The world around us is changing rapidly, and it is hard to stay on top of it all and be successful at the same time while respecting compliance rules, a challenge we are all facing. This webinar is a ramp-up and awareness session on Corporate Compliance Strategy.
4. Our deep-dive today
Let's go ...
o Awareness: Understanding Compliance
o Compliance Jungle: What's out there
o Where do we go from here? And what's our objective?
o Brilliant Demo: AvePoint's Compliance Guardian
8. Definition of Governance
“Governance is the set of policies, roles, responsibilities, and processes that guides, directs, and controls how an organization’s business divisions and I.T. teams cooperate to achieve business goals.”
- Microsoft
9. What about Compliance?
Critical Data (things we need or create): Personal Data, Sensitive Data, Intellectual Property
Things we’re told to do by: Regulatory, Contractual, Legal, Industry standards
Governance Magic: set of policies, roles, responsibilities, and processes
Tools: to help us protect our assets
Added together: Compliance means incorporating standards that conform to specific requirements
10. FROM THIS MOMENT ON COMPLIANCE IS COOL, SERIOUS AND ADAPTS AT BUSINESS SPEED
11. Why start taking compliance seriously after you feel the pain?
o 64% of data breaches are tied to human error or outdated systems.
o € 301M: last year’s financial loss for not having control of the situation in western Europe alone.
o 11% have some sort of Governance, Risk or Compliance process in place, but none have any idea where the gaps are.
o 56% of organizations are hacked or have information stolen without realizing it.
o 73% of organizations are unaware of the type of information they’re producing and its value.
12. Preventing is always better
o Reputational damage
o Penalties and fines
o Data breaches
Most threats come from the inside
15. Challenges organizations face: Compliance Audits, Security, No visibility, Manual Process
o The information produced is growing too fast.
o Rapid change or expansion of rules and regulations.
o Failed before or will fail when an audit is held.
o Problems with reporting.
o Limited staff and resources.
o Don’t know what other business processes are doing or what’s important to them.
o No alerting when information has expired or needs to be reviewed.
o No idea of the type of information and its value.
o No security or encryption to protect data.
o Physical information visible to non-employees.
o Permission and security model is a mess or unclear.
o No warning or alert mechanism.
16. Drivers, Motivators and Benefits
INCREASE SECURITY
NECESSITY FOR INDUSTRY CERTIFICATION
VISIBILITY ON INFORMATION STREAMS
ABILITY TO BE PRO-ACTIVE
SUPPORT BUSINESS PROCESSES
17. Collaboration with confidence
It’s a balancing act and a trade-off at the same time:
Transparency, Collaboration, Data Protection, Data Management
23. Information must be accessible and available to the people who should have access to it and protected from the people who should not!
24. HIPAA
Health Insurance Portability and Accountability Act
A few key criteria
o Data encryption
o Information can never be lost
o Only accessible to authorized people
Industry focus
Pharmaceuticals / Health Care / Insurance
Summary
Regulations protecting the privacy and security of certain health information
25. PCI DSS
Payment Card Industry Data Security Standard
A few key criteria
o Build and maintain a secure network
o Encrypt transmissions
o Strong access control measures
o Track and monitor all access
Industry focus
Finance / Retail or any industry which is involved in some sort of financial transaction
Summary
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
26. SOX
Public Company Accounting Reform and Investor Protection Act
Industry focus
Every organisation which wants to be listed on the US stock exchange or do business with the US government
Summary
In a nutshell it comes down to “Corporate Accountability and Responsibility”. You know what’s going on in the organization and have complete control and overview at all times. This includes financials, products and services.
27. 21 CFR Part 11
Electronic Records, Electronic Signatures, Scope and Application
Industry focus
All industries which have to have some sort of quality control and trace system in place
Summary
FDA Part 11 specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted. Its primary benefit is to assure quality and performance of the systems deployed to manage any cGxP process.
28. NEW TREND OR RISK FOR THE FUTURE
DIGITAL TRANSFORMATION: IN ORDER TO STAY AHEAD OF THE GAME
CUSTOMER ENGAGEMENT / SERVICES
COMPLIANCE NEEDS TO BECOME A SERVICE PARTNER
ALIGN WITH THE BUSINESS AND PROTECT COMPANIES’ ASSETS
MAKE IT MORE CUSTOMER-FOCUSED
31. Where do we go from here? And what’s our objective?
32. How to keep a grip on the situation
Compliance Life-cycle: Prevent, Detect, Track, Respond and Resolve
o Know what to prevent
o Know from what to prevent it
o Know why to prevent it
o Security policies
o Rights Management Policies
o Separation of duties
o Four-eyes checks
o Secure and encrypted access
o Classification by metadata
o Content ID
o Image recognition
o QR or Barcodes
o Scan for keywords or phrases
o Custom triggers and rules
o Direct Lock or Quarantine
o Alert and notifications
o Real-time scanning
o Gain understanding and insights, compliance dashboards
o Automation of Reports
o Monitoring and Notifying
o Use metrics that make sense
33. Compliance recipe
High-level focus where to start
1. Positioning
2. Preparation
3. Identification of information and its value
4. Our Standards and Regulations
5. Match the similarities
6. Turn it into a daily process
7. Automated tooling
35. 2. Preparation
Those who fail to prepare should prepare to fail
Define your compliance goals, set a vision
o Tighter Security
o Efficient collaboration with partners
o Transparency
o Industry Certification
Understand Criteria and Benchmarks
o How do I know if I’m compliant?
o What does the information tell me?
o How can I use it to support business activities?
Gather your team of experts
o From within and outside the company (Legal, HR, IT, etc.)
o Know what they are doing and what’s important to them.
Commitment and Authority
o If the driver holds the keys, they drive and not the owner or passengers
o Management Commitment and Signoff
36. 3. Identification of information and its value
Identify the type of data your organization produces
o What’s the value to the user and the company?
o What product, process or service depends on it?
Accuracy
o Check if the information is still accurate and reliable.
o Are we all working with the same version?
o When was it last checked?
Automatic tooling
o Use the right tools in conjunction with the existing infrastructure to enforce and control policies.
o Guide people through a process to reduce mistakes.
o Classification and auto tagging
37. 4. Our Standards and Regulations
They are all different
Identification
o Summarize all the regulations you need to be compliant with.
o Figure out the similarities.
o Find out your company’s strong points and weaknesses.
Industry overlap
o The term industry is really broad. If you’re an airline and clients can book tickets directly, you also need to be compliant with certain financial regulations.
Country
o Regulations are derived from each other but might be stricter depending on your country, your supplier or your client’s location.
Industry Certification
o Do you need to be certified in a specific field?
o Do the industry certifications differ per country?
38. 5. Match the similarities
(Diagram: Regulation Type B / Country A, Regulation Type A / Country B, Regulation Type A / Country A)
o Prioritize, which one is most important
o Overlaps with which product or service
o Who’s responsible for what
o What are quick wins
o Categorize them by
39. 6. Turn it into a daily process
Everyone is responsible so get them involved
How compliant are you?
o Analyze and fill in the gaps to improve.
Monitor
o Monitor regulation changes
o Monitor business needs
o Align with company vision and strategy
Reporting
o Build useful reports
o Build compliance dashboards for live changes (Power BI)
o Know what information you produce and who uses it.
o Where is it stored now?
Activities
o Report the right information to the right people
o Delegate tasks
o Compliance and protecting your organization’s assets is a team effort
40. How do you know if your compliance is going the right way?
Constant monitoring and reporting is key
(Chart: Not yet compliant vs. Compliant to criteria ABC, 63% / 37%)
o Define the different reports you need for the regulations
o Define your criteria on what you need to report
o Create compliance dashboards (Power BI)
o Know who’s responsible for the part of the business process and delegate the task
41. 7. Automated tooling
Identify the capabilities of the tools within your existing software portfolio, what they can do and how they can help you on your compliance journey. Analyse the gaps.
(Word cloud: User Repository, Workflow, Full fidelity Data Protection and Recovery, Audit trailing, Logging, Separation of Duties, Notification, Identity and Access Management, Authentication mechanism, Azure Intune, Bring Your Own Device, Alerts, Azure Rights Management, SAP, Mobile and Mobility, PowerShell, Social Media, eDiscovery and Vault mechanisms, Hardware Appliances, OneDrive, Skype for Business, Data Loss Prevention, SharePoint, Office 365, Exchange)
42. AvePoint, filling the gaps
SharePoint, Office 365, Yammer, File shares and more
Prevent, Detect, Track, Respond and Resolve
o Governance Automation
o Compliance Reports
o Administrator
o Compliance Guardian
o Vault
o eDiscovery
o Compliance Reports
o Administrator
o Compliance Guardian
o eDiscovery
o Compliance Reports
45. Key takeaway summary
o Align with business needs
o Balance and trade-offs
o Don’t wait
o Know your organization’s values and importance
o Keep it simple
o Compliance is broader, look further than the tip of your nose
46. Now it’s your turn to become compliant!
If you need some help we’re just a few mouse clicks away....
Questions and Feedback are highly appreciated
Not a big talker? Just send us an email
roberto.delgado@avepoint.com
maarten.boonen@ctp.com
Thank you for your interest
53. Compliance Guardian Online, AvePoint cloud service
Editor's Notes
My name is Maarten BOONEN from Cambridge Technology Partners and we help our clients with the most complicated technical and business issues they’re facing.
Even if some situations look nearly impossible we match up the right industry professional to provide a solution that’s successful.
Let’s start with something positive
Nothing wrong with rules if they are clear.
Only why do we always associate these kinds of processes with an authority?
I say we need to look at governance as a service by changing our mindset.
If we’re guided through all the processes and policies there will be less room for mistakes instead of telling us what we’re NOT allowed to do. Think about buying something on Amazon. It’s a 3 step process and done. They will not tell you that if you don’t fill out an address they won’t sell to you!
That’s a mouthful, let’s simplify this.
It basically means that we do things according to specific standards and we have tools and processes in-place to protect and guide us.
Knowing what you have and understanding the risk is half the battle.
You need a 100% score to be compliant for an audit and not 99%
With the same information we gather to protect our assets we can also support business processes and be pro-active.
The problem with compliance is you can’t be too strict or too loose
These standards can be Recommended or Mandatory depending on the process.
For instance you can gather information on patients but you cannot share it with others if it can be related to an individual.
Some types of information will make it harder on people to get treatment or insurance if it’s related to a person.
The act also determines what can and cannot be shared by health care providers. For example, according to HIPAA, professionals can share confidential information if a life or lives are in danger.
Classification is very important here to make sure who has access to the right information and who not.
Quality Control Systems
Product Catalogs, Parts and Substances
Maintenance and Production Logs
Distribution Logs
Test and Audit report systems (criteria)
cGxP - Current Good X Practice (FDA compliance; X can mean: Clinical, Laboratory, Manufacturing, Pharmaceutical)
Align with the business, protect the company’s assets
Transform the client relationship
Preventive measures are about bricking up and building a wall but the opponent will always bring a higher ladder.
Detecting is about setting up checkpoints and security policies to find out what you have inside the organization which might be sensitive information which needs to be protected.
Tracking is about knowing who’s doing what with the information and are they allowed to?
Respond and Resolve can be done pro-actively or due to real-time scanning.
Compliance goes beyond SharePoint
Most tooling will help you in the PREVENT or REPORT phase. One of the real hard tasks is the IDENTIFICATION and CLASSIFICATION part. Knowing what you have and REAL-TIME protection. With AZURE RIGHTS MANAGEMENT you can come a long way.
Every compliance officer on the planet’s dream is to have a tool that will do the heavy lifting. DOES IT EXIST?