IT risks and controls
1 Università degli Studi di Roma "Tor Vergata", Master of Science in Business Administration, Business Auditing Course. IT risks and controls, October 2017.
2 Agenda
I. IT GOVERNANCE: IT evolution, objectives, roles and process model of an IT governance framework
II. IT RISK MANAGEMENT: risk context, key elements of an IT risk management framework, risk and measure examples
III. IT AUDIT CASE STUDY: approach, planning and results of a real IT audit activity
IV. NEW EU PRIVACY REGULATION RISK APPROACH: the new regulation's risk based approach and applicable risk scenario examples
3 Section I: IT GOVERNANCE
1. Main references adopted
2. IT evolution
3. IT governance definition and objectives
4. Governance enablers
5. Governance roles
6. Process reference model
4 IT governance. Main references adopted
5 IT governance. IT evolution (figure: business enablement)
6 IT governance. Why IT governance?
1. High-quality information
2. Business value
3. Operational excellence
4. IT-related risk
5. Cost of IT
6. Compliance
7 IT governance. «IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.»
8 IT governance. Drivers for IT governance activities (ITGI, Global Status Report on the Governance of Enterprise IT)
9 IT governance. Governance objective
10 IT governance. Governance enablers
11 IT governance. Governance roles
12 IT governance. Process reference model
13 IT governance
14 IT governance
15 Section II: IT RISK MANAGEMENT
1. Key points of context
2. Risk / IT risk definitions
3. IT risk categories
4. IT risk evaluation
5. IT risk and organisational structures
6. Information items and risk management
7. Risk management process
8. Risk scenario structure and risk factors
9. Risk scenario and response examples
16 IT risk management. Key points of context
1. IT as a key element for creating value
2. Regulations govern information technology
3. Growing need to manage risks related to IT
4. IT risk management requires addressing the full scope of strategic impacts
17 IT risk management. IT risk levels (MoR, Management of Risk, Office of Government Commerce, UK)
18 IT risk management. IT-related issues experienced in the past 12 months (ITGI, Global Status Report on the Governance of Enterprise IT)
19 IT risk context. Global Risks Report 2017: The Global Risks Landscape
20 IT risk management. Risk / IT risk definitions
RISK: risk is the combination of the probability of an event and its consequence. The consequence is that enterprise objectives are not met.
INFORMATION and related Technologies (IT) RISK: IT risk is a business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
21 IT risk management. IT risk categories
1. IT Benefit / Value Enablement
2. IT Programme and Project Delivery
3. IT Operations and Service Delivery
22 IT risk management. IT risk evaluation
23 IT risk management. IT risk and business value (figure: business value, fail to gain / lose versus gain / preserve)
24 IT risk management. IT risk and organisational structures (figure: risk)
25 IT risk management. IT risk and organisational structures: business process owners and IT process / service owners
1. Risk evaluation
2. Risk ownership
Risk owner: person or entity with the accountability and authority to manage a risk (ISO Risk management: Principles and guidelines)
26 IT risk management. Information items and risk management
1. Risk scenarios
2. Risk analysis results
3. Risk universe
4. Risk action plan
5. Loss events
6. Risk factors
7. Risk profile
27 IT risk management. Risk management process (practice: main outputs)
1. Collect data: data on the operating environment relating to risk; data on risk events and contributing factors
2. Analyse risk: IT risk scenarios; risk analysis results
3. Maintain a risk profile: aggregated risk profile, including the status of risk management actions
4. Articulate risk: risk analysis and risk profile reports for stakeholders
5. Define an action portfolio: project proposals for reducing risk
6. Respond to risk: risk-related incident response plans
28 IT risk management. Risk scenario structure
29 IT risk management. Risk factors: 1. Internal context; 2. External context
30 IT risk management. Risk factors, category 1: internal context
1. Enterprise goals and objectives
2. Strategic importance of IT for the business
3. Complexity of IT
4. Complexity of the entity
5. Degree of change
6. Change management capability
7. Operating model
8. Strategic priorities
9. Culture of the enterprise
10. Financial capacity
11. Risk management capability
12. IT-related capabilities
31 IT risk management. Risk factors, category 2: external context
1. Market and economic factors
2. Rate of change in the market/product life cycle
3. Industry and competition
4. Geopolitical situation
5. Regulatory environment
6. Technology status and evolution
32 IT risk management. Risk scenario examples from COBIT (risk category: risk scenario; COBIT refs not reproduced on the slide)
1. Portfolio establishment and maintenance: there is duplication between initiatives.
2. Programme/projects life cycle management: there is an IT project budget overrun.
3. IT investment decision making: the wrong software, in terms of cost, performance, features, compatibility, etc., is selected for implementation.
4. IT expertise and skills: there is a lack of or mismatched IT-related skills within IT, e.g. due to new technologies.
5. Staff operations (error and malicious intent): hardware components were configured erroneously.
6. Information (data breach: damage, leakage and access): portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed.
7. Architecture (architectural vision and design): the enterprise architecture is complex and inflexible, obstructing further evolution and expansion and leading to missed business opportunities.
8. Infrastructure: the systems cannot handle transaction volumes when user volumes increase.
9. Software: intentional modification of software leads to wrong data or fraudulent actions.
33 IT risk management. Risk scenario examples from COBIT, continued (risk category: risk scenario)
10. Business ownership of IT: the business does not assume accountability over those IT areas it should, e.g. functional requirements, development priorities, assessing opportunities through new technologies.
11. Supplier selection/performance, contractual compliance, termination of service and transfer: support and services delivered by vendors are inadequate and not in line with the SLA.
12. Regulatory compliance: there is non-compliance with regulations, e.g. privacy, accounting, manufacturing.
13. Infrastructure theft or destruction: destruction of the data centre (sabotage, etc.) occurs.
14. Malware: regularly, there is infection of laptops with malware.
15. Logical attacks: there is a service interruption due to a denial-of-service attack.
16. Industrial action: facilities and buildings are not accessible because of a labour union strike.
17. Acts of nature: there is flooding.
34 IT risk management. Risk scenarios by category (charts; labels and values as they appear on the slide: IT Programme and Project Delivery, IT Operations and Service Delivery, IT Benefit / Value Enablement, with shares of 15%, 36% and 50%; Cybersecurity versus Others, 13% and 87%)
35 IT risk management. Risk response examples from COBIT (risk category: risk response, COBIT process; refs partially lost in transcription)
1. Portfolio establishment and maintenance, and 2. Programme/projects life cycle management: prioritise resource allocation; maintain a standard approach for programme and project management. (APO06.02, BAI)
3. IT investment decision making: manage stakeholder engagement. (BAI)
4. IT expertise and skills: plan and track the usage of IT and business human resources. (APO)
5. Staff operations (error and malicious intent), 6. Information (data breach: damage, leakage and access) and 7. Architecture (architectural vision and design): manage contract staff; ensure traceability of information events and accountabilities; define reference architecture. (APO07.06, DSS06.05, APO)
8. Infrastructure: monitor and scan the technology environment. (APO)
9. Software: evaluate, prioritise and authorise change requests. (BAI)
36 IT risk management. Risk response examples from COBIT, continued (risk category: risk response, COBIT process)
10. Business ownership of IT: monitor and report service levels. (APO)
11. Supplier selection/performance, contractual compliance, termination of service and transfer: monitor supplier performance and compliance. (APO)
12. Regulatory compliance: identify external compliance requirements. (MEA)
13. Infrastructure theft or destruction: manage physical access to IT assets. (DSS)
14. Malware: monitor the infrastructure for security-related events. (DSS)
15. Logical attacks: monitor IT infrastructure. (DSS)
16. Industrial action: identify key IT personnel. (APO)
17. Acts of nature: exercise, test and review the business continuity plan. (DSS)
37 Section III: IT AUDIT CASE STUDY
1. IT audit approach
2. Needs of the key players
3. Audit scope and planning
4. Risk assessment
5. Audit areas
6. Methods adopted
7. Audit report and improvement points
8. Key points
38 IT audit case study. IT audit approach
1. Overall analysis
2. Effective checks
3. Search for logic vulnerabilities
39 IT audit case study. Needs of the key players
1. Management
2. Audit and control functions
3. IT department
40 IT audit case study. Audit scope
1. Foreign branch of a leading company in the industrial sector
2. Internal control system against cybercrimes
3. The company has 20 foreign branches on several continents
41 IT audit case study. Information system audited (figure: applications of the audited branch for tenders, design, production and support processes; headquarters)
42 IT audit case study. Audit planning (figure)
1. Preliminary survey: documentation analysis and interviews covering IT systems and IT management processes
2. Risk assessment: cybercrimes
3. Audit plan: audit areas and checks
43 IT audit case study. Risk assessment
Cybercrimes (as per the Italian Penal Code): unauthorized access to an IT system, art. 615-ter c.p. (COBIT risk scenario 1601)
Risk scenarios:
1. Competitors violate the IT system in order to acquire, for industrial espionage purposes, documentation regarding products/projects.
2. Company internal users gain unauthorized access to protected IT systems to activate services that were not solicited by customers.
3. Unauthorized access to invoicing systems in order to alter information and programs with the aim of achieving illicit profits.
Risk evaluation (figure)
44 IT audit case study. Audit areas (area: COBIT ref, domain only)
1. System administrators (DSS)
2. Management of users and authorisations (DSS)
3. Software licensing management (BAI)
4. Security of IT workstations (DSS)
5. Electronic signature (DSS)
45 IT audit case study. Audit area 1: system administrators (audit: population / sample)
1. Identification of administrators: contract documents
2. Name-registered administrator accounts: list of users in the administrators authentication group
3. Rules of minimum complexity of passwords: authentication settings of administrator accounts
46 IT audit case study. Audit area 2: management of user accounts (audit: population / sample)
1. Correspondence between user accounts and employees: list of user accounts and of employees / collaborators of the branch office
2. Traceability of the requests relating to user accounts: procedure adopted for the traceability of the subject-matter requests
3. Minimum complexity of passwords: user authentication settings in the centralized authentication system
4. Name-registered accounts: list of user accounts in the centralized authentication system
47 IT audit case study. Audit area 3: management of access authorizations (audit: population / sample)
1. Use of the folder "Public": list of the folders and files contained in the shared folder "Public"
2. Shared folders on the PCs: sample of PCs
3. Adequacy of the authorizations: list of authorizations and users for a selected sample of shared folders
48 IT audit case study. Audit area 4: software licences (audit: population / sample)
1. Inventory of software licences: software licences
2. Archiving of software setup supports: sample of PCs and software licences
49 IT audit case study. Audit area 5: cybersecurity of PCs (audit: population / sample)
1. Update of antivirus software: sample of PCs
2. Security updates: sample of PCs
3. Installation authorizations: sample of PCs
50 IT audit case study. Audit area 6: electronic signature (audit: population / sample)
1. Electronic signature devices: -
2. Signature authorizations: -
3. Revocation of the electronic certificate: -
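The account checks of audit areas 1 and 2 (name-registered administrator accounts, correspondence between accounts and employees, minimum password complexity) can be run mechanically once the directory export and the HR list are in hand. The script below is an added example, not part of the original slides or of the audited company's tooling; the record format, group name "administrators", the owner-id convention and all sample data are constructed assumptions.

```python
"""Account checks for audit areas 1 and 2 (added example; data and field names are constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """One entry of the centralized authentication system (assumed export format)."""
    username: str
    owner_id: Optional[str]           # employee/collaborator id the account is registered to; None = generic
    groups: FrozenSet[str] = frozenset()
    enabled: bool = True


# Constructed sample: user accounts of the audited branch in the central authentication system
ACCOUNTS: List[Account] = [
    Account("m.rossi", "E1001", frozenset({"users"})),
    Account("l.bianchi", "E1002", frozenset({"users", "administrators"})),
    Account("admin", None, frozenset({"administrators"})),        # shared admin account, no named holder
    Account("svc_backup", None, frozenset({"administrators"})),   # service account in the admin group
    Account("g.verdi", "E1003", frozenset({"users"})),
    Account("p.neri", "C2001", frozenset({"users"})),             # external collaborator
    Account("temp_contractor", "C9999", frozenset({"users"})),    # holder no longer in the HR list
    Account("a.russo", "E1004", frozenset({"users"}), enabled=False),
]

# Constructed sample: employees and collaborators of the branch office according to HR
EMPLOYEES: FrozenSet[str] = frozenset({"E1001", "E1002", "E1003", "E1004", "C2001"})

# Constructed sample: authentication settings exported from the directory, and the minimum rule set
PASSWORD_SETTINGS: Dict[str, object] = {
    "min_length": 8, "complexity_enabled": False, "max_age_days": 0, "history": 3,
}
MIN_PASSWORD_POLICY: Dict[str, object] = {
    "min_length": 12, "complexity_enabled": True, "max_age_days": 90, "history": 5,
}


def unnamed_admin_accounts(accounts: List[Account]) -> List[str]:
    """Audit area 1, check 2: every account in the administrators group must be name-registered."""
    return sorted(a.username for a in accounts
                  if "administrators" in a.groups and a.owner_id is None)


def orphan_accounts(accounts: List[Account], employees: FrozenSet[str]) -> List[str]:
    """Audit area 2, check 1: every enabled account must correspond to a current employee or
    collaborator. Generic accounts (no holder) and accounts whose holder is missing from the
    HR list are both reported; disabled accounts are left out."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.owner_id not in employees)


def password_policy_gaps(settings: Dict[str, object],
                         policy: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Audit areas 1 and 2, minimum password complexity: return each setting that is weaker
    than the policy as {setting: (actual, required)}."""
    gaps: Dict[str, Tuple[object, object]] = {}
    for key, required in policy.items():
        actual = settings.get(key)
        if key == "max_age_days":
            # 0 (or a missing value) means passwords never expire, weaker than any finite limit
            weak = not actual or actual > required
        elif isinstance(required, bool):
            weak = actual is not True
        else:
            weak = actual is None or actual < required
        if weak:
            gaps[key] = (actual, required)
    return gaps


def run_audit() -> Dict[str, object]:
    """Collect the findings of the three checks in one report keyed by audit check."""
    return {
        "area1_unnamed_admin_accounts": unnamed_admin_accounts(ACCOUNTS),
        "area2_orphan_accounts": orphan_accounts(ACCOUNTS, EMPLOYEES),
        "password_policy_gaps": password_policy_gaps(PASSWORD_SETTINGS, MIN_PASSWORD_POLICY),
    }


if __name__ == "__main__":
    for check, finding in run_audit().items():
        print(f"{check}: {finding}")
```

Each finding maps back to a slide check, so the report can be attached to the working papers as the population-versus-sample evidence for that check.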
51 IT audit case study. Methods adopted
1. Analysis of company regulations
2. Surveying practices and IT systems
3. Process walk-throughs
4. Verifying IT systems
52 IT audit case study. Audit report
1. Methods used to plan and carry out the activities
2. Improvement points
3. Suggestions for action
53 IT audit case study. Improvement points
1. Contractual definition of system administrators
2. Use of shared folders
3. Inventory of software in use
4. Traceability of new user requests
54 IT audit case study. Critical factors
1. Co-existence of local and central IT systems
2. Outsourced IT administration
3. Temporary nature of the production sites
4. Specific needs of each production site
55 IT audit case study. Key points
1. Value of information / dimension of infrastructures
2. IT risk and control policy
56 Section IV: NEW EU PRIVACY REGULATION RISK APPROACH
1. Brief introduction to the regulation
2. Risk based approach adopted
3. Key concepts
4. COBIT risk scenarios applicable
57 GDPR risk based approach. The new European data protection regulation (GDPR)
1. Data protection legislation unchanged since 1995 (current Directive)
2. GDPR adopted on May
3. GDPR directly applicable from May
4. New concepts (e.g. profiling, right to be forgotten), obligations on businesses and rights for individuals
5. Fines are increased exponentially (to 20 M / 4% of turnover)
58 GDPR risk based approach. GDPR and the risk based approach: implement protective measures corresponding to the level of risk of data processing activities
59 GDPR risk based approach. Key concept 1: ACCOUNTABILITY
Article [number missing on the slide]: "Taking into account the [...] risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing [of data] is performed in accordance with this Regulation."
60 GDPR risk based approach. Key concept 2: DATA PROTECTION BY DESIGN
Article 25: "1. Taking into account [...] the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures [...]"
61 GDPR risk based approach. Key concept 3: PERSONAL DATA SECURITY
Article [number missing on the slide]: "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."
62 GDPR risk based approach. Example data security risk categories from:
1. IT investment decision making
2. IT expertise and skills
3. Staff operations (human error and malicious intent)
4. Information (data breach: damage, leakage and access)
5. Infrastructure
6. Software
7. Supplier selection, performance, contractual compliance, termination and transfer
8. Malware and logical attacks
9. Acts of nature
63 DISCUSSION
64 Discussion. Assessing the risk connected to personal data security (see article 32 of the GDPR below), which are the risk scenarios to consider among the ones detailed in the following slide?
Article 32: "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."
65 Discussion (risk category: risk scenario; COBIT refs not reproduced on the slide)
1. Portfolio establishment and maintenance: there is duplication between initiatives.
2. Programme/projects life cycle management: there is occasional late IT project delivery by an internal development department.
3. IT investment decision making: redundant software is purchased.
4. IT expertise and skills: there is a lack of or mismatched IT-related skills within IT, e.g. due to new technologies.
5. Staff operations (error and malicious intent): hardware components were configured erroneously.
6. Information (data breach: damage, leakage and access): portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed.
7. Architecture (architectural vision and design): there is a failure to adopt and exploit new infrastructure in a timely manner.
8. Infrastructure: the systems cannot handle transaction volumes when user volumes increase.
66 Thank you! Alessandro Salibra Bove, Partner
How to Stand Up a Privacy Program: Privacy in a Box Part III of III: Maturing a Privacy Program Presented by the IT, Privacy, & ecommerce global committee of ACC Thanks to: Nick Holland, Fieldfisher (ITPEC
More informationCUSTOMER AND SUPPLIER ROLES AND RESPONSIBILITIES FOR 21 CFR 11 COMPLIANCE ASSESSMENT. 21 CFR Part 11 FAQ. (Frequently Asked Questions)
21 CFR Part 11 FAQ (Frequently Asked Questions) Customer and Supplier Roles and Responsibilities for Assessment of METTLER TOLEDO STARe Software Version 16.00, including: - 21 CFR 11 Compliance software
More informationSelftestengine COBIT5 36q
Selftestengine COBIT5 36q Number: COBIT5 Passing Score: 800 Time Limit: 120 min File Version: 16.5 http://www.gratisexam.com/ Isaca COBIT 5 COBIT 5 Foundation I have correct many of questions answers.
More informationEnsuring Organizational & Enterprise Resiliency with Third Parties
Ensuring Organizational & Enterprise Resiliency with Third Parties Geno Pandolfi Tuesday, May 17, 2016 Room 7&8 (1:30-2:15 PM) Session Review Objectives Approaches to Third Party Risk Management Core Concepts
More informationPreparation Guide to the New European General Data Protection Regulation
Preparation Guide to the New European General Data Protection Regulation 1. Introduction 2. The Application of the Regulation to Businesses The General Data Protection Regulation (GDPR) is to protect citizens
More informationPreparing for the GDPR
Preparing for the GDPR Note: These slides and the accompanying presentation contain a general summary and are not legal advice. Niall Rooney 03/11/2017 (1) Data Protection The Right to Data Protection
More informationProactively Managing ERP Risks. January 7, 2010
Proactively Managing ERP Risks January 7, 2010 0 Introductions and Objectives Establish a structured model to demonstrate the variety of risks associated with an ERP environment Discuss control areas that
More information1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction
Introduction On April 2016 the European Parliament approved the General Data Protection Regulation (GDPR). This new regulation, with mandatory implementation by Member States (MS) and businesses that have
More informationRecords Management Policy
Records Management Policy Date Approved: September 2012 Approved By: Senior Leadership Team Ownership: Corporate Development (originally Corporate Contracts and Information Officer) Date of Issue: November
More informationSample Data Management Policy Structure
Sample Data Management Policy Structure This document has been produced by The Audience Agency. You are free to edit and use this document in your business. You may not use this document for commercial
More informationA tool for assessing your agency s information and records management
A tool for assessing your agency s information and records management Copyright Commonwealth of Australia 2010 Updated on 14 June 2012 Copyright of Check-up 2.0 rests with the Commonwealth of Australia.
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Operational Owner: Executive Owner: James Newby Data Protection Officer Sarah Litchfield Senior Information Risk Officer Effective date: 25 th May 2018 Review date: May 2021 Related
More informationAccountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management? Alan Calder Founder & Executive Chairman IT Governance Ltd 19 January 2017 www.itgovernance.co.uk Introduction Alan Calder
More informationISACA San Francisco Chapter
ISACA San Francisco Chapter The 2007 Privacy Panel Rena Mears, CISSP, CIPP, CPA, CISA Partner, Deloitte & Touche LLP March 23, 2007 San Francisco 0 What is Privacy and Why Now? Definition of PII The definition
More informationPart 0: Overview and vocabulary
Edition 2016 Version 2.4 This work is licensed under a Creative Commons Attribution 4.0 International License. www.fitsm.eu Document control Document Title Part 0: Overview and vocabulary Document version
More informationHumber Information Sharing Charter
External Ref: HIG 01 Insert here the logo of the signatory organisation Review date November 2016 Version No. V07 Internal Ref: ERYC CFS ILS 02 Humber Information Sharing Charter This Charter may be an
More informationChanges Reviewed by Date. JO Technology Manager - Samer Huwwari JO Manager, Risk & Control Technology: Issa Laty. CIO, Jordan- Mohammad Aburoub
Governance and Management of Information and Related Technologies Guide 2017 Revision History Changes Reviewed by Date Version Author JO Technology Manager - Samer Huwwari JO Manager, Risk & Control Technology:
More informationData protection (GDPR) policy
Data protection (GDPR) policy January 2018 Version: 1.0 NHS fraud. Spot it. Report it. Together we stop it. Version control Version Name Date Comment 1.0 Trevor Duplessis 22/01/18 Review due Dec 2018 OFFICIAL
More informationBPO Asia In ormation Security Domains & Controls
f BPO Asia In ormation Security Security Standards & Best Practices Security for Human & Physical Resources Communications & Operations Management Access Control Information Systems Acquisition, Development
More informationGuidance on Arrangements to Support Operational Continuity in Resolution
Guidance on Arrangements to Support Operational Continuity in Resolution 18 August 2016 ii Table of Contents 1. Introduction... 5 2. The concept of operational continuity... 7 Critical shared services
More informationTranslate stakeholder needs into strategy. Governance is about negotiating and deciding amongst different stakeholders value interests.
Principles Principle 1 - Meeting stakeholder needs The governing body is ultimately responsible for setting the direction of the organisation and needs to account to stakeholders specifically owners or
More informationTOP 6 SECURITY USE CASES
Solution Brief: Top 6 Security Use Cases for Automated Asset Inventory page 1 SOLUTION BRIEF TOP 6 SECURITY USE CASES for Automated Asset Inventory Solution Brief: Top 6 Security Use Cases for Automated
More information1010 La Trobe Street Docklands Victoria
Position description Position Group Reports to Location Service Desk Administrator Telecommunications IT Service Delivery Manager 1010 La Trobe Street Docklands Victoria Date 2018 Our organisation VicTrack
More informationCOMPUTERISED SYSTEMS
ANNEX 11 COMPUTERISED SYSTEMS PRINCIPLE This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components
More informationONR GUIDE. LC 6 Documents, records, authorities and certificates. Nuclear Safety Technical Inspection Guide. NS-INSP-GD-006 Revision 0
Title of document ONR GUIDE LC 6 Documents, records, authorities and certificates Document Type: Unique Document ID and Revision No: Nuclear Safety Technical Inspection Guide Date Issued: October 2015
More informationCHAPTER -10 CIS AUDIT
CHAPTER -10 CIS AUDIT 10.1. CIS ENVIRONMENT Meaning of CIS audit Does overall objective of audit changes in CIS environment Skills and competence Work performed by others Planning CIS audit is the process
More informationNew Development Bank Information Technology Policy
New Development Bank Information Technology Policy Owner: IT Department Version: 2016 V2 Date: [16] March 2016 Corporate Procurement Policy All rights reserved. Any unauthorized use, duplication or disclosure
More informationStatement on Risk Management and Internal Control
INTRODUCTION The Board affirms its overall responsibility for the Group s system of internal control and risk management and for reviewing the adequacy and effectiveness of the system. The Board is pleased
More informationReady for the GDPR, Ready for the Digital Economy Fast-Track Your Midsized Business for the Digital Economy While Addressing GDPR Requirements
SAP Database and Data Management Portfolio/SAP GRC Solutions Ready for the GDPR, Ready for the Digital Economy Fast-Track Your Midsized Business for the Digital Economy While Addressing GDPR Requirements
More informationData Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General
Data Protection Document Detail Type of Document (Stat Policy/Policy/Procedure) Policy Category of Document (Trust HR-Fin-FM-Gen/Academy) General Index reference number Approved 26/04/18 Approved by Trust
More informationGuidelines and supervision on the use of IT tools of the University College
Guidelines and supervision on the use of IT tools of the University College Introduction The employer has the authority to set up guidelines for the use of IT tools that are available for employees and
More informationInformation Security in ITES & BPO I T S E R V I C E S B P O S O L U T I O N S
Information Security in ITES & BPO I T S E R V I C E S B P O S O L U T I O N S 1 Agenda Gaps in Information Security Information Security Risk Governance Standards Industry Regulation Information security
More informationISMS AUDIT CHECKLIST
4.1 REQUIREMENT REFER TO BS ISO / IEC 27001 : 2005 Has the organisation developed a documented ISMS based on the PDCA model? Checked at Stage 1 for development and Stage 2/surveillance for implementation,
More information(5) May carry out maintenance of the database (6) May carry out monitoring and organizing daily uploading of data and automatic issue of reports
Government of the Republic Regulation No. 92 of 8 November 2012 "Procedure for establishment of composition of posts of national authorities, classification of posts and procedure for classifying posts
More informationEU GMP - Annex 11 Computerised systems Versione corrente Nuova versione per commenti (emessa 8 aprile 2008)
EU GMP - Annex 11 Computerised systems Versione corrente Nuova versione per commenti (emessa 8 aprile 2008) Principle The introduction of computerised systems into systems of manufacturing, including storage,
More informationPreparing for the General Data Protection Regulation (GDPR)
Preparing for the General Data Protection Regulation (GDPR) ServiceNow Governance, Risk, and Compliance Table of Contents What is the GDPR?...3 Key Requirements for the GDPR...4 Accountability, Policies,
More informationJOB DESCRIPTION. Director of Finance and Corporate Services. Starting at 26,977 with progression to 31,576 per annum
JOB DESCRIPTION POST: DIVISION: RESPONSIBLE TO: SALARY: Information and Governance Officer Finance and Corporate Services Director of Finance and Corporate Services Starting at 26,977 with progression
More informationUniversity Business Classification Scheme
University Business Classification Scheme Introduction The University Business Classification Scheme is a conceptual representation of an organisation s business. It describes an organisation s business
More informationInformation and Technology. Governance. System for
2019 strategy goals size Role of IT Sourcing model for IT Compliance requirements Etc. Design Factors SME Risk DevOps Etc. Priority governance management objectives Specific guidance from focus areas Target
More informationReady for GDPR? Five steps to turn compliance into your advantage
Ready for GDPR? Five steps to turn compliance into your advantage 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG
More informationInformation Governance Clauses Clinical and Non Clinical Contracts
Information Governance Clauses Clinical and Non Clinical Contracts Policy Number Target Audience Approving Committee Date Approved Last Review Date Next Review Date Policy Author Version Number IG014 All
More informationGDPR: What Every MSP Needs to Know
Robert J. Scott GDPR: What Every MSP Needs to Know Speaker Robert J. Scott Agenda Purpose GDPR Intent & Obligations Applicability Subject-matter and objectives Material scope Territorial scope New Rights
More information