Presentation Delivered at the Silicon Valley Chapter of ISACA on February 21, 2013
Text of Business and IT Compliance Strategy
1. Business and IT Compliance Strategy: A Conceptual Framework
Allyn McGillicuddy, The Office of the CIO

2. Enterprise Compliance Process
- Is it sufficiently scalable to encompass functions within the enterprise?
- Is funding for compliance remediation adequate?
- Is it fully integrated into day-to-day business operations?
- Does it have the appropriate executive sponsorship/ownership?
- Has the compliance process achieved a reasonable level of simplicity?
- Is the program cost appropriate?
Office of the CIO Proprietary 2013

3. Compliance Process Challenges
- Compliance management processes are labor-intensive.
- Compliance automation is often fragmented among disparate systems and data structures.
- Widespread organizational agility is evolving too slowly to keep pace with dynamic business and technology demands such as mobile payments.
- Shortcomings cannot be attributed to lack of either effort or good intentions.

4. Stakeholder View of Compliance?

5. For Others, It's Like Taking the DMV Road Test Without the Benefit of a Driver's Manual

6. Or Like Trying to Get From Point A to B in Ireland Without a Michelin Guide.

7. Established Frameworks Help To Organize the Process
- COBIT
- ISO/IEC 27002
- Common Security Framework (CSF)
- DSCI Security Framework (DSF)
- EU Data Security Framework
- NIST
- COSO

8. But Establishing a Single, Unified Enterprise Strategy That Fits Can Be Daunting.

9. A Pragmatic Alternative: Distill and Decompose the Process
- Group major compliance process elements
- Define core competencies for each process group
- Set process group competency goals
- Enable skills focus via division of labor

10. A Compliance Process Framework
A reliable and efficient business framework to assess, execute, monitor, and audit enterprise compliance.
(Diagram of the four process groups: ASSESS: find gaps; EXECUTE: remediate; MONITOR: network, data, access, applications, threats; AUDIT: prove compliance results.)

11. The ASSESS Process
- Controlled self-assessment
- Risk frameworks and scripts
- Asset inventories
- Configuration management library/database
- Business process mapping
A core goal of this process is to find evidence of compliance controls and gaps, to prove they do/do not exist.

12. The EXECUTE Process
- Actions to remediate the observed gaps
- Real-time evidence of control mechanisms
- Evaluate/quantify risk tailored to compliance objectives
- Tools, such as self-assessment software and scripts
- Training programs to support compliance

13. The MONITOR Process
- Validate: monitor and measure to validate previous decisions and remedial controls
- Direct: monitor and measure to set direction for activities in order to meet compliance targets
- Justify: monitor and measure to justify, with factual evidence or proof, that a course of action is/is not required
- Intervene: monitor and measure to identify a point of intervention, including subsequent changes and corrective actions

14. The AUDIT Process
- Prove compliance: measure and prove the effectiveness of the compliance programs
- Evidence of policies and their dissemination
- Evidence repository for assessments
- Results evidence of control mechanisms
- Reports

15. Process Competence Plan
- Identify and target improved skills and capabilities for each of the four process groups
- Establish tactical and strategic goals and plans to close gaps
- Identify evidence/metrics of target goal achievement
- Report results, evaluate achievement
(Cycle diagram: start, then assess/measure at each stage.)

16. Process Capability Escalator*
- Minimum level of prerequisite items are available to support the process activities
- Organizational policy statements and business objectives providing purpose and guidance
- Process capability: evidence that defined steps are being carried out
- Internal integration: activities are integrated sufficiently to fulfill the process intent
- Products: actual output of the process, evidence that relevant products are produced
- Quality control: review and verification of the process output
- Management information: adequate and timely information to support management decisions
- External integration: all process interfaces are identified and understood
- Validation: external review and validation of the process
* This is an ITIL capability framework example, with a view toward progressive capability achievement. Other frameworks can be useful.

17. The Underlying Capability Strategy
(Diagram: efficiency and organization.)

18. Achieved Via Managing
(Diagram, grouped under efficiency and organization: defined process competency; rules and policy; tools, inventory, and automation; training and process programs; assessment methods; risk identification and management; best-in-breed applications.)

19. And By Integrating Business and IT Compliance Controls
1. Define top-down, broad business processes
2. Decompose broad processes to identify in-scope business process activities
3. Map in-scope process activities to compliance policies
4. Define and integrate business control procedures
5. Focus IT capabilities on automating required IT controls, automating business controls, assessment, and reporting

20. Example: Integrated Business - IT Controls
- Business Process: Payer Payment/Deductible/Denial Posting & Reconciliation
- Transaction: Auto-Posting Transaction
- Business Policy: Processing billing or payment information on a timely basis
- Policy 8.5.8: Use of another person's login to gain access to company systems and network is prohibited. Do not use group, shared, or generic accounts and passwords.
- Compliance Requirement: PCI-DSS-002 Password Control
- Business Compliance Control: Implement Strong Access Control Measures
- IT Compliance Control Policies:
  8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties
  8.4 Encrypt all passwords during transmission and storage on all system components
  8.5.4 Immediately revoke access for any terminated users

21. Defining Business Controls
1. The Business Activity is documented as a model comprising Process Activities and Governance Activities
2. The Compliance Policy requires the business process to incorporate Governance Activities at specific points
3. The Business Entity determines the specific integration of the Governance Activity within the business process
4. The Compliance Process verifies the presence of the Governance Activity within the business process and documents the evidence of the controls
(Flowchart: establish patient's account in billing; update a patient's account; Strong Access Measures in Place? Y: communicate Ambulatory Payment Classification (APC) grouping; N: notify supervisor; delete a patient's billing/accounts receivable records.)

22. Business Processes with Compliance Controls
(Flowchart of three process lanes, each with a "Compliance Control? Y/N" decision point.)
- Determine Patient Eligibility: obtain client's eligibility criteria; establish eligibility data; download patient eligibility information; electronically verify eligibility
- Payment Reimbursement: determine type of reimbursement; calculate amount of reimbursement; provide payment
- Pharmaceutical/Medical Management: formulate a medication treatment plan; manage medication inventory; process payment information on a timely basis; generate report services

23. Control Point Example: Limit access to billing information via designated payment workstation*
- PCI/P05.01: Limit ability to view/update member's account to PCI-DSS compliant workstations
- Description: Modify application access to check for PCI-DSS compliant workstation
- Inputs: Member Number, Plan Type, Workstation identifier
- Outputs: View/update billing transaction flag
- Decision point: Strong Access Measures in Place? YES
- In-scope Roles: Billing Clerk, A/R Supervisor, A/R Specialist, Region Controller
* Example, for illustration purposes

24. Steps to Create Business Governance Control Processes
- Employ a reference process model
- Map reference model processes to actual processes
- Identify the in-scope compliance processes
- Define and implement the required controls

25. Integrate the Four Compliance Processes via a Risk-Prioritized Process Foundation
(Diagram: ASSESS: find gaps; EXECUTE: remediate; MONITOR; AUDIT: prove compliance results; all resting on the risk-prioritized process foundation.)
- Prioritize all process activities based on relative risk
- Perform quarterly, structured risk recalibration and adjust plans accordingly

26. Transition Steps/Considerations
- Establish and leverage compliance process dashboards
  - Dashboards designed for each of the 4 process groups
  - Map current activities to one or more process groups
  - Appoint enterprise process leaders for each process group
- Integrated enterprise view of compliance process data
  - Single data view of aggregated compliance-relevant data
  - Enterprise view of compliance risk vectors: external risk, internal risk

27. Discussion: the Big Picture
What's Missing? What's Wrong? Anything Right?
Thank You!
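The control point on slide 23 (limit view/update of a member's billing account to PCI-DSS compliant workstations and in-scope roles) expressed as an application-side authorization check that also produces the evidence record the AUDIT process asks for. This is an added example, not code from the presentation; the workstation register, role permissions and control identifier mapping are constructed assumptions.

```python
"""Added example (not from the presentation): the slide-23 control point
'limit access to billing information via designated payment workstation'
as an application authorization check that records control evidence.
Workstation register, role permissions and sample values are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed register: workstation identifier -> passed the PCI-DSS
# compliant-workstation assessment (the slide's 'Workstation identifier' input).
COMPLIANT_WORKSTATIONS = {"PAY-WS-01": True, "PAY-WS-02": True, "GEN-WS-07": False}

# In-scope roles from slide 23; which billing operations each may perform
# is an assumption made for the example.
ROLE_PERMISSIONS = {
    "Billing Clerk": {"view"},
    "A/R Specialist": {"view", "update"},
    "A/R Supervisor": {"view", "update"},
    "Region Controller": {"view"},
}

@dataclass
class ControlEvidence:
    """One evidence record per decision, for the compliance evidence repository."""
    control_id: str
    member_number: str
    plan_type: str
    workstation: str
    role: str
    operation: str
    decision: str
    reason: str
    timestamp: str

def check_billing_access(member_number, plan_type, workstation, role, operation):
    """Return (allowed, evidence). Denials are recorded just like approvals so the
    AUDIT process can prove the control fired; unknown workstations fail closed."""
    allowed, reason = True, "permitted"
    if role not in ROLE_PERMISSIONS:
        allowed, reason = False, "role not in scope for control PCI/P05.01"
    elif operation not in ROLE_PERMISSIONS[role]:
        allowed, reason = False, f"role '{role}' may not '{operation}'"
    elif not COMPLIANT_WORKSTATIONS.get(workstation, False):
        # Fail closed: a workstation missing from the register is not compliant.
        allowed, reason = False, "workstation not PCI-DSS compliant"
    evidence = ControlEvidence(
        "PCI/P05.01", member_number, plan_type, workstation, role, operation,
        "ALLOW" if allowed else "DENY", reason, datetime.now(timezone.utc).isoformat())
    return allowed, evidence
```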