Don't sit around waiting for the next piece of legislation. It's better to be adaptable and make general compliance your aim. Rob Buckley reports.
No industry or organisation in the country is untouched by compliance. Whether it's employment law, data protection or more notorious pieces of legislation, such as Sarbanes-Oxley, the way companies and their employees behave and conduct business is under ever greater scrutiny. It's no longer enough just to say that everything is being done correctly - now you have to prove it.
How organisations do this varies, as you might expect. Some bury their collective heads in the sand, but others are facing facts and are at least looking at their compliance responsibilities. Some are even buying information technology in an effort to make themselves compliant.
However, as almost every consultant will tell you, compliance is more about process than anything else - technology, if it comes into play at all, comes much, much later. "Compliance, almost by definition, is about process. Technology just automates the process," says Steven Cox, principal consultant at CA.
So, from the outset, the first step for any organisation is simply finding out what they have to do to be compliant and what they need to be compliant with. Most pieces of compliance legislation talk about "protection of end-user data" and the prevention of data loss, but few discuss details, according to Andy Green, security solutions specialist at support services group Alfred McAlpine.
Depending on the sector, there are some clear first stops for information, such as the industry regulator itself. The Information Commissioner will offer advice on Freedom of Information Act compliance, for example, while the Financial Services Authority offers guidance on complying with its many rules and regulations.
However, for more detailed information, particularly with regard to IT systems, bodies such as the International Security Forum (ISF) can provide advice to its members. "The ISF has a database of all the laws in all the countries around the world," says Dave Martin, lead security consultant at LogicaCMG. "It is maintained by its members around the world. It's one of the best sources I've seen." He warns that few of the members are lawyers, so anyone consulting the database should also check with their legal department before acting on any information.
Another important set of regulations, the PCI rules, will affect any company processing credit-card transactions from this month. A considerable source of knowledge, thanks to the PCI Security Vendor Alliance, is the website www.pcialliance.org.
To supplement these sources, a new breed of consultants, compliance specialists, has started to arise. These will typically concentrate on specific pieces of legislation or areas of compliance. Ash Salluja of law firm CMS Cameron McKenna specialises in the pan-European financial services regulations, MiFID (Markets in Financial Instruments Directive), which are set to come into force in November. "MiFID affects so many different areas. It has a whole host of disclosure obligations. How you comply is determined by the IT person," he says.
LogicaCMG maintains a knowledge-management system based on the input of its consultants around the world. It also maintains a research facility to keep an eye on current legislation, as well as forthcoming sources of new laws. CA's Cox estimates that there is one new piece of important compliance legislation each year, with the European Commission worth watching closely: often, several pieces of compliance legislation will be passed at once and require big changes by organisations. It's a good idea to keep an eye on what is being discussed in order to be ready to comply. A pan-European replacement for the Companies Act is one such piece of legislation bubbling under.
As might be expected, technology vendors are also trying to help bridge the gap in compliance knowledge. A growing area of technology is the governance, risk and compliance (GRC) market. Forrester Research's vice-president of risk and compliance research, Michael Rasmussen, predicts that the GRC software platform market will grow steadily over the next few years to £650 million by 2011.
Unisys, for example, offers a benchmarking tool, originally developed for its own use, that requires its users to answer questions about what processes are in place in their organisations and how mature these are. The tool will then flag up areas where the organisation is non-compliant.
"If you are a CSO or a risk manager and you do not know where the risks are, your only function in the organisation is to be blamed if things go wrong," says Gerhard Knecht, security director and CSO, global outsourcing and infrastructure services, at Unisys. He also argues that it's more important to know where weaknesses are than to fix them immediately. "If the CSO focuses on the things that are wrong, this can escalate the change-management process."
Again, GRC benchmarking tools rarely cover the actual technology needed to be compliant, mainly because the legislation itself doesn't spell out these matters. However, some do: banking regulations typically require two-factor authentication for all bank employees. And the latest versions of the PCI rules are probably the most prescriptive about technology. Among a host of security requirements, these spell out firewall standards and frequency of penetration testing; they also mandate two-factor authentication for remote access and web-facing custom application code to be reviewed for common vulnerabilities if there is no web application firewall, for example.
But these are the exceptions. In lieu of detailed technical requirements, many organisations and consultancies look to other, optional compliance guidelines that are more geared to information security. In particular, ISO 17799 and 270001, COBIT and ITIL offer the gold standards in IT security technology and processes: if an organisation is certified to one of these standards, it will almost certainly be well on the way to passing an audit under higher-level compliance legislation.
Here, GRC tools can be more helpful. Companies such as IT Governance offer ISO 270001 workflow engines designed to monitor processes and help achieve compliance under the standard.
One thing is certain: companies will need to have threat protection, such as firewalls and anti-virus software; risk management; intrusion detection or prevention systems, plus access controls for logging on to organisation resources.
Indeed, identity-management systems are probably the one piece of technology all consultants agree is useful for compliance purposes. Mark Jones, associate partner and head of business risk and security services at Atos Origin, says: "Identity management offers many benefits, but crucially allows you to the beginnings of atomic-level permissions." Maintaining an audit trail is far easier with a single sign-on system and restricted permissions in place.
Regardless of how the organisation obtains its compliance information, the next step is finding out what needs to be done in order to meet the requirements. Benchmarking or risk-analysis tools such as the one from Unisys are one way of taking stock of existing processes. A range of process-mapping tools is also available. "Anything that can map processes in an efficient way will help implement compliance technically," says Jones.
This is also where more advanced GRC tools, such as French firm Mega's GRC platform, can come in useful. These include mapping tools, but they can also consist of business process management or business rules engines for the automation of business processes.
"Policies and controls are central to operational risk and compliance," says Forrester's Rasmussen. "The first thing a regulator or auditor wants to see is how the organisation has defined its adherence to external requirements." Workflow and collection capabilities allow the organisation to assess the state of controls; risk analytics, modelling and reporting functions enable managers to assess the state of risk and compliance, and investigations management facilitates central management of investigations and aggregate information.
How many of these features an organisation needs depends on the number of regulations it is subject to, as well as on its size and complexity. But Rasmussen predicts that organisations will increasingly move towards a single view of risk and compliance oversight.
An all-singing, all-dancing GRC platform is usually not necessary, and there are other, smaller or more conventional pieces of technology that can help. In many industries, retention and disposal of documents may be one of the few things that need to be considered for compliance, so a document or records management system may be all that's needed - although implementing of those is by no means a simple task.
Proving that all employees are up to speed with the organisation's policies is an important factor in most compliance regulations. A policy management system such as Netconsent's can be of help. It works by forcing all employees to agree to the policy before they can log onto the corporate network, and can also make them answer questionnaires about it to ensure they have understood it. A central database records how long each person took to read the policy, flagging up anyone who took too short a time, and who needs further training.
"Policies on paper don't stand up with legal and regulatory bodies. This is a serious emerging management problem," warns Robin Saunders, managing director of Netconsent.
All the same, with the torrent of compliance regulation unlikely to abate and an EU version of Sarbanes-Oxley still being developed, companies can either fight fires now or work on a compliance strategy for the longer term. Certainly, those affected by MiFID will find that its terms are still in flux, according to Salluja, so even if you are compliant now, you soon may not be. Involving risk and compliance thinking in IT strategy where possible is certainly wise.
If possible, evolving the architectures to the point where they can support frequent process changes through business process management, service-oriented architectures or workflow will help with future compliance. Indeed, says Cox, it can be worth taking your mind off the specific regulations you're trying to adhere to now. "Just try to comply in general. One set or another will change. When that happens, you'll be able to insert a new configuration."
However, despite great advances, the costs of trying to achieve such a "state of nirvana" might prove prohibitive, admits Paul Beach, a partner at Atos Consulting.
Lack of action
Knowing what to do and actually doing it are two different things, however. The FSA, for instance, carried out research recently to see how compliance consultants were used in small mortgage, general insurance and financial advice firms. Of the 22 companies visited by the FSA that employed compliance consultants, half still had significant weaknesses in their processes and systems. More than a third of the firms failed to act on recommendations from their consultants that would have improved their compliance, the FSA found.
Cox says compliance projects sometimes fail because of short-termist thinking. "There's a 50/50 split in companies. There are those who spend their time planning and those who ignore the problem and end up short on time." Budget is another constraint. When there is any money allocated for compliance, it tends to be too little, generally as a result of optimism on the part of the company as to how much the project would cost to implement.
As a result, says Green, most companies don't try to create an underlying compliance-friendly architecture. "The focus has been on 'getting this bit compliant'." Consequently, they don't make any of the possible gains available from wider systems changes.
Compliance - or GRC - isn't going away. It will place increasing demands on infosec professionals, to varying degrees depending on the industry they work in. The fully compliant enterprise may well be possible, but whatever happens, it won't be compliant for long unless it learns to adapt.
WHAT DO YOU KNOW? A TALE OF TWO EXTREMES
"Blissful ignorance" to "very clued-up" seem to be the two extremes of compliance knowledge encountered by consultants. The pinnacle is dealing with financial services firms.
"Financial services is streaks ahead," says Dave Martin, lead security consultant at LogicaCMG. "If they don't get it right, they lose their licence to operate." With the risk of no longer being able to conduct business acting as a suitable stick, many now have compliance officers and entire compliance or risk-management departments constantly monitoring both the state of compliance legislation and the company's efforts to comply with it.
Outside of financial services and other heavily regulated markets, such as government and healthcare, knowledge is far less pervasive, with retail particularly untouched by its effects, according to Iain McLeod, MD of compliance training firm SAI/Easyi. Sometimes particular functions, such as human resources, will know more than others, however, and the degree of knowledge present in start-ups will often vary according to the background of the founders.
Information security professionals have becoming increasingly aware of the requirements of compliance over the past few years, according to McLeod, and are one of the greatest sources of demand for his company's courses. "The great unwashed are now the senior managers and the frontline employees," he suggests.
But the days of "blissful ignorance" are fast disappearing, according to Robin Saunders, MD of Netconsent. "Companies are being bombarded by legislation and they're all having to learn what it means in practice."
CASE STUDY: NORTON ROSE
International business law firm Norton Rose has offices in 19 jurisdictions around the world, so is no stranger to compliance. Although not subject to the same level of regulation as a financial services firm, it became aware some time ago that compliance legislation was likely to become more pervasive and that it would need a more focused approach.
In 2005, the firm hired a head of compliance, Martin Scott. Jeff Joseph, director of IT at Norton Rose, meets with him regularly to discuss how the firm is meeting with compliance requirements.
"The company's systems haven't evolved with compliance in mind," says Joseph. "But we've added elements, such as a compliance engine for the new storage system for tracking documents." An e-learning system trains employees in requirements and tracks how well they're doing.
With few specific compliance targets to meet, compliance needs are organised project by project rather than by a massive ongoing effort. But with only so much time in the year, meeting compliance needs can still involve giving up another project in favour of a compliance scheme.
Nevertheless, says Joseph, it can be easier to achieve backing for an IT project with the support of the compliance manager. At the suggestion of security consultants from BT and with the compliance manager's backing, the firm is now working towards ISO270001 certification, something it's well on the way to achieving thanks to the addition of a system that tracks security events and some tweaks to processes.
"We think it's beneficial, says Joseph. "It's good for compliance, and if there are two law firms on offer, why not go for the one that's certified?"