EVERYONE SHOULD HAVE AN IT COMPLIANCE OFFICER OR SUFFER THE CONSEQUENCES. About Ralph Villanueva. Objectives

Transcription

1 EVERYONE SHOULD HAVE AN IT COMPLIANCE OFFICER OR SUFFER THE CONSEQUENCES Why the IT compliance function matters and how it can boost company-wide compliance efforts Ralph Villanueva CISA CISM ITIL PCI-ISA PCI-P IT Security and Compliance Analyst, Diamond Resorts International About Ralph Villanueva Various IT audit and security certifications such as CISA, CISM, ITIL, PCI-ISA and PCI-P Worked in IT compliance for gaming and hospitality companies in Las Vegas Spoke in various SCCE, ISACA, IIA and ACFE conferences Believes that compliance professionals are the most important people in the company Objectives Reasons why IT compliance can make or break within the company How to make IT compliance enhance overall compliance Discuss problems and remedies in implementing a robust IT compliance program 1

2 Poll How many of you have full time IT compliance functions? IT Compliance Functions Monitor compliance to IT control objectives and various regulations across IT Analyze current controls and recommend remediation measures for control gaps or process inefficiencies Adhere to regulations and submit routine documentation to third parties Coordinate external and internal auditing activities Work closely with various IT business process owners to determine impact and status of open deficiencies and lead remedial actions Conduct various audits as required by IT controls, PCI DSS and other frameworks Provide inputs during Change Advisory Board and other meetings regarding applications, databases, operating systems, network, infrastructure and related matters Map compliance elements to IT compliance components and regulatory requirements Essential Elements of a Compliance Program Standards of conduct/policies and procedures Compliance officer and compliance committee Education Monitoring and auditing Reporting and investigating Enforcement and discipline Response and prevention 2

3 Sales Applications Legal Finance Active Directory Database Human Resources Compliance Element Compliance IT Compliance Standards of conduct/policies and procedures for Active Directory accounts Password Policy File Access Policy Network Traffic Password parameters File share rules Firewall policy Password parameters File share rules Firewall policy 3

4 Compliance IT Compliance Regulatory Requirement Password Policy File Access Policy Network Traffic Password parameters File share rules Firewall policy PCI HIPAA ISO Password parameters Firewall policy File share rules Compliance Element Compliance IT Compliance Monitoring and auditing for Finance Track activity User privileges Log file User profile 4

5 Log file User profile Compliance IT Compliance Regulatory Requirement Track activity User privileges Log file User profile COBIT User profile Log file User profile 5

6 Compliance Element Regulatory Requirement Avoid company losses Avoid fines and reputational damage Reduce external audit cost Understand IT risks and controls Compliance with IT aspect of regulations Greater audit cost Losses Fines and fees Reputation damage Without IT Compliance component 6

7 From Deloitte = $$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Poll How many of you deal with IT components in your compliance functions? 7

8 How to make IT compliance enhance overall compliance People Process Technology How to make IT compliance enhance overall compliance People problems Resistance from business process owners Lack of coordination between compliance & IT Impaired or absence of independence Organizational structure hinders collaboration Compliance averse IT function How to make IT compliance enhance overall compliance Process problems Process not synced with regulatory requirement Absence of standard roles, rights and responsibilities Outdated process documentation Inadequate monitoring and auditing Collaboration issues with other departments 8

9 How to make IT compliance enhance overall compliance Technology problems Technology not synced with regulatory requirements Technology for its own sake Inadequate change management Absence of complete asset information Obsolete technology How to make IT compliance enhance overall compliance Holistic Solution People Process Technology Continual Service Improvement (CSI) Approach Source: ITIL 9

10 Integrate CSI with IT framework Advantages of adopting a framework: Tried and tested Widely used Well supported Can be benchmarked against peer companies IT Compliance Frameworks 10

11 Source: ISACA Source: Deloitte Source: ISO 11

12 Vision Achieve complete IT compliance Baseline Assessments Various PPT (People, Process & Technology Problems) Measurable targets Adopt targets from framework such as ISO 27001, COBIT, COSO etc. Service & Improvement Process Various PPT problems that can be solved by adopted framework Measurement and metrics Percentage of targets hit. How can we exceed target? 12

13 Poll How many of you are familiar with IT frameworks? Problems and remedies in implementing IT Compliance programs Management Inertia Lack of management support Inconsistent tone at the top Laissez faire C-suite Problems and remedies in implementing IT Compliance programs From Project Management Institute s (PMI) 2017 Pulse of the Profession 13

14 Problems and remedies in implementing IT Compliance programs From conference paper Open your strategic horizon and gain organizational agility, or how to overcome organizational inertia by Olivier Lazar, October 10, 2015, PMI Global Congress 2015 Problems and remedies in implementing IT Compliance programs Perhaps scareware will make management inertia visible Recap Understand relationship of your organization s IT components to compliance elements and regulatory requirements Combining CSI approach with IT compliance frameworks eases your PPT (people, process & tech) compliance problems Use scareware (fear of malware or ransom ware) to elicit management support 14

15 Quote for the day Resources