compliance a window of opportunity n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Compliance – A Window of Opportunity PowerPoint Presentation
Download Presentation
Compliance – A Window of Opportunity

Loading in 2 Seconds...

play fullscreen
1 / 30

Compliance – A Window of Opportunity - PowerPoint PPT Presentation


  • 96 Views
  • Uploaded on

Compliance – A Window of Opportunity. Presented by : Secure Matrix India Private Limited @ iSAFE , Dubai. October 30, 2008. u. Dinesh Bareja , CISA, CISM Sr Vice President SECURE MATRIX INDIA PVT LTD Mumbai – Pune – Chennai - London dinesh@securematrix.in

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Compliance – A Window of Opportunity' - rosine


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
compliance a window of opportunity

Compliance – A Window of Opportunity

Presented by : Secure Matrix India Private Limited

@ iSAFE, Dubai. October 30, 2008

u

Compliance - A Window of Opportunity

slide2

DineshBareja, CISA, CISM

Sr Vice President

SECURE MATRIX INDIA PVT LTD

Mumbai – Pune – Chennai - London

dinesh@securematrix.in

Audit and Assurance Consulting and Advisory Services in the Information Security and GRC domain covering IS/IT Management / Process / Technical Services.

Compliance - A Window of Opportunity

securematrix services
SecureMatrix Services

Compliance - A Window of Opportunity

the compliance window grows
The Compliance window grows….

Today … We pay the price for the transgressions of the C-level criminals.

Today we see unknown unknowns around the globe and must brace ourselves for greater regulatory control – internal and external

Will this stop more unknowns from hitting us in future is another unknown

As professionals in technology Security and Audit we are moving into a newer dimension with increased responsibility for Governance, Risk and Compliance

"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." E. F. Schumacher / Albert Einstein

Compliance - A Window of Opportunity

not my organization
Not My Organization !

Source: Open Compliance & Ethics Group

Compliance - A Window of Opportunity

compliance today
Compliance Today
  • Regulatory
  • Industry
  • Standards
  • Best Practices
  • Contractual
  • Organizations (worldwide) have numerous Compliance obligations and these are growing
    • Regulatory
    • Standards / Best Practice Frameworks
    • Policies
    • Industrial
    • Contractual
  • Policies
  • Compliance with Compliance requirements takes up too much resources
  • Meeting Compliance needs with technology provides a window of opportunity for the organization to reap tangible and intangible ROI

Compliance - A Window of Opportunity

isaca survey top seven business issues
ISACA Survey - Top seven business issues

Organizations are faced with more challenges now than ever; they must grow and maximize market opportunities while at the same time complying with an ever-increasing number of regulations and standards. Keeping on top of legislative and regulatory requirements is a significant task, and regulatory compliance still operates in “project” mode and has not yet been embedded in business processes. IT must design and maintain systems to comply with these legislative and regulatory requirements, despite the lack of an integrated framework.

Enterprise-based IT management and IT governance

Managing efficient and effective IT departments requires IT governance— the disciplines and capabilities that bring consistent and reliable delivery of IT services to the business. IT governance requires the alignment of IT operations with the goals and objectives of the business. In addition, delivery of IT services requires well-designed IT processes and coordination among the IT team members. However, while there is some recognition of the importance of IT governance at the executive level, further awareness is needed.

Information security management

After many spectacular breaches and losses, and enormous spending on “state-of-the-art” security technologies, enterprises are finally realizing that information security has more to do with managing people and process and less to do with implementation of technology. In so doing, enterprises can leverage international information security management standards (such as ISO/IEC 27001) that provide guidelines and common practices rather than reinventing the wheel each time.

Disaster recovery/business continuity

All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. In response, some enterprises implement business continuity management (BCM) programs to improve their resilience in the event of disaster. Unfortunately, these enterprises are in the minority and BCM still remains an elusive goal for most organizations.

IT value management

IT projects often lack alignment with business goals and objectives; as a result, they are unable to realize business benefits. In some cases, there is a lack of business involvement in IT projects, while in others, there is simply a breakdown in communication between what the business has asked for and what IT has delivered. Implementing processes to help bridge these gaps allows IT to service the needs of business and deliver value.

Challenges of managing IT risks

Risk management practices are poorly understood at the best of times so it is no surprise that IT risk management fares no better. Unfortunately, IT risks are pervasive across enterprises, so the impact of poor IT risk management can be disastrous.

Compliance with financial reporting standards

Global financial reporting standards, such as the US Sarbanes-Oxley Act, have been in place since 2004; however, they continue to be an area of focus for IT departments. While improvements have been made to the standards that help focus efforts on areas of higher risk, enterprises continue to experience challenges in complying in a cost-effective manner.

Source: Top Business/Technology Issues Survey Results,ISACA 2008

Compliance - A Window of Opportunity

slide8

Source: Top Business/Technology Issues Survey Results,ISACA 2008

Compliance - A Window of Opportunity

isaca survey top seven business issues1
ISACA Survey - Top seven business issues

Organizations are faced with more challenges now than ever; they must grow and maximize market opportunities while at the same time complying with an ever-increasing number of regulations and standards. Keeping on top of legislative and regulatory requirements is a significant task, and regulatory compliance still operates in “project” mode and has not yet been embedded in business processes. IT must design and maintain systems to comply with these legislative and regulatory requirements, despite the lack of an integrated framework.

Enterprise-based IT management and IT governance

Managing efficient and effective IT departments requires IT governance— the disciplines and capabilities that bring consistent and reliable delivery of IT services to the business. IT governance requires the alignment of IT operations with the goals and objectives of the business. In addition, delivery of IT services requires well-designed IT processes and coordination among the IT team members. However, while there is some recognition of the importance of IT governance at the executive level, further awareness is needed.

Information security management

After many spectacular breaches and losses, and enormous spending on “state-of-the-art” security technologies, enterprises are finally realizing that information security has more to do with managing people and process and less to do with implementation of technology. In so doing, enterprises can leverage international information security management standards (such as ISO/IEC 27001) that provide guidelines and common practices rather than reinventing the wheel each time.

Disaster recovery/business continuity

All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. In response, some enterprises implement business continuity management (BCM) programs to improve their resilience in the event of disaster. Unfortunately, these enterprises are in the minority and BCM still remains an elusive goal for most organizations.

IT value management

IT projects often lack alignment with business goals and objectives; as a result, they are unable to realize business benefits. In some cases, there is a lack of business involvement in IT projects, while in others, there is simply a breakdown in communication between what the business has asked for and what IT has delivered. Implementing processes to help bridge these gaps allows IT to service the needs of business and deliver value.

Challenges of managing IT risks

Risk management practices are poorly understood at the best of times so it is no surprise that IT risk management fares no better. Unfortunately, IT risks are pervasive across enterprises, so the impact of poor IT risk management can be disastrous.

Compliance with financial reporting standards

Global financial reporting standards, such as the US Sarbanes-Oxley Act, have been in place since 2004; however, they continue to be an area of focus for IT departments. While improvements have been made to the standards that help focus efforts on areas of higher risk, enterprises continue to experience challenges in complying in a cost-effective manner.

Source: Top Business/Technology Issues Survey Results,ISACA 2008

Compliance - A Window of Opportunity

slide10

Source: Top Business/Technology Issues Survey Results,ISACA 2008

Compliance - A Window of Opportunity

slide11

ChallengeS

Times Like This Were Expected

But Then …

The Same Questions,

The Same Different People,

The Same Time Of The Year,

The Same Forms,

The Same Reports (Albeit Newer Dates),

The Same NC’s …

Welcome To The Annual C - Events

Compliance - A Window of Opportunity

slide12

Thought for Compliance is Driven by Regulatory / Legal Obligations

Budgets Usually Shrink In Proportion to Increasing Costs !

Dynamically Changing Regulatory Requirements

Projectized Approach : Compliance is a Project e.g. SOX or SAS70 r BCP project etc.

Non-Unified Efforts Lead To Increased Complexity of Compliance Management

Internal Pushback Due to Repetitive Activities, Reporting, Resource Intensive Efforts

ChallengeS

Times Like This Were Expected – But I Never Thought They’d Be Perpetually Tough

Compliance - A Window of Opportunity

the fallout
The Fallout

Much of the increase in cost is due to duplication of regulation and ambiguous or inconsistent rules

-Securities Industry Association, 2006

Compliance - A Window of Opportunity

unifying compliance
Unifying Compliance

Crosslinked Compliance Requirements

Opportunity!

Opportunity!

Compliance - A Window of Opportunity

compliance the business opportunity
Compliance – The Business Opportunity

Use the opportunity to build Compliance efforts into the business processes, using automation with best practice frameworks enabled

Opportunity Lights are on !

Compliance - A Window of Opportunity

the business benefits
The Business Benefits
  • Business results among firms with the most mature practices

• 17 percent higher revenues

• 14 percent higher profits

• 18 percent higher customer satisfaction rates

• 17 percent higher customer retention levels

• 96 percent lower financial losses from the loss or theft of data

• 50 times less likely to lose or have customer data stolen

• 50 percent less spent on regulatory compliance annually

Source: IT Policy Compliance Group Report 2008

Compliance is Technology Enabled

Maturity of IT Governance

Compliance - A Window of Opportunity

the business benefits1
The Business Benefits
  • Increase Shareholder and Market Confidence
  • Stakeholder’s Awareness of Responsibility
  • Continuous Risk Management enables ERM
  • Compliance is Timely as Mandated
  • Automated and Unified Compliance Lowers Costs
  • Best Practices embedded in the Organization DNA
  • Process Efficiencies due to Best Practices
  • Achieve Governance Goals & Industry Certifications
  • Non Compliance Financial Risks eliminated
  • Learning Reduces Compliance cycles
  • Correlation of Obligations Across Business Units

Compliance is Technology Enabled

Maturity of IT Governance

Compliance - A Window of Opportunity

slide18

OpportunitY

  • -Engineer a culture of risk and responsibility in the organization
  • Ensure high level of awareness amongst stakeholders and demonstrate that it is not difficult if we build the culture of collective responsibility
  • Tobuild enterprise level system(s) that address multiple compliance requirements across multiple regulatory authorities
  • Create a lean compliance program that “delivers” to ‘legal’ mandates (good-enough compliance) without reducing business effort and leverages silver linings which can bring extra business value
  • -Plan the integration process step-by-step
  • -Introduce and build on best practice frameworks like CobiT®
  • Even if you have a low level of automation in some areas you can enable hybrid reporting and build onwards
  • -Managed risk means managed compliance mandates and here we are getting Enterprise level inputs so we can manage the risk across the organization
  • Efficient Management means better business

OpportunitY

Compliance - A Window of Opportunity

business results
Business Results

Compliance - A Window of Opportunity

slide20

At first look,

As we step into addressing security-oriented compliance mandates we find they need high resource and cost commitments and seem to be a burden on the organization and stakeholders.

However, a strong compliance management system will ultimately pay for itself by averting costs associated with security breaches and savings associated with increased efficiency and productivity.

Compliance - A Window of Opportunity

grc business efficiency indicators
GRC Business Efficiency Indicators

Compliance - A Window of Opportunity

slide22

TechnologY

INTEGRATE YOUR COMPLIANCE EFFORTS …. A TECHNOLOGY ENABLED UNIFIED COMPLIANCE MANAGEMENT PROGRAM

  • Central Compliance Repository / Database – holds documentation, information, policies, workflow across identified requirements
  • Change Management – on all repository and process artifacts in respect of their versions, access and controls for distribution, retention, or archiving
  • Workflow Management allowing assignment of responsibilities
  • Updating and Optimization – compliance business process management allows grouping of common controls for unified collection
  • Communication Management - policies and controls are communicated and published across the enterprise to stakeholders
  • Reporting - Interfaces and Templates are designed for ease-of-use for reporting requirements in risk management / prioritization, metrics and audit
  • Customization - Interfaces and workflow assignments can be built for each mandate
  • Manage and Track Progress - of compliance efforts with metrics and automated alerts
  • Audit Trails

TechnologY

Compliance - A Window of Opportunity

solution integrate compliance mandates
Solution : Integrate Compliance Mandates

Many names… one system : Unified Compliance; Integrated Management System; Integrated Compliance…..

  • Risk based automation aligned with compliance mandates defined by
        • Policies
        • Business
        • Legal Regulations
        • Industry
        • Contractual

TechnologY

“Companies that select individual solutions for each regulatory challenge they face will spend 10 times more on the IT portion of compliance projects than companies that take on a proactive and more integrated approach.”

- Gartner

  • Reporting responsibilities are directly assigned to concerned stakeholders through workflow management

Compliance - A Window of Opportunity

x referenced safeguards
X-referenced Safeguards

Compliance - A Window of Opportunity

common regulatory reqmts standards frameworks guidelines
Common Regulatory Reqmts /Standards / Frameworks / Guidelines

A brief listing (30 out of a list of 340) of Regulatory / Standards from the world of Compliance Mandates

Compliance - A Window of Opportunity

presented by
Presented by

DineshBareja

CISA, CISM, ITIL, IPR, ERM, BS: 7799 (Imp & LA)

Senior Vice President

Secure Matrix India Pvt Ltd

Email: dinesh@securematrix.in

Mob: +91.93710-64741

Tel: +91.22.3253-7579

Web: www.securematrix.in

=

Compliance - A Window of Opportunity

slide27

Contact Information

Compliance - A Window of Opportunity

references
References
  • http://www.securematrix.in (Integrated Management System and various references)
  • http://isaca.org (“Top Business-Tech Survey Aug 08” and various references)
  • http://www.itpolicycompliance.com/pdfs/ITPCGAnnualReport2008.pdf
  • http://www.unifiedcompliance.com

Compliance - A Window of Opportunity

slide29

Thank You

Compliance - A Window of Opportunity