Microsoft IT Streamlines Regulatory Compliance
Technical Case Study
Published: February 2009
Learn how Microsoft Information Technology (Microsoft IT) uses a holistic approach
to address the ever-increasing complexity of regulatory compliance. This continually
evolving system combines IT support for different regulatory frameworks into a single
overarching process, and uses standardized tools to test similar controls. By combining
tools and using a clearly defined role-based accountability model, Microsoft IT
streamlines business processes, reduces duplication of effort, and makes IT professionals
more operationally efficient.
Situation
In the past, Microsoft Corporation has relied on a regulatory compliance framework
that consisted of a complex and advanced set of processes, controls, and reporting.
Microsoft IT needed to update this regulatory compliance framework by reducing complexity
while simultaneously improving the breadth of controls, providing more prescriptive
control requirements, and supporting the continual evolution of regulatory compliance
technologies and processes.
Microsoft IT also had a mature model for driving SOX compliance. As additional requirements
such as HIPAA and PCI are added, additional complexities are introduced, and
separate processes and controls are created. Each additional regulation significantly
increases the cost and time involved in managing IT processes for regulatory compliance.
Solution
Taking a holistic approach to IT support for regulatory compliance, Microsoft IT
developed a single comprehensive strategy, or framework, for meeting regulatory
compliance and reporting needs for SOX, HIPAA, PCI, and additional regulations and
requirements. This framework uses common controls to address multiple compliance
requirements.
Implementing a standardized framework of controls, a dedicated regulatory compliance
program management function, and a role-based accountability model for application/infrastructure
senior owners, application/infrastructure owners, and control owners has enabled
the Microsoft IT regulatory compliance program to operate more efficiently and achieve
the compliance performance targets set by management.
Benefits
- Creation of a single, overarching IT regulatory compliance control framework
and a standardized approach to impacts and risks streamlines business processes
- Use of similar controls to satisfy different regulations reduces duplication
of effort
Situation
Increased governmental oversight in recent years has resulted in new requirements
that affect organizations in a wide range of industries. Governmental controls over
companies come from a variety of sources, including local and national governments.
Industry-specific oversight groups often produce guidance that can be mandatory
for industry participants. This complex universe of controls is often referred to
by the general term regulatory compliance. For any company that conducts
business in multiple jurisdictions, its compliance obligations quickly become
incredibly complex because it must comply with all applicable regulations of the
locales in which it operates.
However, reacting to each new regulatory requirement by creating an individual compliance
initiative is inefficient and can quickly place a burden on a business and its IT
organization. This case study describes how the Microsoft IT group is addressing
this challenge by introducing a holistic approach towards IT support of regulatory
compliance. This document discusses the processes and tools that Microsoft IT has
developed to manage the requirements mandated by Sarbanes-Oxley (SOX), the Health
Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry
(PCI) Data Security Standard, as well as additional regulations and requirements.
It also lists the benefits Microsoft IT has derived as a result of working under
this new model, and provides best practices to assist the reader in leveraging this
model and applying it to their company in order to improve their own regulatory
compliance efforts.
Note: This paper is based on Microsoft IT's experience and recommendations
and is not intended to serve as a procedural guide or an opinion of law. Each enterprise
environment has unique circumstances; therefore, each organization should adapt
the plans and best practices described in this paper to meet its specific needs.
History of Microsoft IT Regulatory Compliance Efforts
All companies are facing significant legal and regulatory challenges in areas such
as information security, privacy, reliability, and business integrity. These challenges
can require major changes to systems and processes across companies. Companies must
react to and plan for the increasing structure and regulation around corporate accountability
and control in order to meet many legal and ethical objectives.
As with many companies, Microsoft IT has been challenged by the number of different
regulatory requirements and frameworks it must manage and with which it must
comply. Microsoft IT's initially simple methodology quickly turned complex, and
it realized that it needed to develop an overall regulatory compliance framework
that could address current regulations as well as support future regulations. Until
recently, Microsoft IT's support of regulatory compliance efforts has been focused
on each separate regulatory framework as a distinct set of rules, processes, and
tools, including:
- SOX: Because SOX was one of the first extensive regulatory frameworks Microsoft had to
address, much of Microsoft IT's framework was initially created specifically for
SOX. The initial program was rolled out in 2004. Soon after, the proof of process
and the first successful external audit and technology rollout occurred. From 2006 through
2008, the focus was on gaining efficiencies: controls were optimized, quarterly
processes were streamlined, and efforts were made to improve internal tools and
reduce costs. Most recently, the focus has been on rationalizing risk assessment,
monitoring controls, automating controls, and shifting from a SOX-based mindset
to overall internal governance.
- HIPAA: The Microsoft U.S. Benefits Team initially built a Microsoft HIPAA
compliance program. When technical compliance became necessary, the Benefits Team
engaged Microsoft IT with the HIPAA Security Rule. Microsoft IT then began identifying
accountable owners and optimized compliance using Microsoft Excel®, e-mail, and
Microsoft SharePoint®. Although these tools provide an outstanding cross-group collaboration
environment and support the control assessment and sign-off process, a more scalable,
automated, and flexible solution needs to be developed for the long term.
- PCI: PCI is one of the latest high-profile industry regulations to be addressed.
Microsoft IT started its PCI compliance efforts as a mostly manual tracking
process that included using Excel spreadsheets, e-mail messages, and other ad-hoc
materials. Spreadsheets were automated in order to improve scalability, status-tracking
reporting, and visibility. Scans of the production environment were implemented
in order to reduce the compliance validation work. Current efforts are underway
to improve productivity by leveraging the compliance overlap between SOX, HIPAA,
and PCI controls. The objective is to establish a single regulatory compliance schedule
as the rhythm of the business, increase the percentage of automated control compliance
scanning, and centralize control compliance tracking and reporting.
Solution
As a very well-known publicly traded company, Microsoft realizes that not only is
it under constant scrutiny, it is being looked to for guidance by other companies
that are also facing the challenge of trying to remain compliant in an evolving
legal and regulatory landscape. In developing and improving business and IT processes,
Microsoft must proactively address regulatory compliance and lead by example.
The key to how Microsoft IT improved its regulatory compliance processes was to
design a new, holistic approach whose primary objective was to simplify across processes,
roles, and tools. Each of these areas is described in the following text.
A Holistic Strategy for IT Support of Regulatory Compliance
In developing a strategy to address its compliance needs, Microsoft IT examined
many of its existing business and IT processes to identify regulatory compliance
risks and solutions. The goal was to create a long-term, holistic strategy for compliance
that could be built into business processes, rather than simply creating ad-hoc
processes and tools to address specific compliance requirements.
The Annual Rhythm of the Business
Microsoft IT's approach towards support of regulatory compliance is to use a framework
of common security controls, unique tools for monitoring, and IT tools for tracking
and reporting compliance.
The following high-level diagram illustrates the rhythm that unifies the regulatory
program. While the model is holistic in approach, it is flexible enough to support
tools, requirements, or activities that are not common across all supported regulatory
frameworks.
Figure 1. Annual rhythm of the business
Quarterly Activities
Although regulatory compliance is an ongoing process, its tasks and milestones follow
an annual cycle. The combination of developing a formalized schedule that addresses
the required tasks across all regulatory frameworks, and using compliance tools
to automate and streamline the processes, is the centerpiece for Microsoft IT's
productivity and efficiency gains.
Each quarter's key regulatory compliance activities are summarized below:
- Q1: Evaluate scope, rationalize controls, conduct training, and focus on
control owner communication. Commence design effectiveness testing.
- Q2: Complete design effectiveness testing, followed by running the bulk
of operational effectiveness testing. Compliance validation scanning scripts are
run (either automated or manually), and their status is reported to their control
owners.
- Q3: Complete operational effectiveness testing, and work on remediating design
issues and control failures identified during testing. External audit begins.
- Q4: Complete external audits and review their feedback. Perform year-end
inquiry, followed by Management sign-off with external audit attestation, where
applicable.
Compliance Tools
Microsoft IT has developed a set of tools that help streamline its regulatory compliance
process:
- Regulatory Compliance Tool: This tool was initially developed for SOX, but
is being modified to support the other regulatory frameworks. It functions as a
control repository that integrates risks and control objectives across locations
and transactions. It provides visibility to role ownership, workflow assignments,
and remediation. It also tracks reviews and signoff of documentation and testing,
and provides enhanced reporting. It integrates with the Issue Management tool in
order to document issues and the remediation of failed controls.
- Issue Management Tool: When a control is marked as failed in the Regulatory Compliance
Tool, the tester is automatically prompted to enter the issue into
the Issue Management Tool. This tool is used to create issues enterprise-wide and
assigns ownership of each issue. It also allows for reporting, searching, and filtering
of issues, monitoring of issue status, and tracking of remediation.
- Segregation of Duty Analysis Tool: A financial compliance tool used to identify
segregation of duties conflicts to help prevent fraud and financial statement errors
or irregularities.
Defining a Holistic Strategy Best Practices
- Streamline your processes: Organize all the regulatory compliance activities
and formalize a single, all-encompassing process that enables work to be performed
in a predictable manner each year and schedule compliance activities accordingly.
- Consolidate people's regulatory responsibilities: Identify where multiple
controls operate in an organization and look for a single point of accountability
that will oversee regulatory compliance within that organization.
Role-based Accountability Model
A key aspect of the holistic approach towards regulatory compliance is defining
a role-based accountability model. This model offers a more efficient way to coordinate
compliance activities, and results in increased effectiveness of control testing
and adherence to regulations due to individuals taking ownership of regulatory compliance.
In order to provide an end-to-end service horizontally across IT and vertically
between management and regulatory owners, a dedicated regulatory compliance program
management team was created to continuously drive an aggregate compliance effort
with all stakeholders.
The diagram in the following figure provides a sample accountability model that
clearly identifies who is responsible for what information. In particular, note
that this is a roll-up model, where those at the bottom of the chart are responsible
for the most granular level of detail for specific applications and related infrastructure.
Information is rolled up to managers who are responsible for their groups, which
is further rolled up by application/infrastructure senior owners, and is ultimately
provided to the VP Leadership Team and CIO.
Figure 2. The role-based accountability model
The list of roles involved in regulatory compliance and their responsibilities is
provided in the following table:
Table 1. Roles and Responsibilities
(For each role: primary responsibilities, remediation responsibilities, and testing responsibilities.)

Control Owner
Primary responsibilities: Manage the day-to-day control activities. Notify the
Application/Infrastructure Owner and the Regulatory Compliance Program Manager
when controls are circumvented, require redesign, or when personnel changes occur.
Remediation responsibilities: Oversee remediation implementation. Ensure operations
implement remediation effectively.
Testing responsibilities: Facilitate testing with auditors. Ensure testing exceptions
are resolved. Notify the Application/Infrastructure Owner and the Regulatory Compliance
Program Manager when proposed or actual changes occur in how a control is evidenced
for testing.

Application/Infrastructure Owner
Primary responsibilities: Review design effectiveness and update documentation to
reflect current processes. Sign off on regulatory surveys and regulatory workflow
areas of the Regulatory Compliance Tool.
Remediation responsibilities: Develop remediation plans. Drive remediations to completion.
Testing responsibilities: Find resources to execute testing. Evaluate test results.
Sign off on application/infrastructure test results.

Application/Infrastructure Senior Owner
Primary responsibilities: Approve all documentation changes. Define control objectives
and control activities, and ensure consistency of approach where there are multiple
locations. Sign off on regulatory surveys and regulatory workflow areas of the
Regulatory Compliance Tool.
Remediation responsibilities: Approve remediation plans.
Testing responsibilities: Define common test plans if there are multiple locations.
Review all test results. Drive sign-offs of Application/Infrastructure Owners.

Regulatory Compliance Program Manager
Primary responsibilities: Tier 1 support for Application/Infrastructure Owners and
Application/Infrastructure Senior Owners. Drive program milestones, metrics, and
reporting, and act as the main interface with the Compliance Governance Group and
the field.
Remediation responsibilities: Monitor and drive remediation of deficiencies.
Testing responsibilities: Review test workbooks for high-risk areas. Evaluate risk
and prioritize testing. Perform quality assessments.

Compliance Governance Group
Primary responsibilities: Tier 2 support for Application Owners and Application/Infrastructure
Senior Owners. Reporting and updates to senior management, and interface with the
external auditor. Evaluate impacts to the control environment.
Remediation responsibilities: Lead quarterly deficiency evaluations.
Testing responsibilities: Selective QA review of documentation and test workbooks.

Internal Auditor
Primary responsibilities: Consulting on and evaluation of regulatory compliance processes.
Remediation responsibilities: SME participant in quarterly deficiency evaluations.
Testing responsibilities: Testing and design evaluation within the Internal Audit
annual plan.
Accountability Model Best Practices
- Consider defining a dedicated program management role (and team, if required) that
is solely focused on managing the regulatory compliance process across IT.
- Define a hierarchy that is appropriate for your business; consider designing a model
along existing business groups or units.
- Carefully define documentation, remediation, and testing responsibilities at each
level.
- Confirm that your accountability model allows both granular responsibilities and
roll-up reporting.
- Ensure performance review commitments are in place for all regulatory roles. This
provides an incentive for individuals to take ownership of regulatory responsibilities.
Escalation is usually not needed when individuals are committed to upholding program
milestones and deliverables. Make sure key executives (the IT Controller and the CIO/VPs)
communicate their personal commitment to overall regulatory governance.
- Maximize the value of your external audit by having your regulatory compliance project
management team and compliance governance group maintain an open and honest relationship
with your auditor.
Implementation of Similar Controls Across All Regulatory Frameworks
Because many controls are similar across the various frameworks, Microsoft IT carefully
reviewed the complete set of controls for all frameworks, identified where such
overlaps or supersets occurred, and merged them where synergies existed.
Figure 3. Implementation of controls and roles across frameworks
As the following table illustrates, merging similar controls can significantly reduce
duplication of effort while simultaneously streamlining the test process.
Table 2. Reduction of Testing Effort Due to Merged Testing of Similar Controls
(For each scenario: the contextual diagram of control synergies, the number of testing
steps pre-merge and post-merge, and comments.)

Overlap
Contextual diagram of control synergies: diagram not reproduced.
Number of testing steps: 9 pre-merge, 6 post-merge.
Comments: The test procedures for these controls would need to articulate the unique
subset required for the specific regulatory control.

Superset
Contextual diagram of control synergies: diagram not reproduced.
Number of testing steps: 8 pre-merge, 5 post-merge.
Comments: Where feasible, superset controls that satisfy SOX, HIPAA, and PCI together
are the most beneficial for cost reduction and simplicity.
Implementing Similar Controls Best Practices
- Identify control overlap by grouping similar objectives across frameworks.
- Review your test steps across all regulatory controls in each framework and identify
where overlaps, and thus a reduced number of tests, can be achieved.
- Explore existing industry-standard frameworks that can be used as a guide to bring
together multiple regulations to help you create an integrated approach.
Benefits
By taking a holistic approach to regulatory compliance, Microsoft IT has derived
a number of benefits:
- Increased awareness: The role-based accountability model gives insight to
the overall state of compliance. Upcoming projects are communicated early and evaluated
for impacts to regulatory compliance.
- Improved regulatory compliance support: By dedicating a team of regulatory
compliance program managers who can monitor and manage any control compliance, Microsoft
IT gained the ability to look at issues broadly and ultimately provide the means
to leverage best practices and make recommendations to improve the overall process.
- Eased adoption of new regulatory frameworks: Microsoft IT's scalable model
eases the process of on-boarding other regulatory frameworks when new laws are created
or existing regulations change.
- Remediation of failures: An aggregate view enables the Regulatory Compliance
Team to find commonalities and allows the organization to address the root cause
of potentially systemic issues.
- Streamlined communications: Merging processes and controls reduces the redundancy
and frequency of multiple communications, improves the prioritization of tasks,
and allows for a more meaningful conversation with senior management.
- Reduction in overhead costs: Merging controls reduces audit touch points.
Conclusion
Microsoft IT is developing a holistic approach to IT support of regulatory compliance
by standardizing processes, creating common controls that address multiple regulatory
frameworks, and implementing a role-based accountability model that allows key
impact information to be captured in the early stages of business processes.
This holistic approach starts with a single overarching regulatory compliance framework
that combines all compliance frameworks (such as SOX, HIPAA, and PCI) into a single
process, and uses tools that help automate and streamline the process in its entirety.
In addition, Microsoft IT designed a role-based accountability model that includes
a dedicated regulatory compliance program management team. This model clearly articulates
each role's responsibilities and provides a streamlined "roll-up" report
path that provides each person the information and reports they require.
Microsoft IT views regulatory compliance support as an ongoing effort. Microsoft
IT uses compliance tools to fully optimize the program and reduce the time and effort
Microsoft IT spends in support of regulatory compliance. The current model described
in this case study will evolve over time to address the company's future regulatory
compliance needs. In designing this new model, Microsoft IT found that taking a
holistic approach to supporting regulatory compliance not only increases the efficiency
of testing and appropriate reporting, it also standardizes processes and makes IT
professionals more efficient in their operations.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales
Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information
Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact
your local Microsoft subsidiary. To access information via the World Wide Web, go
to:
http://www.microsoft.com
http://www.microsoft.com/technet/itshowcase
© 2009 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Excel, and SharePoint are either
registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. The names of actual companies and products mentioned herein
may be the trademarks of their respective owners.