Zenobia Consulting
Compliance vs Continuous Improvement
Vicente Aceituno, October 2012

Semmelweis

Agenda: Compliance, Continuous Improvement, Security Objectives
Compliance Advantages
• Represents Best Practices.
• Easy to justify: «It is what you are supposed to do».

Compliance Disadvantages
• One size fits all: it doesn’t always meet the changing needs of the business.
• The use of resources might be higher than necessary.
• Slow improvement cycle:
  • Between audits.
  • Between updates of the Standard.
• It is a brake for innovation.

Continuous Improvement Disadvantages
• It is difficult to turn business needs into security requirements using traditional concepts.
• …but that doesn’t stop you from implementing compliance.
• …and that is why compliance is so popular.
Compliance
For compliance you need:
• A gap analysis between what you do and what the standard says.
• An action plan to fill the gaps.
Incidents are seen as a failure… but management is not to blame… We are compliant!
Improvement comes through better compliance.

Agenda: Compliance, Continuous Improvement, Security Objectives
Continuous Improvement Advantages
• You can still use Best Practices.
• It meets the changing needs of the business.
• It uses an appropriate amount of resources.
• Fast improvement cycle:
  • Between follow-up reports.

Continuous Improvement Disadvantages
• It is difficult to turn business needs into security requirements using traditional concepts.
• …but there is a solution: O-ISM3 Security Objectives.
• It requires a high level of maturity, including the use of metrics.
• …but there is a solution: O-ISM3 Metrics.
Continuous Improvement
For continuous improvement you need:
• A thorough understanding of the security needs of the organization.
• A high level of maturity to deliver those needs.
Incidents are an opportunity for improvement. Management is to blame if improvements are not introduced.
Improvement comes through meeting the needs better or with fewer resources.

Agenda: Compliance, Continuous Improvement, Security Objectives
Access Control Objectives
• Use of services and physical and logical access to repositories and systems is restricted to authorized users.
• Secrets (industrial, trade) are accessible to authorized users only.
• Personal information of clients and employees is accessible for a valid purpose to authorized users only, preserves their anonymity if necessary, and is held for no longer than required.
• Intellectual property (licensed, copyrighted, patented and trademarks) is accessible to authorized users only.
• Third party services and repositories are appropriately licensed and accessible only to authorized users.
• Users are accountable for the repositories and messages they create or modify.
• Users are accountable for their acceptance of contracts and agreements.
• Users are accountable for their use of services.
• Accurate time and date is reflected in all records.

Priority Objectives
• Availability of repositories, services and channels exceeds Customer needs.
• Reliability and performance of services and channels exceed Customer needs.
• Volatility of services and channels is within Customer needs.

Durability Objectives
• Repositories are retained at least as long as Customer requirements.
• Expired or end-of-life-cycle repositories are permanently destroyed.

Quality Objectives
• Precision, relevance (up-to-date), completeness and consistency of repositories exceed Customer needs.

Technical Objectives
• Keep systems free of weaknesses.
• Keep systems that need to be visible from untrusted systems the least visible possible.
• Have systems run trusted services only.
• Keep electricity, temperature and humidity within controlled limits.
Learn to implement High Performance Security Management Processes: http://cli.gs/ism3
Web: www.inovement.es
Video Blog: youtube.com/user/vaceituno
Blog: ism3.com
Twitter: twitter.com/vaceituno
Presentations: slideshare.net/vaceituno/presentations
Articles: slideshare.net/vaceituno/documents