Sox Iso 27001 Mapping Your Future

I haven't seen any discussion or articles on how companies who are incorporating LEAN are also staying in compliance with information security regulatory and standards requirements. I work for a printing firm that has been implementing LEAN for a year now. Some of our customers are financial companies or health care organizations and we are being told by them that we must be in compliance with SOX, GLBA, HIPAA (for printing, not our own HR area) and ISO 27001 in order to do printing for them. I have contacted our subject matter experts here at work and have asked if they know how to incorporate information security regulatory compliance with LEAN initiatives and they have not run across that issue and are not sure where I can find information about it. Any information would be helpful.

Rae

I am not an expert in these areas but from what I know, GLB protects consumers' personal financial information, HIPAA protects the Privacy of Personal Health Information, and SOX oversees and regulates accounting practices in public companies. From a LEAN perspective, each of these bureaucracies is full of waste, but that does not give one license to eliminate their requirements. In my opinion there must be a representative from your organization from each of these disciplines actively involved with the Lean Team to prevent unknowingly eliminating something that would be a violation of the rules.

That being said, I think there is still an opportunity for the team to challenge wasteful practices.

Rae, all those requirements fall under 'customer requirements'. The government is just one more stakeholder we must satisfy. Lean does not jeopardize any of that.

What lean jeopardizes is people's comfort levels. Arguing SOX, or any other regulation, is just a way to prevent change. Change is always difficult and it is human nature to oppose it. But recognize that all these regulations and guidelines are just things to hide behind so we do not have to change.

You will probably hear 'we tried that before and it did not work', 'the auditors won't approve it' and 'you don't understand, we're different'. All can be overcome, SOX in particular. Reports by all the big four accounting firms show that Lean is beneficial and completely in compliance with GAAP and SOX. Enjoy the journey.

To become a successful business in today's market, optimized information security controls may be the panacea for unmet security needs. One way to achieve optimized information security controls is to assess the organization's security posture against the code of practice and map each control to Capability Maturity Model Integration (CMMI) to find the current CMMI level for each control. The goal is to address the organization's security needs as a whole, and to assess how different departments and business functions are addressing the current business security requirements.

The CMMI has five levels and evaluates security controls by level, not by specific objectives. Each level provides the basis for the next: it is not possible to reach a level without first complying with the previous one. The code of practice is a comprehensive framework which can be used to obtain the baseline upon which each level is built. For each control in the code of practice, maturity levels are defined using the maturity definitions found in CMMI.

In the assessment report, the maturity level of each control of the standard can be evaluated. Using the color-coded scheme provided by the CMMI model, create a one-page ISO control summary for executives; it will not only help them understand the current security posture but can also be instrumental for measuring progress and allocating resources. The scope of the ISO27k standards includes various aspects of IT. The introduction to the standard states clearly: "Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation."
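The control-to-CMMI mapping described above, written out as an added example (not code from the article): each control carries per-level evidence, the attained level is the highest one reached without any gap below it, and the rows feed a color-banded summary plus a progress comparison between two rounds. The color thresholds and the sample evidence are assumptions of this example; the control ids follow ISO/IEC 27001:2013 Annex A numbering.

```python
from typing import Dict, List, Tuple

Assessment = Dict[str, Dict[int, bool]]  # control id -> {CMMI level: criteria met?}

def colour(level: int) -> str:
    """Colour band for the one-page executive summary. The thresholds are an
    assumption of this example, not a scheme taken from CMMI or ISO 27001."""
    if level <= 1:
        return "red"
    if level <= 3:
        return "amber"
    return "green"

def attained_level(evidence: Dict[int, bool]) -> int:
    """Highest level for which that level AND every lower level is satisfied.
    Each CMMI level is a prerequisite for the next, so a gap at level 3 caps a
    control at level 2 even when level-4 practices are in place."""
    level = 0
    for n in range(1, 6):
        if not evidence.get(n, False):
            break
        level = n
    return level

def summarise(assessment: Assessment) -> List[Tuple[str, int, str]]:
    """One row per control, sorted by id: (control, attained level, colour)."""
    rows = []
    for control, evidence in sorted(assessment.items()):
        level = attained_level(evidence)
        rows.append((control, level, colour(level)))
    return rows

def progress(before: Assessment, after: Assessment) -> Dict[str, int]:
    """Change in attained level per control between two assessment rounds."""
    return {c: attained_level(after[c]) - attained_level(before[c])
            for c in before if c in after}

# Constructed sample evidence; control ids use ISO/IEC 27001:2013 Annex A numbering.
SAMPLE_Q1: Assessment = {
    "A.5.1.1":  {1: True},                               # policy exists, nothing more
    "A.9.2.3":  {1: True, 2: True, 3: False, 4: True},   # level-3 gap caps it at 2
    "A.12.4.1": {1: True, 2: True, 3: True, 4: True},    # logging is measured
    "A.12.6.1": {1: True, 2: True, 3: True},
}
# Second round, after the level-3 gap in A.9.2.3 was closed.
SAMPLE_Q2: Assessment = {**SAMPLE_Q1, "A.9.2.3": {1: True, 2: True, 3: True, 4: True}}
```

`summarise(SAMPLE_Q1)` yields the rows for the executive page, and `progress(SAMPLE_Q1, SAMPLE_Q2)` shows A.9.2.3 rising by two levels once its level-3 gap is closed, which is the kind of movement the summary is meant to make visible.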