5. Question 2: If the "Hotdeal" service is at the highest level of IT security (data protection, encryption, etc.), would that be sufficient to export it to Germany?
6. Main Points
1. Why IT Compliance.
2. What is IT Compliance.
3. Frameworks, standards, practices.
4. How to assess IT Compliance.
5. Cost framework of IT Compliance.
6. Compliance vs. Non-Compliance.
7. Practical results from market research.
8. THE BIG FOUR ... ONCE WAS THE BIG FIVE
Sources:
http://www.articula.us/blog/wp-content/uploads/2012/07/Big4Logos.jpg
http://cdn.list25.com/wp-content/uploads/2013/01/Slide79.jpg
http://static1.businessinsider.com/image/4ae49adf0000000000a1ac51-1200/enron-broadband.jpg
9. BIG FOUR'S SECURITY SURVEY (IN 2006)
Source: Ernst & Young. 2006 Global Information Security Survey. Technical report, 2006. Available at
http://www.ey.com/global/assets.nsf/International/TSRS_-_GISS_2006/$file/EY_GISS2006.pdf.
Trend 4: The impact of compliance continues to grow.
Trend 5: Compliance is promoting teaming between information security and other functional business groups.
Trend 6: Compliance is improving information security.
10. - Laws, rules and regulations (could be industry specific)
  - Considered mandatory
  - Examples: National Data Protection Acts, Informatics and Liberty Law, Financial Security Law, SOX, EUROSoX, Basel II, HIPAA.
- Standards, frameworks and security practices
  - Optimization perspective
  - Examples: ISO 9000, ISO 13335, ISO 17799:2005, ISO 2700x, COBIT, COSO, etc.
12. IT Compliance types
Regulation Compliance
• E.g. working hours 9 am – 5 pm, VAT 10%
Legal (Law) Compliance
• E.g. killing people is against the law
Industry-specific Compliance
• E.g. lawsuits under food and pharmacy industry law
13. IT Compliance frameworks, standards, practices
SOX
• Enhanced standards that certify the accuracy of financial information
COSO
• Critical aspects of management and governance: risk management, fraud, etc.
COBIT
• Best-practice framework for IT management and IT governance
ISO 9000, ISO 2700x, etc.
14. Typical Information Security Compliance Assessment
Source: Tashi, Igli. (2009). Regulatory Compliance and Information Security.
16. • Regulatory penalties.
• Brand damages.
• Loss of customer’s trust.
Source: http://learnatvivid.files.wordpress.com/2012/07/non_compliance_costs.jpg
17. Findings from Market Research
- Conducts independent research on privacy, data protection and information security policy
- Benchmark study 2011
- 46 multinational companies, 160 functional leaders (CFO, CIO, etc.)
22. WHAT AFFECTS THE COST OF COMPLIANCE & NON-COMPLIANCE?
• Industry & organizational size
• Laws & regulations are the main drivers for investment
23. COMPLIANCE & NON-COMPLIANCE SUPPORT
• An effective security strategy lowers the cost of non-compliance.
• On-going internal compliance audits reduce the total cost of compliance.
24. GAP BETWEEN COMPLIANCE & NON-COMPLIANCE COST
• Related to the number of records lost or stolen in data breaches (breaking/compromising the laws)
25. 10 EFFECTIVENESS ATTRIBUTES
1. Appoint a high-level individual to lead compliance.
2. Ensure oversight of compliance activities.
3. Budget to meet goals and objectives.
4. A cross-functional committee oversees local requirements.
5. Implement metrics.
6. Senior executives receive critical reports at crisis level.
7. Reduce business risk and the threats that come with change.
8. Keep pace between a changing workforce and security.
26. Summary
1. Why IT Compliance.
2. What is IT Compliance.
3. Frameworks, standards, practices.
4. How to assess IT Compliance.
5. Cost framework of IT Compliance.
6. Compliance vs. Non-Compliance.
7. Practical results from market research.
29. REFERENCES
• Tashi, Igli. (2009). Regulatory Compliance and Information Security. IEEE.
• Ponemon Institute (2011). The True Cost of Compliance: Benchmark Study of Multinational Organizations.
• Big Four's Security Survey: Ernst & Young. Global Information Security Survey. Technical report, 2006.
Editor's notes
A successful e-commerce web site in Vietnam. It provides discounts and hot deals on different goods and services.
Four biggest audit firms. The need to generate new legislation to prevent, detect and correct such aberrations appears. Compliance is the best way to inspire trust in an organization's stakeholders or governmental agencies, and it is required for an organization to remain legal.
Compliance: the Vietnamese rule is to wear a helmet when riding a motorbike. Security: wearing a strong helmet plus a jacket, etc.
Regulations: working hours 9 am – 5 pm, VAT 10%. Laws: killing people is against the law. Industry-specific: lawsuits under food and pharmacy industry law.
Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Committee of Sponsoring Organizations (COSO): provides thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. Sarbanes–Oxley Act (SOX): enhanced standards for all U.S. public company boards, management and public accounting firms; individuals certify the accuracy of financial information; increases the independence of outside auditors.
NIST: National Institute of Standards and Technology.
Compliance policies: activities for the creation and dissemination of policies, and for the protection of confidential or sensitive information such as customer data, employee records, financial information, intellectual property and others. Direct cost: the direct expense outlay to accomplish a given activity. Indirect cost: the amount of time, effort and other organizational resources spent, but not as a direct cash outlay. Opportunity cost: the cost resulting from lost business opportunities as a result of compliance infractions that diminish the organization's reputation and goodwill.