The Essentials Series
The Business Imperatives of Compliance in the UK
by Kevin Beaver
Article 1: Managing Compliance in the Healthcare Industry
    Healthcare Governance Imperatives in the UK
    The Realities of Transacting with the NHS and the Information Governance Statement of Compliance Requirements
    The Value of Policies and Procedures in Healthcare Organisations
    Security Policy Considerations for the Healthcare Industry
    Getting the Word Out to Users
    Essential Requirements for Effective Information Assurance in the Healthcare Industry
Article 2: Managing Financial Compliance
    Financial Governance Imperatives for Businesses in the UK
    The Realities of the FSA and PCI Regulations
    The Value of Policies and Procedures for Financial Managers
    Security Policy Considerations for the Financial Managers
    Getting the Word Out to Users
    Essential Requirements for Effective Information Assurance in Financial Management
Article 3: Managing Compliance in Business Today
    What Compliance Means in Today’s UK Business Environment
    Management Concerns
    The Value of Policies and Procedures
    Problems Associated with the Lack of Proper Enforcement
    Getting the Word Out to Users
    Essential Requirements for Effective Information Assurance
Copyright Statement © 2008 Realtime Publishers, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers, Inc. (the “Materials”) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers, Inc or its web site sponsors. In no event shall Realtime Publishers, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. 
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at
[email protected].
Article 1: Managing Compliance in the Healthcare Industry

Until recently, the healthcare industry has had little regulation regarding the protection of patient information. With the transition to electronic medical records, Internet-based patient management and collaboration solutions, and the demand for patient privacy, managers in the National Health Service (NHS), Strategic Health Authorities (SHAs), and Approved Service Recipients (ASRs) have seen a growing number of requirements for keeping healthcare records under wraps. As a result, compliance is no longer optional.

Just how do healthcare managers in the UK approach the challenges of governance whilst maintaining a realistic balance of information risk against the associated costs? Simply put, they have to think about compliance in a new way. It is not a one-time grade or status. Rather, compliance is about changing perception of information risks and adjusting past ways of looking at policy and procedure management.

With the growing number of reports on the loss of healthcare records, something has to change. The old ways of managing patient information are obviously not working. As experience has taught, however, making changes will undoubtedly increase the likelihood of problems. Employees working for healthcare organisations often lack the right knowledge and end up misunderstanding the rules. In addition, there are often cultural and personality barriers among healthcare professionals, making the process more difficult. With this, errors and oversights tend to occur, putting the very essence of compliance at risk. Minimising trouble and ensuring compliance long term can only be done by proactively managing these changes.
Healthcare Governance Imperatives in the UK

In 2008, NHS Chief Executive David Nicholson issued a memorandum to NHS organisations regarding the latest NHS Information Governance Toolkit and information security and privacy compliance requirements. Chief Executive Nicholson said:

…we cannot be complacent and continued action is necessary to ensure the adequacy of our systems, procedures, and working practices.

He went on to say that all SHAs should consider an independent audit of their information governance standards associated with the NHS CFH Information Governance Statement of Compliance version 6. Furthermore, all NHS organisations must:

• Include details of incidents involving data loss or confidentiality breach in their annual reports;
• Make specific reference to information governance, in terms of identifying and managing information risks, in their annual Statement on Internal Control;
• Identify a Senior Information Risk Owner at Board level.
Furthermore, according to the NHS Information Governance Statement of Compliance, ASRs must:

…have policies, standards, procedures and systems in place to ensure that they comply with all relevant UK and European legislation and be able to provide evidence, where appropriate, on demand.

In addition to the NHS directives, other UK law affecting the privacy and security of patient information includes the common law duty of confidentiality, the Data Protection Act 1998 and the Human Rights Act 1998. Even with well thought-out compliance documentation, healthcare organisations still have to ensure that the right policies and procedures are properly managed on a consistent basis. This has proved to be the sticking point for many organisations.
The Realities of Transacting with the NHS and the Information Governance Statement of Compliance Requirements

Even with these specific mandates, as with any set of information security regulations, standards frameworks, or best practices, healthcare organisations do have to take into account the following:

• Tangible costs of initial compliance;
• Internal resources required for ongoing oversight;
• Whether, and how, the requirements of all applicable regulations can be managed at once, at the same level, using the same policies and similar procedures.

That said, if healthcare organisations are going to transact in today’s electronic marketplace, they have to work within the parameters of these regulations. Again, compliance is not optional. How you go about implementing it and managing it will determine how simple or difficult it will be.
The Value of Policies and Procedures in Healthcare Organisations

It’s one thing to have well-documented policies and procedures, but demonstrating compliance at any given time is something quite different. Healthcare managers must have the tools and processes for evidencing compliance on demand. This means being able to demonstrate that users are aware of current requirements and processes, and specifically what they have agreed to.
When it comes to compliance, the following are the benefits of sound policies and procedures in a healthcare setting:

• They clearly specify what can or cannot be done.
• They assist with overall information governance and minimising patient and business risks.
• They set expectations of everyone involved, which helps ensure that everyone is approaching things in the same way and sets up all parties for success.
• They spell out exactly what to do and what not to do, which in turn minimises the chances of errors and oversights in daily work.
• They can serve as proof that employees were aware of and agreed to the terms in the event that a violation does occur.
• They demonstrate to regulators and patients that the organisation is serious about compliance.
• They help all business units across the organisation by cutting down on duplicated efforts and ongoing administration, which in turn lowers overall costs.

Policy and procedure documentation not only provides multiple benefits to the organisation, it is the only way to manage sensitive patient records safely and securely. The bottom line is that compliance-related directives and rules not documented are merely dreams and unfulfilled ideas.
Security Policy Considerations for the Healthcare Industry

As in most other businesses, many managers in healthcare organisations do not understand the information risks and compliance concerns that the organisation is up against. There are also managers who assume that just because employees passed a background check and are good workers they are always going to do the right things. These are dangerous assumptions that often get healthcare organisations into trouble quickly.

In my information security work, I see many healthcare organisations failing to adequately implement their policies and procedures. They are often on paper but rarely executed well due to the inherent administrative burden associated with traditional processes. In addition, I often see a general lack of communication between IT, compliance and management, and thus a lot of wasted effort that only serves to create compliance gaps. There are also the cultural and political issues with doctors not wanting to be told how to do their work.

Many people fail to realise that policies and procedures are critical for getting everyone on board and sticking to best practice. This documentation is intended to shape and change behaviour as it relates to handling sensitive healthcare information and basically outlines ‘This is how we do it here’. Unfortunately, policies and procedures are often not used in the way they should be, which ends up creating information risks rather than eliminating them.
It is important to remember the following when putting together compliance-related documentation in a healthcare organisation:

• The complexities of healthcare information systems, business processes, and people often make policies more difficult to enforce.
• An annual review of all documentation is critical to ensure it is still appropriate and applicable.
• Where possible, tie compliance into employee reviews to give people an incentive to follow the policies.
• Not all policies are alike. Some are mandatory and absolutely critical. Others may not be critical for the protection of sensitive healthcare records. Therefore, it is important to use discretion with enforcement.
• Focus on rewarding good behaviour rather than punishing bad behaviour.
• Establish an audit trail that proves delivery of the policies and procedures to everyone involved, monitors their comprehension, and tracks their acceptance of and agreement to each policy.

An integrated information governance and assurance programme, supported by management, must be in place to ensure reasonable compliance with the NHS and other regulations affecting the healthcare industry.
Getting the Word Out to Users

A key concern in healthcare is determining the best way to ensure that employees are aware of all the compliance-related policies and procedures. This is especially important in healthcare organisations where timing is critical. Healthcare employees can rarely afford to take time off from treating patients for policy review and training. In order to ensure that employees understand what is expected of them as efficiently as possible, there first must be central coordination via representatives from HR, Audit, or Compliance teams, facilitated by IT. This will help to ensure consistency and simplify communications across the organisation.

To help with the process, a centralised and automated system should be used, which can help to provide insight into policy viewing, comprehension and enforcement. That is really the only way to make this work without incurring significant administration overhead. Always remember that getting the word out one time is not enough. The secret is to get the word out and keep it out by periodically reminding individuals of compliance concepts and their responsibilities when handling patient information.
Essential Requirements for Effective Information Assurance in the Healthcare Industry

With all the complexities associated with the information systems and business processes in healthcare, management has to be extra vigilant to ensure compliance with all the regulations. This often requires previously unallocated resources, but it still has to be done. In fact, Chief Executive Nicholson acknowledged in his 2008 NHS memorandum that the NHS mandates “require a significant investment of time and energy but we must ensure that the public has, and can continue to have, confidence in our systems, procedures, and working practices.”

Healthcare managers must be aware that just because their organisation is compliant with one regulation, that does not mean it is compliant with all the others. By the same token, compliance does not always mean that sensitive healthcare information is safe and sound, and vice versa.

In order to maintain the checks and balances required for information assurance and compliance in the healthcare industry, organisations must have streamlined procedures and utilise automated controls wherever possible. This will ensure that sustainable and repeatable processes are in place. It will also help to provide strong audit trails that prove delivery of the policies and procedures to everyone involved, monitor their comprehension, and track their acceptance of and agreement to the applicable rules.

Compliance with the NHS regulations, among others, starts with senior management, gets monitored by line managers, and ends with users. Minimising costs, maximising effectiveness and proving ongoing compliance in a reasonable fashion can be accomplished. It is just a matter of choosing the right tools for the job and management ensuring that protecting patient information is getting the attention it needs.
Article 2: Managing Financial Compliance

Since its beginning, the financial sector has had deep-rooted government regulation. With the transition to Internet-based solutions and the demand for customer privacy, financial institutions have seen even stricter policies and requirements from both government agencies and industry bodies. Practically any and all financial-related information that is stored, processed, or otherwise handled falls within the scope of these regulations. Financial-based organisations both large and small are affected, and compliance with these regulations is not optional.

Just how do finance directors and managers in the UK approach the challenges of governance whilst maintaining a realistic balance of information risk against the associated costs? Simply put, it is necessary to think about compliance in a new way. It is not a one-time grade or status. Rather, compliance is about changing your perception of information risks and adjusting past ways of looking at policy and procedure management.

As experience has taught us, changes such as these in the business environment increase the likelihood of problems. Things are constantly evolving and shifting, especially in the financial sector. Employees working for financial institutions or dealing with financial transactions often lack the right knowledge and end up misunderstanding the rules. With this, errors and oversights tend to occur, putting the very essence of compliance at risk. Minimising trouble and ensuring compliance long term can only be done by proactively managing these changes.
Financial Governance Imperatives for Businesses in the UK

Many of the laws passed in the UK and globally in recent years affecting information privacy and security touch financial institutions, either directly or indirectly. The Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000, among others, create substantial compliance burdens on UK-based financial institutions and on those organisations that transmit, process, or store payment card data. This oversight is especially challenging for employers, in large part due to the requirements of keeping employees “in the know” and ensuring that policies and procedures are not only followed but enforced. For example, the supplementary guidance to Part 3 of the Employment Practices Data Protection Code issued by the Information Commissioner’s Office states:

The capabilities of electronic systems should be used to remind workers of their responsibilities. These can be set so that workers cannot proceed to access the internet or e-mail services without acknowledging the acceptance of certain conditions.

Even with well-thought-out compliance documentation, organisations still have to ensure that the right policies and procedures are properly managed on a consistent basis. This has proved to be the sticking point for many organisations.
Given all the laws and regulations affecting the financial sector in the UK, none has had a more direct impact on managing information risk than the Financial Services Authority (FSA) rules and the Payment Card Industry (PCI) standard. The FSA rules, like most others, require financial institutions to do what is right and adequately protect sensitive information. Three of the FSA Principles for Businesses apply directly here:

• A firm must conduct its business with due skill, care and diligence.
• A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
• A firm must arrange adequate protection for clients' assets when it is responsible for them.

Another relevant rule is FSA Senior Management Arrangements, Systems and Controls (SYSC) 3.2.6, which states:

(1) A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.

Financial institutions can only comply with this rule by having an adequate information risk management system in place that includes the right policies and procedures.

The PCI Data Security Standard (DSS) affects any organisation that transmits, processes, or stores payment card data in the UK. Unlike the FSA rules, PCI DSS is not legislation: it is an industry standard for protecting cardholder data, enforced contractually through the card brands and acquiring banks. Although it has a very specific focus and only twelve top-level requirements (each with detailed sub-requirements), it still necessitates that organisations adhere to the widely accepted practices of developing a policy and properly disseminating its requirements to employees. PCI DSS Requirement 12 states ‘Maintain a policy that addresses information security’. Relevant subcomponents include:

12.1 Establish, publish, maintain, and disseminate a security policy…
12.2 Develop daily operational security procedures that are consistent with requirements in this specification…
12.3 Develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
12.5 Assign to an individual or team…information security management responsibilities.
12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
The consequences of failing to comply with the FSA rules and PCI DSS are like those of many other regulations affecting information privacy and security. With the FSA, individuals can be banned from the industry, firms can lose their permission to carry on regulated business, and there are fines and potentially prison sentences. With PCI DSS, there are fines levied through the card brands and, ultimately, the loss of the ability to accept payment cards, which hardly any business can afford to be without. With these regulations, the message is loud and clear that management in UK-based financial institutions has undeniable fiduciary responsibilities.
The Realities of the FSA and PCI Regulations

As with any set of information security regulations, standards frameworks, or best practices, financial institutions do have to look at the FSA and PCI regulations realistically. Management never has and never will just throw money and other resources at becoming 100% compliant with 100% of every regulation without reasonable justification. Those holding the purse strings must consider:

• Tangible costs of initial compliance;
• Internal resources required for ongoing oversight;
• Whether, and how, the requirements of all applicable regulations can be managed at once, at the same level, using the same policies and similar procedures;
• Whether or not compliance requirements mesh with the goals and intentions of the business.

With this said, if financial institutions are going to do business with the rest of the world in today’s electronic marketplace, they will undoubtedly have to work within the parameters of the government and industry regulations being thrown at them.

It is also important to note the dangerous assumptions often made with regard to information assurance and compliance. By and large, most regulations say the same things and have the same requirements; the wording is just a little different. However, just because a financial institution is compliant with one regulation does not mean it is compliant with all the others. By the same token, information security and assurance do not directly correlate with compliance. In other words, compliance does not always mean that sensitive financial information is safe and sound, and vice versa.
The Value of Policies and Procedures for Financial Managers

It is one thing to have policies and procedures documented, but being able to demonstrate compliance is something quite different. Those responsible for policy and procedure oversight in financial institutions and departments must be able to provide evidence of compliance on demand. This means being able to demonstrate that users are aware of current requirements and processes, and specifically, what they have agreed to. However, without the right systems in place, this is no simple task. When it comes to compliance, the following are the real benefits of sound policies and procedures:

• They clearly specify what can or cannot be done.
• They assist with overall corporate governance and minimising business risks.
• They set expectations of everyone involved, which helps ensure that everyone’s thinking is aligned and sets up all parties for success.
• They spell out exactly what to do and what not to do, which in turn minimises the chances of errors and oversights in daily work.
• They can serve as a fall-back layer of insurance in the event that a violation does occur.
• They demonstrate to regulators, business partners and even customers that the business is serious about compliance.
• They help all business units across the organisation by cutting down on duplicated efforts and ongoing administration, which in turn lowers overall costs.

The bottom line is that compliance-related directives and rules not documented are merely dreams and unfulfilled ideas.
Security Policy Considerations for the Financial Managers

More often than we like to think, managers in financial institutions and departments do not understand the information risks and compliance concerns the business is up against. There are also managers who assume that employees are always going to do the right thing. How is anyone supposed to support compliance within the organisation if management does not have its priorities straight and the right mindset for compliance?

In my work as an information security consultant, I see many financial firms failing to adequately implement their policies and procedures; likewise with employee training and awareness. It is often on paper but rarely done well. In addition, I often see a general lack of communication between IT, compliance and internal audit, and thus a lot of wasted effort that only serves to create compliance gaps.
A key point often forgotten by management is that policies and procedures are living documents that must be proactively managed. Many people also fail to realise that policies and procedures are needed to outline ‘This is how we do it here’. This documentation is intended to shape and change behaviour as it relates to handling sensitive financial information and doing business in such a dynamic market. Unfortunately, it is often not used in the way it should be, and therefore creates, rather than helps to eliminate, business risks.

It is important to remember the following when putting together compliance-related documentation in any financial institution or department:

• The complexities of financial information systems and related business processes often make policies more difficult to enforce.
• Higher employee turnover in certain financial sectors can make it difficult to get the word out, and keep it out, on what is expected.
• An annual review of all documentation is critical to ensure that it is still appropriate and applicable.
• Wherever possible, tie compliance into employee reviews to give people an incentive to abide by the policies.
• Not all policies are alike. Some are mandatory and absolutely critical. Others may not be critical for the protection of sensitive financial information. Therefore, it is important to use discretion with enforcement.
• Focus on rewarding good behaviour rather than punishing bad behaviour.
• Establish an audit trail that proves delivery of the policies and procedures to everyone involved, monitors their comprehension, and tracks their acceptance of and agreement to each policy.

An integrated information governance and assurance programme, supported by management, must be in place to ensure reasonable compliance. A key component of a solid programme is using centralised and automated technologies to simplify the process wherever possible and reasonable.
Getting the Word Out to Users

A key concern in the financial arena is determining the best way to ensure employees are aware of all the compliance-related policies and procedures. This is due, in large part, to the myriad controls and regulations in the financial world that complicate things more than in the average business. In order to ensure that employees understand what is expected of them, you must make sure the lines of communication are always active and people are free to ask questions and submit concerns. This will help to support employees not only in signing off on policies but also in understanding what the policies actually mean and how their responsibilities fit in with their daily job functions.

By and large, getting the word out to everyone consistently and effectively is not as easy as it may seem. One thing is certain: the old method of documenting everything in a manual that’s placed on a shelf and never referenced again doesn’t work. To ensure consistency, communication should be coordinated by a centralised source such as HR, Audit, or Compliance teams and facilitated by IT. The responsible group can then disseminate the information. This can and should be done using automated technologies whenever possible. In fact, a centralised solution that provides insight into policy viewing, comprehension, and enforcement is the only realistic way to make this work without incurring significant administration overhead. The secret is to get the word out and keep compliance concepts and responsibilities at the top of people’s minds.
Essential Requirements for Effective Information Assurance in Financial Management

With all the complexities associated with the information systems and business processes in most financial institutions and departments, management has to be extra vigilant to ensure compliance with all the regulations. This may mean investing more resources to make it happen, something that financial institutions are not unfamiliar with.

In order to maintain the checks and balances required for information assurance and compliance in the financial sector, organisations must have streamlined processes and utilise automated controls wherever possible. This will ensure sustainable and repeatable processes are in place. Be careful, though. Financial institutions with even the most advanced manual processes and technologies may be unable to meet the latest governance requirements if they’re not properly implemented and administered. In the end, strong audit trails are needed that prove delivery of the policies and procedures to everyone involved, monitor their comprehension and track their acceptance of and agreement to the applicable rules.
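The audit trail called for above (and in the healthcare article's Essential Requirements section), together with the ICO guidance quoted earlier that workers should not be able to proceed to e-mail or Internet access without acknowledging conditions, can be implemented as a small attestation ledger. The Python below is an added example written for this page; it is not the author's code or any vendor's product. It assumes three recorded steps per user and policy version (delivered, comprehension check passed, acknowledged), identifies a policy version by a digest of its text so that an edit after the annual review automatically makes every earlier acknowledgement stale, and chains the records with SHA-256 so that a later alteration of the trail is detectable. The policy text, user names and dates are constructed for illustration.

```python
"""Policy attestation ledger (added example for this article, not a product).

Events are hash-chained so an altered or deleted earlier record is detectable,
and a policy version id is derived from the policy text so a revision puts
every user back into the outstanding state. All sample data is constructed.
"""
from __future__ import annotations
import dataclasses
import hashlib
import json

GENESIS = "0" * 64
STEPS = {"delivered", "quiz_passed", "acknowledged"}   # all three make a user current


def policy_version_id(title: str, text: str) -> str:
    """Content-derived identifier for one version of a policy."""
    return hashlib.sha256(f"{title}\n{text}".encode("utf-8")).hexdigest()[:16]


def _digest(seq: int, when: str, user: str, policy: str, version: str,
            kind: str, prev_hash: str) -> str:
    """Digest over the canonical JSON form of one event plus the previous digest."""
    payload = json.dumps([seq, when, user, policy, version, kind, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclasses.dataclass(frozen=True)
class Event:
    seq: int
    when: str          # ISO date such as "2008-03-01"
    user: str
    policy: str
    version: str
    kind: str          # one of STEPS
    prev_hash: str
    digest: str


class AttestationLedger:
    def __init__(self) -> None:
        self._events: list[Event] = []
        self._current: dict[str, str] = {}   # policy title -> current version id

    def publish(self, title: str, text: str) -> str:
        """Publish a policy, or re-publish it after review; returns the version id."""
        version = policy_version_id(title, text)
        self._current[title] = version
        return version

    def _steps_done(self, user: str, policy: str, version: str) -> set[str]:
        return {e.kind for e in self._events
                if e.user == user and e.policy == policy and e.version == version}

    def record(self, when: str, user: str, policy: str, kind: str) -> Event:
        """Append one event against the current version of the policy."""
        if kind not in STEPS:
            raise ValueError(f"unknown event kind {kind!r}")
        version = self._current[policy]
        # Control: an acknowledgement is only accepted after delivery and a passed
        # comprehension check for this exact version, so the trail can prove both.
        done = self._steps_done(user, policy, version)
        if kind == "acknowledged" and not {"delivered", "quiz_passed"} <= done:
            raise ValueError("delivery and comprehension check must precede acknowledgement")
        seq = len(self._events)
        prev_hash = self._events[-1].digest if self._events else GENESIS
        event = Event(seq, when, user, policy, version, kind, prev_hash,
                      _digest(seq, when, user, policy, version, kind, prev_hash))
        self._events.append(event)
        return event

    def verify_chain(self) -> bool:
        """Recompute every digest and link; False if any record was altered or removed."""
        prev_hash = GENESIS
        for i, e in enumerate(self._events):
            expected = _digest(e.seq, e.when, e.user, e.policy, e.version, e.kind, e.prev_hash)
            if e.seq != i or e.prev_hash != prev_hash or e.digest != expected:
                return False
            prev_hash = e.digest
        return True

    def is_current(self, user: str, policy: str) -> bool:
        """True only when all three steps exist for the policy's current version."""
        return STEPS <= self._steps_done(user, policy, self._current[policy])

    def may_access(self, user: str, gated_by: list[str]) -> bool:
        """Gate a service (e-mail, Internet) on being current with every listed policy."""
        return all(self.is_current(user, p) for p in gated_by)

    def outstanding(self, policy: str, users: list[str]) -> list[str]:
        """Evidence on demand: users who have not accepted the current version."""
        return sorted(u for u in users if not self.is_current(u, policy))

    def history(self, user: str, policy: str) -> list[tuple[str, str, str]]:
        """Evidence on demand: (date, version, step) for one user and one policy."""
        return [(e.when, e.version, e.kind) for e in self._events
                if e.user == user and e.policy == policy]
```

Usage follows the article's sequence: publish the policy, record delivered and quiz_passed for each user as the system shows them the text and they pass the comprehension check, then record acknowledged; outstanding() is the report a line manager or auditor asks for, and may_access() is the gate the ICO guidance describes. Two caveats a practitioner would add: the chain only detects tampering by someone who cannot also rewrite every later record, so the latest digest should be anchored periodically somewhere the ledger's own administrators cannot change (a write-once store or a signed checkpoint), and a real deployment would persist the events rather than keep them in memory.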
Leadership in the areas of information governance and compliance has to come via a top-down approach. Senior management must support the proper policies and procedures and take ultimate responsibility. However, line managers have to implement and enforce them. When they do not have the tools or the gumption to enforce the rules, bad things inevitably happen. Many people— even those in management—shudder when they hear about all the responsibilities required. However, if an organisation is to ensure information protection and compliance, responsibility is required for everyone in the organisation—regardless of role or position within the institution. Compliance with the myriad of financial regulations starts in the boardroom and ends with users. Minimising costs, maximising effectiveness and proving ongoing compliance in a reasonable fashion can be accomplished. It is just a matter of choosing the best way to get the job done and exploring the right tools as well as management ensuring that business priorities are where they need to be.
Article 3: Managing Compliance in Business Today
In today’s world, there is hardly anything in business that is not regulated. The governance and oversight of sensitive information stored, processed, or otherwise handled in a business setting is no exception. It used to be that best practices and best effort were thought to be enough. They really were not, but they were still the accepted norm. We now have compliance to deal with. Regulation after regulation from both government entities and industry bodies affects literally every organisation, both large and small. And compliance with these regulations is not optional. But how do business managers in the UK approach the challenges of compliance whilst maintaining a realistic balance of information risk against the associated costs? Simply put, we have to think about compliance in a new way. It is not a one-time grade or status. Rather, compliance is about changing the way we think about information risks and adjusting our past ways of looking at policy dissemination and enforcement. This, in turn, involves not only changing certain business processes—the procedures and steps required to implement policies—but also looking at ways to automate and enforce them. And it takes more than just the creation of policies and procedures. Cooperation is needed at all levels of the organisation. Senior management is responsible for strategy, line managers have to help with enforcement, and users are the ones who actually have to comply. Business transformation such as this requires change and, as experience has taught us, change increases the likelihood of problems. With this change, the very essence of compliance is put at risk because employees often lack the right knowledge and end up misunderstanding new and evolving policies and procedures. We need a way to minimise errors and prevent oversights that are often avoidable. Proactively managing these changes is the only way to make it work long term. This means changing the way people work and establishing effective processes and control mechanisms, such as automated electronic systems, to help with monitoring and enforcement.
What Compliance Means in Today’s UK Business Environment
In recent years, there have literally been hundreds of new laws passed in the UK affecting information privacy and security. Many of these require the creation and implementation of new policies and procedures. From the Data Protection Act to the Freedom of Information Act to the Regulation of Investigatory Powers Act, UK businesses are bombarded with numerous compliance requirements. If employees do not know what is required of them and do not integrate these behaviours into their daily work, there is room for trouble. In fact, these laws send the clear message that people need to be ‘in the know.’ For example, the Regulation of Investigatory Powers Act states: ‘(2) Conduct is authorised by paragraph (1) of this regulation only if - (c) the system controller has made all reasonable efforts to inform every person who may use the telecommunication system in question that communications...may be intercepted.’
In the same sense, the supplementary guidance to Part 3 of the Employment Practices Data Protection Code issued by The Information Commissioner’s Office states: ‘The capabilities of electronic systems should be used to remind workers of their responsibilities. These can be set so that workers cannot proceed to access the internet or e-mail services without acknowledging the acceptance of certain conditions.’ Even with the multitude of compliance requirements, there is hope. The good news is that there is often overlap between the different laws and their requirements. Frequently, many of these can be integrated into a relatively small set of internal policies—some of which are likely to exist already. It is just a matter of putting them into action. The bad news is that organisations still have to ensure that the right policies and procedures are properly managed on a consistent basis. Organisations want people to agree to follow policies but should not pressure them for acceptance. There needs to be a process by which people may decline a policy for valid reasons. Or they may just need assistance in understanding the requirements. This is how business leaders take compliance beyond the tick in the box and actually start to use compliance requirements to their advantage. That is, they use the policy management process to understand what people are really doing and then proactively adjust policies to meet practical operational demands and thus improve working practices.
Management Concerns
It is one thing to have a set of policies and supporting procedures, but evidencing compliance and being able to show regulatory bodies and auditors that they are actually working is a whole different issue. In fact, this is often a big area of concern for those responsible for policy and procedure oversight. You need to be able to prove compliance with policies and procedures on demand. This means being able to demonstrate that users are aware of current requirements and processes and, specifically, what they have agreed to. However, doing so is not an easy task if you do not have the right systems in place. There is also the problem of avoidable errors. These are errors that occur even when written policies and procedures are in place and seemingly everyone is on board. Often caused by simple oversight and honest mistakes, many of these violations would be preventable if policies and procedures were more consistently and effectively communicated. Furthermore, many managers in IT and HR will readily admit that they do not have the right tools to properly manage compliance and information risks. Managing all the policies and procedures required for adequate information governance manually is very difficult and time consuming. It is practically impossible to do it well because there is no realistic way to keep up with all the checks and balances required. These may include such audit requirements as a list of the people to whom each policy has been communicated, the people who have accepted or declined a policy, random or systematic testing to prove comprehension, and overall compliance reports for management. In fact, with even the most streamlined manual processes, businesses are still unable to meet the latest governance requirements. Factoring in the administrative costs, which have been shown to be around £10 per policy, per version, per user, it is becoming clear that businesses in the UK have to go about this differently.
Another concern is that many people view this business transformation edict and the evidencing of compliance as Big Brother coming in. Well, it is to an extent, but it is also simply where we happen to be in the timeline of doing business in an electronic world. The fact is that we are choosing to work within these parameters and working towards doing what is right in a business environment. That is a relatively simple concept compared with the Big Brother concerns we have in our personal lives. Finally, dangerous assumptions are often made with regard to information assurance and compliance. Security and assurance do not necessarily equal compliance. Likewise, compliance does not always mean that everything is safe and sound. This is why management must take a more structured approach to managing risk, to ensure that all areas involving sensitive business assets are in check.
The Value of Policies and Procedures
Forward-thinking business managers understand the value of getting everyone approaching things in the same way. This is exactly what effective policies and procedures do. They set the expectations of everyone involved. Good policy and procedure documentation outlines ‘This is how we do things here’. Expectations that are properly set are the foundation of a well-run organisation—especially an organisation that manages compliance effectively and reduces information risks through sound business practices. However, when employees do not know about policies or do not truly understand what they are supposed to do, all parties are set up for failure. Furthermore, information risks are introduced and compliance gaps widen. From creation to destruction, sensitive electronic information must be protected. It is not only the right thing to do, it is a requirement that the regulators have their eyes on. Savvy managers know this and understand what it takes to make it happen in business today. This starts with well-written policies and procedures that are implemented effectively and enforced consistently. Those in business who do a good job of managing compliance-related documentation and related processes not only help their own departments but also help every business unit across the organisation. This type of business transformation, aided through policy management automation, not only lowers costs but also contributes to minimising business risks. One of the primary benefits of policies and procedures is to improve overall corporate governance. That is, to help ensure that specific controls are in place so that people and processes are kept in check. This can be demonstrated to regulators and auditors and makes the case that management takes compliance seriously. Policies and procedures also communicate secure practices and spell out how information risks are managed and how compliance is handled within the organisation. Specifically, they alert everyone to what to look out for as well as what to do and not do—essentially spelling out the responsibilities of everyone involved.
Another positive aspect of good documentation that is well communicated is that it strengthens the business’ case in employee-related lawsuits. For example, consider an employee who is fired for violating a company policy and claims the dismissal was unjustified. If management can prove that the employee knew about the policy, understood the policy, and agreed to adhere to the policy, then the business has a stronger legal case. Policies and procedures can also help with compliance and risk management in that they outline the best ways to perform specific internal business processes that have evolved over many years. This minimises errors and oversights and in turn helps raise productivity. Overall, well-managed policies and procedures also benefit the business by minimising upkeep and eliminating duplicated effort.
Problems Associated with the Lack of Proper Enforcement
There is a universal law of business that states people will violate policies and sidestep procedures simply because they can. It does not matter what type of industry the business is in or the quality of its people. Employees can also be lazy, disagree with the rules, or otherwise not buy into them. They may even observe management not enforcing policies or even violating the rules themselves. They just lack the incentive. Can you blame them? There are also the all-too-common employees whose desire to violate policies outweighs their perception of the risks involved. These employees are no doubt doing more risk calculations than their own management—obviously a big part of the problem! Compounding the issue are naïve business managers. There are certain people who assume that just because employees should comply with business policies and their associated procedures, they actually will. Unfortunately, people are not that simplistic. All too often, management does not even understand the information risks and compliance concerns the business is up against. They either do not have the in-house expertise to properly assess information risks and compliance gaps or they have not bothered to outsource to the right expert for the job. In other situations, the policies and procedures that are being pushed on employees are not relevant to the specific user or the context in which the business unit operates on a daily basis. People not only misunderstand what is expected of them but they also do not know what to look out for. Because of a general lack of communication, or the failure of management to properly classify information and how it needs to be protected, many employees are often out of the loop. Often, the wrong person is managing the process. I have seen many situations where a company’s network administrator was the person creating and attempting to enforce policies and implement procedures. I have even seen people in IT being assigned the compliance officer position. The truth is that it cannot be done this way. Even with upper management ‘owning’ the compliance process, I often see very little enforcement of policies in most organisations I’ve worked in. People get busy and complacent. It is also human nature for people not to want to hurt the feelings of their colleagues or even put their jobs in jeopardy. Ultimately, a weaker culture is created and the cycle of non-compliance begins.
I’ve also seen very little follow-up when policy and procedure gaps are identified. Interestingly, many organisations are willing to pay an independent consultant or auditor good money to find out where compliance gaps exist, yet I see over and over again those very businesses not doing anything about the issues once they’re identified. Leadership has to come from the top with management backing policies and procedures and taking ultimate responsibility for compliance. However, it is line managers who bear most of the burden to ensure staff adhere to documented processes. When middle management lacks the tools and/or the gumption to enforce the rules, bad things inevitably happen. Employee priorities get misaligned, they misunderstand the business reasoning behind the policies and procedures, and the lack of respect and trust between employees and management grows. Many people shudder when they hear the word ‘responsibility.’ However, if an organisation is to ensure information protection and compliance, responsibility is required of everyone in the organisation—regardless of role or position.
Getting the Word Out to Users
In the majority of organisations I’ve assessed in my work, most have some form of documented policies and procedures. In many cases, however, I see that employees often have no clue that these exist, much less what they actually mean. Often, basic policies and procedures are included in employee handbooks or referenced on intranet sites, but that is not enough. Compounding the problem, it is rare that anyone in management (IT, HR, or elsewhere) takes true ownership of the policies and procedures in order to keep them properly maintained. The documentation is all too often there to woo the auditors on their annual visit, but there is no real audit trail showing just how the documentation is being managed and whether it is even working. So how do you get the word out to your users about what is expected? It is clear that the old method of documenting policies and procedures in a manual to be placed on a shelf and never referenced again does not work. In order to enhance overall compliance and risk management, a formal method has to be put in place to not only make documentation accessible but also keep it at the top of everyone’s mind. Ignorance is not an option. Proactive notification of policies, enabled by automated policy and procedure systems, is proving effective in ensuring people are aware of current policies and procedures. Get the word out in simple language, in terms that are meaningful to the employee. To ensure consistency, communication should be coordinated by a centralised source such as HR, Audit, or Compliance teams and facilitated by IT. It makes sense for authorised line-of-business managers to retain authoring of procedures that are then approved and automatically disseminated. This can be done using technology to advantage. A centralised solution that provides insight into policy viewing, comprehension and enforcement is the only realistic way to make this work. In the end, you must have the right tools for the job. Every business uses computers and networks in some fashion. Why not use them to advantage for something as important to business success as this?
Once the word is out, you can then use various reminders such as computer screensavers, banner pages on intranet sites, even posters throughout the workplace. The key is to keep these concepts and responsibilities on the top of people’s minds. Use outside trainers and incentive programmes including employee reviews where possible to help boost effectiveness. Rewarding good behaviour for jobs well done in the areas of policy awareness and compliance is much more effective than punishing bad behaviour. Regardless of how you go about keeping information fresh, just make sure it is an ongoing process. Information risk management and compliance are as much a mindset and culture as anything else.
Essential Requirements for Effective Information Assurance
Regardless of industry or line of work, information assurance needs to play a key role in the business. Compliance and the containment of information risks are all about visibility and control. The following list highlights the most effective long-term solutions that any given business can put in place to start making a difference:
• Management taking ownership of compliance and having ultimate oversight of all related policies and procedures.
• Management supporting a risk management approach to information assurance and compliance throughout the organisation.
• Management facilitating the creation of policies and procedures that are reasonable, accurate, and fair given the context in which they are being implemented and enforced.
• Management getting everyone on board by properly communicating what is expected.
• Management funding and supporting the ongoing administration of a proactive approach utilising centralised and automated software for policy management.
• Management sponsoring the periodic review of policies and procedures to ensure they are aligned with business goals and the latest compliance requirements.
• Management supporting the checking and re-checking of compliance. Compliant now does not mean compliant always. The same applies to the understanding of policies and procedures: educate users now and then continually test them to ensure their level of understanding is where it needs to be.
Compliance-related policies and procedures must be created and integrated into the business in the right way. This means choosing and using the right technologies to automate the process wherever possible. Otherwise, such documentation is merely busy work providing advice that no one benefits from—overall a wasted effort for everyone involved. Compliance starts in the boardroom, is monitored by line managers, and ends with users. Minimising costs, maximising effectiveness, and proving compliance in a sustainable and repeatable way can be accomplished. It is just a matter of choosing the right tools for the job as well as management ensuring that business priorities are where they need to be.