Information Security Policies and Compliance – Simplified?
› Peter Merker, Corporate Information Security Officer, [email protected], +41 22 780 2211
Introduction
› Security Policy Framework based on ISO/IEC 27002:2005; grown organically, published but mostly not enforced
› Policy adherence and compliance … a challenge
› Firmenich has been an Information Security Forum (ISF) member since 2011; in 2012 the decision was taken to review and update all Information Security Policies based on ISF’s Universal Control Framework, the Standard of Good Practice (SoGP)
Security Policy Framework - old
Standard of Good Practice (Universal Control Framework):
› Covers all ISO 27002:2013 topics
› Covers all COBIT5 for Information Security topics
› Comprehensive coverage of other control frameworks
› Regular updates to include emerging topics
Firmenich Policy Framework - new
Diagram: the 118 topics of the Standard of Good Practice pass through three filters, each narrowing the set:
› Risk Filter: keeps the Top IS Risks
› Applicability Filter: keeps the topics applicable to IS
› Balance Filter *: balances the remaining topics
*Balance Filter:
• Multi-national vs. Small
• Regulated vs. Non-Regulated
Outcome:
› 7 top-level policies covering 64 topics out of the 118 in SoGP
› Endorsed and approved by Corporate Governance
How to measure compliance?
› The Benchmark is an online security assessment tool using questionnaires.
› These questionnaires are linked to the controls of the Standard of Good Practice.
› The Benchmark provides reports in formats that include compliance levels against the ISF Standard of Good Practice for Information Security, ISO/IEC 27002 and COBIT 5 for Information Security.
Overview / Recap
Diagram: Security Policies, the ISF Benchmark and The Standard (SoGP) form a cycle linked by:
› Policy compliance questionnaire 2x per year (Security Policies and ISF Benchmark)
› Regular control framework review and Policies update (The Standard and Security Policies)
› Regular questionnaire refresh based on SoGP update (The Standard and ISF Benchmark)
What do we hope to get out of it?
› Regular updates of the SoGP will allow for regular review and updates of the Security Policies
› The Benchmark is a web tool, easy to use and updated in accordance with SoGP revisions
› Firmenich policies are based on globally recognized standards and control frameworks
› The link between SoGP, Policies and Benchmark will make it possible to qualify:
  › Compliance status and progress/trend with regard to the Security Policies
  › A standard way of measuring compliance and progress/trend against overall and individual security policies
  › Firmenich’s position in relation to other members in the same/different industries (benchmark ourselves, identify deficiencies, …)
› Next step: integrate IRAM2 into the process to verify Benchmark results for Infrastructure and Systems