Compliance vs Continuous improvement

Published in: Technology, Business
  • Improvement: Remove faults before they produce incidents. Feedback on the result of changes. Remove bottlenecks that hamper performance. Finding points of diminishing return: making tradeoffs. Manage what you control (different measurement, different action). Concentrate on making changes that improve the contribution to Business Goals and Obligations, or reduce the use of resources. Detect significant anomalies in processes and inform decisions to fix or improve processes. Use Risk Assessment and Audits as long as they help Continuous Improvement. Improvements in the metric meaningfully enhance the contribution of the process towards the goals of the management system.
  • Who are the users of the system? Do they need to be specifically authorized? From whom do we want to protect the system's information? Will any part of the system be located in publicly accessible locations? Will the system handle personal information of clients, potential clients, stockholders or employees? What are the different locations subject to diverse regulations in terms of handling of personal information and data breach disclosure where parts of the system will be located? Will the system use licensed information from third parties? What are the different locations subject to diverse regulations in terms of licensed information where parts of the system will be located? Will the system handle intellectual property? What are the different locations subject to diverse regulations in terms of intellectual property where parts of the system will be located? These questions help understand the inventory, DRM, watermarking, obfuscation and compliance needs.
  • When should the system be performing normally (e.g. 8x5)? How many interruptions are acceptable? What would be the longest acceptable interruption? What is the maximum amount of transactions that can be lost because of an interruption? These questions help understand the data and system backup, high availability and business continuity needs. For how long will the system's data be archived? If the data needs to be deleted, when should this happen? These questions help understand the long-term archival and safe deletion needs. What is the maximum acceptable percentage of records with wrong information? What is the maximum percentage of records that can be missing? These questions help understand the data quality control needs.
  • Expired information is one problem; metadata is another.

    1. Compliance vs Continuous Improvement. Vicente Aceituno, October 2012
    2. Semmelweis
    3. Semmelweis
    4. Compliance / Continuous Improvement / Security Objectives
    5. Compliance Advantages: • Represents Best Practices.
    6. Compliance Advantages: • Easy to justify: «It is what you are supposed to do».
    7. Compliance Disadvantages: • One size fits all: it doesn't always meet the changing needs of the business.
    8. Compliance Disadvantages: • The use of resources might be higher than necessary.
    9. Compliance Disadvantages: • Slow improvement cycle: • Between Audits. • Between updates of the Standard.
    10. Continuous Improvement Disadvantages: • It is difficult to turn business needs into security requirements using traditional concepts. • …but that doesn't stop you from implementing compliance.
    11. Continuous Improvement Disadvantages: • It is difficult to turn business needs into security requirements using traditional concepts. • …but that doesn't stop you from implementing compliance. • …and that is why compliance is so popular.
    12. Compliance Disadvantages: • It is a brake on innovation.
    13. Compliance: • For compliance you need: • Perform a Gap Analysis between what you do and what the standard says. • An action plan to fill the gaps. • Incidents are seen as a failure… but management is not to blame… We are compliant! • Improvement comes through better compliance.
    14. Compliance / Continuous Improvement / Security Objectives
    15. Continuous Improvement Advantages: • You can still use Best Practices.
    16. Continuous Improvement Advantages: • It meets the changing needs of the business.
    17. Continuous Improvement Advantages: • It uses an appropriate amount of resources.
    18. Continuous Improvement Advantages: • Fast improvement cycle: • Between Follow-up reports.
    19. Continuous Improvement Disadvantages: • It is difficult to turn business needs into security requirements using traditional concepts. • …but there is a solution: O-ISM3 Security Objectives.
    20. Continuous Improvement Disadvantages: • It requires a high level of maturity, including the use of metrics. • …but there is a solution: O-ISM3 Metrics.
    21. Continuous Improvement: • For continuous improvement you need: • A thorough understanding of the security needs of the organization. • A high level of maturity to deliver those needs. • Incidents are an opportunity for improvement. Management is to blame if improvements are not introduced. • Improvement comes through meeting the needs better or with fewer resources.
    22. Compliance / Continuous Improvement / Security Objectives
    23. Access Control: • Use of services and physical and logical access to repositories and systems is restricted to authorized users.
    24. Access Control: • Secrets (industrial, trade) are accessible to authorized users only.
    25. Access Control: • Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required.
    26. Access Control: • Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only. • Third-party services and repositories are appropriately licensed and accessible only to authorized users.
    27. Access Control: • Users are accountable for the repositories and messages they create or modify. • Users are accountable for their acceptance of contracts and agreements. • Users are accountable for their use of services.
    28. Access Control: • Accurate time and date is reflected in all records.
    29. Priority Objectives: • Availability of repositories, services and channels exceeds Customer needs. • Reliability and performance of services and channels exceeds Customer needs. • Volatility of services and channels is within Customer needs.
    30. Durability Objectives: • Repositories are retained at least as long as Customer requirements. • Expired or end-of-life-cycle repositories are permanently destroyed.
    31. Quality Objectives: • Precision, relevance (up-to-date), completeness and consistency of repositories exceeds Customer needs.
    32. Technical Objectives: • Keep systems free of weaknesses. • Keep systems that need to be visible from untrusted systems as little visible as possible. • Have systems run trusted services only. • Keep electricity, temperature and humidity within controlled limits.
    33. Information Security that makes Business Sense: inovement.es/oism3. Web: www.inovement.es; Video Blog: youtube.com/user/vaceituno; Blog: ism3.com; Twitter: twitter.com/vaceituno; Presentations: slideshare.net/vaceituno/presentations; Articles: slideshare.net/vaceituno/documents
