What Are Compliance, Governance, and Risk Management?
To understand compliance in a personal sense, think of receiving a yearly privacy notice from your bank, signing a HIPAA form at a doctor visit, or being locked out of an account after too many wrong password attempts. For the IT professional, compliance includes the activities that maintain, and provide systematic proof of, adherence both to internal policies and to the external laws, guidelines, or regulations imposed upon the company.
This is done through a defensible process. There are two elements of compliance: one focuses on the management of compliance, and the second manages the integrity of the system used to adhere to and prove compliance. Today, the role of IT compliance continues to grow as the electronic sharing and storing of information impacts departments such as finance, human resources, and operations that all depend on the services of IT in their information gathering, dissemination, and reporting.
IT Compliance is taking appropriate control of and protecting information, including how it is obtained and stored, how it is secured, its availability (how it is distributed internally and externally), and how the data is protected. The internal compliance functions revolve around the policies, goals, and organizational structure of the business. External considerations include satisfying the customer/end user while protecting the company and end user from harm. Specialized tools are used to continuously identify, monitor, report, and audit to achieve and remain in compliance.
In relation to IT compliance, IT Governance is the function of managing and addressing the overriding technical, strategic, and procedural processes. IT governance is a subset of the overall corporate governance process and is overseen in most cases by an appropriate C-suite executive such as the Chief Compliance Officer (CCO), increasingly with cross-functional involvement from the Chief Technology Officer (CTO).
Risk management is the practice of mitigating and managing risk through system controls and is therefore closely aligned as an integral function of IT governance and IT compliance. GRC (Governance, Risk, and Compliance) is an integrated strategy to effectively and appropriately manage policies, processes, and controls. The collective management of these three functions - rather than as independent objectives - can eliminate duplication and facilitate secure dissemination of information and communications.
Who Is ISACA?
As the regulatory environment grows, so do the institutions that help professionals (including IT managers and executives) find information to better understand it. The Information Systems Audit and Control Association (ISACA) is one such organization. ISACA is a member-driven, non-profit organization that provides news, journals, tools, education, resource sharing, and dialogue on compliance, risk management, audit, and cybersecurity. The organization also maintains certifications for IT compliance professionals that include:
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified Information Security Manager (CISM)
These certifications from ISACA and other organizations can assist professionals in understanding and implementing compliance best practices. In the book Auditing IT Infrastructures for Compliance, authors Martin Weiss and Michael G. Solomon discuss the complexities for today’s professionals: “…First, information technology personnel rarely have a legal background. Second, most requirements lack technical depth…(and) many regulations are vague in their requirements.” They go on to say that many times it is up to the industry, individual company, legal team, C-Suite executives, and the compliance practitioners and auditors to develop the methods to conform to the laws and regulations.
Understanding the Numerous Regulatory Compliance Standards
There are numerous regulatory statutes enacted by Congress. The acts are usually a response to a social or economic problem and as such are considered "enabling legislation": the appropriate government agencies are then tasked with writing and enforcing the regulations the statute authorizes. Most of them embed specific requirements for protecting information, aimed at guarding privacy, preventing fraud, providing security, and protecting identities through standardization, mandates, and accountability.
Corporations providing products and services in the US are expected to know and adhere to these regulations. Corporate legal entities and C-suite executives, including CCOs or CTOs, are responsible for policies to achieve and defend adherence to the relevant regulations. In some cases these executives take on personal responsibility for lawful adherence and reporting and can be held personally liable, facing stiff penalties or even jail time. Other provisions prohibit the destruction of records that could be subject to e-discovery, the process by which electronically stored information is requested and produced in legal proceedings.
In addition to federal policies, many companies must comply with international standards, as well as local, regional, and state restrictions. It can be difficult to identify which laws, regulations, statutes, or mandates are required. Most agree that the legal team and C-Suite executives, under the guidance and recommendations of the compliance officer, are charged with determining the scope of compliance.
Some of the most well-known standards affecting IT compliance include:
The Sarbanes-Oxley Act (SOX) of 2002 is a sweeping statute regulating financial transparency and reporting. Congress enacted it as a direct response to the Enron and WorldCom accounting scandals. Section 404, which requires management and the external auditor to assess internal controls over financial reporting, is the part that lands on IT: the general controls (access management, change management, and operations) over every system that feeds the financial statements fall within its scope.
The Gramm-Leach-Bliley Act (GLBA), signed in 1999, requires financial institutions to explain their information-sharing practices to customers (the yearly privacy notice) and to implement administrative, technical, and physical safeguards for customer data. It also prohibits pretexting, the practice of obtaining customer information under false pretenses, for example by posing as the customer or as a bank employee.
The Federal Information Security Management Act (FISMA), passed in 2002 and updated by the Federal Information Security Modernization Act of 2014, mandates information security programs for federal agencies and the contractors that operate systems on their behalf, including annual assessment of their systems; the NIST SP 800-53 control catalogue is the baseline agencies are measured against.
HIPAA (the Health Insurance Portability and Accountability Act) matters here through Title II, whose Privacy Rule and Security Rule govern the handling of Protected Health Information (PHI) by covered entities (health plans, health care providers, and clearinghouses) and, since the HITECH Act of 2009, by the business associates that handle PHI on their behalf. An employer that sponsors a group health plan is subject to it for that plan's data.
The Payment Card Industry Data Security Standard (PCI DSS), first published in 2004 and maintained since 2006 by the PCI Security Standards Council (founded by American Express, Discover, JCB, MasterCard, and Visa), is not a law but a contractual requirement passed down through the card brands to every merchant and service provider that stores, processes, or transmits cardholder data.
Statement on Standards for Attestation Engagements No. 16 (SSAE 16) became effective in 2011, replacing SAS 70 as the basis for reporting on controls at service organizations, and was itself superseded by SSAE 18 in 2017. The resulting SOC 1 reports cover controls relevant to customers' financial reporting, while SOC 2 reports cover security, availability, processing integrity, confidentiality, and privacy. Data centers, ISPs, and web hosting providers are the common IT-related entities asked to produce them.
Basel III applies to the banking industry and sets how much capital and liquidity a bank must hold to absorb losses. It affects IT because the risk-weighted capital calculations, stress tests, and regulatory reports it requires depend on risk-data aggregation and modeling systems whose inputs and outputs can be audited end to end.
Which Compliance Regulations Apply to Your Organization?
Dealing with the multitude of regulations across numerous industries is daunting for many organizations. In the US a company may be subject to the authority of one or several regulating bodies, including the Securities and Exchange Commission (SEC), the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC). The industries most affected are financial services, retail and e-commerce, health insurance and health care, other insurance, banking, defense, utilities, and credit card issuers, all of which hold sensitive information. But the list also includes any organization that keeps sensitive information; for example, any organization that stores Social Security numbers, which encompasses most employers, government entities, and colleges and universities.
It is difficult to identify enterprises, especially global ones, that are not subject to local, regional, state, federal, or international regulations. HIPAA mandates affect health care insurers and practitioners, but there are also provisions that affect any employer that offers health insurance to its employees. In addition to formal laws and regulations, be aware of industry standards (such as financial accountability standards of Basel III and PCI DSS in the credit card industry). The bottom line is if an IT department is charged with protecting information to ensure confidentiality, integrity, reliability, or availability of information, the chances are there are numerous regulations that demand compliance.
Compliance Audits and Reports
Assessments and audits are the method for determining compliance. Performed by internal audit or by an independent external auditor (in a public company under the oversight of the board's audit committee), a compliance audit determines whether a company is adhering to the applicable laws through a systematic review of policies, procedures, operations, and controls. Since IT has company-wide reach, an IT audit usually spans numerous departments. The scope of an IT compliance audit identifies the applicable laws and requirements, assesses how each law, requirement, or standard is being met, and provides recommendations and remedies for non-compliance.
IT compliance reports are often required during audits to provide correlated log data that serves as evidence of compliance. Beyond audits, the IT team uses the same reports to uncover security breaches, underlying threats, and policy violations so that they can be corrected before serious damage occurs. A balanced scorecard is one way to measure whether the compliance strategy is being executed successfully without impairing the mission of the business.
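To make "a correlated log of data that contains evidence of compliance" concrete, here is an added example (not code from the original article or from Smartsheet) that reads audit log lines, checks them against a handful of written controls, and emits a report that pairs each control with the raw lines that evidence a violation. The log lines and the control identifiers (AC-1, AC-2, PR-1, RR-1), the authorized-role set and the lockout parameters are all constructed for illustration; a real report would pull from the organization's SIEM or audit store and map to its own policy catalogue.

```python
"""Added example: a compliance report built by correlating audit log lines
against written controls. Sample log and control IDs are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T02:13:07Z user=jdoe action=LOGIN result=SUCCESS mfa=false role=admin src=203.0.113.9
2024-03-04T09:02:11Z user=asmith action=READ result=SUCCESS mfa=true role=nurse src=10.0.4.2 resource=phi/patient/4411
2024-03-04T09:05:40Z user=tcontract action=READ result=SUCCESS mfa=true role=contractor src=10.0.4.9 resource=phi/patient/4412
2024-03-04T10:40:00Z user=rlee action=LOGIN result=FAILURE mfa=true role=nurse src=10.0.9.7
2024-03-04T10:40:05Z user=rlee action=LOGIN result=FAILURE mfa=true role=nurse src=10.0.9.7
2024-03-04T10:40:09Z user=rlee action=LOGIN result=FAILURE mfa=true role=nurse src=10.0.9.7
2024-03-04T10:40:14Z user=rlee action=LOGIN result=FAILURE mfa=true role=nurse src=10.0.9.7
2024-03-04T10:40:20Z user=rlee action=LOGIN result=FAILURE mfa=true role=nurse src=10.0.9.7
2024-03-04T10:40:31Z user=rlee action=LOGIN result=SUCCESS mfa=true role=nurse src=10.0.9.7
2024-03-04T23:58:31Z user=jdoe action=DELETE result=SUCCESS mfa=true role=admin src=203.0.113.9 resource=audit/2024-02.log
"""

# Hypothetical control parameters, stated once so the report can cite them.
PHI_ROLES = {"physician", "nurse", "billing"}   # roles allowed to read phi/*
LOCKOUT_THRESHOLD = 5                           # failures that must trigger lockout
LOCKOUT_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(field.split("=", 1) for field in m.group("kv").split() if "=" in field)
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["raw"] = line.strip()
    return event


def evaluate(events):
    """Map each control to the raw log lines that evidence a violation."""
    findings = defaultdict(list)
    recent_failures = defaultdict(list)   # user -> timestamps of failed logins
    for ev in events:
        action, result = ev.get("action"), ev.get("result")
        if action == "LOGIN":
            # AC-1: privileged accounts must authenticate with MFA.
            if result == "SUCCESS" and ev.get("role") == "admin" and ev.get("mfa") != "true":
                findings["AC-1 privileged login without MFA"].append(ev["raw"])
            user = ev.get("user", "")
            if result == "FAILURE":
                recent_failures[user].append(ev["ts"])
            elif result == "SUCCESS":
                # AC-2: a success right after >= threshold failures inside the
                # window means the lockout control did not fire.
                window = [t for t in recent_failures[user] if ev["ts"] - t <= LOCKOUT_WINDOW]
                if len(window) >= LOCKOUT_THRESHOLD:
                    findings["AC-2 lockout not enforced after repeated failures"].append(ev["raw"])
                recent_failures[user] = []
        resource = ev.get("resource", "")
        # PR-1: PHI may only be read by the authorized roles (minimum necessary).
        if resource.startswith("phi/") and ev.get("role") not in PHI_ROLES:
            findings["PR-1 PHI access by unauthorized role"].append(ev["raw"])
        # RR-1: audit records must never be deleted (retention / e-discovery).
        if action == "DELETE" and resource.startswith("audit/"):
            findings["RR-1 audit record deletion"].append(ev["raw"])
    return dict(findings)


def compliance_report(log_text):
    """Parse, evaluate, and summarize: counts plus the evidence lines per control."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = evaluate(events)
    return {
        "events_reviewed": len(events),
        "violations": sum(len(v) for v in findings.values()),
        "findings": findings,
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE_LOG)
    print(f"{report['events_reviewed']} events reviewed, {report['violations']} violations")
    for control, evidence in report["findings"].items():
        print(f"\n[{control}]")
        for line in evidence:
            print("  ", line)
```

The design point is that every finding carries the raw lines that produced it, which is what an auditor will ask for; a count of violations without the underlying evidence is not a defensible report. The lockout check (AC-2) also shows why correlation across lines matters: no single line is a violation, only the sequence is.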
Governance Best Practice Frameworks
Gartner Research defines IT Governance as “the processes that ensure the effective and efficient use of IT enabling an organization to achieve its goals.” There are numerous frameworks that already exist to assist with governance. These include:
- The Information Technology Infrastructure Library (ITIL) describes a service lifecycle of five stages that align IT services with business objectives: service strategy, service design, service transition, service operation, and continual service improvement. Together these provide the basis for a strong IT governance structure. To address the security side, the International Organization for Standardization (ISO) and IEC publish the ISO/IEC 27000 series of standards on information security controls and risk.
- The COBIT framework (Control Objectives for Information and Related Technologies) was developed by the IT Governance Institute (ITGI), a research arm of ISACA. It is a governance and management framework for IT that structures the implementation and organization of controls and links business goals to IT goals. COBIT 4.1 did this through four process domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate); COBIT 5 and COBIT 2019 use five.
- ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) and takes a technology-neutral approach. Its Annex A catalogues the controls an organization selects on the basis of its risk assessment: fourteen control domains in the 2013 edition, reorganized into four themes in the 2022 edition.
Who Is Responsible for Compliance?
Although best practice frameworks are available to guide adherence to compliance regulations, people are necessary to make it all happen. The roles of compliance strategy and implementation are evolving within enterprises with departments and C-Suite positions, including a dedicated compliance department who, along with the CCO, can be tasked with overseeing, planning, and managing elements that work towards IT compliance. Let’s take a closer look at the roles of a CCO and the overall compliance team.
Chief Compliance Officer (CCO): The CCO will be responsible for identifying and managing compliance risk, including developing internal and external controls to manage and resolve compliance problems. Oftentimes, a CCO will put a compliance department in place to provide complete compliance services to the business and staff.
Chief Technology Officer (CTO): Whereas the CCO owns compliance risk, the CTO oversees the technology framework and infrastructure on which compliance, governance, and risk assessment depend.
Compliance Department: If an organization has a dedicated compliance department, they will be charged with managing and overseeing compliance with all applicable regulations and mandates. Duties may include:
- Risk identification
- Implementing risk controls
- Reporting on the effectiveness of controls
- Resolving compliance problems
- Providing regulatory advisement to the business
However, it should be noted that while the technical, procedural, and strategic management resides with those with the greatest liability risk (IT staff, CIO, CFO, and CEO), all constituents in the corporate structure are responsible for complying with the regulations that protect sensitive information.
IT Compliance: Goals and Challenges
The overall goal of IT compliance is to build a technical, procedural, and strategic framework that provides the means to attain and prove a company’s legal and ethical integrity. Providing defensible mechanisms, policies, and procedures can help avoid the following:
- Damage to corporate image standing or consumer trust
- Lost revenue, market opportunity, or stock value
- Remediation expenditures (legal costs, fines, and judgments, purchased consumer protections, capital acquisitions, and lost productivity)
However, achieving this goal runs into many challenges. First and foremost, the complexity and scope of new statutes leave them open to interpretation. Because the regulations themselves do not come with a concrete roadmap, industry-specific guidelines and best practices have grown up to provide clarity and guidance.
Other challenges include:
- Lack of employee education
- Shadow IT issues, such as personal mobile devices that circumvent corporate IT systems
- Unauthorized applications
- Difficulties with service providers (cloud services and data centers)
- The role of social media
- Number of current regulations, updates, and new laws
IT Governance, Risk, and Compliance Management and Software Solutions
To manage the many growing and changing needs of IT compliance, many organizations implement solution strategies. Regardless of the type of solution you choose (a theoretical framework or a software platform), ensure that it will work in today’s business landscape. An IT compliance solution should be adaptable (so you can update it as regulations change), allow for continuous internal investigation, dialogue, and education of those involved, and effectively manage any non-compliance issues.
The term GRC combines the interwoven functions of IT compliance with the overarching responsibilities of corporate governance to enhance the activities of risk management. Gartner Research places additional emphasis on the importance of supporting risk management through their “Hype Cycle” and identifies seven market segments focused on overall Integrated Risk Management (IRM):
- Operational Risk Management (ORM)
- IT Risk Management
- IT Vendor Risk Management
- Business Continuity Management Planning (BCM)
- Audit Management
- Corporate Compliance and Oversight
- Enterprise Legal Management
Of the seven areas, two are directly related to IT and in Gartner’s 2016 Market Guide for Integrated Risk Management Solutions, analyst John A. Wheeler states that “…IT risks have been managed in silos, but are increasingly being recognized as leading indicators for failure in other risk areas, such as fraud, and resiliency.” Gartner has also begun using Integrated Risk Management as a phrase to better define the functions of a strong system for governance, risk management, and compliance.
In adopting an Integrated Risk Management Solution (IRMS) there are numerous frameworks (COBIT and ITIL) and organizations (COSO) available to assist in developing best practices and procedures.
Many organizations also opt to adopt a software solution to manage IT compliance. IT compliance software can support critical functions and provide micro and macro functionality, integrated features and controls, and mobile solutions to assist in both compliance and risk management. Capabilities you may seek when evaluating compliance management software include:
- Identification of vulnerabilities
- Systems controls and application security functions
- Quick recovery functions after failure or incident
- Risk assessment and threat identification
- Document and project management
- Ongoing operations and maintenance management
- Audit logs and authentication
- Root cause analytics and forensics
- Firewalls, network security, and malware detection
- Change management and trouble ticket tracking
- Disaster recovery
- Email archiving
When considering a software solution, you first need a clear plan, assessment, and review of the goals, processes, and procedures already in place. For example, identify which compliance issues need to be added or strengthened and how you will employ the software to assist. To guide this process, numerous industry organizations and specialists can help formulate the questions or glean information as a solution is researched. For example, the Gartner Magic Quadrant for IT Risk Management Solutions covers the corporate compliance segment, listing software vendors and assessing each product's strengths and appropriate applications.
Before making a final software choice, be sure to:
- Evaluate vendor history and reputation
- Ask the vendor the complex compliance questions to ensure their understanding of your needs and requirements
- Demo the product and involve key personnel
- Work with industry analysts and experts
- Perform an assessment based on specific organization governance, risk, and compliance requirements
Ultimately, a thorough exploration of the available software solutions will lead you to the product that best fits your needs. Remember not to be swayed by fancy add-on functionalities (that you might not even need); let your research results be the deciding factor.
Benefits and Best Practices of an IT Compliance Solution
As we’ve discussed, failure to adhere to compliance regulations can have great impact on your organization’s bottom line. Therefore, establishing a robust IT compliance strategy along with supporting solutions is critical to your organization’s future success. A strong IT compliance solution can enable you to:
- Stay up to date on current compliance requirements through integrations with GRC data sources
- Standardize processes across all required IT GRC regulations
- Improve effectiveness with automated processes and workflow
- Provide leadership with real-time IT compliance reports
- Maintain accurate records for audits
- Maximize investment in IT compliance services
- Incorporate relevant compliance best practices into processes and workflow
- Manage IT resources and ensure accountability
Avoiding Compliance and IT Risk – Tips for Compliance Leaders
As noted earlier, there are many challenges associated with IT compliance. Here are several tips that will help avoid expensive fines, penalties, and other legal consequences associated with non-compliance:
- Educate employees on all aspects of data privacy and provide them with the tools for protection.
- Provide mobile employees with managed laptops and devices that enforce security policy (full-disk encryption, screen lock, remote-wipe capability) and give them a secure path, such as a VPN or a zero-trust access proxy, to corporate data.
- Restrict software installation through application allowlisting so that only approved applications can be installed or run.
- Enforce encryption of sensitive data at rest and in transit, and deny access to corporate data from unmanaged or non-compliant devices.
- Use only cloud storage services that can evidence their own controls (for example a current SOC 2 report or ISO/IEC 27001 certification), and configure them to your own access and retention policies.
And, finally, a good IT compliance system involves the realities and intricacies of today’s highly-connected environment. All employees play a role in protecting data and using equipment ethically (for example, laptops and computer use and safeguarding them even when off-site). More than ever, IT compliance demands strong governance frameworks, appropriate policies and protections, and defensible processes to protect the company if incidents arise.