Perform a search on compliance and you will find that there are many definitions. People have a slightly different view of what compliance means and what is included or not. In general, compliance means conforming, satisfying or adhering to a rule. This rule can be a specification, a policy, a standard, a law, a procedure or a requirement.
The latest Verizon PCI Compliance Report (2015) states that: “Many companies still treat compliance as a one-off tick-box exercise or fire drill that the security team owns and the rest of the organisation begrudges.”
In this report Verizon concludes that compliance must be made sustainable. Although this report focuses on PCI compliance, the conclusions are applicable to any compliance framework. You can replace PCI with any framework (e.g. ITIL, CobIT, ISO 27001) or your organisation’s own business requirements as the compliance framework and you will find that the findings are the same.
Compliance should not be seen in isolation; it is closely linked to Governance and Risk Management. Activities within these three areas are intrinsically linked: they overlap in some places and feed into each other. None of them is a one-time task either; they form a continuous and iterative process and should not be performed in isolation.
To be able to achieve its goals and objectives, a business must take control of and manage its organisation. The three pillars that provide a framework for taking control and assuring that business objectives are achieved and requirements are satisfied are Governance, Risk Management and Compliance.
Governance is the overall management approach of an organisation, through which the senior management can direct and control the business. This includes a strategy, goals and objectives, management direction, policies, standards, processes and procedures, an organisation’s structure (i.e. who is accountable or responsible and what authority do they have?) and reporting structure.
Risk Management provides the business with the ability to identify risks to the business, analyse them in light of the business context, assess them against the business’s appetite for risk, and take sufficient action to reduce or mitigate unacceptable risks as well as taking opportunities (where the risk is acceptable). Decisions on how business risks are managed feed into the business requirements of an organisation.
Compliance is the process that enables senior management to gain assurance that the business as usual (BAU) processes are run in conformance with the identified and approved business requirements, and that those processes are effective, efficient and appropriately robust to achieve the business goals and objectives.
These three pillars complement each other and together provide senior management with the confidence that their organisation:
- can achieve their objectives;
- is compliant with legal, regulatory and contractual obligations;
- manages risks and takes opportunities appropriately;
- has correct and timely management information for strategic decision making.
GRC process applied to information and information security
So how does this relate to information? Well, business processes generally depend on information; without information or data, processes will halt. This information or data could be client information, sensitive business information, intellectual property, design and configuration data, or any other information and data that you don’t want to expose or lose. Remember the business requirements identified earlier? Some of these will be requirements to appropriately protect your (sensitive) business information, sharing what needs to be shared and taking all opportunities when they appear.
Applied to information security this iterative GRC process can be depicted as follows:
GRC and business requirements
So where does it all start? And how can an organisation best achieve its objectives? The answer seems simple: implement a governance structure based on all your business requirements. But this answer needs some explanation.
There are many different types of requirements: legal, regulatory, contractual, technical and non-technical. Which requirements are applicable or appropriate to you depends on your business. Here are some examples of considerations when identifying your business requirements:
- What is your business strategy and what are the goals and objectives it supports?
- Identify if there are any legal or regulatory obligations that the business processes must meet.
- Assess your clients and identify their requirements. Are there any contractual obligations?
- Perform a business risk assessment. How can you reduce or mitigate the risks while still being able to take opportunities?
- Decide if certifying your business processes to any framework would bring any additional value and leverage your investments in satisfying the identified requirements.
All these considerations fall in the governance and risk areas of the GRC cycle. Every business wants to measure progress and achievements, so the next step will be to decide on a framework to measure, review and improve. In other words, you create a compliance framework based on the identified business requirements.
Once you have performed the above activities, the result will be a list of business requirements that you must conform to while running your business. The most cost-effective way to adequately satisfy business requirements is to make them part of your BAU processes, part of your strategy and objectives and ultimately part of your company culture.
So Governance, Risk and Compliance are closely linked, and your business requirements are the linking pin. Because businesses are not static and the environment in which a business operates changes all the time, GRC activities are not a one-off task. They are an iterative process that incorporates new technologies, new threats, new opportunities, organisational changes, changes in client base, and changes to laws and regulatory requirements.
Running a business around established GRC processes provides assurance to senior management and shareholders that:
- You can achieve your objectives;
- The BAU processes are compliant with legal, regulatory and contractual obligations;
- You manage risks and take opportunities appropriately; and
- You have correct and timely management information for strategic decision making.
These GRC processes will also provide assurance to your clients and ultimately can increase your client base. Your business will be regarded as a trusted provider of services that continually proves it is run professionally, in a controlled and well-managed fashion, and in compliance with all applicable legal and regulatory requirements.
From an information security perspective, you will provide assurance to your clients that you can be trusted to safeguard their information, while ensuring that the information will be correct and available when needed.