Managing compliance can seem like managing a menagerie of exotic animals. To the casual observer, each appears to have specialist requirements, but there will be commonalities that enable the zoo to operate efficiently, from feeding routines, to exercise, health checks, safety procedures etc. Similarly, disparate compliance regulations and legislation that may appear completely unrelated, requiring separate management and dedicated resources, can often have elements in common. Identifying these common traits and using them to collectively manage compliance can release resources, decrease spend, reduce complexity and ultimately provide insights that improve the business.
To function effectively and efficiently whilst making pragmatic use of resources, organisations must adhere to standards that promote best practice in security, storage and network configuration. This is where compliance comes in: demonstrating conformity can provide a critical reference for the organisation when bidding for a new contract, show that compliance forms part of a ‘greener ICT’ strategy, and/or make professionalism apparent via quality management. Yet standards can also appear to be bureaucratic, box-ticking exercises that monopolise resources.
Managing disparate standards is set to become even more of a problem as standards multiply and evolve. Companies House is reviewing regulations for the keeping of financial records, with many expecting legislation similar to Sarbanes-Oxley to be brought into force. New iterations of existing standards also routinely emerge, such as ISO27001:2013, a critical compliance element for those wishing to demonstrate diligent data management in the light of new cyber attacks. All the while, the European General Data Protection Regulation (GDPR), due to come into effect by 2016, will call for data breaches to be reported within 24 hours where feasible. Such geographic compliance regulations, together with sector-specific obligations and best practice standards, are creating an ever more restrictive, multi-layered millstone of compliance.
The cost and complexity of compliance has seen some sleek technological solutions to automate the processes involved, using systems to track and report changes and ensure these are compliant, for example. But it’s equally important to address disparate standards strategically and provide board-level visibility of Governance, Risk and Compliance (GRC) so that efficiencies can be realised and steered to deliver measurable return on investment (MROI) to the business.
There is no catch-all solution, however, and many automated systems tend to overlap in their functionality. Some may cover change management at the server level but not at other network elements, such as network domains or network storage, for instance. Without an integrated approach, it can become difficult to effectively manage these systems and retain an overall view of the network. Surveys suggest that only one in ten organisations effectively measures infrastructure compliance, implying that compliance audits are largely carried out in isolation and with very little overall visibility. Such isolationism rapidly increases the potential for system downtime or outages.
An Integrated Management System (IMS) is often used to deliver compliance and certification across the Information Security (ISO27001), Quality (ISO9001) and Environmental (ISO14001) standards, and can and should be tailored to the sector in which the data is used. However, it is common practice for a separate IMS to be set up for each certification, resulting in multiple data silos, a mismatch in process and a resource-intensive approach. Consequently, an IMS can be costly to manage, does not deliver a holistic view of the enterprise and, because of its isolated remit, cannot be used to compare data sets, inform management or feed into the overarching Corporate Risk Strategy.
Multiply them up, and it’s easy to see how these systems can result in the application of inconsistent practices, policies and procedures as each strives to satisfy the requirements of its particular standard. Yet it is possible to rationalise and streamline provisions for compliance. A new approach is emerging dubbed Collective Compliance Management that allows various standards to be supported at the same time, without duplication, enabling the organisation to accommodate change cost effectively and efficiently.
By using PAS99, a world-recognised specification for developing a unified IMS, the complexity of these separate audit and compliance regimes can be reduced by creating a combined management programme for compliance standards which, when combined with a strategic approach that maps the needs of the business, can offer real improvements to how compliance is managed. Using the PAS99 specification as the basis to identify commonalities in each standard, it is possible to create a single unified framework.
Compliance standards often have many aspects in common despite focusing on very different areas and IMS also have commonalities that lend themselves to being managed in an integrated way. For example, there will often be areas of overlap between compliance requirements such as:
– Policy and Procedural Authoring
– Risk Management and Methodology
– Formal management system implementation
– Certification matrices
– Auditing practices
Experienced PAS99 practitioners can apply the specification to map synergies between compliance standards and IMS to more economically manage this information and pool resources. Having identified and unified the shared requirements of these compliance standards it becomes possible to increase efficiency by eliminating duplicate data, reducing resource allocation, and reusing common documentation requirements. It then becomes relatively simple to improve visibility at board level, allowing GRC policies to be informed and executed using a top-down approach. Improvements may include the introduction of controls aligned to departmental or corporate policies, for example, which satisfy internal or external requirements. Policies can be mapped to controls and auditing and reporting requirements fulfilled without duplication. The result is greater efficiency, reduced costs and freed resources, as well as more collaboration, all of which help the business to function more successfully.
Collective Compliance Management provides a real opportunity to get to grips with the business and gain insight into how the organisation functions as a whole. By helping to lower system maintenance costs, reduce training and support, improve consistency and structure, model process and create a transparent enterprise, board level management are able to make better, more informed decisions. It is a longsighted approach and one that requires conviction, but for those who recognise its validity and run with it, the rewards are manifold.
By Louise T. Dunne, Managing Director, Auriga
Prior to founding Auriga, Louise undertook a number of high-profile public sector projects, successfully seeing the UK’s largest organisation through Stage 1 ISO 27001 before going on to conduct information assurance and compliance projects for the Home Office and the RPA.
Louise has extensive governance, risk and compliance knowledge and was previously a member of the Management Committee for the Tiger Penetration Testing Scheme and a Founder Member of the CREST Scheme. She is also a CESG Marketing Management Forum Member, a full IISP member with ITPC status, a BSI BS 25999 Business Continuity Practitioner, Prince2 Practitioner, Management Facilitator, CESG CLAS consultant, a BSI Qualified ISO27001 Lead Auditor, and a Professional Member of the BCS as well as a BCS Qualified Business Process Modeller.
Louise T. Dunne can be contacted at louise.dunne@aurigaconsulting.com.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.