As your company’s chief information officer (CIO) or chief information security officer (CISO), you are most concerned that governance requirements are not being well defined. There is ambiguity, there are redundancies, and there are areas that current procedures do not cover. When this happens, risks and exposures are more likely to occur, threatening the integrity of your company’s compliance efforts. Add to this the fact that you wish your information technology (IT) organisation could deliver information to executives faster, allowing them to better evaluate company performance.
Your task is not an easy one because you are straddling two worlds – the IT world and the business world. On one hand, you are responsible for the IT infrastructure in the organisation – the automated reporting, the IT staff’s manual activities, and educating end users on good security practices. On the other hand, you are increasingly expected to enforce a business application – governance – across the entire enterprise. Since governance activities are pervasive throughout the organisation, IT is now seen as the backbone or conduit for reporting on all of these departmental compliance activities. Your role is evolving into one that includes not only technology but also business aspects. As such, you have to understand the business framework and the business rules in your organisation, and you also have to figure out how to enforce governance at the IT infrastructure level. The IT function is expected to provide all business information regarding governance – not just the IT compliance information – for all operations and all departments.
Add to this new responsibility the daunting complexity and cost of compliance. Point solutions for governance have sprung up throughout the corporation, as each functional area – finance, human resources (HR), sales and marketing, service, and procurement – has implemented its own version to address compliance. In other cases, point solutions have been organised around specific regulations, such as Sarbanes-Oxley, or around regulatory bodies, such as the Food and Drug Administration (FDA). Policies, procedures and expenses overlap. The costs of compliance are skyrocketing – even as your budget remains flat, or more likely is being cut.
Because each of these point solutions operates independently, with its own people and processes, it is time-consuming and very inefficient to get information into and out of them. In fact, it takes days or weeks just to collect data, and more time on top of that to generate reports. You attempt to construct an overview from the piecemeal information coming in from all the sources in order to determine whether the organisation is in compliance. Once that view is established, and if changes need to be made, it takes as much time again to feed the changes back down the chain. Of course, other incidents and exposures may already have occurred during this process, creating a situation in which an organisation falls farther and farther behind the governance curve.
According to Information Week’s Global Security survey, July 2006, "Regulations are forcing companies to re-evaluate their security initiatives. In America, Sarbanes-Oxley, 41 per cent, the United States Homeland Security Act, 25 per cent, and the United States Patriot Act, 23 per cent, have forced companies to change their security practices." Later in the article, it states that the real problem in the case of the stolen Veterans Administration laptop, which contained the names and social security numbers of millions of current and former military personnel, was that there was no policy in place to protect the personal information, not that a policy had been violated. "That’s the real negligence – that there were no policies," said representative Bob Filner, California.
Your job would be considerably easier if you could gather data from hundreds of different sources and get one real-time, integrated view of governance.
Take, for example, the difficulty of addressing PCI compliance. PCI dictates requirements for access control, network security, data protection, monitoring and policy development, so it affects a wide range of policies and activities within your organisation. As CIO or CISO, you will be responsible for evaluating the standard and updating your policies to address its requirements. Then you are charged with implementing the new policies and procedures, communicating them, educating and testing hundreds or thousands of employees on their understanding of the policy, and reporting on enforcement. Finally, the IT systems must be monitored and audited for compliance. If the PCI Standard changes, the changes have to be fed back into the process and the cycle starts all over again. Compound that with a similar response to each of the other hundreds of regulations you are subject to, and you can easily see the need for an enterprise-wide solution to manage the situation.
The solution integrates and controls all aspects of governance. Its cornerstone is the unique Policy Centre, which allows officers to create and store policies that fulfil regulations. All procedures and tasks needed to fulfil those policies, across all corporate organisations, people, processes and systems, are housed in one place. The centre determines who has access to the information and who has reviewed and approved the policies.
Other parts of the Point Solution inform appropriate employees, collect real-time data from all compliance activities, organise both automated and manual tasks, link practices back to their specific policies and regulations, ensure that policies meet regulatory requirements, monitor the enforcement of all policies, highlight gaps in compliance, and signal management when any lapses occur so that they can be addressed immediately.
The solution integrates all compliance data end-to-end in one seamless software platform. It incorporates state-of-the-art development techniques such as Service Oriented Architecture (SOA) and J2EE, and it uses industry-standard relational databases. Investments in current point solutions are also protected: if a firm has existing compliance software, it can be integrated into the solution immediately. The solution is designed to accommodate implementations in specific functional areas, alongside specific regulations, and then to grow over time to encompass all functional areas as new regulations and policies are phased in.
These are the questions you need to ask yourself about your current governance solutions: