Running Head: IT COMPLIANCE

Information Technology Compliance

Name

Institution

Date

Information Technology Compliance

Introduction

Security breaches have been caused by loopholes in software architecture and, above all, by the human operators of that software. These operators are in most cases unfamiliar with the concepts of Information Technology and therefore neglect to establish the information technology compliance procedures that are structured to prevent such occurrences. IT compliance is a term that encompasses two distinct but related concepts (Audit Shark, 2018). The first is internal compliance, which comprises procedures established by operational entities such as corporations and educational institutions, stipulating how users will operate the products at their disposal. This principle is structured to enhance security and increase productivity. The second is external compliance, which is adherence to principles laid down by entities outside the internal network structure, including the government (Bamberger, 2010). For instance, a government may impose a policy mandating the installation of supervisory controls, such as a concealed backdoor that is accessible only to law enforcement agencies. External policies establish methods of operation with which companies must comply in their IT operations.

Importance of IT compliance

According to the Economist Intelligence Unit (2005), three major concerns are driving the growing interest in IT compliance: privacy and security, financial regulations, and document retention. Privacy and security emphasize the protection of computer-based information and networks. Document retention deals with the large number of documents that are now created and stored digitally. Financial regulations encompass many IT-laden processes, as the Sarbanes-Oxley (SOX) Section 404 compliance effort has made plain.

Information Technology (IT) plays a pivotal role in supporting compliance systems in companies. Many companies continue to treat compliance, governance and risk in silos and to apply disparate legacy systems. Companies that rely entirely on technology bolted onto their legacy systems find themselves lagging behind. The result is a set of disparate, independent systems that cannot interact with each other intelligently. The IT systems involved in compliance include data recording, system security, privacy control, document management, management information systems and reporting.

Complex rules and regulations currently dominate the finance industry, and more than one institution is involved in the value chain serving a finance customer. Manual compliance systems are recognized as both obsolete and dangerously inefficient at safeguarding companies from the threats and risks involved. The goal of every company is to establish an integrated financial service system, built on tried and tested platforms, that defines, manages and monitors the business environment.

Challenges faced by the IT division in regulatory compliance

Companies experience challenges in establishing an Information Technology compliance system. The rising time and cost of addressing industry requirements and regulations is one of the main obstacles to an effective compliance system. New regulations that are disconnected from one another, together with industry mandates, demand further resources in order to meet compliance standards. Companies also find it difficult to understand and manage IT security risk. The company is required to prevent data breaches and inappropriate disclosure of data while ensuring that these measures do not affect business operations and productivity (Naneth, 2014). Maintaining the appropriate level of internal control and compliance imposes ever-increasing time and effort on the company. Financial institutions, health care providers and enterprises face intense scrutiny to protect the confidential information of clients and patients. Regulations are regularly updated because thieves and hackers also advance their methods of exploiting weaknesses.

IT governance and the effectiveness of the IT division in attaining regulatory compliance

Governance provides the structures for aligning IT strategy with business strategy. A formal organizational framework produces measurable results directed toward the achievement of organizational goals and strategies. Formal programs take the interests of stakeholders into account, together with the needs of the staff and the processes that follow. IT governance, in the big picture, is an integral part of overall enterprise governance and plays an integral role in governance, risk and compliance (GRC) within companies. The programs imposed under governance, risk and compliance determine the framework that is utilized.

Both public and private firms require ways of ensuring that IT functions support business objectives and strategies. A formal IT governance program should take into consideration the industry and the organization that intends to comply with regulations on technological and financial accountability. Implementing a comprehensive IT governance program requires considerable effort and time.

Implementing a governance program requires an industry expert who can help the organization through the phases of the IT governance program so that it encounters fewer speed bumps. The frameworks used by the industry include ITIL (Information Technology Infrastructure Library), COBIT, COSO (Committee of Sponsoring Organizations), FAIR (Factor Analysis of Information Risk) and CMMI (Capability Maturity Model Integration) (Lindros, 2017). The framework adopted is selected according to the overall functioning of the IT department, the key metrics that management needs, and the return the business obtains from its IT investments. COSO and COBIT are mostly used to streamline the operations and services of the IT department. CMMI was originally designed for software engineering but now also covers service delivery, hardware development and purchasing. FAIR is mainly used for the assessment of cyber security risk.

Vision, Architecture, and a Detailed Plan of Action that Follows a Life Cycle Concept

The vision of the compliance plan is to be established and implemented in a way that effectively solves the company's challenges related to privacy and security, financial regulations and document retention. This will be attained by using an appropriate architecture and by planning the IT compliance strategy and its implementation. The success of the program is determined by the effect it has in solving the existing problems.

The architecture used in compliance should exhibit certain qualities: consistency, conformity and relevance. It should support the identified strategies and the desired future direction. The architecture should also adhere to the stated standards, which may be specified as semantic or syntactic rules. The plan should deliver the functionality as stated. It should also adhere to the stated principles, namely being open wherever appropriate and possible, and permitting re-use of components through building blocks where appropriate.

When designing the IT compliance program, it is necessary to identify the scope and severity of each non-conformance identified in the audit reports. This information allows the occurrence of the non-conformance to be assessed across the licensee's whole operation. The licensee is required to establish a strategy for making this assessment by describing the compliance action plan and submitting it to the audit team leader for review. These requirements are addressed by analyzing internal audit records, inspecting all operating areas, sampling a subset of the operation, or combining these strategies. The resulting report identifies the appropriate corrective actions, which should aim to correct and mitigate the non-compliance found. The licensee then develops a strategy and submits it to the audit team leader for review.

The necessary preventive actions must also be identified. The plan should aim to prevent non-compliance incidents from recurring, so that the problem is solved once and for all. The licensee should develop these preventive strategies and submit them to the audit team leader, who is required to review them. A timeline should then be set for completing the preventive and corrective actions, and the timeline should reflect the risk of inaction. The compliance plan should then await the approval of the audit team leader before it is implemented (New Nouveau Brunswick, 2014).

Business Processes and IT Compliance

Business processes succeed through a methodology, a team, tools, measures and management-level involvement. These critical practices enable the business to improve its performance. The methodology is the structured approach whereby the direction of the business is clearly identified and communicated to all stakeholders, which motivates those involved to work toward the business goal. Every strategy established must be in line with the defined methodology: it identifies the scope within which it will operate in the business and reviews the existing gap that the strategy intends to bridge. There should be improvement strategies for the current stage so that the aim of the strategy is attained, with the personnel concerned adjusting to the program. The strategy is then implemented, with the change and its management handled so that the change is adopted positively in operations. Finally, the effectiveness and efficiency of the program developed must be monitored.

Business processes are not a one-person initiative; they involve a team that integrates its efforts to ensure the methodology is followed. The business is required to identify people who have the potential to bring about the intended change. Team members must possess operational, transformational and technical skills so that they can carry out the activities of the business accordingly. The company must also possess tools that are manageable and easy for the team to use. The tools should provide functionality for documenting, improving, analyzing and monitoring business processes, and should be centered on the functions and duties carried out by the particular team. The business should have strategies for measuring its progress and the impact of the changes imposed; measurement can be carried out through customer metrics, financial metrics, people metrics and process metrics. All business processes also need clearly defined involvement of management levels, reflecting the chain of command and delegation. This allows the team to be organized and the strategies developed to be attained.

According to Naneth (2014), the factors that influence information technology compliance include an integrated view, performance linkage, a structured approach, a new perception of compliance, and the use of enablers. IT compliance needs to be integrated with the business processes it will operate on. The IT compliance strategy should be defined using a particular methodology so that its scope, intent, improvement and implementation are identified. The strategy is designed to solve a specific requirement, so properly identifying the methodology leads to its success. The tools and teams necessary to integrate the strategy into the business processes must also be identified, since some strategies require specialized skills and equipment. The impact of the strategy should be monitored regularly to determine its efficiency and effectiveness in solving the problem. This linkage helps in developing a more comprehensive plan for the identified requirements and therefore in achieving the vision of the IT compliance process and plan.

Planning the IT compliance program

The plan involves four phases: Initiate, Plan, Develop and Implement.

Initiate

In every organization there are various individuals who can be approached to respond to concerns and complaints raised by other employees. Most complaints and concerns require only a response or an inquiry into the issue, but some result in internal investigations. An internal investigation or audit is the basis for initiating an IT compliance plan, since it enables leaders to identify which strategies are required to resolve the dispute; the investigation may reveal that some individuals have violated rules and regulations and so call for enforcement action. The process requires a team that is skilled and trained to conduct the audit or investigation effectively. The analysis should involve skilled investigators who can determine the best means of solving the issues at hand.

Plan

Once the audit team leader has identified the need for information technology compliance, the team is given the go-ahead to plan the project. In most cases the developers obtain programs that have been implemented in other companies and use them to brainstorm their ideas. This enables the development of a plan that is most likely to solve the problem being encountered. Planning involves analyzing the problem or requirement that the compliance program must address, the teams and tools that will be affected by the implementation, the people who will be affected by the change, and the methods for measuring its impact. The organizational structure under which the program will operate must also be considered so that the management responsibilities for ensuring its effectiveness are identified (Bodenger & Steiner, 2017). The plan should include documentation such as a system security plan and the method for performing risk assessments, and the outcomes of the risk assessment should be captured in a plan of action and milestones. Once the plan package is complete, the audit leader reviews it to determine whether it will effectively solve the problem involved.

Develop

Once the plan is approved, policies, procedures and control strategies are formulated (Gallagher, 2017). Policies set out the company's position regarding certain risks and are usually expressed as simple overarching rules or mission statements. Corporate policies are usually the backbone of a compliance program; however, they do not tell employees what action to take when faced with a particular risk or temptation. Procedures provide that guidance, telling employees what to do in given situations so that they avoid violating corporate policies. Software helps in generating forms and in managing and tracking these procedures for review, among other tasks. Controls provide specific gateways or checks. They are mostly administered by accounting personnel to ensure that procedures and policies are followed in authorizing transactions, safeguarding assets, monitoring disbursements and supporting the validity and accuracy of records. Policies, procedures and controls establish the textual and conceptual framework of the compliance program.

Implement

Policies, procedures and controls need to be implemented in the business process so that their effectiveness can be determined. Compliance is implemented through training and risk management. Compliance training should be an integral part of every organization, aimed at maximizing protection by identifying potential liabilities (Intuition, 2014). The cost of training employees is far lower than the cost of non-compliance, so the company should weigh the impact of training rather than its cost. Risk management is used to alleviate potential risks and to address specific compliance guidelines within the organization. For these strategies to succeed, the company needs clear objectives, clear expectations of the audience, and methods of measuring the impact of the change.

References

Audit Shark. (2018). IT Compliance. Retrieved May 23, 2018, from Audit Shark: https://www.auditshark.com/Education/what-is-it-compliance.aspx

Bamberger, K. A. (2010). Technologies of Compliance: Risk and Regulation in a Digital Age. Texas Law Review, 88(4), 669-742.

Bodenger, G., & Steiner, J. E. (2017). Developing, Implementing, and Maintaining an Effective Compliance Program. Journal of Health Care Compliance, 19-23.

Economist Intelligence Unit. (2005). The Role of IT in Compliance. London: Economist Intelligence Unit.

Gallagher, S. (2017, February 2). Developing the Framework of Your Compliance Program Policies and Procedures. Retrieved May 23, 2018, from The Compliance and Ethics Group: http://complianceandethics.org/developing-framework-compliance-program-policies-procedures-slideshare/

Intuition. (2014, August 11). Best Practice for Implementing Compliance Programs. Retrieved May 23, 2018, from Intuition: https://www.intuition.com/wp-content/uploads/2014/11/Best-Practice-for-Implementing-Compliance-Programs-Global.pdf

Lindros, K. (2017, July 31). What is IT governance? A formal way to align IT & business strategy. Retrieved May 23, 2018, from CIO: https://www.cio.com/article/2438931/governance/governanceit-governance-definition-and-solutions.html

Naneth, M. H. (2014). Factors Impacting Information Security Non-Compliance When Completing Job Tasks. Fort Lauderdale, FL: Nova Southeastern University.

New Nouveau Brunswick. (2014, May 2). Forest Operations Compliance Audit: Compliance Action Plan Requirement. Retrieved May 23, 2018, from New Nouveau Brunswick Canada: http://www2.gnb.ca/content/dam/gnb/Departments/nr-rn/pdf/en/ForestsCrownLands/AuditResponseStandards.pdf