Managing Risk: Enabling Growth Through Compliance!
Alex Sinvani
Copenhagen, 30.10.2012
Now and the future
1. Threat levels will grow and there will be more serious breaches.
2. Cloud computing will continue to grow and require new security solutions.
3. Mobile devices will challenge traditional security solutions.
4. Security platforms will continue to converge.
5. Regulation of personally identifiable information (PII) will increase, including expanding definitions of what PII means.
6. Organisations will increasingly pursue business-centric compliance.
Source: Security 360 Risks and Realities: Inside and Out, 2011
The compliance landscape
PCI 2.0 27001 ARROW BS 25999 SOX MIFID BASEL 2 SAS 70 COBIT ITIL 3.0 nerc CLERP 9 Rosh /wee SOLVENCY 2 HIPAA FERC SEC ERM C49 14001 9001 38001 OMB 123A HITECH GLBA RAC 27799 27009 NIST800 14 NIST800 18 NIST800 30 NIST800 33 NIST800 41 FIPS 200 NIST 800 FIPS 199 SAS 109 SAS 110 JSOX CSOX Patriot ACT ESOX PRIVACY LAW COSO 31000 PM BOK SOX ITGC 17799 Tabaksblat 27005 27002 27010 FFCRA FDA 357 FCPA FAA HACCP 257 AML ICM CAPA Goshen ICM Stark III
From Compliance to Business
1. Comply with regulations
2. Stay ahead of threats
3. Focus on top priorities
4. Build a sustainable risk program
5. Connect to the business
Average enterprise explores 17 standards and frameworks
Council, 2011
38% rely on spreadsheets and manual documents
Source: Symantec 2011 State of the Enterprise Security Report
88% of data breaches are related to poor IT and information security controls
Source: Internet Security Alliance, 2011 report
When everything is a priority, nothing is a priority!
Source: Common wisdom
"It all starts by building and maintaining your systems in a secure state; only then will you have the flexibility to adapt quickly."
Source: C Financial Organization
Only 1 in 8 best-performing organizations feel Info Sec can influence business decisions
Source: Information Risk Executive Council, 2011
Business benefits

Outcomes                                  | Level 1          | Level 2, 3 & 4  | Level 5
------------------------------------------|------------------|-----------------|-----------------
Audit deficiencies in IT                  | > 16             | 9               | < 3
Spend on audit*                           | $0.60            | $1.00           | $0.30
Business downtime - IT disruptions        | > 60 hours       | 28 hours        | < 4 hours
  Associated financial loss               | 10% of revenue   | 1% of revenue   | 0.1% of revenue
Theft or loss of sensitive information    | > 16 losses      | 9 losses        | < 3 losses
  Associated financial loss               | 9.6% of revenue  | 6.4% of revenue | 0.4% of revenue

Source: IT Policy Compliance Group
* Spend on audit: audit spend increases for average-performing organizations because they start to assess controls more frequently, but they still have not automated many of these assessments.
[Chart: risk/cost versus remediation time]
Faster identification = lower risk and cost.
How long does it take to act from the moment a problem is detected?
Reduce risk and cost dramatically by reducing the time it takes to mount an effective response!
Compliance maturity
Compliance needs
[Diagram: Business Risk; REGULATIONS: external, internal; COMPLIANCE: IT technical controls, manual processes and routines; IT risk and compliance challenges]
Compliance in relation to Risk
[Diagram: Information, Compliance, Governance, Financial, Organisational Risks, Integrity, Operational, Human Resources]
Thank you for your attention
Alex Sinvani
ais@dubex.dk