Compliance for
vendors and teams
Sergiy Povolyashko
www.teaminternational.com
CTO/CIO at Team International Services, www.teaminternational.com.
- Information Security
- Data Protection
- Corporate IT infrastructure
- Process Management
Achievements:
- Leading role in CMMI L3 implementation
- PMI PMP
- ISO 27001 Expert
- GDPR Practitioner
Hobbies:
- Auto travel
- Cinema
Contents
- Compliance trends
- Popular standards and conditions
- Reducing compliance co$t$
- Compliance procedures e$timation$
- You have nothing on compliance. Where to start?
Compliance trends
Information Security, Data Protection, Application Security, Audits
A couple of years ago the whole customer due-diligence conversation was:
"How are you doing?" "Great!" "Ok!"
Compliance trends
Information Security, Data Protection, Application Security, Audits
Now (how much attention each topic gets from customers, on a scale of 1 to 10, then vs. now):
- Practical implementation concerns: 1 -> 6
- Contractual requirements: 1 -> 8
- Personal data protection: 1 -> 8 (EU), 1 -> 4 (US)
- Certifications and third-party audit requirements: 1 -> 6
Popular standards requested
- ISO 27000 family (certification is against ISO/IEC 27001)
- GDPR, and the DPO question that comes with it
- SSAE 18 SOC 1 and SOC 2, Type 1 and Type 2
- PCI DSS, PA-DSS
- OWASP
- EU-US Privacy Shield (note: invalidated by the CJEU in July 2020, Schrems II; the cross-border transfer question it answered has not gone away)
- CLOUD Act
- COBIT
- ISO 9000
- ISO 14000
- ISO 20000
- SIG questionnaire tools
- 201 CMR 17.00 ("Massachusetts PI Standards")
Remove irrelevant standards: most of this list does not apply to a software development vendor.
Typical conditions
- The right to audit
- An assigned DPO, InfoSec Officer, etc.
- Compliance with the customer's own standards
- Cross-border data transfer regulations
- An InfoSec framework in place
Typical irrelevant conditions
- Customers propose their own contract templates
- Contract review is a must: 90% of templates contain clauses that are not relevant to the engagement!
Most popular irrelevancies (software development outsourcing):
- Cloud product provider requirements
- Call center provider requirements
- The need for a DPO
- "Meet or exceed commonly used InfoSec standards"
- "We watch TV about Ukraine, how do you mitigate the risks?"
- "No data can leave the US/EU"
Remove irrelevant conditions before you sign.
Reducing compliance co$t$
Remove irrelevant costs.
Direct cost:
- ISO 27000 - $30-50K a year
- GDPR, DPO need - $12-60K a year
- SOC - $30-60K a year
- InfoSec staff - $24-120K a year
Indirect cost:
- InfoSec staff - $2-10K a year
- Staff involvement - $10-30K a year
Reducing compliance co$t$
Remove irrelevant everything.
Smart arguments for cost reduction:
- Relevance of the requested standards and conditions to the engagement
- The type and size of the cooperation vs. the compliance effort demanded
- A multi-customer environment vs. one customer's compliance needs
- Reasonable compatibility with standards instead of formal certification
- Who pays for the party?
Compliance procedures e$timation$
Most likely the vendor pays for:
- Initial and recurring direct and indirect "certification" costs
- Administrative and technical measures
- Staff awareness program
- Monitoring and control costs
Most likely the customer pays for:
- Work processes
- OWASP principles, data anonymization, code reviews
- The customer's own audits
- Special equipment
You have nothing on compliance. Where to start?
If you want to start, you need to start.
- Understand whether your business requires compliance at all, and which compliance.
- Use the ISO 27000 family as the generic InfoSec framework; it covers most of what SOC 2, GDPR and ISO 27001 ask for.
- Appoint or hire a specialist, grant authority, educate.
- Implement the framework only to the extent you really need.
- Organizational and technical measures, defined policies, awareness.
- Brag about it in your marketing materials.
- Do contract reviews.
- Remove irrelevant everything.
- Enjoy!
thank you!
Skype: Sergiy.povolyashko
Sergiy Povolyashko
www.linkedin.com/in/sergiypovolyashko/