This presentation describes how a contract compliance service can be provided to aid organisations working on bids, so that compliance can be achieved quickly and effectively. The key compliance areas include: Data Protection, Information Security (ISO 27001), PCI DSS, SOX and FSA. The author is a seasoned risk management consultant with experience of quick-win strategies and tactics to achieve the aims and goals of an exercise.
1. Contract compliance service
(Pre & post contract compliance)
Ben Oguntala, LLB Hons, LL.M
CEO
www.riesgoriskmanagement.com
Ben.oguntala@riesgoriskmanagement.com
PCI FSA DPA SOX 27K
2. About the Author
• Education
– LLB Hons
– LL.M
– Financial/Securities regulation
– UK/EC competition law
• Forte
– Risk Management specialist
– Fraud compliance Consultant
– Compliance specialist
– Data Protection specialist
– Information Security Consultant
– Outsourcing compliance
– Merger & acquisition due diligence
• Previous clients
– British Gas
– Vodafone
– Orange
– O2 Telefonica UK
– RWE NPower
– BNP Paribas
– Ministry of Justice (London Probation)
– Revenue & Customs
– Nortel/Motorola/Ericsson/Nokia
– CapGemini
– BT
– KPMG & Cisco
Ben.oguntala@riesgoriskmanagement.com
CEO – Riesgo Risk Management
Telephone – 07812 039867
“Contract compliance is a value add solution that assists organisations involved in the activities of gathering compliance evidence in support of a bid or contract.”
3. Introduction
• The Riesgo Risk Management solution is a service that is designed to continuously monitor & maintain an organisation’s compliance to key regulatory standards in a bid to support project tenders.
• It monitors and maintains compliance in order to ensure that project requirements are dealt with as time efficiently as possible.
• The solution offers assurance to the parties in a contract and enables a fast response to project requirements for compliance.
[Diagram: Riesgo Compliance solution – Framework setup; Ongoing compliance; Core compliance functions / Add on compliance functions (PCI FSA DPA SOX 27K); Gaps & remediation; Projects]
4. Riesgo RM compliance cycle
1 – New or recurring client: project bid initiated
2 – Recurring clients: end client set up on Riesgo RM would start at 6
3 – Definition of the client’s agreed requirements (scope definition)
4 – Initial setup and audit (initial compliance audit)
5 – Compliance report based on 4
6 – Remedial work to fill the gap identified (compliance report with remedial work; remedial work implementation)
7 – Final audit confirmation that the gaps are filled (final compliance audit)
8 – Generation of compliance report in accordance with customer requirements in 3 (compliance report generated)
5. Compliance in Contract bids/tenders
Regulatory
– DPA
– SOX
– FSA
– PCI
– ISO 27001
Organisation
– ISMS forum
– Security management
– Management structure
– Audit
– 3rd parties & outsourcing
Processes
– Policies and procedures
– Incident management
– Business continuity planning
– Security operations
Every contract has an element of compliance requirement associated with it. In view of the fact that quite often a contract will include access to client data, it is reasonable to assume that at minimum a few sets of standards and regulatory requirements would apply.
The service we provide is ongoing compliance monitoring that allows an organisation to cost effectively respond to project requirements for compliance reports & evidence.
6. Our services: Regulatory compliance
• The solution we provide will enable a client to
demonstrate their compliance with the
following regulatory requirements:
– DPA – Data Protection Act
• Applicable in the UK and Europe
– SOX
• Applicable to companies trading in the US stock
exchange
– FSA – Financial Services Authority
• Applicable to organisations that are regulated by the
Financial Services Authority
– PCI
• Applicable to organisations that handle or transmit
payment card services
– ISO 27001
• Applicable to all organisations with IT systems that have
an obligation to operate a secure system
7. Our services: Organisational framework
• The solution we provide can demonstrate an
organisation’s information security structure
and architecture fairly easily, as well as a
continuous assessment of compliance.
– ISMS forum
• A management structure that handles information
security issues and access to senior management on
security related matters
– Security management
• The involvement of security in the operation of the
organisation, the link between business units and the
management team.
– Management structure
• Demonstrating the link between business management
teams and their security responsibilities as well as
engagement.
– 3rd parties and outsourcing
• Demonstrating that adequate processes and controls are
in place between the organisation and 3rd parties.
• Where there is outsourcing in place, it can demonstrate
that the tentacles of security are extended to the
outsourcing parties in the form of policies and
procedures.
8. Our services: Processes
• The solution we provide can demonstrate the client has
adequate processes in place to meet the project
requirements.
– Policies
• Policies are listed in a central repository and reviewed frequently
• Policies are associated with procedures and guidelines and also
frequently reviewed
– Incident management
• Incident reporting from the client’s business units, 3rd parties or
outsourcing partners
• Incident management register
• Risk register
– Business continuity plan
• BCP policies, procedures and test schedules
– Audit
• Internal and external audits with fixes for non-compliances
– Security operations
• Security management structure
• Security points of contact per business unit
• 3rd party security points of contact
• Asset register
• Risk management framework
11. Implementation project
Stage 1 – Gap analysis
• Assess your current estate & your objectives
• Release of your BRS
• Scope definition
Stage 2 – Project design
• Designing your requirements based on the result of stage 1
• Release of the HLD to be signed off
Stage 3 – Implementation
• Once the HLD is designed and signed off, we initiate the implementation across a portion of your estate
• We confirm that all the adaptors can trigger alerts
Stage 4 – Roll out
• Taking stage 3 and methodically rolling out the solution to the rest of your estate
The implementation project can take up to 6 months and 3 man resources. The number of resources may vary due to the scope of the project.
The costs associated include:
- Software licence
- Incident management licence
- Support and maintenance
The solution is designed to be a cost effective means of curtailing fraud within your estate.