NEMEA Compliance Automation


Published on

NEMEA Compliance Center - the most powerful survey creation, management, and reporting solution available. It intuitively collects responses, writes, and produces standardized regulatory compliance reports. In fact, it even supports the use of many different standards at once. Our compliance software has a fully featured user-interface that lets you rapidly compare the laws and regulations that govern your industry and business.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

NEMEA Compliance Automation

  1. 1. Governance and the Case for Automating the Compliance Cycle Gary Swindon 3/20/2009 This NEMEA whitepaper discusses the relationship between two elements of the governance cycle, compliance and remediation, and the need to automate the cycle in order to achieve continuous compliance by enterprises at all levels. ©Copyright 2009 by NEMEA Security Services LLC all rights reserved.
  2. 2. NEMEA Security Services, LLC White Paper Governance and the Case for Automating the Compliance Cycle Any organization, enterprise or collection of likeminded individuals understands survival at some very basic level; indeed, most conduct their affairs with this notion somewhere in their thinking. Those who aspire to greater achievements as companies or governmental agencies and activities have looked for years for a ‘silver bullet’ to protect and manage their processes, intellectual capital and other assets. Sadly, like so many who refuse to tackle the difficult challenges presented by life; they failed in the quest and will continue to fail because there is no single all encompassing solution to help an organization stand out against their competition. Those who pay even the slightest attention to the changing regulatory landscape should recognize that requirements are increasing and new regulations and standards bring with them new enforcement penalties and other unpleasantness. Even organizations that have been held up to the rest of the world as models of good process management sometimes fail to understand the overarching importance of good governance built on solid compliance, remediation and risk assessment. Nevertheless, what many have overlooked is that even the tone and tenor of the regulations have changed. No longer written as proscriptive lists of do’s and don’ts they seek instead to place the burden for compliance and the related decisions squarely on the shoulders of those who must comply. Over the last twelve years or more, the Federal Government has mandated desired results while moving toward allowing businesses to choose, enforce and document the processes that they adopt. Interestingly enough, the Federal Government in the Executive Branch agencies has chosen to voluntarily adhere to some of these regulations (HIPAA is a good example of voluntary compliance). While Congress changed the method of constructing business regulatory legislation to a focus on outcomes based actions that require a proactive stance on the part of the regulated, they also explicitly recognized the need for regular compliance and risk assessments as the underpinnings of any actions taken to reach compliance. That focus on outcomes represents an excellent first step in the process of achieving the control that is the hallmark of a well governed enterprise. At NEMEA we believe that governance has four core ideas or components, in order of priority they are: compliance, remediation, risk and audit. Each of these components is essential to crafting a complete governance effort (or strategy) on the part of an enterprise and its senior leadership. Although there are some who argue that governance is already practiced by many organizations it is at best a process beset by a lack of relevant current information upon which to base decision making. In every case compliance must come first simply because of the far reaching consequences facing organizations that would like to forget compliance or perform it only on an ‘as needed’ basis. More to the point, failing to understand the compliance posture of the organization and dealing with it proactively is, at worst, a recipe for failed intentions and at best, pure guesswork. Each step in the cycle builds on the previous one; compliance assessments highlight remediation needs, the remediated weaknesses contribute to the overall risk posture of the enterprise and the audit step is used to verify the adequacy and effect of remediation efforts and the compliance program overall. Collectively these steps represent the 2
  3. 3. foundation for making informed business decisions regarding the expenditure of resources and the commitment of the organization to long term, achievable goals. The true power of this governance cycle is outlined in figure 1, below. Figure 1 Governance Cycle NEMEA believes that good governance confers a distinct advantage to those who practice it; their organizations are proactive, compliance activities are ingrained in the day to day processes and unpleasant surprises either in the form of audit results or weaknesses exploited by outside agencies are kept to an absolute minimum. The organization’s senior leadership has the information that they need to make informed decisions concerning the allocation of assets and being able to undertake new initiatives to strengthen the position of the enterprise. Carried to the next logical step, truly well governed organizations with good compliance programs ensure that middle managers and directors also share in the information so that the quality of operating budget decisions can be enhanced in the day to day efforts by the workforce. This idea is as relevant for governmental organizations as it is for business at large because governmental agencies and offices must find better ways to provide services to the 3
  4. 4. constituents that they serve every day. Both need to become more resource efficient; governance can help insure that that goal is achieved. The Current Compliance Landscape All of government and industry is more sensitive to security and compliance concerns, aware of the topic, and to some extent more aware of their posture since the events of September 11, 2001. This is especially true of those organizations that already had an appreciation of the need for sound compliance management as a part of their existing business operations. There are several other factors that contribute to a sharper focus on the need for better information on which to base investment decisions, among them are: regulatory changes, especially those dealing with privacy, the cost of settlements based on violations of regulations and policy, the impact of adverse publicity and press on the basic trust relationship that exists between organizations, their existing customers, and the public in general, and the need for competitive advantage in a given industry or endeavor. Without a solid understanding of the need for compliance and how to manage and fix problems companies are reduced to making potentially costly decisions on little relevant information. Regulatory Changes: in the last 18 months the Federal Government has passed or updated landmark laws dealing with several industries that were already burdened with the need for demonstrating good compliance; the best known and publicized of these are: the major update to the FFIEC (Federal Financial Institutions Examination Council) Examiners Handbook for banks and the Comptroller of the Currency’s update of the Bank Secrecy/Anti Money Laundering rules. A new characteristic of these and probably more laws to come is that the Congress has opened some of the laws to the states to set enforcement standards, (there could be 50 different rules for compliance with GLBA). In addition, there are unexpected requirements such as the mandate levied on industry to create new organizations and force the hiring of new people such as Privacy and Compliance Officers. Congress has unexpectedly extended laws that appeared at first glance to apply to only a part of an industry to that industry’s business partners regardless of the line of business--as found in HIPAA (Health Insurance Portability and Accountability Act). This is not a problem that is unique to industry, however, government agencies at all levels must comply with the likes of FISMA (Federal Information Security Management Act), OMBs POAM (Program Objectives and Milestones) requirements and NIST 800-53 Revision 2. Settlement Costs: the press is replete with stories of companies and government agencies that ignored rules because of the cost or convenience of implementation and then paid many times the cost to settle lawsuits in order to get on with everyday business. Excellent examples come from the Healthcare Industry; Kaiser-Permanente paid several million dollars to settle suits brought for releasing personal health information on patients to a small group of email addresses. The cost of doing it right the first time was less than $30K. Several of the larger care organizations have paid upwards of $10 million to as much as several hundred million dollars to the Federal Government because of sloppy unaudited business practices that would have cost the companies in question almost nothing in comparison to the cost of settlement. The McDonalds Corporation lost a landmark suit to an elderly customer over 4
  5. 5. whether or not it is reasonable to expect coffee to be hot! (The initial award from the jury settlement was more than two million dollars.) On the Federal side, the Veterans Administration permitted a laptop containing the records of millions of Veterans to be stolen; they wound up paying for credit monitoring services for people whose data was suspected of being compromised. The Department of Energy experienced an incident where several disk drives containing nuclear program materials were lost, or misplaced. There are many more examples in all industries; insurance carriers are very aware of the situation and what they pay out every year for their client companies. Client companies are becoming painfully aware of the cost of property and casualty insurance coverage. Costs are so high that virtually every medium to large company is self-insuring for at least some of the risk that they carry in doing business. As mentioned before the concomitant issue is that enterprises including government agencies are making major policy decisions without critical information. Impact of Adverse Publicity and Press: any business or government organization that depends on trust between the customer and the organization to survive is aware of the tremendous potential impact of adverse press on business growth and agency operations. Imagine the consumer experience involved in going to a doctor for whom there was no trust, or a bank, brokerage house, or insurance company under the same conditions. Even organizations that don’t typically consider public trust as having any part in their business due to the nature of what they do are sometimes unpleasantly surprised at the impact. Double-Click almost went out of business because of publicity surrounding the collection and use of consumer healthcare information on the Internet without either the permission from potential targeted individuals, or even the awareness on the part of the public that the information was being gathered. It required a public explanation of business practices, an apology and a posted notice of practices on gathering information and the use of the collected information before Double-Click’s customers or other businesses would continue to buy their products. Medical practices have been driven out of business over adverse publicity, government officials have been replaced, and the collateral effects on businesses like Double-Click’s who didn’t even think about the fact that the public would pressure Double-Click’s customers not to buy are well documented. Competitive Advantage: every business and government agency is aware of their competitive landscape to some extent. Those organizations that are aggressive about their business and products are forced to pay attention to new changes on the part of the competition or competitive forces or face the steady and sometimes rapid eroding of their market share or public trust. Competitive advantage can come from anywhere; IT infrastructure, new product features that make it a de facto standard in its industry, lower cost of operations including selling, the ability to deliver better service, and the ability of the organization to give customers, business partners, and the public a sense of security and the resulting trust that evolves from it are among the most effective. The need to engender trust, especially in their target market segments, is of paramount importance. The ability to have better and timelier information on which to make decisions is critical to the success of any enterprise. The ability to look at Compliance from the standpoint of economic and policy trade-offs with objective information is a competitive advantage of no mean stature. 5
  6. 6. Obstacles to Good Compliance Programs Regardless of the size of the enterprise there are one or more obstacles to achieving a solid, useful compliance program with repeatable processes and metrics. These obstacles come in the form of ‘institutional’ barriers such as the organizational attitude and structure, process barriers such as lack of good program design with proper scope and metrics, to problems with the scope and frequency of outside enforcement. Finally, the dearth of good automated toolsets with which to build sustainable compliance programs limits the efforts and consequent success of organizations for whom a good compliance program is recognized as valuable. Organizational Attitude: a disproportionately large number of organizations whether they are businesses or government agencies pay, at best, lip service to compliance. There is no belief among senior mangers that compliance with any specific set of requirements is worthwhile beyond passing an audit or staying out of the press. A major part of the problem exists in the message and manner in which compliance and security professionals try to gain mindshare with senior management—using the principal message of FUD (Fear, Uncertainty, and Doubt) often delivered in obscure terms. The manner in which they attempt to present the message is immediately called into question because compliance and security professionals can seldom converse with the affected managers using the language of the business or enterprise instead of using the ‘techno-speak’ that is the common lingua franca of the compliance and security organizations. This lack of a common understanding and language between the senior managers and their compliance and security staffs continues to have an immediate and long lasting impact on compliance efforts, namely that most compliance programs were consigned to failure from the outset. Unfortunately, once credibility is lost by the compliance and security staff, it is almost never regained. This lack of a common framework and approach to the importance of having a good compliance program is the quintessential ‘last nail in the coffin’ of meaningful compliance efforts. It should also be noted that if senior management doesn’t believe in the necessity for compliance, then it is highly unlikely that the rest of the organization will pay more that minimal attention to it. Audit Process versus Operational Process (built in compliance): a subset of the organizational attitude is embodied in the pervasive dichotomy between what is provided by the audit function as opposed to having a well established set of compliance aware operational processes. The internal audit function is expected to be able to find and identify problem areas and to issue reports that can then be used to address those findings. This simple idea however, more often than not, is overcome by a variety of impediments such as a lack of available resources, a lack of appropriate tracking mechanisms, and the grandfather of them all-the notion that no sense of urgency is necessary since the auditors won’t be around for at least another year except to do minor spot checking on the progress of remediation. Finally, it is a well documented fact that auditors, whether they are internal or external can only assess a relatively small subset of all of the requirements that a business or government agency must address in order to be considered ‘compliant’. 6
  7. 7. Organizational Structure: the structure and flow of information in an organization or agency frequently contributes to frustrating compliance efforts. If the compliance function itself does not report high enough in the ‘food chain’ few will view it as more than a potential interruption to their daily lives. In addition, if compliance is perceived as a support organization instead of a ‘line’ function, it seldom has the impact that is needed to put lasting programs in place and will compete (usually unsuccessfully) with the likes of the auditors for a place on senior management calendars. Until compliance can be shown to be a business enhancer or multiplier it will be relegated to a position no higher than a ‘necessary evil’. Sadly, compliance functions lack the institutional history that internal auditors or Inspectors General have, they have ‘come to the party late’ and that coupled with a lack of enforcement capability, the compliance organization is solidly behind the organizational power curve. Lack of Good Metrics: ask any management analyst, consultant, or expert what good metrics means to an organization and you will find general agreement that they are critical to the sustainable success of the business or program. They will also agree that it is a rare enterprise indeed that actually has good metrics beyond some well defined financial and perhaps personnel related ones that most everyone agrees on. These existing metrics are the result of years of financial and management practice and have stood the proverbial test of time, meaning that they usually are good indicators of performance. When it comes to compliance efforts no such agreement between experts exists, probably because compliance has almost universally been treated as a potentially expensive afterthought. Vanishingly few enterprises have an established and recognized baseline from which to measure their progress or lack thereof in their compliance efforts. Second, the ability to compare one large data set against another as is represented by compliance surveys etc. is a very difficult and time consuming process even given the potentially great value in such a capability. The organizations that choose to use outside consultants to measure their compliance and risk efforts discover very quickly that the process is very expensive, time consuming, and that the data gets progressively more ‘stale’ as time goes on. It also fosters the notion that compliance should only be measured once a year because it is so expensive and difficult and this perception leads to a corollary outcome; most enterprises lack the ability or willingness to really track the remediation efforts that they undertake in any kind of systematic fashion. The net result is that board members and senior managers continue to be asked to fund major programs and initiatives (including remediation efforts) without the information that they need to make an informed decision. Scope of Enforcement: ironically, regulators sometimes unwittingly contribute to the lack of good compliance efforts because they lack enough resources to do a thorough investigation or they are hampered by their own decisions regarding the scope of the regulatory effort, the timing of the effort or the lack of public exposure to the results of their investigations. It is also true that sometimes the law, rule, or regulation lacks sufficient or appropriate penalties for the lapses uncovered in an investigation. An excellent example of all of the above behaviors is found in HIPAA, (the Health Insurance Portability and Accountability Act of 1996 as amended). Few healthcare organizations truly believe that regulatory efforts on the part of the Federal Government, the States or the penalties associated with the Act are sufficient cause for worry, let alone compliance action or effort. This last is not idle speculation, a study 7
  8. 8. done three years after the implementation dates of the Privacy, Security and Transactions and Codes Sets provisions revealed that one third of all hospitals had undertaken no effort to comply with HIPAA. Lack of Good Toolsets for Compliance Programs: with all of the companies that profess to be in the GRC (Governance, Risk, and Compliance) space one might be tempted to assume that there would be at least a couple of approaches to the problem that would yield good toolsets. To date no one company or two companies has emerged with a solution that appears to be mostly or even widely usable or applicable across many types of organizations such as government and business whether private or public. There are other issues with the toolsets available; some interpret regulations for their customers instead of rendering requirements faithfully, many price each part of the solution in such a way as to make user flexibility nearly impossible, and finally, some are extremely difficult and time consuming to use. Audit versus Compliance Mentality: in order to be successful in building compliance programs that have lasting value to the enterprise the organization must come to grips with the embedded ideas and attitudes surrounding both audit and compliance. The audit program depends upon the attitudes, experience and opinions of the auditor to examine processes, people (employee behavior) and determine and verify conditions and procedures that they are sent to evaluate. A compliance program, on the other hand, relies upon the experience, training, opinions and attitudes of the employees who must perform the everyday work and rely on established business procedures and process in order to achieve the objectives and aims of the enterprise. To put it another way, in an audit situation, the auditor’s opinion matters, not the employees who must stand the audit, whereas compliance measurement relies on the employee or end user experience to measure effectiveness and success not the auditors. While at first glance the foregoing may seem like heresy, both the auditor and the end user have a well defined place in compliance efforts; it is only when the distinction becomes blurred that the organization is headed for trouble. Compliance is best measured by those responsible for the day to day activity of the enterprise. Compliance, Remediation and the Need for Automation If organizations are going to be successfully governed they must have the tools to do the job efficiently and provide assessment information in an on demand environment over time to senior managers. The wide ranging needs are many and in most cases can only be addressed in a highly automated environment. The nine needs areas that follow are illustrative of the environmental requirements that any good compliance and remediation toolset should not just allow but actively facilitate in order to provide long lasting value to the enterprise. 1. The need to dramatically shorten cycle times for compliance assessments: based on experience, the typical manual compliance assessment for one functional area such as IT (Information Technology) in a medium sized organization (10,000 or so employees), often takes between 12 and 16 weeks to complete. Even then, the usual tools are likely to be a combination of spreadsheets, both manual and PC based, and word processing documents. Given this type of cycle time it is small wonder that the 8
  9. 9. pervasive attitude on the part of senior managers everywhere is that this should only be undertaken once a year. As a reference point, in a large organization it can take most of a year to do the same thing. 2. The need to reach affected participants at all levels of the organization: in the case of a small assessment a survey manager might actually know all of the right people to act as participants in a survey; in a large organization it is extremely unlikely that a survey manager knows who the correct participants are across all departments, divisions or offices. Unfortunately, whether the survey manager knows them or not they must still find them in order for the survey to achieve its full value to the organization. The only way that suggests itself is through automation. 3. The need to track changes in the compliance posture over time: in order to determine whether or not remediation efforts, training efforts or other resource intensive activities are being successfully implemented requires the ability to track changes over time. To illustrate the idea in a different way, when a senior manager asks a subordinate ‘what did you do with the money I gave you to fix the problem?’ it would be nice for everyone concerned if the subordinate had a good answer and could prove their point with facts. In order to do this kind of tracking implies another capability—the ability of the organization to assign responsibility for remediation, know what resources are required and where, and when to expect that the desired results will be achieved. 4. The need to establish repeatable results and comparisons: as noted earlier, using outside agencies such as consultants works against an organization trying to determine their long term compliance posture. The expense, the departure of the institutional knowledge when the consultant team leaves, and the fact that the consulting report was rendered as of a point in time with little or no hope of updating it to reflect current changes in the organization, all work against the enterprise. An organization that wants to build long term productive, value added compliance programs must have a stable baseline against which to measure their efforts—and the survey methods, requirements, and reporting should ideally be the same no matter how often or how long the results are rendered or tracked. 5. The need to track responsibility and expenditures of assets to remediate issues: keeping track of who is responsible for fixing identified problems, what they are spending in money and effort, what success they might be achieving, what milestones can be tracked, and when to expect that the effort will be successfully concluded is at the heart of this need. Considering the sheer volume of compliance related information generated by even a modest sized survey, this portion of the toolset must be automated in such a way that information in the form of ‘on demand’ reports can be rendered when and where they are most needed. 6. The need to mimic the actual workflow as closely as possible: any toolset that provides the information an organization needs may have some utility and value to the enterprise. The most useful approach would be one that did not require the user to have to learn a different way of doing business just to make the tool work. As much as possible the survey creation, distribution, analysis and reporting 9
  10. 10. should work in the same stepwise fashion that most individuals use every day when solving problems. If the user can see how things fit together they are much more prone to use the tools to achieve their aims. 7. The need to access and assess requirements or controls quickly: it is no secret that different groups within organizations approach compliance information in different ways. At polar ends of this dichotomy we have auditors who typically deal in controls and assess their robustness, and practitioners who typically deal in requirements and how to implement them. Any toolset must be useable by both groups in order to provide the maximum utility to the organization: this capability helps to insure that there is a common framework or approach for the compliance process and that this process is grounded in common methods of analysis, common reporting, and common sources and structure in Authority Documents. Toolsets that allow the seamless crosswalk from requirements to controls while preserving all of the related data such as which vulnerabilities are being addressed is vital to the success of the compliance process 8. The need to add local authority documents of importance to the organization: simply put, any toolset that supports the compliance cycle must be flexible enough to incorporate locally important sources of standards such as policy and procedure or other requirements important to the successful functioning of the enterprise. Ideally, authoring tools should be available to allow the organization to do their own input or allow an outside party to do the input under the direction of the owning organization. 9. The need to aggregate and analyze large amounts of compliance data: data aggregation and analysis for any medium to large organization is a problem because of the sheer size and volume of information generated. Enterprises need the capability to analyze and report on current information and analyze and compare it to preceding period data in order to assess progress. At a minimum, users should be able to compare surveys created over time whether or not they were identical in their scope. To say it differently, comparisons between data sets should be possible when using an automated toolset and the toolset should know and be able to highlight the differences as well as compare the same types of data. Compliance Process and Automation In order to apply the benefits of automation to address the needs of an organization, the compliance data gathering process must be well documented and clearly understood. What level of process decomposition is required is important because the ideal solution would be to wind up with tools that follow the way people work to the greatest extent possible. One approach would be to list the major components with the absolute minimum of detail necessary in order to obtain a working model that covers the known and anticipated needs of the organization. In the section that follows, the compliance assessment and remediation processes are outlined at a high level and the links to user workflow requirements are explored in the context of automating the essential processes to optimize the value of an automated toolset. 10
  11. 11. The first process is the survey creation and management portion that consists of 5 steps: creating the survey structure or template; choosing the content; distributing the survey; collecting and analyzing the results; and reporting on the results. The survey data collection process depends upon the input of many users who are directly involved in managing these issues on a daily basis. This process is highlighted in figure 2 below. Compliance Steps Creating the Survey Structure: the survey structure determines many things: the type of statistics available for analysis and reporting; the degree of compliance achieved by the organization based on the target survey audience; the graphics used for dashboard reporting; the time for gathering responses; and ideally, the use of workflow items such as automated reminders for the participants. Choosing the Survey Content: the content for the survey should be variable and customizable depending on the needs of the organization; the survey manager should be able to choose a single or multiple authority documents; sections from one or more documents; and single requirements or questions from any document that may be needed. The system should allow the survey manager to choose content from existing authority documents already provided for use or allow the survey manager to create their own specific content to be used in a survey or surveys. Distributing the Survey: there are two basic scenarios to consider when it comes to distributing the survey: in the first scenario, the survey manager would know all of the recipients to whom the survey 11
  12. 12. should be sent; in the second scenario, the survey manager cannot possibly know all of the proper recipients due to the size of the organization, vendor partners who may need to participate etc. In either case, the distribution should be as automated and direct as possible. Collecting and Analyzing the Results: the basic data analysis of the output provided by the survey respondents should be automated and automatic and provide both summary and detail information as a result of the survey. Further, the data itself should not be editable by the survey manager or the respondents and any and all attached documentation submitted by the respondents should also be carried forward as a part the output of this process. Reporting on the Results: the survey output reports should faithfully reflect the data analysis and be customizable and editable by the survey manager based on the needs of their particular organization. This should include the ability to attach documents and comments provided by the survey respondents in answer to the questions concerning the requirements covered. Remediation Process and Automation The base process that governs remediation activities consists of 4 steps: identifying the weaknesses to be addressed as reported in the survey; assigning responsibility for remediation; determining the resources and milestones; and reporting on progress. Unlike the survey process, the remediation process depends on the management of an organization to determine what will be undertaken. This process is outlined in the figure below (figure 3). 12
  13. 13. Remediation Steps Identifying the Weaknesses to be Remediated: weaknesses identified for remediation should consist of vulnerabilities, controls or both depending on the size and the needs of the organization. For example; a small organization may wish only to address a global vulnerability such as ‘Policy & Procedure’, while a larger organization may have a need to address the underlying controls as part of the remediation process. For example, the vulnerability ‘access controls’ may have several uniquely identified controls as part of the vulnerability such as ‘password length’, ‘strong passwords’, ‘password expiration’, etc. The second aspect of this process is that of determining which weaknesses to remediate based on organizational needs such as resource constraints. Assigning Responsibility for Remediation: a system should allow assigning responsibility based on individuals or members of a team that each has a particular control or controls to remediate as part of addressing a larger vulnerability. This assignment should be editable so that as old points of contact move on to other duties or responsibilities a new person or persons can be assigned to see the project through to a successful conclusion. Determining the Resources and Milestones: for any assigned responsibility, whether or not it is a single or multiple vulnerabilities, or the underlying control or related controls, the assigned point of contact should be able to determine and record the major resource and milestone requirements and allow other team members to add their input as it becomes appropriate. 13
  14. 14. Reporting on Progress: the remediation point of contact should be able to report on a continuing basis what progress is being made, what additional resources or time might be needed and allow those with subordinate responsibilities to add their input as well. The survey manager should be able to obtain on demand reports on any or all of the remediation efforts and be able to perform comparisons from a baseline survey to the next survey in any or all of the areas to highlight progress or the lack of it. Second, the survey manager should be able to compare multiple surveys to each other even when the content may not be identical; in other words, surveys with any overlap at all in their design or focus should be able to be compared on the items common to other surveys of interest. The Compliance Cycle and Automation In order to derive the most usability and value for adopting a continuous compliance cycle, the software platform should be designed to follow normal workflow or problem solving steps while providing as much flexibility as possible in the selection, management, and use of the tools features and functions. The software architecture should embody current technology, simplicity of maintenance and enhancement, scalability on demand and a robust data export capability in order to protect the client or user, as well as, the developer’s investment. Other hallmarks of the architecture should include maximizing data handling to include the seamless addition of external related documentation and information, extensive on demand reporting, both ad hoc and templated, and a robust security model that exists at all of the necessary levels in the hosted environment. The security model should incorporate features to protect the user, the environment and the data in such a way that the user doesn’t have to think about how to ensure security, but rather how to use the software tools to achieve their compliance assessment and remediation goals. In short, the security features taken together should be as transparent as possible consistent with a highly secure environment and not get in the way of doing the work that needs to be done. Finally, the software should require the least amount of physical and logical assets in order to be used: with this in mind, NEMEA chose to implement the toolsets as a Software as a Service (SaaS) offering. The survey manager needs only to have a browser and email capability in order to access and use the NEMEA solutions; respondents need the same internet and email connection capability. The NEMEA solution to automating the compliance cycle consists of two related toolsets, Compliance Center and Remediation Center, that follow the architectural principles outlined above. Compliance Center automates the compliance survey management process and follows the cycle in figure 2 while allowing the maximum control by the survey manager over creation, content, distribution, analysis and reporting of survey information. The survey manager can create a survey template rapidly and populate the survey with known requirements that define what is being assessed and with a high degree of probability, distribute the survey to the appropriate respondents even when the survey manager does not know who they are. Remediation Center automates the remediation assignment and tracking process outlined in figure 3. In addition, Remediation Center can use any survey, current or not, to automatically pre-populate vulnerability or control weaknesses identified in the subject survey and allows for assigning both the vulnerability and the related controls dynamically if an organization so 14
  15. 15. chooses. It also allows the survey manager to assign a point of contact for remediating selected weaknesses, identify resources needed to correct the problem, allow selected individuals to establish and modify milestones and identify and link any other external or internal assessment such as an audit to the tracking system. The toolset also allows the survey manager to compare surveys to an existing baseline survey even if the controls and vulnerabilities in the surveys being compared do not exactly duplicate one another. In cases where two or more surveys are compared to a baseline survey, the system automatically compares the areas that can yield relevant information and ignores the balance. These two toolsets are the first of a series of complimentary products that NEMEA intends to offer to potential clients. From an architectural perspective, NEMEA chose to develop the toolsets using web standards including AJAX. This is implemented using .NET and SQL running under a Microsoft operating system (OS) in a clustered configuration. NEMEA code follows web standards for development and does not allow the use of potentially insecure technologies such as Active-X or Java. The NEMEA infrastructure is redundant at all levels; data center, server, communications and networking, and data storage. In addition, the appropriate use of load balancing, IDS/IPS and other monitoring tools help to insure the security of information at all times. NEMEA does not allow unencrypted access to the network or toolsets and ensures logical segregation and separation between clients using the NEMEA SaaS tools. The NEMEA solution to automating the compliance and remediation cycle is robust, cost effective and secure while meeting the needs of organizations that are serious about compliance. NEMEAs products directly address the most pressing issues that organizations face in trying to build effective and enduring compliance, remediation and governance programs while giving users complete control over their information. Using the NEMEA solution reduces the compliance cycle time by a minimum of 70% while reducing the overall costs associated with assessment and remediation by more than 50%. Clearly, the NEMEA product set can help virtually any organization, business or government agency establish and maintain control over their governance processes through the provision of timely information for sound decision making. 15
  16. 16. About NEMEA NEMEA Security Services provides on-demand software solutions for enterprise-wide governance, risk management, and compliance (GRC) that empower security-sensitive organizations to sustain a compliance environment, limit risk without sacrificing business effectiveness, enhance shareholder value, and improve corporate integrity by advancing GRC initiatives. An industry thought-leader in understanding compliance standards, frameworks, and regulations, NEMEA understands the benefits to be gained and the challenges that may be encountered in managing enterprise-wide GRC initiatives on an on-going basis. NEMEA knows what is needed to operate efficiently and effectively in a highly regulated business environment and firmly believes that organizations should be free to focus on what they do best – managing their business and compliance, risk, and audit initiatives without the encumbrances of implementing and maintaining rigid and complex proprietary software solutions that require extensive customizations. It’s for these reasons that NEMEA created a portfolio of innovative and intuitive web-based software tools modeled on the way businesses actually work. NEMEA's automated toolsets allow powerful collaboration across all departments, leading to better business decisions, lower costs, and empowered management. Because the tools are built to suit unique business needs, organizations in regulated industries can be confident that they can address their compliance requirements in a way that best fits their environment and reap the benefits of effective governance, risk, and compliance management. What Sets NEMEA Apart Recognizing early on the advantages inherent in the “Software as a Service” (SaaS) delivery model as a more cost-effective alternative for enterprises to achieve their business objectives, NEMEA is not so much a software developer as it is a process integrator, freeing itself to focus on bringing solutions that integrate GRC processes that are sustainable, reliable, efficient, and transparent to market. NEMEA’s deep industry knowledge is gained from over 50 years of experience in designing risk management programs, defining information security policies and processes, conducting security audits, and defining GRC processes for diverse organizations in industries ranging from financial services, healthcare, and manufacturing to internet services, the US military, and federal agencies. NEMEA COMPLIANCE Center® is a compliance solution featuring a full suite of tools to create and manage compliance surveys, collect and analyze results, create standard or custom reports, and tackle essential remediation efforts. Its fully-featured user interface lets management rapidly compare the laws and regulations pertinent to their industry and business and supports the use of numerous standards simultaneously. NEMEA REMEDIATION Center® is based on a simple and elegant concept – identify the issues to be resolved; determine the milestones, resources, and participants who will perform the work; and track the progress in a live reporting environment. REMEDIATION CENTER provides the ability to remediate issues discovered during the use of COMPLIANCE CENTER that are considered to be immediately unacceptable to the organization – and to make these remediation decisions on the basis of actual and projected losses. 16
  17. 17. Committed to Your Success NEMEA's product offerings are constantly being upgraded and expanded to meet the needs of the most demanding governance program. To that end, NEMEA is developing two new products: NEMEA RISK Center® and NEMEA AUDIT Center®. NEMEA RISK Center® is designed to help organizations understand and manage risk. Making informed decisions about risk and its potential impact on business and performance is critical. RISK Center features tools to construct a risk profile that supports business efforts; align risk perspectives across all departments; organize risk mitigation strategies; assess current requirements, capabilities, and vulnerabilities; monitor the risk management processes; and establish links between compliance and risk. NEMEA AUDIT Center® is an automated, on-demand software tool designed to streamline the auditing process. AUDIT Center provides the ability to shorten audit cycle time, gain control of compliance efforts, reduce costs and time to implement changes, shorten the compliance survey cycle time, and enhance reporting to the board. Highest Levels of Availability, Reliability and Security NEMEA is committed to providing the highest levels of availability, reliability, and security. To this end, NEMEA partnered with Equinix to establish two data centers, both managed and operated through a contractual arrangement with Equinix data centers and mindSHIFT data center services. These Equinix facilities, located in the mid-Atlantic and mid-West, provide a secure platform for the reliable deployment of NEMEA’s GRC applications as well as the highest level of physical security, power availability, and infrastructure flexibility. Because NEMEA understands that security requires constant vigilance, it engaged mindSHIFT to provide technology peace of mind by delivering premier IT infrastructure 17