Project Post-Gazette – COMPLIANCE CENTRAL
November Issue, Volume 2013, Issue 11
Cheryl A. Wilson, PMP, PMI-RMP, CCEP
With the vast changes in regulatory compliance today in the US (United States) it is important for organizations that are required to adhere to regulations to do their “due diligence” when documenting internal and external policies and controls, assigning appropriate compliance management oversight, and ensuring compliance through employee training.
These compliance regulations become even more challenging when implementing them within Information Technology (IT) compliance controls. IT compliance programs (C&E) are difficult to implement because they touch so many areas within an organization. One way to ensure a successful IT compliance program would be to centralize the compliance function within the organization to be able to provide continuous oversight across all areas that they apply to. Organizations need to communicate new regulations and reinforce current regulations to employees on a continuous basis to be effective in developing a higher level of ethical and lawful conduct within their organizations. It really should not take the threat of conviction on federal statues, including fines and restitution, imprisonment and probation or exclusion from participation in various federally funded programs for organizations to implement strong internal controls, but somehow this does happen.
Previous PPG articles have talked about the 1991 United States Sentencing Commission (USSC) Organization Sentencing Guidelines. The USSC developed the guidelines to promote consistent treatment of organizations (and individuals) convicted of these crimes. These guidelines assist in the model for compliance programs today and actually help set the criteria for executives in setting up their C&E programs. In past PPG Compliance Central articles, we discussed the seven core elements the Sentencing Guideline uses as their model. According to the USSC, an organization that has an effective compliance and ethics program can mitigate their sentences if they have followed through with implementing and maintaining a set of standards demonstrating an effective C&E program much like the set of seven standards set forth in the USSC.
Research has shown the organization that maintains USSC structured C&E programs could reduce fines for a criminal conviction by as much as 90%. BUT, having a compliance program does not excuse the crime, but shows that the organization took reasonable efforts to prevent, detect and correct any improper conduct to deter the crime. A good C&E program may lower the organization’s starting “culpability score” by 60%, but not having a C&E program is actually considered a negative factor which increases this culpability score.
However to have an effective C&E program, organizations need to exercise their due diligence to try and prevent and detect criminal activity. The compliance program should be designed to encourage ethical behavior. With all the US and non US regulations that IT organizations are required to adhere to such as: ISO 27001 and the EU Directive on Data Protection, it is critical organizations ensure they have a broad base to stay compliant in all areas. The area of regulatory compliance is one of the biggest pressures for IT focused-organizations. To merely apply a cookie cutter compliance framework will be immature and inconclusive of the individuality of the IT organization’s structure.
Huge fines can be imposed if organizations fail to meet compliance controls which stand to reason why many organizations are centralizing their compliance oversight within their organizations for a better success rate. IT organizations are looking for a structured approach to achieve this compliance oversight balance which is why they use the Sentencing Guidelines are their framework. An overview of the Sentencing Guidelines is not repeated here, but they can be found in a previous Compliance Central article. http://projectgazette.com/archives/pg_apr2013.pdf
To set up your IT C&E Program the following steps should be considered at a minimum:
IT C&E Program Setup
- Research and gather all USA and International regulations pertaining to your IT, physical security, and Records Management, etc. to meet compliance requirements
- Map regulations into component areas such as records management, physical security, systems continuity, human resources management, etc.
- Determine which IT actions are required by each regulation and where they span multiple regulations. Look for any gaps or overlaps in order to ensure complete coverage of your compliance requirements while reducing any redundant effort. By grouping regulatory requirements into component areas instead of working with them one by one, you reduce redundant requirements.
- Identify the minimum set of controls you need to comply with to meet your compliance requirements.
- Establish a compliance framework to track all requirements and component areas. (i.e. an Excel control spreadsheet.)
IT Risk Assessment (ITRA): As discussed in previous articles of the Compliance Central, IT organizations conduct a risk assessment tailored for their individual organization’s unique requirements that are based on their organizational strategic goals and objectives. The board of directors and c-level executives are responsible for making strategic decisions, so the pressure is on them to create a strong compliance program. Governmental regulatory mandates require annual risk assessments, but with the rapidly growing and changing IT environment that seems to be the norm for IT projects, MCLMG recommends risk assessments should be reviewed and if needed, updated at least quarterly. MCLMG suggests quarterly internal assessments tailored to the organization’s environment to discover any areas of concern or weakness early in order to put into place strong mitigation plans.
The goal of the organizational IT risk assessment should be:
- Identify the true risks to the organization based on the organization’s strategic goals and objectives. (Remember, risks are tied to the deliverables or in this case, the strategic objectives are the deliverables.)
- Ensure resources and time is allocated to develop mitigation plans for each risk, and that triggers are identified,
- Risk and trigger plans are managed, and
- Risks are quantified for cost.
MCLMG recommends a Risk Subject-Matter-Expert (SME) to assist in the risk assessment as many times organizations spend a considerable amount of time identify the wrong risks, putting into place mitigation plans that are never carried out and miss focusing on the risks that matter.
Internal IT Audits: Organizations are constantly challenged with an increasing number of IT risks including security threats, new regulatory and legislative compliance and the unexpected disruption to system availability. Internal Audits should provide assurance that appropriate controls are considered, implemented and operating effectively to manage IT risks, both today and in the future. During the internal audit, the organization should be assessing their internal procedures and processes to ensure they are in alignment with mandated compliance requirements. Some internal documents and processes that should be reviewed are:
- IT standards
- Change control
- Data security and privacy
- IT human capital hiring, on-boarding, training, and retention policies
- IT controls design, documentation, testing, remediation, implementation (including training)
- IT architecture (operating in the cloud environment)
- General computer controls
- IT policy and procedures
- System design, pre and post implementation reviews
- Data conversion, interface, and database reviews
- Sarbanes-Oxley (SOX) readiness
- Continuity of operations
- Database administration
- Computer operations
- Physical security
The goal of the IT internal audit should be to:
- Provide an environment of where the organization can accomplish their objectives,
- Improve overall operations,
- Ensure any new compliance concerns are addressed, and
- Ensure an environment to improve an organizations risk management, risk control and overall governance processes.
For any organization seeking to place themselves in a better light and position of showing their support for strong compliance and ethics environments within their operations, the above suggestions are an excellent place to begin such efforts. We will be discussing additional activities and actions that can further an organization’s alignment and satisfactory achievement of many and varied C&E regulations facing modern day business entities.