TRANSCRIPT
Establishing an Integrated ISMS for the
Co-operative Banking Group
STREAM Integrated Risk Manager Risk management made simple
Richard Mayall [email protected]
Partner, Acuity Risk Management
Mark Henry [email protected]
IT Security Assurance Manager, The Co-operative Banking Group
Some of our Customers
Typical Customer requirements
1. Many standards: ISO 27001, 22301, 9001, 14001, 18000, 20000, PCI-DSS, COBIT, GSI, IAMM…
2. Variety of methodologies, assessment schemes, risk types, KRIs, KPIs…
3. Efficient compliance and risk processes in complex business environments
4. Dashboards, reports, exports for internal / external auditors…
GRC Key Components
…and supporting processes
Overview
Introductions
Co-operative Banking Group : ISMS Requirements
Selection of ‘Content’ for the system
How we constructed the system
Example data collection and reporting views
Summary and questions…
Your presenters…
Richard Mayall
Supported CBG with original ISO 27001 certification and risk assessment
Supported migration to STREAM for ISO 27001 in June 2008
Supporting current development of ISMS with CBG
Responsible within Acuity for integrated content development projects for our Enterprise STREAM customers
Mark Henry
34 years' experience in Financial Services, with the last 10 years in Security.
Manages IT Security Assurance to ensure we meet our Legal, Regulatory and Business Requirements.
Managed the ISO 27001 re-certification for smile & Personal Banking Internet channels since 1999 (using STREAM).
Developed and implemented a 3rd Party Data Assurance Model
Revamping our Security Baseline Controls into a comprehensive IT Security Governance Framework
The Co-operative Group
ITS Governance Framework
Key Objectives:
Align / report against key Standards (i.e. ISO 27001 and PCI-DSS)
Benchmark against industry peers & ‘best practice’ (via ISF Benchmark)
New IT developments built to appropriate CBG Security Standards
Certify compliance with Banking Industry Payment Schemes (e.g. CHAPS, Faster Payments, BACS)
Validation and highlighting of areas of best practice across IT
Identification and effective risk management of all control deficiencies
Regular reporting to inform risk and investment decisions
Support Co-op’s ethical stance by demonstrating good compliance and risk management.
IT Security Control Standard Architecture
IT Security Governance Framework
Building the System
Reporting Lenses: ISO 27001, COBIT, PCI-DSS
‘Baseline’ ISF Controls (Assessed)
Platform specific technical Standards (Assessed for each applicable technical environment)
Content in STREAM
Control Assessment
Control Assessment II
High-level summary reporting
Control deployment summary
Linkages for the ISO lens…
ISO 27001
Through the ISO 27001 lens…
ISO 27001
Multiple Control Standards
Drillable Risk Dashboards
Dashboards for various business views, gauges for:
Risk counts by threshold
Risks levels against appetite
Control deployment levels
Personal Workflow…
Way ahead
Gather assessments across the IT estate
Create further lenses:
PCI-DSS
COBIT
CHAPS, Faster Payments, BACS…
STREAM Servers
Benchmark
Submissions
Output data from STREAM for ISF Benchmark submissions…
Develop interfaces to accept ‘assessment’ data feeds from technical monitoring tools (Qualys)
Real-time Data Feeds (Qualys)
Essential Components
Questions?
Acuity Risk Management LLP
Liberty House
222 Regent Street
London
W1B 5TR
+44 20 7297 2086
www.acuityrm.com

The Co-operative Banking Group
Miller Street
Manchester
Lancashire
M60 0AL
www.co-operativebankinggroup.co.uk