compliance – a window of opportunity presented by : secure matrix india private limited @ isafe,...

Compliance A Window of OpportunityPresented by : Secure Matrix India Private [email protected] iSAFE, Dubai. October 30, 2008

Compliance - A Window of Opportunity1u

Compliance - A Window of Opportunity

Compliance - A Window of Opportunity* Dinesh Bareja, CISA, CISM Sr Vice President SECURE MATRIX INDIA PVT LTD Mumbai Pune Chennai - London [email protected]

Audit and Assurance Consulting and Advisory Services in the Information Security and GRC domain covering IS/IT Management / Process / Technical Services.


SecureMatrix ServicesCompliance - A Window of Opportunity*


The Compliance window grows.Compliance - A Window of Opportunity*Today We pay the price for the transgressions of the C-level criminals.

Today we see unknown unknowns around the globe and must brace ourselves for greater regulatory control internal and external

Will this stop more unknowns from hitting us in future is another unknown

As professionals in technology Security and Audit we are moving into a newer dimension with increased responsibility for Governance, Risk and Compliance

"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." E. F. Schumacher / Albert Einstein


Not My Organization !Compliance - A Window of Opportunity*Source: Open Compliance & Ethics Group


Compliance TodayCompliance - A Window of Opportunity*Compliance with Compliance requirements takes up too much resourcesMeeting Compliance needs with technology provides a window of opportunity for the organization to reap tangible and intangible ROIOrganizations (worldwide) have numerous Compliance obligations and these are growingRegulatoryStandards / Best Practice Frameworks Policies IndustrialContractual


ISACA Survey - Top seven business issues Compliance - A Window of Opportunity*

Organizations are faced with more challenges now than ever; they must grow and maximize market opportunities while at the same time complying with an ever-increasing number of regulations and standards. Keeping on top of legislative and regulatory requirements is a significant task, and regulatory compliance still operates in project mode and has not yet been embedded in business processes. IT must design and maintain systems to comply with these legislative and regulatory requirements, despite the lack of an integrated framework.Enterprise-based IT management and IT governance Managing efficient and effective IT departments requires IT governance the disciplines and capabilities that bring consistent and reliable delivery of IT services to the business. IT governance requires the alignment of IT operations with the goals and objectives of the business. In addition, delivery of IT services requires well-designed IT processes and coordination among the IT team members. However, while there is some recognition of the importance of IT governance at the executive level, further awareness is needed.Information security management After many spectacular breaches and losses, and enormous spending on state-of-the-art security technologies, enterprises are finally realizing that information security has more to do with managing people and process and less to do with implementation of technology. In so doing, enterprises can leverage international information security management standards (such as ISO/IEC 27001) that provide guidelines and common practices rather than reinventing the wheel each time.Disaster recovery/business continuity All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. In response, some enterprises implement business continuity management (BCM) programs to improve their resilience in the event of disaster. Unfortunately, these enterprises are in the minority and BCM still remains an elusive goal for most organizations.IT value management IT projects often lack alignment with business goals and objectives; as a result, they are unable to realize business benefits. In some cases, there is a lack of business involvement in IT projects, while in others, there is simply a breakdown in communication between what the business has asked for and what IT has delivered. Implementing processes to help bridge these gaps allows IT to service the needs of business and deliver value.Challenges of managing IT risks Risk management practices are poorly understood at the best of times so it is no surprise that IT risk management fares no better. Unfortunately, IT risks are pervasive across enterprises, so the impact of poor IT risk management can be disastrous.Compliance with financial reporting standards Global financial reporting standards, such as the US Sarbanes-Oxley Act, have been in place since 2004; however, they continue to be an area of focus for IT departments. While improvements have been made to the standards that help focus efforts on areas of higher risk, enterprises continue to experience challenges in complying in a cost-effective manner.

Source: Top Business/Technology Issues Survey Results, ISACA 2008

Overall RankBusiness IssueAudit TeamIT MgtSecurity team1Regulatory compliance1522Enterprise-based IT management and IT governance2143Information security management3414Disaster recovery/business continuity4235IT value management36Challenges of managing IT risks57Compliance with financial reporting standards5Source: Top Business/Technology Issues Survey Results, ISACA 2008


Compliance - A Window of Opportunity*Source: Top Business/Technology Issues Survey Results, ISACA 2008


ISACA Survey - Top seven business issues Compliance - A Window of Opportunity*

Organizations are faced with more challenges now than ever; they must grow and maximize market opportunities while at the same time complying with an ever-increasing number of regulations and standards. Keeping on top of legislative and regulatory requirements is a significant task, and regulatory compliance still operates in project mode and has not yet been embedded in business processes. IT must design and maintain systems to comply with these legislative and regulatory requirements, despite the lack of an integrated framework.Enterprise-based IT management and IT governance Managing efficient and effective IT departments requires IT governance the disciplines and capabilities that bring consistent and reliable delivery of IT services to the business. IT governance requires the alignment of IT operations with the goals and objectives of the business. In addition, delivery of IT services requires well-designed IT processes and coordination among the IT team members. However, while there is some recognition of the importance of IT governance at the executive level, further awareness is needed.Information security management After many spectacular breaches and losses, and enormous spending on state-of-the-art security technologies, enterprises are finally realizing that information security has more to do with managing people and process and less to do with implementation of technology. In so doing, enterprises can leverage international information security management standards (such as ISO/IEC 27001) that provide guidelines and common practices rather than reinventing the wheel each time.Disaster recovery/business continuity All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. In response, some enterprises implement business continuity management (BCM) programs to improve their resilience in the event of disaster. Unfortunately, these enterprises are in the minority and BCM still remains an elusive goal for most organizations.IT value management IT projects often lack alignment with business goals and objectives; as a result, they are unable to realize business benefits. In some cases, there is a lack of business involvement in IT projects, while in others, there is simply a breakdown in communication between what the business has asked for and what IT has delivered. Implementing processes to help bridge these gaps allows IT to service the needs of business and deliver value.Challenges of managing IT risks Risk management practices are poorly understood at the best of times so it is no surprise that IT risk management fares no better. Unfortunately, IT risks are pervasive across enterprises, so the impact of poor IT risk management can be disastrous.Compliance with financial reporting standards Global financial reporting standards, such as the US Sarbanes-Oxley Act, have been in place since 2004; however, they continue to be an area of focus for IT departments. While improvements have been made to the standards that help focus efforts on areas of higher risk, enterprises continue to experience challenges in complying in a cost-effective manner.

Source: Top Business/Technology Issues Survey Results, ISACA 2008

Overall RankBusiness IssueAudit TeamIT MgtSecurity team1Regulatory compliance1522Enterprise-based IT management and IT governance2143Information security management3414Disaster recovery/business continuity4235IT value management36Challenges of managing IT risks57Compliance with financial reporting standards5Source: Top Business/Technology Issues Survey Results, ISACA 2008


Compliance - A Window of Opportunity*Source: Top Business/Technology Issues Survey Results, ISACA 2008


Compliance - A Window of Opportunity*CHALLENGES

TIMES LIKE THIS WERE EXPECTED

BUT THEN THE SAME QUESTIONS, THE SAME DIFFERENT PEOPLE, THE SAME TIME OF THE YEAR, THE SAME FORMS, THE SAME REPORTS (ALBEIT NEWER DATES), THE SAME NCS

WELCOME TO THE ANNUAL C - EVENTS


Compliance - A Window of Opportunity*CHALLENGESTIMES LIKE THIS WERE EXPECTED BUT I NEVER THOUGHT THEYD BE PERPETUALLY TOUGHTHOUGHT FOR COMPLIANCE IS DRIVEN BY REGULATORY / LEGAL OBLIGATIONSINTERNAL PUSHBACK DUE TO REPETITIVE ACTIVITIES, REPORTING, RESOURCE INTENSIVE EFFORTSBUDGETS USUALLY SHRINK IN PROPORTION TO INCREASING COSTS !NON-UNIFIED EFFORTS LEAD TO INCREASED COMPLEXITY OF COMPLIANCE MANAGEMENTPROJECTIZED APPROACH : COMPLIANCE IS A PROJECT E.G. SOX OR SAS70 R BCP PROJECT ETC.DYNAMICALLY CHANGING REGULATORY REQUIREMENTS


The FalloutCompliance - A Window of Opportunity*


Unifying Compliance Compliance - A Window of Opportunity*Crosslinked Compliance Requirements


Compliance The Business OpportunityCompliance - A Window of Opportunity*Use the opportunity to build Compliance efforts into the business processes, using automation with best practice frameworks enabledOpportunity Lights are on !


The Business Benefits Compliance - A Window of Opportunity*Maturity of IT Governance

Business results among firms with the most mature practices 17 percent higher revenues 14 percent higher profits 18 percent higher customer satisfaction rates 17 percent higher customer retention levels 96 percent lower financial losses from the loss or theft of data 50 times less likely to lose or have customer data stolen 50 percent less spent on regulatory compliance annuallySource: IT Policy Compliance Group Report 2008


The Business Benefits Compliance - A Window of Opportunity*Maturity of IT Governance

Increase Shareholder and Market ConfidenceStakeholders Awareness of Responsibility Continuous Risk Management enables ERM Compliance is Timely as MandatedAutomated and Unified Compliance Lowers CostsBest Practices embedded in the Organization DNAProcess Efficiencies due to Best PracticesAchieve Governance Goals & Industry CertificationsNon Compliance Financial Risks eliminated Learning Reduces Compliance cyclesCorrelation of Obligations Across Business Units


Compliance - A Window of Opportunity*-Engineer a culture of risk and responsibility in the organizationEnsure high level of awareness amongst stakeholders and demonstrate that it is not difficult if we build the culture of collective responsibilityTo build enterprise level system(s) that address multiple compliance requirements across multiple regulatory authorities Create a lean compliance program that delivers to legal mandates (good-enough compliance) without reducing business effort and leverages silver linings which can bring extra business value-Plan the integration process step-by-step-Introduce and build on best practice frameworks like CobiT Even if you have a low level of automation in some areas you can enable hybrid reporting and build onwards-Managed risk means managed compliance mandates and here we are getting Enterprise level inputs so we can manage the risk across the organizationEfficient Management means better business


Business ResultsCompliance - A Window of Opportunity*


Compliance - A Window of Opportunity*At first look,

As we step into addressing security-oriented compliance mandates we find they need high resource and cost commitments and seem to be a burden on the organization and stakeholders.

However, a strong compliance management system will ultimately pay for itself by averting costs associated with security breaches and savings associated with increased efficiency and productivity.


GRC Business Efficiency IndicatorsCompliance - A Window of Opportunity*


Compliance - A Window of Opportunity*INTEGRATE YOUR COMPLIANCE EFFORTS . A TECHNOLOGY ENABLED UNIFIED COMPLIANCE MANAGEMENT PROGRAM

Central Compliance Repository / Database holds documentation, information, policies, workflow across identified requirementsChange Management on all repository and process artifacts in respect of their versions, access and controls for distribution, retention, or archiving Workflow Management allowing assignment of responsibilities Updating and Optimization compliance business process management allows grouping of common controls for unified collectionCommunication Management - policies and controls are communicated and published across the enterprise to stakeholdersReporting - Interfaces and Templates are designed for ease-of-use for reporting requirements in risk management / prioritization, metrics and auditCustomization - Interfaces and workflow assignments can be built for each mandateManage and Track Progress - of compliance efforts with metrics and automated alerts Audit Trails


Compliance - A Window of Opportunity*Solution : Integrate Compliance Mandates Many names one system : Unified Compliance; Integrated Management System; Integrated Compliance.. Risk based automation aligned with compliance mandates defined by PoliciesBusinessLegal RegulationsIndustryContractual

Companies that select individual solutions for each regulatory challenge they face will spend 10 times more on the IT portion of compliance projects than companies that take on a proactive and more integrated approach. - Gartner Reporting responsibilities are directly assigned to concerned stakeholders through workflow management


Compliance - A Window of Opportunity*X-referenced Safeguards


Common Regulatory Reqmts /Standards / Frameworks / GuidelinesCompliance - A Window of Opportunity*A brief listing (30 out of a list of 340) of Regulatory / Standards from the world of Compliance Mandates

Sarbanes-Oxley Act (SOX)PCAOB Auditing Standard No. 2AICPA SAS 94AICPA/CICA Privacy FrameworkAICPA Suitable Trust Services CriteriaRetention of Audit and Review Records, SEC 17 CFR 210.2-06 Controls and Procedures, SEC 17 CFR 240.15d-15 Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3The GAIT MethodologyBasel II:HIPAAGramm-Leach-Bliley Act (GLB)Standards for Safeguarding Customer Information, FTC 16 CFR 314 Privacy of Consumer Financial Information, FTC 16 CFR 313Safety and Soundness Standards, Appendix of OCC 12 CFR 30 CAN SPAM ActChildren's Online Privacy Protection Act (COPPA), 16 CFR 312 Driver's Privacy Protection Act (DPPA), 18 USC 2721Family Education Rights Privacy Act (FERPA), 20 USC 1232Privacy Act of 1974, 5 USC 552a Video Privacy Protection Act (VPPA), 18 USC 2710 Clause 49 (SEBI Guideline, Government of India)CobiTIslamic Banking RulesNERCPIPEDAISO:27001ISO:25999ITILISO:20000


Presented byCompliance - A Window of Opportunity*Dinesh BarejaCISA, CISM, ITIL, IPR, ERM, BS: 7799 (Imp & LA)Senior Vice President Secure Matrix India Pvt Ltd

Email: [email protected]: +91.93710-64741Tel: +91.22.3253-7579Web: www.securematrix.in

=


Contact InformationCompliance - A Window of Opportunity*

Registered OfficeMumbai:12 Oricon House, 14, K. Dubash MargFort, Mumbai 400 001Tel: +91 22 3253 7579; Fax:+91 22 2288 6152; Email: [email protected]

Internet: http://www.securematrix.inTechnology CentrePune:Trident Towers2nd Floor, Pashan RoadBavdhan, Pune - 411021Email: [email protected] CentreChennai:Plot No. 1, Door No. 5, Venkateshwara Street, Dhanalakshmi Colony, Vadapalani, Chennai 600026Email: [email protected]ematrix.in Dubai:P O Box 5207DubaiEmail: [email protected]:16-20 Ealing RoadWembley Middlesex Hao 4TLEmail: [email protected]


ReferencesCompliance - A Window of Opportunity*http://www.securematrix.in (Integrated Management System and various references)http://isaca.org (Top Business-Tech Survey Aug 08 and various references)http://www.itpolicycompliance.com/pdfs/ITPCGAnnualReport2008.pdfhttp://www.unifiedcompliance.com


Compliance - A Window of Opportunity*Thank You


Compliance - A Window of Opportunity*


**Correlation of Obligations Across Business Units - Compliance obligations across BUs can be correlated to build a common regulatory database model. Cross unit functional responsibilities, reporting and such functions can be determined and an optimum workflow can be established.

**Correlation of Obligations Across Business Units - Compliance obligations across BUs can be correlated to build a common regulatory database model. Cross unit functional responsibilities, reporting and such functions can be determined and an optimum workflow can be established.

******