7 Steps to Build an Effective Corporate Compliance Strategy
What is this webinar about?
The world around us is changing rapidly, and it is hard to stay on top of it all and be successful while still respecting the compliance rules we all face. This webinar is a ramp-up and awareness session on Corporate Compliance Strategy, based on our know-how at Cambridge Technology Partners.
We answer questions like:
o "How do we discover which information is valuable to our organization?"
o "How can we protect our assets in a pro-active manner?"
o "Which tools bring real added value?"
In a quick 7-step process we break down the basics of compliance and why it matters. This gives you a clear view of the information you need to get started and lets you focus on the things that matter most to your organization.
If your organization has tons of content and a high need for compliance but you don't know where to start, then this webinar is just what you need!
Who am I?
Cambridge Technology Partners; contact me at [email protected] or on LinkedIn
Emmy, Elodie and Sinto
Our deep-dive today. Let's go ...
o Awareness: Understanding Compliance
o Compliance Jungle
o Where do we go from here?
o Brilliant demo: AvePoint's Compliance Guardian
Definition of Governance
"Governance is the set of policies, roles, responsibilities, and processes that guides, directs, and controls how an organization's business divisions and I.T. teams cooperate to achieve business goals."
- Microsoft
What about Compliance?
Things we need or create: Critical Data, Personal Data, Sensitive Data, Intellectual Property
Things we're told to do by: Regulatory, Contractual, Legal, Industry standards
Governance Magic: a set of policies, roles, responsibilities, and processes
+ Tools to help us protect our assets
Compliance means incorporating standards that conform to specific requirements
Why start taking compliance seriously only after you feel the pain?
64% of data breaches are tied to human error or out-dated systems.
€301M: last year's financial loss for not having the situation under control, in western Europe alone.
11% have some sort of Governance, Risk or Compliance process in place, but none have any idea where the gaps are.
56% of organizations are hacked or have information stolen without realizing it.
73% of organizations are unaware of the type of information they're producing and its value.
Preventing is always better: reputational damage, penalties and fines, data breaches.
Most threats come from the inside.
Challenges organizations face
Security: no visibility. Manual processes. Compliance audits.
o The information produced is growing too fast.
o Rapid change or expansion of rules and regulations.
o Failed before, or will fail when an audit is held.
o Problems with reporting.
o Limited staff and resources.
o Don't know what other business processes are doing or what's important to them.
o No alerting when information has expired or needs to be reviewed.
o No idea of the type of information and its value.
o No security or encryption to protect data.
o Physical information visible to non-employees.
o Permission and security model is a mess or unclear.
o No warning or alert mechanism.
Drivers, Motivators and Benefits
INCREASE SECURITY
NECESSITY FOR INDUSTRY CERTIFICATION
VISIBILITY ON INFORMATION STREAMS
ABILITY TO BE PRO-ACTIVE
SUPPORT BUSINESS PROCESSES
Collaboration with confidence: it's a balancing act and a trade-off at the same time
Transparency / Collaboration / Data Protection / Data Management
Too strict or too loose?
Key takeaways
o Compliance is not boring, it's cool.
o The risk is out there, start taking it seriously.
o Don't overdo it and let it become a paper process.
o Start today!
Types of regulations. Regulations arise or change very rapidly.
Health and Safety, Accessibility, Security, Quality Control, Privacy
Where does this come from? Governments and organizations who define standards, like NIST, AIIM, ISO, FINMA and others.
Some examples:
Accessibility Compliance
o Section 508 and 508 Refresh
o Web Content Accessibility Guidelines (WCAG) 1.0
o Web Content Accessibility Guidelines (WCAG) 2.0
o Canadian Government Common Look and Feel (CLF)
Privacy Compliance
o COPPA
o Gramm-Leach-Bliley Act (GLBA)
o California SB 1386 and AB 1950
o European Union Safe Harbor
o US Section 208
o Privacy Act of the USA
o UK Data Protection Act
Records Management
o Sarbanes-Oxley (SOX)
o Operational Security (OPSEC)
o Export Control Requirements
o Brand and Site monitoring
o Bad or Broken Links
o Metadata Policy
o Improper words or phrases
o Identity mismanagement
o Marketing Standards
Metadata Policy
o Risk Level Tagging
o Dublin Core Metadata Initiative
o Z39.50 Tagging
o Custom Vocabularies
o Pointer Records
Information must be accessible and available to the people who should have access to it, and protected from the people who should not!
HIPAA: Health Insurance Portability and Accountability Act
A few key criteria
o Data encryption
o Information can never be lost
o Only accessible to authorized people
Industry focus: Pharmaceuticals / Health Care / Insurance
Summary: Regulations protecting the privacy and security of certain health information
PCI DSS: Payment Card Industry Data Security Standard
A few key criteria
o Build and maintain a secure network
o Encrypt transmission of cardholder data across open, public networks
o Strong access control measures
o Track and monitor all access to cardholder data
Industry focus: Finance / Retail, or any industry involved in some sort of financial transaction
Summary: The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
SOX: Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley)
Industry focus: Every organization that wants to be listed on a US stock exchange or do business with the US government
Summary: In a nutshell it comes down to "Corporate Accountability and Responsibility". You know what's going on in the organization and have complete control and overview at all times. This includes financials, products and services.
21 CFR Part 11: Electronic Records, Electronic Signatures, Scope and Application
Industry focus: All industries which have to have some sort of quality control and trace system in place
Summary: FDA Part 11 specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted. Its primary benefit is to assure the quality and performance of the systems deployed to manage any cGxP process.
NEW TREND OR RISK FOR THE FUTURE
Digital transformation: in order to stay ahead of the game, customer engagement services
Compliance needs to become a service partner / align with the business / make it more customer-focused / protect the company's assets
Key takeaways
o Similarities between regulations
o Adjust to business needs and speed
o Know your regulations and know your business processes
How to keep a grip on the situation: the Compliance Life-cycle
Prevent -> Detect -> Track -> Respond and Resolve
Prevent
o Know what to prevent
o Know from what to prevent it
o Know why to prevent it
o Security policies
o Rights Management policies
o Separation of duties
o Four-eyes checks
o Secure and encrypted access
Detect
o Classification by metadata
o Content ID
o Image recognition
o QR or barcodes
o Scan for keywords or phrases
o Custom triggers and rules
Respond and Resolve
o Direct lock or quarantine
o Alerts and notifications
o Real-time scanning
Track
o Gain understanding and insights, compliance dashboards
o Automation of reports
o Monitoring and notifying
o Use metrics that make sense
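The detect, respond and track stages listed above are what a content scanner automates. The Python script below is an added illustration, not code from the webinar or from AvePoint; the rule set, the document names and the sample texts are constructed for the example, and the SSN rule is only one assumed shape of a personal identifier. It scans a handful of documents for card numbers (validated with the Luhn checksum so that a 16-digit order number is not reported as PCI data), a US-SSN-shaped number and a "confidential" marker, tags each document, decides whether to quarantine, alert or allow it, masks the evidence so the audit trail does not re-leak the data, and rolls the verdicts up into the kind of numbers a compliance dashboard shows.

```python
"""Minimal DLP-style scanner for the detect / respond / track stages.

Added example, not from the webinar or AvePoint. RULES and SAMPLE_DOCS are
constructed for illustration; a real deployment loads rules per regulation.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def luhn_ok(number: str) -> bool:
    """Luhn checksum on the digits of `number`; True for a plausible card PAN.

    Used as a validator so that random 13-19 digit strings (order numbers,
    tracking IDs) are not reported as PCI data: false positives bury real hits.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    tag: str                      # classification tag attached to the document
    action: str                   # "quarantine" (lock it) or "alert" (notify only)
    pattern: re.Pattern
    validate: Optional[Callable[[str], bool]] = None


# Constructed rule set: one PCI rule, one PII rule, one custom keyword trigger.
RULES = (
    Rule("card-number", "PCI", "quarantine",
         re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_ok),
    Rule("us-ssn", "PII", "quarantine",
         re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    Rule("confidential-marker", "Confidential", "alert",
         re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE)),
)


@dataclass(frozen=True)
class Finding:
    doc_id: str
    rule: str
    tag: str
    action: str
    evidence: str                 # masked: the audit trail must not re-leak the data


def mask(value: str) -> str:
    """Keep only the last four characters so the log itself stays compliant."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan(doc_id: str, text: str) -> List[Finding]:
    """Detect: run every rule over the document and collect validated hits."""
    findings = []
    for rule in RULES:
        for match in rule.pattern.finditer(text):
            hit = match.group(0)
            if rule.validate is not None and not rule.validate(hit):
                continue      # pattern matched but checksum failed: not a PAN
            findings.append(Finding(doc_id, rule.name, rule.tag, rule.action, mask(hit)))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Respond: the strictest action among the findings wins."""
    if any(f.action == "quarantine" for f in findings):
        return "quarantine"
    if findings:
        return "alert"
    return "allow"


def dashboard(docs: Dict[str, str]) -> dict:
    """Track: per-document verdicts plus the roll-up a compliance dashboard shows."""
    verdicts = {doc_id: verdict(scan(doc_id, text)) for doc_id, text in docs.items()}
    counts = Counter(verdicts.values())
    total = len(docs) or 1
    return {
        "verdicts": verdicts,
        "counts": dict(counts),
        "clean_pct": round(100 * counts["allow"] / total),
    }


# Constructed sample documents (not real data).
SAMPLE_DOCS = {
    "invoice-0042.txt": "Customer paid with card 4111 1111 1111 1111, ship by Friday.",
    "order-0017.txt": "Order reference 1234 5678 9012 3456 confirmed.",   # fails Luhn
    "hr-memo.docx": "CONFIDENTIAL: salary review. Employee SSN 123-45-6789.",
    "lunch-menu.txt": "Today's menu: soup and sandwiches.",
}

if __name__ == "__main__":
    for doc_id, text in SAMPLE_DOCS.items():
        for f in scan(doc_id, text):
            print(f"{f.doc_id}: {f.rule} [{f.tag}] -> {f.action} ({f.evidence})")
    print(dashboard(SAMPLE_DOCS))
```

The validator hook is the part worth copying: a bare regex for "16 digits" fires on order numbers, tracking IDs and timestamps, and a team that gets buried in those alerts starts ignoring the real ones. Masking the evidence before it is written to the findings store matters for the same reason the scan exists: the compliance log is itself a document that falls under the regulation.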
Compliance recipe: high-level focus on where to start
1. Positioning
2. Preparation
3. Identification of information and its value
4. Standards and Regulations
5. Match the Similarities
6. Turn it into a daily process
7. Automated tooling
1. Positioning
Compliance shouldn't be treated as a project or as a bolt-on, but should be at the center of the business.
2. Preparation: those who fail to prepare should prepare to fail
Define your compliance goals, set a vision
o Tighter security
o Efficient collaboration with partners
o Transparency
o Industry certification
Understand criteria and benchmarks
o How do I know if I'm compliant?
o What does the information tell me?
o How can I use it to support business activities?
Gather your team of experts
o From within and outside the company (Legal, HR, IT, etc.)
o Know what they are doing and what's important to them.
Commitment and authority
o If the driver holds the keys, they drive, not the owner or passengers.
o Management commitment and sign-off
3. Identification of information and its value
Identify the type of data your organization produces
o What's the value to the user and the company?
o What product, process or service depends on it?
Accuracy
o Check if the information is still accurate and reliable.
o Are we all working with the same version?
o When was it last checked?
Automatic tooling
o Use the right tools in conjunction with the existing infrastructure to enforce and control policies.
o Guide people through a process to reduce mistakes.
o Classification and auto-tagging
4. Standards and Regulations: they are all different
Identification
o Summarize all the regulations you need to be compliant with.
o Figure out the similarities.
o Find out your company's strong points and weaknesses.
Industry overlap
o The term industry is really broad. If you're an airline and clients can book tickets directly, you also need to be compliant with certain financial regulations.
Country
o Regulations are derived from each other but might be stricter depending on your country, your supplier's or your client's location.
Industry certification
o Do you need to be certified in a specific field?
o Do the industry certifications differ per country?
(Diagram: Regulation Type A and Type B across Country A and Country B)
5. Match the similarities
o Prioritize: which one is most important?
o Which product or service does it overlap with?
o Who's responsible for what?
o What are the quick wins?
o Categorize them by
6. Turn it into a daily process: everyone is responsible, so get them involved
How compliant are you?
o Analyze and fill in the gaps to improve.
Monitor
o Monitor regulation changes
o Monitor business needs
o Align with company vision and strategy
Reporting
o Build useful reports
o Build compliance dashboards for live changes (Power BI)
o Know what information you produce and who uses it.
o Where is it stored now?
Activities
o Report the right information to the right people
o Delegate tasks
o Compliance and protecting your organization's assets is a team effort
How do you know if your compliance is going the right way? Constant monitoring and reporting is key.
(Example dashboard: "Compliant to criteria ABC" vs. "Not yet compliant", 63% / 37%)
o Define the different reports you need for the regulations
o Define your criteria on what you need to report
o Create compliance dashboards (Power BI)
o Know who's responsible for which part of the business process and delegate the task
Identify the capabilities of the tools within your existing software portfolio: what they can do and how they can help you on your compliance journey. Analyse the gaps.
Capabilities: User Repository, Workflow, Full-fidelity Data Protection and Recovery, Audit trailing, Logging, Separation of Duties, Notification, Identity and Access Management, Authentication mechanism, Alerts, Data Loss Prevention, eDiscovery and Vault mechanisms, Bring Your Own Device, Mobile and Mobility, Social Media, Hardware Appliances, PowerShell
Tools: Office 365, SharePoint, Exchange, OneDrive, Skype for Business, Azure Rights Management, Intune, SAP
7. Automated tooling
Most of them will help you in a preventive way, with the exception of DLP and IRM.
AvePoint, filling the gaps: SharePoint, Office 365, Yammer, File shares and more
Prevent: Governance Automation, Compliance Reports, Administrator
Detect: Compliance Guardian
Track: Vault, eDiscovery, Compliance Reports, Administrator
Respond and Resolve: Compliance Guardian, eDiscovery, Compliance Reports
AvePoint Compliance Guardian provides an automated risk-mitigation system to scan, classify, protect, and audit collaborative environments.
Key takeaway summary
o Align with business needs
o Balance and trade-offs
o Don't wait
o Know your organization's values and importance
o Keep it simple
o Compliance is broader, look further than the tip of your nose
Now it's your turn to become compliant! If you need some help we're just a few mouse clicks away...
Questions and feedback are highly appreciated.
Not a big talker? Just send us an e-mail: [email protected]@outlook.com
Thank you for your interest
Resources and References
Abbreviations
o AIIM: Association for Information and Image Management
o NIST: National Institute of Standards and Technology
o CFR: Code of Federal Regulations
o cGxP: Current Good X Practice (FDA compliance; X can mean Clinical, Laboratory, Manufacturing, Pharmaceutical)
o FINMA: The Swiss Financial Market Supervisory Authority
o GRC: Governance, Risk and Compliance
Resource links
o Compliance Guardian introduction video
o What is Microsoft Azure Rights Management