
BSidesNoVA 2021 | Rose Songer | Crash Course - Information Security Management System Implementation

BSides NoVa | 54:15 | 115 views | Published 2021-07 | Watch on YouTube ↗
About this talk
Implementation of an Information Security Management System can seem like a daunting task. Often companies attempt to implement programs with a lack of resources and availability, limited tooling, aggressive timelines, etc. The implementation of an ISMS does not need to be overly complicated or difficult, but security professionals do have to be creative with their solutions. With proper planning, companies can successfully implement their ISMS to support their security objectives. Additionally, companies must consider the implications of implementing a program and how to maintain it afterwards. As we all know, these programs are not once and done; they require ongoing upkeep to remain in compliance. This presentation will cover my own lessons learned on multiple ISO 27001:2013 implementations and ongoing management of the ISMS. We will discuss ISMS 101, the must-haves of your program, not skimping where it counts, less is more, and how to put a bow on your program. Take my challenges and turn them into your successes.
Transcript [en]

Hey everyone, I'm excited to introduce Rose Songer with Lessons Learned: Crash Course in Information Security Management System Implementation. She'll be presenting for about an hour, and if we have time at the end she'll answer a few questions; feel free to post them in the chat or in the Q&A tab. Rose, if you'll take it from here.

Awesome. Yeah, thank you for the intro. Today I will be talking all things lessons learned and ISMS implementation: learning from the pains that I've experienced over the past few years with implementing ISMSs, and how you can learn from those pains, and maybe the things that you don't think about along the way with your implementation. So we're going to take a look at all these things, and hopefully, by the things that I've experienced and the things I'm calling out now, you'll go on to maybe have a more successful implementation with minimal issues or hiccups.

I do have a poll question. Out of curiosity, I was curious as to how many of you have actually implemented ISO 27001 before, so I'm going to jump into the chat, but if you could answer the poll so I could get a sense of who's implemented it or not, just feel free to do that. I also offer to all of you guys who are here today: if you have any of your own lessons learned that you think would be beneficial to anybody attending this chat, feel free to drop them in the chat so everybody can see, especially if it's something that I've not covered. By the end of the presentation I'm hoping that together we can come together and talk about the things that will hopefully make your life a little bit easier.

So real quick, I am Rose. I am a governance, risk, compliance manager at CSO in Pittsburgh. What I do for my role is I oversee all of our governance, risk, compliance services from start to finish, whether it's ISO 27001 implementation, security awareness, third party risk management, whatever service, it kind of falls under my bucket of view. Not only that, but I helped implement at our clients, which is what helped give me a lot of the knowledge that I'm going to give to you guys today. I have a master's in cyber security and a bachelor's in advanced networking. I've been in IT about 15 years. I started out in the Navy at 18 years old, went to work in IT and did a lot of shipboard communications and things like that, and eventually, my last year in the Navy, I was a network engineer and decided, oh, I like being more hands-on with these things, and went to get all of my degrees. Then eventually I made it into governance, risk, compliance, very different from where I started out, but I love what I'm doing right now. Tons of industry experience, so it helps me get my clients ready for whatever they need to.

Kind of jumping into the different industries: before I move on to my next point, I do want to point out I do have a co-presenter today. I always like to point him out when I'm doing any of my chats because he likes to make himself known, but luckily he is sleeping right now. His name is Dexter, so if you see him at all on the video, please disregard him. I will make sure that he doesn't try to clean himself during this presentation, which he has done before. So, show and tell a little bit about me: like I said, I'm in Pittsburgh, I've been here for a few years. I was in the Navy for a little bit of time and it took me to Hawaii and San Diego and a couple other places, and eventually I made my way to Pittsburgh with my family. I am married with two kids; my son's eleven and my daughter's nine, and we stay really busy on top of all the things that I do for my company. So I always like to include this because

it feels like it gives you a little background into the person who's presenting and talking, and hopefully you can relate on some level, whether you have kids, live in Pittsburgh, or whatever it may be.

All right, so I talked a little bit about myself, who I am and the things that I've done. Before I jump into ISMS 101, I want to talk a little bit about how I've gotten to the point that I am now, giving you guys the lessons learned on all the things that I've experienced. A few years ago I was put into a position that I needed to go work on ISO 27001. I had a client that had a program that they needed someone to stabilize for them, and I got one heck of a crash course. Based on my experience, obviously I knew about ISO and its concept, how you use it, the certification and things like that, but I hadn't had a deep dive or, you know, trial by fire. And so I went on to do all of this work, and it was a trial by fire for the next six months while I got my bearings on ISO, and it really gave me a lot of insight into why it can be so painful for people, and not only that, taking those pain points and trying to figure out how you navigate from there. So that really is encouraging me to take this to you guys and talk about it and get us working to not have those same hiccups for you guys.

So before we can talk about lessons learned, I think it would be suitable to talk about what an ISMS is. We haven't quite talked about that yet; I've been saying the acronym but haven't discussed what the actual words mean. We're going to talk about what it is, whether or not it's worth implementing, ongoing program management, and what exactly ISO 27001 is, how it's broken down, and how it applies or how it's incorporated into your ISMS.

So first, what is an ISMS? Well, that is an Information Security Management System. It's built on Plan-Do-Check-Act, and really what it is trying to do is get you into a cycle of continuous improvement. It does it by establishing governance, rolling through the risk assessments, and monitoring and measuring, and then, if you have non-conformities, how you're correcting those non-conformities. So it's built off of policies, processes, procedures, all that sort of documented information, and essentially what it's trying to get at is the CIA triad, which all things in security eventually bubble down to, right? So it's trying to protect the confidentiality, integrity and availability of data, your processes and things like that.

So this program is built to kind of prompt you into that continuous improvement cycle, making sure you're hitting that triad and establishing some governance as well for your whole program. At a very high level, that is what it is. Now, getting into it at a granular level, there's a lot of things that you need to do to make sure that this program is actually operating, so that it's actually running in a circle all the time and that you're in that cycle of continuous improvement, and you do that through the things that you implement: the policies and the processes and things like that. So it does fall into the governance, risk and compliance realm a lot when it comes to those documented processes, but one thing that I want to call out, and I'll mention this several times through the presentation: when you think of your ISMS, don't think just governance, risk, compliance or, you know, that sort of realm. It goes into the technical side, and it goes into the management side, and it goes into the workforce side, and it goes into a lot of processes within your organization. So keep that in mind as we talk about this ISMS and how you go to implement it and how you learn from my lessons and things like that.

So, return on investment. If you are in a position that you're trying to

pursue an ISMS, you're trying to pursue ISO 27001 certification, and you are not having a good time getting traction with why you need to do this, maybe leadership's not bought in yet or anything like that, having a program, having an ISMS in place, really has a lot of benefits and a lot of return on investment. The first being improved communication: one of the hallmarks of your ISO certification, or your ISMS built off the ISO, is that you have communication up and down the chain of command, that your workforce knows, that your management knows, and all these different things. Communication is going to be a key item that we talk about a lot.

Competitive advantage: if you get certified with ISO, you're able to market it, you're going to be able to use that over your competitors if you're in a position that you're offering services to other people. And it kind of dovetails into the next point, which is that with the ISO certification, your clients, if you're servicing anybody, can request that certification, and you may be able to reduce how often you're having assessments done against you. A lot of your clients want to demand proof that you have security, and security is at the forefront of everybody's mind, right? So that comes to third party and third party processes. If you're in a position that you're offering services to others and you want to assure them that you're protecting their data, you can absolutely provide them the cert that you receive, and that will hopefully reassure them. They may still want to do some due diligence against you, but at least you can show that you have an independent auditor that's assessed your environment and said whether or not you're doing things securely.

Next, you can use it to improve resilience against cyber attacks. When we think of companies that maybe have zero to ad hoc processes when it comes to incident response, they're more prone to huge data breaches and things like that, and when you have an ISMS implemented you can take that program, you can formalize it, bring it to the next maturity level, and be able to do tabletops and get everybody responding in a way that they should. You take it from ad hoc to the next maturity levels and you keep improving on it. Especially when you have that plan in place, you rehearse it, you go over the things that you need to do, it gives people more confidence in responding, right, versus not having anything in place and they're running around like, oh man, I don't know what to do.

The next point down, building blocks to other frameworks, is actually one of my favorite benefits of an ISMS: you can use it to build on other things. Quick story here, or quick two stories. I have one client that I manage their ISO program for; it's my sole responsibility, I do all their oversight, and recently they decided to pursue HITRUST. What they decided to do was build HITRUST on top of that program, and they're able to implement all the controls using that framework and build it into their Statement of Applicability. So you can absolutely use it for building blocks to those other frameworks. I have another client where we did an ISO 27001 and SOC 2 implementation project. They had a client that was demanding that they get certified within a really aggressive time frame, if I remember it was about nine months, and so they leveraged ISO to build their ISMS but then had SOC 2 controls built in, and they were able to get dual certified by the end of that nine months to meet the client requirement. So lots of good building blocks there to be able to leverage as part of the return on investment. And then finally, it enforces that continuous improvement cycle. You don't want your program to be stagnant, right? You want to be in a constant state of improvement, doing all the things to get to the next level,

especially with security being so important. So with the ISMS, it definitely prompts you into that state.

So, program management. One of the top things here is it builds the organization's culture. Your security program is only going to be really as effective as the culture allows, and so companies that have a more mature ISMS, you may have your culture fully on board: they've communicated, they know when to identify a non-conformity, they understand the importance of taking awareness training and things like that. Once you have the culture bought in, it's significantly easier to be able to implement this sort of program. If you don't have the culture, or the workforce, or whoever, bought in, then you're not really going to be able to change that culture; it's going to be hard to implement this sort of program without having that kind of culture that you need, that security-first type culture.

You'll have processes that deliver auditable-type evidence. While I want to kind of look at this program from a high level, the bottom line is you're going to be audited, and so if you implement this in the right way, and if you decide to get audited, or maybe you decide you're just going to implement an ISMS and not get audited, you'll still have the auditable evidence, which is what you need for being able to successfully get past those audits. Then you need top-level management, and again, I'm going to talk about this one later because it's really important. One of the hallmarks of this program, and one of the top clauses, is that you have management support, and that management have a review and all these other things. Having that top management support within your program will enable that program to continue to be successful, versus trying to implement it when maybe the management is not invested in the way that they should be. And then you need to have internal audit for the ISMS. If you pursue ISO 27001 certification you have to do an internal audit, and just as a quick fact: do it after you implement your program, maybe a month before your external audit. That gives you a month's time to roll it into corrective action processes and things like that, and we'll talk about that one a little bit later too, because I include that as a must-do item.

So, ISO 27001. I have hit on it at a couple points. I want to break it down because it can seem quite complex; there's a lot of things going on with it. The first thing that I want to break down is the clauses. Clauses 4 through 10 are mandatory. You have to do those. Please, please, please

make sure that you do all the things in clauses 4 through 10. You can't skip any of the items; you have to make sure that you're getting all the points. And with that, you have to make sure that you buy the standard. Buying the standard will allow you to be able to view all of that information. This is meant to set up your ISMS, so this is going to be that core component to get you into that Plan-Do-Check-Act.

Then you have Annex A. Annex A is essentially a catalog of those information security controls, and what you'll do with Annex A, as the result of a risk assessment, is leverage Annex A to select the controls that will reduce your unacceptable risk. We're not going to talk about that too much during this presentation, but one of the things you have to do as part of your ISMS is conduct a risk assessment. You have to know what the risks are in your environment, and you have to select the controls from Annex A that are going to reduce those risks to an acceptable level. So make sure you do that activity and make sure you select the controls that you need to reduce those risks.

As you can tell on the right, there is that pie graph at the bottom that I believe I got from an advisor, which is a great resource; I put it at the tail end of this presentation to give you a couple reference links. This breaks down the controls, and you can tell that one half of it is kind of more administrative; you'll see processes like legal and physical security and things like that. Then the other side, over half of it, is IT-based controls. So at a high level that tells you it's not just going to be governance, risk and compliance doing these sort of things; it's going to take all of the IT team (and I'm being vague in this sense), it's going to take all the IT side to be able to implement these controls, and a lot of communication is going to need to happen for that. So that's, at a very high level, how ISO 27001 is broken down, and we're going to talk more about these as we go through when we talk about the next point, which is the must-do items.

So the must-do items, you guys. I didn't know these were must-dos whenever I first got into ISO; it was a rocky road, to say the least. First you have mandatory documents. This I knew was going to be a thing; I work in governance, risk, compliance,

there's always mandatory documents for me, so I wasn't too shocked on this one. But as we go more and more into these, I definitely started getting the magnitude of things that needed to happen. You need a scope statement: what is your ISMS all about? We'll do an anatomy of what that looks like, because I also did not know what that should look like. You have to do everything from clause 4 to clause 10. If you have not read those, please do so; it will give you so much insight into why your governance, risk, compliance team is hounding you if you have an ISMS, why things have to be done on a certain timeline and things like that. It also drives things like your management review, your corrective action process, and management's expectations and things like that. Implementation of Annex A controls, and huge disclaimer, I just touched on it: that's for the unacceptable risks, to reduce them down to an acceptable level. And then internal audit.

So out of all those things I want to touch on three sub-bullets, and I want to talk about mandatory documents first. Mandatory documents: there are roughly, I think, those six first bullets that are must, must, must-dos. You need to have a scope, you need to have an infosec policy, you need to have a risk assessment and treatment methodology type of document; this document is going to govern how you do the risk assessment. You need to have a Statement of Applicability, and we'll talk about that here in a second. You need a risk treatment plan, so the results of the risk assessment should result in a risk treatment plan that eventually makes it to the Statement of Applicability. There's a lot of complexity in these documents, so make sure that if you are just being thrown into it, you leverage online resources, you talk to somebody, you ask questions and do the things, because it can get quite complex, the things that you need to do to make sure you get this ISMS up and rolling.

There's some other documents that I include in here, and you'll see that it is tagged with, if you can see my mouse, I'm circling one right now, an A.number.number.number, and essentially this is indicating that it came from Annex A. These items are mandatory if you have selected an Annex A control as a result of the risk assessment. So if you have risk relating to assets and not knowing where they all are, you may end up doing an inventory of assets to support that particular unacceptable risk, A.8.1.3. Now, with that said, you're likely going to implement all of Annex A. I have not witnessed an organization that doesn't implement all of them, just because it makes sense, but if there are any that you decide not to do, you'll need to make sure that you write out why you're excluding it from the scope, and this will likely be on your cert, so that way other organizations can tell that you have not implemented all the controls. Because as part of third party risk management, your clients may ask for your certification, but they may also ask for your Statement of Applicability too, so that they can see what controls you actually have implemented. So just keep that in mind.

All these documents, I'm not gonna lie to you guys, they can be painful to develop, to maintain, and to do the type of activities that go with them. Just know there's tons of online resources, there's people you can talk to, there's templates, so if you're doing this and you're brand new to it, there's tons of templates online; you'll just have to use Dr. Google to find the things that you need. The next thing I want to hit on, and this is one that, quite frankly, I was weak in while I went to do this sort of program, is your scope statement. I call this out as an anatomy of a scope statement, and essentially this is what your ISMS is, and it's a couple sentences, one sentence,

whatever you want to use, that's going to describe your program. And that's a lot to unpack there, right? Because you're trying to summarize the magnitude of your program and what it's doing in a couple sentences so that someone can digest it. This scope statement here I pulled from a capstone that I did recently. Recently I taught an ISO 27001 implementation 16-week capstone to some students at Duquesne University here in Pittsburgh, a super, super awesome time to be able to teach them this, so I pulled the scope statement from that class.

So this scope statement: first you're going to address the CIA triad. You're always going to want to make sure that's in here, so you're protecting the confidentiality, integrity and availability of information assets, processes, data, whatever it may be. You want to document the business processes, and in this case, this is based off of a health care facility, I just say they're supporting outpatient services and mental health and some other things. So you'll want to have just a very high-level statement of what your business is, the business processes that it's doing, where it is, and what controls are applicable to your scope. Your scope document may also include information about your interested parties; it may also include things about your internal processes, maybe not on a high level like this, but at a more granular level: what all is supporting these outpatient services that I'm talking about. So you'll have that in your scope document, and your scope document could be your information security policy, it could be a standalone document. The scope statement is what's going to make it onto the certification, so you want to make sure that it is detailed in a way that makes sense for you.

Now, this is the last part of the must-do items that I want to cover for you guys, and this is the Statement of Applicability. The Statement of Applicability is all the controls from Annex A that you have decided to implement as a result of your risk treatment plan. It is built in a way that it's consumable: you understand what the control is, whether or not it's implemented, your justification, and whether it's fully implemented or partially implemented. This document does not need to be a spreadsheet. I know this example looks like a spreadsheet; please use whatever repository or document that you have available to you. It could be a Word document, it could be in a GRC tool, it could be some other document. I have seen this before: one of my clients used Monday, if you're familiar with it, it's a project management tool; they built their Statement of Applicability in that, and I was pretty shocked. I hadn't seen it that way before. So with ISO and your ISMS, please just use whatever you have available to you to be able to implement or put your Statement of Applicability into place.

All right, so let's talk about not skimping. There are some things that are mandatory, and there's some things that you can do to make your program better. These are the things that I've learned along the way: don't skimp here, make sure that you really hit these items. The first one on this list is buy and use the standard. Make sure that you go, you get it, you download it, you have it available to you,

and use this as you build your program. Not only is your auditor gonna expect you to have this, but it's gonna give you everything that you need to be able to know what you need to be implementing for your program. So please, please, please make sure you buy that standard. The next one down, and I have a separate sub-bullet for this, is communication. Communication is highly important; it's so important I give it its own sub-bullet.

Looks like I have Robert here saying it's out of focus. Is it out of focus for everybody? Elliot, maybe you can... it looks pretty good to me, for Maya, okay. Robert, maybe give it just a second, and if not, I do believe this is being recorded, so you could jump in later, and I'm sorry it's out of focus for you.

All right, so risk assessment. Don't skimp on the risk assessment; please make sure that you understand and you know your environment. You could easily just do a few assets and kind of get a sense of your risk assessment. Meet with the owners of the assets, meet with the system owners, meet with anybody that's considered a part of the systems, assets, whatever they may be, and get down to the bottom line, which is identifying risk, because this is ultimately going to build your ISMS, and like I said before, the Statement of Applicability is highly important to your program. So make sure you're getting to know your environment, and if you have someone telling you that they don't think they have any risk pertaining to their asset, their system, their application, whatever it may be, challenge them, because it's highly unlikely that they do not have risk. I promise you there's risk everywhere, right? We work with it every day. So make sure that you are getting down to that; challenge them if they say they don't have any risk, because I'm sure they do.

Next, budget.

Do not skimp on the budget, and I don't mean just budget from a monetary standpoint; I mean budget of your resources and your capacity planning, and filtering that into your budget, because ultimately what's going to happen is you need resources to implement the program, you need budget for the things that you need to buy to support the program. There's a lot that goes in here, right? So don't skimp on the budget; build it out, understand what resources you're going to need to use for this program, and as part of your budget, look at ongoing management of your ISMS. In fact, it's one of the bottom bullets at the bottom of the slide that it's not a once-and-done implementation, right? It's ongoing maintenance, and so make sure you build that into your budget, because you have to plan for ongoing maintenance of the things that need to happen. This isn't just from a sense of oversight, but also, if you are someone considered a stakeholder in the process or an implementer, you need to account for the time that you're gonna have to spend doing access reviews or other mandatory actions that need to happen with this program. So plan your budget.

Leadership buy-in: you have to have it; you can't get away without it. I have witnessed programs that have not been as successful because the leadership's just like, yeah, yeah, yeah, go ahead and implement it. That's not what ISO is about. ISO wants to see, your auditors are going to want to see, that management is aware of your program and that they're contributing to it, they have an understanding of it, that you have a management review with them, that you do all of these things, and they're going to want to see you demonstrate that as part of your artifacts. So don't skimp on the leadership buy-in or anything of that sense.

Centralize your approach. Whenever I had my ultra crash course in ISO, I went into this program, and I'm gonna tell you guys,

they implemented the program at the tail end of 2018, and I went in there probably around the springtime of 2019, maybe around May, and their program hadn't been operating in those six months since they got certified until I got my hands on it. And when I did get my hands on it, it wasn't centralized; you had information over here, over here, over here, in all these different repositories. Make your life easier and centralize where you're going to keep information, whether it's a Teams channel, a tool, whatever you want to use, whatever you have available to you. Please make sure that you just centralize your approach, make your life easier, don't overcomplicate the things or anything like that.

Corrective action process: we're going to touch on that one in a little bit; that requires a little more dialogue.

Don't use the ISO logo, you guys. I have seen this two times, that someone tried to use an ISO logo that was not authorized during an audit and almost lost their certification. Kid you not, I have seen it. I put it on here because I want to make sure you guys really take that to heart: don't use that logo. They even have a page on their website that's very particular. Don't use their ISO logo or they will come after you; you will possibly get an audit finding. I was quite shocked about this the first time that I went through a surveillance audit; I didn't realize how serious they were about it. So there are very particular logos that you can use for your branding, your marketing, or whatever; just make sure you're using the right one, and work with your auditor to make sure that you identify what is the right one to use. This also applies internally. I have seen instances where people use the ISO logo, whatever they pull off of Google, and they just use it on internal materials. It's still applicable: don't use the ISO logo anywhere or your auditor will come after you. Like I said, I've seen it twice, and both times it was pretty crazy to witness how they get about these logos. It must be part of their auditor training that they call those things out or they look for it.

Okay, so know your interested parties. When I talk about interested parties, it's so vague. It's not just external interested parties or people that may be investing in your program; it's internally knowing who's invested in the ISMS, whether it's management, whether it's your workforce, or whoever. You have to know those interested parties. Then, to take another step, you need to know external interested parties, whether it's your clients or other companies or whatever it may be. And then, to take it

one extra step, because ISO likes to be just a smidge complicated, you have to know what your contractual, legal, regulatory and other requirements are. This will likely be handled by someone that's in my field, governance, risk and compliance; they'll likely be facilitating what those expectations are. But you have to know what you need to adhere to for your program, and in the instance of that anatomy statement that I gave to you guys, they would need to have the HIPAA Security Rule and HIPAA Privacy Rule on their legal and regulatory requirements as part of their interested parties, and they would need to make sure that they're able to demonstrate they're actually adhering to those things. So there are things that can make your program a bit complicated when you're building it out, but those are the things you need to be mindful of.

I hit on this next one above, you guys: make sure you're maintaining your program after you implement. It was so painful, that story that I told you before where I came in, and that was my crash course too. Not only was I taking a program that hadn't been operating for a while, but I had to learn on the fly, and they had missed doing so many things in that six months the program wasn't operating that it resulted in months of rework. Months. I had things I had to do to fix their program, when if you just do ongoing maintenance you don't have to do that, and if you calculate that into your budget you can plan for it. But if you're not planning for it, then your program's just gonna fall out of compliance, and then you would have spent all that money to get it ready for nothing, because if you're not maintaining your program you definitely can't go through surveillance audits or anything like that to maintain your certification. So make sure that you're planning to maintain the program; it's definitely not once and done.

Understand the ISMS is more than just governance, risk and compliance. We oversee it, right, make sure everything's happening, you're doing all the things that need to happen, but it's more than governance, risk, compliance. It's all of us: it's people that work in tech, IT, legal, wherever. We all have to come together to make sure this program is operating within the parameters that you expect, and it has to be done in a way that's cohesive, that works, and that you're not causing any non-conformities in the system. Once you have everybody understanding that, your program becomes much easier to manage, and kind of the expectations there. Additionally with that, you have to level-set expectations with others. So if you have technical people assisting with the implementation of this, because there are technical controls, you have to level-set with them and make sure that they understand that, hey, we're not just turning this on; it may require ongoing oversight from now on. Level-setting that so they can plan appropriately, and making sure that you have that clear communication.

And then that last bullet that I want to hit on before digging deeper into those three sub-bullets I have: build an achievable timeline. If you are not being forced to do this because of a client obligation or whatever, build a timeline that's actually achievable. Don't be overly aggressive with it. If

you're overly aggressive with it it may result in decreased morale um just not hitting your milestones running out of time all these other things just make sure it's achievable leverage the standard to be to better understand what you need to do and then make that timeline achievable um i had my one client i led the efforts for their iso and sock2 um implementation and their timeline it was super aggressive um if we would have been doing this at a larger organization it was a smaller company they had about 20 people if we were doing this at a larger organization it would not have been achievable it was super aggressive nine months so from the time they started

implementation in june when we did the risk assessment to the time they had their stage one in december this is six months this is not a lot of time to implement a program from start to finish and then test it and all of those things and then they rolled into their stage two audit and then finally they had their top two testing and by the time it's all said and done it was like nine months and that's really aggressive and it's hard to um be able to get those things done while being mindful that this isn't everybody's full-time job you're pulling on resources to help you get this implemented and kind of keeping mindful of those downstream impacts

So communication. This is highly, highly important. I think I've said it multiple times already: know your audience. Not everybody's going to be bought in. Be totally mindful of that. Understand that not everybody's going to see the value in it and not understand the return on investment, but know your audience. Speak the language of management, speak the language of the implementers, speak the language of the workforce. Understand how to communicate with them, because those are going to be the people that ensure your program stays successful. It's not going to be me in governance, risk, and compliance. I'm just going to make sure all the compliance things are happening. These are the people that are going to make sure that you actually stay in compliance. They're going to make sure that the program's actually doing the things that it needs to, because it all filters back up to me.

So management. Understand that management, they're going to want to know the bottom line. Is the budget on track? Do we have any major risk that they need to plan money for? Do we have any major other things going on? They want to know the bottom line, the things that are going to impact the business, which is fair. They need to know those things. Speak the language of the implementers. Understand that this is not their full-time job, and I don't expect them to treat it as that. So when you're talking with them, be mindful that this may be painful for the people that are implementing, the people that have to support the things that we're trying to do in the security group, and speak their language. Bring them a cup of coffee if it brightens up their day, I don't care. Just speak their language. Understand that it's painful for them. And then speak the language of the workforce. We all know that the workforce, they're the number one risk to our program, right? That human factor, right? So speak the language of the workforce. Understand that they're not going to understand all the complexities that I'm telling you guys about today, but they need to understand certain aspects. They need to understand that we've implemented an ISMS. They maybe need to understand security awareness, and they need to at least sign off on the information security policy and things like that. So make sure you speak those different languages.

Now, one thing that I think is a valuable piece of advice, and it's one of the things that I take into concept with any of the security awareness programs that I help stand up or the presentations that I've done on it, is think of how you're communicating with these different groups as kind of marketing, right? You want them to be invested in whatever you're trying to sell. So market to them. Get them invested in what you're doing, and you can plug and play that with whatever you're thinking of, but make sure they're invested in it and they want to buy it, because that will keep them engaged in the thing that you are trying to do. If you just throw information at them, you know, word-vomit all the things that they need to do, and you're not breaking it down, they're not going to be invested in it, and you risk falling out of compliance because these key people just aren't invested in it. So think of your communication as a marketing strategy. If you can get them enticed into whatever you're trying to sell to them, you will be highly successful if you take it from that approach, and kind of keeping those things in mind.

All right, leadership buy-in. Super important. Assemble your best anchorman squad, whoever you want to have talking to the management. Build your use case. Make sure they're bought in. Make sure they're attending the meetings where you're talking about these things and the impact and how it has all these downstream effects. They have to be bought in. They have to do the management review. So the management review, gosh, I can't recall what clause it comes from exactly, I want to say maybe nine. Management review is really prescriptive. They have to be a part of that review, and they have to be invested in the program, so you've got to make sure that you communicate with them and make sure that you have your infosec team, your GRC team, whoever, making sure that that dialogue happens and that they're bought into it. Because if not, your program is at risk, and it's at risk when the auditors come. It's at risk of failing because you don't have the support. So make sure you have that buy-in and make sure that you're addressing it, and, you know, change course if you need to if they're not completely bought in and take a different tactic, but just make sure that they're bought in.

All right, corrective action process. This is also another item within ISO that's highly prescriptive, and so I felt like this one was a good one to call out, where you don't skimp here. During my first experience with ISO, I remember, all right, corrective action plans, I have them written up, like, yeah, we have to get this thing done, and I had, like, a bare minimum type thing written up. You can't do that. It's super prescriptive. So my word of advice here is make sure that you go to 10.1, Nonconformity and corrective action, and you make sure you read that part, and when you build your corrective action process, that you take all these things into consideration, because you have to have an owner, you have to have a plan, you have to understand if that non-conformity is resulting in other non-conformities to your ISMS, and you have to identify if it's changing anything in your ISMS in the first place. So make sure that's a standardized process and that everybody knows about it.

One of the things that I've experienced a lot, and maybe it's partly my fault, but partly not having the right communication and not understanding if the person had actually received or understood the communication, is that this process is highly, highly important to your program. One of the first things that the auditor is going to do whenever they come to look at your ISMS is they're going to want to know what corrective actions you had during the year, and they're going to look at this, and they are going to want to know, well, why didn't this corrective action get remediated or corrected within the time frame? And it's likely not going to be a lot of people in security. It's going to be the person that owns the process. It could be that, maybe, vulnerabilities aren't being patched. Well, it's going to be the person that owns that asset that's not patching the vulnerabilities, and they're going to need to be able to say why they're not doing these things.

And so you have to make sure that process is standardized, and you have to take it a step further and make sure that the people that may actually have non-conformities understand the significance of a corrective action plan, and that they're not just sitting on it, and that they're taking action on it. Make sure they have a repository. Again, you don't have to go out and buy a fancy GRC tool or anything like that. You can use whatever's at your fingertips. So it could be a spreadsheet, it could be a Word document, it could be Monday, like the one client that I told you about that had Monday, which is, again, a project management tool. Yes, they put the Statement of Applicability, they put their policies, they put non-conformities, all sorts of things in their Monday tool. I was super, super surprised by just how much they were able to get into this project management tool. So use whatever you have available to you.

The last thing here is do not forget to do root cause analysis on any of the non-conformities you have. So again, going back to that concept of continuous improvement, if you have a non-conformity, meaning you're not adhering to something within your program, and you're not doing a root cause analysis on why that non-conformity happened, then you may have additional non-conformities that have that same root cause, and so you're not really fixing what actually happened. You may fix the non-conformity and put a band-aid on it, but you're not fixing the root cause of why that thing happened, and it's going to result in more and more things happening. So you have to make sure that you get that done, that you have that in place, and that you have that root cause analysis documented, so that way you have proof of it. It doesn't have to be anything complicated. I use the 5 Whys approach whenever I do root cause analysis: go down the rabbit hole of "why" until you have no more whys to ask and you hit the bottom. Root cause analysis doesn't have to be overly complicated. You just have to get there, and then you have to make sure you're addressing and fixing that.

So this is the last area I'm going to hit. Looks like I'm still doing okay on time. I call this "put a bow on it." So think of your ISMS like a nice package that you want to hand to the auditor. You don't want all of your hard work to go to waste, so put a bow on it: contain the evidence, make sure that you have a manual (which I'll show in a second, what I mean by having a manual), make sure you have continuous improvement going on. You don't want to waste all that hard work that you did by not having the program operating after you implement and then not having any continuous improvement happening, because what's going to happen is your leadership, they're not going to get bought into anything else because we let that program slip, or your program's not going to go to the next maturity level. So make sure you're hitting that cycle of continuous improvement to make sure your program continues to get better. And then audit prep. Audit prep, I think, is highly important. We're going to dig into that one in just a second. Make sure you do audit prep, and make sure that you build audit prep into that achievable time frame that we were talking about.

So, ISMS manual. You can use whatever repository you have available to you. In this instance I just created a bunch of folders, just to show you guys what I mean by a manual. The manual is going to take all those things that you just did, all the work, all the evidence, all of the artifacts, and it's going to put it in a central repository, so that way when the auditor does come, you've put the bow on it, you've ticked and tied, you've done all the things to make this nice package. All of your hard work goes into here. You're likely going to have to dig up some stuff as they ask questions, but the meat and potatoes of the things that you just got done doing are in those folders. And so the auditor's going to say, oh, show me your governance. Well, here you go. Here's my governance, and here's my internal audit artifacts, and here's my management review, here's all the things. It's going to make your life so much easier whenever you sit down to do your audit. And you can use it for your internal audits too, so it definitely makes your life easier. Like I said, this is going to be someone that is maintaining oversight of the program and knows all the things going on.

But just make sure, if you aren't that person, that you know where these things are, because you'll likely need to be involved.

Audit prep. So audit prep I have always thought was a challenge. You don't know what to expect. A lot of people go into the audit super nervous. So if you are familiar with going through an audit and you are overseeing this sort of program happening, please plan a chunk where you're doing just audit prep. What I mean is building that manual, having an eight-hour prep session, whatever you want to do, where you sit down and you look at all the things that I just covered in that manual, and you walk with your internal stakeholders, and let me take that back, your main stakeholders, to look at your manual. People like your CSO and other people that are going to be invested in those things. Have them sit down and walk through this manual and make sure that you have all the things that you need for your auditor, and that everybody's aware of those materials. Because I have been in an audit where people were not aware of the materials and they started saying the wrong thing, and you never want that happening during the audit. So make sure everybody's aware of these documents, they know how to navigate to them, they understand their purpose, and have this session a couple weeks in advance. I promise you, it will make your life so much easier. I usually do it about three weeks in advance. We sit down, we spend eight hours in the same room, and this year we did it virtually, well, last year we did it virtually, and you sit there and you go through all the things. And if you can get time back to your day by doing it quicker, then by all means, but make sure everybody's aware of those documents. Doing it three weeks in advance allows you time to go back and correct the documents, to make sure there's nothing in there that's wonky or out of place.

And then that kind of ties into the next bullet down, which is prep the auditees. So while we're talking about the main stakeholders, the CSO, you know, maybe the other parts of the security team, make sure that you're prepping the auditees. We didn't dig too much into that, but as part of your ISMS you're going to have some process areas identified, and the process areas are going to have owners with them, and those owners are likely going to be on the hook for going through the audit, and you want to make sure that they're ready. I would hate to send anybody into an audit feeling nervous or stressed or not knowing what they're going to be asked or anything like that. So have a prep session with them, and if you're not familiar with getting prepped, pull from your resources, figure out what are the things that they need to get ready for, and just get them to a place that they can go into the room, they know what to say, they know what not to say, and things like that. It'll make the audit go so much smoother, and it will allow them to get more comfortable with what they're doing.

And then the last bullet there, which I've picked up through various audits, is just have a private channel for anybody involved in the audit. This will allow you to have some offline dialogue: you know, what documents to share, whether or not you should say something, if the auditor is going down a rabbit hole that you don't want them to go down, how to get away from it, and things like that. So the private chat will just allow you to get some comfort during the audit and get yourself ready.

Let's see. Oh, one of the bullets I skipped here is know the technology that's going to be used for the audit. With everything happening with the pandemic, the past couple audits I've gone through have been remote. Understand what they're going to be using. Make sure you understand and prep the people that are going to be going into the audit so that way they have some level of confidence. And if they're going to be on site, understand that they're going to be on site and plan for that. The smoother you can make the audit go, the better your life will be and the less stressed you'll be. And I know I'm saying that and you're like, oh man, I'm still going to be stressed, it's still an audit. Yeah, you will, but getting prepared beforehand will take your stress level down a few notches, so you can go in knowing that you did everything you could versus going in and just wondering about all these things that you should have done that you maybe didn't. So just take that into consideration.

All right, so we're at the end. I really hope that you guys learned something from this. I have just tons of pain points that I've experienced, and I don't know if they all came through. If you have any questions that you don't want to ask in the chat or anything, feel free to drop me a message, either through this tool or you can reach out to any of the things I have on here. I do have some references included in this presentation. This is a public link, it's on Prezi, so if any of you guys are wanting any of the references I used in here, or things that you could use to get familiar with, you know, ISMS, you can always use those references I have. So that's all I have for you guys. Thank you for coming, and I think Elliot's going to see us out of here, and if you don't have any questions, I hope you guys all have a wonderful day.

Rose, thank you so much for your presentation. I, for one, learned a lot from that. Guys, I just wanted to make a quick plug: there will be a happy hour for BSides tonight from six to nine at Punch Bowl Social. As Rose put up, if you have any questions, she has all of her information on there. Feel free to reach out and enjoy the rest of the conference. All right, bye guys, take care everyone.