TRANSCRIPT
Nishidh, CISSP
To comply with Sarbanes-Oxley and other legislation
To comply with industry standards and business partner requirements
To protect customer information
To protect employee data
To detect fraud
To identify and correct any manual errors
To identify hardware or software errors
To proactively monitor infrastructure
For business continuity
Because?
People who use our services and products – our customers
People who give money to run the business – our investors
People who run the business – our employees
Easy security controls for customer applications.
Prevent unauthorized disclosure of customer data.
Prevent unintended destruction of customer data.
Promptly inform customers about security incidents
Help customers in taking corrective actions.
Protect customers
Accurate financial reporting ( Sarbanes-Oxley Act )
Give a good return on investment ( no over-investment in security, and effective use of controls )
Employees require an open environment
Security controls should not reduce productivity
Transparent monitoring
Well-informed security policies
We need to invest in security not just to comply with legislation or to meet industry or partner requirements.
But we need to invest in security to protect
customers, investors and employees. This is a TRUST business, and if we lose TRUST, we will lose everything.
Top-down approach
Identify critical business goals
Identify critical functions to meet business goals
Identify risks to critical functions
Effective risk management: Reduce risk, Transfer risk, Accept risk
Identify origin of risk ( 3Ps ): People, Processes, Products
Identify and implement controls
Verify effectiveness of controls ( Audit )
People are the weakest link in any security system.
People require policies, standards, guidelines and procedures so that they react in a predefined manner.
Security awareness programs are mandatory for the implementation of policies and standards.
People should be able to report security incidents or threats and take guidance from the incident response team.
Processes are key for smooth and secure business operations.
Processes implement policies and standards. Processes implement the “separation of duties”
and “need to know” concepts to comply with any legislative requirements on security.
It is required to monitor process deviations in order to identify suspicious activities or fraud.
Continuous audit of processes is mandatory to verify compliance.
Products can be any hardware, third-party package or custom application.
Products provide the platform on which processes are implemented.
Products are required to generate reports and audit trails that flag deviations in processes.
It is required to analyze a product against policies and standards before integrating it into the environment.
When developing applications, extra care in the form of security reviews and testing is required.
If a product uses cryptography, then key protection and data recovery are equally important.