I. 3. ISO 19600
• High-level structure: (i) Context of the organization (ii) Leadership (iii) Planning (iv) Support (v) Operation (vi) Performance evaluation (vii) Improvement
Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions.
Whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the third-party service delivery agreement are implemented, operated and maintained by the third party.
curity roles and responsibilities.
The Office 365 security policies address purpose, scope, roles, responsibilities, compliance requirements, and the required coordination among the various Microsoft organizations providing some level of support for the security of Office 365. Office 365 security policies contain rules and requirements that must be met in the delivery and operation of Office 365. Office 365 employees and contingent staff are accountable and responsible for complying with these guiding principles in their designated roles.
Control
An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.
Audit procedure
Whether an appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.
Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.
Ensure whether management demonstrates active support for security measures within the organization. This can be done
Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions.
ISO 37001
HIGHLY DIRECTED DELEGATIONS IN CRIMINAL RISK AREAS > LOW DEMAND. PROCEDURES AND CONTROLS THAT GUARANTEE DECISIONS FREE OF REAL OR POTENTIAL CONFLICTS OF INTEREST
a. Leadership
CULTURE AND FUNCTION OF COMPLIANCE
cc: FXaver - https://www.flickr.com/photos/38473755@N07
b. C
Compliance policy
• Compensation systems that reward compliance achievements
• Evaluation of employees before hiring
• Continuous training
• Continuous, open and adequate communication
• Visible recognition of the achievements of compliance management
• Ethical leadership: "tone at the top"
• As a person's hierarchical responsibility in an organization increases, so do their visibility and their ability to influence the behavior of others.
b. Compliance Culture
• The way the members of senior management act (their behavior) drives the way the rest of the individuals in the organization act: a visible, consistent and sustained commitment over time to a common standard of behavior.
b. Compliance Culture
• The business culture must be an element that positively influences the behavior and attitude of everyone who makes up the organization: a culture of compliance.
b. Compliance Culture
Change the perception of detection and punishment
Reduce or eliminate behavioral bias
Strengthen the role of moral considerations
Improve the culture (eliminate undue environmental influences and group pressure)
• Application of swift and proportionate disciplinary measures
• Consistency of treatment regardless of position
• A clear criminal compliance policy
• Compensation systems that assess the achievement of criminal compliance objectives
• An appropriate induction or orientation program that emphasizes criminal compliance and the values of the organization
• Tone at the top (respect for and application of the rules from above)
• Recognition of achievements in compliance
• Continuous, open and adequate communication
The SGCP: Context and Planning
cc: jaumescar - https://www.flickr.com/photos/28842017@N00
c. The SGCP - Context
• The SGCP must be appropriate to the circumstances of the organization in which it operates.
• Chapter 4 deals with the related aspects (designing the management system, maintaining it and continuously improving it).
c. The SGCP - Context
• Understand the organization and its context
• Understand the needs and expectations of the interested parties
• Determine the scope of the SGCP
c. The SGCP - Context
16-Apr-19
• Art. 4.1: adequate knowledge of the internal and external circumstances of the organization, since they condition the design, maintenance and improvement of its management system.
• A criminal compliance management system is only adequate when it is proportional to the circumstances of the organization and is targeted at the risks that truly threaten it.
c. The SGCP - Context
• Size and structure of the organization
• Locations and sectors in which it operates or plans to operate
• Nature, scale and complexity of activities
• Members of the organization and business partners
c. The SGCP - Context
• "Circular 1/2016 on the criminal liability of legal persons in accordance with the Reform of the Criminal Code made by Organic Law 1/2015": "the organization and management models must be perfectly adapted to the company and its specific risks"
c. The SGCP - Context
• Art. 4.2: it is necessary to determine the interested parties and the requirements of theirs to be considered within the SGCP (for example: the regulator, administrative authorities, shareholders/investors, consumers and users).
c. The SGCP - Context
• Art. 4.3: objective and subjective scope of the SGCP.
• The scope of the SGCP relates to the criminal risks affecting the perimeter formed by the members of the organization and its business partners.
c. The SGCP - Context
• Art. 4.4: the organization adopts, implements, maintains and continuously improves an SGCP that includes the necessary policies, processes and procedures, as well as their interactions, in accordance with the requirements established by the Standard.
c. The SGCP - Planning
• Chapter 6
• 6.1 Actions to deal with risks and opportunities
• 6.2 Identification, analysis and evaluation of criminal risks
• 6.3 Crime prevention objectives and planning to achieve them
Section 6.2 of the UNE Standard adopts the classic division of criminal risk assessment into three activities: identification, analysis and evaluation.
Identification: determining which potentially criminal behaviors could give rise to the criminal liability of the legal person, taking into account the specific circumstances of the organization.
Analysis: assessing how likely it is that those behaviors materialize and what their consequences would be in that case. This analysis is what ultimately allows criminal risks to be assessed.
Evaluation: prioritizing the criminal risks and, therefore, the resources allocated to their prevention, detection and management, with emphasis on those that pose a risk higher than low.
c. The SGCP - Planning
The SGCP: Planning and operational control
cc: fensterbme –