2. www.teaminternational.com
CTO/CIO at Team International Services,
www.teaminternational.com.
Information Security
Data Protection
Corporate IT infrastructure
Process Management
Achievements:
Leading role in CMMI L3 implementation
PMI PMP
ISO 27001 Expert
GDPR Practitioner
Hobbies
Auto travels
Cinema
5.
Compliance trends
Information Security, Data Protection, Application Security, Audits
Now
Scale 1 – 10 (then -> now):
Practical implementation concerns: 1 -> 6
Contractual requirements: 1 -> 8
Personal Data protection: 1 -> 8 (EU), 1 -> 4 (US)
Certifications and 3rd party audit requirements: 1 -> 6
6.
Popular standards requested
ISO 27000
GDPR, DPO need
SSAE-18 SOC 1, 2 Type 1, 2
PCI-DSS, PA-DSS
OWASP
EU-US Privacy Shield
Remove irrelevant standards
CLOUD Act
COBIT
ISO 9000
ISO 14000
ISO 20000
SIG Questionnaire Tools
201 CMR 17.00 (“Massachusetts PI Standards”)
7.
Typical conditions
The right to audit
The need for an assigned DPO, InfoSec Officer, etc.
The need to comply with the customer’s standards
Cross-border data transfer regulations
The need to have an InfoSec framework
8.
Typical irrelevant conditions
Customers propose their own contract templates
Contract reviews are a must: 90% of templates are not relevant!
Most popular irrelevancies (software development outsourcing):
Cloud product provider requirements
Call center provider requirements
The need for DPO
Meet or exceed commonly used InfoSec standards
We watch TV about Ukraine, how do you mitigate risks?
No data can leave US/EU
Remove irrelevant conditions
9.
Reducing compliance co$t$
Remove irrelevant costs
Direct cost:
ISO 27000 - $30-50K a year
GDPR, DPO need - $12-60K a year
SOC - $30-60K a year
InfoSec staff - $24-120K a year
Indirect cost:
InfoSec staff - $2-10K a year
Staff involvement - $10-30K a year
10.
Reducing compliance co$t$
Remove irrelevant everything
Smart arguments for cost reduction:
Standards and conditions relevancy
The type and size of the cooperation vs. compliance efforts
Multi-customer environment vs. compliance needs
Reasonable compatibility with standards
Who pays for the party?
11.
Compliance procedures e$timation$
Most likely vendor pays:
1st and subsequent direct and indirect “certification” costs
Administrative and technical measures
Staff awareness program
Monitoring and control cost
Most likely customer pays:
Work processes
OWASP principles, data anonymization, code reviews
Customer’s audits
Special equipment
12.
You have nothing on Compliance. Where to start?
If you want to start, you need to start
Understand whether your business requires compliance, and which compliance
ISO 27000 framework for generic InfoSec (incl. SOC 2, GDPR, ISO 27000)
Appoint/hire a specialist, grant authority, educate
Implement the framework to the extent you really need
Org/technical measures, defined policies, awareness
Brag in your marketing materials
Do contract reviews
Remove irrelevant everything
Enjoy!