Action Plan for HIPAA-Compliant Cloud

Adnan Raja

HIPAA compliance involves treating your data with extreme sensitivity, so you should view any related technology with extreme care.

Note that the security of a public cloud architecture has often been described as an asset. For instance, Tripwire wrote that “the Cloud is more secure than on-premise backup, storage, and computing systems” – citing regular audits, controlled access, security knowledge, surveillance, and perimeter defenses. However, a poll by SDxCentral found that, across industry, security and compliance was the primary challenge related to public cloud. With 62 percent of respondents indicating this, it was a higher stress than cost management (46%), lack of performance visibility (44%), and cost predictability (41%).

Since healthcare companies have to be so centrally focused on compliance, particularly with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this concern over cloud compliance deserves special attention. How can you leverage cloud for all its positives without suffering a violation? A few chief concerns should be addressed.

Focus on the BAA.
The US Department of Health and Human Services (HHS), the federal agency that develops and enforces HIPAA regulations, has issued specific guidance related to meeting compliance with cloud systems. This guidance advises that cloud service providers (CSPs) are considered business associates when they generate, receive, send, or store electronic health data, whether they are doing so for a covered entity or a business associate. In fact, HIPAA compliance is necessary even for cloud vendors whose only role is handling personally identifiable health records (the electronic protected health information, or ePHI, of HIPAA) that are encrypted and for which the provider does not hold a key.

Even if a cloud firm does not have any way to access data except in encrypted form (thus meeting the confidentiality requirement), it still must maintain the integrity and availability of the data. As in any other business associate relationship, a business associate agreement (BAA) must be signed by both parties (or a subcontractor BAA, if applicable). Note that the HHS also refers to this document, less commonly, as a business associate contract. The cloud vendor is legally responsible for adhering to the agreement’s provisions. Beyond meeting the BAA’s parameters, the cloud firm also must be HIPAA-compliant itself: ever since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) went into effect in 2013, business associates have been directly responsible for HIPAA compliance.

Know that the data is, in fact, protected health information.
Protected health information (PHI) is the information under the umbrella of HIPAA rules. Encrypted PHI is still PHI. However, if the data is de-identified (whether encrypted or unencrypted), it is not PHI.

Work with a cloud provider that is ready to scale.
With acquisitions on the rise in healthcare, it is particularly important to know that a CSP can expand with you. If an acquisition occurs, the vendor should be able to quickly spin up new servers. Scalability is important because you must have enough resources to meet your demand to comply with HIPAA’s availability requirement.

Create a dual relationship.
In signing a BAA with a CSP, you should be creating a two-part relationship that encompasses both business and technical functions. Permitting a balanced interconnection between different healthcare services and knowing about the covered entity or business associate that is contracting with them (i.e., you) are core elements of a cloud vendor that deserve your attention.

Pay attention to use cases.
Think in terms of use cases when you assess CSPs. Many cloud vendors now have HIPAA-compliant business associate agreements readily available (although certainly not all do). Even among those that have BAAs in place, they are not created equal. You especially must be concerned that the organization can customize to suit your requirements when you're looking for a data backup or disaster recovery service, noted Bill Kleyman. Plus, commitment and expertise related to compliance will vary greatly.

Verify transparency.
You want to have a reasonable view of the cloud firm’s operations and business to assess risk and meet compliance.

Check for HIPAA certification.
Does the CSP have a HIPAA compliance certification from a trusted, credible third party, based on a recent audit? Look over the provider’s implementations and control matrix.

Conduct routine risk assessments.
Do your CSPs conduct routine risk assessments? Risk assessments are fundamental to HIPAA compliance – and they must be ongoing. The HHS is extremely clear on this point. Its language on the frequency of risk assessments is somewhat loose but specific: “Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years), depending on circumstances of their environment,” notes the HHS.

Select the right cloud partners.
Compliance can become especially challenging when you consider your business associates – and cloud providers represent specific risks. By following the above guidance and additional insights provided through the HHS site, you can feel certain that your cloud is healthcare-compliant.

Author’s note: Adnan Raja is the Vice President of Marketing at Atlantic.Net. During his tenure, Atlantic.Net has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally.

Doing the Math: The Value of Healthcare Security Controls

Adnan Raja

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a central concern of US organizations that are in any way involved with the creation, access, processing or storage of sensitive confidential health records – electronic protected health information (ePHI). The Security and Privacy Rules are a particular point of focus since violation of those guidelines often leads to federal fines and settlements; those parameters are covered under Title II of HIPAA.

A newer piece of healthcare legislation is the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. The first act is typically discussed in terms of concern with security and privacy of health records, while the second is generally described as increasing the implementation of digital health records and technologies. However, Subtitle D of HITECH is specifically focused on issues of security and privacy of electronic health data; it achieves this end by modifying and elaborating on those parameters within HIPAA. Essentially, if an organization is HITECH-compliant, that means that they are compliant with the most recent HIPAA security and privacy stipulations contained within the 2013 Omnibus Rule.

HITECH gives professionals a chance to work with an access governance model so that they can better control who does and does not get access to information – particularly for any systems that contain ePHI. When companies do implement some of the lessons they can glean from HITECH into the structure of their organizations, they will see that it costs them less to operate and that they are better able to create more efficient workflow to manage access risk. Both this reduction in the cost of operation and the streamlining of workflow improve the security of the organization while boosting its value.

To consider that specific notion of value from a security system, it helps to look at the return on security investment (ROSI) of a HIPAA compliant system – and we can use the analogy of soccer.

ROI and ROSI—Like Offense and Defense
Return on investment (ROI) and return on security investment (ROSI) initially seem to be almost identical concepts. However, you can start to understand what makes them dissimilar when you think about how you arrive at an ROI figure: add up the gains, subtract the cost and divide the difference by the cost. Immediately it’s clear that this formula will not work for security: you will not typically profit from adding security measures. Instead of focusing on gain, the intent of the ROSI concept is to limit your losses and to protect your organization’s value from that perspective. For that reason, rather than thinking in terms of gain and scoring goals as you would with a soccer team, think in terms of not letting the other team score.

You can figure out how much value is being achieved with your security controls by performing a quantitative risk assessment, as noted by the European Union Agency for Network and Information Security (ENISA). In order to come up with your ROSI number, you need to first look at other data: the ARO, SLEs, ALE and mALE.

Calculating ROSI
The single loss expectancy (SLE) denotes the total cost of a single security incident. The annual rate of occurrence (ARO) is the probability that the incident will take place during a single year. The annual loss expectancy (ALE) is the complete loss from security incidents throughout the year. Finally, the modified ALE (mALE) is the ALE, plus whatever losses are avoided through adoption of the security mechanism – as expressed by the mitigation ratio (the percent of threats the solution is able to counter).

To get the ROSI itself, you want to multiply the ALE by the mitigation ratio (producing the mALE), and then subtract the cost of the security apparatus. Divide that total by the cost of the security plan. The end result is the return on security investment.

In other words, you will get the ROSI figure by adding up your loss reduction numbers, subtracting how much you spent on the security mechanism to achieve that loss reduction, and then dividing by the amount you spent on the protective system. You want the number to be higher for ROI, but you want it to be lower for ROSI.

Problems with ROSI
What exactly is the loss reduction, though? By subtracting the annual loss expectancy once the security system is implemented from the annual loss expectancy prior to its adoption, you get the loss reduction. The issue is that the second figure is not easy to measure accurately, with confidence. The figure often has more to do with suggestions made within individual projections and broader polling than it does with real objective measurement.
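The calculation described in the “Calculating ROSI” section and the loss-reduction definition in the paragraph above, carried through in code. This is an added example, not code from the post or from ENISA; the SLE, ARO, mitigation ratio and control cost are constructed figures, and the break-even and sensitivity helpers are my additions to show how much the result depends on the estimated mitigation ratio, which is the weak point the paragraph above identifies.

```python
"""Worked ROSI calculation using the post's symbols: SLE, ARO, ALE, mALE."""


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected yearly loss before the control is adopted."""
    return sle * aro


def modified_ale(ale: float, mitigation_ratio: float) -> float:
    """mALE as the post computes it: ALE x mitigation ratio, the loss the control avoids."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be a fraction between 0 and 1")
    return ale * mitigation_ratio


def loss_reduction(ale_before: float, ale_after: float) -> float:
    """Loss reduction = ALE before the control minus ALE after it."""
    return ale_before - ale_after


def rosi(ale: float, mitigation_ratio: float, control_cost: float) -> float:
    """ROSI = (ALE x mitigation ratio - cost of control) / cost of control."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (modified_ale(ale, mitigation_ratio) - control_cost) / control_cost


def breakeven_mitigation_ratio(ale: float, control_cost: float) -> float:
    """Mitigation ratio at which ROSI is exactly zero.

    Below this share of avoided loss the control costs more than it saves;
    this is the 'gut check' number a reviewer can sanity-test an estimate against.
    """
    return control_cost / ale


def sensitivity(ale: float, control_cost: float, ratios) -> list:
    """ROSI for a range of assumed mitigation ratios (hypothetical helper)."""
    return [(r, rosi(ale, r, control_cost)) for r in ratios]


# Constructed example figures, not taken from the post.
SLE = 200_000.0          # cost of one incident
ARO = 0.5                # one incident expected every two years
MITIGATION_RATIO = 0.8   # share of expected loss the control is believed to stop
CONTROL_COST = 25_000.0  # yearly cost of the control


if __name__ == "__main__":
    ale = annual_loss_expectancy(SLE, ARO)
    m_ale = modified_ale(ale, MITIGATION_RATIO)
    # ALE after the control is whatever the control does not stop.
    ale_after = ale * (1.0 - MITIGATION_RATIO)
    print(f"ALE before control: {ale:,.0f}")
    print(f"mALE (avoided loss): {m_ale:,.0f}")
    print(f"Loss reduction (ALE before - ALE after): {loss_reduction(ale, ale_after):,.0f}")
    print(f"ROSI: {rosi(ale, MITIGATION_RATIO, CONTROL_COST):.2f}")
    print(f"Break-even mitigation ratio: {breakeven_mitigation_ratio(ale, CONTROL_COST):.2f}")
    for ratio, value in sensitivity(ale, CONTROL_COST, [0.1, 0.25, 0.5, 0.8]):
        print(f"  mitigation ratio {ratio:.2f} -> ROSI {value:+.2f}")
```

With these figures the ALE is 100,000, the control avoids 80,000 of it and the ROSI is 2.2, but the sensitivity sweep shows the same control has a negative ROSI if the true mitigation ratio is under 0.25. Since the mitigation ratio is usually an estimate rather than a measurement, reporting the break-even ratio next to the ROSI makes the assumption visible to whoever signs off on the spend.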

Pete Lindstrom has said that what must be involved when looking at any solution is effectively a “gut check,” asking oneself point-blank if the amount spent on security achieves a loss reduction that justifies the cost.

Beyond ROSI
As you can see, ROSI can be problematic when it is taken too seriously as an absolute. For greater accuracy when determining the value of security, it helps to consider security from several different perspectives and factors when attempting to assign a value to it, as indicated by Steven J. Ross, CISA, CISSP, MBCP. First, there is the notion of a threshold condition for adequacy of security solutions, without which a business could not be sold because its protections do not meet standards of “adequacy.” A higher degree of security would be sufficiency – based on an independent metric that goes beyond the needs of adequacy. Intellectual property should be factored into any estimation of the worth of security solutions, since that asset is being protected. Plus, security should be considered in terms of facilitating sales, since security solutions will often lead to greater revenue.

In the context of healthcare, you want to consider how precious the ePHI is. Because of the various costs related to compliance and general data protection, expenses incurred in a healthcare data breach are diverse, ranging from forensics to breach notifications to lawsuits to lost revenue to lost brand value to post-breach cleanup – and that doesn't even include the federal fine. By implementing industry standards such as those of ISACA, you can systematize your controls and auditing, resulting in security that you and your clients can trust – and that really is holding true as a valuable data defense.

Author’s note: Adnan Raja is the Vice President of Marketing at Atlantic.Net. During his tenure, Atlantic.Net has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally.

Advancing a Symbiotic Relationship Between COBIT, ISO Governance Standards

Judd Hesselroth

As a 2003 CISA recipient and a former honorary secretary of the ISACA Singapore Chapter’s board of directors, I am honored to be selected as the ISACA liaison to the International Organization for Standardization (ISO) Technical Committee 309 – Governance of Organizations.

Having served nearly three years as the chair of the US Technical Advisory Group to ISO Project Committee 278 to help develop, draft and evangelize the ISO 37001 Anti-Bribery Management System Standard, I see this as a wonderful opportunity to not only keep both the ISACA and TC-309 communities informed of significant developments in the world of governance and compliance, but also to help shape and develop newly proposed ISO standards while supporting and strengthening existing ones.

As you may already be aware, TC-309 is focused on standardization in the field of governance relating to aspects of direction, control and accountability of organizations, and is responsible for:

The symbiotic relationship of COBIT and ISO governance and compliance standards, particularly in the realms of data governance, privacy, security in the cloud and the Internet of Things, likely goes without saying. However, having the opportunity to proactively and positively engage, inform, shape and contribute to this relationship with fellow subject matter experts from 40-plus countries is rare, and I thank ISACA for enabling me to participate in this partnership. 

Author’s note: Judd Hesselroth is a Director in Microsoft’s Office of Legal Compliance, where he has focused primarily on anti-corruption programs and ISO 37001 since 2010, and prior to that, internal audit.

Data Analytics Maturity Models and the Control Environment

Angel Serrano

Organizations have recently raised concerns on their data analytics capabilities. There are several motivations for this increased interest in data analytics, such as fulfilling regulatory requirements, increasing efficiency and reducing cost. However, the primary reason is focused on the identification of business opportunities. The most typical questions include:

   • Are we maximizing the value from the data we currently have?
   • Are we missing business opportunities because we do not use our customer data?
   • What is the competition doing?
   • What are the best practices in the market?

It is difficult to answer these questions without a structured model that defines what is “basic” and what is “advanced.” It helps to provide a simple maturity model that is easy to understand.

The maturity levels below show a basic and summarized model based on the current situation in the financial services sector, and are based on what the industry wants to achieve.

  • Level 1: Basic data analytics capability. Systems and applications work in silos, and analysis is performed on individual databases with end-user computing tools (e.g., spreadsheets and Access databases). Only limited analysis can be done at this level because of the limitations of the tools and the data used.
  • Level 2: Specific analytics function. Interaction between systems (e.g., data warehouses or data lakes) and use of data analysis tools that allow integration of different data sets. Analysis can be reused on those systems that combine different data sets. However, there is a gap between the business and its data analytics teams.
  • Level 3: Business intelligence capability. A business intelligence platform (a data visualization layer) is added on top of the previous maturity level. This allows end users to perform their own analysis through dynamic dashboards.
  • Level 4: Predictive analytics (artificial intelligence). Statistical analysis is added to the previous maturity level, allowing the creation of prediction models and algorithms based on parameters or scenarios.

Some organizations want to achieve the best maturity level without having basic controls in place, which can create erroneous results due to the lack of quality in the data used. An appropriate level of control and data governance function is critical for the success of the data analytics function, and helps to progress through the maturity model.

Examples of basic controls that must be in place before progressing to the next level include:

  • Input controls on data entry systems and applications, such as range controls (e.g., age must be between 18 and 100) and checks that reject zeros, blanks, invalid characters, etc.
  • Reconciliations (or equivalent) on interfaces and transfers of data between systems and applications; sometimes control totals on the number of transactions and the total value provide enough comfort.
  • Assurance that calculations performed by applications are correct. Reperform the calculations in an independent environment to confirm they are being performed correctly.
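The three basic controls listed above, implemented over a constructed batch of records. This is an added example, not code from the post or from any particular organization: the record layout, the sample data and the `ID_PATTERN` rule are assumptions chosen to exercise each control, including the case where a dropped record is invisible to a value total but caught by a count total.

```python
import re

# Constructed sample records as they arrive from a source application (not real data).
# Each record carries an id, a customer age and a transaction amount.
SOURCE_RECORDS = [
    {"id": "T001", "age": 34, "amount": 120.50},
    {"id": "T002", "age": 17, "amount": 80.00},   # age below the allowed range
    {"id": "T003", "age": "", "amount": 45.25},   # blank age
    {"id": "T004", "age": 52, "amount": 0},       # zero amount
    {"id": "T00#", "age": 41, "amount": 60.00},   # invalid character in id
]

# The same batch after transfer to a target system; T004 was lost on the interface.
TARGET_RECORDS = [r for r in SOURCE_RECORDS if r["id"] != "T004"]

# Hypothetical id format: upper-case letters and digits only.
ID_PATTERN = re.compile(r"^[A-Z0-9]+$")
AGE_MIN, AGE_MAX = 18, 100


def validate_record(rec: dict) -> list:
    """Input controls for one record; returns the list of control failures (empty = pass)."""
    errors = []
    age = rec.get("age")
    if age in ("", None):
        errors.append("age blank")
    elif not isinstance(age, (int, float)) or not (AGE_MIN <= age <= AGE_MAX):
        errors.append("age out of range")
    amount = rec.get("amount")
    if amount in ("", None):
        errors.append("amount blank")
    elif amount == 0:
        errors.append("amount zero")
    if not ID_PATTERN.match(str(rec.get("id", ""))):
        errors.append("id has invalid characters")
    return errors


def run_input_controls(records: list) -> dict:
    """Map each failing record id to its control failures."""
    return {str(r.get("id")): errs for r in records if (errs := validate_record(r))}


def control_totals(records: list) -> tuple:
    """Reperform the two control totals independently: record count and summed amount."""
    count = len(records)
    total = round(sum(float(r["amount"]) for r in records), 2)
    return count, total


def reconcile(source: list, target: list) -> dict:
    """Reconcile an interface by comparing control totals on both sides.

    Both totals are needed: a record with a zero amount can go missing without
    moving the value total, so the count total is what detects it.
    """
    src_count, src_total = control_totals(source)
    tgt_count, tgt_total = control_totals(target)
    return {
        "count_match": src_count == tgt_count,
        "total_match": src_total == tgt_total,
        "count_diff": src_count - tgt_count,
        "total_diff": round(src_total - tgt_total, 2),
    }


if __name__ == "__main__":
    for rec_id, errs in run_input_controls(SOURCE_RECORDS).items():
        print(f"{rec_id}: {', '.join(errs)}")
    print(reconcile(SOURCE_RECORDS, TARGET_RECORDS))
```

Run stand-alone, the input controls flag four of the five records, and the reconciliation reports that the value totals agree while the record counts differ by one, which is exactly the kind of silent data loss that an analytics layer built on top of uncontrolled feeds would never surface.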

To summarize, the use of data analytics techniques and expertise can increase the value from the data that organizations can obtain. However, it is important to maintain data quality and a management framework to ensure that the data used for the analysis is fit for purpose.

Leveraging UAS Technology: Time is of the Essence

Unmanned aerial system (UAS) technology has the potential to revolutionize a broad cross-section of industries, ranging from media and telecommunications to agriculture and construction. In the future, a forward-leaning regulatory framework will allow businesses of all sizes to leverage this technology to maximize revenue, create efficiencies, and expand the scope of goods and services available to consumers, not to mention deliver hundreds of billions of dollars to the economy. The Small UAV Coalition was founded on the principle that ‘technology always wins,’ and that philosophy is more apropos now than ever before. However, federal regulators determine when businesses, consumers, and our economy can begin to benefit.

In June 2016, the Federal Aviation Administration (FAA) took an important step toward achieving this reality. After a nine-month delay, the FAA released its long-awaited Final Rule for commercial UAS operations (Part 107). The rule, effective 29 August, 2016, expanded opportunities for commercial drone operators and businesses to test and integrate a wider range of commercial UAS applications. While beneficial to industry, Part 107 was merely a small first step. Operators must travel to a designated FAA testing facility to take an Aeronautical Knowledge Test in order to obtain a remote pilot certificate and entities interested in integrating extended operations – including those beyond visual line of sight (BVLOS), at night, over people, and with multiple UAS – are subject to a lengthy and arduous waiver process.

In the six months since Part 107 went into effect, the FAA has granted just over 300 of these waivers, the vast majority of which only allow for highly restricted nighttime operations. These lingering limitations on expanded operations stifle innovation and truncate the vast economic and social benefits possible through widespread integration of UAS technology.

Many companies that utilize UAS technology saw a glimpse of the future when the FAA announced plans to release a notice of proposed rulemaking (NPRM) for operations over people by the end of 2016. This NPRM would open a public comment period that would allow industry, consumers, and government stakeholders to provide input in support of a forward-leaning final rule that embraces innovation, safety and security. With no sign of progress at year’s end, FAA Administrator Michael Huerta publicly acknowledged an indefinite postponement of the NPRM on 6 January.

The promise of a NPRM took another hit in early 2017 when the new US Administration implemented a regulatory freeze and announced intentions to require two regulations to be repealed for every new one that goes into effect in an effort to reduce regulatory burdens on businesses. Let’s celebrate the reduction of redundant or burdensome regulations while recognizing that some regulation provides clarity to industry and actually promotes investment, innovation, and job creation through removing government prohibitions. Huerta’s “steadfast commitment to… ensur[ing] drones can fly over people without sacrificing safety or security” remains a hollow promise to companies eager to integrate operations over people, but stalled by the delay. Even initiatives that face no uncertainty or interagency “miscommunication,” such as digital education tools, consumer information centers/representatives, and an automated and expedited waiver process are in some nebulous queue.

While there are undoubtedly sectors of the economy in dire need of reduced regulatory burdens and less red tape, many rapidly developing sectors of the 21st century economy are at a standstill amidst legal and regulatory uncertainty. Commercial UAS technology is evolving at a pace that has exceeded nascent regulations. The industry needs a forward-leaning, progressive regulatory framework in order to realize the vast economic and social benefits of this transformative technology.

Security issues must never be taken lightly and safety is always paramount, but we can, at the very least, initiate this critical dialogue and have transparency about reasons why we are not. A NPRM would provide an opportunity for industry stakeholders to sit down at the proverbial table and consider all questions and concerns – safety, security, or otherwise – alongside key lawmakers and regulators. Countries around the world continue to adopt progressive UAS regulations and authorize expanded operations, outpacing US progress and our government’s commitment to American innovation. Aggressive pursuit of US leadership in the research, development, production and application of UAS technology is more important than ever – time is of the essence because, as we all know, technology always wins.

Editor’s note: A new ISACA white paper on drone usage and a related checklist can be downloaded at www.isaca.org/drones.

US Executive Order on information sharing: A government security leader’s perspective

Recently, US President Barack Obama signed a new Executive Order to promote cyber security information sharing. As a government security leader and member of ISACA’s Government Relations and Advocacy Committee, I believe that this directive was significant because it demonstrates that government leaders can take bold steps to improve our security posture without an act of Congress. Some may argue that without legislative edicts, the new voluntary information sharing framework lacks the teeth to be successful. But I wholeheartedly disagree. As a longtime voluntary member of the Multistate Information Sharing and Analysis Center (MS-ISAC), I know from firsthand experience the value proposition of being part of an information sharing community, even one that is voluntary. If they build it, people will come, because in today’s threat-laden world, prompt access to actionable intelligence is vital.

So what does the Executive Order do? First, it elegantly expands the existing sector-based ISAC model to include regional and other information sharing constructs. In the order, all information sharing groups are collectively rebranded as Information Sharing and Analysis Organizations (ISAOs). The Executive Order also positions the National Cybersecurity and Communications Integration Center (NCCIC) to serve as the epicenter of ISAO information sharing. And finally, the order requires the adoption of consistent information sharing standards to be used by all ISAOs. Additional details can be found in the FAQ document on the White House website.

The US Department of Homeland Security is now soliciting feedback as it works to build out this new and vital link in our national security ecosystem. I am proud to report that I am one security leader who plans to belly up to the bar to lend my support because the more that we collaborate, the more secure we all will be.

As a member of ISACA, I am interested to hear your thoughts on this very important Executive Order.

Christopher P. Buse, CISA, CISSP, CPA
Chief Information Security Officer, MN IT Services

Addressing IT skills gap at State Audit Institution of Oman

Earlier this year, the ISACA Muscat chapter worked with the State Audit Institution (SAI) of Oman to help address a skills gap within its IT auditing team. After hearing about ISACA’s Certified Information Systems Auditor (CISA) and other certifications from chapter leaders, the SAI decided to sponsor any of its auditors who are interested in taking ISACA certification exams.

Though SAI is responsible for carrying out audits of all Omani government entities, the more than 500 SAI auditors carrying out field audits do not have IT audit qualifications. While they carry out the functional audits, they do not focus on IT audits. Seeing a gap, SAI officials approached our chapter with questions about ISACA’s IT audit qualifications and their potential relevance to the Omani State Audit Institution.

After several meetings in which the chapter president and Government and Regulatory Advocacy (GRA) coordinator and I told SAI officials about ISACA’s certifications and their benefits, SAI decided to encourage its field level auditors to pursue CISA and other ISACA certifications—including Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC)—and to fund the examinations of any SAI auditors interested in taking ISACA exams. The Muscat Chapter also offered to hold CISA training days for them.

CISA recognizes the knowledge and skills of professionals who audit, control, monitor and assess their business’s information technology and systems. When SAI auditors earn the CISA designation, they confirm the knowledge, expertise and value they add to SAI.

We are very happy with the outcome of our work with SAI, and look forward to continuing to partner with them in the future. We found that once SAI officials understood the benefits of ISACA certifications, they were eager to become more involved. I would encourage other chapters to learn from this by being proactive in reaching out to, and meeting with, the audit institution leadership, knowing that ISACA’s offerings can be of immense help.

Mohamed Nayaz
CGEIT/CRISC Director, ISACA Muscat Chapter
GRA Area 1 Committee

ISACA Madrid Chapter’s role in government and regulatory advocacy

Serving as a volunteer on ISACA’s Government and Regulatory Advocacy (GRA) Subcommittee 3 (Europe/Africa) has been a great opportunity for me to meet new people, face new challenges and look for creative ways to use ISACA deliverables and research.

ISACA chapters, as local groups, need to take care of their members and show them the value of membership. One way of providing value to chapter members is through government and regulatory advocacy activities, with objectives such as having ISACA intellectual property (IP) adopted as good practice, making recommendations that help to implement national regulations, or even having ISACA professional certifications become part of those regulations as a requisite or a recommendation for particular activities.

To achieve this, the virtues of ISACA IP and professional certifications have to be known and understood by the right people in the right positions in the regulatory bodies.

In the ISACA Madrid Chapter, we have taken GRA objectives so seriously that the president and vice president are in charge of GRA activities within the chapter. During the last five years, many efforts in this area have provided some positive results, including:

  • ISACA Madrid Chapter is one of the key players in the National Digital Trust Forum, created by the Spanish Ministry of Industry, Energy and Tourism, to take care of the Digital Agenda, leading the work group dedicated to professionals. This work group has proposed a new initiative in the Digital Agenda to foster and improve “trust” professionals (auditors, information security managers, etc.). As a collateral benefit, ISACA is well known in the Ministry in charge of digital “business.”
  • ISACA Madrid Chapter has had the opportunity to make proposals to the recently modified Law for Private Security Services, which includes regulations about information security services for the first time. Regulatory development is under way and the intention is that Certified Information Security Manager (CISM) professionals become, in some way, recognized for these kinds of activities.
  • The Spanish government project to develop a framework for cybersecurity professional certification (in the development phase) has been reoriented to consider third-party certifications, such as ISACA’s CISM and Cybersecurity Nexus (CSX) program.
  • ISACA International President Robert E Stroud was invited to participate as keynote speaker in Cybercamp, the annual cybersecurity event promoted by the Spanish CyberSecurity Institute, INCIBE.
  • An agreement is under way with the Spanish Cyber Defense Unified Command, the unit in charge of cybersecurity defense and attack operations, to participate in its training program and help its members become CISM and Certified in Risk and Information Systems Control (CRISC) certified, and also acquire the appropriate new CSX certification.
  • Recently a collaboration agreement was signed with the Madrid Bar Association to allow the chapter to participate, through this lawyer association, in consultation on new laws and to act as a consultation body for the Spanish regulator.

We are confident that these activities and initiatives will help to assure the continuity of our chapter and even make it more relevant as the government can find continuing collaboration and knowledge through ISACA. As more professionals become certified in the public sector, more people will be willing to ask for ISACA certifications as a necessary condition for assurance roles.

If you or your chapter is considering working on GRA activities, I am more than happy to share my own experience working in this field with you.

Antonio Ramos
Vice President and Past President, ISACA Madrid Chapter
GRA Area 3 Committee

New US Congressional bills are an important milestone for cybersecurity professionals

News over the past year has focused the world’s attention on issues surrounding cybersecurity—notably that cyber attacks emerged as a top technology risk in the World Economic Forum’s Global Risks 2015 report. In April, US President Barack Obama declared cybercrime a national emergency and signed an executive order authorizing new sanctions against individuals and groups deemed responsible for cyberattacks.

The attention resonated with consumers, business leaders and legislators alike.

Mixed together with news of the Sony Corporation breach and other retail hacking occurrences, awareness of the need for increased cybersecurity focus has been at a high level. Now there is even more—but this time the news is about the US House of Representatives passage of two cybersecurity information sharing bills: Protecting Cyber Networks Act (PCNA) and National Cybersecurity Protection Advancement (NCPA) Act.

  • PCNA aims to defend against cyberattacks through the creation of a framework for the voluntary sharing of cyber threat information between private entities and the federal government. Importantly, it includes liability protection for those companies who choose to participate.
  • NCPA is similar to PCNA, with the distinction being that it encourages voluntary information sharing about cyber threats between the private sector and the Department of Homeland Security.

To help cybersecurity professionals understand the importance of these two new acts, ISACA has added a new CSX Special Report to its Cybersecurity Legislation Watch center as part of its Cybersecurity Nexus (CSX). I encourage you to take a look at the report to better understand the two acts and what this new legislation could mean for you in your role and for your enterprise.

For cybersecurity professionals, the implication is crystal clear. The general business community is more aware of the challenges, and those charged with protecting their organizations from attack must be highly aware and trained, including being knowledgeable of evolving legislation such as this.

Keeping current and positioning your organization to best take advantage of the evolving regulatory landscape is of utmost importance in today’s fast-moving cybersecurity environment. This is not a time to be caught flat-footed.

Douglas Rausch, CISSP
President, Aurora CyberSecurity Consultants, Inc.

Integrated compliance frameworks—avoiding common pitfalls to enable success

Organizations today are being burdened with an unprecedented volume of regulatory and compliance requirements, leading to increased operational complexity, challenging production capability and occupying key resources. Integrated compliance frameworks offer a mechanism for these organizations to implement a single enterprise-wide solution that allows them to “control once, comply with many.” While the concept is simple, implementation of these frameworks fails as often as it succeeds due to circumstances that could be prevented with up-front planning and coordination. Below are five basic points to consider before you begin your integrated compliance journey:

  1. Start small, think broadly. It is tempting to try and tackle all compliance requirements across the entire organization in one pass. However, integrated compliance solutions take significant up-front time and effort to succeed. While a solution should be built with an organizational scope in mind, demonstrating incremental successes through smaller pilot efforts will help build support and keep momentum throughout the framework development and roll-out.
  2. Consider the pros and cons of “off-the-shelf” frameworks versus custom built. You will find several solutions in the market that offer “off-the-shelf” integrated compliance frameworks. Careful consideration should be given to how these frameworks fit your organization, the applicability of all regulations/requirements included in the frameworks, and whether your organization truly understands the applicability of specific requirements if dependent on a package solution. On the flip side, while a custom framework can allow increased flexibility in scoping, control design and roll-out, there may also be increased overhead with maintaining a custom solution.
  3. Identify organizational stakeholders. It is critical to identify who the key stakeholders are within compliance, legal, audit, business units and IT, as the success of integrated compliance frameworks depends on the support of all functions that are impacted by the various compliance and regulatory requirements included in the framework. Oftentimes a steering committee made up of key organization representatives can help not only with the initial design of your integrated compliance framework, but also with the successful ongoing support of the program going forward.
  4. Understand the applicability of requirements. Whether attempting to comply with SOX, PCI, HIPAA or other requirements, the effort of scoping each requirement for your organization in detail remains important to the effectiveness of your framework. While the purpose of an integrated compliance framework is to allow one common set of controls to achieve all applicable requirements, that does not mean all controls apply to the entire organization. Understanding and capturing the scope of each applicable requirement is crucial to demonstrating that the appropriate level of control has been applied to the environment while not over-controlling.
  5. Consider the outputs at the start. It is easy to get buried in the details when designing and implementing your integrated compliance framework. Careful thought should be given at the start of your program to define goals, reporting and key metrics that will measure success. Integrated compliance frameworks can help achieve a reduction in controls, improved compliance reporting, a reduction in hours spent on compliance efforts, and improve the ability to strategically address compliance and regulatory remediation efforts. Identifying key outputs for your organization at the start will allow you to design your framework in a way that will help best realize these benefits and be able to effectively communicate them to management.

Implementation of an integrated compliance framework is a complex undertaking that cannot be solved with a quick-fix solution. As is the case with any large project, management can improve the likelihood of a successful implementation through careful planning and consideration of the organization’s objectives and risks to those objectives. Proper consideration of the points above can help you start on your journey to a simplified and integrated compliance landscape.

Nick Blaesing, CISA
Director, Risk Assurance, PricewaterhouseCoopers LLP
