The Governance Mandate
Mohit Bhishikar, CIO, Persistent Systems
Complex landscape of GRC
There is no doubt that the industry has witnessed significant adoption of information technology over the course of last two and half decades. Successful enterprises have proved that leveraging IT has given them a competitive advantage and enabled their businesses to grow rapidly.Of late, there has been growing awareness about increasing regulatory compliance and controls that need to be monitored. Governments and regulatory authorities around the world have already created, or are in the process of creating, regulations that impose conditions on data storage, access, privacy, retention, data movement and data updates. There are huge penalties for organizations who fail to comply with these regulations. There is also a direct impact on the confidence and trust of customers. Businesses that sell products or services to customers are required to maintain multitude of standards and certifications. ISO, IEC, PCI-DSS, CMM, SASE etc. are some commonly sought after certifications by the customers who award contracts to outsource their work. What makes it complex and operationally challenging is that several of these standards don't have interoperability and are often required to be maintained independently.Most recently, there has been increased focus on individual privacy and handling of sensitive personally identifiable information. There has been significant awareness about data privacy in the public and private sector in the recent years. Various entities have come together and collaborated to create what we now know as `IT Act 2000' and its amendments. The spirit of this act is in its most basic form lays the foundation for governing the collection and use of personal information including banking and medical details. The law addresses a long-pending demand of the IT industry and Social Awareness Groups for a legal framework for data protection in India. And it brings India at par with American and European world.
The new measures were designed to ensure that all personal information that a company collects is secure. It obliges those who handle sensitive personal information such as passwords, bank accounts, credit card numbers, medical records, and biometric data to implement an elaborate technical, managerial, physical and operational information security practice and set up a dispute resolution process.
Need for a structured approach
Most often, this kind of work is disguised by giving additional responsibility to someone in IT, Quality or in a worst case, admin departments. However, this is usu-ally not a `day job' for them. The dedicated governance charter is not aligned with such departments and it often results into reactive management fixated around events such as recertification audits or compliance inquiries. Unknowingly, it becomes an annual activity instead of maintaining continuous state of compliance and pro-active risk management.
With the complexity involved in managing and maintaining several standards at once and governance of the same, there is an inherent need for a dedicated, well de-fined role in the organization to overlook governance controls and maintain state of compliance. There needs to be a CXO level sponsorship to drive it top down and needs to have unbridled access throughout the organization.
It may sound cliché but People, Process & Technology constitute the three basic components of governance control framework. There needs to be a strong collaboration between IT, Legal and HR departments and good understanding of the nature of the business that we are doing with the customer.
From technology perspective, there should be a very strong technology foundation at every layer of the architecture stack. Each layer in the architecture must have a clearly defined, indisputable security standard, solution, protocol and governance. There should be a very strong perimeter security using intrusion prevention system. There should be a well-defined process for NOC, SOC and Incident Management. The database meant for storing SPI should be designed in such a way that it will not allow interpreting meaning of data easily, just like employee name and employee salary cannot be easily correlated in the finance system. There should be a very strict password policy and access rights management process for the database, file systems and other online assets of the customer. There should be 24x7 vigilance and immediate reporting of a breach, if any. And there should be a clearly communicated escalation chain.
In terms of cloud, business to business cloud computing does raise a number of important policy questions concerning how people, organizations, and governments handle information and interactions in the cloud environment. Present scenario of regulatory framework in India and other parts of the world must be considered when using cloud solution for sensitive, confidential applications and data.
Most importantly, the employees responsible for this area of the technology should be empowered to raise the flag immediately. One must not promote a culture of 'shooting the messenger’; rather they should be rewarded for their efforts.
There should be a welldefined governance policy, robust internal control framework and risk management process where everyone concerned across all departments participate actively.The data classification policy must be understood and followed by everyone. ‘Being Aware’ is the key to defend non-compliance and reduce financial exposure. As part of the prevention framework, Annual Risk Assessments must be carried out to identify compliance risks and mitigate them. This framework should allow the risks to be reported to the executive management. Account Management and Legal team should work hand in hand with the customer to identify and document all legal requirements to protect the confidentiality and privacy of business data. Governance requirements may vary from person to person or business to business. And then there should be well defined Audits and Assurance program to ensure an effectivenessof a business policy. This program must have an oversight of company’s Board of Directors and the Audit Committee. An important charter for this team is to develop a training program and mandate it across the organization to seek 100% participation from the employees and increase overall awareness for compliance management. Employees who violate the governance policy or controls should be subject to disciplinary action up to and including termination.
It is evident that this is not for someone who typically focuses on auditing domain and prepares organizations to face external audits. This demands a complex multi-discipline knowledge and exposure. It requires deep expertise in business functions, technology, people management and operational excellence. For the consultants who are aspiring to work in this domain, there is a great opportunity to develop a core competency in this new emerging field and offer it to help organization success in keeping up with the mandate.