Compliance – A Window of Opportunity

Presented by: Secure Matrix India Private Limited
@ iSAFE, Dubai. October 30, 2008

Dinesh Bareja, CISA, CISM
Sr Vice President
SECURE MATRIX INDIA PVT LTD
Mumbai – Pune – Chennai - London
[email protected]
Audit and Assurance Consulting and Advisory Services in
the Information Security and GRC domain covering IS/IT
Management / Process / Technical Services.
SecureMatrix Services

Service areas: PIPS, Consulting, Technical, Training, Professional Services

• Integrated Management System encompassing ISO 27001, BS 25999, ISO 9001 and ISO 20000
• Enterprise Risk Management
• Compliance Consulting
• Frameworks Implementation
• Vulnerability Assessment & Penetration Testing
• Technical Audit
• Compliance Audits
• cVa™
• Cyber Forensics
• Web Application Security Testing
• Audit
• Implementation
• Operations

The Compliance window grows…

Today we pay the price for the transgressions of the C-level criminals.
Today we see unknown unknowns around the globe and must brace ourselves for greater regulatory control, internal and external.
Whether this will stop more unknowns from hitting us in future is itself another unknown.
As professionals in technology, security and audit we are moving into a new dimension with increased responsibility for Governance, Risk and Compliance.

"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." E. F. Schumacher / Albert Einstein

Not My Organization!
(Chart; Source: Open Compliance & Ethics Group)

Compliance Today

• Organizations (worldwide) have numerous Compliance obligations and these are growing:
  – Regulatory
  – Standards / Best Practice Frameworks
  – Policies
  – Industrial
  – Contractual
• Complying with Compliance requirements takes up too many resources
• Meeting Compliance needs with technology provides a window of opportunity for the organization to reap tangible and intangible ROI

ISACA Survey - Top seven business issues

Overall rank, business issue and the survey's commentary (the source table also ranks each issue separately as seen by the audit team, IT management and the security team):

1. Regulatory compliance
Organizations are faced with more challenges now than ever; they must grow and maximize market opportunities while at the same time complying with an ever-increasing number of regulations and standards. Keeping on top of legislative and regulatory requirements is a significant task, and regulatory compliance still operates in “project” mode and has not yet been embedded in business processes. IT must design and maintain systems to comply with these legislative and regulatory requirements, despite the lack of an integrated framework.

2. Enterprise-based IT management and IT governance
Managing efficient and effective IT departments requires IT governance: the disciplines and capabilities that bring consistent and reliable delivery of IT services to the business. IT governance requires the alignment of IT operations with the goals and objectives of the business. In addition, delivery of IT services requires well-designed IT processes and coordination among the IT team members. However, while there is some recognition of the importance of IT governance at the executive level, further awareness is needed.

3. Information security management
After many spectacular breaches and losses, and enormous spending on “state-of-the-art” security technologies, enterprises are finally realizing that information security has more to do with managing people and process and less to do with implementation of technology. In so doing, enterprises can leverage international information security management standards (such as ISO/IEC 27001) that provide guidelines and common practices rather than reinventing the wheel each time.

4. Disaster recovery/business continuity
All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. In response, some enterprises implement business continuity management (BCM) programs to improve their resilience in the event of disaster. Unfortunately, these enterprises are in the minority and BCM still remains an elusive goal for most organizations.

5. IT value management
IT projects often lack alignment with business goals and objectives; as a result, they are unable to realize business benefits. In some cases, there is a lack of business involvement in IT projects, while in others, there is simply a breakdown in communication between what the business has asked for and what IT has delivered. Implementing processes to help bridge these gaps allows IT to service the needs of business and deliver value.

6. Challenges of managing IT risks
Risk management practices are poorly understood at the best of times so it is no surprise that IT risk management fares no better. Unfortunately, IT risks are pervasive across enterprises, so the impact of poor IT risk management can be disastrous.

7. Compliance with financial reporting standards
Global financial reporting standards, such as the US Sarbanes-Oxley Act, have been in place since 2004; however, they continue to be an area of focus for IT departments. While improvements have been made to the standards that help focus efforts on areas of higher risk, enterprises continue to experience challenges in complying in a cost-effective manner.

Source: Top Business/Technology Issues Survey Results, ISACA 2008

Challenges

Times like this were expected, but then …
the same questions,
the same different people,
the same time of the year,
the same forms,
the same reports (albeit with newer dates),
the same NCs (non-conformities) …
Welcome to the annual C-events.

• Thought for compliance is driven by regulatory / legal obligations
• Budgets usually shrink in proportion to increasing costs!
• Dynamically changing regulatory requirements
• Projectized approach: compliance is a project, e.g. a SOX, SAS 70 or BCP project, etc.
• Non-unified efforts lead to increased complexity of compliance management
• Internal pushback due to repetitive activities, reporting and resource-intensive efforts

Times like this were expected, but I never thought they'd be perpetually tough.

The Fallout
Much of the increase in cost is due to duplication of
regulation and ambiguous or inconsistent rules
-Securities Industry Association, 2006
Unifying Compliance

(Diagram) Regulatory, Policy, Standards, Best Practice, Industry and Contractual requirements are crosslinked into one set of Compliance Requirements. Opportunity!

Compliance – The Business Opportunity

Use the opportunity to build Compliance efforts into the business processes, using automation with best practice frameworks enabled.

Opportunity lights are on!

The Business Benefits

Business results among firms with the most mature practices (chart axes: Compliance is Technology Enabled; Maturity of IT Governance):
• 17 percent higher revenues
• 14 percent higher profits
• 18 percent higher customer satisfaction rates
• 17 percent higher customer retention levels
• 96 percent lower financial losses from the loss or theft of data
• 50 times less likely to lose or have customer data stolen
• 50 percent less spent on regulatory compliance annually
Source: IT Policy Compliance Group Report 2008

The Business Benefits (continued)

• Increased shareholder and market confidence
• Stakeholders' awareness of responsibility
• Continuous risk management enables ERM
• Compliance is timely, as mandated
• Automated and unified compliance lowers costs
• Best practices embedded in the organization's DNA
• Process efficiencies due to best practices
• Achieve governance goals and industry certifications
• Financial risk from non-compliance reduced
• Learning reduces compliance cycles
• Correlation of obligations across business units

• Engineer a culture of risk and responsibility in the organization
• Ensure a high level of awareness amongst stakeholders and demonstrate that it is not difficult if we build a culture of collective responsibility
• Build enterprise-level system(s) that address multiple compliance requirements across multiple regulatory authorities
• Create a lean compliance program that "delivers" to legal mandates (good-enough compliance) without diverting business effort, and that leverages the silver linings which can bring extra business value
• Plan the integration process step by step
• Introduce and build on best practice frameworks like CobiT®
• Even if you have a low level of automation in some areas you can enable hybrid reporting and build onwards
• Managed risk means managed compliance mandates; here we get enterprise-level inputs, so we can manage risk across the organization
• Efficient management means better business

Business Results
At first look, as we step into addressing security-oriented compliance mandates, we find they need high resource and cost commitments and seem to be a burden on the organization and its stakeholders. However, a strong compliance management system will ultimately pay for itself, through the costs it averts from security breaches and the savings it brings from increased efficiency and productivity.

GRC Business Efficiency Indicators
Integrate your compliance efforts … a technology-enabled unified compliance management program

• Central Compliance Repository / Database – holds documentation, information, policies and workflow across identified requirements
• Change Management – on all repository and process artifacts in respect of their versions, access and controls for distribution, retention or archiving
• Workflow Management – allowing assignment of responsibilities
• Updating and Optimization – compliance business process management allows grouping of common controls for unified collection
• Communication Management – policies and controls are communicated and published across the enterprise to stakeholders
• Reporting – interfaces and templates are designed for ease of use for reporting requirements in risk management / prioritization, metrics and audit
• Customization – interfaces and workflow assignments can be built for each mandate
• Manage and Track Progress – of compliance efforts, with metrics and automated alerts
• Audit Trails
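The two mechanics that make the program above cheaper than per-mandate projects are the grouping of common controls (one piece of evidence satisfies every mandate that maps to that control) and a tamper-evident audit trail over the evidence collected. The following is an added illustration written for this page; it is not Secure Matrix code and does not come from any GRC product or from the slides. The mandate names, clause identifiers and control names are constructed sample data that merely resemble cross-referenced safeguards, and the hash-chained trail is one simple way to implement "Audit Trails", not the only one.

```python
"""Common-control mapping with evidence reuse and a hash-chained audit trail.

Added example for this page (not Secure Matrix or any vendor code). All mandate,
clause and control identifiers below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Registry:
    # (mandate, clause) -> common control that satisfies the clause
    mapping: dict = field(default_factory=dict)
    # control -> evidence artifacts collected for it
    evidence: dict = field(default_factory=dict)
    # append-only audit trail; each entry carries the previous entry's hash
    trail: list = field(default_factory=list)

    def map_requirement(self, mandate, clause, control):
        self.mapping[(mandate, clause)] = control

    def record_evidence(self, control, collector, artifact, when=None):
        """Collect evidence once for a control; every clause mapped to it reuses it."""
        if control not in set(self.mapping.values()):
            raise KeyError(f"control {control!r} is mapped to no requirement")
        when = when or datetime.now(timezone.utc).isoformat()
        self.evidence.setdefault(control, []).append(artifact)
        entry = {
            "control": control, "collector": collector, "artifact": artifact,
            "when": when,
            "prev": self.trail[-1]["hash"] if self.trail else "0" * 64,
        }
        entry["hash"] = _digest(entry)
        self.trail.append(entry)
        return entry["hash"]

    def status(self, mandate):
        """Return ({clause: control} met by evidence, [clauses still open]) for one mandate."""
        met, gaps = {}, []
        for (m, clause), control in sorted(self.mapping.items()):
            if m != mandate:
                continue
            if self.evidence.get(control):
                met[clause] = control
            else:
                gaps.append(clause)
        return met, gaps

    def collections_needed(self):
        """(siloed, unified): evidence collections if each clause is handled as its
        own project versus once per common control."""
        return len(self.mapping), len(set(self.mapping.values()))

    def verify_trail(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.trail:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def build_sample_registry():
    """Constructed sample: three mandates, loosely named clauses, four common controls."""
    r = Registry()
    # access-review style clauses collapse onto one quarterly access review
    r.map_requirement("SOX", "ITGC-AC-1", "CC-01 quarterly access review")
    r.map_requirement("ISO 27001", "A.9.2.5", "CC-01 quarterly access review")
    r.map_requirement("PCI DSS", "7.1", "CC-01 quarterly access review")
    # change management
    r.map_requirement("SOX", "ITGC-CM-1", "CC-02 change approval records")
    r.map_requirement("ISO 27001", "A.12.1.2", "CC-02 change approval records")
    # logging and monitoring
    r.map_requirement("PCI DSS", "10.6", "CC-03 daily log review")
    r.map_requirement("ISO 27001", "A.12.4.1", "CC-03 daily log review")
    # continuity evidence asked for by one mandate only in this sample
    r.map_requirement("ISO 27001", "A.17.1.3", "CC-04 DR test report")
    return r


if __name__ == "__main__":
    reg = build_sample_registry()
    print("collections siloed vs unified:", reg.collections_needed())
    reg.record_evidence("CC-01 quarterly access review", "it-audit", "access-review-Q1.csv")
    for mandate in ("SOX", "ISO 27001", "PCI DSS"):
        print(mandate, reg.status(mandate))
    print("trail intact:", reg.verify_trail())
```

Recording one access-review artifact closes the access clause in all three sample mandates at once, which is the "unified collection" the slide describes; `collections_needed()` makes the saving countable (eight clause-level collections versus four control-level ones in the sample). The `verify_trail()` check is what an auditor would run before trusting the repository's history.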
Solution: Integrate Compliance Mandates

Many names… one system: Unified Compliance; Integrated Management System; Integrated Compliance…

Risk-based automation aligned with compliance mandates defined by
• Policies
• Business
• Legal
• Regulations
• Industry
• Contractual

Reporting responsibilities are directly assigned to concerned stakeholders through workflow management.

“Companies that select individual solutions for each regulatory challenge they face will spend 10 times more on the IT portion of compliance projects than companies that take on a proactive and more integrated approach.”
- Gartner

(Diagram: X-referenced Safeguards)

Common Regulatory Requirements / Standards / Frameworks / Guidelines

A brief listing (30 out of a list of 340) of regulatory / standards mandates from the world of Compliance:

Sarbanes-Oxley Act (SOX)
PCAOB Auditing Standard No. 2
AICPA SAS 94
AICPA/CICA Privacy Framework
AICPA Suitable Trust Services Criteria
Retention of Audit and Review Records, SEC 17 CFR 210.2-06
Controls and Procedures, SEC 17 CFR 240.15d-15
Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
The GAIT Methodology
Basel II
HIPAA
Gramm-Leach-Bliley Act (GLB)
Standards for Safeguarding Customer Information, FTC 16 CFR 314
Privacy of Consumer Financial Information, FTC 16 CFR 313
Safety and Soundness Standards, Appendix of OCC 12 CFR 30
CAN-SPAM Act
Children's Online Privacy Protection Act (COPPA), 16 CFR 312
Driver's Privacy Protection Act (DPPA), 18 USC 2721
Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g
Privacy Act of 1974, 5 USC 552a
Video Privacy Protection Act (VPPA), 18 USC 2710
Clause 49 (SEBI Guideline, Government of India)
CobiT®
Islamic Banking Rules
NERC
PIPEDA
ISO 27001
BS 25999
ITIL
ISO 20000

Presented by
Dinesh Bareja
CISA, CISM, ITIL, IPR, ERM, BS 7799 (Imp & LA)
Senior Vice President
Secure Matrix India Pvt Ltd
Email: [email protected]
Mob: +91.93710-64741
Tel: +91.22.3253-7579
Web: www.securematrix.in

Contact Information

Registered Office, Mumbai:
12 Oricon House, 14, K. Dubash Marg
Fort, Mumbai 400 001
Tel: +91 22 3253 7579; Fax: +91 22 2288 6152; Email: [email protected]
Internet: http://www.securematrix.in

Technology Centre, Pune:
Trident Towers
2nd Floor, Pashan Road
Bavdhan, Pune - 411021
Email: [email protected]

Technology Centre, Chennai:
Plot No. 1, Door No. 5, Venkateshwara Street,
Dhanalakshmi Colony, Vadapalani,
Chennai – 600026
Email: [email protected]

Dubai:
P O Box 5207
Dubai
Email: [email protected]

London:
16-20 Ealing Road
Wembley, Middlesex HA0 4TL
Email: [email protected]

References

• http://www.securematrix.in (Integrated Management System and various references)
• http://isaca.org (“Top Business-Tech Survey Aug 08” and various references)
• http://www.itpolicycompliance.com/pdfs/ITPCGAnnualReport2008.pdf
• http://www.unifiedcompliance.com

Thank You