Multi Compliance Framework
- Maintain your GDPR program
- Develop your IT Management System
- Enable your required Audit Reporting
- Accelerate your Information Security System
... WITHOUT expensive consultancy fees!
Greet Volders, Managing Consultant, Voquals N.V.
Purpose of this Multi Compliance Framework
- Reduce the time needed to prepare for internal & external audits
- Reduce manual activities to prepare reporting by automating reporting through BI
- Facilitate evidence collection for control testing
- Increase customer & stakeholder confidence by continuous compliance checks, monitoring and reporting
- Easily build relations according to the business needs between: People, Business & IT Processes, Compliance Requirements
Greet Volders _ Voquals N.V. Multi Compliance Framework
Deliverables included in this Multi Compliance Framework
- A complete set of IT-related processes (37), based on the content of COBIT5, ITIL and Voquals' experience, presentable on your website
- With cross-references to: various ISO standards (see next slide); ITIL; COBIT4.1, for a smooth transition to COBIT5
- Additional integrated content: Level 1 Process Capability Assessment; IT-related goals and metrics; specific templates and examples of deliverables for certain processes
Deliverables included in this Multi Compliance Framework
- Add-ons are available for ISO reporting, with a mapping of all IT-related processes to: ISO9001:2015 (Quality); ISO27001:2013 (Security); ISO20000:2012 (ITIL)
- Reports with links to your company processes are pre-defined
- Can be easily tailored to other standards and control frameworks by yourself
- GDPR-compliant processes & documents: the necessary GDPR procedures; awareness raising through built-in information, practical examples and templates; the required GDPR reports, e.g. Data Register, Record of requests from Data Subjects
Deliverables included in this Multi Compliance Framework
For each process, we provide:
- High-level description, purpose, audience and scope
- Visio chart of all steps in the process
- Detailed descriptions of these steps
- RACI linking People to Processes (Responsible – Accountable – Consulted – Informed)
- Relationships with all defined regulations, standards, control frameworks, etc.
Potential Savings with this Multi Compliance Framework
For the development of your IT-related processes: for all 37 processes, a complete description is available, which can be used to describe your IT-related processes simply by adapting the description to your organization. No need to start with a blank sheet, and you don't have to be an expert in COBIT5 or ITIL to define your processes compliant with these best practices!
A potential saving of a few man-days per process. For 20 processes this yields a saving of 60 man-days.
Potential Savings with this Multi Compliance Framework
Support the changes in your organization: in all the processes, process steps and activities you can indicate who (person, role or function) is Responsible and Accountable, and who should be Consulted and Informed (RACI). These are pre-defined for all 37 IT-related processes.
How it works: when the function of a person changes, or a person leaves the organization, you only need to adapt the link from the person to the function, or change the name of the person. The result is that in all related processes, process steps and activities, the correct person is identified.
Each change in your organization is managed with 1 action, which yields a saving of 1 man-day per change, with the assurance that all links to functions, roles and persons are always up to date!
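As an added illustration of the person-to-function indirection described above (example code written for this page, not Voquals' or MAVIM's own implementation): each process step stores its RACI roles against function names, and a separate mapping records which person currently holds each function, so a single change to that mapping updates every step that references the function. The process and practice titles are COBIT5 names; the RACI assignments and person names are constructed sample data. The checks for exactly one Accountable per step and for referenced but unfilled functions are common RACI conventions assumed here, not something the slides state.

```python
"""Person-to-function indirection for RACI charts.

Added example for this page (not Voquals' or MAVIM's code). Assumption: each
process step stores its RACI roles against FUNCTIONS, and a separate mapping
records which PERSON currently holds each function. Changing that mapping is
the single action that updates every affected process step.
"""

# Constructed sample data: RACI per process step, keyed by function name.
# Process/practice titles follow COBIT5; the assignments themselves are invented.
PROCESS_RACI = {
    "DSS05 Manage Security Services": {
        "DSS05.01 Protect against malware": {
            "R": ["Security Officer"], "A": ["Head of IT Operations"],
            "C": ["Service Manager"], "I": ["Business Process Owner"],
        },
        "DSS05.07 Monitor the infrastructure for security-related events": {
            "R": ["Security Officer", "Service Manager"], "A": ["Head of IT Operations"],
            "C": [], "I": ["CIO"],
        },
    },
    "APO13 Manage Security": {
        "APO13.01 Establish and maintain an ISMS": {
            "R": ["Security Officer"], "A": ["CIO"],
            "C": ["Head of IT Operations"], "I": ["Business Process Owner"],
        },
    },
}

# Constructed sample data: who currently holds each function.
FUNCTION_HOLDER = {
    "CIO": "Alice",
    "Security Officer": "Bob",
    "Head of IT Operations": "Carol",
    "Service Manager": "Dave",
    "Business Process Owner": "Erin",
}

VACANT = "<vacant: {}>"


def resolve_step(step_raci, holders):
    """Translate one step's function-based RACI into person names."""
    return {
        role: [holders.get(func, VACANT.format(func)) for func in funcs]
        for role, funcs in step_raci.items()
    }


def resolve_all(processes, holders):
    """Resolve every step of every process; this is what a RACI report shows."""
    return {
        proc: {step: resolve_step(raci, holders) for step, raci in steps.items()}
        for proc, steps in processes.items()
    }


def reassign(holders, function, new_person):
    """The single action: change (or vacate, with None) the holder of a function."""
    updated = dict(holders)
    if new_person is None:
        updated.pop(function, None)
    else:
        updated[function] = new_person
    return updated


def steps_referencing(processes, function):
    """Count the steps that would each need a manual edit without the indirection."""
    return sum(
        1
        for steps in processes.values()
        for raci in steps.values()
        if any(function in funcs for funcs in raci.values())
    )


def vacant_functions(processes, holders):
    """Functions referenced by some step but not currently held by anyone."""
    referenced = {
        func
        for steps in processes.values()
        for raci in steps.values()
        for funcs in raci.values()
        for func in funcs
    }
    return sorted(referenced - set(holders))


def check_raci(processes):
    """Common RACI convention (assumed, not from the slides): every step has
    exactly one Accountable function and at least one Responsible function."""
    problems = []
    for proc, steps in processes.items():
        for step, raci in steps.items():
            accountable = raci.get("A", [])
            if len(accountable) != 1:
                problems.append(f"{proc} / {step}: {len(accountable)} Accountable, expected 1")
            if not raci.get("R"):
                problems.append(f"{proc} / {step}: no Responsible")
    return problems


if __name__ == "__main__":
    print("steps touched by the Security Officer:",
          steps_referencing(PROCESS_RACI, "Security Officer"))
    holders = reassign(FUNCTION_HOLDER, "Security Officer", "Frank")  # Bob leaves
    for proc, steps in resolve_all(PROCESS_RACI, holders).items():
        for step, people in steps.items():
            print(proc, "/", step, "->", people)
    print("vacant after the CIO leaves:",
          vacant_functions(PROCESS_RACI, reassign(holders, "CIO", None)))
    print("RACI problems:", check_raci(PROCESS_RACI) or "none")
```

Running the block reassigns one function and prints the resolved RACI for every step, showing that the three steps referencing the Security Officer pick up the new name without any edit to the processes themselves; the vacancy and one-Accountable checks are the kind of consistency test an auditor would expect before the RACI report is published.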
Potential Savings with this Multi Compliance Framework
Preparing for internal & external audits: links are provided to several standards, control frameworks and other "best practices", such as ISO9001, ISO27001, ISO20000, the DNB Control Objectives, GDPR requirements, ...
Since the complete content of these standards and frameworks is available within the framework, these links can also be made to all other business processes. In the portal (publication site) overviews are available for each of the standards, with links to the related processes and documents. This can be made available to the internal & external auditors, without any additional work, in the preparation of each audit.
Saving, for each audit, the time that is spent now, without this Framework, to prepare the audits!
Multi Compliance Framework - homepage
The home page gives you access to the most important parts of this Multi Compliance Framework, being:
- The processes, their flow and descriptions
- Financial Reporting, based on DNB, and expandable with your own control requirements
- KPIs based on the IT-related goals and KPIs defined by Voquals
- Level 1 Process Capability Assessment execution & results
- RACI based on the standard RACI provided in COBIT5
- ISO reporting, with links to the related processes
Multi Compliance Framework - Processes
In this solution, you manage ALL company processes in an integrated and coherent way. All organisational structures are linked with the processes. Reporting is done in a consistent way.
SELECT the first topic you want to see. Do you want to learn about ...
- IT-related Processes and Reporting
- Control Reporting
- GDPR
- Info Security
- The END
Multi Compliance Framework - ICT Processes
IT processes are part of the Supportive Processes. In this part, you find 5 possible views on the complete set of 37 COBIT5 processes. If you click on ICT, you receive the COBIT5 Process Reference Model.
Multi Compliance Framework - COBIT Processes
All 37 COBIT5 processes are present in this overview. Via this schema you can consult all the processes presented. This can be done by clicking on the process box or by clicking on the "+".
Multi Compliance Framework - COBIT Processes, example
After clicking on the process (or on the "+"), you receive the detailed flow, with, at the right, the introduction to this process. For each of the detailed boxes there is a description, which can be seen by clicking on the box. These are the steps for "Manage Security Services", process DSS05 in COBIT5.
Multi Compliance Framework - COBIT Processes, example
By clicking on a box, you receive the detailed content of that practice. For example, look at the last practice in "Manage Security Services": Periodic Reporting.
Multi Compliance Framework - COBIT Processes
By clicking on the tree structure, you find the processes grouped into: Primary, Management and Supportive processes.
Alternatively, the tree structure groups the processes into:
- Governance of IT (EDM processes)
- Management of IT (APO, BAI and DSS processes)
- Monitor, Evaluate and Assess
In the MAVIM db, you find the same structure.
Multi Compliance Framework - IT Service Processes
Another view on your IT processes can easily be created. This schema shows the example for IT Service Management; the next schema focuses on IT Development. All the processes on this schema refer to the already created COBIT5 processes. In this way it is easy to create your own process structure. Some examples are given below.
Multi Compliance Framework - IT Project Delivery
This schema focuses on IT Development (IT Project Delivery). All the processes on it refer to the already created COBIT5 processes.
Multi Compliance Framework - Management & Reporting
Other management / reporting tools available are:
- Level 1 Process Capability Assessment
- KPIs (Key Performance Indicators)
- RACI (Responsibility matrix)
Multi Compliance Framework - Level 1
The Level 1 Process Capability Assessment is based on the COBIT5 Process Assessment Model (PAM). This model enables your organization to assess processes and facilitates continuous improvement. Level 1 is the assessment against the practices and work products specific to each process.
Multi Compliance Framework - KPIs
The Key Performance Indicators are based on: the IT-related goals, the Goals & Metrics per process, and Voquals' extensive professional expertise.
Multi Compliance Framework - RACI charts
Identifies who is Responsible or Accountable for the Practice / Activities, and who is Consulted and Informed about the Practice / Activities.
Multi Compliance Framework - ISO-standards & Reporting
The relations with 3 ISO standards are defined in the COBIT processes. You can easily upload other, additional standards. Via the relations, you can define the processes and sub-processes that respond to the ISO requirements.
Multi Compliance Framework - ISO-standards & Reporting
The report contains all requirements, with an indication of the processes, or other documents, that respond to these requirements. Some more examples on the next slides. In the portal, all the documents are clickable, and are thus easily accessible for internal & external auditors.
Multi Compliance Framework - DNB Control Domains
The starting page shows an overview of the DNB Control Domains, with links to the Standards / Control Measures.
Multi Compliance Framework - DNB Control Domains
For each DNB Control Domain, the description is available with a link to the sub-topics.
Multi Compliance Framework - DNB Control Domains
For each sub-topic, there is the description with a link to the required controls.
Multi Compliance Framework - DNB Control Domains
For each control there is the description, fields to manage the control and all related references. All these topics are clickable, to see the content!
Multi Compliance Framework - DNB Control Domains
For each control there is the description, fields to manage the control, all related references and additional guidance. These points are also clickable, to see the content!
Multi Compliance Framework - DNB Reporting
Reporting remains to be done with the DNB Excel file.
Multi Compliance Framework - DNB Reporting
Collection of the maturity rating is done by sending tasks via the Multi Compliance Framework.
Multi Compliance Framework - DNB Reporting
The Control Owner has to fill in the maturity level, and can add comments and relevant sources.
Multi Compliance Framework - DNB Reporting
The control administrator can easily follow the status of the tasks completed by the control owner.
Multi Compliance Framework - DNB-related COBIT Processes
DNB-related COBIT processes are presented in one of the pre-defined views.
Multi Compliance Framework - DNB-related COBIT Processes
All 37 COBIT5 processes are present in this overview. Via this schema you can consult all the processes presented, by clicking on the box or on the "+". All these process boxes are clickable, to consult your process content!
Multi Compliance Framework - GDPR
GDPR is part of the management processes.
Multi Compliance Framework - GDPR
GDPR contains all required processes, and useful information such as definitions, templates and examples.
Multi Compliance Framework - GDPR example process
Example: Manage Data Processor Agreement, with detailed descriptions.
Multi Compliance Framework - GDPR example process
With detailed description of the 2 sub-parts, including links to Data Processor information and an example Data Processors' Agreement.
Multi Compliance Framework - GDPR Reporting
We provide fields to identify the GDPR-sensitive processes. These are available in the various data sets; each data set contains the required values. Some examples follow.
Multi Compliance Framework - GDPR Reporting
These fields are selected for each process, and other information is registered.
Multi Compliance Framework - GDPR Reporting
For example, to register the Requests from Data Subjects, and the related report.
Multi Compliance Framework - Security & Compliance
One of the pre-defined views is related to Information Security & Compliance.
Multi Compliance Framework - Security & Compliance
This is the available description of the Manage Security process. The same exists for all the other processes on the schema.
How to protect from Logical Attacks
We give some examples of how to mitigate the threat of logical attacks: security-specific process goals and related metrics, resulting in security-specific activities.
How to protect from Logical Attacks
Security Specific Process Goals
- Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture.
- Information security architecture is understood as part of the overall enterprise architecture, is aligned with it and evolves with changes to the enterprise architecture.
- Information security architecture framework and methodology are used to enable reuse of information security components across the enterprise.
Related Metrics
- Number of exceptions to information security architecture standards
- Number of deviations between information security architecture and enterprise architecture
- Date of last review and/or update to information security controls applied to enterprise architecture
- Percent of projects that use the information security architecture framework and methodology
- Number of people trained in the information security framework and methodology
Security Specific Activities
- Ensure inclusion of information security artefacts, policies and standards in the architecture repository.
- Ensure that information security is integrated across all architectural domains (e.g., business, information, data, applications, technology).
How to protect from Logical Attacks
Security Specific Process Goals
1. An information security policy framework is defined and maintained.
2. A comprehensive information security strategy is in place and is aligned with the overall enterprise and IT strategy.
3. The strategy is cost-effective, appropriate, realistic, achievable, enterprise-focused and balanced.
4. The strategy is aligned with long-term enterprise strategic goals and objectives.
Related Metrics
1. Number of updates of the information security policy; management approval of the information security policy
2. Number of updates of the information security policy; management approval of the information security policy
3. Percent and number of initiatives for which a value metric (e.g., ROI) has been calculated; enterprise stakeholder satisfaction survey feedback on the effectiveness of the information security strategy
4. Percent of projects in the enterprise and IT project portfolios that involve information security; percent of IT initiatives/projects that have information security
Security Specific Activities
- Ensure that information security requirements are included in the definition of target IT capabilities.
- Define the target state for information security.
- Define and agree on the impact of information security requirements on enterprise architecture, acknowledging the relevant stakeholders.
More Information - Coordinates
Voquals N.V.
Greet Volders
Genebroek 34
2450 Meerhout, Belgium
Phone +32 14 22 54 04
Mobile +32 475 63 45 06
E-mail Gvolders@voquals.be
Website www.voquals.be
MAVIM: see the videos for more information on MAVIM and their other solutions:
- Business Process & Quality Management, and demonstration
- Governance, Risk & Compliance, and demonstration
- Application Implementation Management, and demonstration
- IT Portfolio Management, and demonstration
- Strategic Portfolio Management, and demonstration
- Enterprise Architecture, and demonstration