Developing IT Compliance Program
Paper Type: Free Essay | Subject: Information Technology | Wordcount: 3421 words | Published: 8th Feb 2020
Abstract
Information Technology compliance is a formal program whose specific policies, actions and procedures collectively form a process to detect and eliminate violations of the laws and regulations that apply to a company. The primary purpose of an IT compliance program is to establish that the company’s 4P’s (People, Procedures, Policies and Performance) are aligned so as to achieve goals, reduce risk, and maintain healthy relationships with customers and vendors.
This paper discusses topics on how to handle an IT architecture along with challenges an organization comes across in terms of achieving compliance. Furthermore, the effectiveness of IT governance in improving the IT division is discussed. The detailed life cycle concept that an IT organization should follow in order to maintain regulatory compliance is also discussed.
Introduction
A simple way to define compliance is that it is a methodology followed by organizations to find and fix problems. The word compliance can mean different things based on who the audience is. An organization that serves as a software provider for pharmaceutical companies might be more aligned towards the FDA and GMP regulations for their compliance and a manufacturing organization might have different compliance regulations.
Regulations and standards such as Sarbanes-Oxley, HIPAA and PCI provide guidelines on how a compliance program should be established and maintained. This paper touches upon areas that an IT organization should consider while implementing a compliance program that is in line with its standards and business model.
It also lists the advantages and disadvantages of maintaining a compliance program while also adhering to all the organizational ethics and policies.
Challenges IT divisions face in achieving regulatory compliance.
IT Governance.
IT governance comprises a formal system that aligns the IT strategy with the business strategy by following a formal framework. The program also takes the interests of stakeholders and associates into account and makes them an integral part of it. IT governance is now implemented to keep information, business records and financial accounts protected, and to meet this requirement most companies adopt a formal IT governance framework. It is implemented by most organizations in both the public and private sectors. Each organization chooses a different framework from among the following types (Butler, T., & McGovern, D., 2012):
- COBIT
- ITIL
- COSO
- CMMI
- FAIR
There are also certain challenges frequently faced while achieving the regulatory compliance involving IT governance. The five main challenges are:
- BYOD
- Software Management
- GDPR
- EDI/Vendor Management
- IoT
BYOD, i.e. ‘Bring Your Own Device’, can create a security vulnerability through breaches of data on mobile or laptop devices that are not covered by the IT security systems; devices covered by IT security can be protected against breaches of their data. Software management also plays a very important role, as patches are frequently released for operating systems and should always be applied to keep the operating system and its firewall updated and secure. GDPR, i.e. the General Data Protection Regulation, which was made effective in 2015 and has now been made mandatory across all organizations, helps keep data protected and goes further by respecting an individual’s privacy as well. EDI/vendor management is yet another challenge to IT governance compliance, as, according to a study, 60% of data breaches happen through third-party vendors. It is always better to have a preferred vendor who can be trusted, who has been with the organization for a long period and who has no record of any registered issues. The most challenging part of IT governance compliance is the ‘Internet of Things (IoT)’, given the massive growth in endpoints and interconnected devices. Until now, the most lagging security standards have been those of the internet, which is used in all sectors and could lead to breaches of business, financial, inventory and other sensitive information (Butler, T., & McGovern, D., 2012).
Complying with IT governance involves a number of challenges, but it is recommended that every organization goes through the implementation, faces those challenges and implements IT governance successfully, as it protects the organization against most of the ways a security breach could happen and helps keep the organization’s and its clients’ data safe and secure (Sadikin, M., & S. K., P., 2018).
Assess how IT governance will improve the effectiveness of the IT Division to attain regulatory compliance.
Ensuring that IT governance will actually improve regulatory compliance in an organization is of utmost importance to the compliance team. The bare minimum anyone can do to start is to make sure that the written SOPs (Standard Operating Procedures) are followed, so that no auditor is taken aback by any discrepancies. Clients are always anxious about their suppliers being compliant with the regulations, and if they are not, regulatory sanctions can damage the organization’s credibility in an irreversible way.
Even where there is an opportunity to cut costs and make necessary organizational changes, it is important to make sure that all compliance procedures are still followed (Sadikin, M., & S. K., P., 2018).
Regulatory compliance involves numerous IT activities, and effective IT governance helps prioritize them. The purpose of IT governance is to ensure that IT assets, and the data held in those assets, are managed in a way that meets the institution’s objectives. Every institution, whether large or small, public or private, needs a way to ensure that the IT function supports the organization’s strategies and objectives. Regulatory compliance is about control and the proper flow of people and processes. The IT governance framework provides that structure of roles and responsibilities, processes, controls, a rule-enforcement framework and auditing of those frameworks, and much more besides management capabilities, all of which are extremely useful in achieving regulatory compliance (Sadikin, M., & S. K., P., 2018).
Advantages of implementing a quality IT governance initiative.
There are various advantages to executing an IT governance initiative. The first is in aligning IT resources with the overall business objectives. ISACA has reported the following five beneficial outcomes derived from a solid IT governance structure (Lindros, K., 2017):
- Increased transparency and accountability that supports optimal decision-making.
- Identifying stakeholder value and areas for greater ROI.
- Improved value opportunities, partnerships, and joint ventures.
- Benchmarked performance improvements that measure business value.
- Reduced risk and enhanced external compliance controls.
Develop a broad vision, an architecture, and a detailed plan of action that follows a life cycle concept.
To develop and implement a compliance program, we have to follow certain standards to bring it up to the mark so that IT meets its requirements. We must create an effective compliance and ethics program, which we call a C&E program.
The project life cycle definition will also determine which transitional actions at the end of the project are included and which are not. The phase sequence defined by most project life cycles generally involves some form of technology transfer or hand-off, for example requirements to design, construction to operations, or design to manufacturing. Sometimes, when the risks involved are deemed highly acceptable, subsequent phases will begin before the deliverables of the previous phase are complete (Suardi, L., 2004).
The life cycle of a project generally defines:
- What technical work is to be delivered in each phase
- The resources involved in each phase
Project life cycle descriptions should be very detailed, including various forms, charts, and checklists to provide structure and consistency. Most project life cycle descriptions share several common characteristics: cost and staffing levels are low at the start, higher towards the end, and drop rapidly as the project draws to a conclusion. A general life cycle is given below (Suardi, L., 2004):
• The probability of successfully completing the project is lowest, and hence risk and uncertainty are highest, at the start of the project. The probability of successful completion generally gets progressively higher as the project continues.
• The ability of the stakeholders to influence the final characteristics of the project’s product and the final cost of the project is highest at the start and gets progressively lower as the project proceeds. A major contributor to this phenomenon is that the cost of changes and error correction generally increases as the project proceeds. Care should be taken to distinguish the project life cycle from the product life cycle. For instance, a project undertaken to bring a new workstation to market is only one stage or phase of the product life cycle (Suardi, L., 2004).
The figure below describes a construction project life cycle:
• Feasibility of the project — formulation of the plan, studying whether it is feasible or not, and the strategic approval. A go/no-go decision is made at the end.
• Design and planning — the original design, cost and plan (the schedule), the terms and conditions, and the detailed planning. Contracts are developed in this phase.
• Production — the actual manufacturing, delivery of the product, installation, and testing of the product are done in this phase.
• Startup and turnover — the final testing and maintenance of the product.
In information technology, architecture plays a significant role in the areas of business modernization, IT transformation, software development, and other major initiatives within the enterprise. IT architecture is used to implement an efficient, flexible, and high-quality technology solution to a business problem, and is classified into three distinct categories: enterprise architecture, solution architecture and system architecture. Each of these classifications differs in its implementation and design, depending on the contextual business scope, organizational structure, and corporate culture (Q. He, 2013).
The figure below shows the architecture development life cycle:
Assess all key business processes and IT compliance factors and link to all business processes (financial and non-IT) to develop an aggregate vision of IT compliance.
Aggregate Vision of IT Compliance.
Developing an aggregate and effective IT compliance program is a task that involves considerable research and consideration of a number of key factors in its implementation, which together keep the organization compliant and secure. A few key areas need to be concentrated on while aiming for effective IT compliance: business/organization benefits, return on investment, business/organization value, the business/organization case, and the realized benefits to the business/organization. Before digging deep into the necessity of effective IT compliance, there are also a few key factors that always need to be considered, according to research by senior analyst Joe Hayes: build a positive reputation, improve productivity and establish effective IT governance that secures the organization and its clients while respecting everyone’s privacy. Coming to the elements of effectiveness, there are some key points that need to be considered (Awad A., Pascalau E., Weske M., 2010):
- Alliance with corporate mission.
- Risk identification within and outside the organization.
- Conducting appropriate training.
- Conducting appropriate internal monitoring and auditing.
- Develop open lines of communication and enforce disciplinary standards throughout the organization.
After thorough research on all of the factors and elements mentioned above, and having formed a clear vision of the effectiveness of the IT governance implementation, comes the main part: monitoring and reviewing the implementation of IT governance. This needs to be done in a very professional way under the guidance and monitoring of a senior business analyst who has keen knowledge of the organization and who can be trusted, as this is where nothing can be compromised. A few of the duties involved are (Awad A., Pascalau E., Weske M., 2010):
- Testing compliance effectiveness:
a) Ensure all employees have signed and promote adherence to the laws and regulations.
b) Make sure of the licenses and insurance coverage involved in compliance.
- All monitoring should be done by someone who is independent of any factors within and outside the organization.
- Both the organization and the regulatory bodies should set monitoring activities.
- Fraud training also needs to be done according to the laws enforced in the area where the organization is established.
Putting it all together, it can be concluded that IT compliance effectiveness depends on many factors from within and outside the organization, including satisfying the clients and the whole organization and respecting each individual’s privacy with regard to their data.
Conclusion
The IT compliance program cannot be conceived in isolation and devoid of the key links to non-IT and financial compliance. Effective IT compliance requires an aggregate vision and architecture to achieve compliance that goes beyond becoming infatuated with a given control framework.
Working with all stakeholders involved in the compliance program implementation and understanding the long-term implications of the program would go a long way in ensuring that compliance is not just something that has to be followed but it is in fact something that is an integral part of everyday duties.
References
- Implementing IT Governance to Ensure Regulatory Compliance. (n.d.). Retrieved from https://er.educause.edu/articles/2017/4/implementing-it-governance-to-ensure-regulatory-compliance
- Lindros, K. (2017, July 31). What is IT governance? A formal way to align IT & business strategy. CIO. Retrieved from https://www.cio.com/article/2382445/compliance/compliance-7-biggest-it-compliance-headaches-and-how-cios-can-cure-them.html
- ITIL – the IT Infrastructure Library for IT Service Management (ITSM): https://www.itgovernance.co.uk/itil
- http://0-eds.b.ebscohost.com.library.acaweb.org/eds/ebookviewer/ebook/bmxlYmtfXzM5MTE0MF9fQU41?sid=83ae78ec-52fa-4eb4-9494-ec6fce871adc@sessionmgr120&vid=2&format=EB&rid=17
- DeZoort, F. T., (1997), An Investigation of Audit Committee’s Oversight Responsibilities, Abacus, 33, pp. 208-227
- Organisation for Economic Co-operation and Development (OECD), (1999), Principles of Corporate Governance, OECD, France.
- L.T. Ly, C. Indiono, J. Mangler, S. Rinderle-Ma, Data transformation and semantic log purging for process mining, in: International Conference on Advanced Information Systems Engineering, 2012, pp. 238–253.
- Awad A., Pascalau E., Weske M. Towards instant monitoring of business process compliance. EMISA Forum. 2010;30(2):10–24.
- Q. He, Detecting runtime business process compliance with artifact lifecycles, in: Service-Oriented Computing Workshops, 2013, pp. 426–432.
- https://compliance.com/industry-news/advice-converting-compliance-plans-compliance-programs/
- Sadikin, M., & S. K., P. (2018). The Implementation of E-learning System Governance to Deal with User Need, Institution Objective, and Regulation Compliance. Telkomnika, 16(3), 1332. Retrieved from http://0search.ebscohost.com.library.acaweb.org/login.aspx?direct=true&AuthType=ip,cpid,url&custid=s4338230&db=edb&AN=129380857
- Butler, T., & McGovern, D. (2012). A conceptual model and IS framework for the design and adoption of environmental compliance management systems. Information Systems Frontiers, 14(2), 221. Retrieved from http://0search.ebscohost.com.library.acaweb.org/login.aspx?direct=true&AuthType=ip,cpid,url&custid=s4338230&db=edb&AN=74574484
- Brown, B. (n.d.) Step-by-step enterprise risk management. Risk Management Magazine. Retrieved May 14, 2007, from http://www.rmmag.com/MGTemplate.cfm
- Ward, B. (n.d.). The new accountability: Part 1. Retrieved November 21, 2007, from http://templates.haleymail.com/haley%5Ftemplates/index.smpl?art=2998&aid=242&database=company
- Dean, J. W. & Sharfman, M. P. (1996). Does decision process matter? A study of strategic decision-making effectiveness. Academy of Management Journal, 39, 368-396. Retrieved April 26, 2007.
- Suardi, L. (2004). How to Manage Your Software Product Life Cycle with Maui. Communications of the ACM, 47(3), 89. Retrieved from http://0search.ebscohost.com.library.acaweb.org/login.aspx?direct=true&AuthType=ip,cpid,url&custid=s4338230&db=edb&AN=12456357