Integrated Compliance Framework
Dave Barnett, CISSP, CISM, CSDP, CSSLP
Dave.Barnett@computer.org

Slide 2: Some Compliance Requirements…
• Sarbanes-Oxley: financial reporting accuracy
• Health Insurance Portability & Accountability Act (HIPAA): medical information for employee benefits
• Privacy: European Union Data Protection Directive; Canada; Japan; California Senate Bill 1386 (plus 25 other states)
• FDA 21 CFR Part 11 and Good Manufacturing Practice (GMP)

Slide 3: Some Compliance Requirements, continued…
• Federal Trade Commission: consumer protection
• Credit card regulations: Payment Card Industry (PCI), required by VISA CISP, MasterCard SDP, and the Amex Data Security Requirement
• Trade compliance: Customs-Trade Partnership Against Terrorism (C-TPAT); export of materials and technology to restricted companies
• Environmental Health and Safety (EH&S): hazardous materials handling and transportation; DEA; OSHA

Slide 4: Some Compliance Requirements, continued…
• Litigation: eDiscovery
• Intellectual Property (IP): patents and patent infringement litigation
• Certifications: ISO 9001; ISO 17799 / ISO 27001; BS 15000 / ISO 20000

Slide 5: Legal Strategy for Compliance
• Emerging legal standard for security*
• T.J. Hooper case, 60 F.2d 737 (2d Cir. 1932)**
  In 1928, the tug boat T.J. Hooper sank in a storm. The cargo owners sued, saying the tugboat captain should have known a storm was coming. The tug owner said the only way to know was to have a radio on board, which was not common practice and was not required by any law. However, the judge agreed with the cargo owners – the tug owners should have had a radio on board, even though it was not required. The lack of a radio made the tug unseaworthy.
* See http://www.bakerinfo.com/ecommerce/newlawis.pdf and http://www.bakerinfo.com/ecommerce/ISLEGAL.PDF
** From Tom Smedinghoff, Baker & McKenzie, at RSA 2006 presentation LAW-104

Slide 6: Compliance Strategy*
• Identify the assets to be protected
• Conduct a risk assessment (see http://en.wikipedia.org/wiki/United_States_v._Carroll_Towing_Co.)
• Develop and implement a security program
  • That is responsive to the risk assessment
  • Must be in writing
  • Reasonable, appropriate, suitable, necessary, adequate
• Address third parties
  • Contractors, customers, suppliers, business partners, and providers of outsourced services
  • Due diligence, contractual obligation, monitoring and auditing
• Continually monitor, reassess, and adjust the program
* From Tom Smedinghoff, Baker & McKenzie, at RSA 2006 presentation LAW-104

Slide 7: How do we handle all of these compliance requirements?
• There is considerable overlap (~80%) among all security- and privacy-related compliance requirements
• These and other requirements typically need documented and implemented good processes: “Say what you do, do what you say”
• Follow the compliance strategy
  • Identify information assets to be protected
  • Follow a risk management process, for example NIST SP 800-30: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Slide 8: Create Defensible Position
• Following industry standards is a good start
  • Provides a defensible position against regulation and litigation
  • Best practices are beneficial and defensible
• Recent revisions of standards include risk management
  • COSO ERM (COSO + Risk Management)
  • CobiT 4.0
  • ISO 17799:2005

Slide 9: Good Practice, Good Process
• Adopt current industry standards, but get ahead of the curve where possible
• Document and follow process
• Include risk management as a best practice
• Make sure processes are: effective, efficient, auditable

Slide 10: Integrated Compliance Framework
• Three levels of frameworks, each operating at a different degree of detail and scope, that together provide a set of controls and governance for IT regulatory compliance
• Each level down provides more detail and greater scope
• Level 1: COSO Enterprise Risk Management (ERM)
  • Organization-wide controls
  • Endorsed by the SEC for Sarbanes-Oxley
• Level 2: CobiT® 4.x
  • IT-wide controls relating to COSO ERM (PO9 and DS5.2)
• Level 3: Subject-matter-specific controls and best practices, e.g.
  • ITIL SM (for AI6, DS9, DS10): IT Service Delivery
  • ISO 17799:2005 (for DS5): IT Security
  • ISO 15288:2002 (for AI2, AI3, AI7): System Development Life Cycle
  • PMI PMBOK (for PO10): Project Management
  • Six Sigma (for PO8)

Slide 11: Compliance Standards Harmonization
• ITIL (Information Technology Infrastructure Library)
  • Republished in 2002 as British Standard 15000, IT Service Management
    • Part 1 is specification for certification
    • Part 2 is code of practice
  • Republished in 2005 as ISO 20000, Information Technology Service Management
    • Part 1 is specification for certification
    • Part 2 is code of practice

Slide 12: Compliance Standards Harmonization
• ISO 17799
  • Originally British Standard 7799
    • Part 1 is code of practice
    • Part 2 is specification for certification
  • Satisfies CobiT® DS5 - Ensure Systems Security
  • ISO 17799:2005 is the code of practice
    • Required for BS 15000:2 and ISO 20000:2
  • Part 2 of BS 7799 (specification for certification) republished as ISO 27001:2005
    • Required for BS 15000:1 and ISO 20001:1

Slide 13: Compliance Standards Harmonization
• ISO 9001 Quality Management Systems - Requirements
  • ISO 27001 satisfies ISO 9001 for systems security
  • BS 15000:1, ISO 20000:1, and ISO 20000:2 satisfy ISO 9001 for service management
• CobiT® 4.0 (2005)
  • Harmonized with ITIL, ISO 9001, ISO 17799, and CMM
• Six Sigma
  • ISO 27001, ISO 20000:1, and ISO 20000:2 use PDCA (Deming Cycle), a learning model used in Six Sigma and other quality programs
  • Provides tools for quality management systems
  • Continuous improvement keeps us ahead of the curve and satisfies the monitoring and assessment requirement for legal process.

Slide 14: Level 1: COSO ERM
• Committee of Sponsoring Organizations (COSO) of the Treadway Commission (http://www.coso.org/), “Enterprise Risk Management – Integrated Framework” (http://www.coso.org/Publications/ERM/COSO_ERM.ppt)
• Enterprise risk management is:
  • A process, ongoing and flowing through an organization
  • Effected by people at every level of an organization
  • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
  • Able to provide reasonable assurance to an entity’s management and board of directors

Slide 15: COSO ERM Components
• Eight interrelated COSO components, derived from the way management runs a business
• Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Slide 16: COSO ERM Components
• Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Slide 17: COSO ERM Components
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Slide 18: Level 2: CobiT® 4.x
• Control Objectives for Information and related Technology (CobiT) (http://www.isaca.org/cobit.html)
• Covers all controls within or relevant to the IT organization

Slide 19: Level 2: CobiT® 4.x Plan and Organize (PO)
• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organization and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality (Six Sigma; Standards Process)
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects (PMBOK)

Slide 20: Level 2: CobiT® 4.x Acquire and Implement (AI)
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software* (SDLC)
• AI3 Acquire and Maintain Technology Infrastructure* (SDLC)
• AI4 Enable Operation and Use*
• AI5 Procure IT Resources
• AI6 Manage Changes* (ITIL)
• AI7 Install and Accredit Solutions and Changes (SDLC)

Slide 21: Level 2: CobiT® 4.x Deliver and Support (DS)
• DS1 Define and Manage Service Levels*
• DS2 Manage Third-party Services*
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security* (ISO 17799:2005 / 27001:2005)
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration* (ITIL)
• DS10 Manage Problems* (ITIL)
• DS11 Manage Data*
• DS12 Manage the Physical Environment
• DS13 Manage Operations*

Slide 22: Level 2: CobiT® 4.x Monitor and Evaluate (ME)
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Regulatory Compliance
• ME4 Provide IT Governance

Slide 23: Level 3: ITIL
• ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world (http://www.ogc.gov.uk/). It provides a cohesive set of well-defined best practices, drawn from the public and private sectors internationally. It is supported by a comprehensive qualification scheme, accredited training organizations, and implementation and assessment tools.
• Addresses and extends the CobiT level of the compliance framework:
  • AI6 Manage Changes*
  • DS9 Manage the Configuration*
  • DS10 Manage Problems*
• AKA BS 15000, or ISO 20000

Slide 24: Level 3: ISO 17799
• Guidelines and certification for an IT security program
• “Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”
• Addresses and extends the CobiT level of the compliance framework:
  • DS5 Ensure Systems Security*
• Required for BS 15000 and ISO 20000 security
• AKA BS 7799, or ISO 27001

Slide 25: Level 3: PMBOK
• Project Management Body of Knowledge from PMI: http://www.pmibookstore.org/PMIBookStore/productDetails.aspx?itemID=358&varID=1
• Describes best practices for project management
• Addresses and extends the CobiT level of the compliance framework:
  • PO10 Manage Projects
• IEEE 1490-2003, Adoption of PMI Standard: A Guide to the Project Management Body of Knowledge: http://webstore.ansi.org/ansidocstore/product.asp?sku=IEEE+Std+1490%2D2003

Slide 26: Level 3: System Development Life Cycle
• ISO 15288:2002 is a compendium of standards and best practices for systems and software development life cycle methodologies: http://www.15288.com/
• Addresses and extends the CobiT level of the compliance framework:
  • AI2 Acquire and Maintain Application Software*
  • AI3 Acquire and Maintain Technology Infrastructure*
  • AI7 Install and Accredit Solutions and Changes

Slide 27: Level 3: Six Sigma
• Six Sigma is a disciplined, data-driven approach and methodology for eliminating defects and improving quality: http://www.isixsigma.com/sixsigma/six_sigma.asp
• Addresses the CobiT level of the compliance framework:
  • PO8 Manage Quality

Slide 28: Summary
The Compliance Framework consists of generally accepted industry standards and risk management practices at multiple levels, to meet requirements for a security program in an effective, efficient, and auditable manner.

More Related Content

What's hot

GRC 101 ISACA Bengaluru on 28th Dec 2013
GRC 101 ISACA Bengaluru on 28th Dec 2013GRC 101 ISACA Bengaluru on 28th Dec 2013
GRC 101 ISACA Bengaluru on 28th Dec 2013FixNix Inc.,
 
Risk and Regulatory Change Management - 360factors EUEC 2015 Presentation
Risk and Regulatory Change Management - 360factors EUEC 2015 PresentationRisk and Regulatory Change Management - 360factors EUEC 2015 Presentation
Risk and Regulatory Change Management - 360factors EUEC 2015 Presentation360factors
 
Working in Compliance vs. Working On Compliance
Working in Compliance vs. Working On ComplianceWorking in Compliance vs. Working On Compliance
Working in Compliance vs. Working On Compliance360factors
 
Regulatory Change Management
Regulatory Change ManagementRegulatory Change Management
Regulatory Change Management360factors
 
Case study: Why you need ISO/IEC 20000 to ensure success?
Case study: Why you need ISO/IEC 20000 to ensure success?Case study: Why you need ISO/IEC 20000 to ensure success?
Case study: Why you need ISO/IEC 20000 to ensure success?PECB
 
REGULATORY CHANGE MANAGEMENT (RCM) In Environmental Health and Safety
REGULATORY CHANGE MANAGEMENT  (RCM)   In Environmental Health and SafetyREGULATORY CHANGE MANAGEMENT  (RCM)   In Environmental Health and Safety
REGULATORY CHANGE MANAGEMENT (RCM) In Environmental Health and Safety360factors
 
Enterprise Governance, Risk and Compliance
Enterprise Governance, Risk and ComplianceEnterprise Governance, Risk and Compliance
Enterprise Governance, Risk and ComplianceAxis Technology, LLC
 
The Importance of IT Compliance Management
The Importance of IT Compliance Management The Importance of IT Compliance Management
The Importance of IT Compliance Management 360factors
 
Survey results - Centrally vs Locally managed compliance
Survey results - Centrally vs Locally managed complianceSurvey results - Centrally vs Locally managed compliance
Survey results - Centrally vs Locally managed complianceNimonik
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...PECB
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOXMahesh Patwardhan
 
NQA ISO 22301 Business Continuity Checklist
NQA ISO 22301 Business Continuity ChecklistNQA ISO 22301 Business Continuity Checklist
NQA ISO 22301 Business Continuity ChecklistNQA
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTGaffri Johnson
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guidemfmurat
 
ISO 19600 Section 4.5 - Know your Obligations
ISO 19600 Section 4.5 - Know your ObligationsISO 19600 Section 4.5 - Know your Obligations
ISO 19600 Section 4.5 - Know your ObligationsNimonik
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?PECB
 

What's hot (20)

GRC 101 ISACA Bengaluru on 28th Dec 2013
GRC 101 ISACA Bengaluru on 28th Dec 2013GRC 101 ISACA Bengaluru on 28th Dec 2013
GRC 101 ISACA Bengaluru on 28th Dec 2013
 
Risk and Regulatory Change Management - 360factors EUEC 2015 Presentation
Risk and Regulatory Change Management - 360factors EUEC 2015 PresentationRisk and Regulatory Change Management - 360factors EUEC 2015 Presentation
Risk and Regulatory Change Management - 360factors EUEC 2015 Presentation
 
Working in Compliance vs. Working On Compliance
Working in Compliance vs. Working On ComplianceWorking in Compliance vs. Working On Compliance
Working in Compliance vs. Working On Compliance
 
Simplifying IT GRC
Simplifying IT GRCSimplifying IT GRC
Simplifying IT GRC
 
Regulatory Change Management
Regulatory Change ManagementRegulatory Change Management
Regulatory Change Management
 
Case study: Why you need ISO/IEC 20000 to ensure success?
Case study: Why you need ISO/IEC 20000 to ensure success?Case study: Why you need ISO/IEC 20000 to ensure success?
Case study: Why you need ISO/IEC 20000 to ensure success?
 
REGULATORY CHANGE MANAGEMENT (RCM) In Environmental Health and Safety
REGULATORY CHANGE MANAGEMENT  (RCM)   In Environmental Health and SafetyREGULATORY CHANGE MANAGEMENT  (RCM)   In Environmental Health and Safety
REGULATORY CHANGE MANAGEMENT (RCM) In Environmental Health and Safety
 
Enterprise Governance, Risk and Compliance
Enterprise Governance, Risk and ComplianceEnterprise Governance, Risk and Compliance
Enterprise Governance, Risk and Compliance
 
The Importance of IT Compliance Management
The Importance of IT Compliance Management The Importance of IT Compliance Management
The Importance of IT Compliance Management
 
Survey results - Centrally vs Locally managed compliance
Survey results - Centrally vs Locally managed complianceSurvey results - Centrally vs Locally managed compliance
Survey results - Centrally vs Locally managed compliance
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and Control
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOX
 
NQA ISO 22301 Business Continuity Checklist
NQA ISO 22301 Business Continuity ChecklistNQA ISO 22301 Business Continuity Checklist
NQA ISO 22301 Business Continuity Checklist
 
GRC
GRCGRC
GRC
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
 
Donna Febriani
Donna FebrianiDonna Febriani
Donna Febriani
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
 
ISO 19600 Section 4.5 - Know your Obligations
ISO 19600 Section 4.5 - Know your ObligationsISO 19600 Section 4.5 - Know your Obligations
ISO 19600 Section 4.5 - Know your Obligations
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 

Viewers also liked

Compliance framework
Compliance frameworkCompliance framework
Compliance frameworkManoj Agarwal
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance frameworkCeyeap
 
Corporate compliance powerpoint
Corporate compliance powerpointCorporate compliance powerpoint
Corporate compliance powerpointsmcmanus3
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentDinesh O Bareja
 
Hiroshima University Information Security & Compliance 2017
Hiroshima University Information Security & Compliance 2017Hiroshima University Information Security & Compliance 2017
Hiroshima University Information Security & Compliance 2017imc-isec-comp
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsSchneider Electric
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
Information Security It's All About Compliance
Information Security   It's All About ComplianceInformation Security   It's All About Compliance
Information Security It's All About ComplianceDinesh O Bareja
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesGreenway Health
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapWAJAHAT IQBAL
 
Compliance ppt
Compliance pptCompliance ppt
Compliance pptAlok Yadav
 
AWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAmazon Web Services
 
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Amazon Web Services
 

Viewers also liked (20)

Compliance framework
Compliance frameworkCompliance framework
Compliance framework
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance framework
 
Corporate compliance powerpoint
Corporate compliance powerpointCorporate compliance powerpoint
Corporate compliance powerpoint
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for Government
 
IT Compliance & Security
IT Compliance & SecurityIT Compliance & Security
IT Compliance & Security
 
Compliance Awareness
Compliance AwarenessCompliance Awareness
Compliance Awareness
 
Hiroshima University Information Security & Compliance 2017
Hiroshima University Information Security & Compliance 2017Hiroshima University Information Security & Compliance 2017
Hiroshima University Information Security & Compliance 2017
 
Coso framework
Coso frameworkCoso framework
Coso framework
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
Information Security It's All About Compliance
Information Security   It's All About ComplianceInformation Security   It's All About Compliance
Information Security It's All About Compliance
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best Practices
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - Mindmap
 
Functional Audit
Functional AuditFunctional Audit
Functional Audit
 
Compliance ppt
Compliance pptCompliance ppt
Compliance ppt
 
AWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by Design
 
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
 

Similar to Compliance Framework

Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standartnewbie2019
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Yerlin Sturdivant
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.360factors
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Tammy Clark
 
SecureAware® - Automated Risk and Compliance Solution
SecureAware® - Automated Risk and Compliance SolutionSecureAware® - Automated Risk and Compliance Solution
SecureAware® - Automated Risk and Compliance SolutionGBBLUME
 
02. cobit 41 dan iso 17799
02. cobit 41 dan iso 1779902. cobit 41 dan iso 17799
02. cobit 41 dan iso 17799Mulyadi Yusuf
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.pptKhalilIdhman
 
Chapter 6Information Governance policy developmentDr. Sand.docx
Chapter 6Information Governance policy developmentDr. Sand.docxChapter 6Information Governance policy developmentDr. Sand.docx
Chapter 6Information Governance policy developmentDr. Sand.docxmccormicknadine86
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)NCTechSymposium
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessLaura Perry
 
Frameworks For Predictability
Frameworks For PredictabilityFrameworks For Predictability
Frameworks For Predictabilitytlknecht
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 

Similar to Compliance Framework (20)

Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standart
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part I
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
 
SecureAware® - Automated Risk and Compliance Solution
SecureAware® - Automated Risk and Compliance SolutionSecureAware® - Automated Risk and Compliance Solution
SecureAware® - Automated Risk and Compliance Solution
 
Cobit 41 framework
Cobit 41 frameworkCobit 41 framework
Cobit 41 framework
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
02. cobit 41 dan iso 17799
02. cobit 41 dan iso 1779902. cobit 41 dan iso 17799
02. cobit 41 dan iso 17799
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.ppt
 
Chapter 6Information Governance policy developmentDr. Sand.docx
Chapter 6Information Governance policy developmentDr. Sand.docxChapter 6Information Governance policy developmentDr. Sand.docx
Chapter 6Information Governance policy developmentDr. Sand.docx
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
Process
ProcessProcess
Process
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
 
Frameworks For Predictability
Frameworks For PredictabilityFrameworks For Predictability
Frameworks For Predictability
 
Eurosec'2008 christophe feltus
Eurosec'2008 christophe feltusEurosec'2008 christophe feltus
Eurosec'2008 christophe feltus
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 

Compliance Framework

  • 7. How do we handle all of these compliance requirements?
    • There is considerable overlap (~80%) among all security and privacy related compliance requirements
    • These and other requirements typically need documented and implemented good processes: "Say what you do, do what you say"
    • Follow the compliance strategy: identify the information assets to be protected, and follow a risk management process (for example, NIST SP 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)
  • 8. Create Defensible Position
    • Following industry standards is a good start: it provides a defensible position against regulation and litigation
    • Best practices are beneficial and defensible
    • Recent revisions of standards include risk management: COSO ERM (COSO + Risk Management), CobiT 4.0, ISO 17799:2005
  • 9. Good Practice, Good Process
    • Adopt current industry standards, but get ahead of the curve where possible
    • Document and follow process
    • Include risk management as a best practice
    • Make sure processes are: effective, efficient, auditable
  • 10. Integrated Compliance Framework
    • Three levels of frameworks, each operating at a different degree of detail and scope, that together provide a set of controls and governance for IT regulatory compliance; each level down provides more detail and greater scope
    • Level 1: COSO Enterprise Risk Management (ERM): organization-wide controls; endorsed by the SEC for Sarbanes-Oxley
    • Level 2: CobiT® 4.x: IT-wide controls relating to COSO ERM (PO9 and DS5.2)
    • Level 3: Subject matter specific controls and best practices, e.g.:
      • ITIL SM (for AI6, DS9, DS10): IT Service Delivery
      • ISO 17799:2005 (for DS5): IT Security
      • ISO 15288:2002 (for AI2, AI3, AI7): System Development Life Cycle
      • PMI PMBOK (for PO10): Project Management
      • Six Sigma (for PO8)
  • 11. Compliance Standards Harmonization
    • ITIL (Information Technology Infrastructure Library)
      • Republished in 2002 as British Standard 15000, IT Service Management: Part 1 is the specification for certification; Part 2 is the code of practice
      • Republished in 2005 as ISO 20000, Information Technology Service Management: Part 1 is the specification for certification; Part 2 is the code of practice
  • 12. Compliance Standards Harmonization
    • ISO 17799, originally British Standard 7799: Part 1 is the code of practice; Part 2 is the specification for certification
    • Satisfies CobiT® DS5 - Ensure Systems Security
    • ISO 17799:2005 is the code of practice; required for BS15000:2 and ISO 20000:2
    • Part 2 of BS 7799 (specification for certification) was republished as ISO 27001:2005; required for BS15000:1 and ISO 20000:1
  • 13. Compliance Standards Harmonization
    • ISO 9001, Quality Management Systems - Requirements: ISO 27001 satisfies ISO 9001 for systems security; BS15000:1, ISO 20000:1, and ISO 20000:2 satisfy ISO 9001 for service management
    • CobiT® 4.0 (2005): harmonized with ITIL, ISO 9001, ISO 17799, and CMM
    • Six Sigma: ISO 27001, ISO 20000:1, and ISO 20000:2 use PDCA (the Deming Cycle), a learning model used in Six Sigma and other quality programs; provides tools for Quality Management Systems
    • Continuous improvement keeps us ahead of the curve and satisfies the monitoring and assessment requirement of the legal process
  • 14. Level 1: COSO ERM
    • Committee of Sponsoring Organizations (COSO) of the Treadway Commission (http://www.coso.org/), "Enterprise Risk Management – Integrated Framework" (http://www.coso.org/Publications/ERM/COSO_ERM.ppt)
    • Enterprise risk management is:
      • A process, ongoing and flowing through an organization
      • Effected by people at every level of an organization
      • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
      • Able to provide reasonable assurance to an entity's management and board of directors
  • 15. COSO ERM Components
    • Eight interrelated COSO components, derived from the way management runs a business
    • Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
    • Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
  • 16. COSO ERM Components
    • Event Identification – Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
    • Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
    • Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
  • 17. COSO ERM Components
    • Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
    • Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
    • Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
  • 18. Level 2: CobiT® 4.x
    • Control Objectives for Information and related Technology (CobiT) (http://www.isaca.org/cobit.html)
    • Covers all controls within or relevant to the IT organization
  • 19. Level 2: CobiT® 4.x Plan and Organize (PO)
    • PO1 Define a Strategic IT Plan
    • PO2 Define the Information Architecture
    • PO3 Determine Technological Direction
    • PO4 Define the IT Processes, Organization and Relationships
    • PO5 Manage the IT Investment
    • PO6 Communicate Management Aims and Direction
    • PO7 Manage IT Human Resources
    • PO8 Manage Quality (Six Sigma, Standards Process)
    • PO9 Assess and Manage IT Risks
    • PO10 Manage Projects (PMBOK)
  • 20.
  • 21. Level 2: CobiT® 4.x Deliver and Support (DS)
    • DS1 Define and Manage Service Levels*
    • DS2 Manage Third-party Services*
    • DS3 Manage Performance and Capacity
    • DS4 Ensure Continuous Service
    • DS5 Ensure Systems Security* (ISO 17799:2005 / 27001:2005)
    • DS6 Identify and Allocate Costs
    • DS7 Educate and Train Users
    • DS8 Manage Service Desk and Incidents
    • DS9 Manage the Configuration* (ITIL)
    • DS10 Manage Problems* (ITIL)
    • DS11 Manage Data*
    • DS12 Manage the Physical Environment
    • DS13 Manage Operations*
  • 22. Level 2: CobiT® 4.x Monitor and Evaluate (ME)
    • ME1 Monitor and Evaluate IT Performance
    • ME2 Monitor and Evaluate Internal Control
    • ME3 Ensure Regulatory Compliance
    • ME4 Provide IT Governance
  • 23. Level 3: ITIL
    • ITIL (IT Infrastructure Library, http://www.ogc.gov.uk/) is the most widely accepted approach to IT Service Management in the world. It provides a cohesive set of well-defined best practices, drawn from the public and private sectors internationally, and is supported by a comprehensive qualification scheme, accredited training organizations, and implementation and assessment tools.
    • Addresses and extends the CobiT level of the compliance framework: AI6 Manage Changes*, DS9 Manage the Configuration*, DS10 Manage Problems*
    • AKA BS 15000, or ISO 20000
  • 24. Level 3: ISO 17799
    • Guidelines and certification for an IT Security Program
    • "Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities."
    • Addresses and extends the CobiT level of the compliance framework: DS5 Ensure Systems Security*
    • Required for BS 15000 and ISO 20000 security
    • AKA BS 7799, or ISO 27001
  • 25. Level 3: PMBOK
    • Project Management Body of Knowledge from PMI (http://www.pmibookstore.org/PMIBookStore/productDetails.aspx?itemID=358&varID=1) describes best practices for Project Management
    • Addresses and extends the CobiT level of the compliance framework: PO10 Manage Projects
    • IEEE 1490-2003, Adoption of PMI Standard: A Guide to the Project Management Body of Knowledge (http://webstore.ansi.org/ansidocstore/product.asp?sku=IEEE+Std+1490%2D2003)
  • 26. Level 3: System Development Life Cycle
    • ISO 15288:2002 is a compendium of standards and best practices for systems and software development life cycle methodologies (http://www.15288.com/)
    • Addresses and extends the CobiT level of the compliance framework: AI2 Acquire and Maintain Application Software*, AI3 Acquire and Maintain Technology Infrastructure*, AI7 Install and Accredit Solutions and Changes
  • 27. Level 3: Six Sigma
    • Six Sigma is a disciplined, data-driven approach and methodology for eliminating defects and improving quality (http://www.isixsigma.com/sixsigma/six_sigma.asp)
    • Addresses the CobiT level of the compliance framework: PO8 Manage Quality
  • 28. Summary
    • The Compliance Framework consists of generally accepted industry standards and risk management practices at multiple levels, to meet the requirements for a security program in an effective, efficient, and auditable manner.