Multi Compliance Framework

Maintain your GDPR program
Develop your IT Management System
Enable your required Audit Reporting
Accelerate your Information Security System
... WITHOUT expensive consultancy fees!

Greet Volders, Managing Consultant, Voquals N. V.

Purpose of this Multi Compliance Framework
• Reduce time needed to prepare for internal & external audits
• Reduce manual activities to prepare reporting by automating reporting through BI
• Facilitate evidence collection for control testing
• Increase customer & stakeholder confidence by continuous Compliance checks, monitoring and reporting
• Easily build relations according to the Business Needs between:
  – People
  – Business & IT Processes
  – Compliance Requirements
Greet Volders _ Voquals N. V. Multi Compliance Framework Slide 2

Deliverables included in this Multi Compliance Framework
• A complete set of IT-related processes (37 in all)
  – Based on the content of COBIT 5, ITIL and Voquals’ experience
  – Presentable on your website
  – With cross-references to
    » Various ISO-standards (see next slide)
    » ITIL
    » COBIT 4.1 - for a smooth transition to COBIT 5
  – Additional integrated content
    » Process Capability Assessment
    » IT related goals and metrics
    » Specific templates and examples of deliverables for certain processes

Deliverables included in this Multi Compliance Framework
• Add-ons are available for
  – ISO-reporting
    » With a mapping of all IT-related processes to:
      • ISO 9001:2015 (Quality)
      • ISO 27001:2013 (Security)
      • ISO 20000:2012 (ITIL)
    » Reports with links to your company processes are pre-defined
    » Can easily be tailored by yourself to other standards and control frameworks
  – GDPR compliant processes & documents
    » Necessary GDPR procedures
    » Awareness raising through built-in information, practical examples and templates
    » Required GDPR reports, e.g.
      • Data Register
      • Record of requests from Data Subjects

Deliverables included in this Multi Compliance Framework
• For each process, we provide
  – High level description, purpose, audience and scope
  – Visio chart of all steps in a process
  – Detailed descriptions for these steps
  – RACI linking People to Processes
    » Responsible – Accountable – Consulted – Informed
  – Relationships with all defined regulations, standards, control frameworks, etc.

Potential Savings with this Multi Compliance Framework
• For the development of your IT-related processes
  – For all 37 processes, a complete description is available, which can be used to describe your IT-related processes simply by adapting the description to your organization.
  – No need to start with a blank sheet, and you don’t have to be an expert in COBIT 5 or ITIL to define your processes in compliance with these best practices!
  → A potential saving of a few man-days per process.
  → For 20 processes this yields a saving of 60 man-days.

Potential Savings with this Multi Compliance Framework
• Support the changes in your organization
  – In all the processes, process-steps and activities you can indicate who (person, role or function) is Responsible and Accountable, and who should be Consulted and Informed (RACI).
  – These are pre-defined for all 37 IT-related processes.
  – How it works:
    » When the function of a person changes, or a person leaves the organization, you only need to adapt the link from the person to the function, or change the name of the person.
    » As a result, in all related processes, process-steps and activities the correct person remains identified.
  → Each change in your organization is managed with 1 action, which yields a saving of 1 man-day per change and provides the assurance that all links to functions, roles and persons are always up-to-date!

Potential Savings with this Multi Compliance Framework
• Facilitating your internal & external audits
  – Links are provided to several Standards, Control Frameworks and other “best practices”, such as:
    » ISO 9001 - ISO 27001 - ISO 20000
    » The DNB Control Objectives - GDPR requirements - ...
  – Since the complete content of these standards and frameworks is available within the framework, these links can also be made to all other business processes.
  – In the portal (publication site), overviews are available for each of the standards, with links to related processes and documents.
  – These can be made available to the internal & external auditors, without any additional work, in the preparation of each audit.
  → For each audit, this saves the time that is now spent, without this Framework, on preparing the audit!

Multi Compliance Framework - homepage
The home page gives you access to the most important parts of this Multi Compliance Framework, being:
- The processes, their flow and descriptions
- Financial Reporting, based on DNB, and expandable with your own control requirements
- KPI’s based on the IT-related goals and KPI’s defined by Voquals
- Level 1 Process Capability Assessment execution & results
- RACI based on the standard RACI provided in COBIT 5
- ISO-reporting, with links to the related processes
- ISAE reporting and Cyber Resilience compliance reports

Multi Compliance Framework - Processes
• In this solution, you manage ALL company processes in an integrated and coherent way.
• All organisational structures are linked with the processes.
• Reporting is done in a consistent way.

SELECT the first topic you want to see. Do you want to learn about...
- IT-related Processes and Reporting
- Control Reporting
- GDPR
- Info Security
- The END

Multi Compliance Framework - ICT Processes
IT processes are part of the Supportive Processes.
• In this part, you find 5 possible views on the complete set of 37 COBIT 5 processes.
• If you click on ICT, you receive the COBIT 5 Process Reference Model.

Multi Compliance Framework - COBIT Processes
All 37 COBIT 5 processes are present in this overview.
• Via this schema you can consult all the processes.
• This is done by clicking on the process box.

Multi Compliance Framework - COBIT Processes, example
After clicking on the process, you receive the detailed flow with, at the right, the introduction to this process. For each of the detailed boxes a description exists, which can be seen by clicking on the box. These are the steps for the “Manage Security Services” process, DSS05 in COBIT 5.

Multi Compliance Framework - COBIT Processes, example
By clicking on a box, you receive the detailed content of that process. For example, look at the last practice in “Manage Security Services”, Periodic Reporting.

Multi Compliance Framework - COBIT Processes
By clicking on the tree-structure, you find the processes grouped into:
- Primary
- Management
- Supportive processes

Multi Compliance Framework - IT Service Processes
Another view on your IT processes can easily be created.
• This schema shows the example for IT Service Management.
• The next schema focuses on IT Development.
• All the processes mentioned on this schema refer to the COBIT 5 processes, which already exist.
• In this way it’s easy to create your own process overview.

Multi Compliance Framework - IT Project Delivery

Multi Compliance Framework - Management & Reporting
Other management / reporting tools available are:
- Level 1 Process Capability Assessment
- KPI’s (Key Performance Indicators)
- RACI (Responsibility matrix)

Multi Compliance Framework - Level 1 Process Capability Assessment
The Level 1 Process Capability Assessment is based on the COBIT 5 Process Assessment Model (PAM). This Model enables your organization to assess processes and facilitates continuous improvement. Level 1 is the assessment against the practices and work products specific to each process.

Multi Compliance Framework - KPI’s
The Key Performance Indicators are based on:
• IT-related goals,
• Goals & Metrics per process, and
• Voquals’ extensive professional expertise.

Multi Compliance Framework - RACI charts
Identifies who is Responsible or Accountable for the Practice / Activities, and who is Consulted and Informed about the Practice / Activities.

Multi Compliance Framework - ISO-standards & Reporting
The relations with 3 ISO-standards are defined in the IT-related processes.
- You can easily upload other, additional standards.
- Via the relations, you can define the processes and sub-processes that respond to the ISO-requirements.

Multi Compliance Framework - ISO-standards & Reporting
The report contains all requirements, with an indication of the processes, or other documents, that respond to these requirements. Some more examples on the next slides. In the portal, all the documents are clickable, and are thus easily accessible for internal & external auditors.

Multi Compliance Framework - ISO-standards & Reporting (example report)

Multi Compliance Framework - ISO-standards & Reporting (example report)

Multi Compliance Framework - SELECT the next topic you want to see
Do you want to learn about... IT-related Processes and Reporting / Control Reporting / GDPR / Info Security / The END

Multi Compliance Framework - DNB Control Domains
The starting page shows an overview of the DNB Control Domains: an overview of the Domains, with links to the Standards / Control Measures.

Multi Compliance Framework - DNB Control Domains
For each DNB Control Domain, the description is available with a link to the sub-topics.

Multi Compliance Framework - DNB Control Domains
For each sub-topic, there is the description with a link to the required controls.

Multi Compliance Framework - DNB Control Domains
For each sub-topic, there is the description.

Multi Compliance Framework - DNB Control Domains
For each control there is the description and fields to manage the control.

Multi Compliance Framework - DNB Control Domains
For each control there is the description, fields to manage the control and all related references. All these topics are clickable, to see the content!

Multi Compliance Framework - DNB Control Domains
For each control there is the description, fields to manage the control and all related references + additional guidance. These points are also clickable, to see the content!

Multi Compliance Framework - DNB Reporting
DNB Reporting remains to be done with the DNB Excel file.

Multi Compliance Framework - DNB Reporting
Collection of the maturity rating is done by sending tasks via the Multi Compliance Framework.

Multi Compliance Framework - DNB Reporting
The Control Owner
• has to fill in the maturity level,
• can add some comments and relevant sources.

Multi Compliance Framework - DNB Reporting
The control administrator can easily follow the status of the tasks completed by the control owner.

Multi Compliance Framework - DNB-related COBIT Processes
DNB-related COBIT processes are presented in 1 of the pre-defined views.

Multi Compliance Framework - DNB-related COBIT Processes
All these process boxes are clickable, to consult your process content!

Multi Compliance Framework - SELECT the next topic you want to see
Do you want to learn about... IT-related Processes and Reporting / Control Reporting / GDPR / Info Security / The END

Multi Compliance Framework - GDPR
GDPR is part of the management processes.

Multi Compliance Framework - GDPR
GDPR contains all required processes, and useful information such as definitions, templates and examples.

Multi Compliance Framework - GDPR example process
Example: Manage Data Processor Agreement, with detailed descriptions.

Multi Compliance Framework - GDPR example process
With detailed description of the 2 sub-parts
• Including links to Data Processor information
• And an example Data Processors’ Agreement

Multi Compliance Framework - GDPR Reporting
• We provide fields to identify the GDPR-sensitive processes
  – These are available in the various data sets
  – Each data set contains the required values >> some examples

Multi Compliance Framework - GDPR Reporting
• These fields are selected for each process
• And other information is registered

Multi Compliance Framework - GDPR Reporting
• For example, to register the Requests from Data Subjects
• And the related report

Multi Compliance Framework - SELECT the next topic you want to see
Do you want to learn about... IT-related Processes and Reporting / Control Reporting / GDPR / Info Security / The END

Multi Compliance Framework - Security & Compliance
1 of the pre-defined views is related to Information Security & Compliance.

Multi Compliance Framework - Security & Compliance (view)

Multi Compliance Framework - Security & Compliance (view)

Multi Compliance Framework - Security & Compliance
This is the available description of the Manage Security process. The same exists for all the other processes on the schema.

How to protect from Logical Attacks
We explain some examples to mitigate the threat of Logical Attacks:
• Security Process Goals,
• related metrics, resulting in
• Security Specific Actions

How to protect from Logical Attacks

Security Specific Process Goals
1. Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture.
2. Information security architecture is understood as part of the overall enterprise architecture, is aligned with and evolves with changes to the enterprise architecture.
3. Information security architecture framework and methodology are used to enable reuse of information security components across the enterprise.

Related Metrics
• Number of exceptions to information security architecture standards
• Number of deviations between information security architecture and enterprise architecture
• Date of last review and/or update to information security controls applied to enterprise architecture
• Percent of projects that use the information security architecture framework and methodology
• Number of people trained in the information security framework and methodology

Security Specific Activities
1. Ensure inclusion of information security artefacts, policies and standards in the architecture repository.
2. Ensure that information security is integrated across all architectural domains (e.g., business, information, data, applications, technology).

How to protect from Logical Attacks

Security Specific Process Goals
1. An information security policy framework is defined and maintained.
2. A comprehensive information security strategy is in place and is aligned with the overall enterprise and IT strategy.
3. The information security strategy is cost-effective, appropriate, realistic, achievable, enterprise-focused and balanced.
4. The information security strategy is aligned with long-term enterprise strategic goals and objectives.

Related Metrics
1. • Number of updates of the information security policy
   • Management approval of the information security policy
2. • Number of updates of the information security policy
   • Management approval of the information security policy
3. • Percent and number of initiatives for which a value metric (e.g., ROI) has been calculated
   • Enterprise stakeholder satisfaction survey feedback on the effectiveness of the information security strategy
4. • Percent of projects in the enterprise and IT project portfolios that involve information security
   • Percent of IT initiatives/projects that have information security

Security Specific Activities
1. Ensure that information security requirements are included in the definition of target IT capabilities.
2. Define the target state for information security.
3. Define and agree on the impact of information security requirements on enterprise architecture, acknowledging the relevant stakeholders.

Multi Compliance Framework - SELECT the next topic you want to see
Do you want to learn about... IT-related Processes and Reporting / Control Reporting / GDPR / Info Security / The END

More Information - Coordinates
Voquals N. V.
Greet Volders
Genebroek 34, 2450 Meerhout, Belgium
Phone: +32 14 22 54 04
Mobile: +32 475 63 45 06
E-mail: Gvolders@voquals.be
Website: www.voquals.be

MAVIM
See the videos for more information on MAVIM and their other solutions:
• Webinar explaining the reasons for using Mavim to support our Multi Compliance Framework
• Business Process & Quality Management and demonstration
• Governance, Risk & Compliance and demonstration
• Application Implementation Management and demonstration
• IT Portfolio Management and demonstration
• Strategic Portfolio Management and demonstration
• Enterprise Architecture and demonstration