According to an industry survey conducted in 2008, companies in India are
lagging behind the rest of Asia Pacific with regard to the implementation of
regulatory compliance programs. It found that less than a fifth (18%) of
companies in India have implemented regulatory compliance programs, compared to
the current Asia Pacific average of 42%.
So how is the other 82% managing to ensure that policies are complied with?
Until recently, the common solution was to appoint an auditor to keep track of
the varied industry-mandated rules, government regulations and internal
policies that, taken together, keep organizations on the right track.
Research conducted with more than 2,600 organizations worldwide found that
organizations which manage their controls environment achieve better outcomes,
and consistently post much better results, including: 10% more revenue; 9% higher
profits; a 94% reduction in the loss or theft of data; and 52% lower spending on
annual audit-related expenses.
The IT Policy Compliance Group has revealed in its latest benchmark research
report that 68% of firms are under-spending on information security relative to
the financial risks and losses that they are experiencing. Yet incremental
increases toward the funding of best practices are responsible for financial
returns, ranging from 200% to more than 1,00,000% for an average organization.
Indian Scenario
The increasing complexity of the globalized business environment is making
it increasingly important for Indian enterprises to manage IT compliance. Indian
organizations need to comply with mandates of the industry that they operate in,
ensure compliance to guidelines laid down by the industry regulator, and more
importantly, need to comply with the laws of the land where they are doing
business.
For instance, a player in the IT/ITeS vertical will need to comply with
Sarbanes-Oxley if it is listed in the US, apart from the privacy laws of the
countries where it operates. Similarly, banking and financial sectors need to
comply with BASEL II, GLBA, PCI/DSS and SOX (if the bank is listed in the US),
and rules laid down by the regulator. Healthcare players are required to comply
with HIPAA. Besides the above, most organizations are internally setting up best
practices to comply with frameworks like ITIL, ISO 27001, COSO, and COBIT. These
multiple mandates are best managed with IT solutions.
Managing IT Compliance
Define policies: The first step in managing compliance is to establish clear
policies that need to be adhered to. This needs to take into account government
regulations, industry standards as well as internal controls defined to ensure
the security of data and transactions.
Establish Responsibility: Next, organizations must allocate
responsibility and ensure that every incident is clearly accounted for. This
ensures that in case of a policy breach, the owner of the event is identified
immediately for initiation of the remediation process.
Build Compliance with Defined Policies into Every Process: The third
step is to identify each process and build the compliance check into it, so that
a non-compliant action cannot be performed. The compliance requirement should be
met automatically during the execution of every action.
Identify Breaches: A process by which any breach is identified and
reported should be put in place. Following this, a timely and automatic
remediation procedure should be established.
Logging and Auditing: Auditing is a critical component of maintaining
compliance. Various logging and auditing controls are meant to create a
reporting trail that will allow an audit team to determine who did what, and
when the action occurred. These requirements include logging of administrative
actions, authorizations, and access to data.
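The five steps above, as an added example that is not from the original article or from Symantec: a small Python model in which policies carry an accountable owner (steps 1 and 2), every action is checked against them before it runs (step 3), breaches are recorded against their owner (step 4), and each attempt is logged with who, what and when (step 5). The policy names, roles, resources and events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List
CONFIDENTIAL = {"customer_db"}      # constructed: resources holding regulated data
DATA_ROLES = {"analyst", "admin"}   # constructed: roles authorized to read them

@dataclass(frozen=True)
class Event:
    actor: str     # who
    role: str
    action: str    # what
    resource: str
    when: str      # when (ISO 8601, UTC)

@dataclass(frozen=True)
class Policy:
    name: str
    owner: str                         # step 2: accountable for remediation
    complies: Callable[[Event], bool]  # step 1: the rule itself

POLICIES = [
    Policy("data-access-authorization", "Data Protection Officer",
           lambda e: e.resource not in CONFIDENTIAL or e.role in DATA_ROLES),
    Policy("admin-actions-by-admins", "Head of IT Operations",
           lambda e: not e.action.startswith("admin:") or e.role == "admin"),
]

class ComplianceEngine:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.audit_log = []   # step 5: who did what, when, and outcome
        self.breaches = []    # step 4: breaches routed to their owner

    def execute(self, event: Event) -> bool:
        # Step 3: check every policy before the action runs; True means proceed.
        violated = [p for p in self.policies if not p.complies(event)]
        self.audit_log.append({"who": event.actor, "what": event.action,
                               "on": event.resource, "when": event.when,
                               "allowed": not violated})
        for p in violated:
            self.breaches.append({"policy": p.name, "owner": p.owner,
                                  "actor": event.actor, "when": event.when})
        return not violated

def run_demo() -> ComplianceEngine:  # constructed events: 2 compliant, 2 breaches
    engine = ComplianceEngine(POLICIES)
    engine.execute(Event("alice", "admin", "admin:create_user", "iam", "2008-06-01T09:00:00Z"))
    engine.execute(Event("bob", "intern", "read", "customer_db", "2008-06-01T09:05:00Z"))
    engine.execute(Event("carol", "analyst", "read", "customer_db", "2008-06-01T09:10:00Z"))
    engine.execute(Event("bob", "intern", "admin:reset_password", "iam", "2008-06-01T09:15:00Z"))
    return engine
```

Because the log records every attempt and each breach names its owner, the audit trail and the remediation queue come from the same pass over the events.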
Vishal Dhupar
The author is managing director, Symantec India
maildqindia@cybermedia.co.in