ntxissacsc4 - business geekdom: 1 = 3 = 5
TRANSCRIPT
@NTXISSA#NTXISSACSC3
BusinessGeekdom:1=3=5
GrantGilliamCISSP,CISM,CISAManagingDirectorGilliamSecurity,LLCOctober7,2016
@NTXISSA#NTXISSACSC3
Situation:ComplianceNightmare
NTXISSACyberSecurityConference– October2-3,2015 2
COBIT4
COBIT5
HITRUST
ITILv3
ITIL2011
COSO2013
NISTCIF
FFIECSecurity
NERCCCIP
GLBA-FACTA
SANSCSC
DoD8500.2
PCIDSS3.1/3.2
HIPAASec.Rule
NIST800-53Rev4
NIST800-171
CSAv3.0.1
IRS1075
ISO27001:2013
CJIS5.5
AICPASOC
@NTXISSA#NTXISSACSC3
Yielding…
• Nomeanstomeasurecompliance• Severalmanhoursmaintaining• Novisibilityintoframeworks• Decentralizedgovernance• Increasedcomplexity• Duplicationofeffort
NTXISSACyberSecurityConference– October7-8,2016 3
@NTXISSA#NTXISSACSC3
Problem
Eachdifferentbusinessunitisunabletotranslaterequirementstoanothergroup,therebycausingthe“Geek”effect.
“It’sonlyaproblemifyouhaveasolution.”AnnaKendrickUpInTheAir,2009
NTXISSACyberSecurityConference– October2-3,2015 4
@NTXISSA#NTXISSACSC3
UseCaseResources Cost
Human Capital
SecurityResource $170
Security Leadership $250
Outside Consultants $500
Business Owner x1hr
HoursSpent
Costfor onemeeting $920
NTXISSACyberSecurityConference– October2-3,2015 5
UseCase:1hourcompliancemeeting
Usuallywehavenomoreinformationthanwhereweinitiallystarted.
@NTXISSA#NTXISSACSC3
Whatisbusinessgeekdom?
Define:business geekdomAdifferentbusinessunitunabletotranslaterequirementstoanothergroupthatoftenperceivestheotherasa‘geek’.
NTXISSACyberSecurityConference– October2-3,2015 6
@NTXISSA#NTXISSACSC3
BusinessBenefit• Metricstoenableinstantaneousgapassessmentsacrossthebusiness
• Minimalheadcountmaintainingseveraldifferentframeworks
• Visibilitytocurrentandfuturestatebusinessrequirements
• Reducedcomplexityduetoasinglesetofcontrols• Nomoreduplicationofeffortacrossdepartments• Centralizedgovernanceacrossthebusiness
NTXISSACyberSecurityConference– October2-3,2015 7
@NTXISSA#NTXISSACSC3
Solution:1=3=5
NTXISSACyberSecurityConference– October2-3,2015 8
SecurityControl
Framework
Acentralizedtranslatortomakeframeworksincongruencewithoneanother
@NTXISSA#NTXISSACSC3
Example
NTXISSACyberSecurityConference– October2-3,2015 9
Anenterprisesecurityarchitecturealigningyourrequirements,suchas:
- HIPAA- HITRUST- NISTCIF- NIST800-53- NIST800-171- PCIDSSv3.1- COBIT5- …
Finding:Mostframeworkshavealargeoverlapwithothermajorframeworks.
AddedBonus:Guidancefromothermajorframeworks.
@NTXISSA#NTXISSACSC3
Example
NTXISSACyberSecurityConference– October2-3,2015 10
Legislative &Mandated
NIST800 Series
NISTCybersecurityFramework
DoDI8500Series
PCIDataSecurityStandard
Gramm-Leach-BlileyAct
NERC/ FERC
HIPAASecurityRule
FFIEC SecurityHandbook
IRS1075
BestPractices
ISO/IEC27000Series
CloudSecurityAlliance
SANSCritical SecurityControls
COSO 2013Principles
COBIT 5
COBIT4
HITRUST
Internal
ITILversion3
ITIL2011
IntegrationtoGRCTool
@NTXISSA#NTXISSACSC3
FutureUseCase
NTXISSACyberSecurityConference– October2-3,2015 11
UseCase:1hourcompliancemeeting
UsuallyWehavenomoreinformationthanwhereweinitiallystarted.
Resources Cost
Human Capital
SecurityResource $170
Security Leadership $250
Outside Consultants $500
Business Owner x1hr
HoursSpent
Costfor onemeeting $920$420
@NTXISSA#NTXISSACSC3
ConceptinHistory
NTXISSACyberSecurityConference– October2-3,2015 12
Source:http://jessepaedia.blogspot.com/2014/04/what-living-language-is-closest-to-latin.html
RomanceLanguages
@NTXISSA#NTXISSACSC3@NTXISSA#NTXISSACSC3
The Collin College Engineering DepartmentCollin College StudentChapteroftheNorthTexasISSA
NorthTexasISSA(InformationSystemsSecurityAssociation)
NTXISSACyberSecurityConference– October7-8,2016 14
Thankyou