Monday, July 29, 2013

Creating an Information Security Compliance Capability

In my last post I wrote about compliance and third-party providers, and this time I want to go deeper into what it takes to have a good compliance capability. Please note that this post doesn't go into detail but will provide sufficient guidance (I guess).

So first of all, why do we need a compliance capability or function? Organisations today have regulatory requirements that they must comply with. As an example, if the organisation’s mission is to provide healthcare services in the US, then HIPAA and/or FDA regulations will be a regulatory requirement. Now, if part of the organisation’s business strategy is to go public (IPO) in the US, you will need to comply with SOX requirements.

Also, there are industry best practices or frameworks that an organisation can adopt as part of its business or IT strategy, such as ISO, NIST or COBIT, which will then be part of its compliance requirements. Last but not least, an organisation’s internal policies should also be considered as part of its compliance requirements. The following figure illustrates what I’ve just mentioned:

Why is it important to be compliant?
Well, to put it simply, being non-compliant with regulatory requirements might imply quantifiable losses to your organisation (financial sanctions, impossibility to be listed on the NYSE, etc.) along with non-quantifiable losses, such as image and reputation loss. So, in other words, non-compliance creates a risk to an organisation. If you do some googling for HIPAA or privacy breaches, you’ll get what I mean.

What happens when you are not compliant with your own policies? Well, internal or external auditors will raise a finding (a risk), which will require a remediation plan and funding to rectify the non-compliance… Plus someone above you in the corporate chain will not be happy.

Why is implementing a compliance capability good?
A compliance capability will provide the organisation with the resources required to understand compliance requirements, communicate them, assist in achieving a compliant state, maintain it, manage the risks associated with non-compliance situations and track their rectification.

In order to implement this capability, it is necessary to define a framework, like the one shown in the following figure:

Process Management

The first step in implementing a compliance capability is to plan the capability itself in terms of policies, procedures and human resources. Depending on the organisation and the compliance scope, the number of human resources will vary.

Also, the capability’s policies and procedures need to be developed. These will specify how the capability’s governance is to be achieved and how it will relate to other capabilities at an enterprise level and to other governance functions (i.e. IT and Information Security).

They should cover things like principles, roles and responsibilities, KPIs, how compliance is assessed (determining compliance requirements, building a SOA) and how non-compliance issues are tracked and rectified (an issue register), amongst others.

Changes in processes across the enterprise might be required in order to create interfaces for compliance reporting.
Risk Management
Any non-compliance issue will trigger a risk to the enterprise. Because of this, it is very important that the compliance framework is in line with the enterprise risk management or IT risk management framework. Each non-compliance situation must have its risk assessed and tracked as part of the organisation’s risk profile until rectified.

Based on the organisation’s risk appetite and tolerance, it is possible to assign a risk rating to each non-compliance issue.

The compliance policy and non-compliance issue management procedures should establish how this interface will work.
Monitor and Evaluate
In order to evaluate the organisation’s current compliance posture, information can be fed from the following sources:
  • Using internal / external audit reports
  • Using self-assessments
  • Executing internal compliance assessments
  • Reviewing operational KPIs.
Enterprise interfaces are key to monitoring activities that could generate non-compliance situations (and, as such, risks). These interfaces are process modifications across the enterprise that feed the compliance capability with information about current activities that may impact the compliance posture. Activities such as a business unit outsourcing a service should be detected and analysed for compliance.
Communication and Training
The organisation needs to be aware of the compliance requirements and of the capability itself. In order to achieve good compliance, people need to know where to go with questions.

Key things to consider are:

  • Create a compliance focal role: This role will be responsible for answering all questions on compliance requirements and can also act as the interface between business units and the organisation’s compliance capability. It can be one resource or many resources distributed across the organisation.
  • Awareness and training: The compliance capability must ensure that awareness and training happen at an organisational level. The why, what, when and how should all be part of the awareness and training.
The compliance capability, on the other hand, needs to report to governance boards (IT / Information Security) or key stakeholders on the current compliance situation. Dashboards and reports are good ways to show how the organisation is doing on its compliance aspects.
Hope it helps!