Leveraging Best-Practice Frameworks to Simplify Regulatory Compliance


"Leveraging Best-Practice Frameworks to Simplify Regulatory Compliance"
Alan Calder, CEO, IT Governance

Leveraging Best Practice Frameworks to Simplify Regulatory Compliance
Thought Rock Live, 16 November 2010
Alan Calder, IT Governance Ltd
www.itgovernance.co.uk

OVERVIEW
Governance and regulatory background
Managing regulatory risk
Role of best practice frameworks
The CobiT/ITIL/ISO 27002 Framework
Critical success factors in deployment
Questions and Answers

IT Governance Ltd 2005 - 2010

Governance and compliance requirements
Canadian Law
– US-based entities (including subsidiaries)
– Canadian Securities Regulations
– PIPEDA
US Laws
– Listed companies: Sarbanes Oxley, SEC regulation – primarily financial compliance and governance, heavily IT-dependent
– Sectoral regulation: GLBA, HIPAA, HITECH, PATRIOT ACT
– Data Breach laws
– Other: CAN-SPAM Act, various state-level Data Security Laws
EU organizations
– Corporate Governance regime
– EU data protection, privacy regimes
Manager's Guide to Compliance: www.trbookstore.com/product/1292.aspx
Emerging Standard for Corporate Compliance: www.trbookstore.com/product/1805.aspx
Conclusion: conflicting and competing legal and regulatory requirements

Conflicts & common themes
Governance: shareholder rights, transparency, board accountability
– US corporate governance vs EU corporate governance
– Statute vs voluntary code
– 'Comply or die' vs 'comply or explain'
– Rules-based vs principles-based
– Financial risk vs operational risk
– The 'triple bottom line' – economic, environmental and social
Data protection & privacy protection
– Two separate regimes
– Interaction with Freedom of Information legislation
– Increased data collection parallels growing concern over individual data protection
– Canadian and EU regulations more stringent, more coherent than US
– Common EU code, although implemented differently in each EU country
– Most individual US states have their own privacy protection regulations, some with far-reaching provisions
Confidentiality, availability and integrity of information
Design and implementation of appropriate controls
Changing environment requires management's on-going attention

Managing compliance
Traditional approach
– Law- and regulation-specific compliance activity
– Silo-based
  – Finance deals with financial compliance
  – IT deals with data and computer-related regulation
  – Operational units deal with specific compliance requirements
– Rules-focused
  – Substantial case law and other guidance
– Project-based, eg Basel project, MiFID project, SOX project
– Use external consultants
Now inadequate
– Many controls relate to more than one compliance requirement
– Absence of coherent national and international guidelines
– Evolving, fast-changing legal environment
– Untested laws and regulations
– Jurisdictional and regulatory overlaps
  » 50 different state security breach laws
– Emerging loopholes
– Aggressive regulators (particularly US)
– Retrospective impacts
– Conflict between managing principles-related risk and rules-based risk
– Compliance projects bring costs, divert resources, interrupt processes

It's not just compliance
More people online → increased digital risk
– Evolving, increasingly sophisticated threats: action at a distance, automation, identity theft, organized crime, blended threats, terrorism
– Technological evolution: VoIP, iPods, VoB, Social Media, Cloud computing
– Commercial migration to the Internet: communication, commerce
Increased digital danger for citizens → increased regulatory opportunity for lawmakers
– New regulations likely to have the same characteristics as the existing ones

Management of Risk
Boards must, on an ongoing basis, identify, assess and deal with significant risks in all areas, including in information and communications processes (Turnbull Guidance)
US executives must inform the SEC 'on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer' (SOX s409)
Operational risk is 'the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events' (Basel Committee definition, 2001)
'The board must identify key risk areas; these should be regularly monitored, with particular attention given to technology and systems' (King III), and 'the board is responsible for the total process of risk management' (King III)

ERM and COSO
SOX expects the use of an Internal Control framework such as COSO
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
– Enterprise Risk Management – Integrated Framework (2004)
– Encompasses the Internal Control – Integrated Framework
– "All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value"
COSO defines internal control as:
– a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  – effectiveness and efficiency of operations
  – reliability of financial reporting
  – compliance with applicable laws and regulations

Best Practice Frameworks – CobiT
Fourth edition, widely adopted, including in Europe
Looks at the management of the IT organization
Broad and principles-based
Aimed at board members, managers and auditors
A toolkit of critical success factors, key goal indicators, key performance indicators and maturity models
34 information technology processes
– Four domains: Planning and organization; Acquisition and implementation; Delivery and support; and Monitoring
– 318 recommended control objectives
  – Each with an audit guideline
Incorporates a generic process CMM
Full CobiT selection: www.trbookstore.com/category/56.aspx

The Challenge
Internal control structures are more interested in integrity and availability of data – less so confidentiality
– Privacy and data protection regulation is all concerned with confidentiality
Internal control structures are more interested in controls than in delivering IT services
Internal control structures are weak on information security controls
– where there is a major strategic threat
Internal control structures do not automatically generate bottom-line benefits
Internal control projects can conflict – for resources and priority – with more business-focused IT service management and information security projects

Best Practice Frameworks – ITIL
ITIL – IT Infrastructure Library
– Emerged from OGC, now ITILv3 – fastest growing international IT framework
– Aimed at IT service management practitioners, but with a broad, cross-IT relevance
– IT Service Lifecycle
IT Service Management
– 'management of services to meet the customer's requirements' (OGC)
– ISO/IEC 20000:2005
Qualifications scheme, formal training, implementation tools
ITIL is very widely adopted
ITIL is about business ownership of business-orientated processes that perform reliably and consistently – ie their existence is fundamental to the control environment, but they have never been mapped to the COSO requirements
ITIL Books: www.trbookstore.com/category/192.aspx
ISO20000 Books: www.trbookstore.com/category/62.aspx

Best practice frameworks – ISO 27001 & ISO 27002
OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002)
– Confidentiality, availability, integrity of data
– Risk-assessment driven
– Aimed at information security practitioners
ISO/IEC 27001:2005 is the specification for an Information Security Management System
– Vendor-independent, technology neutral
– Applies across all sectors, all organizational sizes
– Capable of external certification
ISO/IEC 27002:2005
– Mandated by ISO/IEC 27001
– International Code of Best Practice
– 15 clauses, 134 controls
Controls and implementation guidance more detailed than CobiT
Key principles – availability, integrity, confidentiality – at the heart of information protection regulation
– Key controls map to specific requirements of HIPAA, GLBA, PCI etc
ISO27001 Books & Tools: www.trbookstore.com/category/91.aspx

Best of all Worlds: Joint Framework
Aligning CobiT, ITIL and ISO 27002 for Business Benefit – a Management Briefing from ITGI and OGC
– Formalizes the relationship between the three IT best-practice frameworks
– Initiates an on-going work programme leading to improved interaction
CobiT should be used to provide "an overall control framework based on [generic] IT process model" – defines what should be done at the governance (high) level
ITIL and ISO 27002 are mapped to high-level CobiT process and control objectives
– ISO 27002 defines what must be done in terms of information security controls
– ITIL describes how service management aspects should be handled
– Appendix I maps CobiT controls to ITIL processes and ISO 27002 controls
– Appendix II maps ITIL processes to CobiT control objectives
– Enables ITIL, CobiT and ISO 27002 projects to be cross-linked/integrated
Provides a single, coherent, officially-developed independent best-practice framework for IT and business
Source: ligning COBITITILV3ISO27002 Bus Benefit 9Nov08 Research.pdf

ITIL and ISO 27002 Precision 1
Control environment: organization

CobiT Control Objective: PO4.6 Establishment of roles & responsibilities
Key areas:
– Explicit roles and responsibilities
– Clear accountabilities and end-user authorities
ITIL:
– SS 2.6 Functions & processes across the lifecycle
– SD 6.2 Activity analysis
– SD 6.4 Roles & responsibilities
– ST 6.3 Organisation models to support service transition
– CSI 6 Organising for continual service improvement
ISO 27002:
– 6.1.2 Information security co-ordination
– 6.1.3 Allocation of information security responsibilities
– 6.1.5 Confidentiality agreements
– 8.1.1 Roles & responsibilities
– 8.1.2 Screening
– 8.1.3 Terms & conditions of employment
– 8.2.2 Information security awareness, education & training

ITIL and ISO 27002 Precision 2
Control environment: systems security

CobiT Control Objective: DS5.4 User account management
Key areas:
– Lifecycle management of user accounts and access privileges
ITIL:
– SO 4.5 Access management
– SO 4.5.5.1 Requesting access
– SO 4.5.5.2 Verification
– SO 4.5.5.3 Providing rights
– SO 4.5.5.4 Monitoring identity status
– SO 4.5.5.5 Logging & tracking access
– SO 4.5.5.6 Removing or restricting rights
ISO 27002:
– 6.1.5 Confidentiality agreements
– 6.2.2 Addressing security when dealing with customers
– 8.3.1 Termination responsibilities
– 8.3.3 Removal of access rights
– 10.1.3 Segregation of duties
– 11.1.1 Access control policy
– 11.2.1 User registration
– 11.2.2 Privilege management
– 11.2.4 Review of user access rights
– 11.3.1 Password use
– 11.5.1 Secure logon procedures
– 11.5.3 Password management system
– 11.6.1 Information access restriction

Critical success factors
It must be designed to work
– Take legal advice – ensure specific, relevant legal requirements are identified and compliance with them built into the programme
– A single, over-arching risk-management framework that will meet the ERM requirements as well as conform with CobiT, ITIL, ISO 27001 and regulatory requirements
– Design controls and measures into processes – ie ensure that ITIL practitioners and controls experts talk early
– Ensure that controls are proportionate to the risk
– Develop a single documentation system within an integrated framework and delivery/maintenance process
– Integrate with other processes and frameworks
– Common language, standard definitions, standardised approach to all aspects of the framework
– Ensure that change management is inbuilt and operative, so that the framework can evolve
– Integrate audit and external review processes
Treat it as a programme of linked projects
– Not a one-off, make-or-break effort
– Prioritize implementation to ensure effective resource deployment for visible benefits
– Enable organizational learning
– Keep everything in proportion
It's a change management project
– Management must fully understand and drive best-practice selection and deployment
– Users must fully understand and support best-practice deployment
– Initial training for everyone involved
Business-level risk assessment should drive the programme
Identify clear (meaningful), user-related benefits from effective IT systems

Benefits
Single integrated compliance approach
– Delivers a complete internal control framework
– Delivers general control objectives in line with corporate governance requirements
– Meets regulatory requirements of data- and privacy-related regulation
– Certification to ISO 27001 and ISO 20000 demonstrates compliance
– Prepares the organization for future/emerging regulatory requirements
– Demonstrably a coherent attempt to comply with competing regulations and meet complex compliance requirements
Improves business performance
– Focuses on business processes, rather than controls
– Enables a broad-based shift from reactive to proactive IT operations
– Enables effective external training and qualification of staff and a standard measure of assessing skills and knowledge
– Increased standardisation can lead to reduced costs, improved efficiency and increased quality
– Works cross-company, reducing vertical silos of expertise and practice, improving communication and business effectiveness
Speed of deployment
– Builds controls into business processes
– Avoids 'trial and error' wheel re-invention
– Reduces dependence on expensive technology experts and proprietary methodologies
Can improve competitiveness – because of increased attractiveness to consumers and commercial customers

Q&A
Alan Calder, IT Governance Ltd
www.itgovernance.co.uk

Join Us For Lunch Every Tuesday At 12PM!
Phone: 1.877.581.3942
Email: Info@ThoughtRock.net
Twitter: @ThoughtRockers
www.ThoughtRock.net
