
20140410 - Identity management, access traceability - Analogy with software quality


Control factory - Software Quality principles applied to security controls

Published in: Software

  1. IT Security Services. CONTROL FACTORY | BEHIND THE SCENES | Software Quality principles applied to Security Controls.
  3. CLIENT BUSINESS ENVIRONMENT. Energy giant / business line / business unit: management & trading of energy; integrated and dynamic management of portfolio – purchasing contracts, assets and sales contracts.
  4. REGULATORY/CONTROLS CONSTRAINTS. Highly monitored and regularly audited activities: internal controls, compliance, legal, external audits. Internally driven: group internal controls, business line controls, internal compliance & legal, risk, operations. Externally driven: external audits, various auditors.
  6. FRAMING CONTROLS BASED ON REQUIREMENTS. Security controls governance: a discipline, part of corporate governance, focused on information technology (IT) oriented security controls aligned with business constraints. Security control book: an important element of a framework ensuring that the organization's policies/requirements are formalized, monitored and implemented as controls over time; a centralization of the security controls carried out on the organization; a tool-based methodology implementing the security control strategy.
  7. SECURITY CONTROLS | SOFTWARE QUALITY PRINCIPLES. Diagram: control sources, requirements and campaigns linked by n-to-n relationships (relationship | cardinality: 1, 2, 3 … n). Report/gap analysis needs: execution coverage and requirement coverage.
  8. CONTROL ECOSYSTEM. Requirement view: sources of requirements are standards, regulation, internal framework, in-house best practices and risks; Requirement 1 … Requirement "n", each tagged with its source (internal, REG, in house, audit …). Control view: sources of control; Control 1 covers REQ 1 and REQ 2, Control 2 covers REQ 1 and REQ 4, Control "n" covers REQ n. Campaign view: sources of campaign; Campaign 1 … Campaign "n" each group a control plan (CTL 4, CTL n …). Execution view: sources of iterations; CAM 1 and CAM 2 each with Iteration 1 and Iteration 2; incidents.
  9. FRAMEWORK @ A GLANCE: Requirement template. Fields: title, description, criticality, category (security, business …), owner, group/source (tag or ordering), covered risk.
  10. FRAMEWORK @ A GLANCE: Control template. Fields: title, description, nature (administrative, technical, physical), function (preventive, detective, corrective, recovery), type (security), frequency, level (1 to 3), RACI matrix.
  11. FRAMEWORK @ A GLANCE: Campaign template. Fields: title, description, control suites (STU 1, STU 2, …), assignee, planning, execution status, basic stats, control plan (CTL 1, CTL 2, …).
  12. SECURITY CONTROLS | SOFTWARE QUALITY PRINCIPLES. Same control sources / requirement / campaign diagram as slide 7; the report/gap analysis needs (execution coverage, requirement coverage) answer four questions: Are requirements covered by controls? Are all controls associated to a requirement? Are controls executed as expected? What is the execution coverage of each requirement?
  14. CONTROL FACTORY | DEFINE. Control Factory (CF) refers to a structured collection of assets that aids in producing controls through an assembly process according to specific requirements. The Control Factory applies manufacturing techniques and principles: (1) formalization: right process, right result; (2) automation: reduce manual intervention; (3) services oriented: activities divided in services; (4) industrialization: reusable components.
  15. CONTROL FACTORY | OBJECTIVES: to mimic the benefits of traditional manufacturing. Consistency: build multiple instances of a control product line and sets of controls sharing similar "features and architecture". Quality: integrate reusable controls, reducing the likelihood of control design flaws. Productivity: control activities can be streamlined and automated.
  16. CONTROL FACTORY | ACTIVITIES/SERVICES. Conception: design and logic according to requirements. Supplier relationship: sourcing of data, qualification, remediation. Production: producing resources for controls (reports, dashboards). Delivery: making resources for controls available to customers. Supervision: governing control campaigns and remediation. Internal: QA, maintenance, improvements.
  17. CONTROL FACTORY | PRODUCTION SERVICES. Control production is divided in 6 distinct stages: Supply (raw data from multiple collect sources); Compute (loading, ordering & storing data); Reconcile (identities vs. accounts); Control (production of control resources); SoD (advanced controls); Report (presenting results as expected).
  18. PRODUCTION SERVICES | SUPPLY. Supply: loading raw data, reconciliation, mapping and ordering for reuse. Pipeline: data → reconciliation → compute → controls factory → controls → advanced controls → reports/views. Steps: (1) attaching identities to their respective unitary organization; (2) reconciling identities with accounts, permissions …; (3) producing controls in the factory; (4) reporting results in expected views.
  19. PRODUCTION SERVICES | REPORT. Report: presenting control data as requested (format & delivery). Web portal: timeslots, reports, data exports. Campaign: reports sent to reviewers.
  20. CONTROLS GOVERNANCE | FOCUS ON PITFALLS. Data lifecycle: reduce treatment time from import to remediation. Data quality: based on reliable data, readable and understandable. Data volume: deeply analyzed and divided, i.e. volumes that are "control ready" and "supervision ready". Business activity: better integration of stakeholders' processes.
  21. CAMPAIGN & CONTROLS | ANALYSIS. Axes: ergonomics and design, administration, dashboard & reporting, automation. Orientations and improvements: tickets directly created and assigned; follow-up using the factory; dynamic reports (web interfaces); point and click review; enriched information; delegation mechanism enhanced; improved planning and review mechanism; automated and real-time; web-based dashboard.
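Added example, not code from the deck or from the Control Factory tool it describes: a gap analysis over the requirement / control / campaign / execution model of slides 7, 8 and 12, answering the four questions of slide 12 on constructed sample data. The REQ/CTL/CAM identifiers, the execution statuses and the coverage formula are assumptions.

```python
"""Gap analysis over requirements, controls, campaigns and executions.
Added example; all identifiers and statuses are constructed sample data."""
from collections import defaultdict

# Requirement -> source, as in the slide 8 requirement view (constructed)
REQUIREMENTS = {"REQ-1": "REG", "REQ-2": "INTERNAL", "REQ-3": "AUDIT", "REQ-4": "IN-HOUSE"}
# Control -> requirements it covers (slide 8: CTL 1 -> REQ 1, REQ 2; CTL 2 -> REQ 1, REQ 4)
CONTROLS = {"CTL-1": ["REQ-1", "REQ-2"], "CTL-2": ["REQ-1", "REQ-4"], "CTL-3": []}
# Campaign -> its control plan (constructed)
CAMPAIGNS = {"CAM-1": ["CTL-1", "CTL-2"], "CAM-2": ["CTL-2", "CTL-3"]}
# (campaign, iteration, control) -> execution status (constructed)
EXECUTIONS = {
    ("CAM-1", 1, "CTL-1"): "done",
    ("CAM-1", 1, "CTL-2"): "failed",   # executed, but raised an incident
    ("CAM-1", 2, "CTL-1"): "done",
    ("CAM-1", 2, "CTL-2"): "failed",
    ("CAM-2", 1, "CTL-3"): "done",     # CTL-2 is planned in CAM-2 but never ran
}

def uncovered_requirements(reqs=REQUIREMENTS, controls=CONTROLS):
    """Q1 'requirements covered by controls?': requirements no control covers."""
    covered = {r for rs in controls.values() for r in rs}
    return sorted(set(reqs) - covered)

def orphan_controls(controls=CONTROLS):
    """Q2 'all controls associated to a requirement?': controls covering none."""
    return sorted(c for c, rs in controls.items() if not rs)

def unexecuted_planned(campaigns=CAMPAIGNS, executions=EXECUTIONS):
    """Q3 'controls executed as expected?': planned (campaign, control) pairs
    with no execution recorded in any iteration."""
    ran = {(cam, ctl) for cam, _, ctl in executions}
    return sorted((cam, ctl) for cam, ctls in campaigns.items()
                  for ctl in ctls if (cam, ctl) not in ran)

def execution_coverage(reqs=REQUIREMENTS, controls=CONTROLS, executions=EXECUTIONS):
    """Q4 'execution coverage of requirement?': share of a requirement's
    covering controls with at least one successful execution (0.0 if none)."""
    succeeded = {ctl for (_, _, ctl), status in executions.items() if status == "done"}
    by_req = defaultdict(list)
    for ctl, rs in controls.items():
        for r in rs:
            by_req[r].append(ctl)
    return {r: sum(c in succeeded for c in by_req[r]) / len(by_req[r]) if by_req[r] else 0.0
            for r in reqs}

if __name__ == "__main__":
    print("uncovered:", uncovered_requirements(), "orphan controls:", orphan_controls())
    print("not executed:", unexecuted_planned(), "coverage:", execution_coverage())
```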
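Added example, not the deck's own tooling: the reconcile and SoD stages of slides 17 and 18, attaching identities to their organization unit, reconciling them with accounts and permissions, and flagging toxic permission combinations. The HR identities, the account extracts and the SoD rule are constructed sample data.

```python
"""Identity vs. account reconciliation followed by an SoD control.
Added example; every record and the SoD rule below are constructed."""
from collections import defaultdict

# Constructed HR feed: identity id -> (organization unit, status)
IDENTITIES = {
    "i001": ("TRADING", "active"),
    "i002": ("TRADING", "active"),
    "i003": ("BACKOFFICE", "left"),   # leaver: should hold no account
    "i004": ("RISK", "active"),       # active person with no account at all
}
# Constructed account extracts: (system, login, owner identity, permissions)
ACCOUNTS = [
    ("ETRM", "jdoe", "i001", {"trade_entry"}),
    ("ETRM", "jdoe-adm", "i001", {"trade_approval"}),  # same person across two accounts
    ("ETRM", "asmith", "i002", {"trade_entry"}),
    ("ETRM", "svc_batch", None, {"trade_entry", "trade_approval"}),  # no owner: orphan
    ("AD", "bjones", "i003", {"login"}),                 # leaver still enabled
]
# Constructed SoD rule: permissions a single identity must not combine
SOD_RULES = [("trade_entry", "trade_approval")]

def reconcile(identities=IDENTITIES, accounts=ACCOUNTS):
    """Return the reconciliation findings as sorted lists of 'system:login' / ids."""
    orphans = sorted(f"{sys}:{login}" for sys, login, owner, _ in accounts
                     if owner is None or owner not in identities)
    leavers = sorted(f"{sys}:{login}" for sys, login, owner, _ in accounts
                     if owner in identities and identities[owner][1] != "active")
    owned = {owner for _, _, owner, _ in accounts}
    no_account = sorted(i for i, (_, status) in identities.items()
                        if status == "active" and i not in owned)
    return {"orphan_accounts": orphans, "leaver_accounts": leavers,
            "identities_without_account": no_account}

def sod_violations(identities=IDENTITIES, accounts=ACCOUNTS, rules=SOD_RULES):
    """Aggregate permissions per identity across all its accounts, then report
    (org unit, identity, rule) for every toxic combination held by one person."""
    perms = defaultdict(set)
    for _, _, owner, ps in accounts:
        if owner in identities:          # orphan accounts are reported by reconcile()
            perms[owner] |= ps
    return sorted((identities[i][0], i, rule) for i, ps in perms.items()
                  for rule in rules if set(rule) <= ps)

if __name__ == "__main__":
    print(reconcile())
    print(sod_violations())
```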