Business and IT Compliance Strategy: A Conceptual Framework

Allyn McGillicuddy, The Office Of The CIO

Description

Presentation delivered at the Silicon Valley Chapter of ISACA on February 21, 2013


Page 2

Office of the CIO® © Proprietary 2013

Enterprise Compliance Process

• Is it sufficiently scalable to encompass functions within the enterprise?
• Is funding for compliance remediation adequate?
• Is it fully integrated into day-to-day business operations?
• Does it have the appropriate executive sponsorship/ownership?
• Has the compliance process achieved a reasonable level of simplicity?
• Is the program cost appropriate?

Page 3

Compliance Process Challenges

• Compliance management processes are labor-intensive
• Compliance automation is often fragmented among disparate systems and data structures
• Widespread organizational agility is evolving too slowly to keep pace with dynamic business and technology demands such as mobile payments
• Shortcomings cannot be attributed to lack of either effort or good intentions

Page 4

Stakeholder View of Compliance?

Page 5

For Others, It’s Like Taking the DMV Road Test Without the Benefit of a Driver’s Manual…

Page 6

…Or Like Trying to Get From Point A to B in Ireland Without a Michelin Guide.

Page 7

Established Frameworks Help To Organize the Process…

• DSCI Security Framework (DSF©)
• EU Data Security Framework
• COBIT
• ISO/IEC 27002
• Common Security Framework (CSF)
• COSO
• NIST

Page 8

… But Establishing a Single, Unified Enterprise Strategy That Fits Can Be Daunting.

Page 9

A Pragmatic Alternative: Distill and Decompose the Process

• Group Major Compliance Process Elements
• Define Core Competencies for Each Process Group
• Set Process Group Competency Goals
• Enable Skills Focus via Division of Labor

Page 10

A Compliance Process Framework

Reliable and efficient business framework to assess, execute, monitor, and audit enterprise compliance

ASSESS: FIND GAPS
EXECUTE: REMEDIATE (network, data, access, applications, threats)
MONITOR: MONITOR RESULTS
AUDIT: PROVE COMPLIANCE

Page 11

The ASSESS Process

A core goal of this process is to find evidence of compliance controls and gaps, to prove they do/do not exist.

• Controlled Self-assessment
• Risk Frameworks and Scripts
• Asset Inventories
• Configuration Management Library/database
• Business Process Mapping

Page 12

The EXECUTE Process

• Actions to remediate the observed gaps
• Real-time evidence of control mechanisms
• Evaluate/quantify risk tailored to compliance objectives
• Tools, such as self-assessment software and scripts
• Training
• Programs to support compliance

Page 13

The MONITOR Process

• Validate: monitor and measure to validate previous decisions and remedial controls
• Direct: monitor and measure to set direction for activities in order to meet compliance targets
• Justify: monitor and measure to justify, with factual evidence or proof, that a course of action is/is not required
• Intervene: monitor and measure to identify a point of intervention, including subsequent changes and corrective actions

Page 14

The AUDIT Process

• Prove compliance: measure and prove the effectiveness of the compliance programs
• Evidence of Policies and their Dissemination
• Evidence Repository for Assessments
• Results – evidence of control mechanisms
• Reports

Page 15

Process Competence Plan

• Identify, target improved skills and capabilities for each of the four process groups
• Establish tactical and strategic goals, plans to close gaps
• Identify evidence/metrics of target goal achievement
• Report results, evaluate achievement

(Figure: improvement cycle starting at Assess/measure)

Page 16

Process Capability Escalator*

• Minimum level of prerequisite items are available to support the process activities
• Organizational policy statements, business objectives providing purpose & guidance
• Process Capability – evidence that defined steps are being carried out
• Internal Integration – activities are integrated sufficiently to fulfill the process intent
• Products – actual output of the process, evidence that relevant products are produced
• Quality Control – review and verification of the process output
• Management Information – adequate and timely information to support management decisions
• External Integration – all process interfaces are identified and understood
• Validation – external review and validation of the process

* This is an ITIL capability framework example, with a view toward progressive capability achievement. Other frameworks can be useful.

Page 17

The Underlying Capability Strategy…

(Figure axes: efficiency, organization)

Page 18

… Achieved Via Managing Defined Process Competency …

• Rules and Policy
• Inventory and Process
• Assessment Methods, automation
• Tools, Training, Programs
• Risk Identification, Management
• Best-in-Breed Applications

(Figure axes: efficiency, organization)

Page 19

… And By Integrating Business and IT Compliance Controls

1. Define “top-down”, broad business processes
2. Decompose broad processes to identify in-scope business process activities
3. Map in-scope process activities to compliance policies
4. Define and integrate business control procedures
5. Focus IT capabilities on automating required IT controls, automating business controls, assessment, and reporting

Page 20

Example: Integrated Business - IT Controls

Business Process: Payer Payment/Deductible/Denial Posting & Reconciliation

Transaction: Auto-Posting Transaction

Business Policy: Processing billing or payment information on a timely basis

Business Compliance Control: Policy 8.5.8. Use of another person’s login to gain access to company systems and network is prohibited. Do not use group, shared, or generic accounts and passwords.

IT Compliance Control Policies: PCI-DSS-002 Password Control Compliance Requirement, Implement Strong Access Control Measures
• 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties
• 8.4 Encrypt all passwords during transmission and storage on all system components
• 8.5.4 Immediately revoke access for any terminated users

Page 21

Defining Business Controls

1. The Business Activity is documented as a model comprising
   • Process Activities
   • Governance Activities
2. The Compliance Policy requires the business process to incorporate Governance Activities at specific points
3. The Business Entity determines the specific integration of the Governance Activity within the business process
4. The Compliance Process
   • Verifies the presence of the Governance Activity within the business process and
   • Documents the evidence of the controls

(Figure: example billing process flow: establish patient’s account in billing; update a patient’s account; communicate Ambulatory Payment Classification (APC) grouping; delete a patient’s billing/accounts receivable records. A governance decision point “Strong Access Measures in Place?” follows: Y continues the process, NO leads to Notify Supervisor.)

Page 22

Business Processes with Compliance Controls

(Figure: swimlane process diagram with lanes Pharmaceutical/Medical Management Services, Determine Patient Eligibility, and A/P Reimbursement. Activities shown: Download Patient Eligibility Data; Electronically Verify Eligibility; Establish Eligibility Criteria; Obtain Client’s Eligibility Information for Payment; Determine Type of Reimbursement; Calculate Amount of Reimbursement; Provide Payment; Formulate a Medication Treatment Plan; Process Payment Information on a Timely Basis; Manage Medication Inventory; Generate Report. Decision points labelled “Compliance Control?” with Y/N branches sit between activities.)

Page 23

Control Point Example: Limit access to billing information via designated payment workstation*

PCI/P05.01 - Limit ability to view/update member’s account to PCI-DSS Compliant Workstations

Description: Modify application access to check for PCI-DSS compliant workstation
Inputs: View/update billing transaction flag; Workstation identifier; Member Number; Plan Type
In-scope Roles: Billing Clerk; A/R Specialist; A/R Supervisor; Region Controller
Outputs: (none listed)

(Figure: decision point “Strong Access Measures in Place?” with a YES branch)

* Example, for illustration purposes

Page 24

Steps to Create Business Governance Control Processes

1. Employ a Reference Process Model
2. Map Reference Model Processes to Actual Processes
3. Identify the in-scope Compliance Processes
4. Define and Implement the Required Controls

Page 25

Integrate the Four Compliance Processes via a Risk-Prioritized Process Foundation

ASSESS: FIND GAPS
EXECUTE: REMEDIATE
MONITOR: MONITOR RESULTS
AUDIT: PROVE COMPLIANCE

RISK-PRIORITIZED PROCESS FOUNDATION
• Prioritize all process activities based on relative risk
• Perform quarterly, structured risk recalibration and adjust plans accordingly

Page 26

Transition Steps/Considerations

• Establish and Leverage Compliance Process Dashboards
   • Dashboards designed for each of the 4 process groups
   • Map current activities to one or more process groups
   • Appoint enterprise process leaders for each process group
• Integrated Enterprise View of Compliance Process Data
   • Single data view of aggregated compliance-relevant data
   • Enterprise view of compliance risk vectors
      • External risk
      • Internal risk

Page 27

Discussion: the Big Picture

• What’s Missing?
• What’s Wrong?
• Anything Right?
• Thank You!