Leveraging Frameworks to Develop an Effective Control Environment. W. Wade Sapp, CUNA Mutual Group, February 11, 2015
Transcript
Page 1: Leveraging Frameworks to Slide Heading Develop an ... 2014 Framework... · Leveraging Frameworks to Slide Heading . Develop an Effective Control Environment . ... • Hardware Loss,

Leveraging Frameworks to Develop an Effective Control Environment

W. Wade Sapp

CUNA Mutual Group, February 11, 2015

Page 2

Introductions

• Presenter – Wade started his professional career as a financial institution examiner during the end of the Savings and Loan crisis. Regulating suffering financial institutions provided a rich environment to analyze, learn from and mitigate failed internal controls. Past successful projects include designing and implementing general ledgers, information system conversions and internal control framework implementation and testing.

• Company – CUNA Mutual Group, Madison, WI – CUNA currently utilizes a hybrid financial reporting control framework to satisfy Model Audit Rule requirements, issues a SOC 1 for its Pension Operations, and issues three separate SOC 2 reports for various product lines.

Page 3

Agenda

Review of 2014 Events

Framework Definition

Where to begin

Basic Framework principles

Popular Frameworks

Page 4

Looking Back at 2014

• 783 (reported) U.S. data breaches
• 27.5 percent increase over 2013
• 18.3 percent increase over the previous high of 662 breaches tracked in 2010
• Medical/Healthcare industry topped the list at 42.5 percent of reported breaches
• Business sector 33 percent
• Government/Military 11.7 percent
• Education 7.3 percent
• Banking/Financial 5.5 percent

Presenter
Presentation Notes
So let's take a look back at recent history and at what is going on in our world. The number of U.S. data breaches tracked in 2014 hit a record high of 783, according to a recent report released by the Identity Theft Resource Center (ITRC) and sponsored by IDT911. This represents a substantial hike of 27.5 percent over the number of breaches reported in 2013 and a significant increase of 18.3 percent over the previous high of 662 breaches tracked in 2010. The number of U.S. data breach incidents tracked since 2005 also hit a milestone of 5,029 reported incidents, involving more than 675 million estimated records. Continuing a three-year trend, breaches in the Medical/Healthcare industry topped the ITRC 2014 Breach List with 42.5 percent of the breaches identified in 2014. The Business sector continued in its second-place ranking with 33.0 percent of the data breach incidents, followed by the Government/Military sector at 11.7 percent. These were followed by the Education sector at 7.3 percent and Banking/Credit/Financial at 5.5 percent.

These stats were surprising to me, especially the medical industry. Last year I attended a cybersecurity essentials meeting in Chicago. Several government agencies were represented, including the Department of Homeland Security and the FBI. One of my key takeaways was the fact that 50K medical records taken off-shore to be used for fraudulent Medicare claims can net $11 million.
Page 5

Looking Back at 2014

• Hacking generated 29.0 percent of 2014 breaches
• Subcontractor/Third Party 15.1 percent
• Accidental Exposure of information 11.5 percent
• Data in Transit 7.9 percent
• Hardware Loss, Employee Negligence, Accidental Web Exposure, Paper Breaches and Other 36.5 percent
• "Without a doubt, 2015 will see more massive takedowns, hacks, and exposure of sensitive personal information like we have witnessed in years past," Adam Levin, founder and chairman of IDT911

Presenter
Presentation Notes
IDT911 is a consulting firm. Since 2003, IDT911 has been leading the charge against hackers, thieves and even simple human error.
Page 6

2015 Predictions

• In the past 12 months, GM reported more than a $3.8 billion hit for vehicle repairs and compensation for accident victims from its 71 recalls covering close to 30 million vehicles
• Forrester predicts an even more challenging risk and compliance business environment in 2015, with even greater corporate blunders, stricter regulatory enforcement, and executives who will continue to fail to address their most important customer-facing risks
• In 2015, a single corporate risk event will lead to losses topping $20 billion
• JPMorgan Chase & Co. (JPM) Chief Executive Officer Jamie Dimon said the biggest U.S. bank will probably double its $250 million annual computer-security budget within the next five years.

Source: The GRC Playbook by Christopher McClean, Nick Hayes, and Renee Murphy, November 12, 2014

Presenter
Presentation Notes
Cyber events have long tails. The fallout can adversely affect an organization for years, if it survives. The cyber attack on J.P. Morgan Chase over the summer may have compromised information about 76 million households, including customer names, addresses, phone numbers and email contact information. In addition, the breach affected about 7 million of J.P. Morgan's small-business customers.
Page 7

Technology Challenges

The Grand Balancing Act
• Keep the lights on – SLAs
• ROI – Value Delivery
• Manage Costs – Budget vs Actual
• Master Complexity – DCO, Cloud, Mobile, BYOD
• Align Technology with Business Objectives
• Regulatory Compliance
• Risk Management
• Security – Patching, Securing without Breaking

Presenter
Presentation Notes
You have to provide the perception of delivering value, which means that you have to benchmark against something, such as service level agreements, budget to actual, or other key performance indicators.
Page 8

What is a Framework?

Framework Definition
• The basic structure of something
• A set of ideas or facts that provide support for something
• A supporting structure: a structural frame, foundation, skeleton; holds everything up
• "When you decide to not pick a public framework, you will end up with a framework anyway: your own." Ryan Florence, 2014

Presenter
Presentation Notes
During my college days, my brother and I built homes for Ryan Homes in Baltimore. Monday morning we would start with a foundation with bolts sticking out of the concrete and a steel beam traversing the basement crevice. When we went home Friday evening, the house was up, under roof and the tar paper was on. The next Monday morning we would be back, and when we left again on Friday, all the interior walls were up, all external doors and windows were in, and as a finishing touch we would install the sheetrock clips so the sheetrock crew could quickly hang the sheetrock, get it mudded and taped, finished, and move on to the next house. Now, we didn't just throw these houses together: from the base plate on the foundation to the tar paper on the roof they had to be built according to the blueprint; they had to be square, strong, within code, and delivered on time.

Today we're going to talk about a few frameworks and framework strategies. We're going to talk about right-sizing your organization's internal control framework and a few methods on how to ensure the supporting controls are effective. Controls cost money. If properly blueprinted, a lean and effective framework will protect your organization from most adverse actions and will provide a much greater probability that you will meet stated objectives. And it will free up poorly spent risk dollars to mitigate other issues.
Page 9

Framework Relevance

• Frameworks are used against you every day
• Regulatory Compliance Requirements
• Elected Frameworks: PCI Certification, ISO 27001
• Process Improvement
• Risk Mitigation
• Failed to meet objectives
• Breach, Fraud
• Just good business

Presenter
Presentation Notes
Hopefully, I have designed this presentation to be relevant to your environment. 2014 was the year of the breach, as was 2013. Major cyber attacks on organizations resulted in millions of exposed records, billions spent on remediation and significant damage to many brands. While cybercriminals enjoyed a profitable year at the expense of many enterprises, the APT has continued to enjoy success stealing sensitive data in espionage attempts. We have a now not-so-new direct-to-consumer brand called TRUstage. It's my understanding that when the TRUstage website went live, it was being probed in under 30 seconds.

A few facts from 2014: cybercrime, hacktivism and advanced attacks all continue to threaten enterprise networks, and they continue to increase against our precious utility infrastructure. Web-based attacks outnumbered email-based attacks nearly three to one. Attacks are much more nation-state sponsored. The 16-year-old geek sitting in his basement has been replaced by well-trained, well-funded cyber teams who go to work each day just like we do. The only difference is that our objectives are 180 degrees out of phase: we try to keep them out while they are trying to get in.

A framework, any framework, if implemented reasonably well, will deliver improved monitoring and reporting, better risk identification and response, and more opportunities for risk-based decision making. Frameworks are not just about financial reporting, credit card data or satisfying those pesky auditors. Today, you can pretty much find a framework to guide you through developing a control environment that provides reasonable assurance that your organization meets its objectives, whatever those objectives are. Your competitors use them; hackers use them. Your framework, whatever the definition of that is, needs to be complete: all material risks identified and mitigated to an acceptable level, and proven effective through testing.
Keep in mind that implementing a framework is not an all-inclusive internal control environment. It is possibly the bare minimum set of controls your organization needs.
Page 10

Framework Advantages

• Provide a comprehensive and systematic approach to more proactive and holistic risk and opportunity management

• Provide a standardized dictionary of key risk and control terminology and acronyms

• Require that organizations examine their complete portfolio of risks, consider how those risks interrelate, and that management develops an appropriate risk mitigation approach to address these risks in a manner that is consistent with the organization’s strategy and risk appetite

Presenter
Presentation Notes
The biggest value add of any framework is its systematic approach and its promotion of continuous improvement, diligent management practices, ongoing monitoring, and risk classification and mitigation. "Frameworks: abstract the stuff you need to do all the time and focus instead on what makes your app unique." Put that in context for your environment. To me it means: develop an internal control framework to ensure routine, repeated actions occur consistently and as expected, freeing my time up to focus on unique or new issues. A framework will provide consistent results from standardized business processes, freeing up resources to focus on other requirements: ad-hoc issues, new business, new business requirements.
Page 11

Ethical Hacking Framework

Presenter
Presentation Notes
PLANNING THE TEST - As with anything worth doing, proper planning is essential to performing a successful project. Existing security policies, culture, laws and regulations, best practices, and industry requirements will drive many of the inputs needed to make decisions on the scope and scale of a test.
SOUND OPERATIONS - Who does what, when, where, for how long, who is out of bounds, and what is in bounds of a test all need to be addressed.
RECONNAISSANCE - Reconnaissance is the search for freely available information to assist in the attack. The search can be quick ping sweeps to see what IP addresses on a network will respond, scouring newsgroups on the Internet in search of misguided employees divulging useful information, or rummaging through the trash to find receipts for telecommunication services.
ENUMERATION - Enumeration (also known as network or vulnerability discovery) is essentially obtaining readily available (and sometimes provided) information directly from the target's systems, applications, and networks.
VULNERABILITY ANALYSIS - There is a logical and pragmatic approach to analyzing data. Testers interpret the information collected during enumeration, looking for relationships that may lead to exposures that can be exploited.
EXPLOITATION - Of course, all of this planning must lead to some form of attack (test).
DELIVERABLE - Found a hole, got /etc/shadow, cracked the passwords, and took over your shipping application.
INTEGRATION - Mitigate the vulnerability, transfer the risk, or accept the risk.
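The SOUND OPERATIONS phase above (who is in bounds, what is carved out, when testing may run) is the one most often enforced only on paper. The Python below is an added example, not code from the presentation or from CUNA Mutual: a rules-of-engagement gate that reconnaissance tooling consults before a ping sweep touches any host, built on the standard library's ipaddress module. The in-scope network 192.0.2.0/29, the excluded host 192.0.2.3, the 22:00 to 06:00 window and every address in the usage are constructed sample values.

```python
# Added example (not from the presentation): a rules-of-engagement gate that
# reconnaissance tooling consults before touching any host.  All networks,
# hosts and times are constructed sample values.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RulesOfEngagement:
    """The written scope of a test: what is in bounds, what is carved out, and when."""
    in_scope: Tuple[IPv4Network, ...]
    excluded: Tuple[IPv4Network, ...] = ()
    window_start: time = time(22, 0)   # agreed testing window, local time
    window_end: time = time(6, 0)      # wraps past midnight

    def host_allowed(self, host: str) -> bool:
        """In bounds only if some in-scope network contains the host and no exclusion does."""
        addr = ip_address(host)
        if not any(addr in net for net in self.in_scope):
            return False
        return not any(addr in net for net in self.excluded)

    def in_window(self, now: datetime) -> bool:
        """True inside the agreed window; handles a window that wraps past midnight."""
        t = now.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end

    def sweep_targets(self) -> List[str]:
        """Every usable address a ping sweep may probe: in scope minus exclusions."""
        return [str(addr)
                for net in self.in_scope
                for addr in net.hosts()
                if not any(addr in ex for ex in self.excluded)]


def build_sample_roe() -> RulesOfEngagement:
    """Constructed scope: one /29 from the documentation range, one host excluded."""
    return RulesOfEngagement(
        in_scope=(ip_network("192.0.2.0/29"),),
        excluded=(ip_network("192.0.2.3/32"),),
    )


def check_run(roe: RulesOfEngagement, requested: List[str], when_iso: str) -> Dict[str, object]:
    """Gate a requested target list.  Outside the window nothing is allowed;
    inside it, each host is allowed or rejected on scope alone."""
    now = datetime.fromisoformat(when_iso)
    if not roe.in_window(now):
        return {"in_window": False, "allowed": [], "rejected": list(requested)}
    allowed, rejected = [], []
    for host in requested:
        (allowed if roe.host_allowed(host) else rejected).append(host)
    return {"in_window": True, "allowed": allowed, "rejected": rejected}


if __name__ == "__main__":
    roe = build_sample_roe()
    print("sweep may touch:", roe.sweep_targets())
    print(check_run(roe, ["192.0.2.4", "192.0.2.3", "198.51.100.7"], "2015-02-11T23:30:00"))
```

The gate is deliberately dumb: it answers only "is this host in the written scope and is it the agreed time", and the scanner must refuse to run on anything it rejects. An address outside every in-scope network is rejected the same way as an explicitly excluded one, so a typo in a target list fails closed rather than scanning a neighbour's network.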
Page 12

Hacking Framework

Presenter
Presentation Notes
These folks had a plan
Page 13

Hacking Framework

Presenter
Presentation Notes
And these folks are looking for a plan, or to implement one, maybe against you. Vulnerable internet-facing industrial systems controlling crucial equipment used by power plants, airports, factories and other critical systems are subjected to sustained attacks within hours of appearing online, according to new honeypot-based research by Trend Micro. The security weaknesses of SCADA (supervisory control and data acquisition) industrial control systems have been a major focus of interest in information security circles for the last three years or so.
Page 14

Hacking Framework

Presenter
Presentation Notes
Group Discussion
Page 15

Framework Complexity

Presenter
Presentation Notes
This is a short list of suggested frameworks for the Healthcare industry. No company can afford to implement all of these frameworks and supporting controls. As framework selectors and implementers, we need to understand what risks we have in our environment, and which of those risks fall outside management's risk appetite.
Page 16

Framework Complexity

Presenter
Presentation Notes
If you notice, this slide is dated. It refers to ISO 17799, which has since been renumbered as ISO/IEC 27002, the control catalogue that accompanies ISO/IEC 27001. Frameworks are somewhat overlapping. Sometimes an organization does need to implement an entire framework. Sometimes the right answer is pulling sections or principles from various frameworks to build an effective internal control environment. At CUNA, we primarily utilize COBIT, PCI and ITIL. We have also mapped some controls to ISO in anticipation of implementing that framework in the future.

Regarding information security, keep in mind that protecting data and the technology environment requires a layered control approach. If your front-line security controls fail, what is the second layer of defense? What is the third layer? Most companies cannot or will not fund an iron-clad, risk-free control requirement, nor would your customers tolerate it. Controls need to be effective and mitigate risk, but they also cannot hinder system performance and tarnish the customer experience. A right-sized internal control framework can help deliver expected results, but you can guarantee that over time some controls will break, which is why you need a layered defense.
Page 17

Framework Project Risks

• May be difficult to gain momentum
• Does not completely eliminate all risk; can only provide reasonable assurance that risk will mostly remain within acceptable risk parameters
• Does not guarantee regulatory compliance
• Does not guarantee Return On Investment
• Could be a career limiting move
• Inadequate planning and project management could escalate framework costs and waste resources

Presenter
Presentation Notes
Think about how busy the folks in your organization are. They have customers to service. They already have various audits and regulatory examinations to deal with. Maybe your company is growing and the headcount is not keeping up with service delivery demand. And then you come through to tell them you are implementing this wonderful new framework. Be respectful of those who have daily responsibilities, and try to understand where they are coming from. Sometimes you may need to shuffle your schedule around according to the schedule of others. Be flexible when you can; a little consideration will go a long way. Framework implementation is not a one-time affair. Take time to build relationships as you go. They will pay huge dividends in the future.
Page 18

Framework Comparison

Presenter
Presentation Notes
Discuss redundancies
Page 19

Framework Comparison

Presenter
Presentation Notes
An example of framework comparisons. These are a comparison of some of the major frameworks showing where they fit at various levels of abstraction within the enterprise. More abstract at the top, more refined as you travel down the slide.
Page 20

Where to Begin

• Develop a high level scope
• Inventory relevant processes, assets, vendors, stakeholders, roles and responsibilities
• Don't reinvent the wheel
• Leverage existing frameworks and controls
• Conduct a readiness assessment, identify gaps
• Develop an information and communication plan

Presenter
Presentation Notes
SCOPE - What do you want to accomplish? Business objectives? Prioritize by department or entity... eat the elephant one bite at a time. Watch for lack of conceptual clarity about goals and objectives. Harms and exposures to bring into scope: physical or emotional harm; adverse use of stolen records, ransomware, identity theft; destroyed data; reputation and social media; revenue; financial reporting and compliance; cloud; other stakeholder goals and objectives.

INVENTORY - You will need to understand the processes, systems, locations, etc. that fall within the scope of the project to build your budget and timeline: service levels; classified assets (digital secrets, tax strategy, projections, R&D, inventory, prototypes); contractual requirements; pension and payroll.

Let's talk a little about stakeholders. When we implemented our Model Audit Rule internal control framework we spent a material amount of time with the VPs of the respective business processes. They walked us through their business operations and we developed a process narrative and identified a list of risks and compensating controls. As we worked through the test-of-design phase, more than once when we got to the process manager's desk we were told, "Gee, we haven't done it like that in two years." A word of caution: be careful about moving through your project without validating your information. If you have spent any amount of time in your organization you likely have a feel for the effectiveness of the communication and information-sharing process, or how ineffective it is. Some organizations maintain pretty good, current process documentation, and sometimes it varies by department, division, subsidiary, etc. Be careful not to assume that because you were provided good documentation by the last business unit, the next business unit will also have current information readily available. Think through the authority levels of your stakeholders. Stakeholders need to step up and be responsible for the framework. You can facilitate it, but you can't own it.

You may find as you progress through the project that you don't yet have the correct individuals at the table. Items to consider: be careful of what you promise. You may need to provide different scenarios based upon scope, schedule, cost and quality. Are all relevant areas of risk represented? Does the representative have the proper level of authority? Budget, problem escalation and resolution, adequate knowledge, too high or too low in the chain of command? My theory on authority levels is, you cannot say yes if you don't have the authority to say no. I used to visit the General Motors plant in Wilmington when I worked at their credit union. Every worker on the assembly line had the authority to stop the assembly line. They had the authority to say no, which empowered them to ensure the quality of the vehicles being produced. I have sometimes rejected control testing because the individual who approved or certified the activity did not have the correct level of authority.

What do you want to accomplish? What are your deliverables? Is the expectation to just implement a framework or a subset of a framework? Maybe you just need to implement a subsection to mitigate a risk or vulnerability. Or does the framework you are implementing come with a certification as a deliverable, such as PCI certification? You need to clearly understand the culture of your organization and of those managing your in-scope processes, especially if you have foreign operations or subsidiaries in scope. What may be a standard ethical practice in the US may not exist in your off-shore operations. When we implemented Model Audit Rule, we identified approximately 200 control gaps during our assessment, most of which consisted of controls in place that were not properly documented, which was an easy fix. We also leveraged existing SAS70 controls and used them as a base to help establish our IT general control implementation.

Talk to your compliance folks; identify previously established controls and frameworks. Don't be shy: talk to your external auditors and see if you can leverage any of their work. What resources and expertise are available? Contract or hire the gaps? Don't hesitate to bring in a professional to get you started and save some time. You also need to understand the speed of your business. In our organization, we sometimes have to go out three weeks to get on someone's calendar, especially if you need to invite multiple people. A realistic timeline is critical.
Page 21

Policies and Procedures

Policies
• Define expected standards of behavior
• Establish high level structures and processes
• Set fundamental requirements and limits, and allocate responsibilities
• Establish control mechanisms

Procedures
• Describe in detail the process or steps to be taken in order to implement a policy
• Apply to a specific area or process

Presenter
Presentation Notes
As you work through your corporate documents and processes you will be identifying documentation gaps. Sometimes compliance is as simple as adding a sentence to an existing document. On the other end of the spectrum you may identify required policies or standards that do not exist. The key is that by getting your documentation in order, you will begin to change behavior to a more compliance-oriented mindset, increasing the probability of future compliance. People ensure controls are properly designed and effective. Framework compliance is not a point in time; it's a continuous mindset.

The concept and quantification of risk is defined and understood differently between entities and throughout an organization. In order to ensure an enterprise risk strategy is being executed, a proactive culture of risk prevention and process development is required. Adding requirements and expectations to your corporate documentation will significantly improve your probability of an effective control environment. The key point regarding policies and procedures is that the implementation of an effective, sustainable control framework will usually require significant culture change. Clear, concise documentation will provide a good return by helping to ensure compliance. Most people want to do the right thing, but they need your guidance to understand what the right thing is.

• Explain control expectations in your documentation
• Explain consequences of non-compliance
• Documents must be maintained and readily available for all interested parties. Don't forget your contractors, interns, off-shore folks, visitors
• Insert your framework into your new hire orientation
• Conduct lunch and learns
• Maybe record some short skits. Have fun with it. The more interesting you can make a dry subject, the more the audience will retain.
Page 22

The COSO Principles

Control Environment
1. The organization demonstrates a commitment to integrity and ethical values
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives

Presenter
Presentation Notes
You may be thinking, COSO? That's operational audit guidelines. But in today's world the auditor needs to understand the entire business process, especially if you are a consultant. If your organization cannot be successfully benchmarked against these guiding principles, it is going to be difficult to implement an effective control framework.
1. Tone at the top: establishes and evaluates standards of conduct, addresses deviations; code of conduct, speak-freely hotline, gift policy.
2. Establishes oversight responsibilities, applies relevant expertise, operates independently, provides oversight on the control environment, risk assessment, information and communication, and monitoring activities.
3. Considers all structures of the entity and reporting lines; defines and assigns authority limits and responsibilities.
4. Establishes policies and expected practices; evaluates competence and addresses shortcomings; attracts, develops and retains individuals with the correct skill sets; succession planning; the right people doing the right things at the right time for the right pay.
5. Enforces accountability and authority as defined in the structure; establishes and evaluates performance measures, incentives and rewards; considers excessive pressure (single points of failure, impossible workloads...). I added this one: provides a confidential opportunity to speak freely.
Page 23

The COSO Principles

Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives
9. The organization identifies and assesses change that could significantly impact the system of internal control

Presenter
Presentation Notes
6. Specific objectives should be defined, such as operational objectives, financial reporting and compliance requirements.
7. Across the entity (subsidiaries, divisions or operating units), this needs to involve the correct level of management and authority. Don't forget off-shore, business partner and vendor activities.
8. Must consider various types of fraud, not just financial fraud. There are other types of fraud than stealing cash; how about falsifying equipment calibrations? Must assess opportunities and external pressures such as hardships and addictions.
9. Assess changes in the external environment, the business model, and changes in leadership, vision and mission.
Page 24

The COSO Principles

Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
11. The organization selects and develops general control activities over technology to support the achievement of objectives
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action

Presenter
Presentation Notes
Number 11 speaks to selecting appropriate IT control frameworks. Effective IT general controls provide reasonable assurance over data attributes such as completeness, accuracy, restricted access, and financial reporting integrity. Number 12 speaks to the policy and procedure suggestions we talked about earlier.
Page 25

The COSO Principles

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control

15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control

Page 26

The COSO Principles

Monitoring Activities

16. The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors as appropriate

Page 27

Commonizing Controls

Presenter
Presentation Notes
There is a significant amount of free material available that compares various frameworks and the underlying controls
Page 28

Commonizing Controls

Security Policy Controls

Requirement: ISO A.5.1.1 Information security policy document
Control: An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

Requirement: SOC2 Confidentiality Trust Principle
Control: Management has established policies and procedures to describe security and confidentiality requirements and standards of the firm. Security and confidentiality policies, procedures, and standards are reviewed, updated, and approved on an annual basis.

Requirement: IT General Control
Control: A comprehensive security policy exists, and is supported by a framework of security standards that supports the objectives of the organization's security policy.

Requirement: SOC1 CA #2.1
Control: A security policy exists and is supported by a framework of security standards. The policy and security standards are reviewed annually and updated as necessary.

Presenter
Presentation Notes
Commonizing, or control rationalization, may help reduce the effort needed to maintain framework controls. I could challenge 10 of you folks to combine these controls into a single control and I would receive multiple versions.
Page 29

Commonizing Controls

Management has established and maintains an information security framework which is supported by documented policies, procedures and standards. The framework and supporting documents are reviewed and approved by management at least annually. All relevant documents are published and communicated to all employees and relevant third parties.

Presenter
Presentation Notes
This is my version. By combining these controls into a single control I have reduced the security policy controls and the costs associated with control testing
Page 30

Framework Auditing

• Frameworks are written for business operations, not for auditors
• Auditors need to be competent in the framework to effectively review and comment on attributes
• May need to engage a subject matter expert
• May want to consider attorney-client privilege
• Need to remain independent and objective

Presenter
Presentation Notes
Competency – if you do not understand firewall rules, how can you validate that PCI firewall rule requirements are effective?
Page 31

Framework Auditing

• Internal auditors must refrain from assessing specific operations for which they were previously responsible

• Frameworks must be sustainable, controls must be effective every day

• If a certification is a deliverable, the assessor must be qualified / certified through the certifying organization and have received a certificate of approval at the appropriate level

Page 32

PCI DSS

Presenter
Presentation Notes
Some control frameworks provide different levels of requirements based upon certain variables. This is an example of the PCI merchant levels which are primarily governed by transaction volume. Remember, any control framework is a set of the bare minimum controls you should be implementing in your organization. Sometimes the minimum is adequate. Sometimes you may need additional control to keep your data and processes secure.
Page 33

PCI DSS

• The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payments and to store, process or transmit cardholder data, that data must be handled in a PCI DSS compliant environment, whether you host it yourself or use a PCI compliant hosting provider.

Presenter
Presentation Notes
A Report On Compliance (ROC) is an extensive document (for us, more than 100 pages) delivered by a QSA (Qualified Security Assessor) after completion of a PCI assessment. Theoretically, a ROC could also be provided by an ISA (Internal Security Assessor).

A Self-Assessment Questionnaire (SAQ or, in our case, SAQ D) is an alternative to a ROC and can be completed by an ISA or other appropriately credentialed auditor (e.g., an Internal Auditor). SAQs can only be used when the merchant has a sufficiently low level of PCI transactions, as defined by each card brand.

Both the ROC and the SAQ must be accompanied by a sign-off document (only 1-2 pages in length) known as the AOC (Attestation Of Compliance). This becomes the document of record for completion of a PCI assessment. If a merchant has an acquirer (a liaison between the merchant and the issuing card brands), then a copy of the AOC needs to be forwarded to the acquirer. CUNA Mutual’s transaction level is low enough to preclude the need for an acquirer, so we keep a copy of the AOC on record locally.
Page 34

Dashboard-PAT-Locker Linkages

Presenter
Presentation Notes
PCI Assessment Tracker: a custom-built eGRC tool, all built in SharePoint, which saves us approximately $35K annually.

One of the primary tools we use to map PCI requirements to the specific controls that are relevant to our organization, including assignment of responsibility, completion status, links to supporting evidence, the original requirement statement from the DSS, and the testing procedures resulting from our interpretation of those requirements.

Any given stakeholder within our PCI program can monitor the status of their controls and requirements: workflow, requirements, status, evidence. Used by all relevant parties: control owners, reviewers, auditors, etc. Access controls, backups, automated workflow.
Page 35

PCI Dashboard Detail

Presenter
Presentation Notes
Additional detail of the Tracker
Page 36

PCI Assessment Tool Detail

Presenter
Presentation Notes
A single page within the assessment tool, this is the lynchpin between the dashboards and the evidence locker. It holds everything together, and also maps back to the DSS
Page 37

Evidence Locker Detail

Presenter
Presentation Notes
When you select the evidence locker link it drills down to the individual Locker. From here the individual locker, you can export the relevant evidence. In addition, the control owners can review or copy and paste previous supporting evidence from previous years if there are no changes. We also use a similar version of this tool to manage our SOC2 control framework.
Page 38

Evidence Locker Detail

Rqmt #: 12.3.9
Description: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
Testing Procedure: 12.3.9 Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Comments: N/A. CMFG does not provide vendor access to any PCI zone systems. This was confirmed through review of VPN users and active accounts permitted to access the PCI zone through the jump host.
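The tracker described on the Dashboard, Assessment Tool and Evidence Locker slides, and the rationalization of four policy requirements into one control on the Commonizing Controls slides, rest on the same data model: framework requirements link to a common control, and the control links to an owner, a status and evidence. The Python below is an added example of that model and is not the presenter's SharePoint tool. The control ids (SEC-POL-01, NET-ACC-04), the owner names, the evidence-locker paths and the NET-ACC-04 control statement are assumed for illustration; the requirement texts and the SEC-POL-01 statement are taken from the slides. It also shows the caveat an assessor applies: an N/A claim without supporting evidence counts as open.

```python
# Added example, not the presenter's SharePoint tool: the requirement -> common
# control -> evidence linkage behind an assessment tracker and evidence locker.
# Control ids, owners, locker paths and the NET-ACC-04 statement are constructed;
# the requirement texts and the SEC-POL-01 statement come from the slides.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Requirement:
    framework: str  # e.g. "ISO 27001", "PCI DSS"
    ref: str        # the framework's own identifier, e.g. "A.5.1.1"
    text: str

    @property
    def key(self) -> str:
        return f"{self.framework} {self.ref}"


@dataclass
class CommonControl:
    control_id: str
    statement: str                   # one rationalized control, tested once
    owner: str
    requirements: List[Requirement]  # every framework requirement it is tested against
    evidence: List[str] = field(default_factory=list)  # links into the evidence locker
    not_applicable: Optional[str] = None               # justification when claimed N/A

    def status(self) -> str:
        # An N/A claim with no supporting evidence stays Open: an assessor will not
        # accept "not applicable" on assertion alone.
        if self.not_applicable:
            return "N/A" if self.evidence else "Open"
        return "Evidenced" if self.evidence else "Open"


def coverage(controls: List[CommonControl]) -> Dict[str, List[str]]:
    """Requirement key -> ids of the common controls that satisfy it."""
    cov: Dict[str, List[str]] = {}
    for control in controls:
        for req in control.requirements:
            cov.setdefault(req.key, []).append(control.control_id)
    return cov


def unmapped(in_scope: List[Requirement], controls: List[CommonControl]) -> List[str]:
    """In-scope requirements with no control behind them: the gaps a tracker must surface."""
    cov = coverage(controls)
    return sorted(req.key for req in in_scope if req.key not in cov)


def dashboard(controls: List[CommonControl]) -> Dict[str, int]:
    """Roll-up a stakeholder sees: how many controls sit in each state."""
    counts = {"Evidenced": 0, "Open": 0, "N/A": 0}
    for control in controls:
        counts[control.status()] += 1
    return counts


POLICY_REQS = [  # the four security policy requirements from the Commonizing Controls slide
    Requirement("ISO 27001", "A.5.1.1", "An information security policy document shall be "
                "approved by management, and published and communicated to all employees "
                "and relevant external parties."),
    Requirement("SOC2", "Confidentiality", "Security and confidentiality policies, procedures, "
                "and standards are reviewed, updated, and approved on an annual basis."),
    Requirement("ITGC", "Security policy", "A comprehensive security policy exists, and is "
                "supported by a framework of security standards."),
    Requirement("SOC1", "CA #2.1", "A security policy exists and is supported by a framework of "
                "security standards, reviewed annually and updated as necessary."),
]
VENDOR_ACCESS = Requirement("PCI DSS", "12.3.9", "Activation of remote-access technologies for "
                            "vendors and business partners only when needed, with immediate "
                            "deactivation after use.")
INVENTORY = Requirement("PCI DSS", "2.4", "Maintain an inventory of system components in scope "
                        "for PCI DSS.")  # deliberately given no control, to show a gap

CONTROLS = [
    CommonControl("SEC-POL-01", "Management has established and maintains an information "
                  "security framework which is supported by documented policies, procedures and "
                  "standards. The framework and supporting documents are reviewed and approved by "
                  "management at least annually. All relevant documents are published and "
                  "communicated to all employees and relevant third parties.",
                  "Information Security Officer", POLICY_REQS,
                  evidence=["locker/2014/SEC-POL-01/policy-approval-minutes.pdf"]),
    CommonControl("NET-ACC-04", "No vendor or business partner remote access is provisioned to "
                  "PCI zone systems.", "Network Services", [VENDOR_ACCESS],
                  evidence=["locker/2014/NET-ACC-04/vpn-users.csv",
                            "locker/2014/NET-ACC-04/jump-host-accounts.csv"],
                  not_applicable="CMFG does not provide vendor access to any PCI zone systems; "
                                 "confirmed through review of VPN users and jump-host accounts."),
]
IN_SCOPE = POLICY_REQS + [VENDOR_ACCESS, INVENTORY]

if __name__ == "__main__":
    print("one test of SEC-POL-01 satisfies", len(CONTROLS[0].requirements), "requirements")
    print("dashboard:", dashboard(CONTROLS))
    print("unmapped requirements:", unmapped(IN_SCOPE, CONTROLS))
```

Running it reports that a single test of SEC-POL-01 satisfies four requirements, that the dashboard shows one evidenced and one N/A control, and that PCI DSS 2.4 has no control mapped to it. The last line is the reason a tracker pays for itself: the gap is visible before the QSA finds it.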

Page 39

Prescriptive Detail in PCI DSS

Presenter
Presentation Notes
This is an extract from the updated PCI DSS 3.0, which now also offers guidance. It not only tells you what to do, but explains the spirit of the control, which helps the implementer and control owner clearly understand how to comply with the requirements.
Page 40

PCI DSS Updates 2.0 – 3.0

• 1.1.3 - Clarified what the network diagram must include and added new requirement at 1.1.3 for a current diagram that shows cardholder data flows.

• 2.4 - New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards.

• 3.5.2, 3.6.x - Split requirement 3.5.2 into two requirements to focus separately on storing cryptographic keys in a secure form (3.5.2), and in the fewest possible locations (3.5.3). Requirement 3.5.2 also provides flexibility with more options for secure storage of cryptographic keys.

• 5.3 - New requirement to ensure that anti-virus solutions are actively running (formerly in 5.2), and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis.

Page 41

PCI DSS Updates 2.0 – 3.0

• 6.5.10 - New requirement for coding practices to protect against broken authentication and session management. Effective July 1, 2015

• 8.6 - New requirement where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism.

• 9.3 - New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.

• 9.9.x - New requirements to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Effective July 1, 2015

Page 42

PCI DSS Updates 2.0 – 3.0

• 11.1.x - Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and added new requirement 11.1.2 to align with an already-existing testing procedure, for incident response procedures if unauthorized wireless access points are detected.

• 11.3.4 - New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective.

• 11.5.1 - New requirement to implement a process to respond to any alerts generated by the change-detection mechanism (supports 11.5)
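Requirement 11.5 calls for a change-detection mechanism and 11.5.1 for a process to respond to its alerts; the second is what turns a hash comparison into a control. The Python below is an added example of the pair and is not code from the presentation or from the PCI SSC. It baselines SHA-256 hashes of every file under a directory, reports additions, modifications and removals, and splits them into changes covered by an approved change record and alerts that need a response. The directory contents, file names and ticket id (CHG-1042) are constructed for the example.

```python
# Added example, not from the presentation: file-integrity change detection
# (PCI DSS 11.5) with the alert-response step 11.5.1 asks for. Sample files and
# the change ticket id are constructed.
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

Change = Tuple[str, str]  # (kind, relative path); kind is added, modified or removed


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """Diff two snapshots; sorted so successive reports are stable and comparable."""
    changes: List[Change] = []
    for rel in set(baseline) | set(current):
        if rel not in current:
            changes.append(("removed", rel))
        elif rel not in baseline:
            changes.append(("added", rel))
        elif baseline[rel] != current[rel]:
            changes.append(("modified", rel))
    return sorted(changes)


def triage(changes: List[Change],
           authorized: Dict[str, str]) -> Tuple[List[Change], List[Tuple[str, str, str]]]:
    """Split detected changes into alerts and expected changes.

    authorized maps a relative path to the change ticket that approved work on it.
    Anything without a ticket, including a deleted file, is an alert: the response
    process (open an incident, notify the control owner) is the 11.5.1 control."""
    alerts: List[Change] = []
    expected: List[Tuple[str, str, str]] = []
    for kind, rel in changes:
        if rel in authorized:
            expected.append((kind, rel, authorized[rel]))
        else:
            alerts.append((kind, rel))
    return alerts, expected


def run_check(root: Path, baseline: Dict[str, str], authorized: Dict[str, str]):
    """One monitoring cycle: snapshot, diff against the baseline, triage."""
    return triage(detect_changes(baseline, snapshot(root)), authorized)


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a small in-scope config directory, baselined, then changed.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("log_level=info\n")
        (root / "fw.rules").write_text("allow tcp/443 from 10.0.1.0/24\n")
        base = snapshot(root)
        (root / "app.conf").write_text("log_level=debug\n")  # approved under CHG-1042
        (root / "fw.rules").unlink()                           # unapproved: rules deleted
        (root / "drop.php").write_text("<?php echo 'x'; ?>\n")  # unapproved new file
        alerts, expected = run_check(root, base, {"app.conf": "CHG-1042"})
        for kind, rel in alerts:
            print(f"ALERT  {kind:<8} {rel}  -> open incident, notify control owner")
        for kind, rel, ticket in expected:
            print(f"OK     {kind:<8} {rel}  (approved: {ticket})")
```

The sample run raises two alerts (the deleted firewall rules and the new file) and accepts the approved config edit. Keying authorization by path and ticket is a simplification: a production process would also compare the new hash against the hash recorded when the change was approved, so an approved ticket cannot be used to cover a different edit to the same file.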

Page 43

PCI DSS Updates 2.0 – 3.0

• 12.8.5 - New requirement to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

• 12.9 - New requirement for service providers to provide the written agreement/acknowledgment to their customers as specified at requirement 12.8. Effective July 1, 2015

• 12.10.x - Renumbered requirement and updated 12.10.5 to clarify the intent is for alerts from security monitoring systems to be included in the incident response plan. “Clarification”

Page 44

COBIT

Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Page 45

COBIT 5 Self Diagnostic

COBIT 5 Assessment Scoping Tool
COBIT 5 Self-Assessment Template

Page 46

Cybersecurity Information Sharing Act of 2014

Purpose: To authorize private entities to prevent, investigate, and mitigate cybersecurity threats, to authorize the sharing of cyber threat indicators and countermeasures, and for other purposes.

Page 47

Cybersecurity Information Sharing Act of 2014

Executive Order 13636; February 12, 2013
• Cyber threat information sharing
• Focus is on vital infrastructure
• Voluntary critical infrastructure cybersecurity program
• NIST to develop a cybersecurity control framework

Page 48

NIST Cybersecurity Framework

NIST Cybersecurity Framework - Developed under Executive Order 13636; NIST's role in maintaining it was later codified by the Cybersecurity Enhancement Act of 2014. The Framework (V1.0 released February 12, 2014) was created through collaboration between industry and government and consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

Page 49

NIST Cybersecurity Framework

The framework is largely a process—it’s designed to help organizations start a cybersecurity program or improve an existing one. It features a number of industry vetted actions that businesses can take to assess and strengthen their state of security over time using risk-based methods. It is not meant to be prescriptive or impose new regulatory requirements on industry.

Page 50

NIST Cybersecurity Framework

Framework Core
• Divided into Functions (Identify, Protect, Detect, Respond, and Recover)
• 22 related Categories (e.g., Asset Management, Risk Management, etc. – very similar to sections in ISO 27001 Annex A)
• 98 Subcategories (very similar to controls in ISO 27001 Annex A)
• Subcategories refer to other frameworks such as ISO 27001, COBIT, NIST SP 800-53, etc.

Presenter
Presentation Notes
Appears to be primarily based on cybersecurity risks and incident response
Page 51

NIST Cybersecurity Framework

• Like ISO/IEC 27001, the Cybersecurity Framework is based on risk management
• Both are technology neutral
• Both provide a methodology on how to implement information security
• Both have the purpose of achieving business benefits while observing legal and regulatory requirements

Page 52

NIST Cybersecurity Framework

Presenter
Presentation Notes
The framework is very similar to a typical Incident Response process.
Page 53

NIST Cybersecurity Framework

Presenter
Presentation Notes
The NIST Framework aligns with multiple existing frameworks.
Page 54

An Exploration of the New Cybersecurity Framework May 22, 2014

• Ann M. Beauchesne, Vice President, National Security and Emergency Preparedness Department, U.S. Chamber of Commerce

• Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, the White House

• Dr. Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director, NIST, U.S. Department of Commerce

• Troy Land, Assistant to the Special Agent in Charge, Electronic Crimes Task Force, U.S. Secret Service

• Eric D. Shiffman, Supervisory Special Agent, FBI Chicago Division, Cyber Task Force

Page 55

An Exploration of the New Cybersecurity Framework May 22, 2014

• U.S. companies are losing trade secrets to cyber-attacks which will be devastating to the economy long-term

• Risk management is a term that management simply does not understand

• Cyberspace defense is warfare, companies need to adequately organize, train and equip their security professionals, each company needs a fully trained team of cyber warriors

• Either fund Cybersecurity before the attack or you will fund it after the breach

Page 56

An Exploration of the New Cybersecurity Framework May 22, 2014

• It is a given that corporate security professionals are allotted limited resources (underfunded)

• Companies need to implement an evolving security framework

• Threat detection and analysis is critical to protecting sensitive data

• Security frameworks must be driven by the respective industry to be effective, not by the government

Page 57

An Exploration of the New Cybersecurity Framework May 22, 2014

• Most of the U.S. infrastructure is privately held, the Government is looking for industry leaders to be part of their cyber team

• One of the biggest risks to companies is actually the loss of utility-related U.S. infrastructure

• Cybersecurity is not an add-on to a company’s processes, it must be part of the organization’s Governance strategy

Page 58

An Exploration of the New Cybersecurity Framework May 22, 2014

• Companies are encouraged to conduct a cyber-resiliency review, and map existing cyber controls to the framework

• Cyber data sharing is voluntary today, but regulatory authorities are becoming more conscious of the framework

• No single strategy can prevent advanced persistent threats (APTs)

Page 59

Lessons Learned

• Tone at the top is critical to your success
• Don’t forget vendors and other third parties when scoping
• Stakeholders should represent all material areas, and represent the proper level of authority
• Clearly understand your team’s skillsets and gaps
• Utilize professionals for key activities if needed; this will improve the probability of project success
• Be sure to work with the business area professionals (those who know)
• Think the deliverables through; establish consistent documentation and formats

Page 60

Lessons Learned

• Embed compliance into corporate documentation
• Clearly communicate control ownership and responsibilities
• Understand up front how maintenance of the framework will be operationalized and transferred from the project team
• Communicate expectations, provide awareness training
• Don’t reinvent the wheel – leverage what controls and frameworks you already have in place
• Always know your audience and manage your message appropriately
• Anticipate future control framework needs

Page 61

Questions?

[email protected]

