contract compliance framework

Download Contract Compliance Framework

Post on 22-Jan-2015




3 download

Embed Size (px)


This presentation describes how contract compliance service can be provided to aid organisations working on bids can quickly and effectively achieved. The key compliance areas include: Data Protection, Information security (ISO27001), PCI DSS, SOX & FSA. The author is a season risk management consultant with experience of quick win strategies and tactics to achieve the aims and goals of an exercise.


  • 1. Contract compliance service(Pre & post contract compliance) Ben Oguntala, LLB Hons, LL.MCEO PCI FSA DPA SOX 27K

2. EducationAbout the Author LLB HonsLL.M Financial/Securities regulation UK/EC competition law Forte Risk Management specialist Fraud compliance Consultant Compliance specialist Data Protection specialist Information Security Consultant Outsourcing compliance Merger & acquisition due diligence Previous clients British Gas Vodafone Orange O2 Telefonica UK RWE NPower CEO Riesgo Risk Management BNP Paribas Ministry of Justice (London Probation) Telephone 07812 039867 Revenue & Customs Nortel/Motorola/Ericsson/Nokia Contract compliance is a value add solution that assists CapGemini Organisations involved in the activities of gathering compliance BT Evidence in support of a bid or contract. KPMG & Cisco 3. IntroductionRiesgo Compliancesolution Riesgo Risk Management solution is a service that is designed toFramework setup continuously monitor & maintain an organisations compliance to key Ongoing regulatory standards in a bid to compliance support project tenders. It monitors and maintains compliance Core Add on compliancecompliance in order to ensure that projectfunctions functions requirements are dealt with as time efficiently as possible.PCIFSADPA SOX 27KGaps & remediation The solution offers assurance to the parties in a contract and enables a fast response to project requirements for compliance.ProjectsProjects Projects 4. 1 New or recurring client Project bidinitiatedCompliance 2 Recurring clientsEnd client set up report on Riesgo RMwould start at 6 generated8 Generation of compliance report in accordance with customer requirements in 3. Riesgo RM Final compliance Audit compliance cycle 3 Definition of Scope definition the clients agreedrequirements7 Final audit confirmationthat the gaps are filled initial4 Initial setup and auditRemedial work compliance implementation audit6 Remedial work to Compliancefill the gap identified report withremedial work 5 Compliance report based on 4 5. Compliance in Contract bids/tenders RegulatoryOrganisationProcessesDPAISMS forumPolicies and proceduresSOX Incident managementSecurity management FSABusiness continuity planning Management structurePCI Audit ISO 27001 3rd parties & outsourcing Security operations Every contract has an element of compliance requirement associated with it. In view of the fact that quite often, contract will include access to client data, it is reasonable to assume at minimum there are a few sets of standards, regulatory requirements that would apply.The service we provide is an ongoing compliance monitoring that allows an organisation to cost effectively respond to project requirements for compliance report & evidence. 6. Our services: Regulatory compliance The solution we provide will enable a client todemonstrate their compliance with thefollowing regulatory requirements: DPA Data Protection Act Applicable in the UK and Europe SOX Applicable to companies trading in the US stockexchange FSA financial services Authority Applicable to organisations that are regulated by theFinancial services Authority PCI Applicable to organisations that handle or transmitpayment card services ISO 27001 Applicable to all organisations with IT system that havean obligation to operate a secure system 7. Our services: Organisational framework The solution we provide can demonstrate anorganisations, information security structureand architecture fairly easily as well as acontinuous assessment of compliance. ISMS forum A management structure that handles informationsecurity issues and access to senior management onsecurity related matters Security management The involvement of security in the operation of theorganisation, the like between business units and themanagement team. Management structure Demonstrating the link between business managementteams and their security responsibilities as well asengagement. 3rd parties and outsources Demonstrating that adequate processes and controls arein place between the organisation and 3rd parties. Where there is outsourcing in place, can demonstratethat there tentacles of security are extended to theoutsourcing parties in the form of policies andprocedures. 8. Our services: Processes The solution we provide can demonstrate the client has adequate processes in place to meet the project requirements. Policies Policies are listed in a central repository and reviewed frequently Policies are associated with procedures and guidelines and also frequently reviewed Incident management Incident reporting from the clients business units, 3rd parties or outsourcing partners Incident management register Risk register Business continuity plan BCP policies, procedures and test schedules Audit Internal and External audits with fixes for non compliances Security operations Security management structure Security points of contact per business unit 3rd party security points of contact Asset register Risk management framework 9. Solution organisation Executive summary Common functionsoverview ManagementPoliciesProcedures Processes Contract compliance dashboardPCI Added functions Non compliancesFSAGap analysis Remedial actionTheSetup DPA clientImplementation Compliance ProjectSOX Audit compliancerequirements Risk report27K PCI Compliance reportFSAReportsDPA SOX 27K 10. ComplianceFSAPCISOXDPAmatrix requirementsrequirements requirementsrequirementsCore DPACore SOXCore FSA Core PCI ISO27001Business continuitySecurity organisation Compliance monitor Training & awareness FSA100% Policies & proceduresPCI100%Asset managementSOX80%HR securityDPA97% Physical & 27K80% environmental securityIncident management ComplianceChange managementAccess control 11. Implementation projectGap analysisProject design Implementation Roll outStage 1Stage 2 Stage 3Stage 4 Assess your current Designing your Once the HLD isTaking stage 3estate & your requirements based designed and signedobjectiveson the result of off, we initiate theand Release of your BRS stage1 implementation and methodically Scope definition Release of the HLD across a portion ofrolling out theto be signed off your estatesolution to the We confirm that all the adaptors can rest of your trigger implementation project can take up to 6 months and 3 Man resources. The number of resources may vary due to the scope of the project.The costs associated include: -Software licence - incident management licence -Support and maintenanceThe solution is designed to be a cost effective means to curtailing fraud within your estate. 12. Contact details Ben Oguntala Email Telephone +44 7812 039 867


View more >