Considering the future of compliance at Compliance Decisions
Posted by: GuyPardon
The Compliance Decisions Summit taking place in Newton, Mass., got off to a great start this morning. Eric Holmquist and Richard Mackey both provided deep, engaging presentations on “future-proofing” an organization against compliance challenges and managing third-party risk.
Over the course of the morning, we posted to Twitter on our ITCompliance account more than 40 times, in lieu of a single blog post. As we noted to @cmneedles, #CSD09 is the hashtag we’ve chosen to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s weekly digest of compliance headlines from Twitter.
Introductions
Breakfast & registration in Newton, MA at Compliance Decisions. We’ll be live-tweeting the talks, starting at 9AM. http://twitpic.com/20yxx
Kelley Damore, Ed. Dir for the #TTGT Security Media Group, kicks off #CSD09 by noting recent data breaches at Hannaford, TJX & Heartland.
Damore notes the breadth of compliance challenges: health, financial & proprietary data must all be secured with auditable processes.
Future-Proof Your Compliance Session
Eric Holmquist is up, explaining how to future-proof a compliance program vs. new regulations, including mitigating risk & GRC best practices.
“Compliance management is one aspect of risk management. It’s about risk alignment. It’s never about checklists.” -Eric Holmquist | #CSD09
“Every version of regulatory guidance around risk management boils down to three things: awareness, accountability & actionability.” #CSD09
Risk management boiled down to a continuum: Inherent Risk -> Controls -> Residual Risks | Compliance doesn’t just rest in controls. | #CSD09
“The 4 most important words for improving a compliance program: What could go wrong?” -Eric Holmquist | #CSD09
RT @scotpe 99% of compliance failures are because “somebody did something stupid” | #CSD09 [Key to plan for people being people]
Key elements of an effective compliance program: subject matter expert, compliance committee (real or virtual), control library | #CSD09
More key elements of an effective compliance program: documentation, risk-aware culture, incident response team, wrap-around analysis #CSD09
Eric Holmquist is reflecting on the details of how Advanta implemented an effective compliance program. Gap analysis & visibility key #CSD09
“No regulation is only relevant to IT. There is a business component to every single one.” -Eric Holmquist | #CSD09
“We set the bar at a risk management & governance level. Regulatory guidance, frameworks & standards are a test.” -Eric Holmquist | #CSD09
#GRC best practices: leverage existing processes & map them, focus on risk, secure executive sponsorship, use control libraries | #CSD09
“The costs of #ediscovery are staggering. Get a data retention program for email done. Now.” -Holmquist | #CSD09
PrivacyProf: A related issue is retention of full email threads; possibility of changes in early thread msgs likely creates ediscovery issues (Reply from contributing expert Rebecca Herold)
What does Holmquist see in the future for compliance? More infosec & BCP challenges, updates to PCI & state data protection laws. | #CSD09
Good question from the audience on email retention: What’s too much, too little? Establishing which emails = official documents is key. #CSD09
Sponsored Session from Symantec
Ethan Kelleher up from #Symantec to speak to their approach & notes support for an online resource: http://ITpolicycompliance.com | #CSD09
We’re listening to a live “message from our sponsor” ( #Symantec) regarding version 9.0 of their Control Compliance Suite (CCS). | #CSD09
Managing Third-Party Risk
Richard Mackey now up at #CSD09 on managing third party risk. #Video on building a framework-based #compliance program: http://bit.ly/PqXcd
An IT guy here at #CSD09 is especially interested in the MA data protection law. Our podcast w/state: http://bit.ly/105L3E (free reg. req.)
Mackey talking about impact of regulatory project requirements on service providers. If they handle regulated info, compliance is key #CSD09
Mackey notes that “standards like ISO 27002 & #COBIT describe lifecycles that can be applied to service providers” | #CSD09
“The first step in understanding risk is understanding the information shared.” -Richard Mackey | Data mapping & tools help. | #CSD09
“FFIEC, PCI & GLB all require due diligence in assessing provider controls. Depth should correspond to risk.” -Richard Mackey | #CSD09
“When evaluating service providers for compliance, establish rules for evaluations. View them as a partnership.” -Richard Mackey | #CSD09
“Most regulations require YOU to be the regulator of service providers.” PCI, HIPAA & GLB all require companies to ensure compliance. #CSD09
“Standards-based assessments, like ISO 27002, are useful tools. Consumers of the reports, however, must understand what results mean” #CSD09
Key questions when a #CIO receives a compliance report (SAS 70, ISO, etc.): Scope of assessment? Metrics used? Control objectives? | #CSD09
When conducting #compliance assessments, concentrate on risk, avoid generic assessments & focus on consistency/operational #security. #CSD09
Mackey continues to focus on associate, partner & service provider #compliance; frequently mandatory but potentially overlooked. #CSD09
IT is critical to service provider #compliance: firewalls, VPNs, intrusion detection, encryption, scanners & data loss prevention | #CSD09
Excellent seminar on third-party risk management for meeting compliance by Richard Mackey. Video will be available later this month. #CSD09
We’ll be posting more to Twitter this afternoon when Holmquist presents again, this time on a “Risk-Based Approach to Information Security Governance,” and Laurence Anker talks about “Managing the Cost and Complexity of Compliance through Governance.”