Indian companies face an unenviable mix of rapidly evolving threats on the one hand and a host of regulatory and compliance mandates on the other. Organizations today have to keep pace with multiple prescriptive mandates as well as persistent threats, a task that is constantly becoming tougher.
In this tip, I will discuss how you can reduce the burden on your audit mechanism while managing multiple compliance mandates using certain best practices. By closely scrutinizing your control framework, you can reduce repetition, redundancy and the attendant waste of resources, as well as optimize your management of multiple compliance requirements.
To achieve optimal implementation and management of multiple compliance requirements, start with a thorough understanding of each mandate and the control expectations associated with it. Without this, any attempt at the exercise will be futile. At Bank of India, my team has acquainted itself comprehensively with the compliance and regulatory requirements we adhere to, such as the Reserve Bank of India's (RBI) banking guidelines, the Indian IT Act (and its subsequent amendments), the Sarbanes-Oxley Act of 2002 (SOX), the Monetary Authority of Singapore's (MAS) guidelines for risk management, the Federal Financial Institutions Examination Council (FFIEC) guidelines for online authentication, National Institute of Standards and Technology (NIST) publications and the ISF Standard of Good Practice. We have automated Bank of India's multiple compliance management process by developing an in-house control monitoring application (a GRC client) on the Microsoft .NET Framework, with MySQL as the backend.
Whether the exercise is automated or conducted manually, the fundamental principles remain the same. It revolves around two basic prerequisites.
1. The control library
To begin with, an organization planning to optimize the management of multiple compliance requirements should create a control library. The control library is a list of all controls to be implemented per compliance and policy requirements. Each entry in the library should record the control statement, the process to be implemented for the control, the designated monitor, the impact of non-implementation of the control and the compliance requirements associated with the control.
2. IT domains
Control libraries must be developed domain-wise for effective multiple compliance management. At Bank of India, we have separate control libraries for database management, asset management, application security, governance and so forth. Our control library has 22 separate IT domains. Controls are assigned to these domains and marked against the relevant compliance or regulatory requirement(s). This comprehensive control library is part of our bank's annual risk assessment exercise. It lets us monitor multiple compliance requirements from a single window and track implemented controls. Additionally, Bank of India's compliance tracking mechanism can assign risk scores based on the status of the controls in the library, providing metrics that feed into our risk assessment exercise.
Incremental control addition
Once the control library has been created and classified by domain, complying with a new standard becomes a straightforward matter of incrementally adding controls to the library. For instance, after achieving ISO 27001 compliance in 2006, Bank of India has used it as a baseline against which each subsequent compliance mandate is compared incrementally.
Later, when Bank of India took up PCI DSS, RBI and MAS compliance, the corresponding controls that were already in place were noted domain-wise, and we had to address only the controls specific to these mandates. These new controls are also added to the annual risk assessment exercise for every business unit under scrutiny. Incremental addition eliminates the need for risk assessment in silos.
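As an added example, not the bank's GRC client or any code from the original article, here is a minimal control library in Python modelling the entries described above, with the incremental addition of a new mandate and a per-domain risk score based on control status. All control ids, statements, domains and mandate mappings are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    control_id: str
    domain: str          # IT domain, e.g. "database management"
    statement: str       # control statement
    process: str         # process to be implemented for the control
    monitor: str         # designated monitor
    impact: int          # impact of non-implementation, 1 (low) to 5 (high)
    mandates: set = field(default_factory=set)  # mandates requiring this control
    implemented: bool = False

# Constructed baseline library, with ISO 27001 as the baseline (as in the text).
LIBRARY = {
    "DB-01": Control("DB-01", "database management", "Database access is logged and reviewed monthly",
                     "Enable audit logging; DBA reviews the log extract", "DBA lead", 4, {"ISO 27001"}, True),
    "AS-01": Control("AS-01", "application security", "Web applications are vulnerability tested annually",
                     "Authenticated scan; findings tracked to closure", "AppSec lead", 5, {"ISO 27001"}, True),
    "GV-01": Control("GV-01", "governance", "Information security policy is reviewed annually",
                     "CISO review and board sign-off", "CISO", 3, {"ISO 27001"}, False),
}

def add_mandate(library, mandate, required):
    """Incrementally add a mandate. `required` maps control id -> Control for each
    control the mandate demands. Controls already in the library are only tagged
    with the new mandate; returns the ids that were new (specific to the mandate)."""
    new_ids = []
    for cid, ctrl in required.items():
        if cid in library:
            library[cid].mandates.add(mandate)  # already in place: note it domain-wise
        else:
            ctrl.mandates.add(mandate)
            library[cid] = ctrl
            new_ids.append(cid)
    return new_ids

def domain_risk_scores(library):
    """Risk score per domain: summed impact of controls not yet implemented."""
    scores = {}
    for ctrl in library.values():
        scores.setdefault(ctrl.domain, 0)
        if not ctrl.implemented:
            scores[ctrl.domain] += ctrl.impact
    return scores

# Constructed PCI DSS requirement set: DB-01 overlaps the baseline, DB-02 is new.
PCI_REQUIRED = {
    "DB-01": Control("DB-01", "database management", "Database access is logged and reviewed", "", "", 4),
    "DB-02": Control("DB-02", "database management", "Cardholder data is encrypted at rest",
                     "Enable encryption; keys held under dual control", "DBA lead", 5),
}
```

Running `add_mandate(LIBRARY, "PCI DSS", PCI_REQUIRED)` tags DB-01 with the second mandate and reports only DB-02 as a control that still needs implementing, which is the gap the annual risk assessment then picks up.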
Control interpretation is a common problem in multiple compliance implementation and management exercises: the same control is interpreted differently under different compliance frameworks. To adhere effectively and ensure proper implementation of a control that is common to multiple compliance requirements, each framework's expectations of that control should be brought under a single umbrella (within a domain). This is mandatory before attempting to implement the control.
The next significant challenge is to familiarize yourself extensively with each standard to be complied with, which can be a gargantuan task. Remember, however, that the requirements posed by each compliance framework should be mapped to your own policy framework and environment. This is essential to properly populate the control library, and must not be ignored at any cost.
About the author: Sameer Ratolikar is the CISO of Bank of India. You can read his full profile here.
(As told to Varun Haran)