"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896

Organizations today are waking up to the realities of managing a fast-moving business in a permanent regime of complex regulatory compliance. SOX, HIPAA, Basel II and a myriad of other regulations are driving companies to implement sophisticated compliance frameworks in record timescales and with unprecedented levels of budget and resource. Compliance functions are on a steep learning curve to design cost-efficient processes that can be easily repeated across a changing business and technology landscape. Organizations are asking the question.  How can we reduce the ongoing cost and complexity of compliance? The answer is: By taking a smarter approach that draws on established best practices and exploits the tools and knowledge base that already exists.. This paper sets out the principles and pointers to enable organizations to develop an efficient, long-lasting and adaptable compliance framework that will mitigate risks, reduce the costs of incidents, and meet the requirements of the most demanding auditors.

Organizations today are also under mounting pressure to raise their game in information security and IT compliance. This pressure is coming from four directions:

• First, there are growing security threats to information systems because hackers, virus writers and criminals have become much more sophisticated at identifying and exploiting the security vulnerabilities in IT applications and the infrastructure that underpins them.
   

• Second, there are serious security exposures in many enterprise infrastructures because of legacy control weaknesses, greater use of public Internet services and increased sharing of information, systems and infrastructure across organizational boundaries.
   

• Third, the potential impact on business operations from a single security incident is increasing, with growing business dependency on technology and higher levels of standardization and network connectivity.
   

• Fourth - and most significantly - there are tougher regulatory compliance demands (backed up by heavy penalties) to ensure that organizations have implemented appropriate controls to safeguard the confidentiality, integrity and availability of sensitive or critical information.

How long will these pressures last? The answer is that they will most likely continue to increase even further, at least for the foreseeable future and perhaps well beyond that. As the futurist Alvin Toffler once put it: The 21st Century will be dominated by information wars and increased economic and financial espionage. (1) This is because we are slowly entering a new Information Age, in which information and its exploitation will become pivotal to business success and survival. We can already see a number of trends on the horizon that will encourage a much tougher security and compliance environment for organizations. Examples of this include:

• Tomorrow's business, technology and security landscapes will be even more challenging, with faster product cycles, volatile business partnerships, complex supply chains and new technologies that introduce new sources of risk.
   

• Clients and servers will be increasingly connected by wireless networks and public Internet services that will require additional security controls to be incorporated into application systems.
   

• We will shortly see the progressive emergence of .zero-day. attacks (i.e. ones that can exploit recently announced vulnerabilities) that will enable criminals to carry out sophisticated attacks on information systems well before IT functions are able to apply corrective patches or anti-virus updates.
   

• There will be a substantial increase in regulatory compliance requirements as more countries, states and sectors appreciate these growing information security risks and recognize the need for disciplined compliance demands.

Faced with these pressures, organizations have been pressed into action to implement new compliance management frameworks in very tight timescales. In many cases, this has led to unsustainable costs and resource requirements. Compliance functions are now on a steep learning-curve to determine how to develop more cost-efficient compliance processes that can be easily repeated each year across a business and technology landscape that is constantly evolving. They are asking the question: .How can we reduce the ongoing cost and complexity of compliance?. The answer to this important issue is to take a much smarter approach to regulatory compliance. The rest of this paper aims to explain how this can be achieved by setting out the .tricks of the trade,. the key guiding principles developed by the professionals for developing long-lasting, cost-efficient compliance management frameworks.

Smart compliance management is based on applying the principles from a set of key learning points from organizations that have successfully developed, implemented and managed large scale compliance management initiatives. Applying these learning points and the key underlying principles of good documentation design enable the implementation of efficient, adaptive and long-lasting compliance management frameworks. Following are six key lessons-learned that should be front of mind for all security and compliance managers.

1. Do not reinvent the wheel. Designing, implementing and auditing complex control structures is not a new science. It is a well-understood and well-practiced subject that has been quietly implemented by auditors, certification bodies and security managers for many years. So do not aim to reinvent the wheel or develop new methodologies from scratch. All of the principles and tools for designing and implementing efficient security and compliance management frameworks are out there already. You should aim to identify and learn from those authorities who have done it successfully before. The last section of this paper sets out some critical success factors for successful programs that have been implemented by three leading organizations (Royal Dutch/Shell Group, Royal Mail Group and Chevron Corporation).

2. Take a strategic approach. Appreciate that proliferating compliance demands should not be addressed in a tactical, ad hoc way. There are always large overlaps in the scope, techniques and tools needed to address different regulatory or functional demands. It will pay dividends to take a strategic approach to security and compliance based on a common architecture that enables individual control solutions to be mapped to specific regulatory requirements. You should ensure that corporate governance processes, risk management methods, technical standards, and management control frameworks implemented across the organization are consistent and dovetail easily. Otherwise, there will be widespread duplication, uncertainty and compliance gaps.

3. Be aware of the pros and cons of different approaches. Understand the different approaches for determining the controls required in an information system. There have long been two schools of thought, one favoring the universal use of risk assessment to determine IT controls, and the other preferring a more prescriptive approach based on pre-defined control descriptions. Most organizations apply a combination of the two, but it is important for efficiency and consistency that you understand the costs, benefits and limitations of both approaches in order to achieve the optimum balance for your organization.

4. Learn the secrets of efficient framework design. Understand and fully exploit the underlying principles for designing efficient, long-lasting and low-maintenance control frameworks. These are set out in the fourth section of this paper.

5. Outsourcing presents special problems. Understand that outsourced supply chains present additional problems for compliance management, as control over facilities and services is severely limited, according to the conditions set out in the contract schedules and the willingness of your service provider to respond to new demands. However, the risks and consequences of non-compliance remain clearly in your court. This situation requires a more strategic, disciplined and long-term approach. Guidance on how to approach complex, outsourced supply chains are given in the fifth section of this paper.

6. A good software solution can substantially ease the burden. Appreciate when and how to exploit software solutions and what features to look for in a good commercial package. Section 6 sets out the key considerations in selecting a software solution and provides an example of a modern, state-of-the-art compliance solution (e.g. Brabeion Compliance Center).

By appreciating the above learning points and applying the underlying principles for the design of efficient, long-lasting compliance management frameworks, organizations should find that the burden of regulatory compliance is considerably reduced, resulting in substantial cost savings and significantly reducing the risk of non-compliance.

Up until the mid-nineties there was no generally-accepted source of appropriate IT control descriptions. Organizations were forced to carry out expensive, bespoke security risk assessments from first principles or they were condemned to discover by trial and error the painful penalties of not incorporating security controls in their information systems. Legacy security solutions for commercial systems tended to be customized, tactical and often full of holes. On the other hand, military systems relied on minimum standards based on security classifications that greatly increased their implementation costs. The publication and progressive uptake of BS7799, COBIT and ITIL, coupled with the emergence of more sophisticated risk assessment packages radically changed the nature of the problem space. Organizations today now have the benefit of many hundreds of man years of experience contained within published control frameworks and commercial software tools. But they have also inherited a patchwork quilt of similar, overlapping solutions that may offer comprehensive guidance on the choice of controls but that also require substantial filtering, analysis and interpretation for implementation.

At two opposite ends of the spectrum are the risk-based and compliance-based approaches to controls selection. The risk-based approach involves assessing the full range of potential threats, vulnerabilities and business impacts associated with an information system in order to select the most appropriate set of security and IT controls. In contrast, the compliance-based approach (also called the baseline approach) builds on the well-established principle that the vast majority of security control requirements are largely the same for all systems. Since there are already well-established collections in standards such ISO 17799, why not just implement these standards across all applications and infrastructure services? In practice, the optimum solution lies somewhere in between these two extremes, though there are still advocates of both approaches.(2)

The most important learning point is to appreciate the limitations and benefits of the two different approaches. Risk assessments produce a more tailored solution, but they are expensive and time-consuming to apply. They can lead to inconsistent results across an organization (which can be a threat to security and also drive up overall costs), and the results are only as effective as the practitioner who assessed the risks and impacts. On the other hand, the compliance-based approach will deliver faster and more consistent results (important for encouraging standardized enterprise-wide security solutions). But in the absence of a risk assessment, there may be inadequate information to determine the strength-of-mechanism for a particular control.

The optimum approach is to combine the best of both approaches:

• Apply a lightweight risk assessment process for each system to determine if the risks are significant enough to warrant a more thorough analysis.
   

• Employ a set of generalized controls as a baseline for all systems to promote consistency and standardization of controls. Screen and prioritize these controls based on predetermined risk factors such as the business criticality of the application and the security classification of the data.

One the most important learning points in compliance management is to understand and exploit the key underlying principles for designing long-lasting, low-maintenance control frameworks. (3)

Over the years, in designing, implementing and managing control frameworks for leading organizations such as Royal Dutch/Shell Group and Royal Mail Group, I have identified a number of key principles for achieving long-lasting, low maintenance frameworks. The most important ones are as follows.

A sound architecture is the key to easy navigation by users and efficient maintenance by policy and compliance managers. The top level presentation of all models and frameworks is often a political decision, as it generally reflects the preferences of its designers and their perceived view of the relative importance and hierarchy of particular subject areas and functions. What really counts in any architecture is the underlying structure, the grouping of information and the presentation of the detailed content to the actual users. A layered approach to all documentation is essential for efficient development and management. These layers should be selected based on the length of the life cycle for refreshing the information content, otherwise long-lasting content will be mixed with fast-changing text, increasing the maintenance burden. Documents that mix frequently-changing organizational and technology details with more long-lasting, broad policy statements quickly become out-of-date, requiring frequent revision.

A more sensible and recommended approach is to structure your documentation on the following lines.

• Top-level: The overall vision, scope, objectives and architecture of the compliance scheme itself which should be designed to be good for ten years.
   

• Second-level: The general organizational policies and high-level standards necessary to enforce the control requirements. These require more frequent updating, but should be good for five years, which is the typical cycle for updating established national and international standards.
   

• Third-level: The technical standards and guidance required to apply controls at the platform level. These require updating for each major release of software, and should be good for 18 months.
   

Fourth-level: The patches and other advice on recently discovered vulnerabilities in platforms, which must be addressed in real-time and applied at least weekly or monthly. By separating out these layers of control specification the content becomes easier to develop and faster to revise, as frequent updates will generally be restricted to the lower levels. It also enables standard templates to be developed for each layer, speeding the development time for new platform control guidance.

It is tempting to develop a single set of guidance for a particular compliance requirement. However, one size does not fit all and the needs of technology and people are very different. Information systems and computer platforms require precise, unambiguous, technical instructions. People require clear, non-technical guidance on the controls for which they are responsible. They also want to know why they are doing it (i.e. which precise law, regulation or corporate policy demands it) and what might happen if they fail to deliver. Technical detail will not impress them. The ideal portfolio of control guidance requires very different presentations for people and technology, each tailored to the specific characteristics and needs of the audience.

Unstructured content is difficult to navigate and maintain without a clear index of relationships between compliance requirements, policies and controls. It is tempting but short-sighted to develop policies, standards, control requirements and audit checklists as free-standing, ad hoc documents, designed to satisfy a specific purpose, at a particular time. Today's compliance requirements are not one-off requirements; they are here to stay and will only become more complex and more demanding. It will pay dividends to construct and maintain mappings of high level requirements to the detailed technical controls that are actually applied to information systems and their supporting infrastructure. Not only will this simplify future content management, it will also facilitate compliance audits and the associated pre-audit planning and preparation work.

This might seem obvious but it's surprising how many organizations fail to get this right. Guidance can be mandatory or desirable. It can be prescriptive (do it this way) or flexible (in interpretation). These characteristics often change across the various layers of control. For example it is relatively common to apply the requirements of a mandatory regulation through a flexible code of practice, which in turn is translated into a rigid technical standard. Inconsistency or lack of clarity in control descriptions is a primary cause of failure in implementing controls. The answer is to maintain a clear, consistent approach at all levels, adopting a common language that makes it completely clear whether an instruction must be followed to the letter, or can be flexibly interpreted, or can even be ignored (for example if the risk is low or the costs are high).

Building on the very first learning point: .Do not reinvent the wheel,. it is important to avoid the temptation of either importing an entire, and perhaps inappropriate, control framework from another organization, or handcrafting a complete new controls structure from scratch. These options might sound extreme, but they are not uncommon. I know one leading Fortune 100 organization who initially set out to develop a new controls framework from scratch but then quickly adopted the slogan .we will steal with pride. after being quoted tens of millions of dollars for the development of a bespoke architecture. The key to developing a successful controls framework is to understand when and what to import from the outside world and what is best developed in-house.

For example, items that do not vary much across organizations and can be safely based on external best practices would include:

• Descriptions of external compliance requirements and their translation into more specific control descriptions.
   

• High-level, generalized control descriptions as contained in standards such as ISO 17799 which are designed to be applied across a wide-range of organizations and environments.
   

• General guidance on how to translate higher-level controls into technical standards for specific platforms.(4)

On the other hands, items that vary to a much greater degree across organizations and are best tailored to the enterprise would include:

• The specific wording of corporate policy statements that need to reflect the values, culture and governance style of the organization.
   

• The actual implementation of technical standards for a particular information system or service, which may require a little tailoring to take into account the limitations imposed by the application software.(5)

Having developed, negotiated and managed contract schedules for large-scale outsourcing, I can claim direct experience of the issues managing risks and controls across complex, outsourced supply chains. I have found this to be one of the most difficult areas of compliance management, as the control of change is in the hands of the outsourcer, whereas the responsibility for meeting the compliance requirements remains firmly with the user. The secret of successful management of risks across outsourced services is in careful preparation of the contract schedules and in maintaining good relationship management with the outsourcer. Key principles for achieving this include:

• Be specific. In my experience you cannot be specific enough.(6) Write everything down. Set out every policy and standard (at every level) otherwise nothing will be guaranteed to be done.
   

• Visibility is everything. If your outsourcers do not know your requirements, then you cannot possibly know the status of their achievement against them. In the absence of clear specifications of requirements and compelling evidence of conformance then you have to assume that nothing is in place.
   

• Agree on living standards that are non-controversial and will be automatically revised. Your policies and standards will progressively become obsolete and non-compliant if you have not negotiated an agreed reference standard that is regularly updated.
   

• Maintain an improvement program for managing your legacy systems. Your outsourcer will not automatically apply new policy requirements to new systems. Expect very high charges for any changes not addressed in the original contract. You will need an agreed approach for addressing upgrades to legacy systems to meet new control requirements.
   

• Plan ahead. You cannot expect instant changes by your outsourcers to existing applications and infrastructure. They will need to be carefully negotiated and implemented at a time acceptable to your outsourcer. Demanding deadlines will naturally attract high charges.
   

• Agree on a code of practice for audits and risk assessments. Outsourcers do not like their managers and staff being constantly interrupted and they will not guarantee to make them available for audit interviews at the drop of a hat. Sudden, unscheduled demands may have an impact on contractual service levels.
   

• Agree on a joint risk management process for identifying and addressing residual risks that might not otherwise be mitigated by business-as-usual management processes.

Faced with the .alphabet soup. of complex, overlapping regulatory compliance requirements and the growing portfolio of corporate policies, standards and control frameworks, most organizations will naturally look to some form of automation or software solution. Spreadsheets might appear to be an obvious starting point, but their limitations will quickly become clear as inconsistent variants begin to proliferate across the organization. A specialized software solution based on an established, authoritative knowledge base will quickly emerge as the preferred solution. However, any new compliance management solution (whether automated or not) is costly in resources to implement across an organization and can be even more expensive to change. You may only get one shot at selecting or designing a software solution. After that, your business case and implementation budget will be exhausted. It's essential therefore to understand the key features to look for in a commercial compliance management product. Although the detailed user requirements will vary to some extent across organizations (depending on factors such as size, geography, degree of outsourcing, maturity of governance processes, etc.) there are certain key requirements that are universally needed, and if not required immediately by your organization, will most likely be useful for future phases of your compliance program.

It is important to focus not just on the immediate task at hand but also on how a software solution can support the organization throughout the full compliance lifecycle. Large-scale regulatory compliance is still a developing art, and there are few established and mature methodologies in this area. However there is a common cycle for process improvement activities that can be applied to any business improvement initiative. A good example of this is the classic Deming Cycle (7) of "Plan, Do, Check, Act". Software solutions should be designed to support all phases of this cycle, from the planning stage to the correction phase. Here are some examples of specific requirements to look for when selecting a software solution for regulatory compliance. They are features that can be found in contemporary compliance management software.

• A knowledge base that indicates the set of compliance requirements associated with all major international laws and regulations.
   

• A means of tailoring the compliance requirements to your organization based on the specific laws and regulations that apply to your businesses.
   

• An efficient means of identifying and applying updates to the corporate policies, standards and controls that are required to meet your current compliance requirements.
   

• For IT service providers, a means of identifying the specific controls required to be implemented for a particular platform or technology. For business managers, a list of the controls required to meet the compliance requirements that apply to them. (8)
   

• A means of measuring the organization's actual, current level of compliance with the specific requirements that each part of the business is expected to meet.
   

• Documentation that supports the audit process, for example by mapping a specific implemented control onto the compliance requirement that demands it.
   

• Support for translating compliance gaps into corrective actions and for prioritizing this remedial action based on risk factors such as the business criticality of the application or the security classification of the information being processed.
   

• An indication of the specific corrective action required of a particular part of the organization to pass the next audit.

A smart choice of software solution will deliver major cost benefits across the organization by speeding up and eliminating unnecessary duplication of effort in identifying compliance requirements and in planning, implementing, checking and monitoring the actual implementation of controls. This can mean a difference of several man years and many months of elapsed time in achieving a compliant status.

Brabeion Compliance Center is a good example of a state-of-the-art compliance management solution. Originally developed by PricewaterhouseCoopers LLP in the late nineties, and now in its sixth generation, it is one of the few commercial solutions that can deliver detailed guidance and mapping on all major regulatory compliance requirements from the high-level control description to the detailed implementation of controls at the actual computer platform level. Powered by comprehensive information risk and audit content developed and maintained by PricewaterhouseCoopers LLP, it is a professional and authoritative source on specific compliance requirements. The current package contains 600 policy standards and more than 5,000 IT controls and implementation guidelines. It provides full life-cycle support to the compliance management process across the organization. Software solutions such as Brabeion Compliance Center enable substantial savings in the time required to research regulatory requirements and translate them into policy, controls and technical implementation guidance, tailored specifically to the requirements of the organization.

Figure 1
Brabeion's solution enables control-based risk management, measures IT compliance, and identifies gaps.

Understanding the critical success factors in achieving efficient, effective large-scale IT compliance management systems is best done by looking at real examples from large organizations that have successfully developed and implemented long-term compliance management strategies. The following examples outline the characteristics and critical success factors of the compliance approaches taken by three different organizations.

Throughout the 1990s the Royal Dutch/Shell Group pioneered the compliance-based approach to security controls selection, beginning in 1990 with an outline Information Security Management framework, extending from high-level Group policy, through a generalized set of around 100 baseline controls (based on collected best practices from Shell operating companies) and extending to a growing portfolio of .implementation standards. (for IT platforms) and .interpretation guides. (for managers and staff). This controls framework was progressively developed and refined over the next fifteen years as new security risks, new technologies and new security solutions evolved. The content and structure of the generalized baseline controls became the primary basis of the British Standard BS7799 and enabled Shell to achieve the world's first BS7799 certification (for Shell IT services delivered across Europe). The platform standards became the basis of the Shell .Trust Domain. - an ambitious and successful scheme to certify the infrastructure controls across 200 sites in 130 countries in support of global connectivity and knowledge management. Shell's approach to information security compliance was characterized by relatively low maintenance costs, true global reach and full life-cycle compliance management. The architecture, though refreshed several times, has lasted for more than fifteen years. New compliance requirements and platform standards have been incorporated alongside existing material with minimal reworking. The critical success factors in achieving such high levels of longevity and global applicability include the following:

• Controls architecture designed and structured for long-range use and ease of updating.
   

• Consistent formats for control descriptions and guidance across all platforms and business areas.
   

• Authoritative content based on collected best practices across multiple sites.
   

• Life-cycle compliance management including formal certification processes.

The British Royal Mail Group (formerly the Post Office Group) is one of the largest employers in the UK and operates the largest retail network in Europe. It currently holds what is probably the world's largest formal BS7799 certification, extending to around 8,000 end-users in 500 buildings and encompassing an outsourced supply chain of three major vendors (CSC, BT and Xansa) who have been certified for all services delivered to the Royal Mail Group. This level of large-scale compliance management was built up from scratch over a period of around five years following the launch of a new information security function in 1999. The Royal Mail Group approach to security compliance is characterized by very low maintenance costs (indicated by a KPMG benchmarking exercise with other leading UK organizations carried out in 2003) and a marked reduction in security incidents (based on four years of historical incident data). There has also been a progressive improvement each year both in the scope, quality and presentation of security guidance and in the visibility of compliance achieved across the organization. Critical success factors in achieving this impressive level of achievement include the following.

• Forward-looking architecture designed to deliver substantial long-range improvements, rather than less ambitious short-term fixes.
   

• Maximum use of external, industry-recognized standards and certification processes.
   

• Early acceptance at Board level of compliance processes such as BS7799 certification as a target for the organization.
   

• Strong focus on .closing the loop. with enterprise-wide compliance monitoring and analysis of incident data.
   

• Strong business case for educational and compliance activities based on clear evidence of savings from reduced security incidents.

Chevron Corporation purchased the PricewaterhouseCoopers LLP Enterprise Security Architecture System (ESAS) in 2000, initially to help it document its information security strategies. Since then, the software (subsequently acquired by Brabeion) has helped Chevron to develop and efficiently maintain a comprehensive, central repository for all of its security policies and controls. This approach paid dividends when Chevron was later required to meet Sarbanes-Oxley compliance requirements. The company was delighted to discover that ESAS compliance was more than enough to demonstrate SOX IT Compliance. Chevron has subsequently obtained multiple benefits from their compliance management solution, which go well beyond simply documenting the security controls that are necessary to comply with Section 404. Their software solution has served as a prescriptive instruction manual for the organization that underpins the formulation of new information security strategy and policy. Critical success factors in achieving this include the following.

• Decision to adopt a centralized, software-based solution to develop and maintain security policies and controls.
   

• Use of externally-maintained knowledge base to deliver continuous stream of prescriptive, up-to-date instructional guidance.
   

• Authoritative source of material providing confidence in the appropriate interpretation of control requirements to support compliance demands.
   

• Strategic approach to information security and IT compliance, using the same solution to satisfy both requirements.

Regulatory compliance is a major burden for many organizations. Current and emerging trends suggest that the demands will most likely become tougher, more numerous and harder to apply within a fast-moving business environment. Most companies are looking to streamline their compliance management process to reduce the time and costs of meeting and demonstrating compliance. This paper has demonstrated that there are many practical learning points and proven principles that can be applied to streamline the compliance management process. Critical success factors include the strategic approach, the exploitation of external know-how, the design of the controls framework, and the choice of software solution. Examples from leading organizations demonstrate that the achievement of simple, efficient, long-lasting and low maintenance compliance management solutions is within the grasp of any organization.

Bibliography

(1) Alvin Toffler,
Powershift: Knowledge, Wealth and Violence at the Edge of the 21st Century . (New York: Bantam Books, 1990)

(3) By .long-lasting. I mean at least ten years without major restructuring, because that is possible and has in fact been achieved by organizations such as the Royal Dutch/Shell Group. By .low maintenance. I mean an overall framework that is fast and easy to update and requires a minimum of reworking of existing material to accommodate the changes.

Visit the Authors Web Site