IT Regulatory Compliance & Risk Management
Contributed by Brabeion Software, Inc.
Organizations today are waking up to the realities of managing a fast-moving business in a permanent regime of complex regulatory
HIPAA, Basel II and a myriad of other regulations are driving companies to implement sophisticated compliance frameworks in record timescales and with unprecedented levels of budget and resource. Compliance functions are on a steep learning curve to design cost-efficient processes that can be easily repeated across a changing business and technology landscape. Organizations are asking the question: How can we reduce the ongoing cost and complexity of compliance? The answer is: by taking a smarter approach that draws on established best practices and exploits the tools and knowledge base that already exist. This paper sets out the principles and pointers to enable organizations to develop an efficient, long-lasting and adaptable compliance framework that will mitigate risks, reduce the costs of incidents, and meet the requirements of the most demanding auditors.
Taking the pain out of Regulatory Compliance
Why security and compliance requirements are growing: today's reality
Organizations today are also under mounting pressure to raise their game in information security and IT compliance. This pressure is coming from four directions:
How long will these pressures last? The answer is that they will most likely continue to increase even further, at least for the foreseeable future and perhaps well beyond that. As the futurist Alvin Toffler once put it: The 21st Century will be dominated by information wars and increased economic and financial espionage. (1) This is because we are slowly entering a new Information Age, in which information and its exploitation will become pivotal to business success and survival. We can already see a number of trends on the horizon that will encourage a much tougher security and compliance environment for organizations. Examples of this include:
How to respond?
Faced with these pressures, organizations have been pressed into action to implement new compliance management frameworks in very tight timescales. In many cases, this has led to unsustainable costs and resource requirements. Compliance functions are now on a steep learning curve to determine how to develop more cost-efficient compliance processes that can be easily repeated each year across a business and technology landscape that is constantly evolving. They are asking the question: "How can we reduce the ongoing cost and complexity of compliance?" The answer to this important issue is to take a much smarter approach to regulatory compliance. The rest of this paper aims to explain how this can be achieved by setting out the "tricks of the trade," the key guiding principles developed by the professionals for developing long-lasting, cost-efficient compliance management frameworks.
The smart approach to compliance
Smart compliance management is based on applying the principles from a set of key learning points from organizations that have successfully developed, implemented and managed large-scale compliance management initiatives. Applying these learning points and the key underlying principles of good documentation design enables the implementation of efficient, adaptive and long-lasting compliance management frameworks. Following are six key lessons learned that should be front of mind for all security and compliance managers.
By appreciating the above learning points and applying the underlying principles for the design of efficient, long-lasting compliance management frameworks, organizations should find that the burden of regulatory compliance is considerably reduced, resulting in substantial cost savings and significantly reducing the risk of non-compliance.
Risk-based versus Compliance-based approaches to IT controls selection
Up until the mid-nineties there was no generally-accepted source of appropriate IT control descriptions. Organizations were forced to carry out expensive, bespoke security risk assessments from first principles or they were condemned to discover by trial and error the painful penalties of not incorporating security controls in their information systems. Legacy security solutions for commercial systems tended to be customized, tactical and often full of holes. On the other hand, military systems relied on minimum standards based on security classifications that greatly increased their implementation costs. The publication and progressive uptake of BS7799, COBIT and ITIL, coupled with the emergence of more sophisticated risk assessment packages radically changed the nature of the problem space. Organizations today now have the benefit of many hundreds of man years of experience contained within published control frameworks and commercial software tools. But they have also inherited a patchwork quilt of similar, overlapping solutions that may offer comprehensive guidance on the choice of controls but that also require substantial filtering, analysis and interpretation for implementation.
At two opposite ends of the spectrum are the risk-based and compliance-based approaches to controls selection. The risk-based approach involves assessing the full range of potential threats, vulnerabilities and business impacts associated with an information system in order to select the most appropriate set of security and IT controls. In contrast, the compliance-based approach (also called the baseline approach) builds on the well-established principle that the vast majority of security control requirements are largely the same for all systems. Since there are already well-established collections in standards such as ISO 17799, why not just implement these standards across all applications and infrastructure services? In practice, the optimum solution lies somewhere in between these two extremes, though there are still advocates of both approaches. (2)
The most important learning point is to appreciate the limitations and benefits of the two different approaches. Risk assessments produce a more tailored solution, but they are expensive and time-consuming to apply. They can lead to inconsistent results across an organization (which can be a threat to security and also drive up overall costs), and the results are only as effective as the practitioner who assessed the risks and impacts. On the other hand, the compliance-based approach will deliver faster and more consistent results (important for encouraging standardized enterprise-wide security solutions). But in the absence of a risk assessment, there may be inadequate information to determine the strength-of-mechanism for a particular control.
The optimum approach is to combine the best of both approaches:
Principles for designing long-lasting, low maintenance control frameworks
One of the most important learning points in compliance management is to understand and exploit the key underlying principles for designing long-lasting, low-maintenance control frameworks. (3)
Over the years, in designing, implementing and managing control frameworks for leading organizations such as Royal Dutch/Shell Group and Royal Mail Group, I have identified a number of key principles for achieving long-lasting, low maintenance frameworks. The most important ones are as follows.
How to structure documentation and guidance
A sound architecture is the key to easy navigation by users and efficient maintenance by policy and compliance managers. The top level presentation of all models and frameworks is often a political decision, as it generally reflects the preferences of its designers and their perceived view of the relative importance and hierarchy of particular subject areas and functions. What really counts in any architecture is the underlying structure, the grouping of information and the presentation of the detailed content to the actual users. A layered approach to all documentation is essential for efficient development and management. These layers should be selected based on the length of the life cycle for refreshing the information content, otherwise long-lasting content will be mixed with fast-changing text, increasing the maintenance burden. Documents that mix frequently-changing organizational and technology details with more long-lasting, broad policy statements quickly become out-of-date, requiring frequent revision.
A more sensible and recommended approach is to structure your documentation on the following lines.
Develop guidance for both technology and people
It is tempting to develop a single set of guidance for a particular compliance requirement. However, one size does not fit all and the needs of technology and people are very different. Information systems and computer platforms require precise, unambiguous, technical instructions. People require clear, non-technical guidance on the controls for which they are responsible. They also want to know why they are doing it (i.e. which precise law, regulation or corporate policy demands it) and what might happen if they fail to deliver. Technical detail will not impress them. The ideal portfolio of control guidance requires very different presentations for people and technology, each tailored to the specific characteristics and needs of the audience.
Maintain clear mappings across each layer of control
Unstructured content is difficult to navigate and maintain without a clear index of relationships between compliance requirements, policies and controls. It is tempting but short-sighted to develop policies, standards, control requirements and audit checklists as free-standing, ad hoc documents, designed to satisfy a specific purpose, at a particular time. Today's compliance requirements are not one-off requirements; they are here to stay and will only become more complex and more demanding. It will pay dividends to construct and maintain mappings of high level requirements to the detailed technical controls that are actually applied to information systems and their supporting infrastructure. Not only will this simplify future content management, it will also facilitate compliance audits and the associated pre-audit planning and preparation work.
Spell out the precise status of standards and guidance
This might seem obvious but it's surprising how many organizations fail to get this right. Guidance can be mandatory or desirable. It can be prescriptive (do it this way) or flexible (in interpretation). These characteristics often change across the various layers of control. For example it is relatively common to apply the requirements of a mandatory regulation through a flexible code of practice, which in turn is translated into a rigid technical standard. Inconsistency or lack of clarity in control descriptions is a primary cause of failure in implementing controls. The answer is to maintain a clear, consistent approach at all levels, adopting a common language that makes it completely clear whether an instruction must be followed to the letter, or can be flexibly interpreted, or can even be ignored (for example if the risk is low or the costs are high).
When to adopt external practices and when to craft your own
Building on the very first learning point, "Do not reinvent the wheel," it is important to avoid the temptation of either importing an entire, and perhaps inappropriate, control framework from another organization, or handcrafting a complete new controls structure from scratch. These options might sound extreme, but they are not uncommon. I know one leading Fortune 100 organization that initially set out to develop a new controls framework from scratch but then quickly adopted the slogan "we will steal with pride" after being quoted tens of millions of dollars for the development of a bespoke architecture. The key to developing a successful controls framework is to understand when and what to import from the outside world and what is best developed in-house.
For example, items that do not vary much across organizations and can be safely based on external best practices would include:
On the other hand, items that vary to a much greater degree across organizations and are best tailored to the enterprise would include:
Managing risks and controls across complex, outsourced supply chains
Having developed, negotiated and managed contract schedules for large-scale outsourcing, I can claim direct experience of the issues of managing risks and controls across complex, outsourced supply chains. I have found this to be one of the most difficult areas of compliance management, as the control of change is in the hands of the outsourcer, whereas the responsibility for meeting the compliance requirements remains firmly with the user. The secret of successful management of risks across outsourced services is in careful preparation of the contract schedules and in maintaining good relationship management with the outsourcer. Key principles for achieving this include:
Smart use of software solutions
Faced with the "alphabet soup" of complex, overlapping regulatory compliance requirements and the growing portfolio of corporate policies, standards and control frameworks, most organizations will naturally look to some form of automation or software solution. Spreadsheets might appear to be an obvious starting point, but their limitations will quickly become clear as inconsistent variants begin to proliferate across the organization. A specialized software solution based on an established, authoritative knowledge base will quickly emerge as the preferred solution. However, any new compliance management solution (whether automated or not) is costly in resources to implement across an organization and can be even more expensive to change. You may only get one shot at selecting or designing a software solution. After that, your business case and implementation budget will be exhausted. It is essential, therefore, to understand the key features to look for in a commercial compliance management product. Although the detailed user requirements will vary to some extent across organizations (depending on factors such as size, geography, degree of outsourcing, maturity of governance processes, etc.), there are certain key requirements that are universally needed and that, if not required immediately by your organization, will most likely be useful for future phases of your compliance program.
What to look for in software solutions
It is important to focus not just on the immediate task at hand but also on how a software solution can support the organization throughout the full compliance lifecycle. Large-scale regulatory compliance is still a developing art, and there are few established and mature methodologies in this area. However, there is a common cycle for process improvement activities that can be applied to any business improvement initiative. A good example of this is the classic Deming Cycle (7) of "Plan, Do, Check, Act". Software solutions should be designed to support all phases of this cycle, from the planning stage to the correction phase. Here are some examples of specific requirements to look for when selecting a software solution for regulatory compliance. They are features that can be found in contemporary compliance management software.
A smart choice of software solution will deliver major cost benefits across the organization by speeding up and eliminating unnecessary duplication of effort in identifying compliance requirements and in planning, implementing, checking and monitoring the actual implementation of controls. This can mean a difference of several man years and many months of elapsed time in achieving a compliant status.
The state-of-the-art in compliance management software
Brabeion Compliance Center is a good example of a state-of-the-art compliance management solution. Originally developed by PricewaterhouseCoopers LLP in the late nineties, and now in its sixth generation, it is one of the few commercial solutions that can deliver detailed guidance and mapping on all major regulatory compliance requirements from the high-level control description to the detailed implementation of controls at the actual computer platform level. Powered by comprehensive information risk and audit content developed and maintained by PricewaterhouseCoopers LLP, it is a professional and authoritative source on specific compliance requirements. The current package contains 600 policy standards and more than 5,000 IT controls and implementation guidelines. It provides full life-cycle support to the compliance management process across the organization. Software solutions such as Brabeion Compliance Center enable substantial savings in the time required to research regulatory requirements and translate them into policy, controls and technical implementation guidance, tailored specifically to the requirements of the organization.
Critical success factors in implementing smart compliance management
Examples from leading organizations
Understanding the critical success factors in achieving efficient, effective large-scale IT compliance management systems is best done by looking at real examples from large organizations that have successfully developed and implemented long-term compliance management strategies. The following examples outline the characteristics and critical success factors of the compliance approaches taken by three different organizations.
Royal Dutch/Shell Group
Throughout the 1990s the Royal Dutch/Shell Group pioneered the compliance-based approach to security controls selection, beginning in 1990 with an outline Information Security Management framework, extending from high-level Group policy, through a generalized set of around 100 baseline controls (based on collected best practices from Shell operating companies) and extending to a growing portfolio of "implementation standards" (for IT platforms) and "interpretation guides" (for managers and staff). This controls framework was progressively developed and refined over the next fifteen years as new security risks, new technologies and new security solutions evolved. The content and structure of the generalized baseline controls became the primary basis of the British Standard BS7799 and enabled Shell to achieve the world's first BS7799 certification (for Shell IT services delivered across Europe). The platform standards became the basis of the Shell "Trust Domain", an ambitious and successful scheme to certify the infrastructure controls across 200 sites in 130 countries in support of global connectivity and knowledge management. Shell's approach to information security compliance was characterized by relatively low maintenance costs, true global reach and full life-cycle compliance management. The architecture, though refreshed several times, has lasted for more than fifteen years. New compliance requirements and platform standards have been incorporated alongside existing material with minimal reworking. The critical success factors in achieving such high levels of longevity and global applicability include the following:
Royal Mail Group
The British Royal Mail Group (formerly the Post Office Group) is one of the largest employers in the UK and operates the largest retail network in Europe. It currently holds what is probably the world's largest formal BS7799 certification, extending to around 8,000 end-users in 500 buildings and encompassing an outsourced supply chain of three major vendors (CSC, BT and Xansa) who have been certified for all services delivered to the Royal Mail Group. This level of large-scale compliance management was built up from scratch over a period of around five years following the launch of a new information security function in 1999. The Royal Mail Group approach to security compliance is characterized by very low maintenance costs (indicated by a KPMG benchmarking exercise with other leading UK organizations carried out in 2003) and a marked reduction in security incidents (based on four years of historical incident data). There has also been a progressive improvement each year both in the scope, quality and presentation of security guidance and in the visibility of compliance achieved across the organization. Critical success factors in achieving this impressive level of achievement include the following.
Chevron Corporation
Chevron Corporation purchased the PricewaterhouseCoopers LLP Enterprise Security Architecture System (ESAS) in 2000, initially to help it document its information security strategies. Since then, the software (subsequently acquired by Brabeion) has helped Chevron to develop and efficiently maintain a comprehensive, central repository for all of its security policies and controls. This approach paid dividends when Chevron was later required to meet Sarbanes-Oxley compliance requirements. The company was delighted to discover that ESAS compliance was more than enough to demonstrate SOX IT compliance. Chevron has subsequently obtained multiple benefits from its compliance management solution, which go well beyond simply documenting the security controls that are necessary to comply with Section 404. Its software solution has served as a prescriptive instruction manual for the organization that underpins the formulation of new information security strategy and policy. Critical success factors in achieving this include the following.
Regulatory compliance is a major burden for many organizations. Current and emerging trends suggest that the demands will most likely become tougher, more numerous and harder to apply within a fast-moving business environment. Most companies are looking to streamline their compliance management process to reduce the time and costs of meeting and demonstrating compliance. This paper has demonstrated that there are many practical learning points and proven principles that can be applied to streamline the compliance management process. Critical success factors include the strategic approach, the exploitation of external know-how, the design of the controls framework, and the choice of software solution. Examples from leading organizations demonstrate that the achievement of simple, efficient, long-lasting and low maintenance compliance management solutions is within the grasp of any organization.
About Brabeion Software
Brabeion Software is the expert in enabling regulatory compliance for information and risk management. We help organizations achieve and sustain compliance through a full lifecycle policy, standards and IT control management software platform powered by comprehensive information risk and audit content developed and maintained by PricewaterhouseCoopers LLP. Over 300,000 users have deployed Brabeion solutions to accelerate time to compliance, protect information assets and mission-critical systems, lower costs, and optimize IT controls. Brabeion Software is successfully deployed across a wide range of vertical markets including Financial Services, Oil and Gas, Healthcare, Pharmaceutical, Government and Transportation.
About the author
David Lacey is an international authority on Information Security Management with more than 20 years of professional experience, most recently as Director of Information Security and Risk Management for the Royal Mail Group. Prior to that, he was responsible throughout the nineties for Information Security policy and standards for the Royal Dutch/Shell Group. Before that he was Head of IT Security for the British Foreign & Commonwealth Office. David is a keen futurist and innovator, firmly believing that the best way to predict the future is to invent it. Amongst other things, David played a major role in the development of the British Standard BS7799 and the design of the associated certification schemes. He is a regular keynote speaker at international conferences and has served on numerous professional boards concerned with Information Security and Compliance, including the APACS Security Advisory Group, the BCS Security Forum, the Jericho Forum (which he founded) and the UK National Identity Card Private Sector User Group (which he chaired). David is also a joint founder of the Institute for Information Security Professionals (IISP) and is the first Honorary Fellow of The Jericho Forum.
(1) Alvin Toffler,
(2) Donn Parker of SRI International, an early pioneer and strong advocate of the "baseline approach", campaigned vigorously throughout the nineties for the demise of the risk-based approach despite the fact that he was an original pioneer of risk assessment methodologies during the seventies.
(3) By "long-lasting" I mean at least ten years without major restructuring, because that is possible and has in fact been achieved by organizations such as the Royal Dutch/Shell Group. By "low maintenance" I mean an overall framework that is fast and easy to update and requires a minimum of reworking of existing material to accommodate the changes.
(4) In my experience it is far better to implement platform security against a professionally-developed, independent target standard, as service managers are generally reluctant to consider those security controls that restrict application functionality or present additional work for system operators.
(5) If this is done against a prescriptive target standard, then it will be necessary to maintain a "step-out" process and identify additional "work-around" controls for systems that cannot, for operational or financial considerations, meet the target standard.
(6) It is often best to start with an agreed specific description that you can later negotiate changes to, rather than be faced with the situation of failing to get the outsourcer to agree to anything new.
(7) W. Edwards Deming in the 1950s proposed that business processes should be analyzed and measured to identify sources of variations that cause products to deviate from customer requirements. He recommended that business processes be placed in a continuous feedback loop so that managers can identify and change the parts of the process that need improvements. Deming created a simple diagram to illustrate this continuous process, commonly known as the PDCA cycle for "Plan, Do, Check, Act".
(8) Good control descriptions should spell out the objectives, implications, implementation procedure and audit procedure for each control.
Any technical information that is made available by Brabeion Inc. is the copyrighted work of Brabeion Inc. and is owned by Brabeion Inc. NO WARRANTY. The technical information is being delivered to you as-is and Brabeion Inc. makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user.