This article originally appeared on the BeyeNETWORK.
Why is Compliance Important?
Enron, Tyco and Qwest are three of many cases where manipulation of information led to very serious consequences for investors. Congress and the executive branch reacted with the Sarbanes-Oxley Act (SOA) and a wide range of costly regulations.
Identity theft, computer viruses and spam e-mail are three problems made worse by inadequate corporate security measures. Again, Congress and the executive branch are reacting with legislation and regulations that increase the cost of business.
The “Cornerstones of Compliance” is our method for complying with SOA, securing the database and managing corporate risk cost-effectively.
What is Information Compliance?
The headline reads:
“Subscriber List and Credit Card Information Sold by Disgruntled Employee; CEO Imprisoned and CIO Fired”
Think it can’t happen? Think again. Businesses now rely on their internal data for a wider range of profitable activities; some are turning previously internal data into external profit centers. It is more important than ever to understand, characterize, document and measure your data. In addition, it is critical to institute well-understood procedures to block incorrect use, mitigate risk and trace changes to data. SOA places the CEO at direct personal risk – don’t be the CIO or CFO that puts your boss in jail.
Other regulations, contract terms and industry practices go beyond SOA and create a complex web of compliance and interoperability requirements. Audit costs, internal and external, decrease when data is well-documented or delivered in an interoperable form.
There have always been situations in which bodies external to a company impose requirements for tracking, controlling and validating statements derived from information or the processes by which information is captured and managed within that company. Whether those requirements emanate from legislation, regulatory boards, standards groups, industry electronic data interchange (EDI) guidelines, web services specifications, or some other recognized authority, whenever there is some expectation of adherence of a company’s data to a set of guidelines, we refer to that as information compliance.
The interpretation of information is essentially what compliance of any kind is about: Interpretation of the regulation or policy and how it affects your particular business, and illustrating and proving to an external source that you have met the requirements of the regulation. The requirements themselves, and the justification of complying with the regulation, are all information. Information does not have to take the form of electronic data, but this is its most common form. Therefore, a Framework has been proposed that outlines ideas that can be used in the tracking of compliance measures in information systems, but it is much broader than this. It articulates a method for understanding policies and regulations and how to go about ensuring that you are doing the best you can to enforce these policies within your organization, to the degree that makes sense to your business. Therefore, the method is customizable for each individual organization, and the methodology shows how this can be done, in a sound, measurable way.
In addition, the Framework can assist small and large government entities and companies alike by providing guidelines for responding to an audit. It provides advice on how to be proactive and do your own internal auditing so you will be prepared for external audits and can provide the necessary documentation required to show diligent compliance.
Examples of Important Regulations
High profile regulations abound, and they touch all of us, not just government entities or corporations. For example, you cannot go to your local grocery store anymore and pay for your prescriptions along with your groceries: The Health Insurance Portability Act (HIPAA) mandates that you must pay for these prescriptions separately, in the pharmacy.
Obviously, new regulations are coming on the scene very fast. Some regulations are very broad, and affect all industries, regardless of vertical market segment, such as Sarbanes-Oxley. Others are very specific to a particular industry segment, for example 21 CFR Part 11. Here is a brief description of a few high profile regulations:
- The Federal Anti-Kickback statute, relating to the health care industry, which prohibits payments or compensation of any kind to any person in return for referrals. The goal of the law is to protect patients from fraud by preventing the use of money as an inducement to exert undue influence on making health care decisions. An example might be if a pharmaceutical company funds a particular research lab with grants in return for that lab’s recommending the use of that company’s products.
- The US Food and Drug Administration enforces a section (Title 21 of the Code of Federal Regulations, Part 11, also referred to as 21 CFR Part 11) related to electronic signatures and the transmission of electronic records.
- The recently-passed Sarbanes-Oxley Act (SOA or SOX), which (in a nutshell) dictates corporate responsibility for financial reporting by requiring the CFO and CEO of a company to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."
- The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) imposes guidelines for the representation of data records forwarded from companies to health care insurers for many different kinds of communications. These guidelines have been formally standardized; for example, the standard referred to as 834 imposes the structure and rules for electronic data interchange regarding benefit enrollment and maintenance, and the standard, ASC X12N 834, provides fine details about the information compliance requirements.
- The Department of the Interior (DOI) has imposed a rigorous process of computer security compliance called Certification and Accreditation. The Guidelines for this compliance use standards developed by NIST as the template.
Although these cases all deal with different business implementation areas, they share some interesting attributes:
- The policies and guidelines are specified by an external organization.
- Although the compliance deals with business issues, the implementation relates directly to underlying information assets.
- The risks of noncompliance are understood.
- Probability of discovery of noncompliance is correlated to a well-defined enforcement scheme.
- The policies, definitions, and requirements are written in a natural language that is subject to interpretation at the business level followed by an implementation analysis at the data level.
The Framework will introduce the business issues that drive the need for an information compliance methodology, as well as describe the iterative process of interpreting policies, determining what information resources are affected, translating the interpretation into a collection of formally-defined business rules, followed by an implementation scheme to validate information based on those rules.
Regulatory Compliance in the Government
The government has always had regulations for itself, but in recent years this has been taken to a new level. Compliance in many areas for all government entities, federal, state, and local, has been all-inclusive. And of course, the government monitors non-government entities. Therefore, the government is in an interesting position in relationship to compliance, in essence being on either side of the regulations as either the regulating body or the entity being regulated.
Best Practices and Compliance
Compliance has some wonderful residual benefits. You may be surprised that, as your organization adopts Best Practices for Compliance, your compliance initiatives produce additional results and improvements that have nothing to do with compliance. This is because Best Practices are universal and cross disciplines. For example, a small project team within Fish and Wildlife had wanted to reorganize their server hardware and consolidate some applications, thereby reducing the number of servers, for a host of reasons. Complexity of the environment was causing problems with software upgrades: at one point in time each server had a different version of Oracle and Oracle development tools, which in turn caused incompatibilities across servers. Maintenance costs were high, and management of the environment became more chaotic. This group found that security compliance provided them with the additional justification to simplify their environment, because the resulting simplification assisted the group in meeting the security compliance guidelines.
A Framework for Information Compliance
Figure 1 illustrates the Cornerstones of Compliance Framework. The first noticeable feature is the cyclical and feedback nature of the methodology. The Framework is meant to provide its own feedback, and the methodology itself is self-modifying.
The following briefly describes each Cornerstone. The Cornerstones consist of verbs, implying action is involved in each one. Nouns are used to describe the inputs and outputs (for example, Regulation and Guidance), both internal and external.
Regulation & Guidance
Policy is defined by the American Heritage Dictionary as:
A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters: American foreign policy; the company's personnel policy.
A Regulation is a little stronger:
A principle, rule, or law designed to control or govern conduct.
For the purposes of the Cornerstones Framework™, we will use the word “regulation” to refer to a regulation (as defined above) with a little more added, namely, “mandating compliance of some sort”, and “usually originating external to the organization or group to which it pertains”. A regulation is usually imposed on a group from the outside, but it depends upon how you define “group to which it pertains”. One possible exception to this is when the organization itself has a regulatory body within it that imposes standards with which the rest of the organization is required to comply. An example of this is the Information Systems development standards which are imposed on IT groups within the organization. If the IT group proposes an information systems project or application, they must show conformance to internal policies in order to receive funding. Even in this case, the regulation originates external to the IT group upon whom it was imposed. The assumption is that the group that must comply with the regulation has little or no power to change the regulation.
Therefore, a Regulation is defined as a principle, rule, or law designed to control or govern conduct, mandating compliance of some sort, and usually originating external to the organization or group to which it pertains.
A Policy, on the other hand, is created by the group itself. It refers to the approach the group determines that it feels is necessary and sufficient to comply with the regulation. For the purposes of the Framework therefore, we will impose a modifier on the definition of Policy and define a term called Compliance Policy. It is defined as:
A plan or course of action, created by a group or organization, intended to influence and determine decisions, actions, and other matters relating to compliance of a certain external regulation.
One of the most important assertions made in the Cornerstones Framework™ is that the language used in the business is critically important, because language contains meaning. The underlying meaning of a regulation must be communicated unambiguously to all parties; otherwise one party can be considered in violation. Since regulatory compliance involves two parties, the regulatory body issuing the regulation and the regulated entity (the party attempting to comply with the regulation), the burden is on the latter (the regulated entity) to prove that the meaning (semantics) has been communicated and assimilated properly into the fabric of the organization. This is why the semantics and definition of terms are so critical.
Guidance is defined by Wordnet (Princeton University) as:
- direction or advice as to a decision or course of action
- the act of guiding or showing the way.
For the purposes of the Framework, Guidance is defined as a set of guidelines or help principles which assist organizations in conforming to the regulation and enforcing the policy. Guidance usually originates external to the organization enforcing the policy, and sometimes comes directly from the organization creating the policy. Sometimes the guidance comes from an external organization separate from the policymaking body; such is the case with certain standards bodies such as the National Institute of Standards (NIST). Often, conformance to the Guidance is critical to the demonstration of compliance with the regulation. This is the case with government agencies and many Computer Security regulations, such as Certification and Accreditation (C&A) originated by the United States Department of the Interior (DOI).
The first Cornerstone is Research. Research is defined by Webster’s Revised Unabridged Dictionary as follows:
Diligent inquiry or examination in seeking facts or principles; laborious or continued search after truth; as, researches of human wisdom.
Research involves compilation of all regulatory sources, and all information sources within the organization that can support the compliance effort, both structured and unstructured. Structured information refers to information stored in a format which imposes a structure on the type of information stored. It usually refers to a database, but other forms of structured data and/or information exist. To some extent, a file system is loosely structured, because it acts as an index (albeit an incomplete, not very comprehensive one) for information/document retrieval. The most useful source of information concerning the compliance effort usually is in the form of unstructured data, such as text documents, emails, policy documents, and regulatory documents. The organization must perform as complete a search as possible for these types of documents and have them handy to be referenced.
The American Heritage Dictionary defines Interpret (a verb) as:
- To explain the meaning of: interpreted the ambassador's remarks.
- To conceive the significance of; construe: interpreted his smile to be an agreement; interpreted the open door as an invitation.
Inherent in the notion of interpretation, for compliance work, is explaining the meaning of the regulation and conceiving the significance of the regulation as it applies to the organization or group involved. We will add the modifier “regulatory” to the verb interpretation, and add the notion of determining the regulation’s significance to the specific organization so that compliance policy can be constructed.
Regulatory Interpretation is the act of explaining the meaning of a regulation, and conceiving the regulation’s significance to the organization or group, for the purposes of Compliance Policy creation.
As you can surmise, the importance of semantics in interpretation cannot be over-emphasized. The organization must ensure and verify that they understand the meaning of the regulation first. Published guidance, if it is available, can be used to construe the meaning of the regulation. The Interpretation Cornerstone involves tying together all the relevant sources within the organization (compiled during the Research Cornerstone) and determining the current state of compliance, then formulating policies that will assist compliance efforts in the future.
The third Cornerstone is Balance. This implies making a decision. The American Heritage Dictionary defines the verb balance as:
- To determine the weight of something or, as if in a weighing device.
- To compare by, or as if, by turning over in the mind: balanced the pros and cons before making a choice.
No one can ever force anyone to do anything. Regulations can be ignored or the organization can make a conscious choice to not comply. However, such actions may have consequences. Risk Assessment is about measuring the cost of noncompliance.
The American Heritage Dictionary defines Risk as:
- The possibility of suffering harm or loss; danger.
- A factor, thing, element, or course involving uncertain danger; a hazard: “the usual risks of the desert: rattlesnakes, the heat, and lack of water” (Frank Clancy).
Regulatory Risk therefore is defined as the possibility of suffering harm or loss when the regulation in question is not obeyed.
The verb assess is defined (the fifth definition) as:
To determine the value, significance, or extent of; appraise.
One of the tasks that must be completed in the context of the Balance Cornerstone is determining the cost of noncompliance. This cost must be measured as well as possible. The DOI and NIST publish documents which assist in security risk assessment. There are formal processes that can help in the determination of many different risks to an Information System. Certain government agencies are mandated to use these measurements, but they can also be useful to private industry.
Compliance is not free. It comes with a cost. Each regulation should be measured in terms of both cost of compliance and risk. It should then be balanced to determine the best approach. The outcome of the balancing process is the policy that the organization will adopt for the regulation.
Implement is the next Cornerstone. The first and third definitions from Webster’s Dictionary are enlightening:
- To accomplish; to fulfill.
- (Scots Law) To fulfill or perform, as a contract or an engagement.
Implementation of the policy involves a project management discipline. An execution plan should be devised and a rigorous methodology should be used to ensure its success.
Traceability helps an organization establish an audit trail of events and processes so the steps conducted for compliance purposes can be followed later. Traceability is critical in proving compliance with regulations.
American Heritage defines the verb “to trace” as follows:
- To follow the course or trail of: trace a wounded deer; tracing missing persons.
- To ascertain the successive stages in the development or progress of: tracing the life cycle of an insect; trace the history of a family.
- To locate or discover by searching or researching evidence: trace the cause of a disease.
Therefore, Regulatory Trace is defined as the ascertaining of the successive stages in the development or progress of an organization’s steps to reach compliance with a specific regulation.
Trace usually involves data, but it could refer to the steps taken to ensure compliance. The main intention is to have the data and its lineage be traceable. The history of a specific value in a report, invoice, etc. should be traceable. Especially with accounting functions, this traceability is essential. A value on a purchase order was changed. When? Why? Who changed it? Did the client call up and request an adjustment in the quantity ordered? Who on the client side authorized this change?
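The purchase-order questions above (when, why, who changed it, who authorized it) can be answered from an append-only change trail. The following is an added example, not part of the original article or the Framework; the table, column and function names and the sample values are assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE purchase_order (po_id INTEGER PRIMARY KEY, quantity INTEGER NOT NULL);
CREATE TABLE po_audit (
    audit_id      INTEGER PRIMARY KEY AUTOINCREMENT,
    po_id         INTEGER NOT NULL,
    old_quantity  INTEGER,            -- NULL on the row that records creation
    new_quantity  INTEGER NOT NULL,
    changed_at    TEXT NOT NULL,      -- when
    changed_by    TEXT NOT NULL,      -- who made the change
    reason        TEXT NOT NULL,      -- why
    authorized_by TEXT NOT NULL       -- who on the client side approved it
);
-- History is append-only: rewriting or deleting a trail row is rejected.
CREATE TRIGGER po_audit_no_update BEFORE UPDATE ON po_audit
BEGIN SELECT RAISE(ABORT, 'po_audit is append-only'); END;
CREATE TRIGGER po_audit_no_delete BEFORE DELETE ON po_audit
BEGIN SELECT RAISE(ABORT, 'po_audit is append-only'); END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def set_quantity(conn, po_id, qty, *, when, who, why, authorized_by):
    """Create or change an order; the value and its trail row commit together."""
    if not all((when, who, why, authorized_by)):
        raise ValueError("when, who, why and authorized_by are all required")
    with conn:  # one transaction: rolled back as a whole on any error
        row = conn.execute("SELECT quantity FROM purchase_order WHERE po_id = ?",
                           (po_id,)).fetchone()
        if row is None:
            old = None
            conn.execute("INSERT INTO purchase_order VALUES (?, ?)", (po_id, qty))
        else:
            old = row[0]
            conn.execute("UPDATE purchase_order SET quantity = ? WHERE po_id = ?",
                         (qty, po_id))
        conn.execute("INSERT INTO po_audit (po_id, old_quantity, new_quantity, changed_at,"
                     " changed_by, reason, authorized_by) VALUES (?, ?, ?, ?, ?, ?, ?)",
                     (po_id, old, qty, when, who, why, authorized_by))

def trace(conn, po_id):
    """Successive stages of the quantity, oldest first."""
    return conn.execute(
        "SELECT old_quantity, new_quantity, changed_at, changed_by, reason, authorized_by"
        " FROM po_audit WHERE po_id = ? ORDER BY audit_id", (po_id,)).fetchall()

def lineage_is_complete(conn, po_id):
    """True if each stage follows from the previous one and the last matches the live value."""
    row = conn.execute("SELECT quantity FROM purchase_order WHERE po_id = ?",
                       (po_id,)).fetchone()
    expected = None  # the first trail row must be the creation record
    for old, new, *_ in trace(conn, po_id):
        if old != expected:
            return False
        expected = new
    return row is not None and expected == row[0]

if __name__ == "__main__":
    db = open_db()  # constructed sample data
    set_quantity(db, 1001, 10, when="2024-03-01T09:00:00Z", who="order.entry",
                 why="initial order", authorized_by="client: J. Doe")
    set_quantity(db, 1001, 12, when="2024-03-04T14:30:00Z", who="a.clerk",
                 why="client phoned to raise quantity", authorized_by="client: J. Doe")
    print(trace(db, 1001), lineage_is_complete(db, 1001))
```

A change made outside `set_quantity` leaves the live value without a matching trail row, which `lineage_is_complete` reports as a broken lineage.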
The final Cornerstone is Assess. This verb was defined above, in the context of Risk Assessment and the Cornerstone of Balance. At the “risk” of being redundant (sorry about the pun!), Assess means:
To determine the value, significance, or extent of; appraise.
Assessments were used earlier in the determination of risk and balancing out the cost of compliance with the cost/penalty of non-compliance. Assessment in this context is used to put measurements in place to determine the effectiveness of the compliance efforts. This measurement can be used as feedback to the entire compliance process to determine what further research needs to be done. This, in turn, will lead to new interpretations. These interpretations will feed into risk assessments and will determine a different balance. This will require a different implementation with new traceability requirements. It will also feed into new metrics and assessments and start the whole process once again.
Using the Framework in Government Work
I recently used the basic methodology to assist a small project group within the Fish and Wildlife Service, which is an agency of the Department of the Interior (DOI). The next article in this series will describe how the Cornerstones Framework™ assisted our compliance efforts.
I would like to thank David Loshin and Joseph Hudicka for their assistance with this article.