1. IT Security Services
CONTROL FACTORY
|BEHIND THE SCENES|
Software Quality principles applied to
Security Controls

2. ITSecurityServices
BUSINESS ENVIRONMENT
CONTROL FACTORY |BEHIND THE SCENES|

3. ENERGY GIANT / BUSINESS LINE / BUSINESS UNIT
Integrated and dynamic management of
portfolio – purchasing contracts, assets and
sales contracts
Management & Trading of Energy
Client Business Environment

4. REGULATORY/CONTROLS CONSTRAINTS
Highly monitored and regularly audited
activities
Internal
controls
Compliance
Legal
External
audits
Group internal controls
Business line controls
Internal Compliance & Legal
Risk Operations
Internally driven Externally driven
Various
Auditors

5. ITSecurityServices
CONTROLS FRAMING
CONTROL FACTORY |BEHIND THE SCENES|

6. Security Controls governance
 Discipline/Part of Corporate Governance focused on
information technology (IT) oriented security controls
aligned with business constraints
Security Control book
 An important element of a framework ensuring that
the organization’s policies/requirements are
formalized, monitored and implemented as controls
over time
 A centralization of security controls carried out on the
organization
 A tool-based methodology implementing the security
control strategy
FRAMING CONTROLS BASED ON REQUIREMENTS

7. Controlsources
Requirement
Campaign
1
2
3
n
n
n
n
n
n
relationship | cardinality
Report/Gap analysis needs
Execution coverage
Requirement coverage
SECURITY CONTROLS | SOFTWARE QUALITY PRINCIPLES

8. Standards
Regulation
Internal
Framework
In-house best
practices
Sources of requirements
Risks
Requirement 1
Requirement 2
Requirement 3
Requirement 4
Requirement “n”
internal REG
REG
Internal
IN HOUSE
AUDIT
…
Sources of control
Control 1
Control 2
REQ 1 REQ 2
REQ 1 REQ 4
Sourcesofcampaign
Iteration 1
Campaign1
Control “n”
REQ n REQ n
Campaign “n”
CTL n
CTL 4
CTL n
Sourcesofiterations
Iteration 2
CAM 1
Iteration 1
Iteration 2
CAM 2
Requirement view
Control view
Campaign view
Execution view
Incidents
CONTROL ECOSYSTEM
CAM 1
CAM 2

9. Title
Description
Criticality
Category
(Security, Business…)
Owner
Group/source
(tag or ordering)
Covered risk
FRAMEWORK @ A GLANCE
Requirement template

10. Title Description
Nature
(administrative, technical, physical)
Function
(preventive, detective, corrective, recovery)
Type
(Security)
Frequency
Level
(1 to 3)
RACI matrix
FRAMEWORK @ A GLANCE
Control template

11. Title Description
Control suites
(STU 1, STU 2,…)
Assignee
Planning
Execution status
Basic stats
Control plan
(CTL1, CTL2,…)
FRAMEWORK @ A GLANCE
Campaign template

12. Controlsources
Requirement
Campaign
1
2
3
n
n
n
n
n
n
relationship | cardinality
Report/Gap analysis needs
Execution coverage
Requirement coverage



- Requirements covered by controls ?
- All controls associated to requirement ?
- Controls executed as expected ?
- Execution coverage of requirement ?


SECURITY CONTROLS | SOFTWARE QUALITY PRINCIPLES

13. ITSecurityServices
IAM SECURITY OPERATIONS
CONTROL FACTORY |BEHIND THE SCENES|

14. CONTROL FACTORY | DEFINE
refers to :
Control Factory (CF)
a structured collection of assets
that aids in producing controls through an assembly process
according to specific requirements1 3
2 4
The Control factory applies manufacturing
techniques and principles …
> Formalization > Automation
> Services Oriented > Industrialization
Right process  right result Reduce manual intervention
Activities divided in services Reusable components

15. CONTROL FACTORY | OBJECTIVES
… to mimic the benefits of traditional
manufacturing
>Consistency
build multiple instances of a control product line & set of
controls sharing similar “features and architecture”
>Quality
integrates reusable controls reducing the likelihood of control
design flaws
>Productivity
Controls activities can be streamlined and automated

16. Conception
Design and logic according to
requirements
Suppliers
relationship
Sourcing of data,
qualification, remediation
Production
Producing resources for
controls reports, dashboards
Delivery
Making resources for controls
available
Supervision
Governing controls campaign
and remediation
Internal
QA, maintenance,
improvements
CONTROL FACTORY | ACTIVITIES/SERVICES
Customers

17. CONTROL FACTORY | PRODUCTION SERVICES
Control Production
Production is divided in 6 distinct stages :
Supply Raw data from multiple collect sources
Compute Loading, ordering & storing data
Reconcile Identities vs. accounts
Control Production of control resources
SoD Advanced controls
Report Presenting results as expected

18. PRODUCTION SERVICES| SUPPLY
Supply
… loading raw data, reconciliation, mapping
and ordering for reuse
Controlsfactory
Advanced controls
Reports/views
Controls
Data Reconciliation
Compute
2
3
1
Attaching identities to respective
unitary organization
Reconciling identities with accounts,
perms…
Producing controls in the factory
Reporting results in expected views 4
…

19. PRODUCTION SERVICES| REPORT
Report … presenting control data as requested
(format & delivery)
• Timeslots
• Reports
• Data exports
Web portal
• Reports sent to
reviewers
Campaign

20. Data
Lifecycle
Data
Quality
Data
Volume
Business
Activity
CONTROLS GOVERNANCE | FOCUS ON PITFALLS
 Reduce treatment time
from import to
remediation
 Based on reliable data,
readable and
understandable
 Deeply analyzed and divided i.e.
volume that are “control ready”
and “supervision ready”
 Better integration of
stakeholders
processes

21. › Ergonomics and design
› Administration
› Dashboard & Reporting
› Automation
CAMPAIGN & CONTROLS | ANALYSIS
› Tickets directly created and assigned
› Follow-up using the factory
› Dynamic reports (web interfaces)
› Point and click review
› Enriched information
› Delegation mechanism enhanced
› Improved planning and review mechanism
Orientations and improvements
› Automated and real-time
› Web-based dashboard

22. ITSecurityServices
THANK U / QUESTIONS
CONTROL FACTORY |BEHIND THE SCENES|