Chef: Compliance @ Velocity

Posted on 16-Jul-2015

Transcript of Chef: Compliance @ Velocity

Compliance @ Velocity

Justin Arbuckle VP EMEA, Chief Enterprise Architect - CHEF

The promise of the coded business

(diagram labels: journey time, quality, std., SCALE, VELOCITY, CONSISTENCY)

Transformation to high-velocity through standards

Regulatory compliance frameworks

• OFAC
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Red Flags Rule
• Bank Secrecy Act
• Sarbanes-Oxley
• Regulation E
• Dodd-Frank
• False Claims Act
• HIPAA
• European Central Bank regulations
• Prudential Regulation Authority
• Financial Conduct Authority
• HITECH
• PCI DSS

All of these entail action by IT Security, Internal Audit, IT Audit and Compliance officers.

The compliance cycle

4 Rule Types

Axes: Now / Later and How / What

Sequence
• Authentication before action
• Authentication in AD and ITSM
• Security review before production deployment

State
• Customer data and Form data not logically co-resident
• NTP installed
• SE Linux installed AND Centrify Agent
• Digital Guardian and NOT sudo

Supervision
• Audit trail of changes and approval

Scope
• Third party access via named accounts.
• Splunk access to global logs only.
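The slide lists rule types without showing how they become policy-as-code. The following is an added example, not code from the talk or from Chef: it encodes the State rules from the slide as predicates over a node's installed-package list and the two Sequence rules as ordering checks over a change event log. The package names, event shapes and sample data are constructed for illustration.

```ruby
require 'set'

# State rules: predicates over the set of packages present on a node.
# Package names are assumptions chosen to match the slide's wording.
STATE_RULES = {
  "NTP installed" => ->(pkgs) { pkgs.include?("ntp") },
  "SE Linux installed AND Centrify Agent" =>
    ->(pkgs) { pkgs.include?("selinux") && pkgs.include?("centrify-agent") },
  "Digital Guardian and NOT sudo" =>
    ->(pkgs) { pkgs.include?("digital-guardian") && !pkgs.include?("sudo") },
}

# Returns { rule name => true/false } for one node's package list.
def evaluate_state(packages)
  pkgs = packages.to_set
  STATE_RULES.transform_values { |check| check.call(pkgs) }
end

# Sequence rule: every `action` event must be preceded by a `prereq` event
# sharing the same key (e.g. the same user or the same change id).
def sequence_satisfied?(events, prereq:, action:, key:)
  seen = Set.new
  events.each do |ev|
    seen << ev[key] if ev[:type] == prereq
    return false if ev[:type] == action && !seen.include?(ev[key])
  end
  true
end

SEQUENCE_RULES = [
  { name: "Authentication before action",
    prereq: :authenticate, action: :change, key: :user },
  { name: "Security review before production deployment",
    prereq: :security_review, action: :prod_deploy, key: :change_id },
]

# Returns { rule name => true/false } for one event log.
def evaluate_sequence(events)
  SEQUENCE_RULES.to_h do |r|
    [r[:name], sequence_satisfied?(events, prereq: r[:prereq],
                                   action: r[:action], key: r[:key])]
  end
end

# Constructed sample data: sudo is present (violates a State rule) and the
# production deployment happens with no security review (violates a Sequence rule).
SAMPLE_PACKAGES = %w[ntp selinux centrify-agent sudo]
SAMPLE_EVENTS = [
  { type: :authenticate, user: "alice", change_id: "CHG-1" },
  { type: :change,       user: "alice", change_id: "CHG-1" },
  { type: :prod_deploy,  user: "alice", change_id: "CHG-1" },
]

if __FILE__ == $0
  puts evaluate_state(SAMPLE_PACKAGES)
  puts evaluate_sequence(SAMPLE_EVENTS)
end
```

Run against a real inventory and audit trail, the same two functions give the continuous pass/fail signal the later "single accelerated cycle" slide relies on, rather than a periodic manual review.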

Reconciling compliance and velocity

changing stereotypes of compliance / audit / security

Chicken / Pig

Interpret / Express

Periodic / Continuous

A single accelerated cycle

Practical Stuff

1. Identify an initiative that is on your compliance dashboard
2. Scope a narrow pilot to implement policy-as-code
3. Embed appropriate compliance staff in the project
4. Jointly define what you wish to standardize with policy
5. Improve standardization over multiple iterations
6. Re-allocate the team to spawn other policy-as-code projects in other areas

@dromologue #CATV #Compliance@Velocity