Compliance Framework


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Compliance Framework

  1. 1. Integrated Compliance Framework<br />Dave Barnett, CISSP, CISM, CSDP, CSSLP<br /><br />
  2. 2. Sarbanes Oxley<br />Financial reporting accuracy<br />Health Insurance Portability & Accountability Act (HIPAA)<br />Medical information for employee benefits<br />Privacy<br />European Union Data Protection Directive<br />Canada<br />Japan<br />California Senate Bill 1386 (plus 25 other states)<br />FDA<br />21 CFR Part 11 and Good Manufacturing Practice (GMP)<br />Some Compliance Requirements…<br />
  3. 3. Federal Trade Commission<br />Consumer protection <br />Credit Card regulations<br />Payment Card Industry (PCI) required by VISA CISP, MasterCard SDP, and Amex Data Security Requirement <br />Trade Compliance<br />Custom Trade Partnership Against Terrorism (C-TPAT)<br />Export of materials and technology to restricted companies<br />Environmental Health and Safety (EH&S)<br />Hazardous materials handling and transportation<br />DEA<br />OSHA<br />Continued…<br />
  4. 4. Litigation<br />eDiscovery<br />Intellectual Property (IP)<br />Patents and Patent infringement litigation<br />Certifications<br />ISO 9001<br />ISO 17799 / ISO 27001 <br />BS 15000 / ISO 20000 <br />Continued…<br />
  5. 5. Emerging legal standard for security* <br />T.J. Hooper case, 60 F.2d 737 (2d Cir. 1932)**<br />In 1928, the tug boat T.J. Hooper sank in a storm. The cargo owners sued, saying the tugboat captain should have known a storm was coming.<br />Tug owner said only way to know was to have a radio on board, which was not common practice, and not required by any law.<br />However, Judge agreed with cargo owners – the tug owners should have had a radio on board, even though it was not required. The lack of a radio made the tug unseaworthy.<br />Legal Strategy for Compliance<br />* See and<br />** From Tom Smedinghoff, Baker & McKenzie, at RSA 2006 presentation LAW-104 <br />
  6. 6. Identify the assets to be protected<br />Conduct risk assessment<br />See<br />Develop and implement a security program<br />That is responsive to the risk assessment<br />Must be in writing<br />Reasonable, appropriate, suitable, necessary, adequate<br />Addressthird parties<br />Contractors, customers, suppliers, business partners, and providers of outsourced services<br />Due diligence, contractual obligation, monitoring and auditing<br />Continually monitor, reassess, and adjust the program<br />Compliance Strategy*<br />* From Tom Smedinghoff, Baker & McKenzie, at RSA 2006 presentation LAW-104 <br />
  7. 7. There is considerable overlap (~ 80%) for all security and privacy related compliance requirements<br />These and other requirements typically need documented and implemented good processes<br />“Say what you do, do what you say”<br />Follow compliance strategy<br />Identify information assets to be protected<br />Follow a risk management process<br />For example, NIST SP 800-30<br />How do we handle all of these compliance requirements?<br />
  8. 8. Following industry standards is a good start<br />Provides a defensible position against regulation and litigation<br />Best practices are beneficial and defensible<br />Recent revisions of standards include risk management <br />COSO ERM<br />COSO + Risk Management<br />CobiT 4.0<br />ISO 17799:2005 <br />Create Defensible Position<br />
  9. 9. Adopt current industry standards<br />But get ahead of the curve where possible<br />Document and follow process<br />Include risk management as a best practice<br />Make sure processes are:<br />Effective<br />Efficient<br />Auditable<br />Good Practice, Good Process<br />
  10. 10. Three levels of frameworks, each operating at different degree of detail and scope, that together provide a set of controls and governance for IT Regulatory Compliance<br />Each level down provides more detail and greater scope<br />Level 1: COSO Enterprise Risk Management (ERM)<br />Organization wide controls<br />Endorsed by the SEC for Sarbanes-Oxley<br />Level 2: CobiT® 4.x<br />IT wide controls relating to COSO ERM<br />PO9 and DS5.2<br />Level 3: Subject matter specific controls and best practices, e.g.<br />ITIL SM (for AI6, DS9, DS10)<br />IT Service Delivery <br />ISO 17799:2005 (for DS5)<br />IT Security<br />ISO 15288:2002 (for AI2, AI3, AI7)<br />System Development Life Cycle<br />PMI PMBOK (for PO10)<br />Project Management<br />Six Sigma (for PO8)<br />Integrated Compliance Framework<br />
  11. 11. ITIL (Information Technology Infrastructure Library)<br />Republished in 2002 as British Standard 15000, IT Service Management<br />Part 1 is specification for certification<br />Part 2 is code of practice<br />Republished in 2005 as ISO 20000, Information Technology Service Management<br />Part 1 is specification for certification<br />Part 2 is code of practice<br />Compliance Standards Harmonization<br />
  12. 12. ISO 17799 <br />Originally British Standard 7799<br />Part 1 is code of practice<br />Part 2 is specification for certification<br />Satisfies CobiT® DS5 - Ensure Systems Security<br />ISO 17799:2005 is the code of practice<br />Required for BS15000:2 and ISO 20000:2<br />Part 2 of BS 7799 (specification for certification) republished as ISO 27001:2005<br />Required for BS15000:1 and ISO 20001:1<br />Compliance Standards Harmonization<br />
  13. 13. ISO 9001<br />Quality Management Systems -Requirements<br />ISO 27001 satisfies ISO 9001 for Systems Security<br />BS15000:1, ISO 20000:1, and ISO 20000:2 satisfy ISO 9001 for service management<br />CobiT® 4.0 (2005)<br />Harmonized with ITIL, ISO 9001, ISO 17799, and CMM<br />Six Sigma<br />ISO 27001, ISO 20000:1, and ISO 20000:2 use PDCA (Deming Cycle), a learning model used in Six Sigma and other Quality Programs<br />Provides tools for Quality Management Systems<br />Continuous improvement keeps us ahead of the curve and satisfies monitoring and assessment requirement for legal process.<br />Compliance Standards Harmonization<br />
  14. 14. Committee of Sponsoring Organization (COSO) of the Treadway Commission (, <br /> “Enterprise Risk Management – Integrated Framework” (<br />Enterprise risk management is:<br />A process, ongoing and flowing through an organization<br />Effected by people at every level of an organization<br />Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk<br />Able to provide reasonable assurance to an entity’s management and board of directors<br />Level 1: COSO ERM<br />
  15. 15. Eight interrelated COSO components, derived from the way management runs a business<br />Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.<br />Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.<br />COSO ERM Components<br />
  16. 16. Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.<br />Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.<br />Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.<br />COSO ERM Components<br />
  17. 17. Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.<br />Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.<br />Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.<br />COSO ERM Components<br />
  18. 18. Control Objectives for Information and related Technology (CobiT)<br />(<br />Covers all controls within or relevant to IT organization<br />Level 2: CobiT® 4.x <br />
  19. 19. Level 2: CobiT® 4.x Plan and Organize (PO)<br />PO1 Define a Strategic IT Plan<br />PO2 Define the Information Architecture<br />PO3 Determine Technological Direction<br />PO4 Define the IT Processes, Organization and Relationships<br />PO5 Manage the IT Investment<br />PO6 Communicate Management Aims and Direction<br />PO7 Manage IT Human Resources<br />PO8 Manage Quality<br />Six Sigma<br />Standards Process<br />PO9 Assess and Manage IT Risks<br />PO10 Manage Projects<br />PMBOK<br />
  20. 20. AI1 Identify Automated Solutions<br />AI2 Acquire and Maintain Application Software*<br />SDLC<br />AI3 Acquire and Maintain Technology Infrastructure*<br />SDLC <br />AI4 Enable Operation and Use*<br />AI5 Procure IT Resources<br />AI6 Manage Changes*<br />ITIL <br />AI7 Install and Accredit Solutions and Changes<br />SDLC<br /><ul><li>*Priorities for Sarbanes Oxley</li></ul>Level 2: CobiT® 4.x Acquire and Implement (AI)<br />
  21. 21. DS1 Define and Manage Service Levels*<br />DS2 Manage Third-party Services*<br />DS3 Manage Performance and Capacity<br />DS4 Ensure Continuous Service<br />DS5 Ensure Systems Security*<br />ISO 17799:2005 / 27001:2005<br />DS6 Identify and Allocate Costs<br />DS7 Educate and Train Users<br />DS8 Manage Service Desk and Incidents<br />DS9 Manage the Configuration*<br />ITIL<br />DS10 Manage Problems*<br />ITIL<br />DS11 Manage Data*<br />DS12 Manage the Physical Environment<br />DS13 Manage Operations*<br />Level 2: CobiT® 4.x Deliver and Support (DS)<br />
  22. 22. ME1 Monitor and Evaluate IT Performance<br />ME2 Monitor and Evaluate Internal Control<br />ME3 Ensure Regulatory Compliance<br />ME4 Provide IT Governance<br />Level 2: CobiT® 4.x Monitor and Evaluate (ME)<br />
  23. 23. ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world. (<br />provides a cohesive set of well defined best practices, drawn from the public and private sectors internationally. <br />It is supported by a comprehensive qualification scheme, accredited training organizations, and implementation and assessment tools.<br />Addresses and extends CobiT level of compliance framework: <br />AI6 Manage Changes*<br />DS9 Manage the Configuration*<br />DS10 Manage Problems*<br />AKA BS 15000, or ISO 20000<br />Level 3: ITIL<br />
  24. 24. Guidelines and certification for IT Security Program<br />“Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”<br />Address and extends CobiT level of compliance framework: <br />DS5 Ensure Systems Security*<br />Required for BS 15000 and ISO 20000 security<br />AKA BS 7799, or ISO 27001 <br />Level 3: ISO 17799<br />
  25. 25. Project Management Body of Knowledge from PMI<br />Describes best practices for Project Management<br />Addresses and extends CobiT level of compliance framework: <br />PO10 Manage projects<br />IEEE 1490-2003, Adoption of PMI Standard: A Guide to the Project Management Body of Knowledge <br /><br />Level 3: PMBOK<br />
  26. 26. ISO 15288:2002 is a compendium of standards and best practices for systems and software development life cycle methodologies<br /><br />Addresses and extends CobiT level of Compliance Framework:<br />AI2 Acquire and Maintain Application Software*<br />AI3 Acquire and Maintain Technology Infrastructure*<br />AI7 Install and Accredit Solutions and Changes<br />Level 3: System Development Life Cycle<br />
  27. 27. Six Sigma is a disciplined, data driven approach and methodology for eliminating defects and improving quality<br /><br />Addresses CobiT level of Compliance Framework<br />PO8 Manage Quality<br />Level 3: Six Sigma<br />
  28. 28. The Compliance Framework consists of generally accepted industry standards and risk management practices at multiple levels, to meet requirements for a security program in an effective, efficient, and auditable manner.<br />Summary<br />