
Information Security Policies and Compliance – simplified?

SIGS - Technology Summit, June 2015

Introduction

› Peter Merker, Corporate Information Security Officer, [email protected], +41 22 780 2211

Security Policy Framework - old

› Security Policy Framework based on ISO/IEC 27002:2005; grown organically, published but mostly not enforced

› Policy adherence and compliance … a challenge

› Firmenich has been an Information Security Forum (ISF) member since 2011; in 2012 the decision was taken to review and update all Information Security Policies based on the ISF's Universal Control Framework, the Standard of Good Practice (SoGP)

Standard of Good Practice

Universal Control Framework:

› Covers all ISO/IEC 27002:2013 topics

› Covers all COBIT 5 for Information Security topics

› Comprehensive coverage of other control frameworks

› Regular updates to include emerging topics

Firmenich Policy Framework - new

Selection funnel (as shown in the slide diagram): Standard of Good Practice (118 topics)

› Risk Filter: keep the topics addressing the top IS risks

› Applicability Filter: keep the topics applicable to IS

› Balance Filter*: balance the remaining topics

*Balance Filter:

• Multi-national vs. Small

• Regulated vs. Non-Regulated

Outcome: 7 top-level policies covering 64 topics out of the 118 in the SoGP, endorsed and approved by Corporate Governance

How to measure compliance?

› The Benchmark is an online security assessment tool using questionnaires.

› These questionnaires are linked to the controls from the Standard of Good Practice.

› The Benchmark provides reports in formats that include compliance levels against the ISF Standard of Good Practice for Information Security, ISO/IEC 27002 and COBIT 5 for Information Security.

Example – Security Awareness Policy (slides 7 to 11)

Overview / Recap

Three elements and the links between them (as shown in the slide diagram): Security Policies, ISF Benchmark, The Standard

› Security Policies and ISF Benchmark: policy compliance questionnaire 2x per year

› The Standard and Security Policies: regular control framework review and policy update

› The Standard and ISF Benchmark: regular questionnaire refresh based on SoGP updates

What do we hope to get out of it?

› Regular updates of the SoGP will allow for regular review and update of the Security Policies

› The Benchmark is a web tool, easy to use and updated in accordance with SoGP revisions

› Firmenich policies are based on globally recognized standards and control frameworks

› The link between SoGP, Policies and Benchmark will allow us to qualify:

  › Compliance status and progress/trend with regard to the Security Policies

  › A standard way of measuring compliance and progress/trend against the overall and individual security policies

  › Firmenich's position in relation to other members in the same/different industries (benchmark ourselves, identify deficiencies, …)

› Next step: integrate IRAM2 into the process to verify Benchmark results for Infrastructure and Systems

Thank you.