)
    • Dashboards can be customized to report on areas of compliance based on company defined indicators
      • But the company must determine the controls and indicators to be monitored
      • Even with customization the dashboard will (most likely!) not be able to supply transparency and reporting on every component of compliance
A Quick Checklist
  • Read the regulations and determine target compliance policies and requirements
  • Perform a security gap analysis
  • Identify gaps between existing practices and the targets
  • Determine the steps needed to close the gaps – and document any exceptions
  • Create an action plan for on-going compliance and assessment
  • Implement, monitor and maintain
  • Call in outside experts as needed
  • Compliance may not be a product – but products can help ease the burden
  • Create a compliance framework for the enterprise
  • New regulations are inevitable – frameworks help keep organizations compliance hardy