
Compliance vs Continuous improvement

Published in: Technology, Business

  1. Compliance vs Continuous Improvement. Vicente Aceituno, October 2012
  2. Semmelweis
  3. Semmelweis
  4. Compliance / Continuous Improvement / Security Objectives
  5. Compliance Advantages: Represents best practices.
  6. Compliance Advantages: Easy to justify ("It is what you are supposed to do").
  7. Compliance Disadvantages: One size fits all: it doesn't always meet the changing needs of the business.
  8. Compliance Disadvantages: The use of resources might be higher than necessary.
  9. Compliance Disadvantages: Slow improvement cycle: between audits, and between updates of the standard.
  10. Continuous Improvement Disadvantages: It is difficult to turn business needs into security requirements using traditional concepts. ...but that doesn't stop you from implementing compliance.
  11. Continuous Improvement Disadvantages: It is difficult to turn business needs into security requirements using traditional concepts. ...but that doesn't stop you from implementing compliance. ...and that is why compliance is so popular.
  12. Compliance Disadvantages: It is a brake on innovation.
  13. Compliance. For compliance you need: a gap analysis between what you do and what the standard says, and an action plan to fill the gaps. Incidents are seen as a failure, but management is not to blame: "We are compliant!" Improvement comes through better compliance.
  14. Compliance / Continuous Improvement / Security Objectives
  15. Continuous Improvement Advantages: You can still use best practices.
  16. Continuous Improvement Advantages: It meets the changing needs of the business.
  17. Continuous Improvement Advantages: It uses an appropriate amount of resources.
  18. Continuous Improvement Advantages: Fast improvement cycle: between follow-up reports.
  19. Continuous Improvement Disadvantages: It is difficult to turn business needs into security requirements using traditional concepts. ...but there is a solution: O-ISM3 Security Objectives.
  20. Continuous Improvement Disadvantages: It requires a high level of maturity, including the use of metrics. ...but there is a solution: O-ISM3 Metrics.
  21. Continuous Improvement. For continuous improvement you need: a thorough understanding of the security needs of the organization, and a high level of maturity to deliver on those needs. Incidents are an opportunity for improvement. Management is to blame if improvements are not introduced. Improvement comes through meeting the needs better or with fewer resources.
  22. Compliance / Continuous Improvement / Security Objectives
  23. Access Control: Use of services and physical and logical access to repositories and systems is restricted to authorized users.
  24. Access Control: Secrets (industrial, trade) are accessible to authorized users only.
  25. Access Control: Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required.
  26. Access Control: Intellectual property (licensed, copyrighted, patented and trademarked) is accessible to authorized users only. Third-party services and repositories are appropriately licensed and accessible only to authorized users.
  27. Access Control: Users are accountable for the repositories and messages they create or modify. Users are accountable for their acceptance of contracts and agreements. Users are accountable for their use of services.
  28. Access Control: Accurate time and date is reflected in all records.
  29. Priority Objectives: Availability of repositories, services and channels exceeds customer needs. Reliability and performance of services and channels exceed customer needs. Volatility of services and channels is within customer needs.
  30. Durability Objectives: Repositories are retained at least as long as customer requirements. Expired or end-of-life-cycle repositories are permanently destroyed.
  31. Quality Objectives: Precision, relevance (up-to-date), completeness and consistency of repositories exceed customer needs.
  32. Technical Objectives: Keep systems free of weaknesses. Keep systems that need to be visible from untrusted systems as little visible as possible. Have systems run trusted services only. Keep electricity, temperature and humidity within controlled limits. Press Any Key to Continue.
  33. Information Security that makes Business Sense. O-ISM3: inovement.es/oism3. Web: www.inovement.es. Video Blog: youtube.com/user/vaceituno. Blog: ism3.com. Twitter: twitter.com/vaceituno. Presentations: slideshare.net/vaceituno/presentations. Articles: slideshare.net/vaceituno/documents.
