Compliance vs Continuous Improvement

Zenobia Consulting

Vicente Aceituno, October 2012

Semmelweis

• Compliance
• Continuous Improvement
• Security Objectives

Compliance Advantages

• Represents Best Practices.
• Easy to justify: «It is what you are supposed to do».

Compliance Disadvantages

• One size fits all: it doesn’t always meet the changing needs of the business.
• The use of resources might be higher than necessary.
• Slow improvement cycle:
  • Between audits.
  • Between updates of the standard.

Continuous Improvement Disadvantages

• It is difficult to turn business needs into security requirements using traditional concepts.
• …but that doesn’t stop you from implementing compliance.
• …and that is why compliance is so popular.

Compliance Disadvantages

• It is a brake on innovation.

Compliance

For compliance you need:

• A gap analysis between what you do and what the standard says.
• An action plan to fill the gaps.

Incidents are seen as a failure…but management is not to blame: we are compliant!

Improvement comes through better compliance.

Continuous Improvement

Continuous Improvement Advantages

• You can still use Best Practices.
• It meets the changing needs of the business.
• It uses an appropriate amount of resources.
• Fast improvement cycle:
  • Between follow-up reports.

Continuous Improvement Disadvantages

• It is difficult to turn business needs into security requirements using traditional concepts.
  • …but there is a solution: O-ISM3 Security Objectives.
• It requires a high level of maturity, including the use of metrics.
  • …but there is a solution: O-ISM3 Metrics.

Continuous Improvement

For continuous improvement you need:

• A thorough understanding of the security needs of the organization.
• A high level of maturity to deliver on those needs.

Incidents are an opportunity for improvement. Management is to blame if improvements are not introduced.

Improvement comes through meeting the needs better or with fewer resources.

Security Objectives

Access Control

• Use of services and physical and logical access to repositories and systems is restricted to authorized users;
• Secrets (industrial, trade) are accessible to authorized users only;
• Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required;
• Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only;
• Third party services and repositories are appropriately licensed and accessible only to authorized users;
• Users are accountable for the repositories and messages they create or modify;
• Users are accountable for their acceptance of contracts and agreements;
• Users are accountable for their use of services;
• Accurate time and date is reflected in all records.

Priority Objectives

• Availability of repositories, services and channels exceeds Customer needs;
• Reliability and performance of services and channels exceed Customer needs;
• Volatility of services and channels is within Customer needs.

Durability Objectives

• Repositories are retained at least as long as Customer requirements;
• Expired or end-of-life-cycle repositories are permanently destroyed.

Quality Objectives

• Precision, relevance (up-to-date), completeness and consistency of repositories exceed Customer needs.

Technical Objectives

• Keep systems free of weaknesses.
• Keep systems that need to be visible from untrusted systems as little visible as possible.
• Have systems run trusted services only.
• Keep electricity, temperature and humidity within controlled limits.

Learn to implement High Performance Security Management Processes: http://cli.gs/ism3

Web: www.inovement.es
Video Blog: youtube.com/user/vaceituno
Blog: ism3.com
Twitter: twitter.com/vaceituno
Presentations: slideshare.net/vaceituno/presentations
Articles: slideshare.net/vaceituno/documents