Compliance strategy: Cutting to the chase


Confused and disheartened by the explosion in regulatory hoops your organisation must jump through? Alan Calder points to an easier way.

Even just five years ago, governance and regulatory compliance were not major concerns in the boardroom. Certainly, ensuring that the IT department was up to the job of delivering compliance was peripheral, when compared to what was regarded as its traditional security role of keeping out viruses, hackers and other threats.

Since then, a number of corporate scandals and the resulting legislation have combined to push compliance to the top of the corporate agenda and, with it, the board's expectation that the CIO and the systems can guarantee total compliance.

Staying within the law is only part of the story, however, as business begins to see a real competitive advantage in good governance and compliance. A well-executed information security strategy can help the company position itself ahead of its competitors.

Against the background of an increasingly complex regulatory environment, more organisations are exposed to rapidly mutating, sophisticated threats to their information and information assets.

These threats, which originate more often inside the organisation than outside it, exploit a range of technical vulnerabilities in corporate IT systems as well as loopholes in procedures and the behavioural characteristics of employees.

However, while the regulatory and commercial penalties of failing to secure information and information assets can be severe and value-destroying, regulatory guidance on compliance requirements is still very limited.

Organisations have traditionally responded to regulatory compliance requirements on a law-by-law, or department-by-department basis. That was, last century, a perfectly adequate response. There were relatively few laws, compliance requirements were generally firmly established and well-understood, and the jurisdictions within which businesses operated were well-defined.

Over the past decade, however, all that has changed. Rapid globalisation, increasingly pervasive information technology, the concerns of governments, the nature of western capital markets, and the worries of consumers within an evolving business risk and threat environment have, between them, created a rapidly-growing, worldwide and complex body of laws and regulations.

While global companies are at the forefront of finding effective compliance solutions, every organisation, however small and in whatever industry, is challenged by the same broad range of state, national and international governance and regulatory requirements.

To one extent or another, these requirements all deal with the confidentiality, integrity and availability of electronically-held information, some of which might be held or managed elsewhere within an organisation's supply chain.

The various regulations, which themselves are technology-neutral, describe what must be done, but not how. Organisations have been left to establish for themselves how to meet each of the requirements. What's more, they have to do this in an uncertain compliance environment where the rewards for success don't grab headlines, but the penalties for failure certainly do.

Many of the new laws appear to overlap. Not only is there very little established legal guidance as to just what constitutes compliance, but new laws and regulatory requirements continue to emerge. Increasingly, these laws (such as many of the US state privacy laws) have an apparent geographic reach that extends to organisations located far beyond the immediate jurisdiction of the originating legislative or regulatory body.

Corporate governance requirements are even more important than information-related regulation. Sarbanes-Oxley (SOX), the Combined Code and Basel 2 all require company boards to address risk at both the strategic and operational level, and specifically identify information and technology as areas within which risk must be managed. Internal control frameworks no longer deal only with financial risk. Their objective is the overall control of all risks to the business plan.

Regulatory compliance is seen as part of the internal control environment. Corporate governance requirements depend on the efficacy of an organisation's IT systems and IT general controls providing the control environment within which specific controls operate. In other words, the accuracy of a financial system depends as much on who has access to it as it does on the integrity of the information processing: SOX s404 compliance is impossible without an adequate general control environment.

Network inter-connectivity, remote and mobile working, the importance and value of information up and down the supply chain, and the growing use of outsourced suppliers all create areas of additional information risk. Organisations respond to these risks by requiring suppliers to demonstrate improved governance and compliance performance (for instance, the UK government's e-GIF framework), and more and more, this expectation is written into the procurement process. Companies that are unable to prove they have at least made a start on the implementation of appropriate compliance processes can find themselves precluded from pursuing new business opportunities.

In most instances, there is not yet a body of tested case law and proven compliance methodologies to which organisations can turn in order to calibrate their efforts to comply with all these regulations.

Neither is there technology which, of itself, can make an organisation compliant with any of the data security regulations or governance requirements, because all data security controls consist of a combination of technology, procedure and human behaviour.

In other words, installing a firewall will not protect an organisation if there are no procedures for correctly configuring and maintaining it, or if users habitually bypass it (through, for instance, instant messaging or the deployment of rogue wireless access points).

In the absence of a coherent, comprehensive, risk-based internal control structure, financial auditors are likely to impose one of their own, however inappropriate it might be for the organisation concerned.

Some organisations simply want low-cost compliance, others see competitive advantage in how they address the challenge. Some want to reduce the cost and disruption of multiple compliance initiatives, and want to minimise the impact on customer-focused business operations. Others want to go further, and look for positive business returns – including growing market share – from their investment in closing information loopholes and improving the security of their information systems.

The way to do this, without having to develop their own custom solution through trial and error, is by adopting an externally-validated, best-practice approach – one that provides a single, coherent, multi-layered framework that supports simultaneous compliance with multiple regulatory requirements.

A best-practice IT governance framework should, therefore, support the co-ordination of enterprise compliance and risk mitigation strategies across multiple channels and guide control responses to multiple threats to all sorts of information assets. It should also simplify compliance and free internal resources for value-adding activities.

Critically, as indicated by recent SOX compliance research, compliance is more cost-effective when it is built into business processes, rather than being dependent on expensive, after-the-fact checking. In today's competitive business environment, internal control structures must meet the governance requirements of the organisation's listing jurisdiction, as well as the requirements of data protection, privacy and other regulations applicable to its business sector and the geographic areas within which it operates.

Since the control structure must also deliver tangible business benefits, it has to operate at a meta-regulatory level.

ISO/IEC 17799:2005, ITIL and CobiT are the three most important best-practice IT-related frameworks. While they each have different origins, owners and objectives, they all provide established, recognised, publicly-available and respected best-practice guidance. They are all, clearly, part of a potential best-practice IT approach to regulatory and corporate governance compliance.

The challenge, for many organisations, has been to establish a co-ordinated, integrated framework that draws on all of these standards. The recently released Joint Framework ( uk/page.compliance), put together by the IT Governance Institute (the owners of CobiT) and the Office of Government Commerce (owners of ITIL), has been a significant step in the right direction.

Organisations that decide to use the Joint Framework will have an integrated compliance approach that delivers corporate governance general control objectives and meets the regulatory requirements of data-related and privacy-related regulation. It prepares the organisation for future and emerging regulatory requirements, and is demonstrably a coherent attempt to comply with competing regulations and to meet complex compliance requirements.

Increased standardisation can lead to reduced costs, improved efficiency and increased quality. Because the framework applies cross-company, it reduces vertical silos of expertise and practice, thus improving communication and business effectiveness. The fact that the framework can be deployed relatively quickly (because it avoids much “trial and error” re-inventing of the wheel) can reduce an organisation's dependence on expensive technology experts and proprietary methodologies.

This framework helps organisations to improve their business performance, because it focuses on business processes and builds controls into the process. It enables a broad-based shift from reactive to proactive IT operations as well as enabling the effective external training and qualification of staff, and provides a standard measure of assessing both skills and knowledge.

Most importantly, it demonstrates an organisation's attempt to satisfy the current and developing governance and compliance expectations of its customers and, therefore, puts it in a great position to seize market share from those who make the mistake of taking it less seriously.


Organisations are subject to two different sets of regulations: corporate governance requirements and information-related regulation. Governance regulation includes the US Sarbanes Oxley Act of 2002 (SOX) and the UK Combined Code of Corporate Governance; then there are the SEC, the FSA and Basel 2 rule books.

Information-related regulation is more extensive. EU regulation includes the Data Protection Directive 2000 (US “safe harbour” regulations), the UK Data Protection Act 1998 and the UK Privacy and Electronic Communications Directive 2003. In the UK, there's the Computer Misuse Act; the Copyright, Designs and Patents Act; the Electronic Communications Act; the Regulation of Investigatory Powers Act and the Freedom of Information Act.

US federal organisations must comply with the Federal Information Security Management Act (FISMA). Significant US regulation includes GLBA and HIPAA. California's SB1386, and many individual state-level data security breach laws, have world-wide implications.

Why compliance has become so important

Corporate governance regulation has been a traditional response to insider-led financial market abuse. The UK's Combined Code of Corporate Governance emerged after the BCCI, Polly Peck and Maxwell scandals had rocked public and investor confidence.

It was, however, catastrophic financial failures such as Enron and WorldCom in the early 2000s that triggered the Sarbanes Oxley Act (SOX). Failures, fraud and accounting irregularities elsewhere – such as Parmalat in Italy, Adecco, the National Australia Bank, and Royal Ahold in the Netherlands – led to the adoption of corporate governance codes throughout the OECD after 2002.

Government pressure on institutional investors, driven by worries over long-term pension fund performance, has raised the corporate governance bar – a majority of the largest UK asset managers now factor corporate governance into their investment decisions. While UK governance is on a “comply or explain” basis, SOX is statutory and enforced with stiff penalties for both companies and executives. The global reach of companies subject to SOX is driving their compliance obligations down their international supply chains.

As a result, effective corporate governance has, around the world, become a basic price of entry for companies and institutions that wish to access Western financial and commercial markets.

Information-related regulation, which emerged in parallel with the development of computers and the internet, reflects growing consumer concern about the protection of personal information. Hacker, virus, spyware, spam, identity theft and phishing scare stories in the national press all increase levels of consumer concern. Credit card-related financial fraud led to the emergence of the Payment Card Industry (PCI) standard.

These regulations are also managed differently in the US and UK. HIPAA, GLBA and the various US state breach laws, all of which are actively enforced by career-focused prosecutors or profit-committed class-action lawyers, carry stiff financial and commercial penalties for compliance failure. UK regulation is more light-touch, with under-resourced regulators and over-stretched authorities, and the commercial penalties for failure are not nearly so dramatic – yet.

The joint framework in detail

Aligning CobiT, ITIL and ISO 17799 for Business Benefit was jointly published in late 2005 by the IT Governance Institute and the OGC. It formalises the relationship between CobiT (Control Objectives for Information Technology), ITIL (IT Infrastructure Library) and ISO/IEC 17799, the information security code of practice. Its publication also initiates an ongoing joint work programme, which should lead to further improvements. The key recommendations of this document are:

  • CobiT should be used to provide “an overall control framework based on [generic] IT-process model”, defining what should be done at the governance (high) level;
  • ISO 17799 defines what must be done in terms of information security controls;
  • ITIL is business-focused and describes how IT service management aspects should be handled;
  • ITIL and ISO 17799 are mapped to high-level CobiT process and control objectives;
  • ITIL, CobiT and ISO 17799 projects should be cross-linked and integrated.

While the ISO 17799 component of the joint framework is not as precise as it needs to be, it does provide clear guidance about how the controls of ISO 27001 (the information security management standard that is supported by ISO 17799) can be built into an integrated IT governance control framework. This framework should have, at its heart, the principle that IT should be providing a service to the business – not getting in its way!

The Joint Framework can give organisations the basis for a single, integrated compliance approach that delivers corporate governance general control objectives, meets the regulatory requirements of data-related and privacy-related regulation, and supports preparation for external certification to ISO 27001 and ISO 20000, both of which demonstrate compliance. It prepares the organisation for future and emerging regulatory requirements, and is demonstrably a coherent attempt to comply with competing regulations and to meet complex compliance requirements.