<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; assessments</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/assessments/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Security Standards: What&#8217;s in a name?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-standards-whats-in-a-name/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-standards-whats-in-a-name/#comments</comments>
		<pubDate>Wed, 06 Mar 2013 17:19:34 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[auditor]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[controls]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=1054</guid>
		<description><![CDATA[I had an interesting phone call recently with someone in a CISO-type position.  They were looking for a consultant to help them keep a seat warm working with information security risk assessments and were hoping to find a resource with practical experience using the NIST 800-53 standard.  It was the second such conversation I&#8217;ve had [...]]]></description>
				<content:encoded><![CDATA[<p>I had an interesting phone call recently with someone in a CISO-type position.  They were looking for a consultant to help them keep a seat warm working with information security risk assessments and were hoping to find a resource with practical experience using the NIST 800-53 standard.  It was the second such conversation I&#8217;ve had recently where a manager was looking for experience with a specific security framework (the other was ISO 27000).  During the conversation I pointed out that while I&#8217;ve worked with the NIST standard previously I&#8217;ve also worked with the related ISO standard, PCI and all of the security related FFIEC guidelines.  And of course beyond the frameworks and guidelines I&#8217;ve also been auditing since 1997 and have had to consider just about every known risk factor and dimension independent of an existing standard.  So for me it&#8217;s all mostly semantics in terms of which framework anyone is using.</p>
<p>In the days since that conversation I&#8217;ve put some thought into the frameworks because in the end the aforementioned CISO was committed to finding the NIST experience and eventually did.  But what did that really mean?  Having fairly recently had the occasion to have both NIST 800-53 and the ISO 27000 documents in front of me it was striking how similar they both were with only a few obvious distinctions to be made between the two.  Essentially the differences reflected more on the cultures that created them than the risk factors they were focused on (NIST = U.S. federal government, ISO = international, with roots in the British BS 7799).  But information technology architectures fundamentally are identical the world over so despite formatting and spelling they both are addressing the same challenges whether or not they realise it.  And for those of us who have familiarity with both, to know one is to know both, even if those who are committed to either one disagree.  If you&#8217;ve worked on audit/assessment projects leveraging ISO 27000 material you&#8217;re immediately qualified to work on projects using the corresponding NIST framework and vice versa.  And if you have experience working with PCI standards guess what?  You can pretty much step in and work with either NIST or ISO content (except of course you have to expand your sights to include the entire infrastructure, not just whatever touches PAN data).</p>
<p>My preference is that we would consolidate globally into the ISO frameworks where applicable and maybe even fit that in to the SSAE 16 process.  I&#8217;ve read enough toothless SAS 70/SSAE 16 reports to know that it&#8217;s easy enough to rig the system to your advantage.  And unless you&#8217;re a government agency that has to comply with NIST there&#8217;s little meaningful value to using NIST whereas being ISO 27000 certified carries a great deal of weight within the audit/assurance community.  Plus there&#8217;s the added benefit of having InfoSec practitioners all getting trained and practiced at both building out ISO 27000 compliant solutions and also knowing how to test the related controls.  Think about that, a single global security standard regardless of where you enter into the profession.  Having run a few practices in my career and way more than my fair share of engagements I can tell you that has great appeal.  Plus it would help eliminate awkward dialogues where my sixteen years of real and relevant experience is at least partially marginalized because it hasn&#8217;t all been with one particular standard.</p>
<p>Ultimately a framework&#8217;s only meaningful advantage is that it theoretically ensures consistency in how controls are identified and assessed.  If you have someone who knows a framework but doesn&#8217;t really understand the details within, that sort of defeats the process anyway, no matter how robust or thorough it may be.  Perhaps that&#8217;s why I consider it a non-issue when it comes to which frameworks a practitioner has used.  I&#8217;d much rather work with someone who understands the technology and has a good feel for the details rather than someone who knows that SDLC is addressed in SA-3 for NIST or Section 12.5 for ISO 27002.  But then again, I&#8217;ve always been more concerned with real risk, not perceived risk, so this shouldn&#8217;t be surprising to anyone who&#8217;s read my content in the past.</p>
<p>A security framework by any other name would be just as comprehensive, you know what I mean?</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-standards-whats-in-a-name/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are banks unfairly scrutinized?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/#comments</comments>
		<pubDate>Mon, 22 Oct 2012 14:09:17 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ACH]]></category>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[auditor]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[Information Technology General Controls]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[internal controls]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=993</guid>
		<description><![CDATA[A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) [...]]]></description>
				<content:encoded><![CDATA[<p>A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A&amp;B&#8221;.  To this day when anyone inquires as to what I do for a living this surfaces in some form as an answer.</p>
<p>Truth be told, while I&#8217;ve spent somewhere near seventy-five percent of my time over the past ten years working for financial institutions I&#8217;ve also done a fair amount of work for insurance companies, mostly centered on SOX with occasional diversions into general risk assessment work.  The drivers in the insurance industry are different in terms of oversight and requirements and so the volume of work isn&#8217;t nearly the same.  But that by itself begs a question: Why isn&#8217;t the insurance industry as regulated as financial institutions?</p>
<p>I&#8217;ve now done major audit and assurance work for financial institutions, insurance companies and health care providers and for most of them the risk profile is almost identical in terms of non-public personal information.  So why isn&#8217;t the level of scrutiny equal across all three of them?  While some might start spouting about how it is, about how states routinely audit insurance companies and how the health care industry has to comply with HIPAA the truth is that banks and credit unions are held to a much higher degree of accountability than any other vertical.  Why is that?</p>
<p>I&#8217;m fond of routinely, almost incessantly beating the drum about how it&#8217;s all about the risk.  I get my initial client opportunities because I have a deep resume with relevant experience but I generate repeat business because I tend to whittle things down to what matters most both to my clients and to their oversight providers (auditors and examiners alike).  Compliance exists because risks need to be addressed &#8211; if the risks aren&#8217;t credible or likely the work should be adjusted to reflect that.  But where the risks are real they&#8217;re really real.  The type  of data shared with an insurance company is in many ways even more sensitive than anything shared with a bank and most of what&#8217;s shared with insurance companies is also shared with health care providers.  Yet there&#8217;s no true Federal oversight for the insurance industry and HIPAA is about as much of a toothless tiger as anything I&#8217;ve ever encountered.</p>
<p>I recently completed a boatload of documentation to get my family on a new health insurance plan.  I turned over every piece of sensitive information I have for every member of my family minus my bank account information because that&#8217;s what was required.  I had to provide all of this online and follow that up by sending them an impressive array of hard-copy documents with even more sensitive information that should never be kicking around in the public domain.   In the past I&#8217;ve also been required to provide my bank account information because one plan in particular would only provide coverage if they could automatically deduct monthly premiums via ACH drafts.  So now the insurance industry has access to it all; name, address, social security number, date-of-birth, maiden name, medical history and banking information.  And yet there&#8217;s no true oversight agency that&#8217;s responsible for making sure they&#8217;re protecting all of MY information.</p>
<p>To compound my frustration, of the four insurance companies I&#8217;ve conducted work for since 2006 (two of which are Fortune 500s) exactly none of them have something akin to a Chief Information Security Officer.  They all have risk people focused on the business side of things (because that&#8217;s necessary to protect profitability) but that&#8217;s it.  There&#8217;s typically an information security manager who&#8217;s part of the infrastructure team but who almost never reports right into the senior-most technology person (e.g. CIO, CTO).  Any audit work that occurs is coordinated across multiple IT managers and on rare occasions there will be an audit/assurance manager.  However in the one example I personally know of where that position exists the person in the role was really just a converted IT manager who obtained a CISA designation &#8211; no fundamental audit or assessment experience.</p>
<p>The question has to be asked:  Why is it that banks and credit unions are heavily regulated regarding protection of non-public personal information but other industries with similar risk profiles are  not?  Why aren&#8217;t insurance companies required to comply with FFIEC-type guidance?  Why isn&#8217;t there a Federal regulatory agency that is responsible for keeping an eye on the insurance industry the way the FDIC, OCC, FRB and NCUA do so for their financial institutions?  And trust me, whatever oversight exists for the insurance and health care industry is largely ineffective.   Why is my sensitive information considered more at risk within a banking infrastructure than it is within an insurance infrastructure?  Having been on site for both and examined their internal controls  I can&#8217;t answer that question, that&#8217;s for certain.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are self-assessments the right way to go?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/#comments</comments>
		<pubDate>Fri, 21 Sep 2012 15:44:11 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance officer]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[disaster]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<category><![CDATA[DR]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=975</guid>
		<description><![CDATA[About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels, [...]]]></description>
				<content:encoded><![CDATA[<p>About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels, connections and filters without having to pay someone else to do it.  On one hand she had a valid point, it sure didn’t sound very difficult.  On the other hand I immediately wondered how I would get to the plug where the oil needed to drain through in order to open it, where would I collect the old oil and how would I dispose of it once I did?  And what the heck would I do if something went wrong?  Plus I would need to remember to buy the new oil, perhaps a filter or two and then figure out how to check a myriad number of items to make sure the car was running right.  Or I could keep going to my mechanic and pay him the $39 to take care of it for me.  I’ve always had a way of considering things via the risk vs. reward formula and that was an easy one – have the professional do it.   It would take me more than an hour not including shopping for the needed supplies and there was an increased risk that I would miss checking something, forget to tighten something or simply do a bad job.  I’ve been earning more than $39 per hour for a long time and so I decided that I should just work an extra hour and use the proceeds to let the professionals do their job.</p>
<p>Which is why I don’t much care for any manner of compliance-based assessments that are self-administered.</p>
<p>Companies have had this crazy notion for more than a decade now that the best way to identify and address risks inherent within the infrastructure is to ask key stakeholders a somewhat generic set of questions and use their responses to figure out what’s what.  Most of the time the people driving these initiatives are either information security professionals or corporate compliance people who either believe they already know where the problems are or are looking for the simplest and easiest way to satisfy some requirement.  But what they often fail to grasp is that it’s almost impossible to draft a common set of questions that either apply to the vast majority or worse, will be interpreted consistently across the stakeholder population.  Plus the perceived benefit of using a self-assessment approach to reduce effort and required support resources is almost always an illusion.  Most of the time saved in not having someone ask the questions and record the answers is instead consumed by needing to explain the format, explain the questions or trying to clarify and clean up the responses.  While supporting one such program recently each assessment required a kick-off meeting, a follow-up meeting to review the status of the assessment, a third meeting to review the initial draft of the questionnaire, a fourth meeting to review the resulting report(s) and a largely untracked number of hours to help generate all of the related support documentation.  Regardless of the size of the entity being assessed each one consumed somewhere close to eight hours.  While that might seem like a scary large number, the really scary part was that based on which risk analyst was responsible for the assessment and the personality/mindset of the stakeholder completing it the results looked very different from one another.  It was almost impossible to generate meaningful metrics across the assessment population because a “Yes” answer for one question might mean the same as an “N/A” in another; there was no way to know that.</p>
<p>Another issue I’ve always had with the self-assessment approach is that while some stakeholders take it seriously and do a remarkably thorough job, others race through it with little hesitation just to fill in the blanks and get it off their desk.  Sometimes you can detect which is which, sometimes you can’t.  Plus the approach fails to capture much of the rich and relevant information related to each question and the underlying risk behind it.  I recall conducting a team-driven risk assessment years ago where one stakeholder after the next, covering a very broad sampling of the infrastructure, kept lamenting the lack of a proper disaster recovery plan.  They had something to show auditors/examiners but to a person no one believed it was a truly viable plan.  All but the CIO brought it up as a concern and when pressed a bit about why that was they all shared a common concern: If their main office was closed unexpectedly for twenty-four hours, regardless of the reason, they were likely out of business.  A related self-assessment question would ask “Do you have a current and recently tested DR plan?” – most respondents on that engagement would simply have selected “Yes” and moved on to the next question without ever being challenged to share their concerns.  Where’s the value in having a repository of questions and answers when it fails to capture the true essence or dimension of risk?</p>
<p>And the biggest issue I’ve always had with self-assessment questionnaires and their related templates is that they’re so often poorly designed.  I can guarantee you that each of them has at least one question which makes zero sense to anyone who reads it.  They either answer it based on what they think it’s asking, answer with an “N/A” or require follow-up with the people managing the process to have it explained.  And you’d be amazed how many times even the author is challenged to provide a meaningful answer (including this guy).  One thing’s for certain, a self-anything needs to be designed and written so that everyone understands what they need to do without having their hand held.  Plus it’s rare that questionnaires are customized so that each stakeholder is only asked those questions that truly make sense.  An application owner should never be asked if their anti-virus solution is current and up-to-date.  A business process owner should never be asked about software change management.  Yet seldom have I encountered a self-assessment process which does anything like this and so the audience is burdened with time consuming yet unnecessary questions.</p>
<p>Really though in the end my overriding problem with the self-assessment approach is that it fails to capture the expertise and guiding hand of true risk and assurance people.  The process is often supported by analysts who don’t really have a feel for conducting assessments and are satisfied that all of the blanks are filled in.  I have a nose for when there’s something beyond a simple answer and know when to scratch at the surface to bring it to light.  By not allowing expert hands to guide the process potentially huge amounts of valuable and possibly critical details are being missed, thus undermining any perceived value of the process.  When you consider that all told and tallied the self-assessment approach versus the guided assessment approach doesn’t really save you much time (if any) and that it results in a weaker finished product, why would you elect to use it?  One answer is that regulators push for it because perhaps it’s better than nothing (I can’t get any of those I know to comment).  Another is that the people sponsoring these initiatives lack the fundamental comprehension to understand their options and choose what they perceive as the less complicated approach (again, I don’t know for sure, it’s just a theory).  What I do know is that when done right a risk assessment is management’s best friend, a fundamental belief behind the recent spike in ERM activity.</p>
<p>While recently having my car serviced the mechanic discovered a nest of some sort in the engine block, he thinks it was probably squirrels.  Because of this discovery he went searching for all the wired connections to make sure they weren’t chewed up and destroyed, quite a few were as it turns out (the car had been idle for several months).  The bill only added the cost of the replacement wires but nothing significant for the time it took to first find which were affected and then replace them.  Had I attempted the repair myself I might have noticed the nest and likely would’ve cleared it but know for certain I never would’ve thought to check the wires, where to look for them or what to look for.  I was smart enough to rely on a professional with a nose for that sort of thing and it saved me time, money and best of all the aggravation of having the car break down somewhere unexpectedly.  Good thing I didn’t go the self-repair route.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CFPB: Filling the regulatory void left by Sheila Bair</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/#comments</comments>
		<pubDate>Sat, 21 Jul 2012 20:25:31 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banking crisis]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance officer]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Dodd-Frank]]></category>
		<category><![CDATA[economy]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[lending]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[mortgage]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[NCUA Sheila Bair]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[security PII]]></category>
		<category><![CDATA[Sheila Bair]]></category>
		<category><![CDATA[social security numbers]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[third party management]]></category>
		<category><![CDATA[third party oversight]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=935</guid>
		<description><![CDATA[I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he&#8217;s just a whole lot less [...]]]></description>
				<content:encoded><![CDATA[<p>I was an unabashed fan of Sheila Bair and made no secret of that fact.  She was a breath of fresh air in a line of work where everything is stale and always at least a little boring.  Not that Martin Gruenberg is any less effective running the FDIC, he&#8217;s just a whole lot less interesting to pay attention to.  And in the time since Ms. Bair stepped down I&#8217;ve just not been finding much to blog about regarding things the government is doing.</p>
<p>Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here&#8217;s why:  They focus on things that impact my day-to-day life (and yours as well).</p>
<p>I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies, I was surprised (you don&#8217;t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update, I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.</p>
<p>The first CFPB update that caught my attention was labeled <a title="CFPB Regulations" href="http://www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-adopts-rule-for-the-protection-of-privileged-information/" target="_blank">12 CFR Part 1070</a> and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third-party vendor would be required to.  Despite their being a Federal agency they weren&#8217;t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI will be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I&#8217;ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn&#8217;t much else done to the offending examiner or their agency.  And the affected institution couldn&#8217;t really complain too loudly because it&#8217;s always a bad idea to challenge your regulators, even when you&#8217;re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I&#8217;d expect to see.  Those were the first points on the board for the CFPB.</p>
<p>The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one: &#8220;<a title="Reverse Mortgage Report" href="http://www.consumerfinance.gov/pressreleases/consumer-financial-protection-bureau-report-finds-confusion-in-reverse-mortgage-market/" target="_blank">Consumer Financial Protection Bureau report finds confusion in reverse mortgage market</a>&#8221;.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage, I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and, most importantly, it made sense.  Reverse mortgages are growing in popularity and their main audience is the senior citizen segment of society.  Seniors tend to be more easily misled, and they&#8217;re under greater pressure to find new money sources (courtesy of our recession) at a time in their lives when going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).</p>
<p>Here&#8217;s my really bizarro advice to any of you with even the slightest interest in regulatory oversight: if you haven&#8217;t already done so, visit <a title="CFPB - Home" href="http://www.consumerfinance.gov/" target="_blank">www.cfpb.gov</a> and take a look around.  It&#8217;s oriented towards lay people, not just lawyers and regulators (and practitioners like me), and addresses topics and concerns that affect the majority of our population.  Basically it&#8217;s what I would expect from a regulator that still has that new agency smell but nothing like I&#8217;ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!  Now repay my kind words by going out and getting me some juicy enforcement stories to write about.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/cfpb-filling-the-regulatory-void-left-by-sheila-bair/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk: The core issue behind regulatory requirements</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/#comments</comments>
		<pubDate>Fri, 06 Jul 2012 03:18:40 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[Risk IT]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk rating]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=923</guid>
		<description><![CDATA[There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family [...]]]></description>
				<content:encoded><![CDATA[<p>There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family and they&#8217;ll tell you that I work with computers.  Ask my extended circle and they&#8217;ll tell you that I do a lot of work with banks and credit unions.  For those who aren&#8217;t in the banking business it&#8217;s difficult to understand exactly what it is that I do and so they find it easier to keep it simple; I do a lot of work with computers for places where people deposit their money.</p>
<p>Of course the truth is much more complicated.  I don&#8217;t just focus on computers; my scope expands to include anything that involves sensitive information.  While that always includes a variety of devices it also includes paper-based and people processes as well.  I frequently share stories about the enormous amount of printed content that&#8217;s to be found throughout an institution&#8217;s physical locations.  I occasionally tell stories about how careless people can be when on the phone or in conversation and sharing all manner of sensitive information.  It&#8217;s never just about computers; it is, however, always about information and how it needs to be protected.</p>
<p>Truthfully, though, what I really do is search for controls that protect information, identify those that I find and try to measure their effectiveness and, more importantly, identify where controls are missing and work with my clients to remedy that.  At the heart of the regulatory requirements I focus on it&#8217;s all about the risk introduced by the presence of information, from personally identifiable (PII) to non-public personally identifiable (NPPI).  Risk: It&#8217;s what drives every single project I work on, it&#8217;s what drives every product and process I help develop.  And really, if you take the time to read through the literature, it&#8217;s what&#8217;s behind just about every piece of regulation known to the banking world.  Risk, risk, risk and risk.</p>
<p>One of the reasons I&#8217;ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it&#8217;s a simple enough argument to make with fewer people to convince: everything you do to comply with the regulations should be risk-based.  It doesn&#8217;t really make a difference if it&#8217;s complicated to do or time consuming; you prioritize based on where the risks are found and make decisions accordingly.  But that gets much more difficult to do as the institutions grow in size and complexity.  Over the fifteen years I&#8217;ve been building and supporting compliance initiatives I&#8217;ve worked with Fortune 50s, 100s and 500s and a whole lot of financial institutions that merely read Fortune magazine.  But while their overall size varies widely, risk is still risk and that never changes.</p>
<p>I wish more practitioners embraced this simple concept.  While some do, many still don&#8217;t.  There&#8217;s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors.  Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess, or what to look for when conducting any type of assessment, my first line of logic is to try and figure out where the greatest possible exposures are to be found.  Assessing a low-risk application yields little value no matter how complete it may be.  And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.</p>
<p>Beware the practitioner who wields a hammer for they only know to look for nails.</p>
<p>Your regulator doesn&#8217;t want you to blindly implement compliance programs; they want you to identify and manage risks, real risks.  They want to be able to understand the logic and approach being used and find credible evidence that you&#8217;re focusing your efforts on the right things.  Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and talk about using approaches which are appropriate for the size and complexity of your institution.  Then scan through your related program inventory and figure out if you&#8217;ve designed things accordingly.  Are they actually protecting your institution from credible threats and risks or are they just filling binders on your compliance officer&#8217;s shelves?</p>
<p>For me, professionally, I&#8217;d prefer to always only do meaningful work, and in the audit and assurance world meaningful is code for risk-based.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internal Audit: Whose side are they on anyway?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/internal-audit-whose-side-are-they-on-anyway/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/internal-audit-whose-side-are-they-on-anyway/#comments</comments>
		<pubDate>Sun, 29 Apr 2012 19:43:33 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control owners]]></category>
		<category><![CDATA[controls]]></category>
		<category><![CDATA[findings]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risks]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=909</guid>
		<description><![CDATA[Until internal audit is seen as part of the solution, not part of the problem, it's going to remain, well, a problem.  Until control owners gain a sense that by developing a healthy dialogue with their auditors it will only help things and not hurt them, it will continue to be a problem.  And until all involved parties working for the company feel as though they're working towards a common goal it will remain a problem.]]></description>
				<content:encoded><![CDATA[<p>My first encounter with an auditor was back in the mid-90s while working as an application project manager for a Fortune 100 company.  The group responsible for change management was going through an audit of their process and one of the changes that was selected for review happened to belong to my team.  I remember the insane amount of activity that went into preparing for the audit, how every folder was pulled in advance of turning it over to the audit team and how every document was checked and double-checked to make sure everything that should have been done at the time was.  And when issues were identified that could be fixed they were fixed; missing forms were completed, backdated and inserted into the folder, missing signatures were obtained and by the time the auditors showed up everything looked perfect.  It all seemed such a waste of time to me because we didn&#8217;t figure out why things weren&#8217;t done right the first time, the auditors seemed happy enough to check off that they received everything they expected and in the end an enormous amount of work went into making sure nothing really happened.</p>
<p>That first experience has arguably tainted my opinion of the role played by internal audit for nearly twenty years.  Subsequent to that first encounter I&#8217;ve been audited a few more times, assisted clients in preparing for internal audits many times and have had hundreds of interactions either directly or indirectly with a variety of companies&#8217; internal audit functions.  And despite all of this experience and having eventually become an auditor myself I&#8217;m not sure I could present a credible argument as to where there&#8217;s real value being generated by the process beyond maintaining appearances.</p>
<p>The first problem is that for most companies there&#8217;s an unhealthy fear of auditors.  There&#8217;s often real concern that if any major issues are uncovered someone&#8217;s head will roll.  At the aforementioned Fortune 100 company, it was widely believed that if your group was found to have a material finding (or anything remotely resembling one) the highest ranking person in the group was doomed.  To their credit the company also had a mechanism in place so that if you figured out that you had a problem before anyone else and self-reported it you were allowed appropriate time to remediate.  But that wasn&#8217;t always effective enough because most application and business managers weren&#8217;t auditors and couldn&#8217;t always recognize when a control was either missing or failing, and so there was still an enormous amount of work and panic leading up to a scheduled audit.  I remember thinking that the company should remove the threat of termination and encourage both auditor and auditee to work openly and honestly together so that in the end issues were surfaced, defined and repaired.  In the two decades since I&#8217;ve worked with and for a few companies who believed they had this healthier sort of dynamic in place between their internal audit department and its business and technology functions but really in the end it&#8217;s almost always the same problem.  Internal audit is viewed as an unforgiving and punishing agent and no one ever wants them snooping around.</p>
<p>The second problem is that there&#8217;s a degree of incompetence found within many internal audit functions.  While conducting my first technical audit back in 1997 (my company was managing an outsourced audit plan) I identified a significant issue with the methodology used to make production changes in a certain database environment.  It resulted in there being virtually no clear or simple way for the DBA to back out a change if it didn&#8217;t work.  If a change failed it would require bringing down production for several hours in order to restore things to the previous state.  The first person who challenged my finding was the internal auditor who had audited the same platform for years and didn&#8217;t either understand or agree with the finding.  It took me nearly an hour to first educate him as to why the technical issue existed, prove that it did and finally get him to agree with the associated risks.  He had worked there for years, had never had the chance to see how other companies managed similar infrastructures and was way more concerned with his authority and capabilities being challenged than with the fact that his company had a significant risk to be repaired.  In the time since I&#8217;ve met many more people just like that one, auditors who stay at one company for years, fall into bad habits and fail to keep their skills relevant.  They wind up relying too much on the Internet to try and update their knowledge base, don&#8217;t have the perspective of understanding how other companies are managing similar challenges and are happy enough to bring out the same whipping stick and a feeling of empowerment to scare the daylights out of internal control owners while conducting their audits.  It results in poorly formed and often irrelevant findings that waste everyone&#8217;s time.  I wish I had a ten dollar bill for every instance I knew of where something was being fixed because it was easier to appease the auditor than it was to convince them their finding was flawed or even wrong.</p>
<p>Now I&#8217;m not saying all internal auditors are incompetent, they&#8217;re not.  I&#8217;ve met some brilliant and extremely effective internal auditors along the way.  And in those environments audits weren&#8217;t feared because there was a high degree of confidence that if an issue was identified it was something worth knowing about.  But in almost all of those cases the auditors involved had only been with their company for a few years, not decades.</p>
<p>The third problem is that audit needs to be seen as adding value, not creating unnecessary delays or work.  Practically speaking, internal audit is playing for the same team as the control owners whose processes they assess.  Their primary goal shouldn&#8217;t be to notch as many findings as possible on the board but rather to identify weaknesses and deficiencies so that they can be remediated and help further harden the infrastructure and reduce risks.  I understand the need for the function to maintain independence and separation, but only so they can remain objective, not so they can operate as though they&#8217;re the ultimate authority on right and wrong and beyond reproach.  If they&#8217;re invited to participate early in a project and find issues they should issue interim findings so that small problems don&#8217;t become bigger problems further on down the project road.  If you wait for the post-implementation audit to document early stage issues you&#8217;re not really helping anyone.  If they abuse being granted access to meetings and documentation long before the audit function is typically engaged, the only predictable outcome is that access will be denied until someone forces the issue.  And one more major issue I routinely find with internal audit is that no matter how strong or weak a finding may be, no matter how poorly or strongly worded, no matter how relevant or irrelevant, they all too often defend it as though it&#8217;s gospel that&#8217;s beyond reproach.  Why is that?  Why can&#8217;t the control owner question the finding, demand clarity or try to frame its relevancy?  All auditors should feel an obligation to issue a final report which resonates with everyone involved as being accurate and hopefully fair.</p>
<p>Until internal audit is seen as part of the solution, not part of the problem, it&#8217;s going to remain, well, a problem.  Until control owners gain a sense that by developing a healthy dialogue with their auditors it will only help things and not hurt them, it will continue to be a problem.  And until all involved parties working for the company feel as though they&#8217;re working towards a common goal it will remain a problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/internal-audit-whose-side-are-they-on-anyway/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The trouble with GRC.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-grc/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-grc/#comments</comments>
		<pubDate>Mon, 05 Dec 2011 23:54:13 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessments]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=844</guid>
		<description><![CDATA[There's no real shortcut to identifying where to begin laying down your most fundamental steps for a GRC program.  Only you and others in your institution can identify both the pain points and also the most obvious opportunities. ]]></description>
				<content:encoded><![CDATA[<p>I love GRC, at least the concept.  I&#8217;ve gotten way more than my fair share of print time expounding on its many virtues and how it continues to make inroads into so many organizations.  It&#8217;s the next and necessary step in the evolution of audit and compliance, a fact (yes, fact) of which I&#8217;m certain.</p>
<p>But why is it that no one can ever truly and honestly agree on what exactly GRC is?  I first wrote about this very issue in 2008, then again in 2009 and 2010 and once again earlier this year.  Beyond the too few thought leaders on the topic there&#8217;s very little clarity.  And most of the credible GRC sources seldom extend from the theoretical to the practical (my opinion but let&#8217;s remember, this is my blog).  For those in the trenches who have a vested interest in trying to apply the most basic elements of the discipline there&#8217;s very little out there available to help them figure out where to begin and what to do.  When you throw the dozens of vendor-spawned interpretations into the hodgepodge of concepts it becomes nearly impossible for any two people to ever agree on something close to a common definition.</p>
<p>What a shame.</p>
<p>It&#8217;s a shame because conceptually GRC is too important of an evolutionary step within the audit and compliance space to be botched.  The huge pile of industry and government requirements seems to grow almost daily, the amount of resources available to manage the work only seems to shrink daily and these trends show no sign of slowing down.  The blueprint for a better and more efficient approach is right there before us practitioners and yet we can&#8217;t quite see the forest for the trees.  I&#8217;m not sure what the primary reasons are or if they can even be boiled down to just a few but I&#8217;m gonna give it a try just the same.</p>
<p>First, stop listening to the software vendors explain what GRC is or isn&#8217;t.  They have solutions to sell and while some of them are truly impressive they&#8217;re going to align their GRC definition with the capabilities of their product.  Second, stop reading white papers and frameworks.  There is some very important content available in the industry published by some very, very bright people but in the abstract much of it is at best daunting to internalize or understand and at worst suffocating to the point where you&#8217;ll just get frustrated and put it away for another time.  Third, don&#8217;t think you can simply bring in an advisory firm to either define or develop a related program.  My experience in working on GRC inspired projects is that both the corporate culture and its capabilities are way too important of an element to either overlook or underestimate.  An external perspective often can&#8217;t detect these nuances and so what they design is doomed to failure because it can&#8217;t be sustained in the real world.</p>
<p>What can you do to overcome these all too common pitfalls?  Your homework.</p>
<p>There&#8217;s no real shortcut to identifying where to begin laying down your most fundamental steps for a GRC program.  Only you and others in your institution can identify both the pain points and also the most obvious opportunities.  All too often the first step involves forming a committee, which is usually a recipe for delay (someone I worked with years ago once advised that if you want to make sure a project never happens, bury it under a committee).  But what you can do is seek out and enlist the support of partners that share a like mind or a common goal.  I don&#8217;t usually recommend engaging internal audit at the onset but you might want to include a trusted member of its team.  You might even consider reaching out to your examiner for suggestions on where to begin.  Perhaps you have control owners within your infrastructure who spend way too much time generating content to satisfy compliance requirements and are willing to lend a hand if it means easing their burden at some future point.  But whatever you do to start forming a team and outlining ideas you need to think it through with your expert knowledge and understanding of your institution&#8217;s capabilities.</p>
<p>Once you begin forming that plan with some deliverables and goals you can consider augmenting your efforts with an expert GRC hand to guide you.  Once you firm up what you think your organization is capable of and have had the chance to vet that plan with key stakeholders you can research GRC products that are closely aligned with what you&#8217;re looking to accomplish (the right vendor will want to learn about what you&#8217;re trying to do rather than tell you how to do it, trust me.  And yes, I&#8217;m biased).  And once you have a stronger sense of what you&#8217;re looking to accomplish you can engage the structured approach of a framework.</p>
<p>Oh and as for a single definition of GRC I&#8217;m clinging to the one I&#8217;ve been using since first reading about it several years ago.  GRC harmonizes efforts across previously detached disciplines that existed in their own silos within an organization (this is my fancy version).  In simpler layman&#8217;s terms it&#8217;s the point of integration between related functions, reducing redundant activities and allowing the left and right hand to work together.  And the only wrong way to try and implement some of its elements is to not even try.</p>
<p>No matter its size your institution is neither too small nor too complex to benefit from GRC.  No matter how many times you may have tried to build something unsuccessfully it&#8217;s entirely possible to accomplish.  No matter how overwhelming or confusing you&#8217;ve found the concept to be at the point where you tried to get the rubber to meet the road there&#8217;s a simpler more viable approach.</p>
<p>Make it your corporate New Year&#8217;s resolution for 2012, I implore you.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-grc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Compliance professionals need thick skins</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/compliance-requires-hard-decisions/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/compliance-requires-hard-decisions/#comments</comments>
		<pubDate>Fri, 23 Apr 2010 22:14:59 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[bcp]]></category>
		<category><![CDATA[business continuity planning]]></category>
		<category><![CDATA[controls]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[IT General Controls]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[Vendor Management]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=344</guid>
		<description><![CDATA[Compliance requires hard decisions, thick skin and consistency.  If you're more inclined to be affected by acceptance rather than respect it may not be the right line of work for you. ]]></description>
				<content:encoded><![CDATA[<p>I&#8217;ve often surprised people when it comes to conducting audit/assessment work or developing compliance programs.  Generally speaking, I&#8217;m a reasonable person who typically exhibits an abundance of flexibility in my day-to-day life.  However, when it comes to my career, I tend to be much more of a hard-liner, someone who shuns gray areas and instead tries to view everything in a binary fashion: you&#8217;re either compliant or not, you&#8217;re either following your rules or you&#8217;re not.  I&#8217;m the guy who hates to take findings out of an audit report in order to appease the client, or to accept excuses (legitimate or otherwise) as to why things aren&#8217;t being done according to the rules.</p>
<p>But every now and again I find a situation that makes me think that maybe, just maybe, an exception can be made.</p>
<p>In working with a client on implementing a compliance program, it became apparent that by adhering to the exact letter of the law specified within the documentation, they&#8217;d immediately be out of compliance on day one in a very large, obvious way.  Typically when dealing with such a situation, I advise the client to develop a schedule indicating the dates by which they expect to get all their work done and be fully compliant.  For vendor management, I usually recommend twelve months; for Red Flags it&#8217;s usually six months; and for security awareness it&#8217;s three months.  As long as the plan and related schedule are documented and you can prove that you&#8217;re adhering to them, examiners and auditors alike will usually give you a free pass until the next time around.</p>
<p>Even so, in this instance nearly half of all the in-scope work would be displayed as overdue right up front.  No one wants to see that on a screen or in a report, no one wants to risk having senior management see that information and absolutely no one ever wants to explain to an examiner/auditor why they have so much work still to do (even with a solid explanation and plan).</p>
<p>And so I blinked.  I considered, in this instance, a way to introduce a new rule that would allow the client to theoretically use my approach of scheduling all the work to be completed within a set time frame (twelve months in this case) but wouldn&#8217;t have to show anything as being overdue.  It seemed less like the right thing to do than the kind thing to do.  I even went so far as to scope out my idea in writing and share it with my fellow compliance experts in our practice.</p>
<p>As it turns out, I apparently have had an influence in how all of us view such matters, because the first question I was asked was what I would do if I were managing the program.  I wouldn&#8217;t come up with any special rules to avoid being accurate and honest, that&#8217;s for certain; it is what it is.  I was then asked if I was willing to bend the rules in other projects, say an audit, for example.  Well, considering I&#8217;ve excused myself from audits in the past because management (at previous companies) elected to remove findings or soften them in order to keep the clients happy, I knew the answer was a resounding &#8220;no.&#8221;  So I was asked why I was looking to bend the rules now.  Good point.</p>
<p>What audit and compliance practitioners have to do is often unpopular and sometimes very difficult.  We&#8217;re often perceived as inflexible or unreasonable.  But the truth is that your compliance and/or controls framework is only as effective as its weakest link; if you start making exceptions in one area it quickly becomes expected in others.  Once one control is weakened in exchange for making things easier or more palatable, the integrity of the whole enchilada suffers.</p>
<p>Compliance requires hard decisions, thick skin and consistency.  If you&#8217;re more inclined to be affected by acceptance rather than respect, it may not be the right line of work for you.  Or as I&#8217;m fond of saying, it requires that you&#8217;d rather be right than popular.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/compliance-requires-hard-decisions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Regulatory compliance bits and bytes</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/regulatory-compliance-bits-and-bytes/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/regulatory-compliance-bits-and-bytes/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 17:23:52 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessments]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bcp]]></category>
		<category><![CDATA[business continuity planning]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<category><![CDATA[DR]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[NCUA Sheila Bair]]></category>
		<category><![CDATA[Pandemic Planning]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=217</guid>
		<description><![CDATA[Do you really think it reflects well on your institution that you haven’t taken a serious look at the myriad risk factors swirling about your infrastructure for any considerable length of time? ]]></description>
				<content:encoded><![CDATA[<p class="MsoNormal">Many years ago I found myself in one of those awkward moments where I needed to pay for something but didn’t have enough cash on hand to cover the bill. Rather than do the smart thing and find an ATM, I instead elected to rip through my car and dig up all of the change that had been accumulating over the months and miles. After about five minutes and some disturbing encounters (food can morph into some bizarre forms when left under a car seat for too long) I somehow managed to come up with enough change to cover the shortfall. It’s amazing what you can pull together when you scavenge around and piece together disparate parts into one coordinated effort.</p>
<p class="MsoNormal">And so it goes with this week&#8217;s post. Here are some nuggets that I&#8217;ve gathered over time:</p>
<p class="MsoNormal"><strong>Policy and procedure:</strong> I was talking to a client today about password expiration intervals. Turns out for one of their products they changed the password expiration to 1,000 days. Their logic was that it was low risk because the application didn’t store NPPI and the security was really only necessary to ensure proper segregation of duties. So I asked them if they had a password policy (they did) and, if so, were they in compliance with the policy (they weren’t). After a momentary silence, their quiet reply was “good point.” Being the auditor that I am, I couldn’t help pointing out that the worst thing any institution could do was to deviate from a documented policy or procedure, regardless of the reason. Once an examiner discovers something like that, they figure it’s an indication of related issues and wind up digging a bit deeper. Document what it is you do and then make sure you’re doing it; while it may seem simple enough, you’d be surprised how many companies fail on that point.</p>
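<p class="MsoNormal">The check the client skipped is a mechanical one: compare what is actually configured on each system against what the written policy says, and treat any gap as a finding regardless of the local risk argument. The script below is an added example, not code from the original post or from the client described in it. The 90-day policy limit, the inventory format (system name, configured maximum password age, whether the system stores NPPI) and the sample systems are all constructed for illustration; the 1,000-day entry mirrors the case in the post. A deviation can only be cleared through a documented, approved exception, which is passed in explicitly rather than inferred from the "doesn't store NPPI" reasoning.</p>

```python
"""Password-expiration policy drift check.

Added example, not the original post's code. The policy value, inventory
layout and sample systems are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordSetting:
    system: str
    max_age_days: int   # configured expiration interval; 0 means never expires
    stores_nppi: bool   # recorded for context only; it does not relax the policy


# Assumed documented policy: passwords expire at least every 90 days.
POLICY_MAX_AGE_DAYS = 90

# Constructed sample inventory; the 1,000-day system mirrors the post's example.
SAMPLE_INVENTORY = [
    PasswordSetting("core-banking", 90, True),
    PasswordSetting("wire-approval", 60, True),
    PasswordSetting("branch-scheduling", 1000, False),
    PasswordSetting("hr-portal", 0, True),
]


def find_deviations(inventory, policy_max_age=POLICY_MAX_AGE_DAYS,
                    approved_exceptions=None):
    """Return (system, configured_days, reason) for every setting that does
    not match the documented policy.

    approved_exceptions maps a system name to the maximum age a documented,
    approved policy exception allows for it. Anything not listed there is held
    to the general policy; the stores_nppi flag is deliberately ignored.
    """
    approved = approved_exceptions or {}
    deviations = []
    for setting in inventory:
        limit = approved.get(setting.system, policy_max_age)
        if setting.max_age_days <= 0:
            reason = "expiration disabled"
        elif setting.max_age_days > limit:
            reason = f"exceeds allowed maximum of {limit} days"
        else:
            continue
        deviations.append((setting.system, setting.max_age_days, reason))
    return deviations


def report(deviations):
    """Render deviations as one finding line per system."""
    return [f"{system}: configured {days} days; {reason}"
            for system, days, reason in deviations]


if __name__ == "__main__":
    for line in report(find_deviations(SAMPLE_INVENTORY)):
        print(line)
```

<p class="MsoNormal">Run as-is, the script flags the 1,000-day system and the system with expiration disabled, and leaves the two compliant systems alone. The only way to make the 1,000-day configuration pass is to hand it in as an approved exception, which is the point: either the configuration changes or the policy (and its exception record) does, and in both cases there is something to show the examiner.</p>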
<p class="MsoNormal"><strong>Pandemic planning:</strong> There’s still heightened concern regarding the swine flu, and my industry continues to beat the drum about needing to have a pandemic response plan in place. While it’s a valid point, I’ve been polling my clients over the past few months regarding their first-hand experiences with the flu epidemic. Only a few have been confronted with any legitimate outbreaks, and none of them have experienced an absentee rate that required unusual planning or intervention. While I’m not advocating that a pandemic response plan is superfluous, I am questioning my peers who are pushing this as a top-of-the-list agenda item. For my money, I’d rather spend time making sure that a properly vetted and tested business continuity plan is in place and spend less time and effort getting caught up in the hype.</p>
<p class="MsoNormal"><strong>SOX:</strong> Banks that are required to be SOX compliant need to take some time to make sure that they’re thinking things through. GLBA is a fairly rigorous and encompassing regulation and extends deeply into a financial institution&#8217;s infrastructure. To a certain extent, it serves to drive a bank&#8217;s general controls framework, be it informal or otherwise, and as a byproduct goes a long way towards establishing controls typically associated with SOX. So when I encounter clients who are tackling SOX as though it’s its own separate set of requirements, I throw up the caution flag and try to force a reset. While it may be true that larger institutions need to extend significantly beyond GLBA to controls around financial reporting within the infrastructure, that would only represent a subset. Before doing anything different, the bank should bring in someone who has experience working with both SOX and GLBA to identify the (many) commonalities and produce a consolidated framework so that efficiencies are both identified and realized.</p>
<p class="MsoNormal"><strong>Year-end activities:</strong> In my last post I discussed how there’s an uptick in services work this time of year, when many banks and credit unions remember that they still need to conduct a wide range of audits and assessments in support of GLBA/NCUA regulations. If you spend some time reading through FFIEC guidance (seriously, it’s not nearly as dry and boring as you might think) there are multiple references to “your most recent audit or assessment.” For those of you who think that the need to conduct this work is suggested rather than required, consider how it looks to your examiner(s) when they discover that your most recent risk assessment was either conducted several years ago or not at all. Do you really think it reflects well on your institution that you haven’t taken a serious look at the myriad risk factors swirling about your infrastructure for any considerable length of time? In a day and age when new threats emerge almost daily, if not hourly, how can you justify neglecting such a critical task? The examiners expect a current set of reports not only because it’s required but also because it’s a clear indication of solid management and oversight activities.</p>
<p class="MsoNormal">And on a final note, I’d like to share <a class="aligncenter" title="FDIC Website" href="http://www.fdic.gov/" target="_blank">this link</a> to the FDIC website. You’ll find a video message from Chairman Bair on the current state of both the FDIC and the banking industry. It’s really more of a “happy recap” (with all due respect to Mets fans) of similar messages she’s released over the last year. But I think it&#8217;s worth your time (about four minutes total) to hear it for yourself and gain a sense of calm about the security of your own deposits. And for those of you who might think I’m keeping to some sort of schedule regarding Sheila Bair references, as long as she keeps doing the right things I’m going to keep bringing her name up.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/regulatory-compliance-bits-and-bytes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
