EnterpriseGRC Solutions Core Competencies include Strategy, ROI, Architecture, and Process - Providing Compliance Mapping as a Service
Security Governance and Compliance
Compliance is a universe of constraints enforcing business and technology practice, aligned to the minimally acceptable product, service and financial benchmarks, consumer and citizen safety, and continuous availability of critical resources as mandated by US and world governments. Considerations for HIPAA, the USA PATRIOT Act, Gramm-Leach-Bliley, FISMA/e-Government, OMB Circulars (various, such as A-119 and A-130), Executive Directives and DCIDs can't be limited to government, federal and financial programs. Businesses work in tandem, weaving regulatory issues through e-commerce, outsourcing and third-party services, such that any law has implications across multiple industries and business classifications. Laws like the Clinger-Cohen Act, the Paperwork Reduction Act, Basel I and II, European Union privacy laws and the Safe Harbor Principles, the California Security Breach Notice Law as well as emerging bills with similar guidelines, SEC Rule 17a-4, NARA regulations for federal records management, SEC CFR 17 Rule no. 16900 affecting clearing corporations, the National Strategy to Secure Cyberspace, and many associated Public Laws and government guidelines (especially those affecting security programs and the implementation of appropriate standards such as the various FIPS) are all part of our audit universe. The EnterpriseGRC Solutions toolbox is a list of applications and industry tools, with special attention to the better companies and materials, as found most successfully implemented among our clients.
Strategy and Techniques - Approach to Mapping Service, IT Regulation and Frameworks
A clear win for any IT service organization can be found in providing mapped CobiT and ISO 27001 programs. Aligning service delivery to regulation-driven compliance models enables immediate and sustained client value.
The simplest possible view of controls mapping might include:
- Business Process - Service
- Business Control Requirement - Regulation
- Control Process – Control Framework Identifier
- System Enablers – Technology policy
- People Enablers – Business Policy
- Standard and Frequency of Measure – Compliance Metrics
- Compliance Reporting – Representation of Compliance
Providing Compliance Mapping as a Service
The common understanding of the goals for providing compliance services should include the following intentions:
- To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
- To ensure compliance of systems with organizational security policies and standards
- To maximize the effectiveness of and to minimize interference to/from the system audit process.[i]
COBIT supports IT governance by providing a framework to ensure that:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT risks are managed appropriately [ii]
When considering the drivers that create demand for IT consulting, the risk of non-compliance with ISO 27001 is a compelling one.
Related risks of non-compliance with ISO 27001 include:
- Risk of information disclosure, including related risks such as loss of confidence and trust
- Incomplete risk assessment and, thus, an inadequate level of risk management
- Inadequate business continuity management
- Lack of security awareness within the organization
- Inadequate security requirements when interacting with third-party organizations
- Inadequate level of physical and logical security
- Flawed procedures due to the lack of incident management
- Inadequate security controls coverage in outsourcing/contractual arrangements
Mapping client processes, regulatory requirements, risks and commonly adopted standards or frameworks needs to serve a business purpose. While many seek the Holy Grail spreadsheet providing one clean map of the audit universe, they must ultimately face reality. Mapping is an exercise that includes the client, the business context, and a collaborative decision-making process. Just as business demands change, the purpose of mapping requires similar levels of adjustment.
For example, an organization might have already identified their IT General Computing Controls, and determined to include the CobiT control PO7.4 "Personnel training". Current, free and available guidance tells us this is mapped to ISO 27001 8.2.2 "Information security awareness, education, and training".
This mapping serves to reinforce that a policy for personnel training exists and that a program is, or should be, implemented. Reliance upon generic mapping, however, is problematic and might even serve to move a compliance project off course.
Consider the published guidance for mapping PO6.2. In the absence of industry and company-specific risk, the control could be assigned to many areas of Security Policy.
Example: (CobiT 4.1) PO6.2 Enterprise IT risk and internal control framework
Definition: Develop and maintain a framework that establishes the enterprise's overall approach to risks and internal control to deliver value while protecting IT resources and systems. The framework should be integrated with the IT process framework and the quality management system, and comply with overall business objectives. It should be aimed at maximizing the success of value delivery while minimizing risks to information assets through preventive measures, timely identification of irregularities, limitation of losses and timely recovery of business assets.
PO6.2 Enterprise IT risk and internal control framework maps to twenty areas of ISO 27001:
- 5.1.1 Information security policy document
- 6.2.2 Addressing security when dealing with customers
- 7.1.3 Acceptable use of assets
- 8.2.2 Information security awareness, education, and training
- 8.3.2 Return of assets
- 9.1.5 Working in secure areas
- 9.2.7 Removal of property
- 10.7.3 Information handling procedures
- 10.8.1 Information exchange policies and procedures
- 10.9.3 Publicly available information
- 11.1.1 Access control policy
- 11.3.1 Password use
- 11.3.2 Unattended user equipment
- 11.3.3 Clear desk and clear screen policy
- 11.7.1 Mobile computing and communications
- 11.7.2 Teleworking
- 12.3.1 Policy on the use of cryptographic controls
- 15.1.2 Intellectual property rights (IPR)
- 15.1.5 Prevention of misuse of information processing facilities
- 15.2.1 Compliance with security policies and standards
(At the time of this paper, mapping scope had not yet included ISO 27002:2013, NIST CSF, SOC 2 2016, PCI DSS 3.2, CIS CSC 6.1, NIST 800-53r4 and Appendix J, HIPAA/HITRUST, and a number of smaller mapping standards. Please review the images at the base of this document for more information about current mapping capabilities.)
The question of any mapping exercise needs to be, "based on the risk that is managed or mitigated by this control, which areas of policy are most necessary to achieving its success?" The answer to this question is only valid in the context of a company's current risk appetite and posture. A small business, for example a corner grocery chain, might not have any concern for intellectual property rights. There might be only one antiquated computer and one register at each of fewer than twenty locations. Is it reasonable to suggest they deploy a full-scale internal control framework that includes cryptographic controls? Does it matter that they lack a policy for teleworking? What if they decide to manage risk using third-party expertise? Perhaps all of their security requirements will be covered in an upcoming PCI/Visa compliance review. That being the case, the organization model is directly tied to both what they control and how they control it.
Having established that no single map of controls, regulations, and policies can apply across multiple business contexts, there is an even greater need to enable a Dynamic Mapping Process. In order to rapidly and effectively evaluate an organization's risk of non-compliance with any law or framework, certain tools and project components need to be in place:
- Method to gather, record and report the client Risk Profile
- Means for mapping Risks to Controls
- Source of Regulatory information and means for keeping it up to date
- Interface to Develop, Map and Report Processes, Programs or Services with respectively aligned Controls
This tool set must enable a capacity to engage across Risks, Controls, Process, Regulation and Policy, capturing and compiling client information and allowing for consistent, billable, actionable output.
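The risk-scoped mapping described above (one COBIT control, its published twenty-clause ISO 27001 mapping, and a client risk profile that decides which of those clauses actually apply) can be made concrete in code. The following is an added example and not EnterpriseGRC Solutions' tooling: the clause list is the page's own PO6.2 mapping, while the risk tags, the grocery-chain profile, its policy inventory and the reliance on a PCI/Visa review are constructed assumptions for illustration.

```python
"""Risk-scoped control mapping: COBIT 4.1 PO6.2 -> ISO 27001:2005 clauses,
filtered by a client risk profile into Statement of Applicability entries.
Added example; not the vendor's product. Tags and profiles are constructed."""
from dataclasses import dataclass, field

# COBIT 4.1 PO6.2 -> ISO 27001:2005 Annex A areas, as listed on the page.
PO62_TO_ISO27001 = {
    "5.1.1": "Information security policy document",
    "6.2.2": "Addressing security when dealing with customers",
    "7.1.3": "Acceptable use of assets",
    "8.2.2": "Information security awareness, education, and training",
    "8.3.2": "Return of assets",
    "9.1.5": "Working in secure areas",
    "9.2.7": "Removal of property",
    "10.7.3": "Information handling procedures",
    "10.8.1": "Information exchange policies and procedures",
    "10.9.3": "Publicly available information",
    "11.1.1": "Access control policy",
    "11.3.1": "Password use",
    "11.3.2": "Unattended user equipment",
    "11.3.3": "Clear desk and clear screen policy",
    "11.7.1": "Mobile computing and communications",
    "11.7.2": "Teleworking",
    "12.3.1": "Policy on the use of cryptographic controls",
    "15.1.2": "Intellectual property rights (IPR)",
    "15.1.5": "Prevention of misuse of information processing facilities",
    "15.2.1": "Compliance with security policies and standards",
}

# Hypothetical risk tags (constructed): a clause listed here applies only when
# the profile carries at least one of its tags. Clauses absent from this
# table are treated as baseline and always apply to an in-scope entity.
CLAUSE_TRIGGERS = {
    "6.2.2": {"customer_data"},
    "9.1.5": {"secure_areas"},
    "10.8.1": {"third_party_exchange"},
    "10.9.3": {"public_web_presence"},
    "11.7.1": {"mobile_devices", "remote_work"},
    "11.7.2": {"remote_work"},
    "12.3.1": {"cardholder_data", "intellectual_property"},
    "15.1.2": {"intellectual_property"},
}


@dataclass
class RiskProfile:
    entity: str
    risk_tags: set[str]
    # clause -> external programme or third party relied upon for it
    relied_upon: dict[str, str] = field(default_factory=dict)
    # clauses for which the client already holds a policy document
    existing_policies: set[str] = field(default_factory=set)


@dataclass
class SoaEntry:
    clause: str
    title: str
    applicable: bool
    justification: str
    policy_gap: bool


def statement_of_applicability(profile, mapping=PO62_TO_ISO27001,
                               triggers=CLAUSE_TRIGGERS):
    """One SoA entry per mapped clause: applicable or not, why, and whether
    the client still lacks a policy (or an external programme) covering it."""
    entries = []
    for clause, title in mapping.items():
        tags = triggers.get(clause)
        if tags is None:
            applicable, why = True, "baseline control for any in-scope entity"
        elif tags & profile.risk_tags:
            hits = ", ".join(sorted(tags & profile.risk_tags))
            applicable, why = True, "triggered by risk: " + hits
        else:
            applicable, why = False, "no matching risk in profile"
        if applicable and clause in profile.relied_upon:
            why += "; relied upon: " + profile.relied_upon[clause]
        gap = (applicable and clause not in profile.existing_policies
               and clause not in profile.relied_upon)
        entries.append(SoaEntry(clause, title, applicable, why, gap))
    return entries


def summarize(entries):
    return {"mapped": len(entries),
            "applicable": sum(e.applicable for e in entries),
            "policy_gaps": sum(e.policy_gap for e in entries)}


# Constructed profile: the page's corner grocery chain, taking card payments at
# the register and relying on an upcoming PCI/Visa review for crypto controls.
GROCERY = RiskProfile(
    entity="corner grocery chain",
    risk_tags={"cardholder_data", "customer_data"},
    relied_upon={"12.3.1": "upcoming PCI/Visa compliance review"},
    existing_policies={"5.1.1", "8.2.2", "11.3.1"},
)

if __name__ == "__main__":
    entries = statement_of_applicability(GROCERY)
    for e in entries:
        flag = "GAP" if e.policy_gap else ("ok" if e.applicable else "n/a")
        print(f"{e.clause:7} {flag:4} {e.title}: {e.justification}")
    print(summarize(entries))
```

Run stand-alone, the block prints one line per clause and a summary; for the constructed grocery profile, 14 of the 20 generically mapped clauses apply and 10 of those are policy gaps, while teleworking (11.7.2) and IPR (15.1.2) fall out of scope as the text argues they should. The same function against a profile carrying every risk tag returns all 20 clauses as applicable, which is exactly the undifferentiated result a generic mapping gives every client.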
- Risk Assessment creates a profile of an entity's most significant Regulatory and Enterprise Concerns
- Controls Assessment establishes the "in scope" control objectives that are used to highlight compliance points within any process. Policy Mapping ties actual and required client policy documentation to the established control framework. Process Profiling creates the step-by-step activities and their associated controls, represented as a mapped process flow diagram. This area of documentation may serve as compliance demonstration, future-state planning or even sales material.
- Source Database including 600+ searchable laws, frameworks and resources related to IT Regulatory Compliance
- Enterprise Risk Management interface used to gather, review and map Risk to requirements, controls, assets and strategic milestones.
- Assessment Portal used to identify 1000+ Standard Control Objectives including COSO, CobiT, NIST, ISO 27001, ITIL, PCI/VISA, BASEL II, and OCEG Framework. Portal allows for selection of scope, maturity evaluation, mapping across multiple frameworks.
- Policy Mapping Module allows review of all processes and policies, mapping their content to related areas of BS7799 Part 1 (27001) and accompanied by Statement of Applicability according to Annex 1.
- Process Profile facilitates an ISO 9001 documentation framework and establishes baseline depiction for more than 200 standard processes.
- System requirements are Microsoft Office 2003 or 2007, Visio Professional 2003 or 2007, 4 GB of RAM and 20 GB of drive space. It is also desirable to use an external drive of 250 GB, which facilitates sharing the data with clients and co-workers securely.
Corporate organizations need objective benchmarks to measure and distinguish the quality of their own security practices. While not perfect, most organizations respect and utilize some aspect of the evolved mapping of a combined ISO 27001 and CobiT 4.1 + CobiT 5 standard. This hybrid and customized model provides a comprehensive catalog of topics that should be considered in designing, implementing, and operating a secure IT infrastructure.
The following sections provide images of tools and a summary of the ISO/IEC domain areas.
- Figure 1 Dynamic Process Documentation – Available on Intranet
- Figure 2 Sample Process Profile – Meeting ISO 9001 standard
- Figure 3 Change Management output showing all process and mapped controls
- Figure 4 Risk Management Control Mapped Process Flow Diagram
- Figure 5 Maturity Assessment tool – Tracking by CMM, CobiT or BASEL II assessment criteria
- Figure 6 Interface allows for Mapping Policy and Control – set values from Policy Mapping Module
- Figure 7 Policy Mapping tracks existing policy relative to ISO standard, related controls, owners and gaps
- Figure 8 Application for Management and Reporting Enterprise Risk – Meets AS5 and OMB related requirements
- Figure 9 Immediate High-Level Reporting – One of hundreds existing reports – Easily customized
- Figure 10 Heat Map Shows Residual and Inherent Risk – Accounting Oversight Ready
- Figure 11 Source Documentation shows Regulation and Standards – Instantaneous regulatory background reporting
Figure 1 Sample output: Process Documentation and Controls Mapping - Dynamic Process Documentation – Available on Intranet
Evolution of ideas, as demonstrated by the most recent updates in CobiT 5 (Delivering Business Benefits With COBIT: An Introduction to COBIT 5, by Derek Oliver, Ph.D., CISA, CISM, CRISC, and John Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G)
Quoting directly from the online article, "The draft model was then stored in the metal safe repository, and the picture of the model was generated by the repository. The model reflects the structure of the COBIT 4.1 framework, IT Assurance Guide: Using COBIT and COBIT 4.1 Process Assessment Model Exposure Draft, with an extension as explained in the figure. The extension of some attributes in the assurance model is included to show how a model can be adapted to specific requirements (e.g., the support of an assessment process) and still keep the original model.
The model shows all the important terms, their properties, and their relationships. It can be used to teach, design and structure the information base that will contain the model. This is not the metamodel, but it is what the authors wanted to express or show about the model. It is also only a draft or proof of concept of the architecture; however, it is a good basis from which to start and can be extended or changed easily for use in other intended purposes.
Beyond the descriptive function, the model is also intended to structure the information base where the instances of the model with the complete textual information are stored, maintained and documented."
Figure 12 GRC Application Components
EnterpriseGRC Solutions is referencing common standard methodology and is not the creator of either CISSP or ISO 27001 guidance.
[ii] © 2006 IT Governance Institute, COBIT® Mapping: Mapping of ISO/IEC 17799:2005 With COBIT® 4.0, with permission to reproduce sections of ISO/IEC 17799:2005, copyright 2005 the International Organization for Standardization (ISO), granted to ITGI by ISO.