
So Long Silos
Move Beyond Silos to an Integrated, Automated Approach

BY JIM HIETALA,
principal, Compliance Research Group

The Competitive Enterprise Institute calls regulation a $1.14 trillion "unbudgeted tax" on U.S. companies, hidden from public view. The U.S. Office of Management and Budget cites more than 122,000 regulations in the Federal Register, not including state, local and international regulations.

Some rationalize that compliance with regulations is optional. Senior managers should note, however, that government and market dynamics will enforce compliance. Yes, compliance is costly. But investment in compliance automation can bring profit and quality of service to regulated companies in three ways, by:
  • Reducing operations costs
  • Reducing information-security risk
  • Improving quality of service
This article assumes that a company is committed to regulatory and standards compliance, is manually executing compliance requirements and is seeking a positive correlation between compliance, security, reputation and governance. It will not talk about the need to comply and the downside of noncompliance. Instead, it focuses on compliance drivers and requirements, and explores the opportunity to reduce compliance costs through the use of automation.

The Compliance Pressure Cooker
The U.S. federal government alone has more than 122,000 regulations. Regulatory-enforcement budgets have grown nearly 20 percent annually for the past five years, and there have been 139 major rules in the pipeline recently, each with an impact of more than $100 million on the economy. (See figure 1.)

[Figure 1]

Most experts agree that companies are not structured to follow these regulations and that executives are struggling just to "keep the lights on." Add to the federal regulations the numerous state data-privacy laws passed in the past few years. More than 40 states have now passed legislation similar to the California Financial Information Privacy Act, SB 1386 and the newly passed California AB 1298, which expands coverage of SB 1386 to include medical information and personal information in insurance applications and documents.

As shown in figure 2, the IT Compliance Institute breaks regulation into three primary categories, including privacy, security and governance.

[Figure 2]

Few companies have the time to identify and actively monitor legally binding federal, state and international regulations, when they might already spend five to 20,000 hours annually to comply with just one regulation.

Citing the massive number of U.S. federal regulations is not to suggest that all companies are subject to all regulations all of the time. Studies show that companies usually deal with between two and five regulations. The typical breakdown looks something like this:
  • Federal: Sarbanes-Oxley Act (SOX)
  • Industry: Payment Card Industry Data Security Standard, or the Health Insurance Portability and Accountability Act, or the Gramm-Leach-Bliley Act, or North American Regulatory Commission/Federal Energy Regulatory Commission regulations, and so on
  • State: SB 1386
The challenge to cost-effectively comply grows as companies attempt to cross-reference or map regulations and controls, and interpret their requirements. This happens well before they integrate these requirements into business processes.

Compliance Drilldown
Regulations can cause organizational confusion, because they are most often high-level guidelines, not detailed specifications. This places an unrecognized burden on companies to analyze, interpret, integrate, implement, test and maintain rules that ensure compliance. Typically, regulations will point to standards to fill the specificity gap, or regulators will provide additional regulatory guidance in the form of guidelines and rules.

The Open Web Application Security Project, an organization focused on improving the security of applications software, depicts the relationships between compliance regulations, standards and the organization as follows:

Note at the bottom of this organizational view how the "Business" (the board of directors and senior management) and the CIO are tasked with developing policies and procedures that support an entire set of international, national and industry rules, regulations and standards.

The good news is that standards are well documented and already cross-referenced by a number of organizations. As seen in figure 3, ISO 17799 security domains from the International Organization for Standardization (ISO) are easily matrixed to numerous international, national and state regulations.

[Figure 3]

The bad news is the individual controls supporting these domains are much more specific and granular. The challenge of identifying, cross-referencing, documenting, distributing, maintaining and reporting on the status of these controls in policy and in actual practice in an organization is costly, because companies lack expertise and are frequently relying on manual tools and processes.

[Figure 4]

Almost always, companies manually analyze and compile this information with unsophisticated tools or attempt to build controls into processes by customizing existing applications, such as enterprise-resource-planning systems. Few of these approaches lead to sustainable and repeatable processes. A PricewaterhouseCoopers study of SOX-regulated companies found that 80 percent of financial controls are manual, which might explain why financial-services companies waste up to 7 percent of their total operational expense on manual compliance processes.

Segregated Compliance Projects in Organizational Silos
First-generation compliance tools tended to be desktop applications, such as editors, e-mail, forms, spreadsheets, presentations and databases, giving creators and users of compliance information an ad hoc way of responding to the challenge of assessing and managing compliance. Many surveys report that more than 70 percent of regulated companies use e-mail, Word documents and databases to attempt to manage compliance.

Using unsophisticated tools, compliance managers typically piece together a workflow of controls, people and actions.

One example of a possible workflow is depicted in figure 5.

[Figure 5]

The scaling issues associated with measuring and managing compliance across a large business should be readily apparent. Many large organizations will have hundreds or thousands of assets affected by compliance regulations.

These will include servers, applications, business processes, network elements and even IT-services vendors, all of which must be assessed and managed for compliance. Workflow complexity increases exponentially as all possible combinations of controls, stakeholders and compliance actions are taken into account.

Manual compliance programs tend to be fragmented, and they tend to produce results that are not easily repeatable. Given a compliance workflow such as the one depicted in figure 5, much of the burden of assessing compliance for all affected assets, gathering evidence, tracking remediation and reporting on compliance status falls to the compliance manager. Using simple homegrown tools to attack this problem is less than optimal. In truth, manual compliance is probably best characterized as a project rather than a continuous program or process.

Employee misunderstanding and irregular employee signoffs also result. The life of a spreadsheet, for example, is usually "unstructured, untracked, insecure and potentially inaccurate," making it more difficult to create repeatable processes.

Applications naturally stovepipe communication and collaboration, because they are built by technologists, who optimize for productivity. The concept of compliance is not designed into the application architecture from the start. Instead, de facto compliance applications, such as desktop and corporate communications, run in parallel to the applications containing compliance data. Beyond the application stovepipes shown in figure 6, data relevant to compliance might be stored in asset-management systems and in numerous IT-security systems including vulnerability-management and configuration-management systems.

[Figure 6]

Compliance-data storage in disparate systems in nonstandardized formats becomes the default architecture.

In this manual environment, compliance workflow might cross the minds of many managers and employees, but not the process, application and data boundaries where compliance action counts. Over time, inconsistency and duplication creep in, increasing integration and operation costs, and compounding other natural divides, such as departmental semantic differences and ownership issues. Long-term costs increase too, because departments individually amortize process expenses within their silo, precluding investment in the infrastructure. Compliance costs are oftentimes excessive as staff resources are consumed by unplanned compliance tasks. Lower management confidence and information quality become a byproduct. Come audit time, nonuniform tools and fractured data sources send unnecessary alarms to auditors, protracting audit time and increasing audit cost. In the end, the perceived value of the company might be threatened by poor compliance practices.

As shown in figure 7, automated and integrated compliance processes work across production platforms, rather than parallel to them. Like IT management and security management, compliance management directly or indirectly touches most transactions and controls. Many experts argue that compliance management should be placed under IT management because of this structure. An Ernst & Young survey of 520 companies concluded that 70 percent of compliance remediation occurred in IT and specifically through IT-security controls.

[Figure 7]

Part two of this article picks up with requirements for compliance automation.

Jim Hietala is principal at the Compliance Research Group.

Copyright ©2009 The Compliance Authority, Inc.