Compliance – A Window of Opportunity Presented by : Secure Matrix India Private Limited @ iSAFE, Dubai. October 30, 2008 Compliance - A Window of Opportunity 1


Page 1: Compliance – A Window of Opportunity (title slide)

Presented by: Secure Matrix India Private Limited @ iSAFE, Dubai. October 30, 2008

Page 2: Presenter

Dinesh Bareja, CISA, CISM
Sr Vice President, SECURE MATRIX INDIA PVT LTD
Mumbai – Pune – Chennai – London

[email protected]

Audit and Assurance Consulting and Advisory Services in the Information Security and GRC domain covering IS/IT Management / Process / Technical Services.

Page 3: SecureMatrix Services

Page 4: The Compliance window grows…

Today … We pay the price for the transgressions of the C-level criminals.

Today we see unknown unknowns around the globe and must brace ourselves for greater regulatory control – internal and external

Whether this will stop more unknowns from hitting us in future is itself another unknown.

As professionals in technology, security and audit, we are moving into a new dimension with increased responsibility for Governance, Risk and Compliance.

"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." E. F. Schumacher / Albert Einstein

Page 5: Not My Organization!

Source: Open Compliance & Ethics Group

Page 6: Compliance Today

• Complying with Compliance requirements takes up too many resources

• Meeting Compliance needs with technology provides a window of opportunity for the organization to reap tangible and intangible ROI

• Organizations (worldwide) have numerous Compliance obligations, and these are growing:
  – Regulatory
  – Standards / Best Practice Frameworks
  – Policies
  – Industrial
  – Contractual

Page 7: ISACA Survey - Top seven business issues

Regulatory compliance

Organizations are faced with more challenges now than ever; they must grow and maximize market opportunities while at the same time complying with an ever-increasing number of regulations and standards. Keeping on top of legislative and regulatory requirements is a significant task, and regulatory compliance still operates in “project” mode and has not yet been embedded in business processes. IT must design and maintain systems to comply with these legislative and regulatory requirements, despite the lack of an integrated framework.

Enterprise-based IT management and IT governance

Managing efficient and effective IT departments requires IT governance— the disciplines and capabilities that bring consistent and reliable delivery of IT services to the business. IT governance requires the alignment of IT operations with the goals and objectives of the business. In addition, delivery of IT services requires well-designed IT processes and coordination among the IT team members. However, while there is some recognition of the importance of IT governance at the executive level, further awareness is needed.

Information security management

After many spectacular breaches and losses, and enormous spending on “state-of-the-art” security technologies, enterprises are finally realizing that information security has more to do with managing people and process and less to do with implementation of technology. In so doing, enterprises can leverage international information security management standards (such as ISO/IEC 27001) that provide guidelines and common practices rather than reinventing the wheel each time.

Disaster recovery/business continuity

All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. In response, some enterprises implement business continuity management (BCM) programs to improve their resilience in the event of disaster. Unfortunately, these enterprises are in the minority and BCM still remains an elusive goal for most organizations.

IT value management

IT projects often lack alignment with business goals and objectives; as a result, they are unable to realize business benefits. In some cases, there is a lack of business involvement in IT projects, while in others, there is simply a breakdown in communication between what the business has asked for and what IT has delivered. Implementing processes to help bridge these gaps allows IT to service the needs of business and deliver value.

Challenges of managing IT risks

Risk management practices are poorly understood at the best of times so it is no surprise that IT risk management fares no better. Unfortunately, IT risks are pervasive across enterprises, so the impact of poor IT risk management can be disastrous.

Compliance with financial reporting standards

Global financial reporting standards, such as the US Sarbanes-Oxley Act, have been in place since 2004; however, they continue to be an area of focus for IT departments. While improvements have been made to the standards that help focus efforts on areas of higher risk, enterprises continue to experience challenges in complying in a cost-effective manner.

Overall Rank | Business Issue                                   | Audit Team | IT Mgt | Security Team
1            | Regulatory compliance                            | 1          | 5      | 2
2            | Enterprise-based IT management and IT governance | 2          | 1      | 4
3            | Information security management                  | 3          | 4      | 1
4            | Disaster recovery/business continuity            | 4          | 2      | 3
5            | IT value management                              | 3 *
6            | Challenges of managing IT risks                  | 5 *
7            | Compliance with financial reporting standards    | 5 *

* For rows 5–7 only one team's rank survives in the source; the extraction does not show which team's column it belongs to.

Source: Top Business/Technology Issues Survey Results, ISACA 2008

Page 8: ISACA survey chart

Source: Top Business/Technology Issues Survey Results, ISACA 2008

Page 9: ISACA Survey - Top seven business issues (repeat of Page 7)

Page 10: ISACA survey chart (repeat of Page 8)

Page 11: CHALLENGES

TIMES LIKE THIS WERE EXPECTED

BUT THEN … THE SAME QUESTIONS,

THE SAME DIFFERENT PEOPLE, THE SAME TIME OF THE YEAR,

THE SAME FORMS, THE SAME REPORTS (ALBEIT NEWER DATES),

THE SAME NC’S …

WELCOME TO THE ANNUAL C - EVENTS

Page 12: CHALLENGES

TIMES LIKE THIS WERE EXPECTED – BUT I NEVER THOUGHT THEY’D BE PERPETUALLY TOUGH

THOUGHT FOR COMPLIANCE IS DRIVEN BY REGULATORY / LEGAL OBLIGATIONS

INTERNAL PUSHBACK DUE TO REPETITIVE ACTIVITIES, REPORTING, RESOURCE INTENSIVE EFFORTS

BUDGETS USUALLY SHRINK IN PROPORTION TO INCREASING COSTS !

NON-UNIFIED EFFORTS LEAD TO INCREASED COMPLEXITY OF COMPLIANCE MANAGEMENT

PROJECTIZED APPROACH : COMPLIANCE IS A PROJECT, E.G. SOX OR SAS70 OR BCP PROJECT, ETC.

DYNAMICALLY CHANGING REGULATORY REQUIREMENTS

Page 13: The Fallout

"Much of the increase in cost is due to duplication of regulation and ambiguous or inconsistent rules." – Securities Industry Association, 2006

Page 14: Unifying Compliance

Crosslinked Compliance Requirements

Opportunity!

Page 15: Compliance – The Business Opportunity

Use the opportunity to build Compliance efforts into the business processes, using automation with best practice frameworks enabled

Opportunity lights are on!

Page 16: The Business Benefits

Maturity of IT Governance

Compliance is Technology Enabled

Business results among firms with the most mature practices:

• 17 percent higher revenues

• 14 percent higher profits

• 18 percent higher customer satisfaction rates

• 17 percent higher customer retention levels

• 96 percent lower financial losses from the loss or theft of data

• 50 times less likely to lose or have customer data stolen

• 50 percent less spent on regulatory compliance annually

Source: IT Policy Compliance Group Report 2008

Page 17: The Business Benefits

Maturity of IT Governance

Compliance is Technology Enabled

• Increase Shareholder and Market Confidence
• Stakeholder’s Awareness of Responsibility
• Continuous Risk Management enables ERM
• Compliance is Timely as Mandated
• Automated and Unified Compliance Lowers Costs
• Best Practices embedded in the Organization DNA
• Process Efficiencies due to Best Practices
• Achieve Governance Goals & Industry Certifications
• Non Compliance Financial Risks eliminated
• Learning Reduces Compliance cycles
• Correlation of Obligations Across Business Units

Page 18:

-Engineer a culture of risk and responsibility in the organization

-Ensure high level of awareness amongst stakeholders and demonstrate that it is not difficult if we build the culture of collective responsibility

-Build enterprise-level system(s) that address multiple compliance requirements across multiple regulatory authorities

-Create a lean compliance program that “delivers” to “legal” mandates (good-enough compliance) without reducing business effort, and leverages silver linings which can bring extra business value

-Plan the integration process step-by-step

-Introduce and build on best practice frameworks like CobiT®

-Even if you have a low level of automation in some areas you can enable hybrid reporting and build onwards

-Managed risk means managed compliance mandates; here we are getting enterprise-level inputs, so we can manage the risk across the organization

-Efficient Management means better business

Page 19: Business Results

Page 20:

At first look, as we step into addressing security-oriented compliance mandates, we find they need high resource and cost commitments and seem to be a burden on the organization and stakeholders.

However, a strong compliance management system will ultimately pay for itself by averting costs associated with security breaches and through savings associated with increased efficiency and productivity.

Page 21: GRC Business Efficiency Indicators

Page 22: INTEGRATE YOUR COMPLIANCE EFFORTS … A TECHNOLOGY ENABLED UNIFIED COMPLIANCE MANAGEMENT PROGRAM

Central Compliance Repository / Database – holds documentation, information, policies, workflow across identified requirements

Change Management – on all repository and process artifacts in respect of their versions, access and controls for distribution, retention, or archiving

Workflow Management – allowing assignment of responsibilities

Updating and Optimization – compliance business process management allows grouping of common controls for unified collection

Communication Management - policies and controls are communicated and published across the enterprise to stakeholders

Reporting - Interfaces and Templates are designed for ease-of-use for reporting requirements in risk management / prioritization, metrics and audit

Customization - Interfaces and workflow assignments can be built for each mandate

Manage and Track Progress - of compliance efforts with metrics and automated alerts

Audit Trails

Page 23: Solution : Integrate Compliance Mandates

Many names… one system : Unified Compliance; Integrated Management System; Integrated Compliance…..

Risk-based automation aligned with compliance mandates defined by: Policies, Business, Legal Regulations, Industry, Contractual

“Companies that select individual solutions for each regulatory challenge they face will spend 10 times more on the IT portion of compliance projects than companies that take on a proactive and more integrated approach.” - Gartner

Reporting responsibilities are directly assigned to concerned stakeholders through workflow management

Page 24: X-referenced Safeguards
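The cross-referencing that pages 14, 22 and 24 describe (common controls grouped for unified collection, evidence gathered once and reported against every mandate that needs it, gaps surfaced before the auditor finds them), as an added example that is not code from the presentation or from Secure Matrix's own system. The mandate names are taken from page 25; every requirement id (e.g. "SOX-R1") and control id (e.g. "AC-01") is a constructed placeholder, not a real clause or control number.

```python
"""Cross-referenced safeguards: one common control, evidence collected once,
reported against every mandate that requires it. Constructed example data."""

# Constructed requirement catalogue: mandate -> {requirement id: summary}.
# Ids are placeholders, not real clause numbers.
REQUIREMENTS = {
    "SOX":       {"SOX-R1": "access to financial systems is restricted and reviewed",
                  "SOX-R2": "audit records are retained"},
    "HIPAA":     {"HIPAA-R1": "unique user ids and periodic access review",
                  "HIPAA-R2": "contingency plan and data backup"},
    "ISO 27001": {"ISO-R1": "user access provisioning and review",
                  "ISO-R2": "event logging and log retention",
                  "ISO-R3": "business continuity arrangements"},
    "GLB":       {"GLB-R1": "safeguard customer financial information"},
}

# Constructed cross-reference matrix: common control -> the requirement ids it
# satisfies. Each control has one evidence artefact, collected once per cycle.
CONTROL_MATRIX = {
    "AC-01": {"evidence": "quarterly access review sign-off",
              "satisfies": ["SOX-R1", "HIPAA-R1", "ISO-R1"]},
    "LG-01": {"evidence": "log retention configuration export",
              "satisfies": ["SOX-R2", "ISO-R2"]},
    "BC-01": {"evidence": "annual DR test report",
              "satisfies": ["HIPAA-R2", "ISO-R3"]},
}


def mandate_of(req_id, requirements=REQUIREMENTS):
    """Return the mandate a requirement id belongs to, or None if unknown."""
    for mandate, reqs in requirements.items():
        if req_id in reqs:
            return mandate
    return None


def unified_collection_plan(matrix=CONTROL_MATRIX, requirements=REQUIREMENTS):
    """For each control, the sorted list of mandates its single evidence item serves."""
    plan = {}
    for control_id, spec in matrix.items():
        mandates = {mandate_of(r, requirements) for r in spec["satisfies"]}
        mandates.discard(None)  # ignore dangling references in the matrix
        plan[control_id] = sorted(mandates)
    return plan


def coverage_gaps(matrix=CONTROL_MATRIX, requirements=REQUIREMENTS):
    """Requirement ids that no control is cross-referenced to (future NCs)."""
    mapped = {r for spec in matrix.values() for r in spec["satisfies"]}
    return sorted(r for reqs in requirements.values() for r in reqs if r not in mapped)


def evidence_collections(matrix=CONTROL_MATRIX):
    """(projectized, unified): evidence pulls per cycle when every requirement is
    evidenced separately, versus once per common control."""
    projectized = sum(len(spec["satisfies"]) for spec in matrix.values())
    return projectized, len(matrix)


def mandates_affected_by(control_id, matrix=CONTROL_MATRIX, requirements=REQUIREMENTS):
    """Change-management view: a new version of this control re-opens these mandates."""
    return unified_collection_plan(matrix, requirements).get(control_id, [])


if __name__ == "__main__":
    for cid, mandates in unified_collection_plan().items():
        print(f"{cid}: collect '{CONTROL_MATRIX[cid]['evidence']}' once -> {', '.join(mandates)}")
    print("coverage gaps:", coverage_gaps())
    print("evidence pulls (projectized, unified):", evidence_collections())
```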

Page 25: Common Regulatory Reqmts / Standards / Frameworks / Guidelines

A brief listing (30 out of a list of 340) of Regulatory / Standards from the world of Compliance Mandates:

• Sarbanes-Oxley Act (SOX)
• PCAOB Auditing Standard No. 2
• AICPA SAS 94
• AICPA/CICA Privacy Framework
• AICPA Suitable Trust Services Criteria
• Retention of Audit and Review Records, SEC 17 CFR 210.2-06
• Controls and Procedures, SEC 17 CFR 240.15d-15
• Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
• The GAIT Methodology
• Basel II
• HIPAA
• Gramm-Leach-Bliley Act (GLB)
• Standards for Safeguarding Customer Information, FTC 16 CFR 314
• Privacy of Consumer Financial Information, FTC 16 CFR 313
• Safety and Soundness Standards, Appendix of OCC 12 CFR 30
• CAN SPAM Act
• Children's Online Privacy Protection Act (COPPA), 16 CFR 312
• Driver's Privacy Protection Act (DPPA), 18 USC 2721
• Family Education Rights Privacy Act (FERPA), 20 USC 1232
• Privacy Act of 1974, 5 USC 552a
• Video Privacy Protection Act (VPPA), 18 USC 2710
• Clause 49 (SEBI Guideline, Government of India)
• CobiT®
• Islamic Banking Rules
• NERC
• PIPEDA
• ISO:27001
• ISO:25999
• ITIL
• ISO:20000

Page 26: Presented by

Dinesh Bareja
CISA, CISM, ITIL, IPR, ERM, BS 7799 (Imp & LA)
Senior Vice President, Secure Matrix India Pvt Ltd
Email: [email protected]
+91.93710-64741
Tel: +91.22.3253-7579
Web: www.securematrix.in

Page 27: Contact Information

Registered Office – Mumbai:
12 Oricon House, 14, K. Dubash Marg, Fort, Mumbai 400 001
Tel: +91 22 3253 7579; Fax: +91 22 2288 6152; Email: [email protected]
Internet: http://www.securematrix.in

Technology Centre – Pune:
Trident Towers, 2nd Floor, Pashan Road, Bavdhan, Pune - 411021
Email: [email protected]

Technology Centre – Chennai:
Plot No. 1, Door No. 5, Venkateshwara Street, Dhanalakshmi Colony, Vadapalani, Chennai – 600026
Email: [email protected]

Dubai:
P O Box 5207, Dubai
Email: [email protected]

London:
16-20 Ealing Road, Wembley, Middlesex Hao 4TL
Email: [email protected]

Page 28: References

http://www.securematrix.in (Integrated Management System and various references)

http://isaca.org (“Top Business-Tech Survey Aug 08” and various references)

http://www.itpolicycompliance.com/pdfs/ITPCGAnnualReport2008.pdf

http://www.unifiedcompliance.com

Page 29: Thank You

Page 30: (blank slide)