Posted by: GuyPardon
The Compliance Decisions Summit taking place in Newton, Mass., got off to a great start this morning. Eric Holmquist and Richard Mackey both provided deep, engaging presentations on “future-proofing” an organization against compliance challenges and managing third-party risk.
Over the course of the morning, we posted to Twitter on our ITCompliance account more than 40 times, in lieu of a single blog post. As we noted to @cmneedles, #CSD09 is the hashtag we’ve chosen to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s weekly digest of compliance headlines from Twitter.
Damore notes the breadth of compliance challenges: health, financial & proprietary data must all be secured with auditable processes.
Future-Proof Your Compliance Session
Eric Holmquist is up, explaining how to future-proof a compliance program vs. new regulations, including mitigating risk & GRC best practices.
“Every version of regulatory guidance around risk management boils down to three things: awareness, accountability & actionability.” #CSD09
Risk management boiled down to a continuum: Inherent Risk -> Controls -> Residual Risks | Compliance doesn’t just rest in controls. | #CSD09
“The 4 most important words for improving a compliance program: What could go wrong?” -Eric Holmquist | #CSD09
Key elements of an effective compliance program: subject matter expert, compliance committee (real or virtual), control library | #CSD09
More key elements of an effective compliance program: documentation, risk-aware culture, incident response team, wrap-around analysis #CSD09
Eric Holmquist is reflecting on the details of how Advanta implemented an effective compliance program. Gap analysis & visibility key #CSD09
“No regulation is only relevant to IT. There is a business component to every single one.” -Eric Holmquist | #CSD09
“We set the bar at a risk management & governance level. Regulatory guidance, frameworks & standards are a test.” -Eric Holmquist | #CSD09
Good question from the audience on email retention: What’s too much, too little? Establishing which emails = official documents is key. #CSD09
Sponsored Session from Symantec
Managing Third-Party Risk
Mackey talking about impact of regulatory project requirements on service providers. If they handle regulated info, compliance is key #CSD09
“The first step in understanding risk is understanding the information shared.” -Richard Mackey | Data mapping & tools help. | #CSD09
“FFIEC, PCI & GLB all require due diligence in assessing provider controls. Depth should correspond to risk.” -Richard Mackey | #CSD09
“When evaluating service providers for compliance, establish rules for evaluations. View them as a partnership.” -Richard Mackey | #CSD09
“Most regulations require YOU to be the regulator of service providers.” PCI, HIPAA & GLB all require companies to ensure compliance. #CSD09
“Standards-based assessments, like ISO 27002, are useful tools. Consumers of the reports, however, must understand what results mean” #CSD09
Excellent seminar on third-party risk management for meeting compliance by Richard Mackey. Video will be available later this month. #CSD09
We’ll be posting more to Twitter this afternoon when Holmquist presents again, this time on a “Risk-Based Approach to Information Security Governance,” and Laurence Anker talks about “Managing the Cost and Complexity of Compliance through Governance.”