Addressing Multiple Compliance Regulations
By Alex Zadrozny, President and CEO, Zmen Systems, LLC
Now more than ever, organizations of all sizes struggle to comply with multiple regulatory guidelines and manage the risks and penalties of failing to operate within the rules. Establishing, maintaining and proving compliance demands money and time executives and shareholders would rather invest in business growth.
The complexity of the procedures, tasks and behaviors that involve compliance can be overwhelming. Organizations that master managing all these activities—and demonstrate their completion—operate more efficiently and compete more effectively.
Most companies acknowledge the cost and risks of fragmented governance, risk and compliance (GRC) efforts, yet few have taken action. In the 2007 GRC Strategy Survey, conducted by the Open Compliance and Ethics Group:
- Eighty-four percent of respondents reported fragmentation of compliance activities and processes.
- Sixty-five percent claimed fragmented compliance caused serious business problems through duplication of efforts, redundant solutions, higher costs and increased risk.
- Seventy-five percent indicated they would scrap their current programs and start over, if possible.
- Seventy-one percent that acted on integration opportunities indicated they realized benefits that met or exceeded company expectations.
It is critical for senior management to consider creating a compliance framework that integrates the risk and control objectives from multiple regulatory guidelines. The reduction in complexity of multiple frameworks through an integrated approach will yield savings and speed adoption. The controls and processes established from an integrated compliance framework also allow multiple parties to adopt a common assessment, monitoring and reporting approach.
Compliance Convergence
It is not uncommon for an IT organization to be undergoing multiple audits at any given moment. But how do you manage the requirements and objectives of each set of regulations and external examiners? These days, IT management can be tasked with any of the following compliance frameworks: Control Objectives for Information and related Technology (CobiT), International Organization for Standardization (ISO) standards, the Gramm-Leach-Bliley Act, Payment Card Industry Data Security Standard and the National Institute of Standards and Technology standards. If you are part of an international company (and who isn't?), there also is Basel II. Each framework has unique compliance requirements, but the fact is most of the regulatory requirements of these frameworks are redundant.
How does IT management establish an integrated controls framework that addresses all the nuances of multiple compliance regulations? The following steps are designed to give you a methodology for adopting the optimum compliance framework for your IT organization.
1. Conduct a Self-Assessment
It is critical to understand the impact of each regulatory guideline before you can begin to establish a hybrid framework. This can be accomplished through a self-assessment process. The IT Governance Institute (ITGI) has produced several CobiT-based mapping documents. They provide a detailed comparison between CobiT and various standards and best practices. Another good tool is the IT Assurance Guide, which is designed to enable efficient and effective development of IT assurance initiatives. These documents can help establish a baseline controls framework that should be used for a controls self-assessment. The results of the self assessment should be heat maps or reports on risk assessment to allow for easy identification of compliance hotspots within the organization.
2. Adopt an IT Governance Framework
Compliance is a strategic initiative; it will not succeed coming from the bottom up. You must establish upper-management support and buy-in, which is driven by a governance approach.
The right IT governance framework is key to reducing the cost of managing compliance efforts. The definition and framework of IT governance allow you to deconstruct the process into a number of activities: some specific to the board, some particular to management and some that board and management perform in concert. These activities cover: getting informed; setting direction through defining strategy, operating constraints and goals that will subsequently be measured; assigning responsibilities and providing resources; managing risk; and, finally, obtaining assurance that objectives are achieved, risks are mitigated and resources are used responsibly.
IT governance is concerned about two things: that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need measurement, for example, by a balanced scorecard.
CobiT is probably the most widely used IT control framework and has been adopted—with customization—by many large corporations as the basis for an IT governance framework.
3. Establish Common IT Controls
Classify and consolidate your IT controls into the various actions and processes being audited; for example, user and application access, operations management, change management and application management. Make sure the controls are clearly identified, auditable and tested as part of the ongoing internal audit plan.
Map your controls to the standards and common security frameworks used by your organization. Identify the most common controls, and deploy and maintain these controls and operational policies across the IT infrastructure to reduce workload, cost and confusion. By implementing common IT controls, you'll make it possible to consistently, and with less effort and time, document, audit and maintain compliance for multiple mandates.
Document and continuously monitor your controls-compliance status. This will help demonstrate proof of compliance to auditors, executive management and other stakeholders.
4. Automate Manual Procedures
Audits suffer because of nonautomated procedures. Using manual procedures means organizations cannot:
- Identify problems beforehand
- Prevent problems from arising
- Evaluate whether a change to a business procedure would be sufficient to comply with a mandated requirement
- Validate whether a change to IT procedures was necessary
- Determine whether a change to IT controls was warranted
Most firms cannot avoid taking preventive actions based on what was learned in one audit and then applying it to another regulatory mandate. You should look to automate wherever possible when it comes to IT controls assessment, including patching systems, running network scans, automating user-account management and separating who has access to privileged accounts. The goal is to conduct more frequent audits while also reallocating IT resources to more important pursuits. Automation of repetitive tasks should be undertaken after identifying these as essential tasks that run across most of the business procedures being audited.
5. Control Your Controls
Based on the acceptable risks, deploy and maintain the most common controls to reduce workload and cost. Be careful to separate and map business and technology risk as defined by the audit teams. You do not want to run into the situation in which you have redundant controls and overlapping audit testing.
A good deal of the text in framework documents is dedicated to the continuing process of improvement. CobiT describes the following processes that parallel those found in other frameworks:
- Define the goals specific to the organization and business context.
- Select controls to accomplish the goals.
- Deploy and implement the controls.
- Assess the effectiveness of the controls.
- Repeat the process.
6. Review Your Control Framework
Compliance is a process, not an end state. As a business changes, the environment in which it functions changes; it grows, shrinks, deploys new products or is exposed to new threats. As the risks change, so must the corresponding controls.
What was once considered a best practice might not be good enough today. An adaptive process that recognizes the reality of change is critical to any compliance activity. This is what frameworks are all about. New legislation and regulatory rules are always in the works for information security, privacy and other related business controls. How do you keep up with the regulations?
- Identify and subscribe to services that monitor and alert you to new and upcoming regulatory rulings for your specific industry.
- Inventory current and upcoming (potential) regulations.
- Include local, state, federal and international governing bodies in your research.
- Identify upcoming or potential new laws, and determine potential impact and risk to your organization.
- Keep the business management, compliance and legal departments updated on new legislation.
7. Increase Audit Frequency to Maintain Compliance
If your company has been through a major audit involving IT general controls, it is time to increase the frequency of your internal audits. Waiting another year to audit controls for the same mandate will probably result in another round of deficiencies that need to be corrected. Increase your internal audit and security control measurements to determine whether changes in business conditions, business procedures, IT processes, IT security controls, new mandates or other factors will affect the existing control environment.
8. Adopt the Right Compliance Tool
Some businesses have attempted to employ technology to streamline compliance. They have invested in one or more IT products across dozens of categories that are designed to address one or a few aspects of compliance.
The right GRC solution can reduce the cost of managing compliance, manage risk more effectively and reduce exposure to penalties that would result from failing to satisfy regulatory requirements.
You should leverage the Gartner Magic Quadrant for GRC vendors. The vendors must support a minimum level of functionality for reporting, workflow for reviews and approvals, and support for documentation pertaining to internal controls. Gartner considers these product capabilities when evaluating GRC vendors:
- Reporting
- Dashboarding
- Document and records management
- Testing
- Remediation management
- Other business application integration
- Business process modeling (to support and maintain the mapping of rules, policies, risks, control objectives, controls, systems and applications)
- Policy management
- Risk management and risk assessment
- Support for multiple control frameworks
- Support for multiple regulations across multiple business units
- Controls automation and monitoring
Why CobiT
CobiT is the place to start your IT-compliance journey. It is the most comprehensive IT-controls framework and is flexible enough to be implemented effectively. You can use the various mapping guides provided by the ITGI for many of the other frameworks and compliance regulations. CobiT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework, and presents activities in a manageable and logical structure.
CobiT brings these advantages to an IT governance implementation effort:
- Enables mapping of IT goals to business goals and vice versa
- Better alignment, based on a business focus
- A view of what IT does that is understandable to management
- Clear ownership and responsibilities based on process orientation
- General acceptability with third parties and regulators
- Shared understanding among stakeholders, based on a common language
Other advantages of adopting CobiT include:
- CobiT is aligned with other standards and good practices, and should be used with them.
- CobiT's framework and supporting best practices facilitate a well-managed and flexible IT environment.
- CobiT provides an IT control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
As anyone who has successfully gone through this process will tell you: "It depends." CobiT might not be the silver bullet for your compliance requirements. But it is the most comprehensive framework available and will address at least 80 percent of what you need to achieve compliance with multiple regulations. By using the ITGI mapping guides as your cross-reference to the many compliance standards out there, you will certainly see that pattern and feel comfortable on the journey toward satisfying multiple compliance regulations.