
GRC: The Science of Compliance. Craig Isaacs, CEO, Unified Compliance Framework. The world's largest and most reviewed legal framework.


Presentation transcript:

1 GRC: The Science of Compliance

2 Craig Isaacs, CEO, Unified Compliance Framework. The world's largest and most reviewed legal framework.

3 GRC: Strict Adherence to a Standard Will Leave You Exposed

4 Areas of Exposure: Comparison of Standards to…
1. PCI
2. SOX
3. Healthcare
4. Banking

5 ISO 27002: 238 Direct Controls

6 PCI DSS 3.0: 293 Direct Controls

7 ISO 27002 vs PCI DSS 3.0: Overlapping Controls. ISO 27002: 162 unique controls; PCI DSS 3.0: 217 unique controls; 76 controls in common (17% overlap).

8 PCI DSS 3.0 Unique Controls (217 unique controls). Sample of unique controls:
1. Establish and maintain a media inventory.
2. Test the system for buffer overflows.
3. Incorporate breach of the security of data incident response notification into the incident response plan.

9 ISO 27002 Unique Controls (162 unique controls). Sample of unique controls:
1. Separate systems that store or process restricted data from those that do not by deploying physical access controls.
2. Define the executive policy, executive mission, and executive vision of the continuity planning process.
3. Verify that the continuity plan includes purchasing enough insurance.

10 “Sarbanes-Oxley” Isn’t One Authority Document
1. Sarbanes-Oxley Act (only 19 direct controls, in audit, records management, and monitoring)
2. COSO ERM
3. 17 CFR Parts 210, 240
4. PCAOB Auditing Standards
5. Etc…

11 SOX Guidance: 174 Direct Controls

12 ISO 27002 vs SOX Group: Overlapping Controls. ISO 27002: 162 unique controls; SOX guidance: 136 unique controls; 38 controls in common (10% overlap).

13 ISO 27002 vs PCI DSS 3.0 vs SOX (Venn diagram regions). Unique to one standard: ISO 27002 133, PCI DSS 3.0 202, SOX 121. Shared by exactly two: ISO and PCI 67, ISO and SOX 29, PCI and SOX 15. Shared by all three: 9.

14 Sarbanes-Oxley Unique Controls (121 unique controls). Sample of unique controls:
1. Establish and maintain data processing integrity through segregation of duties.
2. Assign the audit to impartial auditors.
3. Establish and maintain a compliance monitoring policy and audit policy.

15 Comparison of Standards
1. NIST 800-53R4
2. ISO 27002

16 ISO 27002: 238 Direct Controls

17 NIST 800-53R4: 721 Direct Controls

18 ISO 27002 vs NIST 800-53 R4. NIST 800-53 R4: 588 unique controls; ISO 27002: 105 unique controls; 133 controls in common (16% overlap).

19 SOX Guidance vs NIST 800-53 R4. NIST 800-53 R4: 677 unique controls; SOX guidance: 130 unique controls; 44 controls in common (5% overlap).

20 PCI DSS 3.0 vs NIST 800-53 R4. NIST 800-53 R4: 577 unique controls; PCI DSS 3.0: 149 unique controls; 144 controls in common (17% overlap).

21 Healthcare & Life Sciences vs. NIST 800-53 R4 21

22 NIST 800-53R4: 721 Direct Controls

23 Healthcare & Life Sciences Guidance: 1214 Direct Controls

24 NIST 800-53 R4 vs. Healthcare & Life Sciences. NIST 800-53 R4: 357 unique controls; Healthcare & Life Sciences guidance: 1214 unique controls; 364 controls in common (23% overlap).

25 Banking Guidance vs. ISO 27002 25

26 ISO 27002: 238 Direct Controls

27 Banking Guidance: 935 Direct Controls

28 ISO 27002 vs. Banking Guidance. Banking guidance: 729 unique controls; ISO 27002: 32 unique controls; 206 controls in common (21% overlap).

29 Recommendations
Reduce audit and compliance costs by properly defining system scope and related control requirements.
Leverage standards where overlaps exist.
Determine the business case for implementing controls without mandates.
Automate evidence gathering, compliance correlation, and ongoing compliance review.
Audit once as much as possible.




