How to Reduce the Burden of Compliance - Part 3

OVERVIEW

In the third and final article from Orthus on using software tools to assist in attaining and maintaining compliance levels, we focus upon the final set of considerations that need to be made when evaluating and selecting compliance tools.
CONTINUOUS COMPLIANCE

Talking about compliance as if it is a 'snapshot' event is now obsolete.
Continuous compliance is what is required, even if the audit event is itself a 'snapshot'.
Continuously exercising, monitoring and measuring compliance levels is needed and, usually, demanded.
Be sure that the system you use is as 'real-time' as you can get, that it is well structured, accurately reflects your organizational structure and controls, and is deployed and used 'continuously'.
It is likely that the finish line will move year on year due to improving standards of best practice, changes in your technology platform, and evolving regulation.
Whereas in the past compliance may have been seen as a one-off exercise, today it is in effect a continuous 'business as usual' activity that must always be high up on the CIO/CISO agenda and performance objectives.
INTELLIGENCE

A compliance system should ideally include features that allow control, section and programme owners to see the impact of not completing update tasks on time.
Look for a solution that integrates with internal messaging systems - particularly email - so that alerts for key tasks approaching completion deadlines can be automated.
Look for a system that can alert individuals to impending non-compliance.
If reports within the document management sub-system have a shelf life of 12 months, then the solution should generate reminders well in advance of the content becoming outdated, with further alerts as the update deadline approaches.
SCALABILITY

A compliance system needs to scale from a single auditor using the tool to a multi-national company with business units in multiple territories - and potentially hundreds of users.
Many compliance programmes start off within one business unit or function and are then rolled out more widely.
Look for a product that will not only scale but can do so both horizontally and vertically within an enterprise.
It should be capable of scaling up as well as across the organization, with the ability to deploy further instances alongside those already in production for business units at the same level within the organization's hierarchy, as well as above them for a holding or group company.
Changes to the context or level at which the solution is used should be simple and easy to effect.
EASE OF USE

Any compliance management solution has to reduce, rather than add to, the complexity of what it is replacing.
In order to be effective a compliance system should be easy to use.
Users these days are very familiar with the browser interface, and web applications tend to scale well too.
Total cost of ownership is reduced on several fronts: there is no thick client software to install, update and support on end-points, and user education and 'how to' questions are minimized.
Because compliance programmes often span multiple countries, look for a solution that has customizable, context-sensitive help features.
CUSTOMIZATION

Look for a solution that is extensible and can be customized.
The system should have the ability to load 'modules' for multiple standards - and be able to de-duplicate effort where overlapping controls exist.
In larger organizations this can result in a significant streamlining of the overall compliance effort and minimize the costly creation of compliance silos in which tasks are often duplicated.
There are several compliance management solutions that come pre-configured for specific standards - most notably BS7799:2005 (ISO/IEC 27001) and PCI DSS.
These solutions are often too restrictive for larger organizations.
The most advanced and well-thought-out systems also provide the ability to create custom controls, allowing company-specific internal standards and policies to be imported.
Once populated, such a solution can meet the regulatory, compliance and legislative needs of an organization exactly.
CROSSING THE FINISH LINE

Prudent modern businesses will always need to minimize costs and add value through innovative technology solutions like virtualization and cloud computing.
However, they will also need to make these changes in a way that manages risk within acceptable boundaries and within the restrictions imposed by relevant regulation.
Compliance activity will be continuous, year on year, with the likelihood that a new finish line is set by either the auditors or the regulators.
Therefore, structuring your compliance programme properly and investing in a compliance management solution will prove to be a shrewd investment that continues to reap benefit in future years.
If organizations follow the advice outlined by Orthus in this article they will go some way to ensuring that they select a fit-for-purpose solution, and some way to answering that tricky 'are we there yet?' question posed by the CEO next time you are lucky enough to share a lift!
We hope that these articles have been helpful in assisting you with solving compliance programme problems and selecting programme management solutions.