Compliance – A Window of Opportunity

1. Compliance – A Window of Opportunity Presented by : Secure Matrix India Private Limited @ iSAFE, Dubai. October 30, 2008 u Compliance - A Window of Opportunity

2. DineshBareja, CISA, CISM Sr Vice President SECURE MATRIX INDIA PVT LTD Mumbai – Pune – Chennai - London dinesh@securematrix.in Audit and Assurance Consulting and Advisory Services in the Information Security and GRC domain covering IS/IT Management / Process / Technical Services. Compliance - A Window of Opportunity

3. SecureMatrix Services Compliance - A Window of Opportunity

4. The Compliance window grows…. Today … We pay the price for the transgressions of the C-level criminals. Today we see unknown unknowns around the globe and must brace ourselves for greater regulatory control – internal and external Will this stop more unknowns from hitting us in future is another unknown As professionals in technology Security and Audit we are moving into a newer dimension with increased responsibility for Governance, Risk and Compliance "Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." E. F. Schumacher / Albert Einstein Compliance - A Window of Opportunity

5. Not My Organization ! Source: Open Compliance & Ethics Group Compliance - A Window of Opportunity

6. Compliance Today • Regulatory • Industry • Standards • Best Practices • Contractual • Organizations (worldwide) have numerous Compliance obligations and these are growing • Regulatory • Standards / Best Practice Frameworks • Policies • Industrial • Contractual • Policies • Compliance with Compliance requirements takes up too much resources • Meeting Compliance needs with technology provides a window of opportunity for the organization to reap tangible and intangible ROI Compliance - A Window of Opportunity

7. ISACA Survey - Top seven business issues Organizations are faced with more challenges now than ever; they must grow and maximize market opportunities while at the same time complying with an ever-increasing number of regulations and standards. Keeping on top of legislative and regulatory requirements is a significant task, and regulatory compliance still operates in “project” mode and has not yet been embedded in business processes. IT must design and maintain systems to comply with these legislative and regulatory requirements, despite the lack of an integrated framework. Enterprise-based IT management and IT governance Managing efficient and effective IT departments requires IT governance— the disciplines and capabilities that bring consistent and reliable delivery of IT services to the business. IT governance requires the alignment of IT operations with the goals and objectives of the business. In addition, delivery of IT services requires well-designed IT processes and coordination among the IT team members. However, while there is some recognition of the importance of IT governance at the executive level, further awareness is needed. Information security management After many spectacular breaches and losses, and enormous spending on “state-of-the-art” security technologies, enterprises are finally realizing that information security has more to do with managing people and process and less to do with implementation of technology. In so doing, enterprises can leverage international information security management standards (such as ISO/IEC 27001) that provide guidelines and common practices rather than reinventing the wheel each time. Disaster recovery/business continuity All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. In response, some enterprises implement business continuity management (BCM) programs to improve their resilience in the event of disaster. Unfortunately, these enterprises are in the minority and BCM still remains an elusive goal for most organizations. IT value management IT projects often lack alignment with business goals and objectives; as a result, they are unable to realize business benefits. In some cases, there is a lack of business involvement in IT projects, while in others, there is simply a breakdown in communication between what the business has asked for and what IT has delivered. Implementing processes to help bridge these gaps allows IT to service the needs of business and deliver value. Challenges of managing IT risks Risk management practices are poorly understood at the best of times so it is no surprise that IT risk management fares no better. Unfortunately, IT risks are pervasive across enterprises, so the impact of poor IT risk management can be disastrous. Compliance with financial reporting standards Global financial reporting standards, such as the US Sarbanes-Oxley Act, have been in place since 2004; however, they continue to be an area of focus for IT departments. While improvements have been made to the standards that help focus efforts on areas of higher risk, enterprises continue to experience challenges in complying in a cost-effective manner. Source: Top Business/Technology Issues Survey Results,ISACA 2008 Compliance - A Window of Opportunity

8. Source: Top Business/Technology Issues Survey Results,ISACA 2008 Compliance - A Window of Opportunity

9. ISACA Survey - Top seven business issues Organizations are faced with more challenges now than ever; they must grow and maximize market opportunities while at the same time complying with an ever-increasing number of regulations and standards. Keeping on top of legislative and regulatory requirements is a significant task, and regulatory compliance still operates in “project” mode and has not yet been embedded in business processes. IT must design and maintain systems to comply with these legislative and regulatory requirements, despite the lack of an integrated framework. Enterprise-based IT management and IT governance Managing efficient and effective IT departments requires IT governance— the disciplines and capabilities that bring consistent and reliable delivery of IT services to the business. IT governance requires the alignment of IT operations with the goals and objectives of the business. In addition, delivery of IT services requires well-designed IT processes and coordination among the IT team members. However, while there is some recognition of the importance of IT governance at the executive level, further awareness is needed. Information security management After many spectacular breaches and losses, and enormous spending on “state-of-the-art” security technologies, enterprises are finally realizing that information security has more to do with managing people and process and less to do with implementation of technology. In so doing, enterprises can leverage international information security management standards (such as ISO/IEC 27001) that provide guidelines and common practices rather than reinventing the wheel each time. Disaster recovery/business continuity All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. In response, some enterprises implement business continuity management (BCM) programs to improve their resilience in the event of disaster. Unfortunately, these enterprises are in the minority and BCM still remains an elusive goal for most organizations. IT value management IT projects often lack alignment with business goals and objectives; as a result, they are unable to realize business benefits. In some cases, there is a lack of business involvement in IT projects, while in others, there is simply a breakdown in communication between what the business has asked for and what IT has delivered. Implementing processes to help bridge these gaps allows IT to service the needs of business and deliver value. Challenges of managing IT risks Risk management practices are poorly understood at the best of times so it is no surprise that IT risk management fares no better. Unfortunately, IT risks are pervasive across enterprises, so the impact of poor IT risk management can be disastrous. Compliance with financial reporting standards Global financial reporting standards, such as the US Sarbanes-Oxley Act, have been in place since 2004; however, they continue to be an area of focus for IT departments. While improvements have been made to the standards that help focus efforts on areas of higher risk, enterprises continue to experience challenges in complying in a cost-effective manner. Source: Top Business/Technology Issues Survey Results,ISACA 2008 Compliance - A Window of Opportunity

10. Source: Top Business/Technology Issues Survey Results,ISACA 2008 Compliance - A Window of Opportunity

11. ChallengeS Times Like This Were Expected But Then … The Same Questions, The Same Different People, The Same Time Of The Year, The Same Forms, The Same Reports (Albeit Newer Dates), The Same NC’s … Welcome To The Annual C - Events Compliance - A Window of Opportunity

12. Thought for Compliance is Driven by Regulatory / Legal Obligations Budgets Usually Shrink In Proportion to Increasing Costs ! Dynamically Changing Regulatory Requirements Projectized Approach : Compliance is a Project e.g. SOX or SAS70 r BCP project etc. Non-Unified Efforts Lead To Increased Complexity of Compliance Management Internal Pushback Due to Repetitive Activities, Reporting, Resource Intensive Efforts ChallengeS Times Like This Were Expected – But I Never Thought They’d Be Perpetually Tough Compliance - A Window of Opportunity

13. The Fallout Much of the increase in cost is due to duplication of regulation and ambiguous or inconsistent rules -Securities Industry Association, 2006 Compliance - A Window of Opportunity

14. Unifying Compliance Crosslinked Compliance Requirements Opportunity! Opportunity! Compliance - A Window of Opportunity

15. Compliance – The Business Opportunity Use the opportunity to build Compliance efforts into the business processes, using automation with best practice frameworks enabled Opportunity Lights are on ! Compliance - A Window of Opportunity

16. The Business Benefits • Business results among firms with the most mature practices • 17 percent higher revenues • 14 percent higher profits • 18 percent higher customer satisfaction rates • 17 percent higher customer retention levels • 96 percent lower financial losses from the loss or theft of data • 50 times less likely to lose or have customer data stolen • 50 percent less spent on regulatory compliance annually Source: IT Policy Compliance Group Report 2008 Compliance is Technology Enabled Maturity of IT Governance Compliance - A Window of Opportunity

17. The Business Benefits • Increase Shareholder and Market Confidence • Stakeholder’s Awareness of Responsibility • Continuous Risk Management enables ERM • Compliance is Timely as Mandated • Automated and Unified Compliance Lowers Costs • Best Practices embedded in the Organization DNA • Process Efficiencies due to Best Practices • Achieve Governance Goals & Industry Certifications • Non Compliance Financial Risks eliminated • Learning Reduces Compliance cycles • Correlation of Obligations Across Business Units Compliance is Technology Enabled Maturity of IT Governance Compliance - A Window of Opportunity

18. OpportunitY • -Engineer a culture of risk and responsibility in the organization • Ensure high level of awareness amongst stakeholders and demonstrate that it is not difficult if we build the culture of collective responsibility • Tobuild enterprise level system(s) that address multiple compliance requirements across multiple regulatory authorities • Create a lean compliance program that “delivers” to ‘legal’ mandates (good-enough compliance) without reducing business effort and leverages silver linings which can bring extra business value • -Plan the integration process step-by-step • -Introduce and build on best practice frameworks like CobiT® • Even if you have a low level of automation in some areas you can enable hybrid reporting and build onwards • -Managed risk means managed compliance mandates and here we are getting Enterprise level inputs so we can manage the risk across the organization • Efficient Management means better business OpportunitY Compliance - A Window of Opportunity

19. Business Results Compliance - A Window of Opportunity

20. At first look, As we step into addressing security-oriented compliance mandates we find they need high resource and cost commitments and seem to be a burden on the organization and stakeholders. However, a strong compliance management system will ultimately pay for itself by averting costs associated with security breaches and savings associated with increased efficiency and productivity. Compliance - A Window of Opportunity

21. GRC Business Efficiency Indicators Compliance - A Window of Opportunity

22. TechnologY INTEGRATE YOUR COMPLIANCE EFFORTS …. A TECHNOLOGY ENABLED UNIFIED COMPLIANCE MANAGEMENT PROGRAM • Central Compliance Repository / Database – holds documentation, information, policies, workflow across identified requirements • Change Management – on all repository and process artifacts in respect of their versions, access and controls for distribution, retention, or archiving • Workflow Management allowing assignment of responsibilities • Updating and Optimization – compliance business process management allows grouping of common controls for unified collection • Communication Management - policies and controls are communicated and published across the enterprise to stakeholders • Reporting - Interfaces and Templates are designed for ease-of-use for reporting requirements in risk management / prioritization, metrics and audit • Customization - Interfaces and workflow assignments can be built for each mandate • Manage and Track Progress - of compliance efforts with metrics and automated alerts • Audit Trails TechnologY Compliance - A Window of Opportunity

23. Solution : Integrate Compliance Mandates Many names… one system : Unified Compliance; Integrated Management System; Integrated Compliance….. • Risk based automation aligned with compliance mandates defined by • Policies • Business • Legal Regulations • Industry • Contractual TechnologY “Companies that select individual solutions for each regulatory challenge they face will spend 10 times more on the IT portion of compliance projects than companies that take on a proactive and more integrated approach.” - Gartner • Reporting responsibilities are directly assigned to concerned stakeholders through workflow management Compliance - A Window of Opportunity

24. X-referenced Safeguards Compliance - A Window of Opportunity

25. Common Regulatory Reqmts /Standards / Frameworks / Guidelines A brief listing (30 out of a list of 340) of Regulatory / Standards from the world of Compliance Mandates Compliance - A Window of Opportunity

26. Presented by DineshBareja CISA, CISM, ITIL, IPR, ERM, BS: 7799 (Imp & LA) Senior Vice President Secure Matrix India Pvt Ltd Email: dinesh@securematrix.in Mob: +91.93710-64741 Tel: +91.22.3253-7579 Web: www.securematrix.in = Compliance - A Window of Opportunity

27. Contact Information Compliance - A Window of Opportunity

28. References • http://www.securematrix.in (Integrated Management System and various references) • http://isaca.org (“Top Business-Tech Survey Aug 08” and various references) • http://www.itpolicycompliance.com/pdfs/ITPCGAnnualReport2008.pdf • http://www.unifiedcompliance.com Compliance - A Window of Opportunity

29. Thank You Compliance - A Window of Opportunity

30. Compliance - A Window of Opportunity