
Page 1: Compliance

Compliance

Page 2: Compliance

Compliance

• Compliance measures the extent to which defined policies, standards, and procedures are being followed.

• Compliance includes auditing, monitoring, and investigating at several different levels of the organization.

Page 3: Compliance

First level

• Detection of security violations minimizes the damage done to the organization.

• The information owner or individual assigned responsibility for the component must ensure that appropriate preventative and detective controls are in place and are being utilized effectively.

• Controls at this level include establishing and maintaining access, implementing monitoring and alert tools, administration of audit trail reports, management review of log-in attempts, implementing security parameters, and investigation of lockouts.

Page 4: Compliance

Second level

• Audit function.

• The audit function can be performed by the internal audit department, external auditors, or a combination of both according to industry standards.

• Audit objectives include ensuring compliance with corporate policies, standards, and procedures as well as developing programs to understand the control environment, perform risk assessment, and establish control procedures.

Page 5: Compliance

Third level

• Security Team or Committee level.

• This is investigative in nature and, instead of focusing on a particular application or component, the Security Team is responsible for ensuring that security is implemented organization wide.

Page 6: Compliance

LEVEL ONE COMPLIANCE: THE COMPONENT OWNER

• To ensure appropriate access, a procedure should be established to have component owners and network and application administrators run a listing of specified access by user on a quarterly basis, at a minimum.

• These reports are then submitted to the security liaison of each business function to review for appropriateness.

Page 7: Compliance

Additional responsibilities of the security coordinators/liaisons are to:

• Ensure that application access forms are initiated for existing and new users within the respective departmental area

• Ensure that access is modified or deleted when employees and nonemployees (consultants, contractors, business partners) operating within their business function or site are transferred or terminated

Page 8: Compliance

• Conduct user security awareness within their departmental function

• Ensure that the enterprise Confidentiality Agreement and exit interview forms are signed by all users operating within their department or area of responsibility

• Actively participate as a member of the Security Team

• Coordinate with the Security Officer on all security-related matters

Page 9: Compliance

• Network and application administrators are technically responsible for the operation of the network or application.

• The administrators set security defaults on the system and establish the baseline control standards upon completion of a risk assessment and identification of vulnerabilities.

Page 10: Compliance

LEVEL TWO COMPLIANCE: THE AUDIT FUNCTION

• The audit function is concerned with obtaining an understanding of and evaluating an organization’s internal control.

• Internal control refers to the processes established by an organization’s board of directors, management, and technical staff to provide effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations.

Page 11: Compliance

The components of internal control include:

• The control environment

• Risk assessment

• Control procedures

• Monitoring activities

• Information and communication

Page 12: Compliance

The control environment

• The integrity, ethical values, and fitness of the people within the organization establish the control environment.

• Audit seeks to ensure that the control environment is effective by assessing the stability and consistency of the factors mentioned above.

Page 13: Compliance

Risk assessment

• Risk assessment provides identification and analysis of realistic and associated risks in achieving the organization’s business objectives.

• The audit function seeks to establish information security controls that are proportionate to the value, sensitivity, and criticality of the systems and information being protected.

• This includes the probability, frequency, and severity of loss or damage that can occur.

Page 14: Compliance

Control procedures

• Control procedures ensure that management directives are implemented.

• Control procedures include authorization, verification, approval, reconciliation, analysis of the efficiency of operations, implementation of access controls, physical security of assets, and segregation of duties.

Page 15: Compliance

Monitoring activities

• Monitoring activities include well-defined and scheduled management and supervisory activities to determine whether control procedures are performed effectively and consistently.

• Auditors monitor the control processes and procedures for indications of weakness in the control environment that has been established, while security, network, and application administrators monitor specific implementations for errors, damage, or indications of unauthorized access to systems and applications.

Page 16: Compliance

Information and communication

• Information and communication in the audit environment includes the timely processing and dissemination of operational, financial, and compliance-related information to manage the business effectively.

Page 17: Compliance

• Auditing is most often coupled with the reliability of financial reporting.

Page 18: Compliance

• The second portion of a computer audit encompasses understanding and evaluating the general computer controls for an operating environment.

Page 19: Compliance

• When testing general computer controls, there are four areas of consideration:

– Information security

– System acquisition, development, and maintenance

– Computer operations

– Information systems support

Page 20: Compliance

• Information security includes testing for logical security of online and batch access controls.

• System acquisition, development, and maintenance include the quality of new systems design and implementation, as well as program change control.

• Computer operations entail media library management, job scheduling, physical control of devices, information and data, report distribution, backup, and recovery.

Page 21: Compliance

• Information systems support includes all of the peripherals that support an application and processing environment such as controls related to operating system software, database administration, network operations, and end-user computing.

Page 22: Compliance

Financial audit

• The auditors must determine what level of reliance they place on key controls.

• When reliance is high — which means that they trust the output data to be true and correct — a test of the key controls must be performed for completeness, accuracy, validity, and restricted access.

Page 23: Compliance

• Controls are a combination of monitoring controls, and both manual and automated application controls.

• Application controls and related control objectives are procedures designed to ensure the integrity of the accounting records.

Page 24: Compliance

Control objectives include:

• Completeness: all transactions are recorded, entered into the system, and accepted for processing once and only once. All transactions input are updated to the appropriate files, and once updated remain correct and current.

Page 25: Compliance

• Accuracy: data and information are recorded and accurately input to the computer. Changes made to data files are accurately input, and all input transactions are accepted for processing and updated to the appropriate data files.

• Validity: transactions are authorized and represent true and valid transactions related to the appropriate client. Changes to existing data are not made without appropriate authorization.

Page 26: Compliance

• Restricted access: only individuals authorized by virtue of their job function can access data files for changes or updates. Controls protect the confidentiality of the data, and physical controls protect cash and inventory.

Page 27: Compliance

• When testing the general computer controls, the auditor is looking for potential errors in completeness, accuracy, validity, and restricted access.

• Tests of validity ensure that a process taking place, whether it is a calculation or the granting of user access to a system, is a relevant and legitimate process.

Page 28: Compliance

• A risk-based approach to auditing determines how often a particular application or operating system is audited and will depend on the assessed risk to the organization as well as the strength of the control environment for a particular application or operating system.

Page 30: Compliance

LEVEL THREE COMPLIANCE: THE SECURITY TEAM

• The Security Team or Committee is responsible for ensuring that security is implemented organization wide.

• An ISA that has been developed and implemented needs to be continuously assessed for effectiveness, changes to the environment that will require changes to the ISA, and modifications for improvement to the overall architecture.

Page 31: Compliance

• The Security Team is looking for something different from what the system auditors look for.

• The Security Team is looking for implementation of the policies, standards, and procedures that have been developed under its direction.

• Auditors are looking for the effectiveness of controls as they are implemented for critical programs and applications.

• The network administrator is concerned with the specific implementation details for a particular component.

Page 32: Compliance

How does the Security Team assess the effectiveness of the ISA?

• The Security Team should be involved in reviewing the results of all audit, control, or security reviews that occur within the organization.

• The Security Team is tasked with understanding why the results may have fallen short and what the systemic reason was for lax or ineffective controls.

Page 33: Compliance

• The Security Team also acts as the investigative arm for security issues and incidents.

Page 34: Compliance

LINE OF BUSINESS (LOB) SECURITY PLAN

• The LOB Security Plan should provide an overview of the operational environment, identify key controls within the organization, and provide the basis for measuring compliance to the corporate security policies, standards, and procedures.

Page 35: Compliance

• The LOB Security Plan is designed to provide a baseline document for understanding the processing environment, performing baseline security assessments of that environment, and seeking to make improvements to meet the corporate goals and objectives for security.

Page 36: Compliance

ENTERPRISE MANAGEMENT TOOLS

• Account integrity: to identify and prevent users from having security privileges that exceed the security policy

• Backup integrity: to identify files that are not being backed up

• File access: to examine files to verify security settings that are established in the security policy

• File attributes: to identify files whose attributes have changed from the baseline

Page 37: Compliance

• File find: to check files for viruses and other corruption that could lead to data loss

• Log-in parameters: to scan for log-in parameters that fall outside the security policy

• Object integrity: to identify changes in ownership and permissions for software objects

• Password strength: to check the password parameters for validation against the security policy

Page 38: Compliance

• Startup files: to examine startup files for potential security breaches

• System auditing: to monitor audit trails and system accounts

• System mail: to check known problem areas for security lapses
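The quarterly access-listing review of pages 6 and 7 and the "account integrity" tool function above can be expressed as one check over a listing of access by user. The script below is an added example, not code from the original deck: the access listing, the policy table mapping job functions to a maximum privilege, and the field names are all constructed assumptions. It groups grants per business function for each security liaison, flags privileges that exceed policy, and flags access still present for transferred or terminated users.

```python
"""Quarterly access review with account-integrity checks (added example; all
data constructed, policy table and field names are assumptions)."""
from collections import defaultdict

# Assumed policy: the highest privilege each job function may hold.
PRIVILEGE_RANK = {"read": 1, "write": 2, "admin": 3}
POLICY_MAX_PRIVILEGE = {"clerk": "read", "analyst": "write", "dba": "admin"}

# Constructed quarterly access listing: one row per user/system grant.
ACCESS_LISTING = [
    {"user": "alice", "function": "finance", "job": "analyst",
     "system": "ledger", "privilege": "write", "status": "active"},
    {"user": "bob", "function": "finance", "job": "clerk",
     "system": "ledger", "privilege": "admin", "status": "active"},
    {"user": "carol", "function": "ops", "job": "dba",
     "system": "inventory-db", "privilege": "admin", "status": "active"},
    {"user": "dave", "function": "ops", "job": "analyst",
     "system": "inventory-db", "privilege": "read", "status": "terminated"},
]

def privilege_exceeds_policy(entry):
    """True when the granted privilege ranks above the job function's maximum."""
    allowed = POLICY_MAX_PRIVILEGE[entry["job"]]
    return PRIVILEGE_RANK[entry["privilege"]] > PRIVILEGE_RANK[allowed]

def review_access_listing(listing):
    """Group grants per business function (one report per security liaison)
    and attach the findings the liaison must act on to each grant."""
    report = defaultdict(list)
    for entry in listing:
        findings = []
        if privilege_exceeds_policy(entry):
            findings.append("privilege exceeds policy for job function")
        if entry["status"] != "active":
            # Page 7: access must be removed on transfer or termination.
            findings.append("access still present for %s user" % entry["status"])
        report[entry["function"]].append((entry, findings))
    return dict(report)

def exceptions(report):
    """Flatten a report to (user, system, finding) tuples that need action."""
    return [(e["user"], e["system"], f)
            for entries in report.values() for e, fs in entries for f in fs]

if __name__ == "__main__":
    for function, entries in review_access_listing(ACCESS_LISTING).items():
        print("== %s ==" % function)
        for entry, findings in entries:
            print(entry["user"], entry["system"], entry["privilege"], findings or "ok")
```

Each liaison receives only their function's section of the report, with the exceptions already marked so the review can focus on appropriateness rather than on reading raw listings.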

Page 39: Compliance

Pitfalls to an Effective ISA Program

• Lack of project sponsorship and executive management support

• Executive management’s lack of understanding of realistic risk

• Lack of resources

• Impact of mergers and acquisitions on disparate systems

• Independent operations throughout business units

• Discord between mainframe versus distributed computing cultures

Page 40: Compliance

• Corporate cultures whose objective of fostering trust in the organization contradicts an environment requiring more stringent controls

• Fortune 500 enterprises that have grown from mom-and-pop shop beginnings and do not completely support the constraints conducive to secure operations

• Third-party and remote network management

• The rate of change in technology