Security and Quality
Kamlesh Bajaj, CEO, DSCI
May 23, 2009, NASSCOM Quality Summit, Hyderabad
A NASSCOM® Initiative

Page 1

Page 2

IT Services Management

IT Operations: shifting from a technology-led, siloed structure into a process-centric, service-oriented organization.

Organizing framework: links technology components in the infrastructure to the process steps that exist within IT.

Guiding framework: links IT processes to business activities and creates service-level metrics.

IT management frameworks (ISO, CMMI, ITIL) are generic frameworks and must be tailored to the specific needs of a company. They:

1. Improve the management of IT
2. Allow a systematic and least disruptive path to adoption
3. Support IT governance imperatives
4. Integrate new technologies and architectures into a service-oriented operation

1. ISO 20000: focus on certification
2. CMM: describes process maturity
3. CMMI: emphasizes process improvements
4. ITIL: defines and leverages best practices for management and operations of the IT organization

IT management frameworks organized into six logical subject areas:

1. Project management (PMBOK, PRINCE2, ...)
2. Software development (TickIT, Agile, MSF, IT CMM, ...)
3. Process management (Software CMM, CobIT, ISO 15504, Six Sigma, TOGAF, ...)
4. Service management (ISO 20000, ISO/IEC 38500, ITIL, MOF, eTOM, ...)
5. Security management (ISO 27001, ...)
6. Strategy (Balanced Scorecard, ...)

Page 3

IT Frameworks benefit both business and IT

Six Sigma and ITIL
1. Facilitate business and IT alignment through quality
2. Help deliver high-quality IT services at minimum cost to the business
3. Provide both process and performance improvements
4. Six Sigma focuses on process; ITIL on best practices for delivery and support of IT services

CMM and ITIL
1. Help streamline infrastructure and development processes
2. ITIL focuses on service management (operations); CMM on the maturity of the organization that develops and maintains software
3. Interdependencies through three key processes: change management, configuration management, and release management

CobIT and ITIL
1. CobIT is used to measure ITIL, in which the 'how' of detailed tasks and steps is absent
2. CobIT defines 34 processes; its performance measures define key performance indicators that ITIL processes must deliver against

Page 4

Security and QA in SOX Compliance

SOX compliance
1. The controls and monitoring practices required are not new to QA
2. Companies with strong QA groups are ahead in SOX compliance

QA's independence
1. Independence from applications development, together with the checks and balances performed by QA groups, ensures adherence to best practices
2. Implementing formal QA standardizes and documents current processes for improvement; those practices can then be leveraged for continued SOX compliance

Restructuring of organizations
1. IT shops are making testers part of centralized testing teams, not of development teams
2. Testing is moving out of development and into operations
3. This mirrors the independence of the security organization from IT operations
4. Many IT functions, including quality assurance, security, architecture, and compliance, need some level of independence to avoid conflicts of interest

Page 5

QA and Security groups: synergize for Compliance

QA is important for compliance
1. Adds value through formal process
2. Audit is not a one-time exercise; process helps culture change
3. Continual verification, validation, and audit processes via QA assist in changing culture while improving overall delivery practices
4. The nature of QA is to develop, review, and document test plans and SDLC practices; the essence of QA is the auditability of processes
5. Leveraging QA practices assists in ensuring IT compliance

Section 404 of SOX (and COBIT) requires that internal controls be in place, but does not specify how:
1. QA's primary role is to validate processes and document findings in the SDLC
2. Employing similar QA practices to validate compliance with SOX gains additional value
3. Using existing QA processes brings visibility to detect potential risks of noncompliance, as well as to plan strategies for correction and validation

QA role expansion: application development and delivery processes are expanded to include compliance-related issues such as risk, change control, and release management.

Page 6

Triumph of Quality Management Frameworks

Page 7

Framework for a Systematic, Comprehensive Approach to Information Security


Page 8

DSCI Best Practices: Data Security and Data Privacy (inputs to the framework)

Standards and frameworks
- Security Management: ISO 27001
- IT Governance: CoBIT
- Security Standards: ITU-T X.1051
- Security Practices: NIST SP 800 series
- Risk Management: OCTAVE | COSO | FMEA
- Infrastructure Management: ITIL | ISO 20000

Legal & Regulatory Requirements (privacy and compliance regulations)
- EU Privacy Directives
- US: FTC directives, Patriot Act
- GLBA
- HIPAA
- Australia: Privacy Act 1988; APAC
- Canada: PIPEDA
- India: IT (Amendment) Act, 2008
- UK: Data Protection Act 1998
- PCI-DSS

Knowledge Collaboration
- Security market research
- Academic collaborations
- Industry best practices
- Data Protection Authorities
- Legal forums
- Technology forums

Technology and Vendor Interactions
- Architecture principles
- Product and solution trends
- Vendor forums and interactions
- Technology advancement
- Solution categories
- Security technology trends
- Security vendor collaboration

DSCI Data Protection Practices
• Mapping to compliance regulations
• Adoption of leading practices
• Micro level & customized
• Ease of implementation

Page 9

Best Practices: Data Security and Privacy

Mapping of compliance regulations to control identification (HIPAA example):

| HIPAA clause        | Requirement            | Best-practice domain | Control           |
|---------------------|------------------------|----------------------|-------------------|
| 164.310(d)(2)(iv)   | Data backup & storage  | Back-up              | Media handling    |
| 164.310(d)(2)(i)    | Disposal               | Physical security    | Equipment security|
| 164.312(a)(2)(i)    | User identification    | Access control       | User management   |

Further controls identified in the mapping:
- Privileged account management
- Access to personal information
- Controls against mobile code
- Reporting security events
- Access

Best Practice Framework
- Security: ISO 27001; best practices; industry standards; global best practices; technology trends
- Privacy: OECD Principles; privacy principles

Page 10

Thank You
