: A Tool for Managing Compliance and Risk in Government Services November 19, 2008 Slide 1
Agenda. Problem space: describe the compliance and risk management problem; why is this relevant for the BC Government?; what makes it difficult to solve? Solution space: overview of the GRC software market; describe our work: the Control Framework Development tool; thoughts on future direction. Purpose: connect and exchange ideas with others facing the same problems. Slide 2
About me. Manager, Control Practices Unit: compliance and risk practice development; developing and demonstrating compliance and control in IT shared services. Manager, BCeID: BCeID Corporate Authentication Project; policy and legislation compliance for authentication in e-services. Manager, Mainframe Services: manage outsourced data centre services; compliance management in external providers. Slide 3
Definitions: Control and Framework. Framework: organizes IT governance objectives and practices and links them to business requirements and controls. Compliance Requirement: legislation, policy, or industry standard from an external source. Program Standard: a program policy, standard or guideline, developed internally. Controls: a means by which an organization's resources are directed, monitored, and measured; a means to protect the organization's physical and intangible resources by preventing and detecting fraud. Slide 4
Why manage policy and compliance? "Up to 174 vehicles were repaired without proper documentation or disclosure." "If some fly-by-night mechanic did that he'd be running a chop shop and ICBC would land on him with all its might." "While the sale of vehicles to employees is standard practice at some companies, ICBC has no policies in place to govern this process. It also admitted the facility and staff time were used for non-business purposes such as repairing employee vehicles." Slide 5
Why manage risk & compliance? Head of BC Lottery Corporation fired: "Despite reassuring the public five months ago that everything was fine, the Lottery Corporation knew there were problems and did little to correct them." (Times-Colonist) UK politicians want to criminalize data leaks: "There is evidence of a widespread problem with government relating to establishing systems for data protection and operating them adequately ... [the Cabinet Office report] proposed that government officials could face jail if they were found to be grossly negligent in any failure to protect citizens' data." (InterGovWorld) Tainted blood scandal at Red Cross: "Allegations of criminal conduct utterly disproved. The conduct examined in detail over one and a half years confirms reasonable, responsible and professional actions during a difficult time," said the judge. (Times Colonist) Slide 6
Compliance Management Problem Space. Threats: increasing public accountability expectations; evolving legislation for confidentiality, discovery, identity; technology change: mobile computing, payment agents; evolving standards: PCI, ISO, COBIT. Vulnerabilities: accountability obscured by shared services; accountability obscured by e-commerce and data sharing; unstructured risk and control information; dynamic organizations, PPPs, outsourcing, cross-jurisdiction partnerships. Slide 7
[Diagram: BCeID Control Environment. Actors and responsibilities recoverable from the slide:] Identity Management Policy Owner, Government Chief Information Officer (GCIO): owner of the Information Security Policy; identity management standards and long-range planning; IM/IT standards; legislation and policy to adhere to privacy legislation. Program Owner, ADM, Workplace Technology Services (WTS): linkage to WTS objectives; responsible for compliance to WTS policies and standards. Program Manager, Director, BCeID Program: owner of BCeID policies; authoritative source management. Program Clients, online service owners: responsible for the security and integrity of the online services. Program Customers, account-holding businesses and individuals: enter into agreements with BCeID. Auditors (risk and compliance): measure compliance; governance issues. Service Delivery Partners: WTS internal (delivery units reporting to the service owner; hosting compliance with infrastructure); government internal (delivery units reporting to other parts of government); external suppliers (private sector organizations); registration authorities (establish and vouch for the identity of an entity; perform registration; define the identity; provide policy content). Program staff (employees, contractors): execute operating procedures; maintain and deploy program standards. Legislation and policy in scope: Core Policy Manual, Document Disposal Act, Income Tax Act, Partnership Act, FOIPPA, Electronic Transaction Act, Business Number Act (Bill 16, 2005), Business Corporation Act. Compliance requirements shown: retention and disposition; electronic records; assurance levels; privacy requirements; collect, validate and store business numbers (BC Corporate Registry); authoritative source responsibilities. Relationships shown: the GCIO owns the Information Security Policy; the Program Owner directs the Program Manager, who owns the BCeID operating policies and operational procedures executed by program staff; requirements are implemented by service delivery partners through compliance by policy or by agreement/contract; auditors measure and report compliance. Slide 8
GRC Software Functions*. Policy and procedure management: facilitate policy/procedure life cycle; publish policies/procedures across roles; map policies/procedures to risks, controls, and compliance requirements. Risk and control management: risk and controls assessment automation; manage & model risk data; business rules enforcement; audit management. Loss and investigation management: support corporate investigations into loss; track loss metrics & facilitate remediation; support anonymous whistleblower apps. GRC analytics: measure control preparedness/effectiveness; report GRC data across the organization. COBIT references listed against these functions on the slide: PO6; PO6.4; PO6, AI2.3, AI2.4; PO9, DS5.5; ME4.5; ME2.4, ME2.5, ME2.6; DS8, DS10; ME2.5, ME3, ME4.5. * Forrester Research Inc, Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007, 2008. Slide 9
Current Province GRC Tools. Same function map as the previous slide, with existing tools noted against it: Healthcheck (policy and procedure management: facilitate policy/procedure life cycle; publish policies/procedures across roles; map policies/procedures to risks, controls, and compliance requirements); Citicus (risk and control management: risk and controls assessment automation; manage & model risk data; business rules enforcement); ACL (audit management). Loss and investigation management (support corporate investigations into loss; track loss metrics & facilitate remediation; support anonymous whistleblower apps) and GRC analytics (measure control preparedness/effectiveness; report GRC data across the organization) are listed without a tool. COBIT references as on the slide: PO6; PO6.4; PO6, AI2.3, AI2.4; PO9, DS5.5; ME4.5; ME2.4, ME2.5, ME2.6; DS8, DS10; ME2.5, ME3, ME4.5. Slide 10
Project Focus: Policy/Procedure Management. Policy and procedure management: map policies/procedures to controls and compliance requirements (AI2.3, AI2.4); publish policies/procedures across roles (PO6.4); facilitate policy/procedure life cycle. Out of focus: risk and control management (risk and controls assessment automation; manage & model risk data; business rules enforcement; audit management); loss and investigation management (support corporate investigations into loss; track loss metrics & facilitate remediation; support anonymous whistleblower apps); GRC analytics (report compliance gap). COBIT references as on the slide: PO9, DS5.5; ME4.5; ME2.4, ME2.5, ME2.6; DS8, DS10; ME2.4, ME3. * Forrester Research Inc, Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007, 2008. Slide 11
GRC Suppliers. Governance, Risk & Compliance package vendors* build on three layers: content libraries (controls, risks, compliance); a workflow management engine; a relational database. * Forrester Research Inc, Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q4 2007, 2008. Slide 12
GRC Software Benefit: Big Business & Government. Big business: IT systems profile: fewer, larger, complementary applications; jurisdictions: multiple, wide geographic spread; compliance accountability: enterprise level. Public sector: IT systems profile: many, smaller, silo applications; jurisdictions: one primary, potential cross-jurisdiction; compliance accountability: program level. GRC packages have potential benefit for government, but likely higher (relative) implementation costs. Readiness: are policy, standards & controls ready? Is accountability clear? Slide 13
Compliance & Control Environment. Strategic policy: Core Policy Manual; authorities: legislation, high-level policy directives, laws. Tactical policy: e.g. Information Security Policy, Risk Management; ministry policy & IM/IT standards. Project scope: program standards & guidelines (program and service standards: policy interpretations, program standards & guidelines; program standards + linkages); operating procedures; role descriptions; controls & performance management; user agreements; supplier agreements. Slide 14
Control Framework Data Model. [Diagram: Compliance Requirements (Core Policy, Info Security Policy, Electronic Trans Act, FOIPPA, Proc Act); Business Objectives (Target Client, Service Definition, Service Levels, Cost Constraints); Risks; Program Standards; Activities; Control Objectives; Roles.] Business objectives define the program deliverables. Compliance requirements and business objectives are interpreted to create the local program standards and program activities. Risks are used to define control objectives and specify control activities. Accountabilities are assigned. Slide 15
Software Functions Slide 16
Global library & admin functions; program design functions; content & compliance reports. Slide 17
Build a global library of compliance requirements. Example: Core Policy & Procedures. Slide 18
Build a global library of compliance requirements. Example: Payment Card Industry Slide 19
Select the compliance requirements that apply to the program. Slide 20
Create program standards (program policy) and link them to compliance requirements, roles, and processes. Slide 21
Detail accessible via double-click. Slide 22
Document responsibility for program standards, processes. Slide 23
Compliance status = Program Standard status (approved, implemented, discontinued) + Relationship status (conforms, non-conform, exempt). Slide 24
Report on Program Standards and related Compliance Requirements Slide 25
Detailed report on Program Standards and related Compliance Requirements Slide 26
Summary report of Compliance Requirements showing the related Program Standards Slide 27
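The data model of slide 15 and the status rule of slide 24 can be made concrete in a few dozen lines. The following is an added illustration, not the presenter's Control Framework Development tool: an in-memory model with a global requirements library, program standards linked to requirements with a relationship status, the combined compliance status, and the two report shapes of slides 25 to 27. All requirement and standard references, owner roles and the `demonstrates_compliance` reading of the status rule are constructed assumptions for the example.

```python
"""Added illustration of the control-framework data model (slide 15) and the
compliance-status rule (slide 24): an in-memory model, not the presenter's tool.
All requirement and standard references below are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Status vocabularies exactly as listed on slide 24.
STANDARD_STATUSES = {"approved", "implemented", "discontinued"}
RELATIONSHIP_STATUSES = {"conforms", "non-conform", "exempt"}


@dataclass(frozen=True)
class ComplianceRequirement:
    """Global-library entry: legislation, policy or industry standard from an external source (slide 4)."""
    ref: str     # constructed identifier, e.g. "REQ-PCI-1"
    source: str  # the external framework it was loaded from (slides 18-19)
    text: str


@dataclass
class ProgramStandard:
    """Internally developed program policy, standard or guideline (slide 4)."""
    ref: str
    title: str
    status: str       # one of STANDARD_STATUSES
    owner_role: str   # documented responsibility (slide 23)
    # requirement ref -> relationship status; the "link to compliance" of slide 21
    links: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.status not in STANDARD_STATUSES:
            raise ValueError(f"unknown program standard status: {self.status!r}")

    def link(self, requirement: ComplianceRequirement, relationship: str) -> None:
        if relationship not in RELATIONSHIP_STATUSES:
            raise ValueError(f"unknown relationship status: {relationship!r}")
        self.links[requirement.ref] = relationship


def compliance_status(standard: ProgramStandard, requirement_ref: str) -> str:
    """Slide 24: compliance status = program standard status + relationship status.
    Rendered here as 'standard-status/relationship-status'."""
    return f"{standard.status}/{standard.links[requirement_ref]}"


def demonstrates_compliance(standard: ProgramStandard, requirement_ref: str) -> bool:
    """Assumed reading of slide 24 (not stated on it): a requirement is only
    demonstrably covered when the standard is implemented and the relationship
    is 'conforms' or 'exempt'. An approved-but-unimplemented standard, or a
    'non-conform' link, does not count."""
    return (standard.status == "implemented"
            and standard.links.get(requirement_ref) in {"conforms", "exempt"})


def standards_report(standards: List[ProgramStandard]) -> Dict[str, Dict[str, str]]:
    """Slides 25-26: each program standard with its related requirements and status."""
    return {s.ref: {req: compliance_status(s, req) for req in sorted(s.links)} for s in standards}


def requirements_summary(library: List[ComplianceRequirement],
                         standards: List[ProgramStandard]) -> Dict[str, dict]:
    """Slide 27 (plus the 'report compliance gap' function of slide 11): each
    requirement with the program standards linked to it; 'gap' is True when no
    linked standard demonstrates compliance."""
    summary = {}
    for req in library:
        linked = {s.ref: compliance_status(s, req.ref) for s in standards if req.ref in s.links}
        gap = not any(demonstrates_compliance(s, req.ref) for s in standards)
        summary[req.ref] = {"source": req.source, "standards": linked, "gap": gap}
    return summary


def build_sample_framework() -> Tuple[List[ComplianceRequirement], List[ProgramStandard]]:
    """Constructed sample data mirroring the deck's examples (PCI, Core Policy, FOIPPA)."""
    pci = ComplianceRequirement("REQ-PCI-1", "Payment Card Industry", "Protect stored cardholder data")
    cpm = ComplianceRequirement("REQ-CPM-1", "Core Policy & Procedures", "Records retention and disposal")
    foippa = ComplianceRequirement("REQ-FOIPPA-1", "FOIPPA", "Safeguard personal information")

    retention = ProgramStandard("PS-01", "Card data retention", "implemented", "Director, BCeID Program")
    retention.link(pci, "conforms")
    retention.link(foippa, "conforms")

    access_review = ProgramStandard("PS-02", "Quarterly access review", "approved",
                                    "Manager, Control Practices Unit")
    access_review.link(foippa, "non-conform")  # approved on paper, not yet conforming
    # REQ-CPM-1 is deliberately left unlinked so the summary shows a gap.
    return [pci, cpm, foippa], [retention, access_review]


if __name__ == "__main__":
    lib, stds = build_sample_framework()
    for ref, row in requirements_summary(lib, stds).items():
        print(ref, row)
```

The gap flag is the piece the summary report of slide 27 is really for: a requirement that appears in the global library but has no implemented, conforming standard behind it is exactly the interpretation gap the deck lists as a problem, and it surfaces here as a row with an empty standards list or only approved/non-conform entries.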
Who Uses a Control Framework? [Diagram: the control framework data model of slide 15 (compliance requirements, business objectives, risks, program standards, activities, control objectives, roles).] Management sees how operational procedures relate to laws & policies. Employees know their tasks and responsibilities. Employees know which policies and standards apply to their deliverables and workplace activities. Business analysts, architects, accountants, legal and HR can design procedures and controls to address changing risks. Management and audit can affirm that appropriate controls and accountabilities are in place. Slide 28
Related Areas For Improvement. Interpretation: policy translation to standards, standards to standard controls; grouping by risk categories. Compliance components: rationalization of legislation, policy, guidelines, etc. to provide a single source for program owners; include compliance in shared services; clear compliance accountabilities between service provider and receiver. Control expertise: expertise to match program needs to appropriate frameworks; expertise to draft control objectives and link policy to procedures and controls. Slide 29
Project Summary. Vision: sustainable, demonstrated compliance and control. Problem: dynamic policy environment; unstructured, complex information; interpretation gaps. Our focus: Step 1 - equipping the experts (policy analysts, business analysts, program management) to effectively manage compliance-related information. Benefits: manage and communicate complex information; relate requirements to outcomes to interpret & bridge gaps; accommodate change. Barriers: data collection effort; policy and control objective development expertise; fragmented internal policy. Slide 30