IT compliance


IT COMPLIANCE

Group 8: Phan Dinh Vuong, Vuong Tat Khang
Instructor: Prof. Dr. Martin Knahl

Compliance means?

To obey or follow the laws, rules, demands, etc.

Big Deal

Source: hotdeal.vn 18/08/2013

Question mark

Question 1: Can we export this successful model of “HOTDEAL” Service to Germany?

Question 2: If the “Hotdeal” service were at the highest level of IT security (data protection, encryption, etc.), would that be sufficient to export it to Germany?

Question mark

1. Why IT Compliance
2. What is IT Compliance
3. Frameworks, standards, practices
4. How to assess IT Compliance
5. Cost framework of IT Compliance
6. Compliance vs. Non-Compliance
7. Practical results from market research

Main Points

ENRON Scandal 2001

THE BIG FOUR, ONCE THE BIG FIVE

Source: http://www.articula.us/blog/wp-content/uploads/2012/07/Big4Logos.jpg
http://cdn.list25.com/wp-content/uploads/2013/01/Slide79.jpg
http://static1.businessinsider.com/image/4ae49adf0000000000a1ac51-1200/enron-broadband.jpg

BIG FOUR’S SECURITY SURVEY (IN 2006)

Source: Ernst & Young. 2006 Global Information Security Survey. Technical report, 2006. Available at http://www.ey.com/global/assets.nsf/International/TSRS_-_GISS_2006/$file/EY_GISS2006.pdf.

Trend 4: The impact of compliance continues to grow.

Trend 5: Compliance is promoting teaming between information security and other functional business groups.

Trend 6: Compliance is improving information security.

- Laws, rules and regulations (may be industry specific) - considered mandatory. Examples: National Data Protection Acts, Informatics and Liberty Law, Financial Security Law, SOX, EuroSOX, Basel II, HIPAA.

- Standards, frameworks and security practices - an optimization perspective. Examples: ISO 9000, ISO 13335, ISO 17799:2005, ISO 2700x, COBIT, COSO, etc.

Source: http://www.j4vv4d.com/wp-content/uploads/2011/10/secVcomp.jpg
http://www.redspin.com/blog/wp-content/uploads//2011/05/SECvsCOMP.png

Compliance: focus on validating that the rules are followed; static and slow to be updated.

Security: focus on protection; dynamic.

IT Compliance types

Regulation Compliance • E.g. working hours 9 am – 5 pm, VAT 10%

Legal (Law) Compliance • E.g. killing people is against the law

Industry-specific Compliance • Food and pharmacy industry law suites

IT Compliance frameworks, standards, practices

SOX • Enhanced standards to certify the accuracy of financial information

COSO • Critical aspects of management and governance: risk management, fraud, etc.

COBIT • Best-practice framework for IT management and IT governance

ISO 9000, ISO 2700x, etc.

Typical Information Security Compliance Assessment

Source: Tashi, Igli. (2009). Regulatory Compliance and Information Security. IEEE.

INTER-RELATIONSHIP

• Regulatory penalties.

• Brand damages.

• Loss of customer’s trust.

Source: http://learnatvivid.files.wordpress.com/2012/07/non_compliance_costs.jpg

Findings from market research
- Independent research on privacy, data protection and information security policy - benchmark study 2011.
- 46 multinational companies
- 160 functional leaders (CFO, CIO, etc.)

IT Compliance Cost Framework

Source: Ponemon Institute| Benchmark Study | January 2011

Cost comparison

Compliance cost vs. non-compliance cost?


WHAT AFFECTS COST OF COMPLIANCE & NON-COMPLIANCE?

• Industry and organizational size

• Laws and regulations are the main drivers for investment

COMPLIANCE & NON-COMPLIANCE SUPPORT

• An effective security strategy lowers the cost of non-compliance.

• Ongoing internal compliance audits reduce the total cost of compliance.

GAP BETWEEN COMPLIANCE & NON-COMPLIANCE COST

• Related to the number of records lost or stolen in data breaches (i.e. the laws were broken or compromised)

10 EFFECTIVENESS ATTRIBUTES

1. Appoint a high-level individual to lead compliance

2. Ensure oversight of compliance activities

3. Budget to meet goals and objectives

4. Cross-functional committee to oversee local requirements

5. Implement metrics

6. Senior executives receive critical reports at crisis level

7. Reduce business risk and threats from change

8. Keep pace between a changing workforce and security

9. Secure the business during the transition

10. Prevent attacks on critical resources, information and infrastructure

Summary
1. Why IT Compliance
2. What is IT Compliance
3. Frameworks, standards, practices
4. How to assess IT Compliance
5. Cost framework of IT Compliance
6. Compliance vs. Non-Compliance
7. Practical results from market research

Q&A

THANK YOU!

REFERENCES

• Tashi, Igli. (2009). Regulatory Compliance and Information Security. IEEE.

• Ponemon Institute (2011). The True Cost of Compliance. Benchmark Study of Multinational Organizations.

• Big Four’s Security Survey: Ernst & Young. Global Information Security Survey, Technical report, 2006.
