ITIL : 2.8 Compliance Manager

2.8 Compliance Manager:
We are not lawyers and we do not offer legal advice, but what we do complies with legal advice and good practice.
Every application service has certain legal obligations that transcend all other business requirements.
It is a legal obligation to only deliver computer application services that fully comply with the law of the country that they operate in - ignorance of the law is no defence.
The Compliance Manager must ensure that only legal application services are delivered and that those application services cannot be used for illegal purposes - sticking to industry best practices is the best way to stay on the right side of the law.

Compliance Management:
Every business has a legal obligation to protect its own information.
* It is not acceptable for any business email to be stored on any laptop, smart phone or mobile device that may be lost or stolen. It is very easy to retain all business emails in the cloud where they cannot be deleted and cannot be accessed by unauthorized persons.
* It is not acceptable for any business document to be stored on any laptop, smart phone or mobile device that may be lost or stolen. All business documents are retained in the cloud in compliance with the Data Protection Act, where they cannot be lost, overtyped, corrupted or stolen.

Compliant:
Compliant means that the threat of fraud has been designed out of all application services - by design; all application services can be trusted by all parties.   Trust is created by all parties becoming aware that fraud is physically not possible no matter what people do.
By definition, nobody knows a way for a fraud to take place, but if a weakness is identified in an application service and data design, then please raise it as an application support request before compliance penetration consultants discover the weakness.

Threat Analysis:
Years of in-depth analysis by security auditors has identified that 90% of all fraud is caused by in-house staff who discover ways to hide their criminal actions. The role of compliance is to remove all possibilities of staff becoming criminals and to remove any possibility that a fraudulent action could remain undiscovered.
A task of the compliance officer is to root out any possible application service that may be defective and have it corrected so it could never be used for fraudulent purposes.   Internal penetration tests will test all paths and services to verify that no matter what a user does, they could not change what has been approved or change what has been billed.   At least four times each year, compliance testing is undertaken using every user role to discover if a user could emulate what should be done by a different user role or if a change could be made that was undetectable by others.

Legal Obligations:
SIS data flows across national boundaries and so it must be designed to military compliance and security specifications. Inter-Government legal audits could be involved and so each and every European Directive must be fully implemented, together with compliance with each country's local data protection laws. The Cloud Security Alliance (CSA) report can be viewed with a link from the application support page - this shows that Application Services are in the top 5% of secure application services.

Abstract:
Data ownership is very simple: the person (company) that authors any data owns that data.
Where a person from company XYZ enters some data into the service, then company XYZ owns that data and has a right to access that data at any time.
Facilities are available in every application for the raw data that is entered into that application to be extracted by the data owner.
{ASP} will use best endeavours at all times to help any customer extract all application data that they have authored.
Every company has the right to extract all application data and move it to another service at any time.

Warrant Canary:
The Compliance Manager issues a notice each month to CanaryWatch.Org that a gagging court order has NOT been issued. If a gagging court order has been issued, the Compliance Manager will NOT issue a notice that it has not been gagged. The lack of a notice each month is a fair and legal method to keep customers informed as to when a gagging legal order has been issued. CanaryWatch.Org shows a canary when all is well and shows a single feather if no notice has been issued. This is a trivial but very important activity that the Compliance Manager must do with diligence every month.

Law of the Land:
To cover ASP liabilities, the ASP places greater emphasis on compliance than may be implied by ITIL reference material.
One thing that is never done is to deliver a service that enables other people to break the law, even by accident.
For example, procedures must ensure that events cannot be back-dated to give the mistaken impression that they were done before they were actually done - history cannot be changed.
The ASP may get a lot of pressure from some users to permit errors to be corrected by changing the date on a document - the risk is that fraud may be enabled by such actions.

Business Emails and Documents:
Business emails and documents can contain critical information that would be illegal to store on any laptop, smart phone or mobile device that may be lost or stolen.
The Information Commissioner is now imposing big fines on companies that have a laptop stolen where it transpires that the company knowingly permitted the laptop to contain business information.
The Data Protection Act imposes very simple obligations on a company to protect business emails and documents, to ensure that they are not deleted at inappropriate times and cannot be accessed by somebody who steals the mobile device.

Data Access:
Data access may be restricted by company, branch, department and team.
Where a person enters application data, the company that pays that person will own title to the application data, but data access may be restricted as:
1. To the author's team - other teams will only process their own application data.
2. To the author's department - each department will process their own application data.
3. To the author's branch - with each branch having its own application data that is not (normally) shared with other branches.
4. To the author's company - with each company owning title to its own application data.
In all cases, certain head office people may be granted administrative (read-only) access to all application data that is normally restricted to a team, department or branch.
People can be granted access to data that they do not own, such as postcode reference, exchange rate reference, vehicle model reference, insurance rates reference, country code reference, etc.
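The scoping rules above as a single access check, written as an added example (not the ASP's code): a record carries the owning company, branch, department and team plus the scope at which the owner shares it; head office staff get read-only access across their company; reference data is readable by anyone but not editable here. The `Principal`, `Record` and `Scope` names are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Scope(IntEnum):
    """How widely the owning company shares a record (hypothetical model)."""
    TEAM = 1
    DEPARTMENT = 2
    BRANCH = 3
    COMPANY = 4


@dataclass(frozen=True)
class Principal:
    company: str
    branch: str
    department: str
    team: str
    head_office: bool = False  # head office: read-only across the whole company


@dataclass(frozen=True)
class Record:
    company: str
    branch: str
    department: str
    team: str
    scope: Scope
    reference: bool = False  # shared reference data (postcodes, exchange rates, ...)


def can_access(user: Principal, rec: Record, write: bool) -> bool:
    """True if `user` may read (write=False) or change (write=True) `rec`."""
    if rec.reference:
        return not write  # reference data is readable by all, never edited here
    if user.company != rec.company:
        return False  # title to data never crosses a company boundary
    # Does the user's position fall inside the scope the owner shares at?
    if rec.scope == Scope.COMPANY:
        in_scope = True
    elif rec.scope == Scope.BRANCH:
        in_scope = user.branch == rec.branch
    elif rec.scope == Scope.DEPARTMENT:
        in_scope = (user.branch, user.department) == (rec.branch, rec.department)
    else:  # Scope.TEAM
        in_scope = (user.branch, user.department, user.team) == (rec.branch, rec.department, rec.team)
    if write:
        return in_scope  # administrative access never grants writes
    return in_scope or user.head_office
```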

Policy State:
Once a policy has become approved cover state, then it is on a timer for payment to be made in a certain number of days.   Where payment is not made by the appropriate date, the policy is automatically cancelled and all associated financial transactions are automatically cancelled.
The internal architecture of the financial accounting services means that no change can ever take place and if one transaction was ever changed, it would quickly be detected as it would not balance with all the other associated transactions for the policy.   Trust is built on the backs of people understanding the compliance architecture and taking time to explore all services to ensure that other parties could not be defrauding the application service in any way.
Once a policy has achieved a certain state where it is approved, then all changes must be frozen, but if a change was made, that change would not have any way to change the financial accounting service.   By replicating certain data, an interlocking mechanism of compliant security is created that is beyond what a criminal could attack and fraudulently change.

Cloud Security Alliance:
Application design begins with an extensive set of sign-in layers of security that comply with and exceed all documented business requirements. What is certain is that any criminal behaviour will be detected and the criminal will be blacklisted. The dual interlocking audit trails of "What Did I Do" and "History" mean that each and every field value change can be identified with a specific person at a specific date and time - and any change can be reversed. Financial transactions take on an extra layer of security in that not a single change can be made, and if a criminal did find a way to change a transaction, it would quickly be detected because large sets of transactions in different locations must balance. What was known as double entry bookkeeping has evolved to multiple entry bookkeeping with a unique account for each party, but management information that must strike a balance across all accounts.
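The balance check described in the Policy State section and again above, as an added example (not the ASP's code): every financial transaction for a policy is posted against a separate party account and the postings net to zero, so a single altered amount leaves that policy out of balance. The ledger, account names and amounts below are constructed sample data.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger: (policy, party account, amount).
# One account per party; the postings for each policy net to zero.
LEDGER = [
    ("POL-1001", "customer:XYZ", Decimal("-500.00")),  # premium charged to customer
    ("POL-1001", "insurer:ACME", Decimal("425.00")),   # net premium due to insurer
    ("POL-1001", "broker:comm", Decimal("75.00")),     # commission retained
    ("POL-1002", "customer:QRS", Decimal("-120.00")),
    ("POL-1002", "insurer:ACME", Decimal("102.00")),
    ("POL-1002", "broker:comm", Decimal("18.00")),
]


def balance_by_policy(ledger):
    """Net amount per policy; zero for every policy when nothing has been touched."""
    totals = defaultdict(Decimal)
    for policy, _account, amount in ledger:
        totals[policy] += amount
    return dict(totals)


def balance_by_account(ledger):
    """Net amount per party account, the management-information view."""
    totals = defaultdict(Decimal)
    for _policy, account, amount in ledger:
        totals[account] += amount
    return dict(totals)


def unbalanced_policies(ledger):
    """Policies whose postings no longer net to zero: the tamper signal."""
    return sorted(p for p, t in balance_by_policy(ledger).items() if t != 0)


def grand_total(ledger):
    """Sum across all accounts; non-zero means the books as a whole do not strike."""
    return sum(balance_by_account(ledger).values(), Decimal("0"))


def with_altered_amount(ledger, policy, account, new_amount):
    """Copy of the ledger with one posting changed, to exercise the check."""
    return [(p, a, new_amount if (p, a) == (policy, account) else amt)
            for p, a, amt in ledger]
```

Run as a periodic reconciliation, `unbalanced_policies` names the policy to investigate and `grand_total` confirms the books as a whole still strike.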

Panama Data Breach:
The Panama bank at the center of the tax avoidance issue suffered an email server attack - many terabytes of emails going back 40 years were stolen. No private and company confidential information must ever be communicated by email - it will be copied, it will be read and it will be sold on to other parties.

Compliance Solution:
All business emails and documents are stored in remote secure archives where emails can be accessed by authorized people from any location using any computer or smart phone.
Emails and documents cannot be deleted, but they can be marked as read and processed so they no longer popup for action.
The email and documents archive can be searched and data matching selection criteria are retrieved - this is a legal obligation.
Business emails and documents may be shared and may be indexed so they can be accessed from a customer point of view without any regard who sent or received the email.
When a person is on vacation, authorized business users can access any email or document and deal with the topic without the need for people to share passwords.
Fraud is minimised by removing the ability for people to hide (and delete) critical business emails and documents on their local mobile device that cannot be accessed by other authorized people.

Data Extract:
Data extract is a facility provided with every application service where authorized people may extract a copy of all application data that has been authored by the application owner.
The amount of data stored in an application service may not be practical to extract (download) as a single transaction, so data may be extracted by date range or some other suitable selection criteria.
Depending on Internet connection speeds and capacity, it can be prudent to extract application data on a monthly or annual basis.
Where applicable, an extract of application data may be delivered on CD or DVD media.
Data copy is quite independent of business continuity services that are automatically included within all application services.

Compliance Manager:
ITIL 2.8 defines the scope of work that must be undertaken by the Compliance Manager.   ITIL defines the method of working that must be undertaken for each procedure and how work is coordinated with other Managers.   Coordination with ITIL 2.4 Capacity Manager, ITIL 2.7 Information Security Manager and ITIL 2.1 Catalogue Manager is required.
Principles:
1. ITIL change control of operational scheme data demands that the Owner specifies and authorizes each and every scheme data change.
2. ITIL secure operations ensure that scheme data cannot be accidentally or fraudulently changed.
3. Regulation requires that the manager who approves the change must not be the person who implements the change.
4. Regulation requires that the manager who validates that the change has been completed must not be the person who implemented the change.
5. Techniques must be employed to ensure that additional changes that were not authorized have not been implemented.

Change Control System:
ITIL has been accepted as the standard and best practice for operating Information Technology Infrastructure providing application services.   The ASP has implemented ITIL with more than 30 job roles that ensure best practice is delivered for all customers.
Every operational data change is stored as an archive so an audit trail can be used as evidence in any audit.   Operational data releases are validated before delivery, but must also be verified by the data owner as the Owner or agent of the Owner.

Summary:
Operational Owner scheme data and associated business document templates are subject to compliant change control procedures implemented by the Owner (or agent acting for and on behalf of the Owner). The ASP may be provided with an Improvement Request by the Owner for a change to be applied to the scheme data using the documented ITIL change control procedure.
Information security procedures ensure that the ASP do not have rights to make changes to operational data; however the ASP may be requested by data owners to make changes on behalf of the Owner.   The ASP shall only implement a change to an application service where that change is requested by the Owner.   Continual improvements to application services are included for the owner and subject to normal deployment and release control procedures.
An application service improvement is not the same as a change to operational data.

Compliance:
This cloud based web service consists of one or more operational application services and one or more demonstration application services.   While ad-hoc changes can be applied to any demonstration application service, a compliant change control system is mandated by law for any operational application service.

Agency Data Collection:
Regulations specify: Race, Ethnicity, Political Thought, Philosophical Beliefs, Religious Affiliation, Outward Appearance, Membership of Foundations, Associations, Unions, Health, Sexual Life, Criminal Record, Security Data, Biometrics, Names. Family name, date of birth, place of birth, economic position, identity number, tax numbers, employment numbers, security numbers, health numbers, passport numbers, driving licence numbers, photo ID, voice recordings, fingerprints, genetic data, CV, LinkedIn key, Facebook key, email addresses. What you do and say in one country may become illegal in another country in 40 years' time. UK Health records are being sold to insurance companies. Citizens' rights are immaterial when it comes to the protection and intelligence activities related to national defence, national security, public security, public order or economic security. Laws that enable security intrusion in one country are quickly replicated to make it legal for other countries to do the same - Germany has the best malware installed on personal computers in many countries.