Add to this new responsibility the daunting complexity and cost of compliance. Point solutions for governance have sprung up throughout the corporation as each functional area – finance, human resources (HR), sales and marketing, service, and procurement – has implemented its own version to address compliance. In other cases, point solutions have been organised around specific regulations, such as Sarbanes-Oxley, or around regulatory bodies, such as the Food and Drug Administration (FDA). Policies, procedures and expenses overlap. The costs of compliance are skyrocketing, even as your budget remains flat or, more likely, is being cut.
Because each of these point solutions operates independently, with its own people and processes, getting information into and out of them is time-consuming and very inefficient. In fact, it takes days or weeks just to collect the data, and more time on top of that to generate reports. You attempt to construct an overview from the piecemeal information coming in from all the sources in order to determine whether the organisation is in compliance. Once that view is established, if changes need to be made, it takes just as long to feed the changes back down the chain. Of course, other incidents and exposures may already have occurred during this process, so the organisation falls farther and farther behind the governance curve.
Your job would be considerably easier if you could gather data from hundreds of different sources and get one real-time, integrated view of governance.
Take, for example, the difficulty of addressing PCI compliance. PCI dictates requirements for access control, network security, data protection, monitoring and policy development, so it affects a wide range of policies and activities within your organisation. As CIO or CISO, you are responsible for evaluating the standard and updating your policies to address its requirements. Then you are charged with implementing the new policies and procedures, communicating them, educating and testing hundreds or thousands of employees on their understanding of the policy, and reporting on enforcement. Finally, the IT systems must be monitored and audited for compliance. If the PCI standard changes, the changes have to be fed back into the process and the cycle starts all over again. Compound that process with a similar response to any of the hundreds of other regulations you are subject to, and you can easily see the need for an enterprise-wide solution to manage the situation.
The solution integrates and controls all aspects of governance. Its cornerstone is the unique Policy Centre, which allows officers to create and store the policies that fulfil regulations. All the procedures and tasks needed to fulfil those policies, across all corporate organisations, people, processes and systems, are housed in one place. The centre determines who has access to the information, and records who has reviewed and approved the policies.
Other parts of the Point Solution inform the appropriate employees, collect real-time data from all compliance activities, organise both automated and manual tasks, link practices back to their specific policies and regulations, ensure that policies meet regulatory requirements, monitor enforcement of all policies, highlight gaps in compliance, and signal management when any lapse occurs so that it can be addressed immediately.
The solution integrates all the compliance data from end to end in one seamless software platform. It incorporates state-of-the-art development techniques, such as Service Oriented Architecture (SOA) and J2EE, and uses industry-standard relational databases. Investments in current point solutions are also protected: if a firm has existing compliance software, it can be integrated into the solution immediately. The solution is designed to accommodate implementations in specific functional areas and for specific regulations, and then to grow over time to encompass all functional areas as new regulations and policies are phased in.
These are the questions you need to ask yourself about your current governance solutions: