Compliance Scorecard/Dashboard Program
Glenn Gunara-Chen
Consulting Services
Agenda
• Experience in Compliance within Public Sector
• Case Study:
– IMPACT Scorecard Program and Compliance Dashboard
Experience
• United States FISMA Scorecard
– Environmental Protection Agency (EPA)
– Smithsonian Institute
• IMPACT
IMPACT?
• The International Multilateral Partnership Against Cyber-Threats (‘IMPACT’) is a global initiative that was launched at the IMPACT World Cyber Security Summit.
• More than 27 countries are represented and it is the largest global partnership ever organised on cyber-terrorism.
• IMPACT is the world’s first truly international, public-private sector collaborative institution against cyber-threats.
IMPACT serves as a platform to stimulate co-operation between governments, as well as between governments of the world and the international private sector. IMPACT will effectively enhance the capability of the global community to prevent, defend against and respond to cyber threats.
IMPACT Security Framework
• Asset inventory
• Asset categorization
– High
– Moderate
– Low
• Security controls
– Management: Risk Assessments, Planning, System and Services Acquisition, Certification, Accreditation and Security Assessments
– Operational: Personnel Security, Physical and Environmental Protection, Contingency Planning, Configuration Management, Maintenance, System and Information Integrity, Media Protection, Incident Response, Awareness and Training
– Technical: Identification and Authentication, Access Control, Audit and Accountability, System and Communications Protection
Compliance overview
[Diagram: compliance lifecycle in three phases, Define, Control and Govern, captioned “Determine risk and develop appropriate policies”, “Monitor compliance and remediate problems” and “Demonstrate due care and optimize controls”.
Regulations: SOX, HIPAA, GLBA, FISMA, Basel II. Frameworks: COSO, COBIT, ISO17799, NIST. Standards: Internal policies, PCI-DSS, CIS, NIST, NSA.
These feed Corporate Policies, which drive IT control checks (Measure, Record, Report) across Operating Systems, Databases, Applications, Directories and People.]
IMPACT Government Security Scorecard (IGSS) System
Summary of Approach
[Diagram: process steps Create, Map, Publish, Assess, Fix, applied to four control types: Written Policy, Procedural Controls, Technical Controls and Exception. Scoped by Risk Level against PCI, SOX, Basel II, NIST, COBIT and ISO.]
• Corporate Policies: Info Security, Access Control, Termination
• Control self assessment: questionnaire responses, risk-based prioritization
• Entitlements review: group\file permission, classify & assign owners, approval workflow
• Configurations: security best practices, remediation
• Vulnerabilities: non-credentialed checks, credentialed checks, patch management
Introduction to IMPACT Scorecard
• Consolidated view of compliance levels
– Automated
• Dashboard view
– Drill down capability
• Management Reporting capabilities
– Independent assessment
– Grading system
• Center of Excellence
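As an added illustration (not code from the IMPACT programme or Symantec), here is a minimal Python model of the scorecard logic the slides describe: assets categorised High/Moderate/Low, collector check results mapped to the Management/Operational/Technical control families, a weighted per-family drill-down, a risk-prioritized finding list and an overall grade. The weights, grading thresholds, control-to-family table and sample data are assumptions for the example.

```python
from collections import defaultdict

# Asset categorization levels from the IMPACT Security Framework slide.
# The numeric weights are an assumption for this example, not IMPACT's own.
RISK_WEIGHT = {"High": 3, "Moderate": 2, "Low": 1}

# Control families as grouped on the framework slide (abbreviated list).
FAMILY = {
    "Risk Assessment": "Management", "Planning": "Management",
    "Incident Response": "Operational", "Configuration Management": "Operational",
    "Access Control": "Technical", "Audit and Accountability": "Technical",
}

def score_ministry(assets, results):
    """Aggregate pass/fail control checks into a consolidated score.
    assets: {asset_id: risk level}; results: (asset_id, control, passed) tuples.
    Returns (overall_percent, per_family_percent, prioritized open findings)."""
    earned, possible = defaultdict(float), defaultdict(float)
    findings = []
    for asset_id, control, passed in results:
        weight = RISK_WEIGHT[assets[asset_id]]   # higher-risk assets count more
        fam = FAMILY[control]
        possible[fam] += weight
        if passed:
            earned[fam] += weight
        else:
            findings.append((assets[asset_id], asset_id, control))
    per_family = {f: round(100 * earned[f] / possible[f], 1) for f in possible}
    overall = round(100 * sum(earned.values()) / sum(possible.values()), 1)
    # Risk-based prioritization: failures on High assets surface first.
    findings.sort(key=lambda f: -RISK_WEIGHT[f[0]])
    return overall, per_family, findings

def letter_grade(percent):
    """Grading scale is an assumption for the example."""
    for floor, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if percent >= floor:
            return grade
    return "F"

# Constructed sample data for one ministry, as a collector might report it.
SAMPLE_ASSETS = {"hr-db": "High", "web-portal": "Moderate", "kiosk": "Low"}
SAMPLE_RESULTS = [
    ("hr-db", "Access Control", True), ("hr-db", "Audit and Accountability", False),
    ("hr-db", "Incident Response", True), ("web-portal", "Configuration Management", False),
    ("web-portal", "Risk Assessment", True), ("kiosk", "Planning", False),
]

if __name__ == "__main__":
    overall, per_family, findings = score_ministry(SAMPLE_ASSETS, SAMPLE_RESULTS)
    print(overall, letter_grade(overall), per_family, findings)
```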
IMPACT Scorecard Diagram
[Diagram: Federal Compliance Enforcement Agency; Malaysian Federal Government Ministries; IMPACT Scorecard; Meta Database; Collectors.]
Methodology ensures users receive the information they need, when they need it.
The CoE configures and supports the solution to meet bespoke needs.
Sample IGSS Dashboard View (1/3)
Sample IGSS Dashboard View (2/3)
© 2007 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.
Thank You!