IT Compliance After Hours Seminar September 2007 Zurich. Improving IT Risk & Compliance Management (RCM)

Transcription

1 IT Compliance AHS After Hours Seminar Zurich Improving IT Risk & Compliance Management (RCM) Bruno J. Wiederkehr Member of the Board ISACA Switzerland Chapter Agenda 1. Understanding the RCM Requirements Definitions & Semantics 2. Validation of the RCM Process Strategy, Organisation & Processes 3. Using Risk & Compliance Practices Good vs Best Practices & Conclusion Seite 2 Bruno Wiederkehr 1

2 IT Compliance Elements of RCM Areas of improvement Influences Key factors Levels: IT Risk & Compliance Strategic Management Operational Organisation Processes Culture, Vision & Mission Strategic Program & Plans IT Risk & Compliance Define, Assess & Maintain Information Communication ICS Monitoring & Measurement Seite 3 Current Trends in IT Factors of Influence Ongoing pressure from business on IT cost and IT s business alignment Scepticism from the Board about their IT risk exposure and IT compliance management At present, discussion on risk and compliance management focuses on regulatory issues Regulatory pressure for greater transparency for shareholders Technology as an important component to enable responses to authority pressure Increase in the use of metrics for justifying IT performance There is an increased focus on the adequacy of ERM & ICS Seite 4 Bruno Wiederkehr 2

3 IT Compliance Laws & Regulations Factors of Influence Law & Regulations: Regulatory requirements: e.g. SOX, Basel II Money laundry Act Insider trades Breach/Violation of Confidentiality Guidelines & Standards: Tax Declarations and Regulations Accounting Standards e.g. IFRS Information Security, Protection & Privacy e.g. FISMA Code of Conduct, Code of Compliance, Code of Integrity Seite 5 Privacy Compliance Validation of Information Content of the OECD guidelines Limited collection of data Data quality requirements Purpose specification Use limitation Security safeguard Openness Individual participation Accountability Personal Identified Information (PII) Challenges faced by organisations Defining PII within each organisation Knowing where PII comes from Knowing PII s applicable requirements Knowing where PII is stored Knowing where PII can be accessed Tracking PII data flows Keeping up with all the laws and regulations Currently there is no listing of what constitutes PII! Seite 6 Bruno Wiederkehr 3

4 IT Compliance Definitions Definitions & Semantics IT Governance: IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure that the organization s IT sustains and extends the organization s strategy and objectives. [ITGI 2004] IT Risk Management: IT Risk management is the process of planning, organizing, leading, and controlling the activities of an IT organization in order to minimize the effects of risk on an organization's capital and earnings. IT Compliance Management: The state of being in accordance with the relevant legal and regulatory requirements and the IT rules, principles and guidelines derived from those. Seite 7 IT Compliance Semantics Definitions & Semantics Totality of all controls and measures in order to comply with: Externally applicable domestic and international laws, regulations and rules Internal guidelines and codes (of ethics, conduct etc.) An answer to the expectations of SOX and PCAOB 1) Company Level Controls Application Controls IT General Controls Program development Program changes Computer operations Access to programs and data 1) Public Company Accounting Oversight Board Seite 8 Bruno Wiederkehr 4

5 IT Compliance Enterprise Model Validation of RCM Technological Progress Capital markets Political environment Laws & Regulations Strategic Management Product Risk Mgmt IT Corporate Security / Audit Distribution MIS Strategy Organisation / Governance Core functions Support processes Controlling Investments HR Asset Management Business Objectives / Projects Operations Compliance Legal Knowledge Management Environmental requirements Market / Competition Image / Reputation Fraud / Offences Seite 9 RCM Requirements Validation of RCM What should an RCM System contain? Understandable RCM Vision, Mission and Strategy Continuous RCM Processes Documented Org. Structure, Rules and Activities Adequate Information- and Reporting-System Transparent RCM-Assessment & Plans of Measures Robust Monitoring, Measurement & Control Customised Awareness programs at all Levels Seite 10 Bruno Wiederkehr 5

6 IT Compliance ECM Requirements Organisation & Processes Example: Enterprise Compliance Management Assignment of Accountability on Sr. Executive Level The Chief Compliance Officer (CCO) is fully responsible regardless of the hierarchical position Task sharing: Business, Controlling and IT Staffing of compliance unit: at least 2 FTE at corporate level and (if applicable) 1 FTE per BU-Unit Documentation: Compliance-Manual & Code of Compliance Content: - Legal & Regulation - Policy and strategy - Organisation chart - Risk type table - Data classifications - Activities / capabilities Content: - Philosophy - Conduct & Principles - Leadership - Integrity - Excellence - Efficiency - Sustainability Seite 11 Organisational Structure Organisation & Processes e.g.: Corporate Governance, Risk & Compliance Board Group Audit Audit Committee AC CEO CCO Compliance Legal CFO CIO Domestic / International CTO CRO Risk IT Governance Financial Risk Market Risk Operational Risk IT Risk & BCM IT Risk & Security Phys. Security Other Groups: Board & Executive Committees, Risk Mgmt Group, Compliance Group Seite 12 Bruno Wiederkehr 6

7 IT Compliance Compliance Officer s Profile Organisation & Processes Basic education: degree of a law school Deep understanding of legal structure of enterprise Thorough experiences in RM, Controlling, Audit Also knowledge about Corporate Culture, Code of Ethics, Code of Conduct or Code of Compliance or Integrity Main Tasks: Development of awareness programs Development of trainings programs Development of organisational measures to support lawful and sustainable (business) actions Monitoring and tracking of corrective actions stemming from internal / external compliance audit reports Promote / improve close collaboration with HR, RM, QM and SE (Security Management), EM (Environment Management) & Audit Seite 13 Risk & Control Assessment Correlation of COBIT Domains Quelle: COBIT Focus, 4. Seite 14 Bruno Wiederkehr 7

8 IT Compliance Organisation & Processes Improving the Compliance Process Input External requirements ME3 Ensure regulatory compliance Output PO1, PO4, PO9 ME1, ME4 Internal Documents: - Legal catalogue - Policy and strategy - Regulation inventory - Organisation (RACI) - Risk type table - Data classifications - Activities & capabilities - Reports and metrics No Define & maintain compliance plan Maintain & communicate procedures Monitor & evaluate risks and controls Correct? PO1 Strategic alignment PO4 Human resources PO9 Manage risks ME1 Monitor and evaluate Performance ME4 IT Governance and Independent assurance based on COBIT 4.0 Stop Seite 15 Risk & Compliance Practices Fusion of Risk and Compliance Source: NetIQ s methodology of compliance and risk management Seite 16 Bruno Wiederkehr 8

9 IT Compliance Extensive metrics and reporting Compliance Center providing risk-based metrics Information & Communication Seite 17 Questions learned Risk & Compliance Practices Have you ever: Analysed the compliance process? Asked and received correct risk and complete compliance information and descriptions? Compared the international and local law with the internal compliance instructions? Taken the chance to interview legal and compliance responsible? Compared the global compliance activities and the local awareness programs? Used assurance practices and tools for business and IT compliance? Seite 18 Bruno Wiederkehr 9

10 IT Compliance Conclusion Conclusion of good Practicies 1. Today, COBIT is regarded more and more as a generally accepted framework for IT Governance which includes RCM. 2. The essence of COBIT lies in the fact that IT processes must support IT and business goals. This implicates that COBIT is not a cookbook with very precise recipes. It s a pitfall to implement it out of the box. 3. The organisation-specific environment is starting point for implementing a good IT Governance. 4. Therefore it is important to take out those processes, components and elements from COBIT that could help achieving the organisation s own business and IT objectives such as RCM. 5. An other advantage of COBIT is its continuous development and refinement by gathering best practices such as COSO FW, Standards like ISO and ITIL as well as the regulation SOX, Basel II based on the experiences of different managers in the IT Governance field. 6. Finally, while building upon its previous editions, Cobit 4.1 went through a substantial review, making the framework more practical in its usage. Seite 19 For More Information: Conclusion of good Practicies IT Risk & Compliance Bruno J. Wiederkehr Member of the Board ISACA Switzerland Chapter bru.wiederkehr@bluewin.ch Organisation Processes Culture, Vision & Mission Strategic Program and Plans IT Risk & Compliance Define, Assess & Maintain Information Communication ICS Monitoring & Measurement Links to: IT Governance - COBIT 4.0 / IT Compliance - Privacy, Compliance and International Data Flow & The fusion of Compliance and Risk Management - Seite 20 Bruno Wiederkehr 10