By JC Cannon
Senior Program Manager, Microsoft Corporation
See other Viewpoint articles.
Compliance can appear to be a complex and overwhelming issue. Its scope spans regulatory requirements (federal, state, and local), corporate policy, industry standards, and conformance to customer expectations. So when someone asks you if your department is in compliance, you may find it difficult to respond succinctly.
This article looks at ways to address the many aspects of compliance by boiling them down into a single concept: "Are policies being followed the way I expect them to be?"
Helping your employees follow policies and helping your company meet compliance regulations is easier if you break the job down into manageable steps:
Determine where to focus your compliance efforts.
Use procedures that validate compliance.
Consolidate the management of compliance.
Create compliance policies using a hierarchical approach.
Decide to automate compliance processes.
Choose compliance-enabling technologies.
Determine Where to Focus Your Compliance Efforts
What drives compliance efforts? Regulatory legislation, corporate policy, partner agreements, industry standards, cost savings, efficiency, and customer expectations are all strong drivers for compliance. But what should you focus your efforts on?
For most companies the main focus for a compliance assessment should be processes that affect the bottom line. This assessment should be done to identify poor or missing processes that will cost the company money in fines, lost sales, and higher-than-necessary expenses. From that assessment, a prioritized plan based on risk should be developed that will satisfy each of the compliance drivers.
Use Procedures That Validate Compliance
Being able to validate that your company is compliant is an important part of choosing your compliance procedures. You must ensure that business processes are executed as expected and be able to prove that during an audit. They are two sides of the same coin: ensuring compliance and validating compliance.
When considering the deployment of technology for compliance purposes, consider two specific capabilities of the technology:
Can the technology be deployed broadly across the enterprise from a central console?
Can reports be generated centrally to validate the effectiveness of the technology?
For example, in a large enterprise, a CIO may be responsible for the protection of thousands of resources. The deployment of permission settings and encryption can help protect the resources but cannot validate compliance. If a CIO wants to prevent insider trading, the CEO could place strict access permissions on all acquisition content and even encrypt the most sensitive data. However, if an auditor asks the CIO to verify that only people who are part of the acquisition team have viewed acquisition documents, the auditor doesn't want to see an encryption setting. The CIO should be able to produce reports that validate that only members of the acquisition team had access to the acquisition documents during the acquisition period. This can be done only through access logs that can be easily fed into reports that can answer questions such as:
Who accessed protected content during the acquisition period?
Did each person have a need to access the content?
Did the membership of any security group for the content ever change?
Was all acquisition content protected during storage and transmission?
Was any acquisition content ever transmitted outside of the scrutiny of the company?
To answer these questions, you need to have procedures in place that validate compliance.
Consolidate the Management of Compliance
Each time a major piece of compliance legislation is released, some companies will create new teams to address it. This often causes a duplication of effort and can sometimes result in the creation of conflicting policies. Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA all require restricted access to sensitive information. Companies shouldn't have to create three teams to come up with a data-protection strategy to protect sensitive data.
At Microsoft, we are faced with similar compliance issues as other large companies. To help streamline our efforts at addressing the plethora of regulatory requirements with which we are faced, we developed a regulatory compliance planning guide that consolidates the requirements from four sets of legislation into a core set of common high-level IT control objectives. Each of the IT controls are mapped to a set of technology solutions that can automate the implementation of each of the IT controls. As new legislation is released, it can be broken down into its IT control areas, which can be added to the previous mapping. Any distinct controls would have to have a new technology mapping assigned to it. This approach helps to minimize the disruption that can be caused by new mandates.
Consolidating the management of compliance can make it easier to create a single corporate compliance policy. In this manner, addressing new compliance legislation is a simpler matter of temporarily assigning a couple of people to determine the needs of the new legislation and updating the single policy where necessary.
Create Compliance Policies Using a Hierarchical Approach
For large companies, developing a corporate policy that mandates how every department is to do its job is cumbersome at best. It would take a deep understanding of the practices of each department along with the data that each department handles. In addition, when a departmental practice changes, the need to update the corporate policy may go unnoticed.
It is more practical to have a corporate policy that expresses the company's position on business practices. Each department could then look at creating a departmental policy that conforms to corporate policy and addresses the department's specific needs around compliance.
For example, a corporate policy may indicate that all sensitive data must have restricted, monitored access. In turn, each department would have a policy for handling sensitive data for which it is responsible. So the finance department would have its own policy for handling sensitive financial data, and the sales department would have its own policy for handling sensitive customer data.
Decide to Automate Compliance Processes
Once a company understands how it wants to manage its corporate policy and has put manual processes in place, it should then look for ways to automate these processes.
Automation is an important next step because implementing business processes using paper, e-mail messages, or disjointed files and applications is prone to error. There are too many opportunities for something to get lost or overlooked. In addition, audits can be expensive, laborious tasks when they have to be done manually.
When a company is ready to automate, it should look for systems that provide end-to-end control over business processes. These systems should have strong reporting capabilities. For example, you may want the provisioning for a new employee to be connected to a workflow to ensure that the employee is added to the appropriate systems with oversight. Any compliance system that is deployed should be able to answer why an action occurred and who approved it. Automated security and workflows aren't going to help much if there is no automated way to determine if they are working.
Choose Compliance-Enabling Technologies
Once an assessment has been done to determine the business processes that need to be automated, the next step is to find solutions that assist with the automation process. The following solution areas -- described in more detail in the Regulatory Compliance Planning Guide -- are commonly available and can aid a company in automating its compliance needs. In fact, Microsoft provides guidance and/or solutions for each area.
Identity Management Solutions
Being able to identify resources by type and function and employees by their job roles makes compliance much easier. Identity management solutions can manage the provisioning, transfer, and removal of employees from your corporate systems. The chosen system should tie into all other systems as a means to identify all legitimate systems users for a company. This helps in precisely identifying who is involved in each business process.
Change Management Solutions
Change management solutions provide a formal means to manage changes to corporate resources. For example, any time a customer record, spending limit, business process, or computer configuration gets modified, it could go through a submission, reviewer, and approver process that is recorded for auditing purposes. In that manner, a company will be able to determine why resources are in the state they are.
Document Management Solutions
Document management solutions manage the life cycle of a document, including such features as change management, access control, versioning, backup, and retention policies. These solutions help companies achieve SOX, HIPAA, and GLBA requirements for restricting access to documents that may contain sensitive customer or financial data.
Risk Management Solutions
A great risk management solution will help companies prioritize and monitor the deployment of compliance projects. Developing corporate policies are valuable only when they are placed into practice. Tracking compliance is key to reducing risks that could negatively affect the company.
Business Process Management Solutions
Business process management (BPM) applications help provide end-to-end visibility and control over all segments of complex, multi-step information requests or transactions that involve multiple applications and people in one or more organizations. In terms of regulatory compliance, BPM helps ensure transaction security, reliable service and availability, and service level refinement.
Project Management Solutions
Project management solutions apply knowledge, skills, tools, and techniques to a broad range of activities to help meet the requirements of the particular project. Organizations use project management solutions to help implement projects, ensure operation reliability, and maintain compliance programs.
Network Security Solutions
Network security solutions constitute a broad solution category designed to address the security of all aspects of the network for the organization, including firewalls, servers, clients, routers, switches, and access points. Many regulations require organizations to take steps to provide appropriate security for the IT environment. Because network security is a critical element to overall information security, it is important for regulatory compliance.
Host Control Solutions
Host control solutions control the operating systems in servers and workstations. Host control is fundamental to all of the core security control categories, such as confidentiality, integrity, and availability.
Malicious Software Prevention Solutions
Malicious software prevention solutions include antivirus, antispyware and antispam solutions, as well as rootkit detectors. Without applications that you can use to help detect, monitor, and remove malicious software, there is an increased risk that sensitive corporate information in your organization could be compromised or destroyed.
Application Security Solutions
Application security combines good development practices with specific software security and involves key application controls that auditors focus on as they examine critical business systems.
Messaging and Collaboration Solutions
Messaging and collaboration programs provide a large productivity improvement for teams engaged in achieving compliance objectives, and they add to the overall efficiency of the organization. Collaboration applications can range from integrated document programs, such as Microsoft® Office to portals, instant messaging, online presentation software, and peer-to-peer programs.
Data Classification and Protection Solutions
Data classification and protection deals with how to apply security classification levels to the data either on a system or in transmission. Data classification is important to compliance because it informs users about what levels indicate the relative importance of the data, how they must handle the data, and how they must safeguard and dispose of it.
Authentication, Authorization, and Access Control Solutions
This control objective is critical to helping to meet the requirements of the core security principles of confidentiality, integrity, and availability. Authentication usually involves a user name and a password, but it can include additional methods to demonstrate identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authorization focuses on determining if someone, after the person is identified, is permitted to access requested resources. Access is granted or denied depending on a wide variety of criteria, such as the network address of the client, the time of day, or the browser that the person uses.
Regulatory compliance demands that organizations address security and compliance training. Security and compliance training solutions in most organizations are typically modifications of existing training software solutions. This training should cover corporate and departmental compliance.
Physical Security Solutions
Physical security solutions secure physical access and control of the systems and workstations in your organization.
Vulnerability Identification Solutions
Vulnerability identification solutions provide tools that you can use to help test for vulnerabilities in your organization's information systems. Regularly monitoring computers and servers for vulnerabilities in the organization is extremely important because it provides a controlled platform on which to run business application software. A compromised environment is not under control, making it unsuitable to run business software that is compliant.
Monitoring and Reporting Solutions
Monitoring and reporting solutions collect and audit logs that result from authentication and access to systems. These solutions are either designed to collect specific information based on compliance to certain regulations, or use existing logs built into operating systems or software packages.
Disaster Recovery and Failover Solutions
In the event of a natural or man-made disaster, the information systems for the organization must return to an operational state as quickly as possible. Many regulations and standards explicitly require disaster recovery and failover solutions.
Incident Management and Trouble-Tracking Solutions
Incident management and trouble-tracking solutions use customized systems that manage specific business processes from beginning to end. Several regulations and standards specifically require organizations to use incident management and trouble-tracking solutions.
To achieve compliance, first determine where to focus your compliance efforts, break the requirements into manageable pieces, and deploy IT controls to manage them. Next, combine compliance efforts to reduce duplication of work and define a corporate policy that addresses your company's compliance requirements. Each department should then create a policy that fits within the confines of the corporate policy. Then, create manual processes to implement the IT controls, and finally, look for opportunities to automate the manual processes with systems that are designed for compliance.