FIRST - Improving Security Together

Corporate Executive Programme


Compliance Auditing

Armando Leite

Over the past few years, organizations and governments have been increasing their expenditure on protecting proprietary information assets. One of the main drivers has been adherence to directives from regulators, but more broadly, compliance is an element of governance and one of the main controls for ensuring that information security assets are protected in line with management expectations.

However, organizations still struggle to demonstrate adequate levels of risk reduction. Organizational complexity contributes to the problem, whether because units are geographically dispersed or because different areas of the business have unique and differing operational requirements.

Independent of the organization or area of business, a common set of requirements can be itemized:

  • Measure and report on compliance with regulations, e.g. Sarbanes-Oxley; standards, such as ISO17799; and partner agreements, e.g. those defined by the credit card industry;
  • Measure adherence to internal standards and procedures;
  • Demonstrate the value to the organization of information security related expenditure;
  • Manage remediation activities so that resources are used efficiently; and
  • Define processes that allow all of the above to be delivered in a time and cost effective manner.

All these are requirements independent of current business or information-security conditions and emphasize the need for a comprehensive, consistent and repeatable methodology to measure and report on compliance in a way that satisfies not only regulatory requirements but also management.

During the presentation, we will try to identify the different areas of compliance, their importance to the overall business, and different approaches to actually measuring and evaluating compliance.
