New Infrastructures and Functionality - Compliance Mapper, Consult2Comply's Enterprise GRC application, recently added new pre-built infrastructures that make it easier and quicker to get a manageable and sustainable compliance strategy running. If there is an infrastructure you would be interested in, please let us know!
New infrastructures included:
NFPA 1600
FFIEC BCP
NERC CIP
BS 25999 BCM
Various Indian regulations
Cert Resiliency Framework
Compliance Mapper functionality has also been updated to include:
Workflow and project management – assignments to individuals
Resourcing and costing
Compliance checking and sign off for mappings
Capability for audit scheduling
Ability to see when project activities are outstanding, pending or complete
BS 25999 BCM ACP Appointment -
Consult2Comply has been appointed an ACP for Business Continuity Management (BS 25999) in the US, in addition to its equivalent ACP status in the UK. Consult2Comply is now the only BSI member of the Associate Consultancy Program to carry both US and UK (Global) status for ISO 27001 Information Security Management System, ISO 20000 IT Service Management and BS 25999 Business Continuity Management. We are proud of this and it shows our commitment to support British and ISO standards that have relevance to organizations worldwide.
Before embarking on a true GRC initiative, organizations and professionals should follow these rules of engagement to understand and identify what is actually needed to succeed.
Information Technology does not dictate GRC compliance initiatives. IT has a role to play, but the board and stakeholders are responsible for ensuring that GRC is being met and conducted in the appropriate way throughout the organization.
Develop your GRC strategy and document your intent.
Do not “silo” GRC; it’s an organization-wide issue. Ensure whoever needs to be involved is involved. Putting Risk in one silo and Legislation in another and Best Practices in another, and not understanding the relationships among them can be detrimental to the overall success of GRC initiatives.
Understand who will be asking for the budget. Business and IT compete for budget: business is most often seen as a contributor and IT as an overhead, so business will normally win the budget battles.
Unified control infrastructures obscure the real controls and can cost an organization more money in the long term (there are too many controls to worry about, and unified control infrastructures are not normally nationally or internationally recognized).
Set the baseline control infrastructure (e.g. ISO/IEC 27001, COBIT, NIST or ISF) and map outward from it across the regulations, standards and best practices.
Do not stop at control infrastructures. Include everything that’s needed (e.g. Policy; Procedures; Process Maps; Training Records and so on).
Do not exclude Management Controls (these tend to be excluded in technology solutions that address IT rather than the business). These are extremely important when understanding responsibilities and metrics.
Understand the international implications of your GRC initiative (if they apply). Ensure the appropriate regulations, standards and best practices align to the laws of the land nationally and internationally and can work with your organizational requirements.
Paper mappings (spreadsheets) and out-of-date diagrams are difficult to use and maintain; find something that can automate your requirements.
Loose mappings do not deliver compliance; ensure your mappings are not too high level. Loose mappings tend to skip the actual control and map only to the control objective, which can mean implementing more controls than necessary.
Having GRC solutions and the associated people in silos is not good practice for ensuring compliance across an organization. A consolidated view is a must, because of the knock-on effect when something changes (a new control is implemented; a control is discontinued for whatever reason; or changes in regulations, standards and best practices dictate a major change).
Myth #1 - IT is the center of GRC. Reality: IT is not the driver of GRC. Business is the only driver and where the buck stops; IT is only one component of the overall picture.
Myth #2 - It is acceptable to operate GRC in silos. Reality: If GRC is placed in silos, coordinated efforts will undoubtedly fail. Silos also invite political games and budget battles that may be lost.
Myth #3 - Technology is the basis for GRC. Reality: Technology has in reality been a serious contributor to the GRC issues addressed earlier in this paper. Technology solutions to assist with assessment are a requirement, but remember that GRC must support the people efforts as well. You can't take a firewall to court; GRC is a people issue.
Myth #4 - Risk assessments ensure all GRC requirements are met. Reality: Like IT, risk is another component of GRC and cannot be relied upon for the final word on compliance across the organization. Risk has many guises; it is imperative that the organization understands the risk methods being employed and that the coordinated results are combined into an overall risk posture the organization understands.
Myth #5 - The more controls you have, the easier it is to adhere to regulations. Reality: Having many controls to choose from is like going to a restaurant with an extensive menu: there are too many choices, and when you eventually order the meal you think you want, you quickly find out it is not what you really wanted. Too many controls can drive a company down the same road. All of the main control infrastructures are designed to support business and to be internationally recognized, providing a good level of assurance and trust.
Myth #6 - Unified control infrastructures save money and make life easy. Reality: Unified control infrastructures combine many control infrastructures and were created primarily to ease the use of control infrastructures across an organization; the idea is to work with one infrastructure rather than many. Unfortunately, the more controls you create, the bigger your problem becomes. There is a saying in the compliance industry: "Every control you implement has a cost to the organization." Using unified infrastructures can force organizations to implement controls where none are needed, incurring unwarranted cost. One GRC technology solutions provider has 2,500 main controls and 10,000 sub-controls supporting its infrastructure. Working with this number of controls is a real problem and can be extremely costly for organizations trying to comply.
Myth #7 - Applying international regulations to national requirements is an acceptable practice. Reality: Only the actual laws of the land apply in each jurisdiction. During Consult2Comply's reviews of GRC solutions we have seen vendors offering alignment to regulations and standards from other countries, specifically Australia and New Zealand (the AS/NZ prefix).
Myth #8 - If a business adheres to regulations alone, the business is compliant. Reality: Regulations are the tip of the iceberg. (Refer to the Consult2Comply GRC Model and definition of terms for the additional requirements.)
Myth #9 - Self-assessment is a waste of time. Reality: Self-assessment and self-review of results are essential parts of complying with GRC requirements.
Myth #10 - Once a control infrastructure is implemented you can forget it. Reality: GRC is a moving target and must be coordinated throughout the organization to ensure overall adherence. Continual improvement is a specific requirement of GRC activities. Unless it is undertaken, the chances are your GRC initiatives will become redundant and the organization will be:
- Wasting money, and
- Open to litigation from outside.
Myth #11 - You don't need policy to adhere to GRC. Reality: Policy is the foundation of all GRC activities. Without effective policy there is no stated intent in the organization to monitor, measure and manage GRC. Before embarking on any GRC initiative, ensure that policy supporting the initiative is in place and has been endorsed by the appropriate management.
Myth #12 - Conforming to certain controls of a control infrastructure ensures compliance with the infrastructure. Reality: Technology solutions tend to offer a compliance score based on a minimal number of controls being implemented in specific areas. These scores can be extremely misleading and give management an incorrect assumption about compliance. For example, physical security of a computer facility: locks and controls for physical access demonstrate conformance to those specific controls but do not deliver compliance with the overall standard. In other words, reporting a 77% score for compliance with a standard, when what was actually measured is 77% conformance to a subset of its controls, misleads compliance professionals and provides a false sense of security (in security terms, a false positive).
Myth #13 - People aren't important; technology is the way forward. Reality: People are the mainstay of GRC and compliance. GRC covers many aspects of the business: hardware, information, software, people, facilities, branding and so on. People undertake the GRC activities and report on overall compliance; technology can only support this.
Myth #14 - Delegation of accountability and responsibility is acceptable. Reality: This happens all too often. Management must retain accountability for GRC. Responsibility can be delegated, but only if there are measures to ensure that GRC responsibilities are being met.
Myth #15 - Budget won't be a problem. Reality: Budget is always an issue with management. Common faults are:
Buying technology solutions that only serve part of the GRC landscape
Buying Risk tools that need significant amounts of training for staff before they become effective
Underestimating the GRC requirements
Having unskilled or untrained staff responsible for, and actively involved in GRC initiatives
The long-awaited ISO/IEC 27005:2008, Information technology — Security techniques — Information security risk management, has been published. As part of the ISO/IEC 27000 family of standards for Information Security Management Systems, it will now be the reference used when assessing compliance with the ISO/IEC 27001:2005 requirements for risk assessment and risk treatment. Previously, BS 7799-3:2006, Guidelines for information security risk management, was the standard used for this process, whether for alignment or certification. ISO/IEC 27005:2008 introduces a number of subtle but significant changes that alignment or certification will now require. The standard takes each process area and defines the following criteria, which will be used to check compliance. For each process there is now a requirement for:
"Input" – what is used as the input to the process.
"Action" – what needs to be completed.
"Implementation Guidance" – purpose and effect; how it is to be done.
"Output" – the expected outcome of the process.
All of these areas can now be measured more effectively by the auditor prior to alignment or certification, whereas before the auditor had to understand more about the risk process the company had adopted. More information can be found at http://www.iso.org/iso/search.htm?qt=iso+27005&searchSubmit=Search&sort=rel&type=simple&published=on Cost is CHF 154.00 (Swiss Francs).
CEO Steve Crutchley writes: I have been a consultant for over 30 years providing Business Protection, Security Management, Governance and Compliance services. Over those years I struggled to find supporting products that could help me achieve success with my clients. The tools I experienced seemed to lack the required functionality and were always a bit expensive.
Having struggled for many years, I decided to dedicate myself to assisting consultants worldwide by leveraging my hands-on experience and collective knowledge into inexpensive and functional tools that address the issues facing consultants and organizations alike.
I invite you to try these applications at no cost and believe you will see the immediate value to the Risk, Compliance and Regulation industry.
ISO/IEC 38500, the international standard for the corporate governance of information technology (IT), is due for publication shortly. The original draft number, ISO/IEC 29382, has been discarded, and the official number of the new standard is now ISO/IEC 38500. ISO/IEC 38500 draws on a number of sources, specifically AS 8015:2005, which defines six principles: establish responsibilities; plan to best support the organization; acquire validly; ensure performance when required; ensure conformance with rules; and ensure respect for human factors. ISO/IEC 29382, Corporate Governance of Information and Communication Technology, first appeared early in 2007 as a fast-track candidate based on the existing Australian standard AS 8015. It was officially renamed ISO/IEC 38500 in April 2008. Other documents related to this publication are:
AS 8000:2003 - Good Governance Principles
AS 3806:2006 - Compliance Programs
To get the blog going: I recently experienced an auditor from a large banking group who undertook a compliance audit at one of my clients. The auditor, I must admit, was not a bank employee but a contractor who had satisfied the bank that he was capable of performing compliance audits. During the audit, I requested a review to ensure we were all on the same page. The auditor swaggered into my office and promptly sat himself down, as if he owned my office, and promptly started to tell us how bad we were. Listening in disbelief and utter confusion, I stopped the auditor in his tracks and asked what the issues were. To my horror, he promptly handed me a number of non-conformities that had no bearing on the audit whatsoever. When questioned, he said this was his scope and we were in non-conformance with a number of items. In reality, he had decided to extend his scope and look at what he was interested in. When questioned about his findings, it was obvious he was making it up as he went along. For example, he stated that one side of our building had to have bulletproof windows because it faced the multi-storey car park and a sniper could easily shoot someone in the office. I asked the auditor what he believed the cost of doing this would be; he said that wasn't his problem, we just had to do it. We also discussed other supposed non-conformities, which in the end were all rescinded. I promptly decided to call an end to the meeting and requested that we resume the next morning to review this particular NCR; I really wanted to find out what cost we were talking about.
I contacted the maintenance guys and asked the question about the bulletproof windows; I actually thought they believed I had been drinking and was jerking them around. I really needed to get a gut feel for the cost so I could confront the auditor with some ammunition against the NCR (please excuse the pun)!
The maintenance guys luckily had a contact and we were able to get a rough price for this type of work. Let's say it was over $500,000 and would take approximately 2 months to get the job done.
The next day came around all too quickly. The auditor came to see me at the prescribed time and I then decided to play a game. I gave the auditor the costing and then asked to see his working papers and the baseline controls that indicated we needed to have bulletproof windows. To my absolute dismay, he told me that it was his decision and that the bank would back him up regardless of working papers and controls (which he didn't have). To be completely truthful, I had a good idea he was just trying to prove a point and stamp his authority on my client. I decided to ask him to reconsider and rescind this NCR as well. To my disbelief he said no and that the NCR stood. I really didn't know whether to laugh or cry, because my experience was starting to show that there are many audit bullies out there, running rough-shod over organizations with little to no auditor skill in dealing with NCRs.
The outcome
I decided to contact the bank (the audit manager) to discuss the situation. What transpired was that the audit manager for this auditor was astounded that one of his team was taking a stance like this and working outside the audit scope. He was also astounded that the auditor had insisted the work needed to be done and had stated that the bank would back him up. In reality we had found a rogue auditor (and there are lots out there) trying to make organizations do what the auditor wants, with no regard for the cost of the NCR versus the benefit. One good thing did come out of it: the auditor was promptly removed from site and promptly removed as a contractor for the bank.
Lessons learned
Do not be afraid to question what an auditor is telling you. There is a tendency to accept NCRs and run off to fix the problem; sometimes fixing the problem, or so-called problem, costs more than the benefit it delivers and the risk it addresses.
Before letting an auditor on site:
Make sure you have an audit plan and you understand what is in the scope of the audit.
Check auditor competency, specifically knowledge and understanding of the audit scope and of the business sector being audited. Do not be afraid to question the auditor and the findings. REMEMBER: management determines and carries the risk of the business, not the auditor.
I look forward to reading stories of Audit Bullies and bad auditing experiences that can be shared with the community!
The use of CAP to establish a baseline in the early phases of an ISO 27001 or ISO 20000 project will not only determine the current status against the standard; the resulting reports can also assist in quantifying the initial budgets and resource forecasts needed for the next phases of the project.
Using these reports as input to management's decision making will also demonstrate the involvement and support of management in the key decisions necessary for the ultimate certification of these types of projects.