Regulatory compliance pressures are plaguing organizations around the world. Unfortunately, because compliance challenges often affect multiple areas of an organization and can span across different industries, there is no silver-bullet technology package that will bring companies into compliance. In addition, recent corporate disasters and growing government regulatory action have heightened the focus on corporate governance and are driving the centralization of compliance oversight within today's organization. Because most IT functions permeate the organization and its processes, IT compliance is also a process that requires continuous oversight and management.
To meet IT compliance obligations, many companies are looking for a structured approach that allows them to identify and prioritize IT controls and establish a compliance record system. But, implementing an IT compliance program that is effective and responds to the dynamic business environment can be challenging. Nevertheless, having a structured approach is a major step toward compliance with different standards and legislation, such as the U.S. Sarbanes-Oxley Act of 2002, the International Organization for Standardization (ISO) 27001 standard, and the European Union (EU) Directive on Data Protection of 1995. To ensure their IT infrastructure is compliant year-round, organizations can incorporate a series of seven steps to existing operations. When combined with a formal risk assessment process and IT asset management strategy, these seven steps can bring companies one step closer to compliance.
The 7 Steps
In 1991, the U.S. Sentencing Commission (USSC) established the Organization Sentencing Guidelines to assist courts in setting fines for organizations and sentences for executives in criminal regulatory cases. The USSC based its model on seven core elements. In 2001, the original USSC guidelines went into revision to include Sarbanes-Oxley compliance and sentencing information.
Using the USSC guidelines as a basis, Forrester Research — a technology and market research company that advises organizations about technology's impact on businesses and consumers — extended the seven elements by integrating compliance best practices in large organizations. When examined in detail, however, these seven practices or steps are equally useful in small and mid-size enterprises. The extended guidelines provide a framework around which organizations can structure their IT compliance management programs, as well as information that could help organizations in their compliance efforts with non-US regulations, such as ISO 27001 and the EU Directive on Data Protection. Below is a description of each step and key points organizations need to keep in mind when implementing each of these recommendations.
Step No. 1: Document the Policy and Control Environment
To demonstrate IT compliance, firms must start by identifying how they document the compliance process and their IT control architecture. The overall compliance documentation architecture should be implemented through a control framework, such as the Information Systems Audit and Control Association's Control Objectives for Information and related Technology (CobiT), and should document all corporate IT policies, controls, standards, and procedures that align with compliance objectives and requirements.
The policy and control architecture establishes the compliance foundation upon which the remaining steps are built. Without a proper governance model of policies and controls, organizations may have a hard time overseeing, communicating, monitoring, enforcing, or responding to gaps. It is the policy and control architecture for compliance that provides the framework for everything else to work within the IT environment. This architecture is unique to each organization, reflecting its culture of control and industry requirements.
After drafting the necessary IT policy and control documentation, organizations need to communicate any relevant documentation clearly to those expected to comply with established policies, procedures, standards, and supporting controls. In addition, companies need to update and maintain all documentation, as well as use an operational control and compliance platform that helps them to manage the complexity of corporate IT policies and compliance controls. This documentation also should include a framework to manage operational risks, define policies and supporting controls to meet risks, conduct control self-assessments to validate IT control implementation and efficiency, and track existing control gaps and incidents within the IT environment.
Step No. 2: Assign Appropriate Compliance Management Oversight
The second element necessary for effective IT compliance is the establishment of appropriate oversight for compliance. In many organizations, the compliance role is divided among different parts of the firm. This results in substantial duplication of technology and effort, as well as a lack of compliance visibility across the organization.
Effective IT compliance oversight in an organization must achieve the mission and charter of the compliance program. To this end, companies should define IT compliance as a corporate function that has proper authority and governance, as well as create appropriate lines of communication to convey important compliance efforts to all operational areas. The board and executive management team must develop this structure with care and review it at least once per fiscal year for effectiveness. To be successful, organizations should develop a compliance oversight model that:
- Makes executives and the board accountable for compliance.
- Assigns IT compliance responsibility to an oversight manager. This individual may have the title of chief information officer or chief compliance officer.
- Delegates specific compliance areas to distribute oversight.
- Assigns adequate resources (e.g., staff and budget).
- Ensures that the compliance oversight manager has enforcement authority.
- Establishes lines of communication to the business.
- Defines reports and metrics for operational IT control and compliance.
Step No. 3: Require Personnel Screening and Access Control
Ensuring that the organization is not giving access to information and business processes to an individual likely to exhibit unethical behavior is crucial when establishing an effective IT compliance program. One of the greatest risks that organizations face when trying to enforce compliance with regulations is the internal threat from employees, contractors, and business partners. To ensure that appropriate and authorized access is established across the board, organizations should:
- Conduct a background check on employees, contractors, and business partners before allowing them access to sensitive corporate data.
- Use caution when delegating authority.
- Use identity management and provisioning when giving access to IT systems. Provisioning enables administrators to assign system resources and privileges to users, including employees, contractors, and business partners (e.g., many IT managers use provisioning software to enforce security policies).
- Implement access controls based on the person's job function, role, and responsibility.
- Change access rights when internal changes occur (e.g., an employee changes jobs within the organization).
- Revoke access upon termination.
- Conduct routine reviews to check for unethical behavior in personnel and contractors with access to sensitive resources.
- Publicize disciplinary standards. This allows employees to understand the repercussions of noncompliance with access policies and procedures.
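The access-control bullets above describe a joiner/mover/leaver review: access should match the person's current role, be removed on termination, and be granted only after screening. The following script is an added illustration, not code from the original article; it reconciles a constructed HR roster against a constructed list of access grants and reports what a reviewer must act on. The role-to-entitlement matrix, user names, and entitlement strings are hypothetical sample data.

```python
"""Joiner/mover/leaver access reconciliation (added example, constructed data).

Compares the HR roster with the entitlements actually present on a system and
flags grants that violate the Step 3 practices: access held by leavers, access
left over from a previous role, access held by unscreened people, and accounts
that match nobody in the roster.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical role-to-entitlement matrix: the entitlements each job role is
# permitted to hold.  Anything outside this set is an exception to review.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp.invoice.read", "erp.invoice.approve"},
    "developer": {"git.push", "ci.trigger"},
    "contractor_dev": {"git.push"},
}


@dataclass(frozen=True)
class Person:
    user_id: str
    role: str
    status: str            # "active" or "terminated"
    screened: bool = True  # background check completed before access was granted


@dataclass(frozen=True)
class Grant:
    user_id: str
    entitlement: str


@dataclass(frozen=True)
class Finding:
    user_id: str
    entitlement: str
    issue: str   # short machine-readable reason
    action: str  # what the reviewer must do


def reconcile(roster, grants):
    """Return one Finding per grant that should not exist in its current form."""
    people = {p.user_id: p for p in roster}
    findings = []
    for g in grants:
        person = people.get(g.user_id)
        if person is None:
            # Orphan account: nobody in HR owns it, so nobody is accountable for it.
            findings.append(Finding(g.user_id, g.entitlement, "orphan_account", "revoke"))
        elif person.status == "terminated":
            # Leaver: access must be revoked upon termination.
            findings.append(Finding(g.user_id, g.entitlement, "leaver_still_has_access", "revoke"))
        elif not person.screened:
            # Background check outstanding: no access to sensitive data yet.
            findings.append(Finding(g.user_id, g.entitlement, "unscreened_user_with_access",
                                    "suspend until screening completes"))
        elif g.entitlement not in ROLE_ENTITLEMENTS.get(person.role, set()):
            # Mover or over-provisioning: entitlement is outside the current role.
            findings.append(Finding(g.user_id, g.entitlement, "entitlement_outside_role",
                                    "remove or document an approved exception"))
    return findings


def summarize(findings):
    """Count findings by issue type, a simple metric for the oversight report."""
    return dict(Counter(f.issue for f in findings))


# Constructed sample roster and grants.
ROSTER = [
    Person("alice", "accounts_payable", "active"),
    Person("bob", "developer", "terminated"),
    Person("carol", "contractor_dev", "active", screened=False),
    Person("dan", "developer", "active"),  # moved from accounts_payable last quarter
]
GRANTS = [
    Grant("alice", "erp.invoice.read"),
    Grant("alice", "erp.invoice.approve"),
    Grant("bob", "git.push"),               # leaver still provisioned
    Grant("carol", "git.push"),             # screening not yet completed
    Grant("dan", "git.push"),
    Grant("dan", "erp.invoice.approve"),    # left over from previous role
    Grant("svc_legacy", "ci.trigger"),      # no matching person in HR
]

if __name__ == "__main__":
    for f in reconcile(ROSTER, GRANTS):
        print(f"{f.user_id:<11} {f.entitlement:<22} {f.issue:<28} -> {f.action}")
    print(summarize(reconcile(ROSTER, GRANTS)))
```

Running the reconciliation on a schedule, and feeding the findings into the same workflow that handles disciplinary standards and exceptions, turns the routine review bullet into a repeatable control rather than a one-off audit.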
Step No. 4: Ensure Compliance Through Training and Communications
Forrester Research's fourth recommendation is the establishment of effective compliance awareness through active training and communication to employees, contractors, and business partners. To avoid corporate wrongdoing and fraud, as well as to reduce liability, organizations must implement effective compliance training programs that help to promote compliance with regulations and rules of corporate conduct. Characteristics of an effective compliance communication and training program include:
- The integration of compliance into the corporate ethics program.
- Active policy communication.
- Required compliance training for all employees, contractors, and consultants who have access to regulated information.
- The acknowledgement of training and policy adherence.
- Up-to-date information regarding relevant changes in regulations and case law.
In essence, companies have to ensure that individuals with access to regulated processes and information understand what they need to do to comply with internal and external regulations.
Step No. 5: Implement Regular Monitoring and Auditing of IT Controls
Monitoring and auditing IT controls for efficiency and effectiveness is the fifth step toward establishing an effective IT compliance program. Where the first recommendation focused on documenting controls, this step focuses on the working operation of those controls. The controls that affect IT compliance, and therefore need to be monitored, vary in type. Some include:
- Policy, operational, and technical controls.
- Contractual controls.
- Detective, preventive, and corrective controls.
- Compensating controls.
Firms should monitor and audit controls regularly through a manual or automated process, which validates that the control is in place and is operating effectively. When monitoring the management of IT system controls, many organizations prefer automated control monitoring and enforcement to ease the burden of control validation. When controls cannot be automated, organizations should conduct control self-assessments that are facilitated through workflows on compliance management systems. Furthermore, control self-assessments should be augmented by independent verification of audit controls.
Documented controls are meaningless and could become a business liability if they are not implemented or functioning properly. As a result, the role of compliance management is to implement a process for monitoring control implementation and effectiveness. The critical factors an organization must have in place for monitoring and auditing IT controls are:
- Ongoing validation of controls by management.
- Independent audit verification of controls.
- The establishment of key risk indicators.
- The reporting of control gaps and audit findings in the environment.
- The monitoring of corporate policy compliance.
- The retention and review of audit trails.
In addition, organizations need to establish a process that helps them incorporate any recommendations accepted by management regarding the control monitoring process, and implement an escalation procedure that details how to proceed when agreed-upon recommendations are not implemented.
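The paragraphs above call for automated control validation, key risk indicators, reporting of control gaps, and retained audit trails. The script below is an added illustration, not code from the original article: it evaluates a small hypothetical control catalogue against a constructed configuration snapshot, records each result in a hash-chained evidence trail so later alteration of retained evidence can be detected on review, and computes a pass-rate indicator. The control IDs, snapshot keys, and thresholds are assumptions made for the example.

```python
"""Automated IT control monitoring with a tamper-evident evidence trail.

Added example with constructed data.  Each control is a predicate over one
value from a system snapshot; missing evidence is treated as a gap, never as
a pass.  Results are appended to a SHA-256 hash chain so that the retained
audit trail can be re-verified before it is reviewed or handed to auditors.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed snapshot of what an automated collector might pull from systems.
SNAPSHOT = {
    "password_min_length": 8,
    "admin_mfa_enabled": True,
    "log_retention_days": 30,
    "inactive_accounts_older_than_90d": 3,
}

# Hypothetical control catalogue: ID, description, evidence key, and the check.
CONTROLS = [
    {"id": "AC-01", "description": "Passwords are at least 12 characters",
     "key": "password_min_length", "check": lambda v: v >= 12},
    {"id": "AC-02", "description": "MFA is enforced for administrative accounts",
     "key": "admin_mfa_enabled", "check": lambda v: v is True},
    {"id": "AU-01", "description": "Audit logs are retained for at least 365 days",
     "key": "log_retention_days", "check": lambda v: v >= 365},
    {"id": "AC-03", "description": "No account has been inactive for more than 90 days",
     "key": "inactive_accounts_older_than_90d", "check": lambda v: v == 0},
]

GENESIS = "0" * 64  # previous-digest value for the first trail entry


def evaluate_controls(snapshot, controls=CONTROLS):
    """Run every control against the snapshot and return a result per control."""
    results = []
    for c in controls:
        value = snapshot.get(c["key"])
        # Absent evidence is recorded as a failure so gaps are never hidden.
        passed = value is not None and bool(c["check"](value))
        results.append({"control": c["id"], "description": c["description"],
                        "evidence": {c["key"]: value}, "passed": passed})
    return results


def control_gaps(results):
    """IDs of controls that failed: the input to the gap report and escalation."""
    return [r["control"] for r in results if not r["passed"]]


def key_risk_indicator(results):
    """Percentage of controls passing; tracked over time as a key risk indicator."""
    if not results:
        return 0.0
    return round(100.0 * sum(r["passed"] for r in results) / len(results), 1)


def append_evidence(trail, record, ts=None):
    """Append a result to the trail, chaining it to the previous entry's digest."""
    entry = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "record": record,
        "prev": trail[-1]["digest"] if trail else GENESIS,
    }
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["digest"] = hashlib.sha256(payload).hexdigest()
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return True only if every entry's digest and chain link are intact."""
    prev = GENESIS
    for entry in trail:
        if entry.get("prev") != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "digest"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != entry.get("digest"):
            return False
        prev = entry["digest"]
    return True


if __name__ == "__main__":
    results = evaluate_controls(SNAPSHOT)
    trail = []
    for r in results:
        append_evidence(trail, r)
    print("gaps:", control_gaps(results))
    print("controls passing:", key_risk_indicator(results), "%")
    print("evidence trail intact:", verify_trail(trail))
```

Each trail entry keeps the raw evidence value alongside the pass/fail verdict, so a reviewer or independent auditor can re-derive the verdict rather than trust the label; the chain check is what makes the "retention and review of audit trails" bullet meaningful when the trail itself is the evidence.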
Step No. 6: Enforce the Control Environment Consistently
The sixth step identifies some of the ways effective compliance programs may promote consistent enforcement of policies and controls throughout the company. Consistent enforcement of the control environment allows internal controls to be applied appropriately throughout the organization, its business processes, and its relationships, and ensures that specific control violations are not ignored but are acted upon according to policy. The organization's approach to ensuring consistent enforcement should drive the success of the overall compliance program. It is through consistent enforcement that the organization's culture of compliance is achieved and that employees understand there will be zero tolerance for unethical and noncompliant behavior.
If management does not consistently enforce controls and discipline unethical and noncompliant behavior, the compliance program will fail. Penalties for noncompliance increase with regulators and the courts when organizations do not exhibit effective governance and enforcement practices. Vital factors for consistent enforcement of the control environment include:
- Establishing appropriate incentives to endorse strong ethical and compliance behavior.
- Adhering to consistent disciplinary actions.
- Providing open communication and reporting.
- Implementing a systematic approach to incident investigation.
- Establishing a post-incident evaluation process that enables organizations to learn from each incident.
Step No. 7: Prevent and Respond to Incidents and Gaps in IT Controls
An effective IT compliance program prevents and responds to compliance violations and gaps in controls and includes a lessons-learned process to prevent further violations. For instance, identified control deficiencies or incidents should be corrected in an efficient and effective manner. To prevent and respond to IT control incidents, organizations must:
- Develop a control deficiency response plan.
- Maintain an incident response team and procedures.
- Implement active detection and monitoring for gaps and violations.
- Build a lessons-learned process, so the company is not a repeat offender.
- Establish active and cooperative lines of communication with authorities, and communicate with authorities according to response procedures.
- Obtain legal counsel from a knowledgeable source when incidents occur.
Disregarding control gaps and compliance violations amounts to negligence. Therefore, it is essential that an effective compliance program actively identifies and closes all control gaps, as well as contains or eliminates potential damage or loss to the organization incurred by any violations.
Beyond the 7 Steps
Following the seven guidelines above will help organizations build effective IT compliance programs that improve confidence in business performance. In addition, the seven steps help companies manage operational risks and compliance efforts, as well as measure compliance consistently. To implement the steps, organizations need to rely on policy, approach compliance as a process as opposed to individual projects, and consider the use of technology to automate compliance management activities.
Furthermore, organizations need to establish a formal risk assessment process so they can take a more comprehensive approach to information security management. This formal risk assessment process will help organizations expand the effectiveness of the seven recommendations above. After conducting an organization-wide information security risk assessment, companies should implement an information asset management strategy, as well as put into practice a business continuity plan that incorporates IT disaster recovery strategies.
Architecture for Sustainable Compliance
Organizations that do not embrace IT compliance management as a defined business process will approach compliance as fragmented projects. Although this mindset may appear to work for a short time, gaps that can push an organization out of compliance may arise quickly. In fact, one of the 11 control areas mentioned in the ISO 27001 standard is compliance with relevant legislation and regulations that affect the organization's activities. Unfortunately, many organizations don't realize what the consequences of noncompliance are until it's too late: When regulators come asking questions, and there is no central person ready to answer them, the organization looks confused and disorganized and receives more scrutiny.
On the other hand, organizations that incorporate the seven steps make effective IT compliance a cost of doing business — not a one-time business event. For these firms, spending money on a compliance program averts far greater expense resulting from losses and penalties. These organizations also establish greater operational control oversight, enabling them to pour more funding into expanding their activities into new areas with confidence. These well-run organizations will contrast sharply with those that remain reactive and tackle compliance problems as isolated and reactionary initiatives. The end game is a culture of IT compliance and controls and a structured approach that demonstrates the business is practicing IT compliance, while managing information security from the most senior level.