
Achieving integrated mandatory compliance with ISO 31000

587 views

Published on

The webinar covers:
• Overview of ISO 31000
• Overview of PCI and HIPAA compliance
• Achieving integrated compliance through ISO 31000

Presenter:
This webinar was presented by Bogdan Dragomir, a security professional with over 24 years of experience in the IT field, including over 5 years as a Regional Security Manager with Savvis Communications, where he was responsible for leading multiple security initiatives, acting as trusted adviser for many companies in the South and Central US, and coordinating penetration testing across the US and UK. He is an expert in the areas of Risk Management, Integrated Compliance, Secure Architecture Design and Analysis, Incident Management, Security Assessment and Auditing.

Link of the recorded webinar published on YouTube: https://youtu.be/gzwOFKCOYVo

Published in: Education

Achieving integrated mandatory compliance with ISO 31000

  1. Bogdan Dragomir – Job Positions
     Bogdan Dragomir is a security professional with over 24 years of experience in the IT field, including over 5 years as a Regional Security Manager with Savvis Communications, responsible for leading multiple security initiatives, acting as trusted adviser for many companies in the South and Central US and coordinating penetration testing across the US and UK.
     (657)-200-5506 | bdragomir@gmail.com | https://www.linkedin.com/in/bogdandrago | twitter.com/name.surname | fb.com/name.surname
  2. Achieving PCI-DSS compliance through ISO 31000 adoption
     By: Bogdan Dragomir – QSA, Six Sigma Lean Professional, CMS, Six Sigma Black Belt, Jonah's Jonah®, Certified ISO 27001/22301/31000 trainer
  3. ISO 31000
     • ISO 31000 – “a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”
     • Developed by the International Organization for Standardization (ISO) and based on AS/NZS, ISO 31000 provides principles and generic guidelines on risk management.
  4. PCI DSS
     • The Payment Card Industry Data Security Standard – a standard enforced on merchants and geared to securing customer card information.
     • Encompasses 12 domains and over ten times as many controls.
     • Apparently no relationship with ISO 31000. However….
  5. The problem
     • IT management focuses on security as an abstract concept, often driven by compliance.
     • Compliance focuses on mapping what IT does and ticking (or not) the requirement box(es).
     • Often the compliance lifecycle is not integrated with, or supported by, anything other than the fines imposed.
  6. The reality
     • Many companies fail to become compliant, or to maintain compliance at all times, because they address the requirements and not their intent.
     • PCI-DSS and other mandatory industry standards rely on an implied organizational CMMI level of 3 or above, with some processes needing to be at level 4 or above.
     • All mandatory (compliance) standards are vertical standards: industry-specific standards, based on common industry risks, that aim to guide towards a common approach to risk treatment.
  7. “Listen” and “silent” use exactly the same letters but describe different activities
     • In a parent-child relationship, Risk is the parent and Security is the child.
     • There is no point in deploying security solutions for nonexistent risks.
     • Addressing punctual requirements while missing their intent is the new approach to compliance.
  8. Governance, Risk and Compliance (GRC)
     The good:
     • Great concept
     • Well publicized
     • Realistic
     The bad:
     • Misunderstood
     • Can induce confusion
  9. ISO 31000 Overview
     • Mandate and Commitment
       – Design of framework
         • Organization context
         • Risk management policy
         • Integrated risk management
       – Implement risk management
         • Implement framework and associated processes
       – Monitor and review framework
       – Improve framework
  10. The value
     • The biggest value in adopting ISO 31000 lies in its promotion of continuous improvement, diligent management practices and ongoing monitoring.
     • The biggest value in adopting PCI-DSS is in meeting the minimum security state recognized by the industry.
  11. The danger
     • There is no danger in adopting only ISO 31000.
     • Adopting only PCI-DSS:
       – might or might not ensure proper management sponsorship;
       – might or might not ensure proper readiness for other mandatory compliance regimes (SOX/HIPAA/etc.);
       – might not be a sustainable approach.
  12. Doing what makes sense vs. doing what is expected
     “Unless companies transition from the mindset of regulatory risk management to comprehensive IT risk management they will never truly see the long-term benefit or continual compliance.” – Mohammed Akbar
     – Deploy your own risk management framework.
     – Own your risk catalog and risk rating.
     – Define your inherent risks.
     – Assess your controls and assess their effectiveness.
     – Analyze the residual risks and …
     – Use compliance ONLY when making risk treatment decisions.
  13. How to achieve lasting compliance using a sustainable approach
  14. Prepare your organization
     • PCI-DSS and other mandatory industry standards rely on an implied organizational CMMI level 3 or above, with some processes needing to be at level 4 or above.
  15. CMMI level 3 or level 4?
     • CMMI defines maturity level 3 as the first level where processes are tailored to the organization’s goals and proactively managed. CMMI level 3 assures synergy between policies, processes and process management, consistently producing the expected results.
     • CMMI level 4 is defined as the first maturity level where processes are measured and controlled.
     • To achieve sustainable compliance, organizations have to ensure that at minimum Change Management, Asset Management and Risk Management are at CMMI level 4.
  16. Define and deploy a Risk Management Framework
     • Use ISO 31000.
     • Go granular when documenting your risks (many sources, e.g. BITS).
     • Document your risk threshold and risk appetite criteria.
     • Communicate your vision and how it relates to your organization’s mission.
     • Define and document your risk-management-related processes (asset management, change management, etc.) – and ensure they are integrated!
  17. What about Change Management and Asset Management?
     • PCI-DSS doesn’t spell out risk management as a required workflow or defined process, but it does rely on it when it allows organizations to use compensating controls.
     • It doesn’t require asset management, but it does require an inventory and so much more.
     • It doesn’t say we need a change management process, but it requires assessments to be performed after any major change…
     ……Can one still think these processes are not required?
  18. “The pineapple is not a single fruit but a group of berries that have fused together”
     • Having processes at the right maturity level is critical, but it is not the only thing we need; in addition to the correct maturity level we need to ensure flawless process integration. Change Management is great, and so are Risk Management and Asset Management, but if they are not synchronized they might as well not exist.
  19. Why deploy ISO and not DSS
     • ISO establishes management commitment – DSS assumes it exists.
     • ISO establishes a risk management methodology concept – DSS uses a pre-defined one (the most common risks within the industry).
     • ISO establishes continual improvement processes – DSS relies on PCI-DSS versions, which might be slower than risk evolution.
  20. …continued
     • ISO sets the bar at organization-specific risk treatment – DSS sets the bar at a holistic level.
     • ISO implementation enables compliance readiness for multiple industry standards.
     • ISO forces a maturity increase – DSS relies on increased maturity.
  21. Questions?
     THANK YOU
     (657)-200-5506 | bdragomir@gmail.com | https://www.linkedin.com/in/bogdandrago | twitter.com/name.surname | fb.com/name.surname
