G R C The Science of Compliance ® ®. Craig Isaacs CEO, Unified Compliance Framework The world's...

The Science of Compliance®

Craig Isaacs

CEO, Unified Compliance Framework The world's largest and most reviewed legal

framework.

Strict Adherence to a Standard

Will Leave You Exposed

Areas of Exposure: Comparison of Standards to…

1. PCI

2. SOX

3. Healthcare

4. Banking

ISO 27002

238 Direct Controls

PCI DSS 3.0

293 Direct Controls

ISO 27002 vs PCI DSS 3.0: Overlapping Controls

162 Unique Controls

217 Unique Controls

17%Overlap

PCI DSS 3.0 Unique Controls

Sample of Unique Controls:

1. Establish and maintain a media inventory.

2. Test the system for buffer overflows.

3. Incorporate breach of the security of data incident response notification into the incident response plan.

217 Unique Controls

ISO 27002 Unique Controls

1. Separate systems that store or process restricted data from those that do not by deploying Physical access controls.

2. Define the executive policy, executive mission, and executive vision of the continuity planning process.

3. Verify that the continuity plan includes purchasing enough insurance.

162 Unique Controls

“Sarbanes-Oxley” Isn’t One Authority Document

1. Sarbanes-Oxley Act (only 19 direct controls in audit, records management, and monitoring)

2. COSO ERM

3. 17 CFR Parts 210, 240.

4. PCAOB Auditing Standards

5. Etc…10

SOX Guidance

174 Direct

Controls

ISO 27002 vs SOX Group: Overlapping Controls

162 Unique Controls

10%Overlap

136 Unique

Controls38

121 Unique

Controls

ISO 27002 vs PCI DSS 3.0 vs SOX

133 Unique Controls 202 Unique

Controls9

ISO PCI

Sarbanes-Oxley Unique Controls

1. Establish and maintain data processing integrity through segregation of duties.

2. Assign the audit to impartial auditors.

3. Establish and maintain a compliance monitoring policy and audit policy.

121 Unique

Controls

Comparison of Standards

1. NIST 800-53R4

2. ISO 27002

ISO 27002

238 Direct Controls

721 Direct Controls

NIST 800-53R4

588 Unique Controls

ISO 27002 vs NIST 800-53 R4

105 Unique Controls

16%Overlap

677 Unique Controls130

Unique Controls

SOX Guidance vs NIST 800-53 R4

5%Overlap

577 Unique Controls149 Unique

Controls

PCI DSS 3.0 vs NIST 800-53 R4

17%Overlap

Healthcare & Life Sciences vs. NIST 800-53 R4

721 Direct Controls

NIST 800-53R4

Healthcare & Life Sciences Guidance

1214 Direct Controls

1214Unique

Controls

NIST 800-53 R4 vs. Healthcare & Life Sciences

2423%Overl

364357

UniqueControls

Banking Guidance vs. ISO 27002

ISO 27002

238 Direct Controls

Banking Guidance

935 Direct Controls

729 Unique

Controls

ISO 27002 vs. Banking Guidance

Overlap

Recommendations

• Reduce audit and compliance costs by properly defining system scope and related control requirements.

• Leverage standards where overlaps exist.

• Determine business case for implementing controls without mandates.

• Automate evidence gathering, compliance correlation, and ongoing compliance review.

• Audit once as much as possible. 29

G R C The Science of Compliance ® ®. Craig Isaacs CEO, Unified Compliance Framework The world's...

Documents

Transcript of G R C The Science of Compliance ® ®. Craig Isaacs CEO, Unified Compliance Framework The world's...

Framework for compliance - Professional Standards Council framework for compliance.pdf · 3 A Framework for Compliance 1. Introduction 1.1 Definition of a compliance program 1.1.1

Risk Management and Compliance Framework (1)

S23 COBIT Framework Access Compliance

Regulatory Cost Compliance Measurement Framework Docs/2487/Completion … · ! 1! RegulatoryCompliance+Cost+Measurement+Framework+ + 1.+Introduction++ + Thepurposeofthe regulatory!compliance!cost!measurement!framework!is!to!

TRAINING PROGRAMME REGULATORY AND COMPLIANCE FRAMEWORK IN ISLAMIC FINANCE …€¦ · REGULATORY AND COMPLIANCE FRAMEWORK IN ISLAMIC FINANCE UNDER ... Ensuring full compliance and

Consultation Paper On Framework for Technical Compliance ... Framework … · Consultation Paper No. 5/2020 Consultation Paper On Framework for Technical Compliance of Conditional

Contract Compliance Framework

Corporate Compliance: Compliance Framework and Hot Topics

South Africa’s National Qualifications Framework · South Africa’s National Qualifications Framework Samuel BA Isaacs October 2006 ... associated assessment criteria •Moderation

Voluntary Compliance Framework EN Publish

Make Compliance Great Again - .NET Framework

PHECC quality review framework compliance REPORT

COMPLIANCE AND ASSOCIATED SERVICES FRAMEWORK …

Reading the AWS Compliance Framework

Compliance standard & framework - Western Power · designing this *Compliance Framework for Western Power’s compliance programme. Australian Standard, AS 3806-2006 - Compliance

framework For Compliance - Professional Standards framework for... · 6.3 Annual Risk Management Report process map ... A Framework for Compliance 1. Introduction 1.1 Definition of

Claims Quality Assurance and Compliance Framework

Compliance Framework - KPMG · Compliance framework Corporate culture ... Corporate ethics Risks Our approach ... Governance Compliance assessment

Tax compliance framework

Compliance Framework