7 Steps to a Highly Effective IT Compliance Program
Documenting internal policies and controls, assigning appropriate compliance management oversight, and ensuring compliance through training are three of the seven steps incorporated into highly effective IT compliance programs.
Vice President of Enterprise Risk & Compliance Management
Forrester Research Inc.
Regulatory compliance pressures are plaguing organizations around the world. Unfortunately, because compliance challenges often affect multiple areas of an organization and can span across different industries, there is no silver-bullet technology package that will bring companies into compliance. In addition, recent corporate disasters and growing government regulatory action have heightened the focus on corporate governance and are driving the centralization of compliance oversight within today's organization. Because most IT functions permeate the organization and its processes, IT compliance is also a process that requires continuous oversight and management.
To meet IT compliance obligations, many companies are looking for a structured approach that allows them to identify and prioritize IT controls and establish a compliance record system. But implementing an IT compliance program that is effective and responds to the dynamic business environment can be challenging. Nevertheless, having a structured approach is a major step toward compliance with different standards and legislation, such as the U.S. Sarbanes-Oxley Act of 2002, the International Organization for Standardization (ISO) 27001 standard, and the European Union (EU) Directive on Data Protection of 1995. To ensure their IT infrastructure is compliant year-round, organizations can incorporate a series of seven steps into existing operations. When combined with a formal risk assessment process and an IT asset management strategy, these seven steps can bring companies one step closer to compliance.
THE 7 STEPS
In 1991, the U.S. Sentencing Commission (USSC) established the Organization Sentencing Guidelines to assist courts in setting fines for organizations and sentences for executives in criminal regulatory cases. The USSC based its model on seven core elements. In 2001, the original USSC guidelines were revised to include Sarbanes-Oxley compliance and sentencing information.
Using the USSC guidelines as a basis, Forrester Research — a technology and market research company that advises organizations about technology's impact on businesses and consumers — extended the seven elements by integrating compliance best practices in large organizations. When examined in detail, however, these seven practices or steps are equally useful in small and mid-size enterprises. The extended guidelines provide a framework around which organizations can structure their IT compliance management programs, as well as information that could help organizations in their compliance efforts with non-US regulations, such as ISO 27001 and the EU Directive on Data Protection. Below is a description of each step and key points organizations need to keep in mind when implementing each of these recommendations.
Step No. 1: Document the Policy and Control Environment
To demonstrate IT compliance, firms must start by identifying how they document the compliance process and their IT control architecture. The overall compliance documentation architecture should be implemented through a control framework, such as the Information Systems Audit and Control Association's Control Objectives for Information and related Technology (CobiT), and should document all corporate IT policies, controls, standards, and procedures that align with compliance objectives and requirements.
The policy and control architecture establishes the compliance foundation upon which the remaining steps are built. Without a proper governance model of policies and controls, organizations may have a hard time overseeing, communicating, monitoring, enforcing, or responding to gaps. It is the policy and control architecture for compliance that provides the framework within which everything else in the IT environment operates. This architecture is unique to each organization, reflecting its culture of control and industry requirements.
After drafting the necessary IT policy and control documentation, organizations need to communicate any relevant documentation clearly to those expected to comply with established policies, procedures, standards, and supporting controls. In addition, companies need to update and maintain all documentation, as well as use an operational control and compliance platform that helps them to manage the complexity of corporate IT policies and compliance controls. This documentation also should include a framework to manage operational risks, define policies and supporting controls to meet risks, conduct control self-assessments to validate IT control implementation and efficiency, and track existing control gaps and incidents within the IT environment.
Step No. 2: Assign Appropriate Compliance Management Oversight
The second element necessary for effective IT compliance is the establishment of appropriate oversight for compliance. In many organizations, the compliance role is divided among different parts of the firm. This results in substantial technology and effort duplication, as well as lack of compliance visibility across the organization.
Effective IT compliance oversight in an organization must achieve the mission and charter of the compliance program. To this end, companies should define IT compliance as a corporate function that has proper authority and governance, as well as create appropriate lines of communication to convey important compliance efforts to all operational areas. The board and executive management team must develop this structure with care and review it at least once per fiscal year for effectiveness. To be successful, organizations should develop a compliance oversight model that:
Step No. 3: Require Personnel Screening and Access Control
Ensuring that the organization is not giving access to information and business processes to an individual likely to exhibit unethical behavior is crucial when establishing an effective IT compliance program. One of the greatest risks that organizations face when trying to enforce compliance with regulations is the internal threat from employees, contractors, and business partners. To ensure that appropriate and authorized access is established across the board, organizations should:
Step No. 4: Ensure Compliance Through Training and Communications
Forrester Research's fourth recommendation is the establishment of effective compliance awareness through active training and communication to employees, contractors, and business partners. To avoid corporate wrongdoing and fraud, as well as to reduce liability, organizations must implement effective compliance training programs that help to promote compliance with regulations and rules of corporate conduct. Characteristics of an effective compliance communication and training program include:
In essence, companies have to ensure that individuals with access to regulated processes and information understand what they need to do to comply with internal and external regulations.
Step No. 5: Implement Regular Monitoring and Auditing of IT Controls
Monitoring and auditing IT controls for efficiency and effectiveness is the fifth step toward establishing an effective IT compliance program. Where the first recommendation focused on documenting controls, this step focuses on the working operation of those controls. The controls that may affect IT compliance, and that therefore need monitoring, vary in type. Some include:
Firms should monitor and audit controls regularly through a manual or automated process, which validates that the control is in place and is operating effectively. When monitoring the management of IT system controls, many organizations prefer automated control monitoring and enforcement to ease the burden of control validation. When controls cannot be automated, organizations should conduct control self-assessments that are facilitated through workflows on compliance management systems. Furthermore, control self-assessments should be augmented by independent verification of audit controls.
Documented controls are meaningless and could become a business liability if they are not implemented or functioning properly. As a result, the role of compliance management is to implement a process for monitoring control implementation and effectiveness. The critical factors an organization must have in place for monitoring and auditing IT controls are:
In addition, organizations need to establish a process that helps them incorporate any recommendations accepted by management regarding the control monitoring process, and implement an escalation procedure that details how to proceed when agreed-upon recommendations are not implemented.
Step No. 6: Enforce the Control Environment Consistently
The sixth step identifies some of the ways effective compliance programs may promote consistent enforcement of policies and controls throughout the company. Consistent enforcement of the control environment allows internal controls to be applied appropriately throughout the organization, its business processes, and its relationships, and ensures that specific control violations are not ignored but are addressed according to policy. The organization’s approach to ensuring consistent enforcement should drive the success of the overall compliance program. It is through consistent enforcement that the organization’s culture of compliance is achieved and that employees understand there will be zero tolerance for unethical and noncompliant behavior.
If management does not consistently enforce controls and discipline unethical and noncompliant behavior, the compliance program will fail. Penalties for noncompliance increase with regulators and the courts when organizations do not exhibit effective governance and enforcement practices. Vital factors for consistent enforcement of the control environment include:
Step No. 7: Prevent and Respond to Incidents and Gaps in IT Controls
An effective IT compliance program prevents and responds to compliance violations and gaps in controls and includes a lessons-learned process to prevent further violations. For instance, identified control deficiencies or incidents should be corrected in an efficient and effective manner. To prevent and respond to IT control incidents, organizations must:
Disregarding control gaps and compliance violations amounts to negligence. Therefore, it is essential that an effective compliance program actively identifies and closes all control gaps, as well as contains or eliminates potential damage or loss to the organization incurred by any violations.
BEYOND THE 7 STEPS
Following the seven guidelines above will help organizations build effective IT compliance programs that improve confidence in business performance. In addition, the seven steps help companies manage operational risks and compliance efforts, as well as measure compliance consistently. To implement the steps, organizations need to make use of policy, approach compliance as a process rather than as individual projects, and consider the use of technology to automate compliance management activities.
Furthermore, organizations need to establish a formal risk assessment process so they can take a more comprehensive approach to information security management. This formal risk assessment process will help organizations expand the effectiveness of the seven recommendations above. After conducting an organizationwide information security risk assessment, companies should implement an information asset management strategy, as well as put into practice a business continuity plan that incorporates IT disaster recovery strategies.
ARCHITECTURE FOR SUSTAINABLE COMPLIANCE
Organizations that do not embrace IT compliance management as a defined business process will approach compliance as fragmented projects. Although this mindset may appear to work for a short time, gaps that can push an organization out of compliance may arise quickly. In fact, one of the 11 control areas mentioned in the ISO 27001 standard is compliance with relevant legislation and regulations that affect the organization's activities. Unfortunately, many organizations don't realize what the consequences of noncompliance are until it's too late: when regulators come asking questions and there is no central person ready to answer them, the organization looks confused and disorganized and receives more scrutiny.
On the other hand, organizations that incorporate the seven steps make effective IT compliance a cost of doing business — not a one-time business event. For these firms, spending money on a compliance program averts far greater expense resulting from losses and penalties. These organizations also establish greater operational control oversight, enabling them to pour more funding into expanding their activities into new areas with confidence. These well-run organizations will contrast sharply with those that remain reactive and tackle compliance problems as isolated and reactionary initiatives. The end game is a culture of IT compliance and controls and a structured approach that demonstrates the business is practicing IT compliance, while managing information security from the most senior level.
Michael Rasmussen is a vice president and analyst in Forrester's IT Management and Services research group. A risk professional with more than 12 years' experience, Rasmussen advises clients around the world on issues pertaining to enterprise risk and compliance management, as well as public policy, legislation, and regulation.