Managing Risk Enabling Growth Through Compliance! Alex Sinvani Copenhagen, 30.10.2012

Managing Risk Enabling Growth Through Compliance! Alex Sinvani Copenhagen, 30.10.2012

Headline are written here in one line Section title (Arial Regular, 24/26 pt) Second section title Third section title goes here Fourth section title to follow the third Fifth section Sixth section

Nu & fremtid 1. Threat levels will grow and there will be more serious breaches. 2. Cloud computing will continue to grow and require new security solutions. 3. Mobile devices will challenge traditional security solutions. 4. Security platforms will continue to converge. 5. Regulation of personally identifiable information (PII) will increase including expanding definitions of what PII means. 6. Organisations will increasingly pursue business-centric compliance. Kilde: Security 360 Risks and Realities: Inside and Out, 2011

Compliance landskabet PCI 2.0 27001 ARROW BS 25999 SOX MIFID BASEL 2 SAS 70 COBIT ITIL 3.0 nerc CLERP 9 Rosh /wee SOLVENCY 2 HIPAA FERC SEC ERM C49 14001 9001 38001 OMB 123A HITECH GLBA RAC 27799 27009 NIST800 14 NIST800 18 NIST800 30 NIST800 33 NIST800 41 FIPS 200 NIST 800 FIPS 199 SAS 109 SAS 110 JSOX CSOX Patriot ACT ESOX PRIVACY LAW COSO 31000 PM BOK SOX ITGC 17799 Tabaks- blat 27005 27002 27010 FFCRA FDA 357 FCPA FAA HACCP 257 AML ICM CAPA Goshen ICM Stark III

Fra Compliance til Forretning Efterleve regulativer På forkant med trusler Fokus på top prioriteter Bygge bæredygtig risk program Forbindelse til forretningen

Fra Compliance til Forretning Efterleve regulativer På forkant med trusler Fokus på top prioriteter Bygge bæredygtig risk program Forbindelse til forretningen Average enterprise explores 17 standards and frameworks Council, 2011 38% rely on spreadsheets and manual documents Kilde: Symantec 2011 State of the Enterprise Security Report

Fra Compliance til Forretning Efterleve regulativer På forkant med trusler Fokus på top prioriteter Bygge bæredygtig risk program Forbindelse til forretningen 88% of data breaches are related to poor IT and Information security controls Kilde: Internet Security Alliance, 2011 report add picture or graphic info

Fra Compliance til Forretning Efterleve regulativer På forkant med trusler Fokus på top prioriteter Bygge bæredygtig risk program Forbindelse til forretningen When everything is a priority, nothing is a priority! Kilde: Almen visdom

Fra Compliance til Forretning Efterleve regulativer På forkant med trusler Fokus på top prioriteter Bygge bæredygtig risk program Forbindelse til forretningen It all starts by building and maintaining your systems in a secure state only then will you have the flexibility to adapt quickly. Kilde: C Financial Organization

Fra Compliance til Forretning Efterleve regulativer På forkant med trusler Fokus på top prioriteter Byg bæredygtig risk program Forbindelse til forretningen Only 1 in 8 best performing organizations feel Info Sec can influence business decisions Kilde: Information Risk Executive Council, 2011

Forretningsfordele Outcomes Level 1 Level 2, 3 & 4 Level 5 Audit deficiencies in IT Spend on audit* > 16 $0.60 9 $1.00 < 3 $0.30 Business downtime - IT disruptions > 60 hours 28 hours < 4 hours Associated financial loss 10% of revenue 1% of revenue 0.1% of revenue Theft or loss of sensitive information Associated financial loss > 16 losses 9.6% of revenue 9 losses 6.4% of revenue < 3 losses 0.4% of revenue IT Policy Compliance Group * Spend on audit: Audit spend increases for average performing organizations because they start to assess controls more frequently but they still have not automated many of these assessments

Risiko/omkostning Hurtigere identifikation = lavere risiko/omkostninger Hvor lang tid tager det at handle fra det tidpunkt et problem opdages? Reducere risiko og omkostninger dramatisk ved at reducere den tid det tager for en effektiv respons! Udbedringstid

Compliance modenhed

Compliance behov Business Risk REGULATIVER Eksterne Interne COMPLIANCE IT Tekniske Kontroller Manuelle Processer og rutiner IT Risk og Compliance udfordringer

Compliance ift. Risk Information Compliance Governance Financial Organisational Risks Integrity Operational Human Ressources

Tak for opmærksomheden Alex Sinvani ais@dubex.dk