CYBER RISK & SECURITY
4 steps to transform the compliance nightmare into a smooth journey
IT risk, Data Privacy & Cyber Security compliance
NOV 9th 2017
Whitepaper lead - Maxime de Jabrun
Key contributors - Boris Mallet, Laurent Cordival, Julien Pinot
© Beijaflore Group
TABLE OF CONTENTS
01 REGULATIONS CHALLENGE FOR ORGANIZATIONS
02 OUR APPROACH
03 ONE GLOBAL COMPLIANCE APPROACH
04 THE EVOLVING SCOPE OF APPLICABILITY
05 COMPLIANCE PROGRAMS PRIORITIZATION
06 MONITORING AND CONTROL OF COMPLIANCE
1 REGULATIONS CHALLENGE FOR ORGANIZATIONS
CYBERSECURITY REGULATIONS HAVE BECOME A COMPLEX CHALLENGE FOR ORGANIZATIONS
STAKES
• Demonstrate compliance to sustain business activities and develop reputational trust
• Limit the risk of financial penalties and management liability
• Optimize compliance analysis and implementation
• Facilitate reporting to authorities
• Enable digital transformation
CONTEXT
• Digitization increases the value of organizations' IT assets and their exposure to threats
• Growth in the number of data breaches (in the US: +590% in 11 years) and increase in the value stolen during data breaches
• Organizations face a multiplication of regulations, defined to quickly secure this digital transformation
• Requirements come from various regulatory authorities: geographic, industry, clients and technology partners
• The multiplication of compliance programs aggravates the shortage of cybersecurity resources
The growth of cyber security threats has generated a regulations overlap for organizations in the US.
SOME CYBER SECURITY REGULATIONS
(1) Critical Infrastructure Protection
(2) General Data Protection Regulation
CIP (1) – Essential services: ensure the security of vulnerable and interconnected infrastructures in the United States (overseen by FS-ISAC, HHS, FEMA)
GDPR (2) – Specific data: ensure the protection of personal data for each European citizen by May 2018
US laws / regulations – By location (US): New York DFS, HIPAA, Gramm-Leach-Bliley Act, FISMA…
Others – By technology: SWIFT, PCI-DSS, …
BEIJAFLORE OBSERVED THE FOLLOWING RECURRENT ISSUES
• Ambiguous scope of applicability implies complexity with a broad scope and non-compliance risk with an over-selective scope
• Difficulty adapting compliance programs to different asset types
• Unsatisfactory compliance governance within the organization
• Subject matter experts unavailable in the organization
• Multiplication of frameworks, policies and tools
BEIJAFLORE OBSERVED THE FOLLOWING RECURRENT ISSUES (DETAIL)
Unsatisfactory governance of compliance within the organization
• Unclear responsibilities between internal stakeholders
• Difficulty aligning entities' constraints and objectives for compliance
• Need for a common alignment of the organization's entities (legal, IT, business) on compliance
• Lack of skills and/or empowerment of the single point of contact for reporting to the authority
• Local entities manage each compliance program alone, without Group governance & organization
Ambiguous scope of applicability implies complexity with a broad scope and non-compliance risk with an over-selective scope
• Requirements and control points overlap between regulations
• Cost & operational impact of assessing new regulation requirements within the global compliance strategy
• Ambiguous wording of regulation requirements generates inconsistencies between scopes or occurrences
• Increased compliance costs on mutualized IT (IS, organization, user & admin access)
• Compliance on the full scope is too expensive for organizations, and inefficient at covering risks
Difficulty adapting compliance programs to different asset types
• The IT asset referential evolves fast compared with the compliance program timeframe
• Need to quickly update the IT referential to avoid program delays
• Inaccurate asset referential and mapping degrade cost and time efficiency in compliance programs
• Change management: technical changes are difficult to make because of a lack of control over IT impacts
Subject matter experts unavailable in the organization
• Lack of IT, control and legal skills for the project
Multiplication of frameworks, policies and tools
• Requirements multiplication results in a high number of overlapping policies
• Non-applicable or contradictory requirements
• High number of compliance follow-up spreadsheets, dashboards, etc.
• Vocabulary inconsistency
2 OUR APPROACH
OUR APPROACH TO ADDRESS THE COMPLIANCE NIGHTMARE
1 ENFORCE ONE GLOBAL COMPLIANCE APPROACH: SHARING & SPECIALIZATION
• One single program
• Corporate leadership involvement
• Sharing of a common framework
• Business compliance initiatives reuse
• Role specialization for compliance
2 MANAGE THE EVOLVING SCOPE OF APPLICABILITY
• Detailed scope of applicability with clear and shared criteria
• Scope of applicability isolation
• Integration of compliance requirements in change management
• New requirements negotiation with contractors
3 PLAN COMPLIANCE PROGRAMS THROUGH MATURITY LEVELS AND PROJECTS' ITERATIVE IMPLEMENTATION
• Assessment of required workload, investment costs and impact on the run
• Plan prioritization
• Identification of & focus on quick wins with high impact on compliance
4 ENSURE ONGOING COMPLIANCE MONITORING AND CONTROL
• Non-compliance monitoring
• Self-assessment and capability to demonstrate compliance to the authority
• Risk evaluation & non-compliance acceptance
3 ONE GLOBAL COMPLIANCE APPROACH
INTEGRATE ALL COMPLIANCE PROGRAMS IN A GLOBAL STRATEGY & CYBERSECURITY PROGRAM
• All compliance requirements should be managed through a standard Group approach: local entities should not manage each compliance program alone
• Compliance mapping:
– The Group should have an overall view of local compliance regulations, fed by each entity
• Mapping of regulation requirements to internal policies:
– The Group needs to update its internal policy to ensure coverage of the organization's full scope
• Implementation program/project steering:
– Depending on Group governance, operational efficiency and milestones
• Reporting to authorities:
– A central global GRC solution as-a-service, with a single point of contact for each authority
Look for opportunities to reuse other compliance or business initiatives when deploying compliance programs, to minimize additional budget and awareness/change management effort
INVOLVE CORPORATE LEADERSHIP IN COMPLIANCE INITIATIVES AND BUILD EFFICIENT COMMUNICATION
• Compliance programs require corporate leadership and commitment to be effective
– Corporate programs require transversal involvement
– Group entities & departments are more likely to collaborate if compliance programs are sponsored by top-level management
• Corporate leaders & compliance officers should provide efficient communication through:
– Policies and procedures
– Training & awareness materials
– Disciplinary guidelines
– Standards
→ Involve top management in compliance initiatives to gain Group support
→ The compliance project team needs high seniority to be able to communicate with top management
DECIDE ON COMPLIANCE GOVERNANCE: SPECIALIZE ROLES
There should be a single point of contact for authority reporting, technical arbitration and compliance control, who will:
• Ensure global consistency of compliance program approaches
• Identify conflicts between regulation requirements and arbitrate
• Control compliance with all requirements
Workforce planning is key to compliance program success
• Appropriate soft-skills casting
• Training on compliance
Subject matter experts should be transversal to all compliance programs
→ Do not rebuild SME teams for each program
Specialized roles: Assurance, Program Management, Experts
DEFINE AND SHARE A COMMON FRAMEWORK OF REQUIREMENTS FOR ALL COMPLIANCE REGULATIONS
APPROACH
› Translate requirements into a common language
› Standardize all compliance requirements in a reference matrix/control plan
• Impacts (scale defined with the business), catalogue of threat sources, vulnerabilities, controls, security tools
› Globally manage the Group's level of compliance based on the framework
• Program status follow-up
FOR EACH NEW REGULATION:
› Transformation of all requirements into the common language
› Requirements mapping & integration in the control plan
› Gap analysis
• Perform the gap analysis against the new regulation's requirements
• Confirm the gap analysis with operational contacts
• Update the control plan
› Remediation plan
• Define program streams & approach
• Manage program streams
4 THE EVOLVING SCOPE OF APPLICABILITY
MANAGE THE EVOLVING SCOPE OF APPLICABILITY
• Define a detailed scope of applicability with clear and shared criteria
• Isolate the scope of applicability as much as possible
• Start negotiating new requirements with third parties as soon as possible to meet deadlines
• Integrate compliance requirements in change management (build & evolution process)
Questions to answer:
• What are the compliance requirements?
• Which criteria will I use?
• What assets are considered/impacted?
• Which departments/entities are concerned?
• Who are my suppliers/contractors/3rd parties?
• What demands should be required of them?
• What are the different projects/initiatives in the organization?
• On specific IT or business assets?
5 COMPLIANCE PROGRAMS PRIORITIZATION
DRIVE THE COMPLIANCE PROGRAMS PLANNING THROUGH MATURITY LEVELS AND ITERATIVE IMPLEMENTATION OF EACH PROJECT
• Assess your organization's process maturity with 5 maturity levels
– 5 – Optimized
– 4 – Controlled
– 3 – Defined
– 2 – Repeatable
– 1 – Heroic
• Use a 3-step iterative implementation for each initiative (Prototype, Expansion, Finalization), progressively widening the organizational scope and the technical assets covered, based on
– Requirements
– Organizational scope: start with a compliance-mature entity
– Technical assets: start with “easy” assets to quickly show results
PRIORITIZATION THROUGH 3 STEPS
1 – Sections with short-term deadlines + improve low-maturity sections up to DEFINED
2 – Reach the CONTROLLED maturity level on all processes
3 – Optimized compliance
6 COMPLIANCE MONITORING AND CONTROL
MONITOR NON-COMPLIANCE TO PEACEFULLY PRIORITIZE ACTIONS
[Figure: risk matrix plotting numbered requirements (1 to 18) by maturity level of non-compliance (low to high, vertical axis) against ease to implement (low to high, horizontal axis)]
Use one global referential to ease internal change management, global arbitration and reporting
• Requirement/section maturity level
• Number of points of conformity
• Risk matrix (non-compliance risk vs ease to implement actions)
• Act quickly on the easy-to-implement / high-impact-on-compliance items
Monitor non-compliance
PREPARE COMPLIANCE SELF-ASSESSMENT TOOLS AND THE CAPABILITY TO DEMONSTRATE COMPLIANCE TO THE AUTHORITY
ASSURANCE LEVELS
1. Declarative statement
2. Controlled statement
3. Automatic tool
4. Certified automatic tool
• Define assurance maturity levels for self-assessment
– Promote automated assessment throughout your organization
• Prepare compliance self-assessment tools (dashboards, questionnaires, Excel sheets, forms, etc.)
• Identify means and capabilities to demonstrate compliance to external/internal authorities
• Prepare & maintain the list of compliance evidence for authorities
• Define the process for compliance certification with the authority when applicable
• Work with internal audit teams when possible/applicable
Self-assessment allows steering of initiatives and quick decision making
CONTACTS
Publication Director
NYC office
Maxime de JABRUN
Global Executive Vice President
mdejabrun410@beijaflore.com
+33 6 64 65 28 39
CISSP, ISO 27001 Lead Auditor, Lean 6 Sigma Blackbelt
Boris MALLET
Cyber Risk & Security Manager
bmallet201@beijaflore.com
+1.646.790.5726
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 

Beijaflore inc. white paper IT compliance program v1.0

  • 5. SOME CYBER SECURITY REGULATIONS
    The growth of cyber security threats has generated an overlap of regulations for organizations in the US.
    – CIP (Critical Infrastructure Protection), by essential services: ensure the security of vulnerable and interconnected infrastructures in the United States (overseen by FS-ISAC, HHS, FEMA)
    – GDPR (General Data Protection Regulation), by specific data: ensure the protection of the personal data of every individual in the European Union, applicable from May 2018
    – US laws / regulations, by location (US): New York DFS, HIPAA, Gramm-Leach-Bliley Act, FISMA…
    – Others, by technology: SWIFT, PCI-DSS, …
  • 6. BEIJAFLORE OBSERVED THE FOLLOWING RECURRENT ISSUES
    – Ambiguous scope of applicability: an overly broad scope creates complexity, an over-selective scope creates non-compliance risk
    – Difficulty adapting compliance programs to different asset types
    – Unsatisfactory compliance governance within the organization
    – Unavailability of subject matter experts in the organization
    – Multiplication of frameworks, policies and tools
  • 7. BEIJAFLORE OBSERVED THE FOLLOWING RECURRENT ISSUES (DETAIL)
    Unsatisfactory governance of compliance within the organization
    – Unclear responsibilities between internal stakeholders
    – Difficulty aligning the constraints and objectives of the different entities for compliance
    – Need for a common alignment of the organization's entities (legal, IT, business) on compliance
    – Lack of skills and/or empowerment of the single point of contact for reporting to the authority
    – Local entities manage each compliance program alone, without Group governance and organization
    Ambiguous scope of applicability: an overly broad scope creates complexity, an over-selective scope creates non-compliance risk
    – Requirements and control points overlap between regulations
    – Cost and operational impact of assessing each new regulation's requirements within the global compliance strategy
    – Ambiguous wording of regulatory requirements generates inconsistencies between scopes or between occurrences of the same control
    – Increased compliance costs on shared IT (information systems, organization, user and administrator access)
    – Compliance on the full scope is too expensive for organizations, and inefficient at covering the actual risks
    Difficulty adapting compliance programs to different asset types
    – The IT asset inventory (referential) evolves fast compared with the timeframe of a compliance program
    – Need to quickly update the IT inventory to avoid program delays
    – Inaccuracy of the asset inventory and of asset mapping degrades the cost and time efficiency of compliance programs
    – Change management: technical changes are hard to make because IT impacts are not under control
    Unavailability of subject matter experts in the organization
    – Lack of IT, control and legal skills for the project
    Multiplication of frameworks, policies and tools
    – Multiplication of requirements drives a high number of overlapping policies
    – Non-applicable or contradictory requirements
    – High number of compliance follow-up spreadsheets, dashboards, etc.
    – Inconsistent vocabulary
  • 8. 2 OUR APPROACH
  • 9. OUR APPROACH TO ADDRESS THE COMPLIANCE NIGHTMARE
    1. Enforce one global compliance approach: sharing and specialization
    – One single program
    – Corporate leadership involvement
    – Sharing of a common framework
    – Reuse of business compliance initiatives
    – Role specialization for compliance
    2. Manage the evolving scope of applicability
    – Detailed scope of applicability with clear and shared criteria
    – Isolation of the scope of applicability
    – Integration of compliance requirements in change management
    – Negotiation of new requirements with contractors
    3. Plan compliance programs through maturity levels and iterative implementation of projects
    – Assessment of required workload, investment costs and impact on run operations
    – Plan prioritization
    – Identification of, and focus on, quick wins with high impact on compliance
    4. Ensure ongoing compliance monitoring and control
    – Non-compliance monitoring
    – Self-assessment and capability to demonstrate compliance to the authority
    – Risk evaluation and non-compliance acceptance
  • 10. 3 ONE GLOBAL COMPLIANCE APPROACH
  • 11. INTEGRATE ALL COMPLIANCE PROGRAMS IN A GLOBAL STRATEGY AND CYBERSECURITY PROGRAM
    – All compliance requirements should be managed through a standard Group approach: local entities should not manage each compliance program alone
    – Compliance mapping: the Group should hold the overall view of local compliance regulations, fed by each entity
    – Mapping of regulatory requirements to internal policies: the Group needs to update its internal policy to ensure coverage of the organization's full scope
    – Steering of implementation programs/projects: depending on Group governance, operational efficiency and milestones
    – Reporting to authorities: a central global GRC solution as a service, with a single point of contact for each authority
    Look for other compliance or business initiatives to reuse when deploying compliance programs, to minimize additional budget and awareness/change management effort.
  • 12. INVOLVE CORPORATE LEADERSHIP IN COMPLIANCE INITIATIVES AND BUILD EFFICIENT COMMUNICATION
    – Compliance programs require corporate leadership and commitment to be effective: corporate programs require transversal involvement, and Group entities and departments are more likely to collaborate if compliance programs are sponsored by top-level management
    – Corporate leaders and compliance officers should communicate efficiently through policies and procedures, training and awareness materials, disciplinary guidelines, and standards
    Involve top management in compliance initiatives to gain Group support. The compliance project team needs high seniority to be able to communicate with top management.
  • 13. DECIDE ON COMPLIANCE GOVERNANCE: SPECIALIZE ROLES (Assurance, Program Management, Experts)
    There should be a single point of contact for authority reporting, technical arbitration and compliance control, who will:
    – Ensure the global consistency of compliance program approaches
    – Identify conflicts between regulatory requirements and arbitrate them
    – Control compliance with all requirements
    Workforce planning is key to compliance program success:
    – Appropriate soft-skills casting
    – Training on compliance
    Subject matter experts should be transversal to all compliance programs: do not rebuild SME teams for each program.
  • 14. DEFINE AND SHARE A COMMON FRAMEWORK OF REQUIREMENTS FOR ALL COMPLIANCE REGULATIONS
    Approach:
    – Translate requirements into a common language
    – Standardize all compliance requirements in a reference matrix / control plan: impacts (scale defined with the business), catalogue of threat sources, vulnerabilities, controls, security tools
    – Manage the Group's level of compliance globally, based on the framework (program status follow-up)
    For each new regulation:
    – Transform all its requirements into the common language
    – Map the requirements and integrate them in the control plan
    – Gap analysis: perform the gap analysis against the new regulation's requirements, confirm it with operational contacts, update the control plan
    – Remediation plan: define the program streams and approach, then manage the program streams
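The cross-walk described on this slide (one control plan in a common language, each new regulation's requirements mapped onto it, then a gap analysis) is the kind of structure a GRC tool holds. The following is an added example written for this page, not code from the Beijaflore whitepaper or from any GRC product: it keeps a small control plan, attaches requirements from two regulations to the controls that satisfy them, reports controls shared across regulations (the overlap a single program exploits) and lists the gaps below a target maturity level. The regulation labels "REG-A" and "REG-B", the requirement identifiers and the maturity scores are constructed placeholders and quote no real regulation.

```python
"""Cross-walk of regulatory requirements onto one common control plan, with gap analysis.

Added example, not part of the Beijaflore whitepaper. The control identifiers,
requirement identifiers ("REG-A", "REG-B", "art-32", ...) and maturity scores are
constructed for illustration and do not quote any real regulation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Whitepaper maturity scale: 1 Heroic .. 5 Optimized
MATURITY = {1: "Heroic", 2: "Repeatable", 3: "Defined", 4: "Controlled", 5: "Optimized"}
DEFINED = 3


@dataclass
class Control:
    """One line of the reference matrix / control plan, written in the common language."""
    control_id: str
    description: str
    maturity: int = 1
    requirements: Set[str] = field(default_factory=set)  # entries look like "REGULATION:req-id"


class ControlPlan:
    def __init__(self) -> None:
        self.controls: Dict[str, Control] = {}

    def add_control(self, control_id: str, description: str, maturity: int = 1) -> None:
        if maturity not in MATURITY:
            raise ValueError(f"maturity must be 1..5, got {maturity}")
        self.controls[control_id] = Control(control_id, description, maturity)

    def map_requirement(self, regulation: str, req_id: str, control_ids: List[str]) -> None:
        """Translate one regulatory requirement into the common language by attaching it to
        the controls that satisfy it. A requirement that maps to no known control is rejected
        loudly: that is exactly the case where the control plan itself must be extended."""
        unknown = [c for c in control_ids if c not in self.controls]
        if unknown:
            raise KeyError(f"{regulation} {req_id}: no common control for {unknown}")
        for c in control_ids:
            self.controls[c].requirements.add(f"{regulation}:{req_id}")

    def controls_for(self, regulation: str) -> List[Control]:
        prefix = regulation + ":"
        return sorted(
            (c for c in self.controls.values() if any(r.startswith(prefix) for r in c.requirements)),
            key=lambda c: c.control_id,
        )

    def gap_analysis(self, regulation: str, target: int = DEFINED) -> List[Tuple[str, int, int]]:
        """Controls the regulation relies on that sit below the target level: (id, current, target)."""
        return [(c.control_id, c.maturity, target)
                for c in self.controls_for(regulation) if c.maturity < target]

    def shared_controls(self) -> Dict[str, Set[str]]:
        """Controls serving two or more regulations: assess them once, not once per regulation."""
        shared: Dict[str, Set[str]] = {}
        for c in self.controls.values():
            regs = {r.split(":", 1)[0] for r in c.requirements}
            if len(regs) >= 2:
                shared[c.control_id] = regs
        return shared

    def status_report(self) -> Dict[str, str]:
        """Program status follow-up: current maturity label per control."""
        return {cid: MATURITY[c.maturity] for cid, c in sorted(self.controls.items())}


def build_sample_plan() -> ControlPlan:
    """Constructed sample: a plan already mapped to REG-A, then a new regulation REG-B arrives."""
    plan = ControlPlan()
    plan.add_control("AC-01", "Access rights granted per role and reviewed periodically", maturity=2)
    plan.add_control("LOG-01", "Security events logged, protected and retained", maturity=3)
    plan.add_control("IR-01", "Incidents notified to the authority within the regulatory deadline", maturity=1)
    plan.add_control("CRY-01", "Regulated data encrypted at rest and in transit", maturity=4)
    plan.map_requirement("REG-A", "art-32", ["CRY-01", "AC-01"])
    plan.map_requirement("REG-A", "art-33", ["IR-01"])
    # New regulation: three requirements, two of which land on controls REG-A already needs
    plan.map_requirement("REG-B", "7.1", ["AC-01"])
    plan.map_requirement("REG-B", "10.2", ["LOG-01"])
    plan.map_requirement("REG-B", "3.4", ["CRY-01"])
    return plan


if __name__ == "__main__":
    plan = build_sample_plan()
    print("Gaps for REG-B (target Defined):", plan.gap_analysis("REG-B"))
    print("Controls shared across regulations:", plan.shared_controls())
    print("Status:", plan.status_report())
```

Raising the target in `gap_analysis` from DEFINED to CONTROLLED reproduces the later prioritization steps of the paper without changing the mapping; and because `map_requirement` refuses unknown controls, a new regulation that cannot be expressed in the common language surfaces as an error instead of a silently incomplete control plan.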
  • 15. 4 THE EVOLVING SCOPE OF APPLICABILITY
  • 16. MANAGE THE EVOLVING SCOPE OF APPLICABILITY
    – Define a detailed scope of applicability with clear and shared criteria: what are the compliance requirements? Which criteria will I use? What assets are considered/impacted? Which departments/entities are concerned?
    – Isolate the scope of applicability as much as possible
    – Start negotiating new requirements with third parties as soon as possible to meet deadlines: who are my suppliers/contractors/third parties? What demands should be required of them?
    – Integrate compliance requirements in change management (build and evolution process): what are the different projects/initiatives in the organization? On which IT or business assets?
  • 17. 5 COMPLIANCE PROGRAMS PRIORITIZATION
  • 18. DRIVE THE COMPLIANCE PROGRAMS PLANNING THROUGH MATURITY LEVELS AND ITERATIVE IMPLEMENTATION OF EACH PROJECT
    (Figure: each initiative is rolled out along two axes, organizational scope and technical assets, in three iterations: Prototype, Expansion, Finalization)
    – Assess the maturity of your organization's processes on 5 maturity levels: 5 Optimized, 4 Controlled, 3 Defined, 2 Repeatable, 1 Heroic
    – Use a 3-step iterative implementation for each initiative, based on: the requirements; the organizational scope (start with a compliance-mature entity); the technical assets (start with "easy" assets to quickly show results)
    Prioritization through 3 steps:
    1. Sections with short-term deadlines, plus raising low-maturity sections up to DEFINED
    2. Reaching the CONTROLLED level on all processes
    3. Optimized compliance
  • 19. 6 COMPLIANCE MONITORING AND CONTROL
  • 20. MONITOR NON-COMPLIANCE TO PEACEFULLY PRIORITIZE ACTIONS
    (Figure: risk matrix plotting each requirement by its level of non-compliance, low to high, against the ease of implementing the remediation, low to high)
    Monitor non-compliance:
    – Maturity level per requirement/section
    – Number of points of conformity
    – Risk matrix (non-compliance risk vs. ease of implementing actions)
    – Act quickly on the easy-to-implement / high-impact-on-compliance items
    Use one global referential to ease internal change management, global arbitration and reporting.
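The risk matrix on this slide and the three-step prioritization of slide 18 (short-term deadlines and low-maturity sections up to DEFINED, then CONTROLLED everywhere, then Optimized) are both decisions over the same per-section data: current maturity level, ease of implementation, regulatory deadline. The following added example, written for this page and not taken from the whitepaper, computes both from that data: the quadrant of each section in the matrix, the "act quickly" list, the sections that need a formal non-compliance acceptance decision, and the wave plan. The quadrant thresholds (a gap of two or more levels counts as high non-compliance, ease of 3 or more as easy), the 90-day horizon for "short-term", the assumption that a deadline-driven section must reach CONTROLLED in wave 1, and the sample sections are all assumptions made for illustration.

```python
"""Prioritizing compliance actions with the whitepaper's two instruments: the
non-compliance vs. ease-of-implementation matrix (slide 20) and the three
maturity-driven waves (slide 18).

Added example, not from the Beijaflore whitepaper. The quadrant thresholds, the
90-day horizon and the sample sections below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

HEROIC, REPEATABLE, DEFINED, CONTROLLED, OPTIMIZED = 1, 2, 3, 4, 5


@dataclass(frozen=True)
class Section:
    """One requirement section of the global referential."""
    name: str
    maturity: int                     # current level, 1 Heroic .. 5 Optimized
    ease: int                         # ease of implementation, 1 hard .. 5 easy (assumed scale)
    deadline: Optional[date] = None   # regulatory deadline, if any


def gap(section: Section, target: int) -> int:
    """Levels still to climb to reach the target: the non-compliance axis of the matrix."""
    return max(0, target - section.maturity)


def quadrant(section: Section, target: int = CONTROLLED) -> str:
    """Place a section in the risk matrix. Thresholds are assumptions: a gap of two
    levels or more counts as high non-compliance, ease >= 3 as easy to implement."""
    high_impact = gap(section, target) >= 2
    easy = section.ease >= 3
    if high_impact and easy:
        return "quick win"
    if high_impact:
        return "major project"
    if easy:
        return "fill-in"
    return "defer"


def quick_wins(sections: List[Section], target: int = CONTROLLED) -> List[Section]:
    """The 'act quickly' cell: easy and high impact, biggest gap first."""
    wins = [s for s in sections if quadrant(s, target) == "quick win"]
    return sorted(wins, key=lambda s: (-gap(s, target), -s.ease, s.name))


def risk_acceptance_candidates(sections: List[Section], target: int = CONTROLLED) -> List[Section]:
    """Non-compliant, hard to fix and not deadline-driven: the items that need a formal
    risk evaluation and possibly a documented non-compliance acceptance, rather than
    silently staying on the backlog."""
    return [s for s in sections
            if quadrant(s, target) == "defer" and gap(s, target) > 0 and s.deadline is None]


def plan_waves(sections: List[Section], today: date, horizon_days: int = 90) -> List[Tuple[int, str, int]]:
    """Three waves as (wave, section name, target level):
    wave 1: sections with a deadline inside the horizon (assumed to need CONTROLLED so
            compliance can be demonstrated), plus every section below DEFINED raised to DEFINED;
    wave 2: every section still below CONTROLLED raised to CONTROLLED;
    wave 3: everything raised to OPTIMIZED."""
    horizon = today + timedelta(days=horizon_days)
    level = {s.name: s.maturity for s in sections}   # level expected after the previous wave
    plan: List[Tuple[int, str, int]] = []
    urgent = [s for s in sections if s.deadline is not None and s.deadline <= horizon]
    for s in sorted(urgent, key=lambda s: s.deadline):
        if level[s.name] < CONTROLLED:
            plan.append((1, s.name, CONTROLLED))
            level[s.name] = CONTROLLED
    for s in sections:
        if level[s.name] < DEFINED:
            plan.append((1, s.name, DEFINED))
            level[s.name] = DEFINED
    for s in sections:
        if level[s.name] < CONTROLLED:
            plan.append((2, s.name, CONTROLLED))
            level[s.name] = CONTROLLED
    for s in sections:
        if level[s.name] < OPTIMIZED:
            plan.append((3, s.name, OPTIMIZED))
    return plan


def sample_sections() -> List[Section]:
    """Constructed sample data; names, scores and dates are illustrative only."""
    return [
        Section("Access reviews", HEROIC, ease=4, deadline=date(2018, 5, 25)),
        Section("Security logging", REPEATABLE, ease=4),
        Section("Encryption at rest", CONTROLLED, ease=2),
        Section("Breach notification", DEFINED, ease=1),
        Section("Vendor contract clauses", REPEATABLE, ease=1, deadline=date(2019, 1, 1)),
    ]


if __name__ == "__main__":
    sections = sample_sections()
    for s in sections:
        print(f"{s.name:<25} {quadrant(s)}")
    print("Quick wins:", [s.name for s in quick_wins(sections)])
    print("Risk acceptance decisions needed:", [s.name for s in risk_acceptance_candidates(sections)])
    for wave, name, target in plan_waves(sections, today=date(2018, 3, 1)):
        print(f"wave {wave}: {name} -> level {target}")
```

Keeping a section's wave-1 outcome in `level` before computing wave 2 is what makes the plan consistent with the slide: a deadline-driven section that already reached CONTROLLED in wave 1 is not scheduled again in wave 2, while a section merely raised to DEFINED still is.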
  • 21. PREPARE COMPLIANCE SELF-ASSESSMENT TOOLS AND THE CAPABILITY TO DEMONSTRATE COMPLIANCE TO THE AUTHORITY
    Assurance levels: 1. Declarative statement; 2. Controlled statement; 3. Automatic tool; 4. Certified automatic tool
    – Define assurance maturity levels for self-assessment, and promote automated assessment throughout your organization
    – Prepare compliance self-assessment tools (dashboards, questionnaires, spreadsheets, forms, etc.)
    – Identify the means and capability to demonstrate compliance to external/internal authorities
    – Prepare and maintain the list of compliance evidence for authorities
    – Define the process for compliance certification to the authority, when applicable
    – Work with internal audit teams when possible/applicable
    Self-assessment allows steering of initiatives and quick decision making.
  • 22. CONTACTS
    Publication Director, NYC office: Maxime de JABRUN, Global Executive Vice President, mdejabrun410@beijaflore.com, +33 6 64 65 28 39 (CISSP, ISO 27001 Lead Auditor, Lean 6 Sigma Black Belt)
    Boris MALLET, Cyber Risk & Security Manager, bmallet201@beijaflore.com, +1.646.790.5726