Business and IT Compliance Strategy
Presentation Delivered at the Silicon Valley Chapter of ISACA on February 21, 2013

  1. Business and IT Compliance Strategy: A Conceptual Framework
     Allyn McGillicuddy, The Office Of The CIO
  2. Enterprise Compliance Process
     • Is it sufficiently scalable to encompass functions within the enterprise?
     • Is funding for compliance remediation adequate?
     • Is it fully integrated into day-to-day business operations?
     • Does it have the appropriate executive sponsorship/ownership?
     • Has the compliance process achieved a reasonable level of simplicity?
     • Is the program cost appropriate?
     Office of the CIO® © Proprietary 2013
  3. Compliance Process Challenges
     • Compliance management processes are labor-intensive
     • Compliance automation is often fragmented among disparate systems and data structures
     • Organizational agility is evolving too slowly to keep pace with dynamic business and technology demands such as mobile payments
     • These shortcomings cannot be attributed to a lack of either effort or good intentions
  4. Stakeholder View of Compliance?
  5. For Others, It’s Like Taking the DMV Road Test Without the Benefit of a Driver’s Manual…
  6. …Or Like Trying to Get From Point A to B in Ireland Without a Michelin Guide.
  7. Established Frameworks Help To Organize the Process…
     • COBIT
     • ISO/IEC 27002
     • Common Security Framework (CSF)
     • DSCI Security Framework (DSF©)
     • EU Data Security Framework
     • NIST
     • COSO
  8. …But Establishing a Single, Unified Enterprise Strategy That Fits Can Be Daunting.
  9. A Pragmatic Alternative: Distill and Decompose the Process
     • Group major compliance process elements
     • Define core competencies for each process group
     • Set process group competency goals
     • Enable skills focus via division of labor
  10. A Compliance Process Framework
      A reliable and efficient business framework to assess, execute, monitor, and audit enterprise compliance:
      • ASSESS: find gaps
      • EXECUTE: remediate
      • MONITOR: monitor remediation results
      • AUDIT: prove compliance
      (Diagram: the four processes are applied across network, data, access, applications, and threats.)
  11. The ASSESS Process
      • Controlled self-assessment
      • Risk frameworks and scripts
      • Asset inventories
      • Configuration management library/database
      • Business process mapping
      A core goal of this process is to find evidence of compliance controls and of gaps, so that it can be proven which controls do and do not exist.
  12. The EXECUTE Process
      • Actions to remediate the observed gaps
      • Real-time evidence of control mechanisms
      • Evaluate/quantify risk tailored to compliance objectives
      • Tools, such as self-assessment software and scripts
      • Training
      • Programs to support compliance
  13. The MONITOR Process
      • Validate: monitor and measure to validate previous decisions and remedial controls
      • Direct: monitor and measure to set direction for activities in order to meet compliance targets
      • Justify: monitor and measure to justify, with factual evidence or proof, that a course of action is or is not required
      • Intervene: monitor and measure to identify a point of intervention, including subsequent changes and corrective actions
  14. The AUDIT Process
      • Prove compliance: measure and prove the effectiveness of the compliance programs
      • Evidence of policies and their dissemination
      • Evidence repository for assessments
      • Results: evidence of control mechanisms
      • Reports
  15. Process Competence Plan
      • Identify and target improved skills and capabilities for each of the four process groups
      • Establish tactical and strategic goals and plans to close gaps
      • Identify evidence/metrics of target goal achievement
      • Report results and evaluate achievement
      (Diagram: the plan runs as a repeating cycle that starts from assess/measure.)
  16. Process Capability Escalator*
      • Prerequisites: a minimum level of prerequisite items is available to support the process activities
      • Management intent: organizational policy statements and business objectives providing purpose and guidance
      • Process capability: evidence that defined steps are being carried out
      • Internal integration: activities are integrated sufficiently to fulfill the process intent
      • Products: actual output of the process, evidence that relevant products are produced
      • Quality control: review and verification of the process output
      • Management information: adequate and timely information to support management decisions
      • External integration: all process interfaces are identified and understood
      • Validation: external review and validation of the process
      * This is an ITIL capability framework example, with a view toward progressive capability achievement. Other frameworks can be useful.
  17. The Underlying Capability Strategy…
      (Diagram: capability plotted against two axes, efficiency and organization.)
  18. …Achieved Via Managing Defined Process Competency…
      • Rules and policy
      • Tools and inventory
      • Training and programs
      • Process assessment methods and automation
      • Risk identification and management
      • Best-in-breed applications
      (Diagram: the competencies are arranged along the same efficiency and organization axes.)
  19. …And By Integrating Business and IT Compliance Controls
      1. Define “top-down”, broad business processes
      2. Decompose broad processes to identify in-scope business process activities
      3. Map in-scope process activities to compliance policies
      4. Define and integrate business control procedures
      5. Focus IT capabilities on automating required IT controls, automating business controls, assessment, and reporting
  20. Example: Integrated Business - IT Controls
      Business Process: Payer Payment/Deductible/Denial Posting & Reconciliation
      Transaction: Auto-Posting Transaction, processing billing or payment information on a timely basis
      Business Policy 8.5.8: Use of another person’s login to gain access to company systems and network is prohibited. Do not use group, shared, or generic accounts and passwords.
      Compliance Requirement: PCI-DSS-002 Password Control
      Business Compliance Control: Implement Strong Access Control Measures
      IT Compliance Control Policies:
      • 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties
      • 8.4 Encrypt all passwords during transmission and storage on all system components
      • 8.5.4 Immediately revoke access for any terminated users
  21. Defining Business Controls
      1. The business activity is documented as a model comprising:
         • Process activities
         • Governance activities
      2. The compliance policy requires the business process to incorporate governance activities at specific points
      3. The business entity determines the specific integration of the governance activity within the business process
      4. The compliance process grouping:
         • Verifies the presence of the governance activity within the business process, and
         • Documents the evidence of the controls
      (Diagram, billing example: process activities are “establish patient’s account in billing”, “update a patient’s account” and “delete a patient’s billing/accounts receivable records”; the governance activity “Strong access measures in place?” is inserted into the flow, with Y leading to “communicate Ambulatory Payment Classification (APC)” and NO leading to “notify supervisor”.)
  22. Business Processes with Compliance Controls
      (Diagram: three business process flows, each with a “Compliance control?” governance decision inserted.)
      • Eligibility: Determine patient eligibility → Obtain client’s eligibility criteria → Establish eligibility information → Download patient eligibility data → Compliance control? Y → Electronically verify eligibility for payment
      • Reimbursement: Determine type of reimbursement → Calculate amount of reimbursement → Compliance control? Y → Provide payment
      • Pharmaceutical/Medical Management: Formulate a medication treatment plan → Process payment information on a timely basis → Compliance control? Y → Manage medication inventory → Generate report services
  23. Control Point Example: Limit access to billing information via designated payment workstation*
      Control: PCI/P05.01, Limit ability to view/update member’s account to PCI-DSS compliant workstations
      Description: Modify application access to check for PCI-DSS compliant workstation
      Governance decision: Strong access measures in place? YES
      Inputs: Member number, Plan type, Workstation identifier
      Outputs: View/update billing transaction flag
      In-scope roles: Billing Clerk, A/R Supervisor, A/R Specialist, Region Controller
      * Example, for illustration purposes
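The control point on slide 23 is stated as a business rule, but its description ("modify application access to check for PCI-DSS compliant workstation") is an IT control that has to be enforced in the application and evidenced for the AUDIT process. The following is an added example, not code from the presentation or from the Office of the CIO: a Python decision function that takes the slide's inputs (member number, plan type, workstation identifier) together with the requesting user's role, returns the view/update billing transaction flag, and produces one evidence record per request. The denial path follows slide 21's flow, where a "No" at the strong-access check notifies the supervisor. The compliant-workstation inventory, the user and member identifiers, the `mask()` helper, the evidence record layout and the JSON-lines evidence format are all constructed assumptions for this illustration.

```python
"""Added example: enforcing and evidencing control point PCI/P05.01.

Not from the presentation. The compliant-workstation inventory, the user
and member identifiers, and the evidence record layout are constructed for
this illustration; in practice the inventory would come from the
configuration management database built during the ASSESS process.
"""
import datetime
import json
from dataclasses import dataclass
from typing import Optional

CONTROL_ID = "PCI/P05.01"

# Constructed inventory: only workstations assessed as PCI-DSS compliant may
# touch billing data. Membership here is the source of truth, not any flag
# the client sends about itself.
COMPLIANT_WORKSTATIONS = {"WS-BILL-01", "WS-BILL-02", "WS-BILL-03"}

# In-scope roles exactly as listed on the slide.
IN_SCOPE_ROLES = {"Billing Clerk", "A/R Supervisor", "A/R Specialist", "Region Controller"}

ALLOWED_ACTIONS = {"view", "update"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    workstation_id: str
    member_number: str
    plan_type: str
    action: str  # "view" or "update"


@dataclass(frozen=True)
class Decision:
    allowed: bool           # the slide's "view/update billing transaction flag"
    reason: str
    notify_supervisor: bool  # slide 21: a "No" at the strong-access check escalates
    evidence: dict


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so evidence logs hold no usable account data."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def evaluate(req: AccessRequest, now: Optional[datetime.datetime] = None) -> Decision:
    """Apply the control and build its evidence record in one step.

    The first failing check decides the reason, so the AUDIT rollup can
    aggregate denials by cause rather than just counting them.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if req.action not in ALLOWED_ACTIONS:
        allowed, reason = False, "unsupported action"
    elif req.role not in IN_SCOPE_ROLES:
        allowed, reason = False, "role not in scope for billing access"
    elif req.workstation_id not in COMPLIANT_WORKSTATIONS:
        allowed, reason = False, "workstation not PCI-DSS compliant"
    else:
        allowed, reason = True, "in-scope role on compliant workstation"

    evidence = {
        "control_id": CONTROL_ID,
        "timestamp": now.isoformat(),
        "user": req.user,
        "role": req.role,
        "workstation_id": req.workstation_id,
        "member_number": mask(req.member_number),  # never log the full number
        "plan_type": req.plan_type,
        "action": req.action,
        "allowed": allowed,
        "reason": reason,
    }
    return Decision(allowed, reason, notify_supervisor=not allowed, evidence=evidence)


def evidence_line(decision: Decision) -> str:
    """One JSON line per request, suitable for an append-only evidence repository."""
    return json.dumps(decision.evidence, sort_keys=True)


def denial_summary(decisions) -> dict:
    """AUDIT-process rollup: how many requests each control check denied."""
    summary: dict = {}
    for d in decisions:
        if not d.allowed:
            summary[d.reason] = summary.get(d.reason, 0) + 1
    return summary


if __name__ == "__main__":
    # Constructed requests exercising the allow path and both denial paths.
    requests = [
        AccessRequest("jdoe", "Billing Clerk", "WS-BILL-01", "MBR-00123456", "HMO", "view"),
        AccessRequest("jdoe", "Billing Clerk", "WS-LOBBY-07", "MBR-00123456", "HMO", "update"),
        AccessRequest("rroe", "Pharmacist", "WS-BILL-02", "MBR-00987654", "PPO", "view"),
    ]
    decisions = [evaluate(r) for r in requests]
    for d in decisions:
        print(evidence_line(d))
    print(denial_summary(decisions))
```

Two points a practitioner would check before treating this as satisfying the control. First, the workstation identifier is only as strong as its binding: a hostname or a header the client supplies can be spoofed, so the identifier should be derived from something the application can verify (for example a device certificate presented at connection time) rather than trusted as sent. Second, the evidence record deliberately masks the member number; an audit trail that stores full account identifiers becomes another in-scope data store under PCI DSS, which is the opposite of what the control is meant to achieve.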
  24. Steps to Create Business Governance Control Processes
      1. Employ a reference process model
      2. Map reference model processes to actual processes
      3. Identify the in-scope compliance processes
      4. Define and implement the required controls
  25. Integrate the Four Compliance Processes via a Risk-Prioritized Process Foundation
      (Diagram: ASSESS (find gaps), EXECUTE (remediate), MONITOR (monitor remediation results) and AUDIT (prove compliance) all rest on a risk-prioritized process foundation.)
      • Prioritize all process activities based on relative risk
      • Perform quarterly, structured risk recalibration and adjust plans accordingly
  26. Transition Steps/Considerations
      • Establish and leverage compliance process dashboards
        • Dashboards designed for each of the four process groups
        • Map current activities to one or more process groups
        • Appoint enterprise process leaders for each process group
      • Integrated enterprise view of compliance process data
        • Single data view of aggregated compliance-relevant data
        • Enterprise view of compliance risk vectors: external risk and internal risk
  27. Discussion: the Big Picture
      • What’s Missing?
      • What’s Wrong?
      • Anything Right?
      • Thank You!