From multi-national corporate enterprises to closely-held family businesses, from aerospace to utilities, all companies in all industries today face one or more regulatory challenges. According to SecurityCompliance.com, 73% of businesses are subject to two or more conflicting regulations. For example, a retail financial institution has to contend with provisions of Gramm-Leach-Bliley, the U.S. Patriot Act, the Identity Theft Act, the Payment Card Industry standard, 34 different state privacy statutes, the Federal Rules of Civil Procedure and Basel II, to name just a few. There are state banking regulators and federal financial institution agencies with their individual rules. Public companies have Sarbanes-Oxley in addition to federal and state SEC regulations. It’s easy to get lost.
On top of the regulations, a plethora of competing standards has grown up around compliance. The standards are multi-dimensional – which means that layers upon layers of business processes are described in excruciating detail – defying the business concept of “keeping it simple.” ITGS identified 232 separate categories of processes. Overlaid on the regulations and standards are maturity models that purport to enable businesses to conform to a compliance initiative that matches their stage of development. The maturity models encourage businesses to move along a continuum to greater formality of business operations as they grow from entrepreneurial venture to seasoned enterprise.
The cost of complying with regulatory mandates is estimated at $80 billion from 2002 to 2007. IDC estimates that IT departments spend 296 man-days per year on non-IT-related compliance activities and 924 man-days per year on IT-related ones. Symantec estimates three-year IT compliance costs at $7.3 million for outsourced services, $1.8 million for in-house manual processes and $854 thousand for automated solutions.
With regulatory compliance costs soaring, and in order to maintain sustainable and integrated corporate governance, leading businesses adopt rigorous IT Governance initiatives. The first step is to perform an IT Governance Review.
The ITGS IT Governance Review consists of an identification of a business’ unique requirements and a comparison of its current policies, procedures and processes to standards for compliance. The selection of standards is based upon the company’s industry and external requirements. The comparison results in recommendations to more closely align IT processes with the controls employed by leading, well-governed businesses of similar size, stage of development and industry.
The engagement begins with a review of the regulatory mandates for a specific company and industry. We review the myriad of regulations and draw up a compliance grid for the consultation, noting where conflicts exist. After the particular regulations are identified, we review the business’ existing IT policy and operations manuals. ITGS becomes familiar with the management style, corporate culture and appetite for risk, as well as the tone from the top as expressed in written policies and directives. After reviewing the written materials, ITGS interviews key personnel to fill in gaps in the written documents with informal practices.
Next, ITGS maps the processes and controls to the standards and performs a gap analysis of existing policies against the requirements that apply specifically to the company. The mapping provides guidance on processes for which the company may be missing formal documentation. At this point, ITGS generates a list of provisions that will need to be documented.
The next phase is to identify the missing policies along with the standards required to adopt them. It encompasses the policies and procedures that surround technology to assure adherence to business processes going forward. This produces a list of equipment and software that may be needed to execute the standards.
Finally, a roadmap is developed for the company to become compliant. Time frames are outlined and take into account the company’s IT environment and technical readiness.
At the conclusion of the consultation the roadmap serves as a tangible guide to bringing the company’s environment and processes into alignment with external requirements. Businesses of all sizes, industries and stages of organizational development find standards essential to sustainable compliance and continuous improvement. In recent years businesses have found best practices instrumental in achieving efficiencies, operational savings and revenue generation.
The consultation runs 10 days over a period of several weeks. An on-site visit is made to corporate headquarters to review documents and interview key personnel. The purpose of the on-site visit is to discover and clarify information pertinent to the consultation and to observe informal practices. Then, ITGS maps the existing policies to the mandates and standards specific to the company and industry. ITGS has identified over 120 separate, identifiable policies covering a variety of laws, statutes, rules, regulations and standards. The mapping provides a comprehensive view of the landscape within which the IT environment operates.
- Identify regulations specific to the business and industry.
- Review existing policies and procedures.
- Interview key managers about informal practices.
- Map business processes to standards and requirements.
- Generate gap analysis of processes and controls.
- Recommend remedies and continuous improvements.
- Prioritize accomplishment of IT Governance objectives.
- Produce a roadmap to compliance.