SlideShare a Scribd company logo
1 of 37
Download to read offline
Information Security …
                               Title Title Title Title Title Title Title
                               Title Title Title Title Title Title Title
simply perform as you expect
                               It’s All About COMPLIANCE Honey!




                                                       DINESH BAREJA
                                                       DD MM YYYY
                                                       08 October 2011
ME:           Dinesh Bareja (dinesh.bareja@gridinfocom.com)
AT:           Grid Infocom Pvt Ltd, Gurgaon
AS:           VP and Principal Consultant (Information Security)
CERTS:        CISA, CISM, ITIL, BS7799, Cert in IPR, ERM
ASSNS: ISACA, Indian Honeynet Project, NULL, ClubHack, NSD,
Open Security Alliance, The FAQ Project.

An InfoSec professional I believe real life provides most of the answers to the problems that ail
cyberia. My heart is happily under constant attack by the dynamics / excitement of the security
business, and I happily live in a state of constant surprise at the ignorance of those who think they are
secure. Try to give back to the community, in my own small way, for the perennial flow of knowledge,
learning and friends.
This talk is about…
• Information Security – where does it come into an
  organization, how…. Why, when..
• InfoSec Drivers – what drives IS
• Analyst reports about IS drivers
• International Regulations
• India – Compliance Drivers
Information Security… what, why, when …
•   Good Controls (thinking)
•   Awareness
•   Compliance (good habits)
•   Tools

• Efficiency
• Process Hygiene
                               A LOT OF HARD WORK THAT
• Technology Management        IS NEVER ENOUGH

• 24 x 7 x 365                 IT’S ABOUT COMPLIANCE ..
• Proactive … Real time        You are never in order 
Information Security Components
• GOVERNANCE
• RISK
• COMPLIANCE
• AVAILABILITY
• ACCESSIBILITY
• ACCOUNTABILITY
And What Drives InfoSecurity
• Technology Upgrades
• Forward thinking management
• CxO buy in
• Optimized Processes
• Customer Requirement
• Post incident trauma
• Organization Growth and Maturity
Primary Driver for Information Security


    “Compliance with incident
    disclosure laws, Payment
    Card Industry Data Security
    Standard (PCI-DSS), and
    data privacy regulations is
    the primary driver of our
    data security.”

 “The Value Of Corporate Secrets,” a commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
Primary Driver for Information Security

    “Compliance” of all types has
    become the primary driver of data
    security programs. Nearly 90% of
    surveyed enterprises agreed that
    compliance with PCI-DSS, Data
    Privacy laws, Data Breach
    regulations, and existing Data
    Security Policies is the primary
    driver of their data security
    programs

 “The Value Of Corporate Secrets,” a commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
Why Regulations
• Regulators impose rules to ensure that business
  risks are minimized
• Corporate accounting scandals and frauds
• Global financial crisis / recession
• Corporate Governance
• Accountability to shareholders
• Guarantee of quality of service
• Compliance rules may prescribe not only a code of conduct for
  employees, but also how compliance is to be verified
• Non compliance may result in penalties
Forrester




The_Value_of_Corporate_Secrets : Source: A commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
Regulatory compliance is the
key driver of IT security
adoption for 50 % of Indian
financial services enterprises

Symantec Security Check – Indian Financial
Services Industry 2011 (Banking, Financial
Services and Insurance industries).
Information Security   It's All About Compliance
Why Should I Comply
• Internal Revenue, New Zealand
Information Security   It's All About Compliance
The Regulatory Cocktail

                                    IT Act, DSCI
                    RBI             Framework,
                 Guidelines,         ISO27001
                 BS25999,
                   SEBI
                 Guidelines,
                 CTCL Audit

                                Telecom
                                Security,
                               Clause 49,
                                PCI DSS




               Compliance Requirements
              lead to Information Security
Regulatory / Compliance Requirement Extracts
• FISMA Section 3534 "(a) The head of each [Federal] agency shall
  delegate to the agency Chief Information Officer ensuring that the
  agency effectively implements and maintains information security
  policies, procedures, and control techniques;“
• ISO 27002 Section 5.1 "A written policy document should be available
  to all employees responsible for information security“
• HIPAA Security Final Rule, 164.316 (a) Policies and Procedures "(R)
  Implement reasonable and appropriate policies and procedures to
  comply with the standards, implementation specifications, or other
  requirements of this subpart.“
Information Security Related…
Some Laws / Statutory Regulations
• Health Insurance Portability and Accountability Act (HIPAA) of 1996 - requires health
  care providers, insurance providers and employers to safeguard the security and
  privacy of health data.
• Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services
  Modernization Act of 1999, protects the privacy and security of private financial
  information that financial institutions collect, hold, and process.
• Sarbanes-Oxley Act of 2002 (SOX). Section 404 - publicly traded companies assess
  the effectiveness of their internal controls for financial reporting. CIO responsible for
  the security, accuracy and the reliability of the systems that manage and report the
  financial data.
• Payment Card Industry Data Security Standard (PCI DSS) - requirements for
  enhancing payment account data security.
• Personal Information Protection and Electronics Document Act (PIPEDA) –protecting
  personal information that is collected, used or disclosed
Some Laws / Statutory Regulations
• The Family Educational Rights and Privacy Act (USA Federal law) privacy of student
  education records.
• UK Data Protection Act 1998 - provisions for the regulation of the processing of
  information relating to individuals, including the obtaining, holding, use or disclosure
  of such information.
• UK Computer Misuse Act 1990 - computer crime (e.g. cracking - sometimes
  incorrectly referred to as hacking) a criminal offence.
• EU Data Protection Directive - adopt national regulations to standardize the
  protection of data privacy for citizens throughout the EU.
• EU Data Retention – ISPs, phone companies keep data on every electronic message
  sent and phone call made for between six months and two years.
INDIA… Some Statutory Regulations

             • IT Act
             • RBI Guidelines
             • Telecom Security Guidelines
             • SEBI
             • CTCL
             • Clause 49
             • Environmental
             • IPC
ATTACKS ARE COSTLY


• 23% experienced external attacks (phishing
    attempts, IP theft, DoS attacks).
• 67% experiencing a data breach lost man hours
• 61% lost customers as a result
• 80% faced downtime due to online attacks
•   Rs 6.86 crore avg losses due to security breaches
    at Financial services
•   Rs 12.6 crore avg losses at Indian banks
•   External theft of confidential information was faced
    an average of 1.5 times
•   Internal theft of information an average of 5.8 times.
•   4 hours (average) to resume normal operations

•   51% financial services enterprises in India cited
    compliance as the primary driver for adopting IT
    security.
•   25% respondents that experienced a digital attack
    faced monetary penalization.
The Consequences of Non-Compliance
                             Dept of Telecommunication

                             Rs 50cr for a security
                             breach due to inadequacies

                             Liability of criminal
                             proceedings under Indian
                             Telegraph Act, IT Act, IPC,
                             CrPC

                             License cancellation
Cost of Non Compliance
• 2010 … Example – Encryption (Ponemon Institute’s annual “U.S.
  Enterprise Encryption Trends Report” - 964 IT and business leaders
  surveyed)
• In the past, protecting data and mitigating data breaches drove
  encryption adoption.
• Now regulatory compliance became the top reason for implementing
  encryption technologies
• 69% compliance is their primary driver for encryption
• 63% mitigating data breaches was the driver for encryption adoption
• The results show the growing realization that compliance is important
  as companies try to avoid post-breach legal noncompliance penalties.
Business Benefits for InfoSec Vendors
Over the last year, RBI has mandated two factor
authentication at banks for all delivery channels.
• In the past 12 months…
    – 31% of respondent-banks invested in identity management
    – Investment in technologies to address such regulations is
      likely to continue.
• Survey finding..
    – Technology investments during the next financial year will be
      made towards stronger governance, business continuity
      planning, securing mobile and wireless transactions, data loss
      prevention and network security.
RBI Security Guidelines Framework
     (1)                NINE areas identified from the use of IT in Banking
Information
Technology
Governance                                    Recommendations of the “Working Group on
                     (5)
                  IS Audit
                                              Information Security, Electronic Banking,
      (2)                          (8)        Technology Risk Management and Cyber Frauds”
 Information                    Customer
   Security
                    (6)
                                Education     Conduct current state Gap Analysis
                Cyber Frauds
                                              Plan for remediation and compliance
     (3)                           (9)
IT Operations
                    (7)
                               Legal Issues   Implement basic framework by Oct 31, 2011 and
                 Business
                 Continuity
                                              rest within a period of one year
                 Planning
    (4)
IT Services
                                              Report management oversight and review in bank
Outsourcing                                   Annual Report from 2011-12 onwards
                                              Continuously improve controls         based   on
                                              emerging risks and concerns
Requirements                                                   &           GIC Solution
Policies and procedures        Vulnerability Assessment
                                                                           •       Develop and maintain security policies (Automated
Risk Assessment                Establishing on-going security
                               monitoring processes                                Compliance)
Inventory , information/data   Patch Management:                           •       Generation of meaningful security metrics of
classification                                                                     security performance (Archer)
Defining roles and             Change Management                           •       Assignment of roles, responsibilities and
responsibilities                                                                   accountability for information security (Access
Access Control                 Audit trails                                        Manager)
Information security and       Information security reporting and          •       Development/maintenance of a security and control
information asset life-cycle   metrics
                                                                                   framework that consists of standards, measures,
Personnel security             Information security and Critical service
                                                                                   practices and procedures (Archer, enVision)
                               providers/vendors
Physical security           Network Security
                                                                           •       Classification and assignment of ownership of
User Training and Awareness Remote Access:
                                                                                   information assets (DLP)
                                                                           •       Periodic risk assessments and ensuring adequate,
Incident management            Distributed Denial of service
                               attacks(DDoS/DoS):
                                                                                   effective and tested controls for people, processes
Application Control and        Implementation of ISO 27001
                                                                                   and technology to enhance information security
Security                       Information Security Management                     (Consulting)
                               System                                      •       Processes to monitor security incidents (SIEM)
Migration controls             Wireless Security                           •       Effective identity and access management processes
Implementation of new          Business Continuity Considerations:                 (Access Manager)
technologies:
                                                                           •       IS awareness program for users/officials
Encryption                     Information security assurance            (2)
Date Security                  General Information Security delivery Information
                               channels                                Security
Telecom Security …
                 HIGHLIGHTS OF AMENDMENT TO NLD LICENSE AGREEMENT DATED 31 MAY 2011


  23.7(i)
                 23.7(i) Security Responsibility
  Security       -   Complete and Total Responsibility for Security of Networks under which the following must
Responsibility       be done – Network Forensics, Network Hardening, Network PT, Risk Assessment
                 23.7(ii) Security Audit
                 - Conduct a network security audit once a year by network audit certification agency, as per
                     ISO15408 and ISO27001
                 23.7(iii) Security Testing
                 - Network elements must be tested as per defined standards – IT and IT related against
                     ISO15048, ISMS against ISO27001; Telecom elements against 3GPP 3GPP2 security
                                                                                         .
                     standards. Up to 31 Mar 2013 this can be done overseas and after this date in India
                 23.7(iv) Security Configuration
                 - Include all security features, as per standards, while procuring equipment and implement the
                     same.
                 - Maintain list of all features while equipment is in use
                 - List is subject to inspection by Licensing Authority
                 23.7(v) Security Personnel
                 - CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central
                     database, softswitches … all must be Indian Nationals.
CTCL Audit – shall broadly cover…
•   Existing features and system parameters implemented in the trading system.
•   Identify the adequacy of input, processing and output controls
•   Identify the adequacy of the application security so that it commensurate to the size and nature of
    application.
•   Event logging and system monitoring.
•   User management.
•   Password policy/standards
•   Test of adherence to policies
•   Network management and controls
•   Change management and version controls.
•   Backup systems and procedures
•   Business continuity and disaster recovery plan
•   Documentation for system processes
•   Security features such as access control network firewalls and virus protection measures.
•   Any other area/aspect which may be material for inclusion in the audit certificate and/or which may be
    specified by the Exchange from time to time.
ISO270001
Security
 Policy

           Organization
                of
                                           Access
           Information
                                           Control
             Security
                                                        Information
                          Physical and                    Security
                          Environment                     Incident
                            Security                    Managament
                                          Information
              Asset                         Systems
           Management                     Acquisition
                                         Development
                                         Maintenance
                          Communicati
                            on and
                           Operations
                          Management
             Human
            Resource
            Security
Bottom Line …. On Compliance
To Be Or Not To Be.
Should Compliance be the end goal or the catalyst of
Information Security initiatives – in conclusion, we look
at the options and issues.
Same Message Another Source!

                Compliance is one of the biggest
                drivers of information security
                initiatives.

                However, despite the findings,
                industry observers believe that
                compliance      efforts    aren't
   There is a   necessarily making organizations
     rider !    more secure..

                TechTarget survey of U.K. information security professionals
Corporate intellectual property
               comprises 62% of a company's
               data assets, but security
               programs are focused on
               compliance rather than data
               protection              (CNET)
    This
confuses the
 argument
   further
Strategy – Compliance / Security
• Compliance is NOT Security
• Security is NOT Compliance

• Organizations must drive Compliance and NOT be
  driven by Compliance
• Information Security to leverage Compliance FUD to
  get Management attention
• Compliance provides good ROI numbers for
  reporting
Strategy – Compliance / Security
• Security requires organizations to step up to extract
  benefits from both C and S initiatives
• Build maturity, through awareness programs, among
  stakeholders to recognize and support intangible
  benefits
• Identify and enforce C ><S balance through
  practical controls and measures
Remember
Thank You




E: dinesh@opensecurityalliance.org
E: dineshobareja@gmail.com
M: 9769890505
References and Credits
•   CSO Online
•   Purpleslog on flickr
•   Internet Crime Complaint Center
•   flickr.com/GDS Infographics
•   freedigitalphotos.net/digitalart
•   Google Uncle !

More Related Content

What's hot

Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity AuditEC-Council
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)samsontamwaiho
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1Tanmay Shinde
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness trainingSAROJ BEHERA
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Information security management system
Information security management systemInformation security management system
Information security management systemArani Srinivasan
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 

What's hot (20)

Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
 
Security audit
Security auditSecurity audit
Security audit
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
 
IT security
IT securityIT security
IT security
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
 
Information security
Information securityInformation security
Information security
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
Information security management system
Information security management systemInformation security management system
Information security management system
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and Mindfulness
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 

Viewers also liked

Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document Dinesh O Bareja
 
Business - IT Alignment Increases Value Of IT
Business - IT Alignment Increases Value Of ITBusiness - IT Alignment Increases Value Of IT
Business - IT Alignment Increases Value Of ITDinesh O Bareja
 
Mind Your Manners On Linked In
Mind Your Manners On Linked InMind Your Manners On Linked In
Mind Your Manners On Linked InDinesh O Bareja
 
Community Disaster Incident Response
Community Disaster  Incident ResponseCommunity Disaster  Incident Response
Community Disaster Incident ResponseDinesh O Bareja
 
ISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionDinesh O Bareja
 
Incident Response Requires Superhumans
Incident Response Requires SuperhumansIncident Response Requires Superhumans
Incident Response Requires SuperhumansDinesh O Bareja
 
Indian Thoughts in Information Security
Indian Thoughts in Information SecurityIndian Thoughts in Information Security
Indian Thoughts in Information SecurityDinesh O Bareja
 
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Dinesh O Bareja
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentDinesh O Bareja
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaDinesh O Bareja
 
Cyberwar - Is India Ready
Cyberwar - Is India ReadyCyberwar - Is India Ready
Cyberwar - Is India ReadyDinesh O Bareja
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsDinesh O Bareja
 
Common Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSCommon Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSDinesh O Bareja
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its PreventionDinesh O Bareja
 

Viewers also liked (16)

Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document
 
Business - IT Alignment Increases Value Of IT
Business - IT Alignment Increases Value Of ITBusiness - IT Alignment Increases Value Of IT
Business - IT Alignment Increases Value Of IT
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Mind Your Manners On Linked In
Mind Your Manners On Linked InMind Your Manners On Linked In
Mind Your Manners On Linked In
 
Community Disaster Incident Response
Community Disaster  Incident ResponseCommunity Disaster  Incident Response
Community Disaster Incident Response
 
ISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introduction
 
Incident Response Requires Superhumans
Incident Response Requires SuperhumansIncident Response Requires Superhumans
Incident Response Requires Superhumans
 
Indian Thoughts in Information Security
Indian Thoughts in Information SecurityIndian Thoughts in Information Security
Indian Thoughts in Information Security
 
Compliance Awareness
Compliance AwarenessCompliance Awareness
Compliance Awareness
 
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for Government
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
 
Cyberwar - Is India Ready
Cyberwar - Is India ReadyCyberwar - Is India Ready
Cyberwar - Is India Ready
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
 
Common Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSCommon Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CS
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 

Similar to Information Security It's All About Compliance

A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaUlf Mattsson
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation Technology Society Nepal
 
Improve IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in SplunkImprove IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in SplunkPrecisely
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystemkpatrickwheeler
 
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Precisely
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_bangloreIPPAI
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...PECB
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionPrecisely
 
Data Security Policy For Ecommerce Payment Card Applications
Data Security Policy For Ecommerce Payment Card ApplicationsData Security Policy For Ecommerce Payment Card Applications
Data Security Policy For Ecommerce Payment Card ApplicationsMichelle Meienburg
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010joevest
 
Cyber Security in Manufacturing
Cyber Security in ManufacturingCyber Security in Manufacturing
Cyber Security in ManufacturingCentraComm
 
A Plan For Physical And Digital Security Protocols
A Plan For Physical And Digital Security ProtocolsA Plan For Physical And Digital Security Protocols
A Plan For Physical And Digital Security ProtocolsKim Moore
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIskcon Ahmedabad
 

Similar to Information Security It's All About Compliance (20)

Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
Improve IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in SplunkImprove IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in Splunk
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
 
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
Data Security Policy For Ecommerce Payment Card Applications
Data Security Policy For Ecommerce Payment Card ApplicationsData Security Policy For Ecommerce Payment Card Applications
Data Security Policy For Ecommerce Payment Card Applications
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
Essay About Tft2
Essay About Tft2Essay About Tft2
Essay About Tft2
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
 
ACFN vISO eBook
ACFN vISO eBookACFN vISO eBook
ACFN vISO eBook
 
Cyber Security in Manufacturing
Cyber Security in ManufacturingCyber Security in Manufacturing
Cyber Security in Manufacturing
 
A Plan For Physical And Digital Security Protocols
A Plan For Physical And Digital Security ProtocolsA Plan For Physical And Digital Security Protocols
A Plan For Physical And Digital Security Protocols
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and Data
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 

More from Dinesh O Bareja

WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers Dinesh O Bareja
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Can Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCCan Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCDinesh O Bareja
 
Finance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITFinance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITDinesh O Bareja
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Dinesh O Bareja
 
India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013Dinesh O Bareja
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in IndiaDinesh O Bareja
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security AwarenessDinesh O Bareja
 

More from Dinesh O Bareja (9)

WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers
 
Cybersecurity 2.0
Cybersecurity 2.0Cybersecurity 2.0
Cybersecurity 2.0
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
Can Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCCan Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRC
 
Finance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITFinance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with IT
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0
 
India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in India
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness
 

Recently uploaded

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 

Recently uploaded (20)

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 

Information Security It's All About Compliance

  • 1. Information Security … Title Title Title Title Title Title Title Title Title Title Title Title Title Title simply perform as you expect It’s All About COMPLIANCE Honey! DINESH BAREJA DD MM YYYY 08 October 2011
  • 2. ME: Dinesh Bareja (dinesh.bareja@gridinfocom.com) AT: Grid Infocom Pvt Ltd, Gurgaon AS: VP and Principal Consultant (Information Security) CERTS: CISA, CISM, ITIL, BS7799, Cert in IPR, ERM ASSNS: ISACA, Indian Honeynet Project, NULL, ClubHack, NSD, Open Security Alliance, The FAQ Project. An InfoSec professional I believe real life provides most of the answers to the problems that ail cyberia. My heart is happily under constant attack by the dynamics / excitement of the security business, and I happily live in a state of constant surprise at the ignorance of those who think they are secure. Try to give back to the community, in my own small way, for the perennial flow of knowledge, learning and friends.
  • 3. This talk is about… • Information Security – where does it come into an organization, how…. Why, when.. • InfoSec Drivers – what drives IS • Analyst reports about IS drivers • International Regulations • India – Compliance Drivers
  • 4. Information Security… what, why, when … • Good Controls (thinking) • Awareness • Compliance (good habits) • Tools • Efficiency • Process Hygiene A LOT OF HARD WORK THAT • Technology Management IS NEVER ENOUGH • 24 x 7 x 365 IT’S ABOUT COMPLIANCE .. • Proactive … Real time You are never in order 
  • 5. Information Security Components • GOVERNANCE • RISK • COMPLIANCE • AVAILABILITY • ACCESSIBILITY • ACCOUNTABILITY
  • 6. And What Drives InfoSecurity • Technology Upgrades • Forward thinking management • CxO buy in • Optimized Processes • Customer Requirement • Post incident trauma • Organization Growth and Maturity
  • 7. Primary Driver for Information Security “Compliance with incident disclosure laws, Payment Card Industry Data Security Standard (PCI-DSS), and data privacy regulations is the primary driver of our data security.” “The Value Of Corporate Secrets,” a commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
  • 8. Primary Driver for Information Security “Compliance” of all types has become the primary driver of data security programs. Nearly 90% of surveyed enterprises agreed that compliance with PCI-DSS, Data Privacy laws, Data Breach regulations, and existing Data Security Policies is the primary driver of their data security programs “The Value Of Corporate Secrets,” a commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
  • 9. Why Regulations • Regulators impose rules to ensure that business risks are minimized • Corporate accounting scandals and frauds • Global financial crisis / recession • Corporate Governance • Accountability to shareholders • Guarantee of quality of service • Compliance rules may prescribe not only a code of conduct for employees, but also how compliance is to be verified • Non compliance may result in penalties
  • 10. Forrester The_Value_of_Corporate_Secrets : Source: A commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
  • 11. Regulatory compliance is the key driver of IT security adoption for 50 % of Indian financial services enterprises Symantec Security Check – Indian Financial Services Industry 2011 (Banking, Financial Services and Insurance industries).
  • 13. Why Should I Comply • Internal Revenue, New Zealand
  • 15. The Regulatory Cocktail IT Act, DSCI RBI Framework, Guidelines, ISO27001 BS25999, SEBI Guidelines, CTCL Audit Telecom Security, Clause 49, PCI DSS Compliance Requirements lead to Information Security
  • 16. Regulatory / Compliance Requirement Extracts • FISMA Section 3534 "(a) The head of each [Federal] agency shall delegate to the agency Chief Information Officer ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;“ • ISO 27002 Section 5.1 "A written policy document should be available to all employees responsible for information security“ • HIPAA Security Final Rule, 164.316 (a) Policies and Procedures "(R) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart.“
  • 18. Some Laws / Statutory Regulations • Health Insurance Portability and Accountability Act (HIPAA) of 1996 - requires health care providers, insurance providers and employers to safeguard the security and privacy of health data. • Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold, and process. • Sarbanes-Oxley Act of 2002 (SOX). Section 404 - publicly traded companies assess the effectiveness of their internal controls for financial reporting. CIO responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. • Payment Card Industry Data Security Standard (PCI DSS) - requirements for enhancing payment account data security. • Personal Information Protection and Electronics Document Act (PIPEDA) –protecting personal information that is collected, used or disclosed
  • 19. Some Laws / Statutory Regulations • The Family Educational Rights and Privacy Act (USA Federal law) privacy of student education records. • UK Data Protection Act 1998 - provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. • UK Computer Misuse Act 1990 - computer crime (e.g. cracking - sometimes incorrectly referred to as hacking) a criminal offence. • EU Data Protection Directive - adopt national regulations to standardize the protection of data privacy for citizens throughout the EU. • EU Data Retention – ISPs, phone companies keep data on every electronic message sent and phone call made for between six months and two years.
  • 20. INDIA… Some Statutory Regulations • IT Act • RBI Guidelines • Telecom Security Guidelines • SEBI • CTCL • Clause 49 • Environmental • IPC
  • 21. ATTACKS ARE COSTLY • 23% experienced external attacks (phishing attempts, IP theft, DoS attacks). • 67% experiencing a data breach lost man hours • 61% lost customers as a result • 80% faced downtime due to online attacks • Rs 6.86 crore avg losses due to security breaches at Financial services • Rs 12.6 crore avg losses at Indian banks • External theft of confidential information was faced an average of 1.5 times • Internal theft of information an average of 5.8 times. • 4 hours (average) to resume normal operations • 51% financial services enterprises in India cited compliance as the primary driver for adopting IT security. • 25% respondents that experienced a digital attack faced monetary penalization.
  • 22. The Consequences of Non-Compliance Dept of Telecommunication Rs 50cr for a security breach due to inadequacies Liability of criminal proceedings under Indian Telegraph Act, IT Act, IPC, CrPC License cancellation
  • 23. Cost of Non Compliance • 2010 … Example – Encryption (Ponemon Institute’s annual “U.S. Enterprise Encryption Trends Report” - 964 IT and business leaders surveyed) • In the past, protecting data and mitigating data breaches drove encryption adoption. • Now regulatory compliance became the top reason for implementing encryption technologies • 69% compliance is their primary driver for encryption • 63% mitigating data breaches was the driver for encryption adoption • The results show the growing realization that compliance is important as companies try to avoid post-breach legal noncompliance penalties.
  • 24. Business Benefits for InfoSec Vendors Over the last year, RBI has mandated two factor authentication at banks for all delivery channels. • In the past 12 months… – 31% of respondent-banks invested in identity management – Investment in technologies to address such regulations is likely to continue. • Survey finding.. – Technology investments during the next financial year will be made towards stronger governance, business continuity planning, securing mobile and wireless transactions, data loss prevention and network security.
  • 25. RBI Security Guidelines Framework (1) NINE areas identified from the use of IT in Banking Information Technology Governance Recommendations of the “Working Group on (5) IS Audit Information Security, Electronic Banking, (2) (8) Technology Risk Management and Cyber Frauds” Information Customer Security (6) Education Conduct current state Gap Analysis Cyber Frauds Plan for remediation and compliance (3) (9) IT Operations (7) Legal Issues Implement basic framework by Oct 31, 2011 and Business Continuity rest within a period of one year Planning (4) IT Services Report management oversight and review in bank Outsourcing Annual Report from 2011-12 onwards Continuously improve controls based on emerging risks and concerns
  • 26. Requirements & GIC Solution Policies and procedures Vulnerability Assessment • Develop and maintain security policies (Automated Risk Assessment Establishing on-going security monitoring processes Compliance) Inventory , information/data Patch Management: • Generation of meaningful security metrics of classification security performance (Archer) Defining roles and Change Management • Assignment of roles, responsibilities and responsibilities accountability for information security (Access Access Control Audit trails Manager) Information security and Information security reporting and • Development/maintenance of a security and control information asset life-cycle metrics framework that consists of standards, measures, Personnel security Information security and Critical service practices and procedures (Archer, enVision) providers/vendors Physical security Network Security • Classification and assignment of ownership of User Training and Awareness Remote Access: information assets (DLP) • Periodic risk assessments and ensuring adequate, Incident management Distributed Denial of service attacks(DDoS/DoS): effective and tested controls for people, processes Application Control and Implementation of ISO 27001 and technology to enhance information security Security Information Security Management (Consulting) System • Processes to monitor security incidents (SIEM) Migration controls Wireless Security • Effective identity and access management processes Implementation of new Business Continuity Considerations: (Access Manager) technologies: • IS awareness program for users/officials Encryption Information security assurance (2) Date Security General Information Security delivery Information channels Security
  • 27. Telecom Security … HIGHLIGHTS OF AMENDMENT TO NLD LICENSE AGREEMENT DATED 31 MAY 2011 23.7(i) 23.7(i) Security Responsibility Security - Complete and Total Responsibility for Security of Networks under which the following must Responsibility be done – Network Forensics, Network Hardening, Network PT, Risk Assessment 23.7(ii) Security Audit - Conduct a network security audit once a year by network audit certification agency, as per ISO15408 and ISO27001 23.7(iii) Security Testing - Network elements must be tested as per defined standards – IT and IT related against ISO15048, ISMS against ISO27001; Telecom elements against 3GPP 3GPP2 security . standards. Up to 31 Mar 2013 this can be done overseas and after this date in India 23.7(iv) Security Configuration - Include all security features, as per standards, while procuring equipment and implement the same. - Maintain list of all features while equipment is in use - List is subject to inspection by Licensing Authority 23.7(v) Security Personnel - CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central database, softswitches … all must be Indian Nationals.
  • 28. CTCL Audit – shall broadly cover… • Existing features and system parameters implemented in the trading system. • Identify the adequacy of input, processing and output controls • Identify the adequacy of the application security so that it commensurate to the size and nature of application. • Event logging and system monitoring. • User management. • Password policy/standards • Test of adherence to policies • Network management and controls • Change management and version controls. • Backup systems and procedures • Business continuity and disaster recovery plan • Documentation for system processes • Security features such as access control network firewalls and virus protection measures. • Any other area/aspect which may be material for inclusion in the audit certificate and/or which may be specified by the Exchange from time to time.
  • 29. ISO270001 Security Policy Organization of Access Information Control Security Information Physical and Security Environment Incident Security Managament Information Asset Systems Management Acquisition Development Maintenance Communicati on and Operations Management Human Resource Security
  • 30. Bottom Line …. On Compliance To Be Or Not To Be. Should Compliance be the end goal or the catalyst of Information Security initiatives – in conclusion, we look at the options and issues.
  • 31. Same Message Another Source! Compliance is one of the biggest drivers of information security initiatives. However, despite the findings, industry observers believe that compliance efforts aren't There is a necessarily making organizations rider ! more secure.. TechTarget survey of U.K. information security professionals
  • 32. Corporate intellectual property comprises 62% of a company's data assets, but security programs are focused on compliance rather than data protection (CNET) This confuses the argument further
  • 33. Strategy – Compliance / Security • Compliance is NOT Security • Security is NOT Compliance • Organizations must drive Compliance and NOT be driven by Compliance • Information Security to leverage Compliance FUD to get Management attention • Compliance provides good ROI numbers for reporting
  • 34. Strategy – Compliance / Security • Security requires organizations to step up to extract benefits from both C and S initiatives • Build maturity, through awareness programs, among stakeholders to recognize and support intangible benefits • Identify and enforce C ><S balance through practical controls and measures
  • 36. Thank You E: dinesh@opensecurityalliance.org E: dineshobareja@gmail.com M: 9769890505
  • 37. References and Credits • CSO Online • Purpleslog on flickr • Internet Crime Complaint Center • flickr.com/GDS Infographics • freedigitalphotos.net/digitalart • Google Uncle !