Governance For Compliance The Convergence of Central and Distributed IT Compliance Presented to VASCAN Conference 2009



Similar documents
ISE Northeast Executive Forum and Awards

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

ISO Information Security Management Systems Foundation

University of Oregon Policy Statement Development Form

Building A Framework-based Compliance Program. Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts.

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

March 12th, 2009 Chapter Meeting - HIPAA, SOX, PCI, GLBA Presented by LogiSolve

IT Governance, Risk, and Compliance Survey, 2014

Tutorial: Towards better managed Grids. IT Service Management best practices based on ITIL

Harmonizing Your Compliance and Security Objectives. Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology

Computer Security Auditing

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Richard Gadsden Information Security Office Office of the CIO Information Services

Italy. EY s Global Information Security Survey 2013

Think like an MBA not a CISSP

A Cybersecurity Strategy

INFORMATION SYSTEMS. Revised: August 2013

Information Security Plan May 24, 2011

SAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS

Recent Advances in Automatic Control, Information and Communications

IT Security & Compliance Risk Assessment Capabilities

University Information Technology Security Program Standard

Domain 5 Information Security Governance and Risk Management

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

Information Technology Governance. Steve Crutchley CEO - Consult2Comply

In the first three installments of our series on Information Security

COBIT Helps Organizations Meet Performance and Compliance Requirements

De Nieuwe Code voor Informatiebeveiliging

iso20000templates.com

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Trends in Information Technology (IT) Auditing

CLASSIFICATION SPECIFICATION FORM

Information Technology Security Program

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Information Technology Auditing for Non-IT Specialist

Information Security Program CHARTER

The Advantages of a Technology Governance

GLOBAL STANDARD FOR INFORMATION MANAGEMENT

Creating Effective Security Controls: A Ten Year Study of High Performing IT Security

The Role of Internal Controls to achieve Highly Available Systems

Gobierno de TI Enfrentando al Reto. IT Governance Facing the Challenge. Everett C. Johnson, CPA International President ISACA and ITGI

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Information Security Incident Response

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Hans Bos Microsoft Nederland.

Building Security In:

The Value of Vulnerability Management*

How to Lead the People in a Program Based Environment

Security Controls What Works. Southside Virginia Community College: Security Awareness

Generally Accepted Recordkeeping Principles

Guide: Meeting HIPAA Security Rules

The Power of BMC Remedy, the Simplicity of SaaS WHITE PAPER

A Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance

Achieving Business Imperatives through IT Governance and Risk

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

CSU INFORMATION SECURITY. Presentation for 2012 CSU Auxiliary Conference January 11, 2012

In the launch of this series, Information Security Management

Information Security as a Business Practice. John Enamait East Carolina University jenamait@charter.net

IIA Conference. September 18, Paige Needling Director, Global Information Security Recall, Inc.

Report Book: Retina Network Security Scanner Unlimited

Rowan University Data Governance Policy

Next. CDS 2015 Survey Module 7 Information Security Survey Errata

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015

Next. CDS 2015 Survey Module 7 Information Security Survey Errata

INFORMATION SECURITY STRATEGIC PLAN

IT Governance: The benefits of an Information Security Management System

Cumbria Constabulary. Business Continuity Planning

WHITE PAPER. What Every CIO Needs to Know About HIPAA Compliance

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

White paper September Realizing business value with mainframe security management

Information Security Program

Achieving Compliance with the PCI Data Security Standard

BADM 590 IT Governance, Information Trust, and Risk Management

Security in the Cloud: Embracing the Technology While Minimizing Risk. For Conference Purposes Only

Surviving an Identity Audit

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

5 IT Security Planning and Practice

Security aspects of e-tailing. Chapter 7

Tutorial on Service Level Management in e- Infrastructures State of the Art and Future Challenges. The FedSMProject Thomas Schaaf & Owen Appleton

A Proposed Information Technology Audit Framework For Microfinance Kumasi

Governance Simplified

R345, Information Technology Resource Security 1

Information Resources Security Guidelines

Consulting Services Efficient Security Processes Made to Measure.

University of California San Diego. Audit & Management Advisory Services

APPLICATION OF INFORMATION TECHNOLOGY SERVICE MANAGEMENT WITHIN SELECTED LOGISTICS AND TRANSPORT SERVICES

Using Information Shield publications for ISO/IEC certification

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

SI Special Topics: Data Security and Privacy: Legal, Policy and Enterprise Issues, Winter 2010

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

NetIQ FISMA Compliance & Risk Management Solutions

SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES

Top Ten Technology Risks Facing Colleges and Universities

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

ITSM Governance In the world of cloud computing

Transcription:

Governance For Compliance The Convergence of Central and Distributed IT Compliance Presented to VASCAN Conference 2009 JASON C. RICHARDS CHIEF INFORMATION SECURITY OFFICER VIRGINIA COMMUNITY COLLEGE SYSTEM JRICHARDS@VCCS.EDU

Dilbert s Take on Governance/Compliance

What is Governance? Depends on who you ask " the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives." * *IT Governance Institute 2003, "Board Briefing on IT Governance, 2nd Edition". Retrieved January 18, 2006 from http://www.isaca.org/content/contentgroups/itgi3/resources1/board_briefing_on_it_governan ce/26904_board_briefing_final.pdf

Governance Framework COBIT - Control Objectives for Information and related Technology (COBIT) is regarded as the worlds leading IT governance and control framework. ITIL - The IT Infrastructure Library (ITIL) is a detailed framework with hands-on information on how to achieve a successful operational Service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce, in partnership with the IT Service Management Forum. ISO 27002 - The ISO/IEC 27002 (ISO 27002) is a set of best practices for organizations to follow to implement and maintain a security program. It started out as British Standard 7799 ([BS7799]), which was published in the United Kingdom and became a well known standard in the industry that was used to provide guidance to organizations in the practice of information security.

What is IT Compliance? IT compliance usually refers to two areas: how well an organization follows its own rules (internal compliance), and how well an organization follows the rules imposed on it by outside groups (external compliance). Both are important and can impose restrictions on an organization.

What is IT Compliance? Cont d Internal Audit (SEC501-01 or Internal Program) APA (Best Practices) PCI (Credit Cards) HIPAA (Health Information)

Why Do You Need To Worry About Compliance There are some worthwhile Gartner statistics that illustrate why companies need to be concerned with compliance: Two-thirds of all companies discovered material weaknesses in controls this year Fraud cases cost companies about $15,000 for each occurrence IT departments spend an average of 175 hours on remediation following a security incident By 2006, 20 to 30 percent of Global 1000 companies have suffered exposure due to privacy mismanagement. Companies could easily spend $5 to 20 million to recover from each incident.

Where to Start Governance for compliance often requires coordination between multiple departments, these can be departments such as IT, academics, and finance but it can also extend to multiple campuses and even schools. This can put intense pressure on the central organization to ensure that disparate organizations have the necessary security program and controls in place to be compliant with various legal and regulatory initiatives. To accomplish this, a strong well, organized, and supported governance program must be in place.

VCCS Model 23 Community Colleges System Office 1 Agency

VCCS Model cont d SEC501-01 Our Current Standard Pursuing Level 2 Authorization System Office ISO Designated to VITA Each College designates an ISO and Alternate

VCCS Governance For Compliance VCCS Governance Structure System Office Develops guidance to the colleges Chancellor s Goals Tech Council Meets 4 times per year Chair - System Office Vice Chancellor, Information Technology Services Members - CIO from each college plus representation from Institutional Research, Institutional Advancement, Workforce Development, Chancellor s Faculty Committee, Academic and Student Affairs Council, System Office Vice Chancellors and Director of Internal Audit Staff System Office IT Directors ACOP Advisory Council Of Presidents Meets 6 times per year

How Do We Maintain Compliance? IT Security Compliance Office 3 Staff Security Reviews Coordinate required reviews (ARMICS, 3 Year Audit Plan) Perform pre-apa reviews Annual Statement of Compliance Implement Enterprise Solutions System Log Monitoring System Vulnerability Scanning

How Is It Going? So Far So Good Still growing as an organization Zero Major Findings From Our Last APA Audit That just sets the bar that much higher

Where Do We Go From Here? Identify Centralized vs. Decentralized Opportunities What processes and functions work best where? Regionalization Improve Our Processes Metrics Measure levels of compliance

Challenges Not Enough Standardization Not Everything Can Be Standardized 24 Organizations Governance Structure Can Be Cumbersome Need more efficiency Current Compliance Standard SEC501-01 doesn t always fit well in education Level 2

Conclusion Need Buy-In Representation Centralize/Decentralize What Makes Sense

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information