IT GOVERNANCE GSI 615
|
|
- Barbara Lewis
- 8 years ago
- Views:
Transcription
1 IT GOVERNANCE GSI 615 Carmen R. Cintrón Ferrer 2014
2 IT Governance 2 Scope Governance Risk Management Compliance IT Resources Management IT Governance IT Leadership and Innovation Governance and Ethics
3 3 Compliance
4 What is compliance? 4 Compliance is a desired outcome with regard to: Laws and regulations Internal policies and procedures Commitments to stakeholders Mission Reliability and Assurance of information Achieved through managed investment of time and resources by inserting into day to day processes: Controls Legal and Tactical activities Metrics
5 Compliance 5 Compliance definition: (Video) Conformance to established or generally accepted regulations, standards and/or legislation Compliance components: Awareness of boundaries Structure support for accountability Culture and consistency Automated processes and controls to avoid gaps and prevent failure Metrics that enable compliance Technology integration to alert/prevent possible incompliance
6 Compliance with Laws and Regulations 6 Which Laws & Regulations Those which the entity is subjected to follow Challenges Lacking in harmony Complex & decentralized Dependent on manual controls Implement via: Policies and Procedures Insert technology to support compliance Rely upon ethical behavior and transparency
7 Comply with what? 7 National & International Laws and Regulations Standards and Best Practices Governmental regulatory agencies rules Codes of Ethics Organizational Policies, Procedures, Guidelines Business Code of Ethics Professional Code of Conduct
8 Regulatory compliance areas (sample list) 8 Financial transactions and records: Gramm-Leach-Bliley Privacy Act (GLBA) Payment Card Industry Standards (PCI) Basel I & II Sarbanes Oxley Act (SOX) Health Transactions and records: Health Records Insurance Portability & Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health (HITECH) Act Intellectual property: Digital Millenium Copyright Act (DMCA) Personal Data Privacy: Family Education Rights and Privacy Act (FERPA - Buckley Amm.) Electronic Communications Privacy Act (ECPA) The Lisbon Treaty Data Protection framework as a fundamental human right National Security, Information Security and Telecommunications: Federal Information Securty Management (FISMA) Computer Fraud and Abuse Act USA Patriot Act
9 What, Who, When? 9 What? Determine the level of compliance required Identify responsible parties (Roles & Responsibilities) Adopt (modify) Policies and Procedures Communicate, Train and Monitor Who? Organization as a whole Board, Officers, Senior and Line Management and staff Compliance Officer, Internal Auditor and Legal Counsel When? Continuous compliance process By request of Regulatory Agency, contractual agreement and/or lawsuit
10 Responsibility 10 Dimension of Responsibility Strict (Directly responsible) Indirect and vicarious Fiduciary responsible Negligent acts or absence of Standard of Due Care: States the measures that should be in place to mitigate or reduce the responsibility Requires to Act as expected (within the legal/regulatory framework) SOX Standards ISO 17799
11 Compliance Exercise 1 11 Choose a regulation from the Personal Data Protection List Determine dimension of responsibility for: Board Officers & Managers IT Management and Staff Staff What would the Standard of Due Care be if there is a: Breach of security and clients data is exposed? Scenario of industrial espionage? Major fraud involving securities transactions (SEC)? Unethical behavior by an Officer/Manager/Staff Employee?
12 Compliance Laws and Regulations Personal Data and Privacy Protection (limited listing) Electronic Communications Privacy Act PL (1986) Children's Online Privacy Protection Act PL (1998) Health Insurance Portability & Accountability Act Health Information Technology for Economic and Clinical Health (HITECH) Act Family Education Rights and Privacy Act (Buckley Amm.) (1974) PL (1996) PL 111-5(2009) Sarbanes Oxley Act PL (2002) Gramm-Leach Bliley Financial Privacy Act (GLB) PL (1999) Digital Millenium Copyright Act (DMCA) PL (1998) Control Assault of Non-Solicited Pornography & Marketing Act PL (2003) Electronic Signatures in Global & National Commerce Act PL (2000) Communications Assistance for Law Enforcement Act PL (1994) Real ID Act PL (2005) The Lisbon Treaty significantly affects the data protection framework. It establishes that Personal dat protection is a fundamental human right Federal Information Securty Management (FISMA) Computer Fraud and Abuse Act Cyber Security Enhancement Act Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act Cyber stalking, Cyber Harrasment & Cyber Bullying laws PL (2002) PL (2002) PL (2001) Federal Information Security Management Act PL (2002) Electronic Freedom of Information Act PL (1996) Carmen R. Cintron Ferrer, 2014, Reserved Rights
13 Compliance Exercise 1(a) 13 Dimension of Responsibility Board of Directors Officers Managers IT Mangement & Staff Other Staff Strict/Direct Indirect/ Vicarious Fiduciary Negligent actions
14 Compliance Exercise 1(b) 14 Expected Standard of Due Care Board of Directors Officers Managers IT Mangement & Staff Other Staff Client s Data Exposed Industrial Espionage SEC fraud Unethical behaviour
15 Compliance Management 15 Identify Regulatory requirements Select Compliance Frameworks Document Business processes and controls: Implement or update Processes & Controls Determine Control Gaps Address - close gap(s) Monitor control status and effectiveness: Identify and remediate issues Review and update control environment Certify effectiveness Communicate results of analysis to key stakeholders: Train for Compliance Generate evidence to support audit requirements Assess impact of events on controls
16 Compliance Management Process 16 Regulatory Requirements Compliance Framework Business Processes Monitor Controls Communicate & Train
17 Compliance Management Issues 17 No Compliance oversight function and/or very low confidence level in risk management Lack of Compliance Awareness and Education Outdated Policies and Procedures Informal Procedures and Practices Unknown and/or not well informed and understood Policies, Procedures, Strategic Plans, Budget and Resources Allocation-Management Inconsistent application of policies and practices among different areas/departments Ineffective/Inefficient controls Personal accountability is unenforceable or wrongly placed
18 Environment for Compliance 18 Establish an incentive and reward system based on excellence and hard work. Develop an ethical environment that can foster and sustain responsible decisions. Build a system of ethical practice throughout the compliance program and the organization. Assign the resources and communicate a clear message Move the cultural change: Compliance is the right thing to do Michael Volkov, Creating a Culture of Ethics and Compliance
19 SOX Compliance 19 Sec Faulty Financial Reporting (Data Safeguard) Prevent data tampering Accurate reporting and timelines Track data access Operational safeguards Safeguards effectiveness Security breaches detection Sec 404: Disclosure and transparency (Data Security) Disclose security safeguards Disclose security breaches Disclose failure of safeguards
20 Sox Compliance Frameworks 20 Cobit 5 ( ISO ( COSO ( SANS Approach: An Overview of SOX A Compliance Primer SOX IT Compliance Audit Some IT Support Solutions: Computron CorreLog Oracle
21 SOX Compliance References 21 Computron, Sarbanes-Oxley Compliance: A Checklist for Evaluating Internal Controls Correlog, Sarbanes-Oxley (SOX) Compliance Checklist Deloitte, Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002 Ernst & Young, The Sarbanes-Oxley Act at 10, Enhancign the reliability of financial reporting and audit quality KPMG, Sarbanes-Oxley Section 404: Summary of key points from submissions to the SEC J. StephenMcNally, CPA, The 2013 COSO Framework & SOX Compliance, One Approach to Effective Transition Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, FAQ s Regarding section 404 SPLUNK, SOX Compliance
22 COSO 2013 (Committee of Sponsoring Organizations - Threadway Commission) Update considers changes in business and operating environments Environments changes... have driven Framework updates Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud COSO Cube (2013 Edition)
23 COSO 2013 Updated Model Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures 13. Uses relevant information 14. Communicates internally 15. Communicates externally 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies
24 COSO - Example on how controls effect principles Component Control Environment Principle (1) The organization demonstrates a commitment to integrity and ethical values. Controls embedded in other components may effect this principle Human Resources review employees confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity Control Environment Management obtains and reviews data and information underlying potential deviations captured in whistleblower hot-line to assess quality of information Information & Communication Internal Audit separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon Monitoring Activities
25 25 GR&C Wrap-up
26 GRC or ECRG 26 Governance Risk and Compliance (Video) Why a GRC Framework? (Video) GRC: The Power to decide (Video) Ethics, Compliance, Risk Management & Governance: Should it be GRC or ECRG? (Why/Why not?) What does the Ethical Component introduce? How can Ethical Governance become the axis?
27 27 Ethics and Compliance or Compliance and Ethics Society of Corporate Compliance and Ethics, Sally March, Compliance in Europe Alstom, Ethics and Compliance: "clean business is great business" Lilly, Ethics and Compliance Program Ethics & Compliance Officer Association, Standards of Conduct for Ethics and Compliance Professionals Education Portal, Corporate Social Responsibility Dilbert on Ethics for e-cpe DigiPharm, The relationship between compliance and ethics Funny FCPA trainings Click4Compliance, Global Anti-corruption laws
28 28 Governance Cases Teamwork Exercise
29 Cases in Governance 29 Enron Lee Ann Obringer - Stuffworks Robert Jon Petersen Sophia.org The Economist - The FBI, Crime in the Suites: A look back at the Enron Case - Leigh Tesfatsion Iowa State University -
30 30 Cases in Governance Tyco International Lee Ann Obringer Stuffworks - Tyco Fraud InfoCenter - Daniels Fund Ethics Initiative University of New Mexico - Law Teacher Unethical issues or legal issues in Tyco International - Study Mode - Case-Study html
31 31 Cases in Governance WorldCom Lee Ann Obringer Stuffworks - Romar et als Santa Clara University World Com Case Study _Case_Study_April_2009.pdf Kristin A. Kennedy An Analysis of Fraud - University of New Hampshire
32 32 Cases in Governance Adelphia The Adelphia Case Scandal - 3&cad=rja&ved=0CDQQFjAC&url=http%3A%2F%2Fwww.aicpa.org%2FI nterestareas%2faccountingeducation%2fresources%2fdownloadabledocu ments%2fadelphia.ppt&ei=8i_wuthdmzg8kqfjuidycg&usg=afqjcnehp tlobmqe4mmgbg0luops6tikxq CNN Money The Adelphia Story / C.P. Carter et als. The Adelphia Fraud American Accounting Association, Adelphia Communications Case Study Case-Study
33 33 Cases in Governance Peregrine Systems FBI Peregrine Systems Indictment
What Should IS Majors Know About Regulatory Compliance?
What Should IS Majors Know About Regulatory Compliance? Working Paper Series 08-12 August 2008 Craig A. VanLengen Professor of Computer Information Systems/Accounting Northern Arizona University The W.
More informationImpact of New Internal Control Frameworks
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
More informationCyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014
Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava
More informationWHITEPAPER. Compliance: what it means for databases
WHITEPAPER Compliance: what it means for databases Introduction Compliance is the general term used to describe the efforts made by many (typically larger) organizations to meet regulatory standards. In
More informationExecutive's Guide to
Executive's Guide to IT Governance Improving Systems Processes with Service Management, COBIT, and ITIL ROBERT R. MOELLER WILEY John Wiley & Sons, Inc. Contents Preface xiii PART I: IT GOVERNANCE CONCEPTS
More informationA Sarbanes-Oxley Roadmap to Business Continuity
A Sarbanes-Oxley Roadmap to Business Continuity NEDRIX Conference June 23, 2004 Dr. Eric Schmidt eschmidt@controlsolutions.com Control Solutions International TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT
More informationCA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.
TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationSelf-Service SOX Auditing With S3 Control
Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with
More informationSurviving an Identity Audit
What small and midsize organizations need to know about the identity portion of an IT compliance audit Whitepaper Contents Executive Overview.......................................... 2 Introduction..............................................
More informationIT Security & Compliance Risk Assessment Capabilities
ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationCloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns. Privacy and Information Management Practice / Washington, DC
Cloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns Privacy and Information Management Practice / Washington, DC Disclaimer THIS PRESENTATION IS TO ASSIST IN A GENERAL
More informationDesign of Database Security Policy In Enterprise Systems
Design of Database Security Policy In Enterprise Systems by Krishna R Singitam Database Architect Page 1 of 10 Table of Contents 1. Abstract... 3 2. Introduction... 3 2.1. Understanding the Necessity of
More informationSecuring your Corporate Infrastructure What is really needed to keep your assets protected
Securing your Corporate Infrastructure What is really needed to keep your assets protected Joseph Burkard CISA, CISSP October 3, 2002 1 Securing your Corporate Infrastructure Management Dilemma or Technical
More informationHarmonizing Your Compliance and Security Objectives. Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology
Harmonizing Your Compliance and Security Objectives Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology Make sure efforts serve multiple purposes Use standards to guide effort Repeatable
More informationSarbanes Oxley and IT
Sarbanes Oxley and IT Threat or Opportunity? Lee Thornbury J.D. Sarbanes Oxley and IT Threat or Opportunity? By Lee Thornbury J.D. In 2002, Congress passed, and the president signed into law, a House bill
More informationIT audit updates. Current hot topics and key considerations. IT risk assessment leading practices
IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations
More informationInternational Institute of Management
Executive Education Executive Action Learning Seminars Executive Seminars Executive Courses International Institute of Management Executive Education Courses CIO & Sarbanes Oxley Compliance SOX Implementation
More informationSOX and its effects on IT Security Governance
SOX and its effects on IT Security Governance Rosslin John Robles 1, Min-kyu Choi 1, Sung-Eon Cho 2, Yang-seon Lee 2, Tai-hoon Kim 1 School of Multimedia, Hannam University, Daejeon, Korea 2 Dept of Information
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationSarbanes-Oxley Compliance: Section 404-Past, Present, and Future
Sarbanes-Oxley Compliance: Section 404-Past, Present, and Future BADM 590/395 IT Governance MS1 Professor Michael Shaw Submitted by: Amy Smith BA in MIS University of Illinois at Urbana-Champaign Smith
More informationSECURELINK.COM COMPLIANCE AND INDUSTRY REGULATIONS
COMPLIANCE AND INDUSTRY REGULATIONS INTRODUCTION Multiple federal regulations exist today requiring government organizations to implement effective controls that ensure the security of their information
More informationMapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA
Volume 3, July 2014 Come join the discussion! Alberto León Lozano will respond to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 21 July 2014. Mapping COBIT 5 with IT
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationSarbanes-Oxley: Challenges and Opportunities in the New Regulatory Environment
Doculabs White Paper Sarbanes-Oxley: Challenges and Opportunities in the New Regulatory Environment The Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley) has ushered in sweeping changes to corporate governance,
More informationAlienVault for Regulatory Compliance
AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have
More informationInformation Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationXBRL & GRC Future opportunities?
XBRL & GRC Future opportunities? Suzanne Janse Deloitte NL Paul Hulst Deloitte / Said Tabet EMC Presenters Suzanne Janse Deloitte Netherlands Director ERP (SAP, Oracle) Risk Management GRC software Paul
More informationRISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655
FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationengage. empower. evolve. SARBANES-OXLEY COMPLIANCE
engage. empower. evolve. SARBANES-OXLEY COMPLIANCE engage. empower. evolve. OVERVIEW OF THE SARBANES-OXLEY ACT The Sarbanes-Oxley Act of 2002 is the single most important piece of legislation affecting
More informationSOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships
Building Trust and Confidence in Third-Party Relationships Today s businesses rely heavily on outsourcing certain business tasks or functions to service organizations, even those that are core to their
More informationAchieving Business Imperatives through IT Governance and Risk
IBM Global Technology Services Achieving Business Imperatives through IT Governance and Risk Peter Stremus Internet Security Systems, an IBM Company Introduction : Compliance Value Over the past 15 years
More informationThis article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.
Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international
More informationKeeping watch over your best business interests.
Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation
More informationIT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma
IT Governance, Risk and Compliance (GRC) : A Strategic Priority Joerg Asma Agenda Introductions An Overview of IT Governance Risk & Compliance (IT-GRC) The Value Proposition Implementing an IT-GRC Program
More informationCOSO 2013 Internal Control Framework
COSO 2013 Internal Control A Guide to Implementation July 24, 2014 Justin Adamson Agenda COSO Background Changes to the Roadmap to Implementation Implementation Considerations & Lessons Learned 2 1 Who/What
More informationCOSO 2013 Internal Control Integrated Framework FRED J. PETERSON, PARTNER MOSS ADAMS LLP
COSO 2013 Internal Control Integrated Framework FRED J. PETERSON, PARTNER MOSS ADAMS LLP Disclaimer The material appearing in this presentation is for informational purposes only and should not be construed
More informationSarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by:
Beyond Sarbanes-Oxley: Using compliance requirements to boost business performance The business regulatory environment in the United States has changed. Public companies have new obligations to report
More informationI. U.S. Government Privacy Laws
I. U.S. Government Privacy Laws A. Privacy Definitions and Principles a. Privacy Definitions i. Privacy and personally identifiable information (PII) b. Privacy Basics Definition of PII 1. Office of Management
More informationStrong IT Governance: Ethical Arguments & GRC Convergence Strategies. A Crash Course in IT Governance & Compliance
Strong IT Governance: Ethical Arguments & GRC Convergence Strategies Chrisan Herrod, CISA VP, Business Development, Executive Editor, The Compliance Authority Aaron Parks, CISA, CISM, CCEP Assoc. Director,
More informationThe Road to Compliance: Signing Your SOX Certification with Confidence
The Road to Compliance: Signing Your SOX Certification with Confidence This white paper discusses high-level requirements for complying with the Sarbanes-Oxley Act, with a specific focus on the next major
More informationAdding Cloud Solutions to Customer Contracts Robert J. Scott
Adding Cloud Solutions to Customer Contracts Robert J. Scott MSP vs. Cloud Who owns the hardware? Where does the data reside? Dedicated vs. Multi tenant? Who contracts with 3 rd parties? How are services
More informationGLOBAL STANDARD FOR INFORMATION MANAGEMENT
GLOBAL STANDARD FOR INFORMATION MANAGEMENT Manohar Ganshani Businesses have today expanded beyond local geographies. Global presence demands uniformity within the processes across disparate locations of
More informationClients Legal Needs in HIPAA Security Compliance
Clients Legal Needs in HIPAA Security Compliance Robyn A. Meinhardt, JD, RN FOLEY & LARDNER LLP 2004 Preserving Attorney-Client Privilege and Work Product Protections 1 Relevance to Security Compliance
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationOutsourcing & Regulatory Compliance Risks
Outsourcing & Regulatory Compliance Risks By Matthew Sullivan Today s marketplace dictates that Financial Services Institutions (FSIs) consider using offshore IT services to remain competitive. However,
More informationEmail Archiving for the Financial Industry
jatheon technologies whitepaper hot ISSUE Email Archiving for the Financial Industry 2... I ntroduction 2... Challenges Faced b y the Financial Sector 2... Why Financial Firms Need to Comply 3... Compliance
More informationHow To Ensure Financial Compliance
Evolving from Financial Compliance to Next Generation GRC Gary Prince Principal Solution Specialist - GRC Agenda Business Challenges Oracle s Leadership in Governance, Risk and Compliance Solution Overview
More informationUsing COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister
Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.
More informationIT Governance Dr. Michael Shaw Term Project
IT Governance Dr. Michael Shaw Term Project IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues Submitted by: Gajin Tsai gtsai2@uiuc.edu May 3 rd, 2007 1 Table of Contents: Abstract...3
More informationCOBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)
COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA
More informationEMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES
EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance
More informationFraud-Related Compliance
Fraud-Related Compliance Areas of Compliance, Part 1: FCPA, SOX, PCAOB, Dodd-Frank 2015 Association of Certified Fraud Examiners, Inc. Foreign Corrupt Practices Act (FCPA) Enacted to prohibit corrupt payments
More informationInformation Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza
Information Security Management System (ISMS) Overview Arhnel Klyde S. Terroza May 12, 2015 1 Arhnel Klyde S. Terroza CPA, CISA, CISM, CRISC, ISO 27001 Provisional Auditor Internal Auditor at Clarien Bank
More informationCertified Identity and Access Manager (CIAM) Overview & Curriculum
Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management
More informationCompliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards
Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards Paul de Graaff Chief Strategy Officer Vanguard Integrity Professionals March 11, 2014 Session
More informationDELAWARE GOVERNANCE PRINCIPLES Steptoe & Johnson LLP (Overview) David Roll Richards, Layton & Finger, P.A. Samuel A. Nolen
Last Updated: June 2013 DELAWARE GOVERNANCE PRINCIPLES Steptoe & Johnson LLP (Overview) David Roll Richards, Layton & Finger, P.A. Samuel A. Nolen Table of Contents 1. The Sarbanes-Oxley Good Governance
More informationUnderstanding Enterprise Risk Management. Presented by Dorothy Gjerdrum Arthur J Gallagher
Understanding Enterprise Risk Management Presented by Dorothy Gjerdrum Arthur J Gallagher Learning Objectives Understand the components of a wellrun ERM program Review scope and process Explore the role
More informationGetting Executive Buy-in. Tips & Strategies
Getting Executive Buy-in Tips & Strategies Program Management & Planning Overview Why security is important to the organization Why management buy-in is needed Strategies for obtaining executive buy-in
More informationBuilding a Culture of Compliance
Charles H. Le Grand, CHL Global Associates Sponsored by IBS America, Inc.* http:// Building a Culture of Compliance i Overview 1 What Is Compliance? 1 A Culture of Compliance 2 Attributes of a Culture
More informationCASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link
CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com Background CASRO and Standards CASRO takes
More informationThe Importance of Privacy & Data Security in a Changing World
Cyber, PrivaCy & Data SeCurity 360 www.mpplaw.com about our PraCtiCe Data is the lifeblood of our global economy. Collected, stored and transmitted, digital data not only imparts great opportunities, but
More informationBADM 590 IT Governance, Information Trust, and Risk Management
BADM 590 IT Governance, Information Trust, and Risk Management Information Technology Infrastructure Library (ITIL) Spring 2007 By Po-Kun (Dennis), Tseng Abstract: This report is focusing on ITIL framework,
More informationHow To Get A Whistleblower Pass On A Corporation
FLORIDA SARBANES OXLEY ACT What a Whistleblower Needs to Know Corporations have a legal and moral obligation to both their employees and their investors to ensure that the company is both profitable and
More informationMASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
More informationCOSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE
COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,
More informationHow to use Alertsec to Enable SOX Compliance for Your Customers
How to use Alertsec to Enable SOX Compliance for Your Customers Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents Executive Summary...
More informationBuilding Trust and Confidence in Healthcare Information. How TrustNet Helps
Building Trust and Confidence in Healthcare Information The management of healthcare information in the United States is regulated under the HIPAA (Health Insurance Portability and Accountability Act)
More informationThe Importance of IT Controls to Sarbanes-Oxley Compliance
Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers
More informationCOSO Internal Control Integrated Framework (2013)
COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)
More informationCITY OF SAN ANTONIO INTERNAL AUDIT DEPARTMENT
CITY OF SAN ANTONIO INTERNAL AUDIT DEPARTMENT Audit of SAP Customer Relationship Management Project No. AU05-008 Release Date: Prepared By: Patricia Major CPA, CIA, CTP, CGFM Frank Cortez CIA, CISA, CISSP
More informationESET Secure Authentication
ESET Secure Authentication Second factor authentication and compliance Document Version 1.2 6 November, 2013 www.eset.com ESET Secure Authentication - second factor authentication and compliance 2 2 Summary
More informationBDO NORDIC. Investigation, fraud prevention and computer forensics. You can guess. You can assume. Or you can know. And knowing is always better.
BDO NORDIC Investigation, fraud prevention and computer forensics You can guess. You can assume. Or you can know. And knowing is always better. CONTENT OUR SERVICES 3 Investigation - Identifying the facts
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationLogging the Pillar of Compliance
WHITEPAPER Logging the Pillar of Compliance Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 Open-eyed management 4 ISO 27001 5 PCI DSS 5 Sarbanes
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More informationFebruary 2015. Sample audit committee charter
February 2015 Sample audit committee charter Sample audit committee charter This sample audit committee charter is based on observations of selected companies and the requirements of the SEC, the NYSE,
More informationGuide to Public Company Auditing
Guide to Public Company Auditing The Center for Audit Quality (CAQ) prepared this Guide to Public Company Auditing to provide an introduction to and overview of the key processes, participants and issues
More informationHow to Lead the People in a Program Based Environment
SESSION ID: GRC-W01 Balancing Compliance and Operational Security Demands Steve Winterfeld Bank Information Security Officer CISSP, PCIP What is more important? Compliance with laws / regulations Following
More informationPractical and ethical considerations on the use of cloud computing in accounting
Practical and ethical considerations on the use of cloud computing in accounting ABSTRACT Katherine Kinkela Iona College Cloud Computing promises cost cutting efficiencies to businesses and specifically
More informationIFRS in Asia 2008 Driving the Capital Markets of Tomorrow 10-11 October 2008, Beijing, China
International Accounting Standards Committee Foundation, Ministry of Finance (PRC), and Shulun Pan Certified Public Accountants IFRS in Asia 2008 Driving the Capital Markets of Tomorrow 10-11, Beijing,
More informationCFE 2. Enterprise Risk Management. Study Guide - Supplemental Background Material
P a g e 1 CFE 2 Enterprise Risk Management Study Guide - Supplemental Background Material The passing score for this test is 74% Reference Guides: Enterprise Risk Management Best Practices: From Assessment
More informationSAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS
SAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS THE UNIVERSITY OF NEW MEXICO October 17, 2013 Audit Committee Members J.E. Gene Gallegos, Chair Lt. General Bradley Hosmer, Vice
More informationHow To Implement Data Loss Prevention
Data Loss Prevention Implementation Initiatives THE HITACHI WAY White Paper By HitachiSoft America Security Solutions Group September, 2009 HITACHI SOFTWARE ENGINEERING AMERICA, LTD. Executive Summary
More informationUbiquity of Email Security Compliance and Content Management
CIBC Global Services Ubiquity of Email Security Compliance and Content Management Stephen Dodd Director Enterprise Accounts dodd@echoworx.com 416-226-8616 404-551-3077 2006, Echoworx Corporation Agenda
More informationCyber Risks in the Boardroom
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers
Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye
More informationInternal Control Integrated Framework. May 2013
Internal Control Integrated Framework May 2013 0 Table of Contents COSO & Project Overview Internal Control-Integrated Framework Illustrative Documents Illustrative Tools for Assessing Effectiveness of
More informationUncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity
Uncheck Yourself Build a Security-First Approach to Avoid Checkbox Compliance by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800
More informationWhite Paper. Imperva Data Security and Compliance Lifecycle
White Paper Today s highly regulated business environment is forcing corporations to comply with a multitude of different regulatory mandates, including data governance, data protection and industry regulations.
More informationFramework for Enterprise Risk Management
Framework for Enterprise Risk Management 2013 Johnson & Johnson Contents Introduction.... 4 J&J Strategic Framework... 5 What is Risk?.......................................................... 7 J&J Approach
More informationHealth Sciences Compliance Plan
INDIANA UNIVERSITY Health Sciences Compliance Plan 12.18.2014 approved by University Clinical Affairs Council Table of Contents Health Sciences Compliance Plan I. INTRODUCTION... 2 II. SCOPE... 2 III.
More informationThe Advantages of ISO 9001 Certification
Standards, d Certification and Regulations Reprisal: Types of Requirements Functional requirements: requirements that specify a function that a system or system component must be able to perform The watch
More informationHow To Manage Risk
Oracle Applications Day Zürich, 1. Juli 2009 Risk und Performance Management in Stürmischen Zeiten mit Oracle GRC Steven Hagner EMEA GRC Sales Organization 1 Safe Harbor Statement The following is intended
More informationCIO, CISO and Practitioner Guidance IT Security Governance
CIO, CISO and Practitioner Guidance IT Security Governance June 2006 (Revision 1, August 2007) 1 CIO, CISO and Practitioner Guidance Whatever your business, security and privacy are key matters that affect
More informationAchieving Governance, Risk and Compliance Requirements with HISP Certification Course
Achieving Governance, Risk and Compliance Requirements with HISP Certification Course in corporation with A unique information security and regulatory compliance certification course that provides IT security
More information