The webinar covers:
• Overview of ISO 31000
• Overview of PCI and HIPAA compliance
• Achieving integrated compliance through ISO 31000
Presenter:
This webinar was presented by Bogdan Dragomir, a security professional with over 24 years of experience in the IT field, including over 5 years as a Regional Security Manager with Savvis Communications, where he was responsible for leading multiple security initiatives, acting as a trusted adviser for many companies in the South and Central US, and coordinating penetration testing across the US and UK. He is an expert in the areas of Risk Management, Integrated Compliance, Secure Architecture Design and Analysis, Incident Management, Security Assessment and Auditing.
Link of the recorded webinar published on YouTube: https://youtu.be/gzwOFKCOYVo
Achieving integrated mandatory compliance with ISO 31000
2. Bogdan Dragomir
Job Positions
Bogdan Dragomir is a security professional with over 24 years of experience in the IT field, including over 5 years
as a Regional Security Manager with Savvis Communications, where he was responsible for leading multiple
security initiatives, acting as a trusted adviser for many companies in the South and Central US, and coordinating
penetration testing across the US and UK.
(657)-200-5506
bdragomir@gmail.com
https://www.linkedin.com/in/bogdandrago
twitter.com/name.surname
fb.com/name.surname
3. Achieving PCI-DSS compliance
through ISO 31000 adoption
By: Bogdan Dragomir
QSA, Six Sigma Lean Professional, CMS, SixSigma Black Belt,
Jonah's Jonah®, Certified ISO27001/22301/31000 trainer
5. ISO 31000
• ISO 31000 - “a process that provides confidence that planned objectives will
be achieved within an acceptable degree of residual risk.”
• Developed by the International Organization for Standardization (ISO)
and based on AS/NZS 4360, ISO 31000 provides principles and generic
guidelines on risk management.
6. PCI DSS
• The Payment Card Industry Data Security Standard – a standard enforced on
merchants and geared to securing customer card information.
• Encompasses 12 domains and over ten times as many controls.
• Apparently no relationship with ISO 31000.
However….
7. The problem
• IT management focuses on security as an abstract concept, often driven by
compliance.
• Compliance focuses on mapping what IT does and ticking (or not ticking)
the requirement boxes.
• Often the compliance lifecycle is not integrated with, or supported by,
anything other than the fines imposed.
8. The reality
• The reason many companies fail to be compliant, or to maintain an at-all-times
compliance posture, is that they are addressing requirements and not their intent.
• PCI-DSS and other industry mandatory standards rely on an organizational
implied CMMI level of 3 or above, with some of the processes needing to be at
level 4 or above.
• All mandatory (compliance) standards are vertical standards: industry-specific
standards, based on common industry risks, that aim to guide towards a common
approach to risk treatment.
9. “Listen” and “silent” use the exact same letters but describe a different activity
• In a parent-child relationship, Risk is the parent and Security is the child.
• There is no point in deploying security solutions for nonexistent risks.
• Addressing individual requirements while missing their intent is the new
approach to compliance.
10. Governance, Risk and Compliance (GRC)
The good:
• Great concept.
• Well publicized.
• Realistic.
The bad:
• Misunderstood.
• Can induce confusion.
11. ISO 31000 Overview
• Mandate and Commitment
– Design of framework
• Organization context
• Risk management policy
• Integrated risk management
– Implement risk management
• Implement framework and associated processes
– Monitor and review framework
– Improve framework
12. The value
• The biggest value in adopting ISO 31000 lies in its promotion of continuous
improvement, diligent management practices and ongoing monitoring.
• The biggest value in adopting PCI-DSS is in meeting the minimum security
state as recognized by the industry.
13. The Danger
• There is no danger in adopting only ISO 31000.
• Adopting only PCI-DSS:
– might or might not ensure proper management sponsorship;
– might or might not ensure proper readiness for other mandatory compliance
bodies (SOX/HIPAA/etc.);
– might not be a sustainable approach.
14. Doing what makes sense vs. doing what is expected
“Unless companies transition from the mindset of regulatory risk management to
comprehensive IT risk management, they will never truly see the long-term benefit
or continual compliance.” – Mohammed Akbar
- Deploy your own Risk Management framework.
- Own your risk catalog and risk rating.
- Define your inherent risks.
- Assess your controls and assess their effectiveness.
- Analyze the residual risks and …
- Use compliance ONLY when making risk treatment decisions.
15. How to achieve lasting compliance using a sustainable approach
16. Prepare your organization
• PCI-DSS and other industry mandatory standards rely on an organizational
implied CMMI level 3, or above, with some of the processes needing to be at
level 4, or above.
17. CMMI level 3 or level 4?
• CMMI defines level 3 of maturity as the first level where the processes are
tailored to the organization’s goals and proactively managed. CMMI level 3
assures a synergy between policies, processes and process management,
consistently rendering the expected results.
• CMMI level 4 is defined as the first level of maturity where processes are
measured and controlled.
• In order to achieve sustainable compliance, organizations have to ensure that
at minimum Change Management, Asset Management and Risk Management are
at CMMI level 4.
18. Define and deploy Risk Management
Framework
• Use ISO 31000.
• Go granular when documenting your risks (use many sources, e.g. BITS).
• Document your risk threshold and risk appetite criteria.
• Communicate your vision and how it relates to your organization’s mission.
• Define and document your risk management related processes (asset
management, change management, etc.) – ensure they are integrated!
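The sequence on slides 14 and 18 (define inherent risks, rate control effectiveness, derive the residual risk, compare it with a documented appetite, and only then let compliance shape the treatment decision) as a small risk register. This is an added illustration, not code from the webinar; the 1-5 rating scale, the 0-1 effectiveness scale, the register entries and the `PCI-REQ-PLACEHOLDER-*` labels are all constructed.

```python
"""Minimal ISO 31000-style risk register (added example; constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int               # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: int                   # constructed scale: 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 = no control .. 1.0 = fully mitigating
    compliance_refs: tuple = ()   # placeholder labels for mapped mandatory requirements

    @property
    def inherent(self) -> int:
        """Inherent risk before any control is considered (1..25)."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Risk left after the assessed control effectiveness is applied."""
        return round(self.inherent * (1.0 - self.control_effectiveness), 2)


def treatment_decision(risk: Risk, appetite: float) -> str:
    """Decide treatment from residual risk vs. the organisation's own appetite.

    Compliance is consulted only here, at the treatment step: a mapped mandatory
    requirement rules out 'accept'/'transfer' for the control it demands, but it
    does not drive the rating itself (risk is the parent, compliance the child).
    """
    if risk.residual <= appetite:
        if risk.compliance_refs:
            return "accept residual; retain control (mandatory: %s)" % ", ".join(risk.compliance_refs)
        return "accept"
    if risk.compliance_refs:
        return "mitigate (mandatory: %s)" % ", ".join(risk.compliance_refs)
    return "treat (mitigate/transfer/avoid)"


def assess(register: list, appetite: float) -> list:
    """Return (name, residual, decision) ordered by residual risk, highest first."""
    ranked = sorted(register, key=lambda r: r.residual, reverse=True)
    return [(r.name, r.residual, treatment_decision(r, appetite)) for r in ranked]


REGISTER = [  # constructed entries
    Risk("Unpatched server holding card data", 4, 5, 0.6, ("PCI-REQ-PLACEHOLDER-A",)),
    Risk("Lost edit history on internal wiki", 3, 2, 0.5),
    Risk("Unauthorised change to payment app", 3, 5, 0.9, ("PCI-REQ-PLACEHOLDER-B",)),
]

if __name__ == "__main__":
    for row in assess(REGISTER, appetite=4.0):
        print("%-38s residual=%5.2f  %s" % row)
```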
19. What about Change Management and Asset Management?
• PCI-DSS doesn’t spell out risk management as a required workflow or defined
process, but it does rely on it when it allows organizations to use
compensating controls;
• It doesn’t require asset management, but it does require an inventory and
so much more;
• It doesn’t say we need to have a change management process, but it requires
assessments to be performed after any major change…
Can one still think these processes are not required?
20. “The pineapple is not a single fruit but a
group of berries that have fused together”
• Having processes at the right maturity level is critical, but it is not the
only thing we need; in addition to the correct maturity level we need to ensure
flawless process integration. Change Management is great, and so are Risk
Management and Asset Management, but if they are not synchronized they might as
well not exist.
21. Why deploy ISO and not DSS
• ISO establishes management commitment – DSS assumes it exists.
• ISO establishes a risk management methodology concept – DSS uses a
pre-defined one (the most common risks within the industry).
• ISO establishes the continual improvement processes – DSS relies on PCI-DSS
versions, which might be slower than risk evolution.
22. …continued
• ISO sets the bar to an organization-specific risk treatment – DSS sets the
bar at a holistic level.
• ISO implementation will enable compliance readiness for multiple industry
standards.
• ISO forces a maturity increase – DSS relies on increased maturity.