Presentation Delivered at the Silicon Valley Chapter of ISACA on February 21, 2013
Business and IT Compliance Strategy
A Conceptual Framework
Allyn McGillicuddy
The Office Of The CIO
Office of the CIO® © Proprietary 2013
Enterprise Compliance Process
• Is it sufficiently scalable to encompass functions within the enterprise?
• Is funding for compliance remediation adequate?
• Is it fully integrated into day-to-day business operations?
• Does it have the appropriate executive sponsorship/ownership?
• Has the compliance process achieved a reasonable level of simplicity?
• Is the program cost appropriate?
Compliance Process Challenges
• Compliance management processes are labor-intensive
• Compliance automation is often fragmented among disparate systems and data structures
• Widespread organizational agility is evolving too slowly to keep pace with dynamic business and technology demands such as mobile payments
• Shortcomings cannot be attributed to lack of either effort or good intentions.
Stakeholder View of Compliance?
For Others, It’s Like Taking the DMV Road Test Without the Benefit of a Driver’s Manual…
…Or Like Trying to Get From Point A to B in Ireland Without a Michelin Guide.
Established Frameworks Help To Organize the Process…
• DSCI Security Framework (DSF©)
• EU Data Security Framework
• COBIT
• ISO/IEC 27002
• Common Security Framework (CSF)
• COSO
• NIST
… But Establishing a Single, Unified Enterprise Strategy That Fits Can Be Daunting.
A Pragmatic Alternative: Distill and Decompose the Process
• Group Major Compliance Process Elements
• Define Core Competencies for Each Process Group
• Set Process Group Competency Goals
• Enable Skills Focus via Division of Labor
A Compliance Process Framework
Reliable and efficient business framework to assess, execute, monitor, and audit enterprise compliance

ASSESS      | EXECUTE    | MONITOR          | AUDIT
FIND GAPS   | REMEDIATE  | MONITOR RESULTS  | PROVE COMPLIANCE

Remediation domains under EXECUTE:
• Network
• Data
• Access
• Applications
• Threats
The ASSESS Process
A core goal of this process is to find evidence of compliance controls and gaps, to prove they do/do not exist.
• Controlled Self-assessment
• Risk Frameworks and Scripts
• Asset Inventories
• Configuration Management Library/database
• Business Process Mapping
The EXECUTE Process
• Actions to remediate the observed gaps
• Real-time evidence of control mechanisms
• Evaluate/quantify risk tailored to compliance objectives
• Tools, such as self-assessment software and scripts
• Training
• Programs to support compliance
The MONITOR Process
• Validate: Monitor and measure to validate previous decisions and remedial controls
• Direct: Monitor and measure to set direction for activities in order to meet compliance targets
• Justify: Monitor and measure to justify, with factual evidence or proof, that a course of action is/is not required
• Intervene: Monitor and measure to identify a point of intervention, including subsequent changes and corrective actions
The AUDIT Process
• Prove compliance: Measure and prove the
effectiveness of the compliance programs
• Evidence of Policies and their Dissemination
• Evidence Repository for Assessments
• Results – evidence of control mechanisms
• Reports
Process Competence Plan
• Identify, target improved skills and capabilities for each of the four process groups
• Establish tactical and strategic goals, plans to close gaps
• Identify evidence/metrics of target goal achievement
• Report results, evaluate achievement
(Cycle diagram; recoverable labels: start, Assess/measure)
Process Capability Escalator*
1. Prerequisites – Minimum level of prerequisite items are available to support the process activities
2. Management Intent – Organizational policy statements, business objectives providing purpose & guidance
3. Process Capability – Evidence that defined steps are being carried out
4. Internal Integration – Activities are integrated sufficiently to fulfill the process intent
5. Products – Actual output of the process, evidence that relevant products are produced
6. Quality Control – Review and verification of the process output
7. Management Information – Adequate and timely information to support management decisions
8. External Integration – All process interfaces are identified and understood
9. Validation – External review and validation of the process
* This is an ITIL capability framework example, with a view toward progressive capability achievement. Other frameworks can be useful.
The Underlying Capability Strategy…
(Diagram: capability plotted against efficiency and organization axes; other labels not recoverable from the extraction)
… Achieved Via Managing Defined Process Competency …
(Diagram on the same efficiency/organization axes, with the following capability elements:)
• Rules and Policy
• Inventory and Process
• Assessment Methods, automation
• Tools, Training, Programs
• Risk Identification, Management
• Best-in-Breed Applications
… And By Integrating Business and IT Compliance Controls
1. Define “Top-down”, broad business processes
2. Decompose broad processes to identify in-scope business process activities
3. Map in-scope process activities to compliance policies
4. Define and integrate business control procedures
5. Focus IT capabilities on automating required IT controls, automating business controls, assessment, and reporting
Example: Integrated Business - IT Controls
Business Process: Payer Payment/Deductible/Denial Posting & Reconciliation
Transaction: Auto-Posting Transaction
Business Policy: Processing billing or payment information on a timely basis
Business Compliance Control: Policy 8.5.8. Use of another person’s login to gain access to company systems and network is prohibited. Do not use group, shared, or generic accounts and passwords.
IT Compliance Control Policies: PCI-DSS-002 Password Control Compliance Requirement – Implement Strong Access Control Measures (requirement numbers follow PCI DSS v2.0, the version current when this deck was delivered)
• 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties
• 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography
• 8.5.4 Immediately revoke access for any terminated users
Defining Business Controls
1. The Business Activity is documented as a model comprising
   • Process Activities
   • Governance Activities
2. The Compliance Policy requires the business process to incorporate Governance Activities at specific points
3. The Business Entity determines the specific integration of the Governance Activity within the business process
4. The Compliance Process
   • Verifies the presence of the Governance Activity within the business process and
   • Documents the evidence of the controls
(Flowchart example: Establish patient’s account in billing → Update a patient’s account → Communicate Ambulatory Payment Classification (APC) grouping → Delete a patient’s billing/accounts receivable records; governance check at each step “Strong Access Measures in Place?” – Y: continue, NO: Notify Supervisor)
Business Processes with Compliance Controls
(Swimlane flowchart; swimlanes are Pharmaceutical/Medical Management Services, A/P Reimbursement, and Determine Patient Eligibility. Activities, with “Compliance Control?” Y/N decision points between them:)
• Download Patient Eligibility Data
• Electronically Verify Eligibility
• Establish Eligibility Criteria
• Obtain Client’s Eligibility Information for Payment
• Determine Type of Reimbursement
• Calculate Amount of Reimbursement
• Provide Payment
• Formulate a Medication Treatment Plan
• Process Payment Information on a Timely Basis
• Manage Medication Inventory
• Generate Report
Control Point Example: Limit access to billing information via designated payment workstation*
PCI/P05.01 – Limit ability to view/update member’s account to PCI-DSS Compliant Workstations

Description:     Modify application access to check for PCI-DSS compliant workstation
Inputs:          Workstation identifier; Member Number; Plan Type
In-scope Roles:  Billing Clerk; A/R Specialist; A/R Supervisor; Region Controller
Outputs:         View/update billing transaction flag
Governance check: Strong Access Measures in Place? → YES
* Example, for illustration purposes
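The control point above is stated as a table; the following is an added illustration of how an application-side check for it could be implemented, not code from the presenter. It assumes things the slide does not say: that the workstation identifier reaches the application from an authenticated source (for instance a device certificate subject) rather than from a user-editable request field, since an identifier the client can choose gives no assurance that the workstation is the compliant one; that the allowlist of compliant workstations is exported from the asset inventory / configuration management database; and that the NO branch notifies a supervisor, as in the deck’s flowchart. The class and function names, workstation identifiers, member numbers and plan types are hypothetical.

```python
"""Control point PCI/P05.01: allow view/update of a member's billing account
only from a PCI DSS-compliant workstation and only for an in-scope role.

Added illustration for this deck, not the presenter's code. Assumptions:
the workstation identifier is supplied by an authenticated source (e.g. a
device certificate), the allowlist comes from the CMDB, and a denied
request notifies a supervisor. All identifiers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# In-scope roles from the control point table.
IN_SCOPE_ROLES = frozenset({
    "Billing Clerk", "A/R Specialist", "A/R Supervisor", "Region Controller",
})


@dataclass(frozen=True)
class ControlDecision:
    """Output of the control point: the view/update flag plus its reason."""
    view_update_allowed: bool
    reason: str


def mask_member_number(member_number):
    """Keep only the last four characters, e.g. 'M12345678' -> '*****5678',
    so the evidence store does not become a second copy of account data."""
    tail = member_number[-4:]
    return "*" * (len(member_number) - len(tail)) + tail


class BillingAccessControlPoint:
    def __init__(self, compliant_workstations, in_scope_roles=IN_SCOPE_ROLES):
        # Allowlist of workstation identifiers attested as PCI DSS compliant
        # (hypothetical export from the asset inventory / CMDB).
        self.compliant_workstations = frozenset(compliant_workstations)
        self.in_scope_roles = frozenset(in_scope_roles)
        self.evidence = []            # evidence repository consumed by AUDIT
        self.supervisor_notices = []  # "Notify Supervisor" branch

    def evaluate(self, workstation_id, role, member_number, plan_type):
        """Inputs match the control point table (workstation identifier,
        member number, plan type) plus the requesting role."""
        if role not in self.in_scope_roles:
            decision = ControlDecision(False, "role not in scope for billing access")
        elif workstation_id not in self.compliant_workstations:
            decision = ControlDecision(False, "workstation not on PCI DSS compliant allowlist")
        else:
            decision = ControlDecision(True, "compliant workstation and in-scope role")

        # Every decision, allowed or denied, is recorded as evidence.
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "workstation": workstation_id,
            "role": role,
            "member": mask_member_number(member_number),
            "plan_type": plan_type,
            "allowed": decision.view_update_allowed,
            "reason": decision.reason,
        }
        self.evidence.append(record)
        if not decision.view_update_allowed:
            self.supervisor_notices.append(record)
        return decision


def demo():
    """Run the control against constructed sample requests; returns the
    decisions and the control point so its evidence can be inspected."""
    cp = BillingAccessControlPoint(compliant_workstations={"WS-PAY-01", "WS-PAY-02"})
    results = [
        cp.evaluate("WS-PAY-01", "Billing Clerk", "M12345678", "PPO"),   # allowed
        cp.evaluate("WS-KIOSK-07", "Billing Clerk", "M12345678", "PPO"), # denied: workstation
        cp.evaluate("WS-PAY-02", "Pharmacist", "M12345678", "HMO"),      # denied: role
    ]
    return results, cp


if __name__ == "__main__":
    for decision, record in zip(*[demo()[0], demo()[1].evidence]):
        print(record["workstation"], record["role"], decision.view_update_allowed, decision.reason)
```

The check is deliberately ordered role first, then workstation, and it writes an evidence record on both branches: the AUDIT process on the earlier slides needs proof that the control fired, including the denials that triggered a supervisor notice, not only the successful view/update flags.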
Steps to Create Business Governance Control Processes
1. Employ a Reference Process Model
2. Map Reference Model Processes to Actual Processes
3. Identify the in-scope Compliance Processes
4. Define and Implement the Required Controls
Integrate the Four Compliance Processes via a Risk-Prioritized Process Foundation

ASSESS      | EXECUTE    | MONITOR          | AUDIT
FIND GAPS   | REMEDIATE  | MONITOR RESULTS  | PROVE COMPLIANCE

RISK-PRIORITIZED PROCESS FOUNDATION
• Prioritize all process activities based on relative risk
• Perform quarterly, structured risk recalibration and adjust plans accordingly
Transition Steps/Considerations
• Establish and Leverage Compliance Process Dashboards
  • Dashboards designed for each of the 4 process groups
  • Map current activities to one or more process groups
  • Appoint enterprise process leaders for each process group
• Integrated Enterprise View of Compliance Process Data
  • Single data view of aggregated compliance-relevant data
  • Enterprise view of compliance risk vectors
    • External risk
    • Internal risk
Discussion: the Big Picture
• What’s Missing?
• What’s Wrong?
• Anything Right?
• Thank You!