Transcription
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS,BUT AVOIDING THE SPEED BUMPSLearn sound best practices with ISO 27001, ISO 20000, and the United Arab Emirates’Information Assurance Standards. This session provides a road map to successful complianceimplementation and achieving these standards. Attendees will learn how to exceed expectations;avoid speed bumps that will derail implementation including fraudulent landscapes, schemes andchallenges; and depart with the tools for a successful governance, risk, and complianceprogramme as noted by the Middle East and expected by the UAE.JOSÉ LUIS CARRERA JR., CFE, CIA, CRMADirector, Governance, Risk, and ComplianceDarkMatter LLCAbu Dhabi, United Arab EmiratesJosé Carrera has more than 20 years of international, strategic, progressive, and senior-levelmanagement experience in internal auditing, HIPPA/HITECH, SOX, business integration andprocess improvement, corporate governance, risk management, forensic accounting, andinformation technology. His experience includes growing, developing, and directing internalaudit departments to achieve their utmost performance. Carrera also has significant experienceperforming global enterprise-wide risk assessments for both business process and IT controlenvironments. He has also developed monitoring and risk and control reporting oversight,controls transformation, and corporate governance functions and programs. Carrera’s additionalexperience includes the development and implementation of global SOX, HIPPA/HITECH, andinternal audit programs where he led process training and change management initiatives toensure sustainability.“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and theACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents ofthis paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold withoutthe prior consent of the author. 2017
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSDisclaimerThis discussion is intended for educational purposes onlyand does not replace independent professional judgement insizing information security governance, risk and strategyactivities for any given organization. Statements of fact andopinions expressed are those of the presenter and notDarkMatter LLC AE.Achieving Compliance with ISO 27001, ISO 20000, andUAE IA Standards, But Avoiding the Speed Bumps!As a former Wells Fargo employee in the OperationalCompliance Department, I reflect back to September 20,2016 when United States Senator Elizabeth Warren (DMA)—during the COMMITTEE ON BANKING,HOUSING, AND URBAN AFFAIRS OPEN SESSION toconduct a hearing titled “An Examination of Wells Fargo’sUnauthorized Accounts and the Regulatory Response”—faced off with Wells Fargo CEO John Stumpf—whosemassive bank appropriated customers’ information to createmillions of bogus accounts—had sharp questions andcomments. In particular:“Here’s what really gets me about this, Mr. Stumpf.If one of your tellers took a handful of 20 bills outof the crash drawer, they’d probably be looking atcriminal charges for theft. They could end up inprison.“But you squeezed your employees to the breakingpoint so they would cheat customers and you coulddrive up the value of your stock and put hundreds ofmillions of dollars in your own pocket. 20172017 ACFE Fraud Conference Middle East1NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS“And when it all blew up, you kept your job1 youkept your multi-multimillion-dollar bonuses, andyou went on television to blame thousands of 12an-hour employees who were just trying to meetcross-sell quotas that made you rich. This is aboutaccountability. You should resign. You should giveback the money that you took while this scam wasgoing on, and you should be criminally investigatedby both the Department of Justice and the Securitiesand Exchange Commission. This just isn’t right.”Phew. It deems to ask the questions: Where was theaccountability? Where were the Three Lines of Defense?Are the internal controls working as intended? Whatstandards did Wells Fargo not adhere to?A wise man shared with me a best practice definition forcompliance, which simply states: “Compliance is either astate of being in accordance with established guidelines orspecifications, or the process of becoming so.” Thisdefinition of compliance can also encompass efforts toensure that organizations are abiding by both industryregulations and government legislation.Compliance at its core is a prevalent business concern,partly because of an ever-increasing number of regulationsthat require multinational organizations, companies, andgovernmental organizations to be vigilant aboutmaintaining a full understanding of their regulatorycompliance requirements. Some prominent regulations,1October 20, 2016; BusinessWeek SAN FRANCISCO--(BUSINESS WIRE)-Wells Fargo & Company (NYSE:WFC) announced today that Chairman andChief Executive Officer John Stumpf has informed the Company’s Board ofDirectors that he is retiring from the Company and the Board, effectiveimmediately. ellsFargo-Chairman-CEO-John-Stumpf-Retires. 20172017 ACFE Fraud Conference Middle East2NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSstandards, and legislation with which organizations mightneed to be in compliance include but are not limited to: Sarbanes-Oxley Act (SOX) of 2002: SOX wasenacted in response to the high-profile Enron andWorldCom financial scandals to protect shareholdersand the general public from accounting errors andfraudulent practices in the enterprise. Among otherprovisions, the law sets rules on storing and retainingbusiness records in IT systems. Health Insurance Portability and Accountability Actof 1996 (HIPAA): HIPAA Title II includes anadministrative simplification section that mandatesstandardization of electronic health records systems andincludes security mechanisms designed to protect dataprivacy and patient confidentiality. Dodd-Frank Act: Enacted in 2010, this act aims toreduce federal dependence on banks by subjecting themto regulations that enforce transparency andaccountability in order to protect customers. Payment Card Industry Data Security Standard(PCI DSS): PCI DSS is a set of policies andprocedures created in 2004 by Visa, MasterCard,Discover, and American Express to ensure the securityof credit, debit, and cash card transactions.UAE Second Most Targeted Country by HackersAfter the United StatesThe UAE’s days of cyber security might be behindit. The country is now the second most targetedcountry after the United States, according tostatistics shown at the UAE’s new Cyber SecurityCentre, which was opened on Monday. Dr. MounesKayyali, CEO of security solutions provider TheKernel, told Gulf News that Anonymous, aninternational group of hacktivists (hacker activist), and other hacker groups have been 20172017 ACFE Fraud Conference Middle East3NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSconducting cyber espionage attacks against stateowned energy companies.Source: Gulf News, 23rd of August 2016. Appeared also inGulf News Online.Information Technology (IT) compliance guidelines alsovary by country. As a result, multinational companies mustbe cognizant of the regulatory compliance requirements ofeach country they operate within, and adhering to suchcompliance guidelines is now a necessary engrainedprocess. “Not knowing” is not an excuse.Fast forward. Here in the United Arab Emirates (UAE),compliance standards are not an exception, they are thenorm. Case in point:On June 25, 2014, the National Electronic SecurityAuthority (NESA) announced a number of keystrategies, standards, and policies to guide, direct,and align UAE National cyber-security efforts allacross the UAE. As stated, this announcement camein shortly after a meeting between senior officialsfrom the local and federal entities. Theseorganizations represented the entire spectrum of theEmirates Government. Thereby, a “National CyberSecurity Program” was launched.NESA is a UAE federal authority that operatesunder the Supreme Council for National Security.NESA is responsible for the advancement of thenation’s cybersecurity, expanding cyber awarenessand creating a collaborative culture rooted ininformation technology and innovation. In order toachieve their objectives, NESA has devised a newset of guidelines and standards for all governmententities and other entities identified as critical 20172017 ACFE Fraud Conference Middle East4NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSnational service by NESA. Therefore, compliance toNESA is mandatory for all such entities.“Cybersecurity is one of the biggest economic andnational security challenges countries face in thetwenty-first century. NESA was established in linewith this modern reality and as soon as theAuthority was in place, we immediately initiated athorough review of federal efforts to defend andprotect the nation’s information and communicationtechnology (ICT) infrastructure. This announcementfalls in line with the process we are currentlyengaged in which puts all necessary policies andstandards in place to ensure a comprehensiveapproach to securing the nation’s digitalinfrastructure,” His Excellency Jassem Bu Ataba AlZaabi, Director General.“NESA is committed to ensuring that all UAEgovernment bodies are made fully aware of theresponsibility they now have to meet therequirements of these polices and in turn, what thismeans in practice going forward,” he added.2The new rules and regulations stem from a number ofexisting nationwide security standards and guidance (suchas NIST and ISO 27001). NESA information pack includesvarious documents, such as the Critical InformationInfrastructure Protection Policy (CIIP) and the InformationAssurance Standards (IAS).2www.zawya.com/story/The UAE National Electronic Security Authority Introduces New Strategies Policies and Standards to Enhance the Security and Resilience of UAE ICT InfrastructureZAWYA20140625101324/ 20172017 ACFE Fraud Conference Middle East5NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSNESA compliance is mandatory for UAE governmententities and other entities identified as critical nationalservice by NESA. NESA compliance will be applicable andmandatory for other participating stakeholders who supportand deal with critical national information or provide suchservices. For other UAE entities, NESA recommendsfollowing the guidelines on a voluntary basis in order toparticipate in raising the nation’s minimum security level.In a technology-driven world, cybercrimes are on the rise,and organizations face a continual threat of critical dataloss (see below). This not only includes sensitive customerdata, but also relevant legal, statutory, financial, andoperational data necessary for business operations. This iswhy NESA compliance requirements were introduced andimplemented, which include three distinct areas:International Standards Organization (ISO) 27001, PCIDSS, and Cyber Essentials.Prevention Is Better Than a Cure—Take StepsNow to Defend Against Cyber AttacksThe UAE is blazing a trail for the rest of the regionto follow but as the country has prospered, it hasalso attracted the attention of cyber-criminals.According to an article published by The Nationalnewspaper in the UAE, a local bank came underCyber-Attack in 2015, and was forced to reissuecards to its customers as a precaution against apossible breach. This wasn’t an isolated incident,attacks against the country have risen significantlyin the last few years.Source: Arabian Business, 29th of November 2016.The objective of NESA IA compliance is to adequatelymaintain entity data safe, but also to: 20172017 ACFE Fraud Conference Middle East6NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS Detect, respond, and recover from significantcybersecurity incidents and reduce its impact on thesociety and economy of the UAE; Increase cybersecurity awareness among its workforceand thus build a national capability; Strengthen security of critical information infrastructureand reduce corresponding risk levels; and Foster collaboration at sector and national levels.From a background perspective, it is necessary to understand thedifference between NESA’s two, as well as a sprinkling of theNational Institute Standards and Technology, United StatesDepartment of Commerce Special Publication 800-53 Revision 4Title: Security and Privacy Controls for Federal InformationSystems and Organizations SP800-53r4 (NIST SP800-53r4)standard, compliance frameworks. The ISO 27001 providesguidance in the form of additional and detailed documentation.The NESA IA standards, on the other hand, contain a briefguidance within different levels of control. They also summarizethe main components that constitute high-level controls and howthey should be r4 20172017 ACFE Fraud Conference Middle East7NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSHere is what your new control system should bedesigned to look like:Source: NESA UAE Information Assurance StandardsNESA does not have a defined scope for its application,adoption, and implementation. This gives criticalinformation infrastructure controllers the leverage to ensureorganization-wide NESA compliance in any way.Sophisticated hackers do not limit themselves in the sameway as organizations. This means that organizations withcontrol deficiencies are susceptible to any hacking attemptand malware from anyone across the globe. Such hackerscan attack any part of the business.As such, NESA recommends that all small-to-largeorganizations dealing in critical information begincompliance with a thorough risk assessment procedure(best practice situation). A risk assessment can assist in 20172017 ACFE Fraud Conference Middle East8NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSidentifying critical assets that need to be protected againstmalware, at all costs. It also enables management toaddress all security control-related issues withoutimplementing or pursuing an organization-wide NESAcompliance policy.NOTESNESA adopts a tiered approach towards enforcingcompliance. This is not in any way dissimilar to themerchant levels that have been dealt with under PCI DSS.It is important to note that the level of risk yourorganization will pose to the UAE informationinfrastructure will determine how closely NESA regulatorswill work with you.Here is how NESA compliance’s audit framework willwork:PROCEDUREIMPACTReportingMaturity based self-assessment by stakeholders inline with mandatory vs. voluntary requirementAuditingWhen appropriate, NESA (or NESA designate) canaudit stakeholders by requesting specific evidence insupport of self-assessment reportTestingWhen appropriate, NESA (or NESA designate) cancommission tests of information security measures inplace at stakeholdersInterventionIn extreme cases, NESA should be able to directlyintervene when an entity’s activities are leading tounacceptable national security risksNESA UAE information assurance standards providerequirements to implement information security controls toensure protection of information assets and supportingsystems across all entities in the UAE. By complying withNESA standards, organizations can ensure the following: Protection of information assets 20172017 ACFE Fraud Conference Middle East9
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS Compliance with UAE regulations Mitigation of identified information security risks Implementation of effective controls Establishment of a secure culture by raising awarenessSecuring National Critical InfrastructureMulti-factor authentication is “the Solution” tohacking, says DarkMatterInterconnectivity – be it with respect to digitalnetworks in general or banking systems – needs totake into consideration the cascading effects of abreach and mitigate against them. Given that thelatest incident in Russia was likely orchestratedusing falsified client credentials, which has becomea preferred method of bank system hacking,DarkMatter advises the use of multi-factorauthentication to accounts, so that even if apassword is stolen and access to a system gained,the hackers are not able to access any accounts ortransactions without the corresponding token orbiometric for the account.Source: CPI Financial, 5th of December 2016.The UAE is a place where new and emerging technologiesare quickly adopted by government and enterprises in aneffort to drive business growth. As reported by FridayMagazine,4 in the United Nations InternationalTelecommunications Union’s recent “GlobalCybersecurity Index” that was released back in January2016, the UAE ranked among the top 20 countries in theworld. The index measures cybersecurity aspects such aslegislation, regulation and compliance, capacity building,and international cooperation.4Friday Magazine, UAE government among top 20 in cybersecurity,by Shiva Thekkepat. 20172017 ACFE Fraud Conference Middle East10NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSMany industry experts say that the UAE government hasoutpaced European countries in cybersecurity preparedness,protecting the country’s critical national infrastructure inthe face of growing cyber threats. The country aspires to beamong the best countries in the world by 2021 throughUAE Vision 2021.ISO/IEC 27001:2013The general scope of the International Standard,International Organization for Standardization (ISO),5 andthe International Electrotechnical Commission (IEC)6under the joint ISO and IEC subcommittee 27001:2013:Information technology – Security techniques – Informationsecurity management systems – Requirements specify therequirements for establishing, implementing, maintaining,and continually improving an information securitymanagement system within the context of the organization.This International Standard also includes requirements forthe assessment and treatment of information security riskstailored to the needs of the organization. The requirementsset out in this International Standard are generic and areintended to be applicable to all organizations, regardless oftype, size, or nature.The ISO/IEC 27000 family of standards helpsorganizations keep information assets secure. Using thisfamily of standards will help your organization manage thesecurity of assets such as financial information, intellectualproperty, employee details, or information entrusted to youby third al Organization for rnational Electrotechnical Commission 20172017 ACFE Fraud Conference Middle East11NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSISO/IEC 27001 is the best-known standard in the family,providing requirements for an information securitymanagement system (ISMS). An ISMS is a systematicapproach to managing sensitive company information sothat it remains secure. It includes people, processes, and ITsystems by applying a risk management process.It can help small, medium and large businesses in anysector keep information assets secure.Brief HistoryISO/IEC 27001 is derived from BS 7799 Part 2, firstpublished as such in 1999.BS 7799 Part 2 was revised by BSI in 2002,explicitly incorporating the Plan-Do-Check-Actcyclic process.BS 7799 part 2 was adopted as ISO/IEC 27001in 2005, with various changes to reflect its newcustodians.The standard was extensively revised in 2013,bringing it into line with the other ISO certifiedmanagement systems standards and droppingexplicit reference to Plan Do Check Act (see figureon the following page). 20172017 ACFE Fraud Conference Middle East12NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSNOTESSource: Netgrowth Ltd 2014A high-level outcome of adhering to the above standard isif organizations that meet the standard may be certifiedcompliant by an independent and accredited certificationbody on successful completion of a formal complianceaudit.The structure of the ISO/IEC 27001:2013 is best depictedby: 0: Introduction—The standard uses a processapproach. 1: Scope—It specifies generic ISMS requirementssuitable for organizations of any type, size, or nature. 20172017 ACFE Fraud Conference Middle East13
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS 2: Normative references—Only ISO/IEC 27000 isconsidered absolutely essential to users of ‘27001: theremaining ISO 27000 standards are optional. 3: Terms and definitions—A brief, formalizedglossary, soon to be superseded by ISO/IEC 27000. 4: Context of the organization—Understanding theorganizational context, the needs and expectations of“interested parties,” and defining the scope of theISMS. Section 4.4 states very plainly that “Theorganization shall establish, implement, maintain, andcontinually improve” a compliant ISMS. 5: Leadership—Top management must demonstrateleadership and commitment to the ISMS, mandatepolicy, and assign information security roles,responsibilities and authorities. 6: Planning—Outlines the process to identify, analyzeand plan to treat information risks, and clarifythe objectives of information security. 7: Support—Adequate, competent resources must beassigned, awareness raised, documentation preparedand controlled. 8: Operation—A bit more detail about assessing andtreating information risks, managing changes, anddocumenting things (partly so that they can be auditedby the certification auditors) 9: Performance Evaluation—Monitor, measure,analyze and evaluate/audit/review the informationsecurity controls, processes, and management system inorder to make systematic improvements whereappropriate. 10: Improvement—Address the findings of audits andreviews (e.g. nonconformities and corrective actions),make continual refinements to the ISMS Annex A Reference control objectives and controls:A little more in fact than a list of titles of the controlsections in ISO/IEC 27002. The annex is ‘normative’, 20172017 ACFE Fraud Conference Middle East14NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSimplying that certified organizations are expected to useit, but they are free to deviate from or supplement it inorder to address their particular information risks. Bibliography—Points readers to five related standards,plus Part 1 of the ISO/IEC directives for moreinformation. In addition, ISO/IEC 27000 is identified inthe body of the standard as a normative (i.e., essential)standard, and there are several references to ISO 31000on risk management.Sometimes a Picture Is Worth a Thousand WordsSource: DarkMatterISO/IEC 20000-1:2011Further, ISO/IEC 20000 is another international ITstandard that allows organizations (Ministries) todemonstrate excellence and prove best practice in ITmanagement. ISO/IEC 20000 Information technology -Service management -- Part 1: Service management systemrequirements ensures that companies can achieve evidence- 20172017 ACFE Fraud Conference Middle East15NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSbased benchmarks to continuously improve their deliveryof IT services.ISO/IEC 20000 was released in 2005 based on the ITinfrastructure library (ITIL ) best practice framework, andupdated in 2011. By definition, Information TechnologyInfrastructure Library, which is more formally known asITIL, is a set of practices for IT service management(ITSM) that focuses on aligning IT services with the needsof business. See the ITIL Framework below.Source: WikipediaWe have seen the adoption of ISO/IEC 20000 grow rapidlywithin the UAE, especially within Abu Dhabi and Dubai.This standard has most definitely become a competitivedifferentiator for delivery of IT services. 20172017 ACFE Fraud Conference Middle East16NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSWe have seen the implementation of ISO/IEC 200001:2011 used most recently by: Organizations seeking services from service providersand requiring assurance that their service requirementswill be fulfilled; Organizations that require a consistent approach by allits service providers, including those in a supply chain; Service providers that intends to demonstrate itscapability for the design, transition, delivery andimprovement of services that fulfil servicerequirements; Service providers to monitor, measure and review itsservice management processes and services; Service providers to improve the design, transition,delivery and improvement of services through theeffective implementation and operation of the SMS;and Assessors or internal auditors as the criteria for aconformity assessment of a service provider’s SMS tothe requirements in ISO/IEC 20000-1:2011.Brief HistoryISO 20000 is comprised of two parts: aspecification for IT Service Management (ISO20000-1) and a code of practice for servicemanagement (ISO 20000-2).ISO 20000 was formerly called BS 15000 and wasdeveloped by the British Standards Institutions(BSI), an international standards testing andcertification organization.High-level benefits of ISO/IEC 20000 include but are notlimited to: Achieve international best practice standards of ITservice management. 20172017 ACFE Fraud Conference Middle East17NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS And bragging rights! Develop IT services that are driven by and supportbusiness objectives. This is where a vast number of organizations have avoid in their ITSM. Integrate people, processes, and technology to supportbusiness goals. Interaction and communication are key elements ofsuccess. Put in place controls to measure and maintain consistentlevels of service. Operating and Service Level Agreements andmonitoring of these approved agreements. ISO/IEC 20000 is compatible with ITIL to supportcontinual improvement. The continual improvement lifecycle is critical tomaintain, best practice IT Services and engagedemployees!Source: DarkMatterThe illustration above is known among ISO Lead Auditorsas a Service Management System, which includes the 20172017 ACFE Fraud Conference Middle East18NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDSservice management processes. The service managementprocesses and the relationships between the processes canbe implemented in different ways by different serviceproviders. The nature of the relationship between a serviceprovider and the customer will influence how the servicemanagement processes are implemented.Closing ThoughtsAlthough ITIL was often addressed as a de facto standardin IT Service Management, it is important to statethat ITIL is a best practices library; it is NOT a standard. As such, ITIL is not fully auditable. ISO/IEC 20000,on the other hand, is an auditable norm.Revealed: Cyber Attacks That Hit UAE in 2016While businesses are investing more incybersecurity, hackers continue to penetratenetworks, pilfering money and customer data in theprocess. Cash from ATM machines are still beingstolen. Fraudulent credit cards still abound andhighly sensitive data are still being leaked. TheUAE is no exception. According to Kaspersky Lab,there were a number of cyber attacks detected inthe country this year. One of these threats targetedautomated teller machines (ATMs) in order to stealmoney from bank customers.Source: Gulf News, 19th of December 2016.Putting It All TogetherThere was a significant amount of thought and effort tocreate the UAE IA Standard. For example, the developmentof the UAE IA Standards is based on regional and globalbest practices including, but not limiting to: ISO/IEC 27001:2005, 27002:2005, 27005:2005,27010:2012, and 27032:2012 NIST 800-53 Revision 4 20172017 ACFE Fraud Conference Middle East19NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS Abu Dhabi Systems & Information Centre (ADSIC) Abu Dhabi Information Security Standards Version 1and Version 2, The Center for Internet Security Critical SecurityControls for Effective Cyber Defense is a publication ofbest practice guidelines for computer security:Top 20 Critical Security Controls for Effective CyberDefense Version 4.1 to name a few!Pictorially, there is a comparison chart that has beenprepared by the development UAE IA team. Below is asmall snippet of the Comparison Chart.Speed Bumps to Avoid on the Implementation.Speed Bumps to Avoid on the implementation of UAE IA,ISO 27001, or ISO 20000 for UAE specific organizationsinclude but are not limited to: Critical foundation Risk Assessment Organizational business services IT service catalogue Map business and IT services 20172017 ACFE Fraud Conference Middle East20NOTES
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS “Lone Assets” One to many, Many to one Scope and Objective Must be defined and agreed upon Mitigation of prior internal audits, risk assessments,penetration testing and/or vulnerability assessments Mitigation should be completed within 12 months;if possible Documentation availability and quality ofdocumentation Substance versus Form Cultural sensitivity We live in and work in a multi-cultural environment Service Level and Operation Level Agreements Service Level Agreements: Key PerformanceIndicators Operation Level Agreements: Are “they” meetingexpectation “Lost in Translation”Frequency of control versus “we’ve done it” Evidence, evidence, evidence Thank you for your participation. Questions surroundingthis paper can be directed to:José Luis Carrera Jr. , CFE, CIA, CRMADirector of Governance, Risk, and ComplianceLevel 15, Aldar HQAbu Dhabi, United Arab EmiratesT 971 2 417 1417M 971
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS, BUT AVOIDING THE SPEED BUMPS Learn sound best practices with ISO 27001, ISO 20000, and the United Arab Emirates’ Information Assurance Standards. This session provides a road map to successful
