Business Compliance Obligations



  1. Compliance. Foundations of Information Security Series. Vicente Aceituno, @vaceituno. (c) Inovement Europe 2014
  2. Vicente Aceituno. Skype: vaceituno. Linkedin, Inovement Europe, Video Blog, Blog, Twitter, Presentations, Articles
  3. Foundations of Information Security Series
     - Needs: Secrecy; Intellectual Property you Own; Intellectual Property you Use; Privacy; Availability; Retention; Expiration; Quality
     - Obligations: Technical; Compliance; Legal
  4. What is Information Security?
     - "Information Security" is an emergent property of people using information.
     - People have expectations about information.
     - If there are no people or no information, "Information Security" is meaningless, as there are no expectations to meet.
  5. What is Information Security?
     - When expectations about information are met, there is "Security".
     - When expectations about information are not met, there is an "Incident".
  6. What is Information Security?
     - Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
     - Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
  7. Compliance Obligations
  8. Compliance
     - Organizations are expected to meet legal, standard, and contractual requirements.
  9. Compliance
     - Whether these expectations are met depends on the observer.
     - Compliance expectations can be determined by reading the relevant laws, standards and contracts very carefully.
     - Examples of requirements: tax records must be kept for a minimum number of years; encryption must be used within legal limitations; secrets must be kept according to the terms of agreed Non-Disclosure Agreements.
  10. Compliance-related incidents
     - When any requirement of the law, standard or contract is not satisfied.
     - When any requirement of the law, standard or contract is satisfied, but not in the opinion of an auditor.
  11. Achieving Compliance
     - Compliance is normally achieved by undertaking compliance projects.
     - The related O-ISM3 process is OSP-21: Information Quality and Compliance Assessment.
  12. Compliance Obligations
  13. The O-ISM3 Challenge
     - This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
     - Check the exercise in full at
     - A summary of conclusions from the exercise, in relation to Compliance, follows.
  14. Business Needs: Secrecy, Intellectual Property, Privacy. Business Obligations: Compliance.
  15. Security and Compliance
     - Security and Compliance are not equivalent.
     - Compliance and Security are not synonymous.
     - Compliance is not useful to understand Security.
  16. Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at:
     Learn Advanced Information Security Management by joining us at an O-ISM3 Course: