
16-Apr-19

I. 3. ISO 19600
• High Level Structure: (i) Context of the organization (ii) Leadership (iii) Planning (iv) Support (v) Operation (vi) Performance evaluation (vii) Improvement

Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions.
Whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

Security roles and responsibilities. The Office 365 security policies address purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations providing some level of support for the security of Office 365. Office 365 security policies contain rules and requirements that must be met in the delivery and operation of Office 365. Office 365 employees and contingent staff are accountable and responsible for complying with these guiding principles in their designated roles.

Control
Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. Check whether management demonstrates active support for security measures within the organization. This can be done
II. 3. ISO 37001


• Common framework for a management system for the risks of corruption and bribery.
• Important for companies with international commercial activity.
• It includes risk management as an essential part of a compliance management system and is based on the Risk-Based Approach (RBA) principle.
• It focuses on compliance as part of the organization's culture and emphasizes that compliance is the responsibility of the governing body rather than simply an internal function.
• Essential in jurisdictions with extraterritorial legislation (USA, United Kingdom) in order to be able to operate with companies from those countries.
• Establishes a specific management system, which can be included in a general compliance management system.
• It incorporates requirements and is therefore certifiable.
• It is applicable to organizations of any size and sector.
• It follows the High Level Structure common to all international ISO management system standards, so it can be integrated with other management systems.
• Specific controls designed to prevent bribery (gifts and hospitality, facilitation and extortion payments, hiring procedures, due diligence measures, etc.)
• It contains practical annexes with concrete, specific examples and recommendations.
II. 4. UNE 19601
• It has a High Level Structure
• Easy to synchronize with other standards
• Possibility of integrating management systems, eliminating duplication
• Certifiable standard
• Practical standard: committed to the Deming P-D-C-A cycle structure; it is not a project with an end date
• Security in legal dealings within the supply chain
• Assessment in judicial proceedings of the need for a culture of compliance

Office 365 segregates duties and areas of responsibility to reduce opportunities for unauthorized use, unintentional modification, or misuse of the organization's assets. Office 365 teams have defined roles as part of a comprehensive role-based access control mechanism. Additionally, each Office 365 team has identified role pairs that, if assigned to a single person, would allow for malicious activity without collusion.

However, Annex A to ISO/IEC 27001 outlines a suite of information security controls that the management system would typically be used to manage, provided they are in fact applicable to the organization (which depends on its information security risks). The security controls in Annex A are explained in much more detail in ISO/IEC 27002, and in various other standards, laws, regulations etc.

... Computer Emergency Readiness Team (US-CERT) to ensure appropriate action can be quickly taken and advice obtained when necessary. Office 365 relies on Microsoft's global criminal compliance and Corporate, External, and Legal Affairs (CELA) teams for contacts with law enforcement. Roles and responsibilities for managing and maintaining these relationships are defined.
Office 365 establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel. Office 365 has partnered with the Microsoft Trustworthy Computing Team to maintain contacts with external parties such as regulatory bodies, service providers, and industry organizations to ensure appropriate actions can be quickly taken and advice obtained when necessary.

A management authorization process for new information processing facilities shall be defined and implemented.
Leadership
a. Leadership
• Chapter 5
• Art. 5.1.1 Governing body
• Art. 5.1.2 Criminal compliance body
• Art. 5.1.3 Senior management
• 5.2 Compliance policy
• 5.3 Roles, responsibilities and authorities in the organization
5.1.1: GOVERNING BODY: 20 REQUIREMENTS - LEADERSHIP and COMMITMENT (executive decisions that ensure the approval, application and effectiveness of the SGCP) - MUST:
• VALUES OF THE ORGANIZATION: promote a culture of criminal compliance and act in accordance with the legal order
• CRIMINAL COMPLIANCE MANAGEMENT SYSTEM (SGCP): adopt, implement, maintain, improve
• PROVIDE FINANCIAL, material and human RESOURCES
• APPROVE THE COMPLIANCE POLICY
• ENSURE THE EFFECTIVENESS OF THE SGCP: periodically review and modify as necessary
• CRIMINAL COMPLIANCE BODY: establish it and endow it with autonomous powers of initiative and control
- WILL OF THE ORGANIZATION: ensure procedures to:
• Specify how the will is formed
• Take decisions
• Execute decisions

Whether the services, reports and records provided by the third party are regularly monitored and reviewed.
Whether audits are conducted on the above third party services, reports and records at regular intervals.
Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed.
Does this take into account the criticality of the business systems and processes involved and the re-assessment of risks?
COMPLIANCE BODY: 28 REQUIREMENTS + 5 RECOMMENDATIONS RELATED TO 4 AREAS
- FUNCTIONS:
• RISK MANAGEMENT: identify and manage
• JOB POSITIONS: include compliance responsibilities and performance evaluation
• TRAINING: ensure training support
• DOCUMENTED EVIDENCE: promote an information and documentation system
• INFORMATION MANAGEMENT: adopt and implement processes
• OPERATION: ensure employees have access to compliance resources; inform the governing body (OdG)
• PERFORMANCE EVALUATION: establish indicators, measure / analyze performance
• SGCP REVIEW: ensure periodic review
• CONTINUOUS IMPROVEMENT: promote and supervise
- CAPABILITIES: EVIDENCE OF COMMITMENT
• Absence of conflict of interest
• Integrity
• Communication skills, ability to influence
• Capacity and prestige
• Competence
- GUARANTOR OF THE SGCP: supervision, surveillance and control + resources and personnel
- INDEPENDENCE: access to the governing body (OdG) and an adequate position in the organization
5.1.3: 15 REQUIREMENTS RELATED TO EXECUTION AND SUPPORT FUNCTIONS
- SGCP:
• Ensure its implementation
• Deal effectively with criminal risks
• Guarantee the incorporation of the SGCP into the organization's processes
- RESOURCES: guarantee their availability
- PERSONNEL:
• Comply and make others comply
• Communicate its importance internally
• Direct and support
- CONTINUOUS IMPROVEMENT:
• Promote it
• Support management roles
- REPORTING / COMMUNICATION:
• Encourage the use of reporting channels and procedures
• Guarantee the protection of those who report and their freedom from reprisals
DELEGATIONS BY SENIOR MANAGEMENT IN CRIMINAL RISK AREAS > REQUIRE PROCEDURES AND CONTROLS THAT GUARANTEE DECISIONS FREE OF REAL OR POTENTIAL CONFLICTS OF INTEREST
CULTURE AND FUNCTION OF COMPLIANCE
b. Compliance Culture
Compliance policy
• Compensation systems for compliance achievements
• Evaluation of employees before hiring
• Continuous training
• Continuous, open and adequate communication
• Visible recognition of compliance management achievements
• Ethical leadership: "tone at the top"
• As a person's hierarchical responsibility in an organization increases, so do their visibility and their ability to influence the behavior of others.
• The way the members of Senior Management act (their behavior) drives the way the rest of the individuals that make up the organization act: a visible, consistent and sustained commitment over time to a common standard of behavior
• The business culture must be an element that positively influences the behavior and attitude of all those who make up the organization: a culture of compliance
Change the perception of detection and punishment
Reduce / eliminate behavioral bias
Strengthen the role of moral considerations
Improve the culture (eliminate undue environmental influences / group pressure)
• Application of fast and proportionate disciplinary measures
• Consistency of treatment regardless of position
• Clear criminal compliance policy
• Compensation systems that assess the achievement of criminal compliance objectives
• An appropriate induction or orientation program that emphasizes criminal compliance and the values of the organization
• Tone at the top (respect for and application of the rules from above)
• Recognition of compliance achievements
• Continuous, open and adequate communication
The SGCP: Context and Planning
c. The SGCP - Context
• The SGCP must be appropriate to the circumstances of the organization and the environment in which it operates.
• Chapter 4 deals with the aspects related to this (designing the management system, maintaining it and continuously improving it).
• Understand the organization and its context
• Understand the needs and expectations of interested parties
• Determine the scope of the SGCP
• Art. 4.1: adequate knowledge of the internal and external circumstances of the organization, as they condition the design, maintenance and improvement of its management system.
• A criminal compliance management system is only adequate when it is proportional to the circumstances of the organization and is aimed at the risks that truly threaten it.
• Size and structure of the organization
• Locations and sectors in which it operates or plans to operate
• Nature, scale and complexity of its activities
• Members of the organization and business partners
• The "Circular 1/2016 on the criminal liability of legal persons in accordance with the reform of the Criminal Code made by Organic Law 1/2015": "the organization and management models must be perfectly adapted to the company and its specific risks"
• Art. 4.2: it is necessary to determine the interested parties and their requirements to be considered within the SGCP (for example: regulators, administrative authorities, shareholders / investors, consumers and users)
• Art. 4.3: objective and subjective scope of the SGCP.
• The scope of the SGCP is related to the criminal risks that affect the perimeter formed by the members of the organization and its business partners.
• Art. 4.4: the organization adopts, implements, maintains and continuously improves an SGCP, which includes the necessary policies, processes and procedures as well as their interactions, in accordance with the requirements established by the Standard.
c. The SGCP - Planning
• Chapter 6
• 6.1 Actions to deal with risks and opportunities
• 6.2 Identification, analysis and evaluation of criminal risks
• 6.3 Crime prevention objectives and planning to achieve them
Section 6.2 of the UNE Standard adopts the classic division of criminal risk assessment into three activities: identification, analysis and evaluation. Identification: knowing which potentially criminal behaviors could give rise to the criminal liability of the legal person, having regard to the concrete circumstances of the organization. Analysis: determining the probability that they materialize and what their consequences would be in that case. This analysis is what finally allows criminal risks to be evaluated. Evaluation: prioritizing criminal risks and, therefore, the resources devoted to their prevention, detection and management, with emphasis on those that pose a greater than low risk.
The SGCP: Planning and operational control
Whether a management authorization process is defined and implemented for any new information processing facility within the organization.