7 steps to build an effective corporate compliance strategy

Page 1: 7 steps to build an effective corporate compliance strategy

7 Steps to Build an Effective Corporate Compliance Strategy

Page 2

Me

Cambridge Technology Partners

Emmy, Elodie and Sinto

[email protected] or LinkedIn: https://ch.linkedin.com/in/maartenboonen

Page 3

Me

I work for

[email protected]

Page 4

Our deep-dive today. Let's go ...

AWARENESS: Understanding Compliance

COMPLIANCE JUNGLE: What’s out there

WHERE DO WE GO FROM HERE? And what’s our objective?

BRILLIANT DEMO: AvePoint’s Compliance Guardian

Page 5

Awareness: Understanding Compliance

Page 6

Compliance should not be a burden, nor an obstacle to daily business activities.

Page 7

First some clarifications

Page 8

Definition of Governance

“Governance is the set of policies, roles, responsibilities, and processes that guides, directs, and controls how an organization’s business divisions and I.T. teams cooperate to achieve business goals.”

- Microsoft

Page 9

What about Compliance?

Things we need or create: Critical Data, Personal Data, Sensitive Data, Intellectual Property

Things we’re told to do by: Regulatory, Contractual, Legal, Industry standards

+ Governance Magic: set of policies, roles, responsibilities, and processes

+ Tools: to help us protect our assets

Compliance means incorporating standards that conform to specific requirements

Page 10

FROM THIS MOMENT ON COMPLIANCE IS COOL, SERIOUS AND ADAPTS AT BUSINESS SPEED

Page 11

Why start taking compliance seriously only after you feel the pain?

64% of data breaches are tied to human error or outdated systems.

€ 301M: last year’s financial loss for not having control of the situation, in western Europe alone.

11% have some sort of Governance, Risk or Compliance process in place, but none have any idea where the gaps are.

56% of organizations are hacked or have information stolen without realizing it.

73% of organizations are unaware of the type of information they’re producing and its value.

Page 12

Preventing is always better

Reputational Damage, Penalties and Fines, Data breaches

Most threats come from the inside

Page 13

Respond and Learn!

Page 14

Who’s responsible for the information produced?

Page 15

Challenges organizations face: Compliance Audits, Security, No visibility, Manual Process

o The information produced is growing too fast.
o Rapid change or expansion of rules and regulations.
o Failed before, or will fail, when an audit is held.
o Problems with reporting.
o Limited staff and resources.
o Don’t know what other business processes are doing or what’s important to them.
o No alerting when information is expired or needs to be reviewed.
o No idea of the type of information and its value.
o No security or encryption to protect data.
o Physical information visible to non-employees.
o Permission and security model is a mess or unclear.
o No warning or alert mechanism.

Page 16

Drivers, Motivators and Benefits

INCREASE SECURITY

NECESSITY FOR INDUSTRY CERTIFICATION

VISIBILITY ON INFORMATION STREAMS

ABILITY TO BE PRO-ACTIVE

SUPPORT BUSINESS PROCESSES

Page 17

Collaboration with confidence: it’s a balancing act and a trade-off at the same time

Transparency, Collaboration, Data Protection, Data Management

Page 18

Key takeaways

Compliance is not boring, it’s cool.

The risk is out there, start taking it seriously.

Don’t overdo it and let it become a paper process.

Start today!

Page 19

Compliance jungle: What’s out there

Page 20

Types of regulations: regulations arise or change very rapidly

Health and Safety, Accessibility, Security, Quality Control, Privacy

Page 21

Where does this come from? Governments and organizations that define standards, like NIST, AIIM, ISO, FINMA and others

Page 22

Compliance follows common themes

CIA Triad: Confidentiality, Integrity, Availability

Page 23

Information must be accessible and available to the people who should have access to it, and protected from the people who should not!

Page 24

HIPAA: Health Insurance Portability and Accountability Act

Summary: Regulations protecting the privacy and security of certain health information

Industry focus: Pharmaceuticals / Health Care / Insurance

A few key criteria:
o Data encryption
o Information can never be lost
o Only accessible to authorized people

Page 25

PCI DSS: Payment Card Industry Data Security Standard

Summary: The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.

Industry focus: Finance / Retail, or any industry which is involved in some sort of financial transaction

A few key criteria:
o Build and maintain a secure network
o Encrypt transmissions
o Strong access control measures
o Track and monitor all access

Page 26

SOX: Public Company Accounting Reform and Investor Protection Act

Summary: In a nutshell it comes down to “Corporate Accountability and Responsibility”. You know what’s going on in the organization and have complete control and overview at all times. This includes financials, products and services.

Industry focus: Every organisation which wants to be listed on the US stock exchange or do business with the US government

Page 27

21 CFR Part 11: Electronic Records, Electronic Signatures, Scope and Application

Summary: FDA Part 11 specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted. Its primary benefit is to assure quality and performance of the systems deployed to manage any cGxP process.

Industry focus: All industries which have to have some sort of quality control and trace system in place

Page 28

NEW TREND OR RISK FOR THE FUTURE: DIGITAL TRANSFORMATION

IN ORDER TO STAY AHEAD OF THE GAME: CUSTOMER ENGAGEMENT / SERVICES

COMPLIANCE NEEDS TO BECOME A SERVICE PARTNER

PROTECT COMPANIES’ ASSETS AND ALIGN WITH THE BUSINESS / MAKE IT MORE CUSTOMER-FOCUSED

Page 29

Key takeaways

Similarities between regulations

Adjust to business needs and speed

Know your regulations and know your business processes

Page 30

Let’s put Simple and Flexible back to work!

Page 31

Where do we go from here? And what’s our objective?

Page 32

How to keep a grip on the situation: Compliance Life-cycle

Prevent, Detect, Track, Respond and Resolve

o Know what to prevent
o Know from what to prevent it
o Know why to prevent it

o Security policies
o Rights Management Policies
o Separation of duties
o Four-eyes checks
o Secure and encrypted access

o Classification by metadata

o Content ID
o Image recognition
o QR or Barcodes
o Scan for keywords or phrases
o Custom triggers and rules

o Direct Lock or Quarantine
o Alert and notifications
o Real-time scanning

o Gain understanding and insights, compliance dashboards

o Automation of Reports
o Monitoring and Notifying
o Use metrics that make sense
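The Detect and Respond steps of this life-cycle (keyword or phrase triggers, custom rules, classification by metadata, then quarantine or alert) can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not AvePoint Compliance Guardian code and does not reproduce any product's behaviour. The rule set, the sample "file share" documents, the severity numbers and the regex patterns are all constructed for the example; the Luhn check on candidate card numbers is the standard checksum used to cut false positives, not something the slides specify.

```python
"""Detect / Respond step of a compliance life-cycle, as an illustration.

Scan text against keyword and custom-rule triggers, record hits as
classification metadata, and map the worst finding to an automated response.
Added example; rules and sample documents are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects random 16-digit numbers that are not card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    name: str                 # label written into the classification metadata
    regulation: str           # regulation family the rule supports
    pattern: re.Pattern       # trigger: keyword/phrase or custom regex
    severity: int             # 1 = informational ... 3 = block immediately
    validator: Optional[Callable[[str], bool]] = None  # extra check per hit


# Constructed rule set: two keyword triggers plus one custom (Luhn-checked) rule.
RULES: List[Rule] = [
    Rule("payment-card", "PCI DSS",
         re.compile(r"\b(?:\d[ -]?){15}\d\b"), 3,
         lambda m: luhn_valid(re.sub(r"[ -]", "", m))),
    Rule("health-record", "HIPAA",
         re.compile(r"\b(diagnosis|patient id|medical record)\b", re.I), 2),
    Rule("confidential-label", "Internal policy",
         re.compile(r"\bconfidential\b", re.I), 1),
]


@dataclass
class ScanResult:
    doc_id: str
    tags: Dict[str, dict] = field(default_factory=dict)  # classification metadata
    max_severity: int = 0

    @property
    def action(self) -> str:
        """Respond step: worst finding decides the automated response."""
        if self.max_severity >= 3:
            return "quarantine"   # direct lock or quarantine
        if self.max_severity == 2:
            return "alert"        # alert and notification to the owner
        return "none"


def scan_document(doc_id: str, text: str, rules: List[Rule] = RULES) -> ScanResult:
    """Detect step: run every rule over the text, tag each hit as metadata."""
    result = ScanResult(doc_id)
    for rule in rules:
        hits = [m.group(0) for m in rule.pattern.finditer(text)]
        if rule.validator is not None:
            hits = [h for h in hits if rule.validator(h)]
        if hits:
            result.tags[rule.name] = {"regulation": rule.regulation,
                                      "count": len(hits)}
            result.max_severity = max(result.max_severity, rule.severity)
    return result


# Constructed sample documents standing in for files on a share.
SAMPLE_DOCS = {
    "invoice.txt": "Paid with card 4111 1111 1111 1111, thanks.",
    "notes.txt": "Patient ID 1234, diagnosis pending. CONFIDENTIAL.",
    "memo.txt": "Lunch menu for Friday. Order number 1234567890123456.",
}


def scan_all(docs: Dict[str, str] = SAMPLE_DOCS) -> Dict[str, ScanResult]:
    """Scan every document and return the results keyed by document id."""
    return {name: scan_document(name, text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, r in scan_all().items():
        print(f"{name}: action={r.action} tags={r.tags}")
```

Running it flags the invoice for quarantine (a Luhn-valid card number), raises an alert for the notes file (two HIPAA keyword hits plus a confidential label), and leaves the memo alone because its 16-digit order number fails the checksum. In a real deployment the tags would feed the Track step (dashboards and reports) and the action would be enforced by the storage platform rather than printed.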

Page 33

Compliance recipe: high-level focus on where to start

1. Positioning
2. Preparation
3. Identification of information and its value
4. Our Standards and Regulations
5. Match the Similarities
6. Turn it into a daily process
7. Automated tooling

Page 34

1. Positioning: Compliance shouldn’t be treated as a project or as a bolt-on, but should be at the center of a business

Page 35

2. Preparation: Those who fail to prepare should prepare to fail

Define your compliance goals, set a vision
o Tighter Security
o Efficient collaboration with partners
o Transparency
o Industry Certification

Understand Criteria and Benchmarks
o How do I know if I’m compliant?
o What does the information tell me?
o How can I use it to support business activities?

Gather your team of experts
o From within and outside the company (Legal, HR, IT, etc.)
o Know what they are doing and what’s important to them.

Commitment and Authority
o If the driver holds the keys, they drive, not the owner or passengers
o Management Commitment and Signoff

Page 36

3. Identification of information and its value

Identify the type of data your organization produces
o What’s the value to the user and the company?
o What product, process or service depends on it?

Accuracy
o Check if the information is still accurate and reliable.
o Are we all working with the same version?
o When was it last checked?

Automatic tooling
o Use the right tools in conjunction with the existing infrastructure to enforce and control policies.
o Guide people through a process to reduce mistakes.
o Classification and auto tagging

Page 37

4. Our Standards and Regulations: They are all different

Identification
o Summarize all the regulations you need to be compliant with.
o Figure out the similarities.
o Find out your company’s strong points and weaknesses.

Industry overlap
o The term industry is really broad. If you’re an airline and clients can book tickets directly, you also need to be compliant with certain financial regulations.

Country
o Regulations are derived from each other but might be stricter depending on your country, your supplier’s or your client’s location.

Industry Certification
o Do you need to be certified in a specific field?
o Do the industry certifications differ per country?

Page 38

5. Match the similarities

Diagram: Regulation Type A / Country A, Regulation Type A / Country B, Regulation Type B / Country A

o Prioritize, which one is most important
o Overlaps with which product or service
o Who’s responsible for what
o What are quick wins
o Categorize them by

Page 39

6. Turn it into a daily process: Everyone is responsible, so get them involved

How compliant are you?
o Analyze and fill in the gaps to improve

Monitor
o Monitor regulation changes
o Monitor business needs
o Align with company vision and strategy

Reporting
o Build useful reports
o Build compliance dashboards for live changes (Power BI)
o Know what information you produce and who uses it.
o Where is it stored now?

Activities
o Report the right information to the right people
o Delegate tasks
o Compliance and protecting your organization’s assets is a team effort

Page 40

How do you know if your compliance is going the right way? Constant monitoring and reporting is key

Chart: Not yet compliant / Compliant to criteria ABC (63% / 37%)

o Define the different reports you need for the regulations
o Define your criteria on what you need to report
o Create compliance dashboards (Power BI)
o Know who’s responsible for the part of the business process and delegate the task

Page 41

7. Automated tooling

Identify the capabilities of the tools within your existing software portfolio, what they can do and how they can help you on your compliance journey. Analyse the gaps.

User Repository, Workflow, Full fidelity Data Protection and Recovery, Audit trailing, Logging, Separation of Duties, Notification, Identity and Access Management, Authentication mechanism, Azure Intune, Bring Your Own Device, Alerts, Azure Rights Management, SAP, Mobile and Mobility, PowerShell, Social Media, eDiscovery and Vault mechanisms, Hardware Appliances, OneDrive, Skype for Business, Data Loss Prevention, SharePoint, Office 365, Exchange

Page 42

AvePoint, filling the gaps: SharePoint, Office 365, Yammer, File shares and more

Prevent, Detect, Track, Respond and Resolve

o Governance Automation
o Compliance Reports
o Administrator

o Compliance Guardian

o Vault
o eDiscovery
o Compliance Reports
o Administrator

o Compliance Guardian
o eDiscovery
o Compliance Reports

Page 43

AvePoint Compliance Guardian provides an automated risk mitigation system to scan, classify, protect, and audit collaborative environments

Page 44

Show time!

Page 45

Key takeaway summary

Align with business needs

Balance and trade-offs

Don’t wait

Know your organization’s values and importance

Keep it simple

Compliance is broader, look further than the tip of your nose

Page 46

Now it’s your turn to become compliant! If you need some help we’re just a few mouse clicks away ...

Questions and feedback are highly appreciated

Not a big talker? Just send us an email:

[email protected]

[email protected]

[email protected]

[email protected]

Thank you for your interest

Page 47

Resources and References

Resource links
Compliance Guardian introduction video
What is Microsoft Azure Rights Management

Abbreviations
AIIM: Association for Information and Image Management
NIST: National Institute of Standards and Technology
CFR: Code of Federal Regulations
cGxP: Current Good X Practice (FDA compliance; X can mean: Clinical, Laboratory, Manufacturing, Pharmaceutical, ...)
FINMA: The Swiss Financial Market Supervisory Authority
GRC: Governance, Risk and Compliance

© 2015 Cambridge Technology Partners, Proprietary & Confidential

Page 48

Page 49

Page 50

Page 51

Screenshot: Compliance Guardian on-premise

Page 52

Screenshot: Compliance Guardian on-premise

Page 53

Screenshot: Compliance Guardian online, AvePoint cloud service

Page 54

Screenshot: Compliance Guardian online, AvePoint cloud service