Contract Compliance Framework
This presentation describes how a contract compliance service can be provided to help organisations working on bids achieve compliance quickly and effectively. The key compliance areas include: Data Protection, Information Security (ISO 27001), PCI DSS, SOX and FSA. The author is a seasoned risk management consultant with experience of quick-win strategies and tactics for achieving the aims and goals of an exercise.

  1. Contract compliance service (pre- and post-contract compliance)
     Ben Oguntala, LLB Hons, LL.M, CEO
     Diagram labels: PCI, FSA, DPA, SOX, 27K
  2. About the Author
     • Education
       – LLB Hons
       – LL.M: Financial/Securities regulation; UK/EC competition law
     • Forte
       – Risk Management specialist
       – Fraud compliance consultant
       – Compliance specialist
       – Data Protection specialist
       – Information Security consultant
       – Outsourcing compliance
       – Merger & acquisition due diligence
     • Previous clients
       – British Gas
       – Vodafone
       – Orange
       – O2 Telefonica UK
       – RWE NPower
       – BNP Paribas
       – Ministry of Justice (London Probation)
       – Revenue & Customs
       – Nortel/Motorola/Ericsson/Nokia
       – CapGemini
       – BT
       – KPMG & Cisco
     • CEO, Riesgo Risk Management. Telephone – 07812 039867
     “Contract compliance is a value add solution that assists Organisations involved in the activities of gathering compliance Evidence in support of a bid or contract.”
  3. Introduction
     • Riesgo Risk Management solution is a service that is designed to continuously monitor & maintain an organisation’s compliance to key regulatory standards in a bid to support project tenders.
     • It monitors and maintains compliance in order to ensure that project requirements are dealt with as time efficiently as possible.
     • The solution offers assurance to the parties in a contract and enables a fast response to project requirements for compliance.
     Diagram (Riesgo Compliance solution): Framework setup → Ongoing compliance → Core compliance functions / Add-on compliance functions (PCI, FSA, DPA, SOX, 27K) → Gaps & remediation → Projects
  4. Riesgo RM compliance cycle
     1 – New or recurring client: project bid initiated
     2 – Recurring clients: Riesgo RM would start at 6 (end client set up)
     3 – Definition of scope: the client’s agreed requirements
     4 – Initial setup and audit (compliance implementation)
     5 – Compliance report based on 4
     6 – Remedial work to fill the gap identified
     7 – Final audit: confirmation that the gaps are filled
     8 – Generation of compliance report in accordance with customer requirements in 3
     Diagram labels: Scope definition; Initial audit; Compliance report with remedial work; Remedial work; Final compliance audit; Compliance report generated
  5. Compliance in contract bids/tenders
     • Regulatory: DPA; SOX; FSA; PCI; ISO 27001
     • Organisation: ISMS forum; Security management; Management structure; 3rd parties & outsourcing
     • Processes: Policies and procedures; Incident management; Business continuity planning; Audit; Security operations
     Every contract has an element of compliance requirement associated with it. In view of the fact that quite often a contract will include access to client data, it is reasonable to assume that, at minimum, a few sets of standards and regulatory requirements would apply. The service we provide is ongoing compliance monitoring that allows an organisation to cost-effectively respond to project requirements for compliance reports & evidence.
  6. Our services: Regulatory compliance
     • The solution we provide will enable a client to demonstrate their compliance with the following regulatory requirements:
       – DPA – Data Protection Act
         • Applicable in the UK and Europe
       – SOX
         • Applicable to companies trading on the US stock exchange
       – FSA – Financial Services Authority
         • Applicable to organisations that are regulated by the Financial Services Authority
       – PCI
         • Applicable to organisations that handle or transmit payment card services
       – ISO 27001
         • Applicable to all organisations with IT systems that have an obligation to operate a secure system
  7. Our services: Organisational framework
     • The solution we provide can demonstrate an organisation’s information security structure and architecture fairly easily, as well as a continuous assessment of compliance.
       – ISMS forum
         • A management structure that handles information security issues and gives access to senior management on security-related matters
       – Security management
         • The involvement of security in the operation of the organisation: the link between business units and the management team.
       – Management structure
         • Demonstrating the link between business management teams and their security responsibilities as well as engagement.
       – 3rd parties and outsourcing
         • Demonstrating that adequate processes and controls are in place between the organisation and 3rd parties.
         • Where there is outsourcing in place, can demonstrate that the tentacles of security are extended to the outsourcing parties in the form of policies and procedures.
  8. Our services: Processes
     • The solution we provide can demonstrate the client has adequate processes in place to meet the project requirements.
       – Policies
         • Policies are listed in a central repository and reviewed frequently
         • Policies are associated with procedures and guidelines and also frequently reviewed
       – Incident management
         • Incident reporting from the client’s business units, 3rd parties or outsourcing partners
         • Incident management register
         • Risk register
       – Business continuity plan
         • BCP policies, procedures and test schedules
       – Audit
         • Internal and external audits with fixes for non-compliances
       – Security operations
         • Security management structure
         • Security points of contact per business unit
         • 3rd party security points of contact
         • Asset register
         • Risk management framework
  9. Solution organisation (diagram)
     • Executive summary
     • Common functions overview: Management; Policies; Procedures; Processes
     • Contract compliance dashboard (PCI, FSA, DPA, SOX, 27K): Non-compliances; Gap analysis; Remedial action
     • Added functions: Setup; Implementation; Audit; Risk report; Compliance report; Reports
     • The client → Compliance → Project compliance requirements (PCI, FSA, DPA, SOX, 27K)
  10. Compliance matrix
     Columns: FSA requirements (Core FSA); PCI requirements (Core PCI); SOX requirements (Core SOX); DPA requirements (Core DPA)
     Rows (ISO27001 control areas): Business continuity; Security organisation; Compliance monitor; Training & awareness; Policies & procedures; Asset management; HR security; Physical & environmental security; Incident management; Compliance; Change management; Access control
     Compliance levels shown: FSA 100%; PCI 100%; SOX 80%; DPA 97%; 27K 80%
  11. Implementation project
     • Stage 1 – Gap analysis
       – Assess your current estate & your objectives
       – Release of your BRS
       – Scope definition
     • Stage 2 – Project design
       – Designing your requirements based on the result of stage 1
       – Release of the HLD to be signed off
     • Stage 3 – Implementation
       – Once the HLD is designed and signed off, we initiate the implementation across a portion of your estate
       – We confirm that all the adaptors can trigger alerts
     • Stage 4 – Roll out
       – Taking stage 3 and methodically rolling out the solution to the rest of your estate
     The implementation project can take up to 6 months and 3 man resources. The number of resources may vary due to the scope of the project. The costs associated include:
       – Software licence
       – Incident management licence
       – Support and maintenance
     The solution is designed to be a cost effective means to curtailing fraud within your estate.
  12. Contact details
     • Ben Oguntala
     • Email –
     • Telephone – +44 7812 039 867