The difficulties of complying with regulations aren’t going away; however, there is vast opportunity for organizations to gain competitive advantage by developing the right information technology infrastructure, policies and processes.
Companies looking to stay off the compliance hot seat should develop a repeatable compliance framework, a centralized control mechanism and a top-down organizational structure to implement compliance procedures across the organization. Doing so can help organizations respond to requirements in a faster, more flexible manner.
Companies that treat compliance as a one-time project, on the other hand, may spend up to 10 times more on IT-related measures than for those who take a proactive and integrated approach, according to research firm Gartner.
As threats of accounting scandals, terrorist attacks and data breaches multiply, the importance of laws such as Sarbanes-Oxley and HIPAA is more apparent than ever. Accordingly, the executive suite is becoming more involved with compliance strategy and is demanding increased oversight.
Despite this increased urgency, however, many companies still tackle compliance only when they need to meet a requirement by a certain deadline or avoid lawsuits. Smart companies see an opportunity to build a service-oriented architecture (SOA) as an IT backbone to assess the effect of compliance on business processes and develop a unified approach to replace manual siloed processes.
Employing a Centralized Control Framework
Rather than addressing individual requirements, leading organizations are looking at a centralized control infrastructure based on SOA to manage critical business processes.
To build this framework, the first challenge is the collection and analysis of compliance data that is captured across different repositories within an organization in a consistent, reliable and predictable manner. This can be exacerbated by the relentless deluge of data.
Organizations then have the difficult task of managing the enormous amounts of data effectively and making sense of the information they have collected over the years. They continue to struggle with locating and governing data, determining its worth, classifying risks and identifying whether they have adequate control measures in place. Further, many companies aren’t sure how to measure progress around these problems.
Not having an adequate method of governing and measuring data puts the organization at risk. For example, to achieve compliance, organizations should be cognizant of the business impact of an IT outage and have real-time data to assess the availability of mission-critical business capabilities.
Having a centralized control framework allows companies to effectively implement policies while providing a linkage to business controls, including controls over financial reporting. It helps protect sensitive information from unauthorized disclosure, safeguards the accuracy and completeness of information, ensures that information and vital IT services are available when required, and provides information and services with a high level of efficiency.
A smart company will ensure controls are in place for identity and access management, as well as configuration and change-management processes; in the absence of such processes, defining and linking compliance processes to IT is incredibly difficult if not impossible.
Additionally, implementing controls helps maximize consistency in processes and performance. A smart company can monitor performance against these controls for both internal knowledge and planning purposes, and also in response to compliance-driven audits. Simply put, a comprehensive automated compliance procedure allows for a continuous and repeatable method for compliance checks. It gives companies the flexibility to quickly adapt to new and changing requirements and at the same time offers the ability to better understand and control business processes.
Implementing compliance initiatives across a multitude of mandates not only helps reduce the cost of compliance, but also enables companies to respond quickly to both internal and external pressures. When a company’s data is treated as an asset, there can be clear benefits such as reduced costs, increased workforce efficiency, effective compliance, reduced risks and increased revenues.
Moreover, establishing centralized control and authorization to the companies’ information and services by establishing an effective service management platform can contribute to a successful compliance framework.
Identity and Access Management
Identity and access management is a vital aspect of compliance. Various audits and enforcement policies to control information access can dramatically increase compliance costs and overheads.
Let’s consider access control as an example. Many organizations today have multiple layers of access control within their network, operating systems, databases and application layers. But the manner in which identity services are managed is often a major vulnerability because companies don’t have sufficient control over access mechanisms.
Most companies struggle to keep tabs on which employees have access to particular applications or data, and when and how they access them. While companies invest heavily in protecting themselves from external factors, such as hackers, they often fail to recognize the internal threat. Therefore, it’s essential to establish an effective identity and access management solution in an SOA environment as part of a larger service management framework.
Mitigating potential risk from those holding the “keys to the kingdom,” so to speak, is a challenge that often goes unnoticed. For instance, an unhappy IT administrator with access to sensitive information can cause serious damage to a company in a variety of ways. Compliance addresses this risk by helping to ensure proper controls are in place to detect and prevent unauthorized changes to the company’s information, network or services. Activities should be monitored at every step to enable authorized control measures, as even your most trusted employees can make mistakes.
Lastly, compliance strategy must be considered from the top down. When lawsuits, audits and compliance requests come in, a cohesive strategy driven by the C level is imperative to have the flexibility to quickly adapt to changing market situations. Also, the technology infrastructure needs to be evaluated to avert the inherent risks and threats to which the company might be exposed.
Three spheres of influence driving compliance are the chief financial officer (CFO), the chief risk officer (CRO) and the CIO. The CFO and the CRO look at the operational metrics of the company to ensure operations are aligned to business goals. The line-of-business managers then determine the tools required for improving internal processes. The CIO aligns IT objectives to business goals and identifies tools and control measures to demonstrate compliance and effective overall IT governance. The chief executive officer is responsible for the overall mandate of corporate governance and ensuring that the organization adheres to the governance process. To apply an appropriate governance structure, management needs to look into the organizations’ compliance policies and procedures, as well as existing organizational support to implement sufficient processes and the people to drive them.
Mounting external scrutiny continues to drive the need for better alignment between the IT function and business strategy. The good news is that overall understanding of technology and security have also continued to improve, making them inherent and critical elements of the overall business function.
It is critical for organizations to understand the big picture and look beyond immediate compliance challenges. Putting the right technology, processes and people in place can not only help keep a smart company off the compliance hot seat, but also provide the flexibility to quickly adapt to changing market conditions and capitalize on new opportunities.
Is your organization prepared to gain competitive advantage around compliance?
Venkat Raghavan, director of information, storage and security, manages security and storage product development for Tivoli Software at IBM. He has more than 11 years of experience in the field of security architecture, compliance, security products, product management and product marketing.