7 Steps to Build an Effective Corporate Compliance Strategy


The world around us is changing rapidly, and it's hard to stay on top of it all while staying successful and respecting compliance rules, as we are all experiencing. This webinar is a ramp-up and awareness session on Corporate Compliance Strategy based on our know-how at Cambridge Technology Partners.

We answer questions like:

o “How do we discover which information is of value to our organization?”

o “How can we protect our assets in a pro-active manner?”

o “Which tool will bring some real added value?”

In a quick 7-step process we break down the basics of why compliance matters. This gives you a good overview to get you started and to focus on the things that matter most to your organization.

If your organization has tons of content and a high need for compliance but you don’t know where to start, then this webinar is just what you need!

What is this webinar about?

Who am I?

Cambridge Technology Partners

[email protected] or LinkedIn

Emmy, Elodie and Sinto

Our deep-dive today. Let's go…

AWARENESS: UNDERSTANDING COMPLIANCE

COMPLIANCE JUNGLE

WHERE DO WE GO FROM HERE?

BRILLIANT DEMO: AVEPOINT'S COMPLIANCE GUARDIAN

Awareness: Understanding Compliance

Compliance should not be a burden nor be an obstacle for daily business activities

First some clarifications

“Governance is the set of policies, roles, responsibilities, and processes that guides, directs, and controls how an organization’s business divisions and I.T. teams cooperate to achieve business goals.”

- Microsoft

Definition of Governance

What about Compliance?

Things we need or create: Critical Data, Personal Data, Sensitive Data, Intellectual Property

Things we’re told to do by: Regulatory, Contractual, Legal, Industry standards

Governance Magic: a set of policies, roles, responsibilities, and processes

+

Tools: to help us protect our assets

Compliance means incorporating standards that conform to specific requirements

FROM THIS MOMENT ON COMPLIANCE IS COOL, SERIOUS AND ADAPTS AT BUSINESS SPEED

64% of data breaches are tied to human error or outdated systems.

€301M: last year’s financial loss from not having control of the situation, in Western Europe alone.

Why start taking compliance seriously only after you feel the pain?

11% have some sort of Governance, Risk or Compliance process in place, but none have any idea where the gaps are.

56% of organizations are hacked or have information stolen without realizing it.

73% of organizations are unaware of the type of information they’re producing and its value.

Preventing is always better

Reputational Damage

Penalties and Fines

Data breaches

Most threats come from the inside

Learn and Respond!

Who’s responsible for the information produced?

o The information produced is growing too fast.

o Rapid change or expansion of rules and regulations.

Compliance Audits

Challenges organizations face

Security

No visibility

Manual Process

o Failed before or will fail when an audit is held.

o Problems with reporting.

o Limited staff and resources.

o Don’t know what other business processes are doing or what’s important to them.

o No alerting when information has expired or needs to be reviewed.

o No idea of the type of information and its value.

o No security or encryption to protect data.

o Physical information visible to non-employees.

o Permission and security model is a mess or unclear.

o No warning or alert mechanism.

Drivers, Motivators and Benefits

INCREASE SECURITY

NECESSITY FOR INDUSTRY CERTIFICATION

VISIBILITY ON INFORMATION STREAMS

ABILITY TO BE PRO-ACTIVE

SUPPORT BUSINESS PROCESSES

Collaboration with confidence: it’s a balancing act and a trade-off at the same time

Transparency Collaboration Data Protection Data Management

Too strict or Too loose

Compliance is not boring, it’s cool

The risk is out there, start taking it seriously

Don’t overdo it and let it become a paper process

Start today!

Key takeaways

Compliance jungle: What’s out there

Accessibility Compliance

o Section 508 and 508 Refresh

o Web Content Accessibility Guidelines (WCAG) 1.0

o Web Content Accessibility Guidelines (WCAG) 2.0

o Canadian Government Common Look and Feel (CLF)

Privacy Compliance

o COPPA

o Gramm-Leach-Bliley Act (GLBA)

o California SB1386 and AB 1950

o European Union Safe Harbor

o US Section 208

o Privacy Act of the USA

o UK Data Protection Act

Records Management

o Sarbanes-Oxley (SOX)

o Operational Security (OPSEC)

o Export Control Requirements

o Brand and Site monitoring

o Bad or Broken Links

o Metadata Policy

o Improper words or phrases

o Identity mismanagement

o Marketing Standards

Metadata Policy

o Risk Level Tagging

o Dublin Core Metadata Initiative

o Z39.50 Tagging

o Custom Vocabularies

o Pointer Records

Types of regulations: Regulations arise or change very rapidly

Health and Safety

Accessibility

Security

Quality Control

Privacy

Where does this come from? Governments and organizations that define standards, like NIST, AIIM, ISO, FINMA and others

Compliance follows Common themes

Confidentiality Integrity Availability

Information must be accessible and available to the people who should have access to it, and protected from the people who should not!

HIPAA: Health Insurance Portability and Accountability Act

A few Key criteria

o Data encryption

o Information can never be lost

o Only accessible to authorized people

Industry focus: Pharmaceuticals / Health Care / Insurance

Summary: Regulations protecting the privacy and security of certain health information

PCI DSS: Payment Card Industry Data Security Standard

A few Key criteria

o Build and maintain a secure network

o Encrypt transmissions

o Strong access control measures

o Track and monitor all access

Industry focus: Finance / Retail, or any industry which is involved in some sort of financial transaction

Summary: The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.

SOX: Public Company Accounting Reform and Investor Protection Act

Industry focus: Every organisation that wants to be listed on a US stock exchange or do business with the US government

Summary: In a nutshell it comes down to “Corporate Accountability and Responsibility”. You know what’s going on in the organization and have complete control and overview at all times. This includes financials, products and services.

21 CFR Part 11: Electronic Records, Electronic Signatures, Scope and Application

Industry focus: All industries that have to have some sort of quality control and trace system in place

Summary: FDA Part 11 specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted. Its primary benefit is to assure quality and performance of the systems deployed to manage any cGxP process.

NEW TREND OR RISK FOR THE FUTURE: DIGITAL TRANSFORMATION AND CUSTOMER ENGAGEMENT SERVICES

IN ORDER TO STAY AHEAD OF THE GAME, COMPLIANCE NEEDS TO BECOME A SERVICE PARTNER / ALIGN WITH THE BUSINESS, MAKE IT MORE CUSTOMER-FOCUSED AND PROTECT COMPANIES' ASSETS

Similarities between regulations

Adjust to business needs and speed

Know your regulations and know your business processes

Key takeaways

Let’s put Simple and Flexible back to work!

Where do we go from here?

How to keep a grip on the situation: Compliance Life-cycle

Prevent

Detect

Track

Respond and Resolve

o Know what to prevent

o Know from what to prevent it

o Know why to prevent it

o Security policies

o Rights Management Policies

o Separation of duties

o Four-eyes checks

o Secure and encrypted access

o Classification by metadata

o Content ID

o Image recognition

o QR or Barcodes

o Scan for keywords or phrases

o Custom triggers and rules

o Direct Lock or Quarantine

o Alerts and notifications

o Real-time scanning

o Gain understanding and insights, compliance dashboards

o Automation of Reports

o Monitoring and Notifying

o Use metrics that make sense

Compliance recipe: High-level focus on where to start

1. Positioning

2. Preparation

3. Identification of information and its value

4. Standards and Regulations

5. Match the Similarities

6. Turn it into a daily process

7. Automated tooling

1. Positioning: Compliance shouldn’t be treated as a project or as a bolt-on, but should be at the center of the business

2. Preparation: Those who fail to prepare should prepare to fail

Define your compliance goals, set a vision

o Tighter Security

o Efficient collaboration with partners

o Transparency

o Industry Certification

Understand Criteria and Benchmarks

o How do I know if I’m compliant?

o What does the information tell me?

o How can I use it to support business activities?

Gather your team of experts

o From within and outside the company (Legal, HR, IT, etc.)

o Know what they are doing and what’s important to them.

Commitment and Authority

o If the driver holds the keys, they drive, not the owner or passengers

o Management Commitment and Signoff

3. Identification of information and its value

Identify the type of data your organization produces

o What’s the value to the user and the company?

o What product, process or service depends on it?

Accuracy

o Check if the information is still accurate and reliable.

o Are we all working with the same version?

o When was it last checked?

Automatic tooling

o Use the right tools in conjunction with the existing infrastructure to enforce and control policies.

o Guide people through a process to reduce mistakes.

o Classification and auto-tagging

4. Standards and Regulations: They are all different

Identification

o Summarize all the regulations you need to be compliant with.

o Figure out the similarities.

o Find out your company’s strong points and weaknesses.

Industry overlap

o The term industry is really broad. If you’re an airline and clients can book tickets directly, you also need to be compliant with certain financial regulations.

Country

o Regulations are derived from each other but might be stricter depending on your country, your supplier’s or your client’s location.

Industry Certification

o Do you need to be certified in a specific field?

o Do the industry certifications differ per country?

(Diagram: Regulation Type B / Country A, Regulation Type A / Country B, Regulation Type A / Country A)

5. Match the similarities

o Prioritize: which one is most important?

o Overlaps with which product or service?

o Who’s responsible for what?

o What are quick wins?

o Categorize them by

6. Turn it into a daily process: Everyone is responsible, so get them involved

How compliant are you?

o Analyze and fill in the gaps to improve.

Monitor

o Monitor regulation changes

o Monitor business needs

o Align with company vision and strategy

Reporting

o Build useful reports

o Build compliance dashboards for live changes (Power BI)

o Know what information you produce and who uses it.

o Where is it stored now?

Activities

o Report the right information to the right people

o Delegate tasks

o Compliance and protecting your organization’s assets is a team effort

How do you know if your compliance is going the right way?

Constant monitoring and reporting is key

(Chart: Not yet compliant / Compliant to criteria ABC: 63% / 37%)

o Define the different reports you need for the regulations

o Define your criteria on what you need to report

o Create compliance dashboards (Power BI)

o Know who’s responsible for the part of the business process and delegate the task

Identify the capabilities of the tools within your existing software portfolio: what they can do and how they can help you on your compliance journey. Analyse the gaps.

User Repository

Workflow

Full fidelity Data Protection and Recovery

Audit trailing

Logging

Separation of Duties

Notification

Identity and Access Management

Authentication mechanism

Azure Intune Bring Your Own Device

Alerts

Azure Rights Management

SAP

Mobile and Mobility

PowerShell

Social Media

eDiscovery and Vault mechanisms

Hardware Appliances

OneDrive

Skype for Business

Data Loss Prevention

SharePoint

Office 365

Exchange

7. Automated tooling

Most of them will help you in a preventive way, with the exception of DLP and IRM

AvePoint, filling the gaps: SharePoint, Office 365, Yammer, File shares and more

Prevent

o Governance Automation

o Compliance Reports

o Administrator

Detect

o Compliance Guardian

Track

o Vault

o eDiscovery

o Compliance Reports

o Administrator

Respond and Resolve

o Compliance Guardian

o eDiscovery

o Compliance Reports

AvePoint Compliance Guardian provides an automated risk mitigation system to scan, classify, protect, and audit collaborative environments

Show time!

Key takeaway summary

Align with business needs

Balance and Trade-offs

Don’t wait

Know your organization’s values and importance

Keep it Simple

Compliance is broader, look further than the tip of your nose

Now it’s your turn to become compliant! If you need some help we’re just a few mouse clicks away…

Questions and Feedback are highly appreciated

Not a big talker? Just send us an email: [email protected]

Thank you for your interest

Resources and References

Resource links

Compliance Guardian introduction video

What is Microsoft Azure Rights Management

Abbreviations

AIIM: Association for Information and Image Management

NIST: National Institute of Standards and Technology

CFR: Code of Federal Regulations

cGxP: Current Good X Practice (FDA compliance; X can mean Clinical, Laboratory, Manufacturing, Pharmaceutical)

FINMA: The Swiss Financial Market Supervisory Authority

GRC: Governance, Risk and Compliance

Compliance Guardian on-premise


Compliance Guardian online, AvePoint cloud service
