Information Technology Security. Advice from Experts
Develop Compliance Processes, Methods and Tools
Measuring compliance is critical to the overall success of the entire risk management process. Determine if the risk management methods are actually having a positive impact and be able to measure the extent to which the mitigation controls are in fact being used. Clearly, compliance measurement is somewhat onerous; however, successful implementations depend on how easy the process is and the perception that the process is useful, and will not have a negative impact. Typically, auditors are brought in at this point in the process. The key here is to ensure that the auditors are on-board with the process and their findings will not be used against the organizations being audited . Compliance monitoring should not be viewed as the penalty phase of risk management. This is why it is so important to have a separate risk management function that is a partner with the company s audit team. Consider the following when planning compliance measurement tools:
-
Scope of compliance measurement, that is, who will be measured, where and when measurements are to be taken and possibly by whom.
-
How to perform data capture, for example, self-assessment questionnaires, Web-based tools, interviews, audit results, and metrics returned from execution of routine processes. (Do not underestimate time required to capture data.)
-
How to solicit responses, for example, how to ensure responses are made to questionnaires, how to ensure data are returned as requested .
-
Methods to collate and store the responses.
-
Methods to measure responses, that is, determine how to use the data to measure compliance.
-
Follow-up actions that may be required.
-
Other information may need to be gathered in this initial planning task, including:
-
inventory of what is currently under control, and
-
the conflict resolution process and escalation process.
Summary
Risk management is an important corporate business process and sound management practice. Using IT risk management practices is critical to business success in the e-business age. Using a risk management framework to assess IT risks enables companies to make logical decisions about risk and helps to determine where to use resources to mitigate risks. Finally, and most importantly, using a process like the one described in this chapter does work. The key is to use the process consistently and make it part of the corporate culture.