Development And Implementation Of IT Compliance Program

Your plan should include the following:
1. Discuss the challenges IT divisions face in achieving regulatory compliance
2. Assess how IT governance will improve the effectiveness of the IT Division to attain regulatory compliance
3. Develop a broad vision, an architecture, and a detailed plan of action that follows a life cycle concept
 

Challenges in IT Compliance Maintenance

The problem encounter is that in the business activities, the members of IT department have no clear regulations to follow and compliance maintenance is missing. It is also determined that proper training is not provided according to standard and regulations, which is resulting in poor compliance levels of the resources and legal obligations for the organization.  

The problem is referred by the following- All the organizations must implement the necessary policies and must approach IT compliance for effectively managing the business activities. It is necessary for the organizations to have policy and control measures; have suitable compliance management; ensure screening of personnel; control assessment; provide training and communication for compliance; for IT controls ensure constant monitoring and auditing; consistently enforce control environment and; prevent and respond to incidents and gaps in IT Controls. Any organization requires these steps for building IT compliance program, which can help to boost the confidence of its business performance (Rasmussen, 2006). Based on this, the project refers to the development and implementation of IT compliance program for an organization, for its IT department to meet the regulatory compliance and standards.

The objective is to determine how to design a Compliance Project with the egulation of HIPPA, Gramm-Leach-Bliley, PCI, Ethical and professional codes of conduct and Sarbanes-Oxley Act, where effective communication for the key regulations to all the members of IT department will be provided. The necessary steps will be defined for maintaining the compliance. The steps to motivate and guide the members in following the regulations will be provided.  

The identified issues and challenges for achieving the regulatory compliance are related to the IT division’s members who are not provided with proper regulation to follow the business activities ("4 Challenges of Maintaining Regulatory Compliance & How To Overcome Them", 2017):

• An effective flow for reviewing the routine processes in the business, for improving the process with new actions is missing.

For this problem, the effective solution is to implement real-time intelligence record system, alerts, charts and notification can benefit. Because, it helps in visualizing the data and helps to automate the requests for the service.

• Unawareness of the legal obligations and risks with respect to non-adherence to the regulations.

This issues can be addressed by designing an easy to follow and organized process. Along with a proper training program that educates key standard, regulations, and methodology that has to be followed.

• Unorganized processes without any standardized measures like routine monitoring of the members is missing.

This problem can be resolved by enforcing a routine monitoring repository with information security (Guzman, 2017).

• The IT department faces problems related to disorganized data in the data retention system. This leads to confidential information risk of both the organization and the customers.  

This problem can be dealt by just prompting access to relevant data with a protected platform (Guzman, 2017).

• Prioritizing the regulatory priorities is missing.

The solution is to re-draft the company policies and procedures. It is necessary to evaluate the current overall compliance program. If, regulatory information management is missing, ensure to mitigate the risks, take advantages of the coming opportunities and maintain compliance.

• Increasing compliance cost (Weinberg, 2011).

Solutions for IT Compliance Maintenance

To cope up with the cost of compliance, following the below mentioned steps can help:

1. Metrics defining: – What will you use to measure the success of your compliance program and the ROI? Examples include legal expenditures and fines that are avoided or reduced and efficiency gains in compliance processes.
2. Baseline setting: It’s difficult to demonstrate improvements without baseline measures, so if you haven’t done so, collect them now.
3. Benchmarking: Benchmark the best practice of the industry.
4. Compliance review: Various company’s compliance must be reviewed.
5. Reviewing and amending the plan and strategies: This helps the business areas to be reviewed and can easily assess its compliance.  

The IT governance can be improve its effectiveness in the IT division, with regulatory compliance by risk assessment (Graham, 2018). The IT Governance experts are required to provide the necessary approval on the IT Compliance Program and must provide assistance its development (Calder & Moir, 2009).

The IT related risk management require the help of IT risk managers, IT compliance managers and IT security managers, where all the managers manage the single role of IT risk manager ("HOPEX IT Risk Management", 2018):

1. Recognize the possible threats and vulnerabilities related to IT assets.
2. Identify and assess the risks for IT applications and its deployment.
3. For applications, identify and assess the IT security controls.
4. Briefly note down the IT control levels and regulatory compliance.
5. Make sure to perform qualitative assessments of IT suppliers. 

The following arguments are important to create the structure of IT governance:

• IT resources must be optimized.
• The risks must be reduced.
• Ensure accuracy and data consistency in routine practices followed by the business.
• Data security.  

Before implementing IT Governance Policy, IT governance structure of the company must be evaluated. The further steps must be taken based on the internal audit report of IT policy. The IT project management must be prioritized. IP plan initiatives must be taken to form an effective IT governance program, which has regulatory compliance (Lobato, 2017).

It is observed that, setting Institutional policy, prioritizing opportunities, taking right decisions, and establishing clear roles can help to improve IT governance (Lobato, 2017).

IT Governance can be improved with the following tips:

• Identification of best practices from research sources like ISACA and ISC2, for peer institutions, for IT governance practice.
• Ensure to accept constructive criticism along with the honest feedbacks related to new IT governance’s feasibility.
• Increasing IT governance awareness with the help of presentations and discussions.
• Ensure to have the required investment, for planning and implementing IT governance.
• By developing IT governance policy the official authority can help the executive management.
• Ensure clarity in the advantages that the IT governance can offer.  

The following are the (Lobato, 2017):

• Sarbanes-Oxley Act: This Act was developed in 2002 and is applicable to all the public companies in the United States of America. The regulation ensures to provide network security and safety of the information that is transmitted via network, for maintaining confidentiality and integrity of information (Chorafas, 2009).
• HIPAA refers to Health Insurance Portability and Accountability Act of 1996 provides protection from privacy of PHI (protected health information) (Happy Grenert, 2002) (Wang, 2013). It also enforces regulation to maintain privacy. HIPAA’s Privacy Rule stresses on saving, accessing and sharing of medical and personal information of the individual. It highlights the national security standards for protecting the electronic data related to health, which is received and maintained i.e., electronic protected health information (ePHI) ("HIPAA Regulations 2018", 2018).
• Payment Card Industry Data Security Standards (PCI) provides protection of credit card information.
• Gramm-Leach-Bliley Act (GLBA), protects nonpublic data such as personally identifiable information (PII).
• The ethical and professional codes of conduct is necessary for compliance for maintaining ethical principles like honesty, professionalism, integrity, professional development and competence among members.

In a process, the risk assessment assists identification and documentation of critical business processes along with the internal controls ("Risk Assessment Maps and Prioritizing Business Processes", 2017). It is important to track the risks related to compliance (Ludwick, 2006).

The IT Compliance is ensuring to take control for protecting the information, along with its storage, security, and its availability. It also works on distributing the data both internally and externally. As a whole it works on protection of data. When it comes to the function of internal compliance, it revolves around organization’s goals, policies and its business structure. When the external compliance is considered it ensures to satisfy the customer or the end user, where both the company and the users are protected against any kind of threats. On the other hand, it stresses on using specialized tools for constant identification, monitoring, reporting, and auditing to maintain compliance ("Maintain, Protect, and Diminish Risk with a Comprehensive IT Compliance Strategy", 2018).   

The regulations discussed in the earlier section are applied for sharing the information and for communication purpose like in network exchange, for payments and card processing, for design and development of financial services and products. It also helps to monitor and review the processes, and the operational activities.

Overview of Regulations and Requirements

The risk assessment unit works on the following:

• Identification of risks.
• Checks the legal entities.  
• Checks the regulators.
• Analyses the jurisdictions.
• Assesses the services and products.
• Assess the business unit or division.
• Evaluates the assessment for confirming the key business activities, for driving the relevant rule’s allocation.

Managing compliance risk management is possible in three steps such as follows - (Minsky, 2013) (Tabuena, 2015):

1. Prioritizing the activities by identifying the high risk areas and combining the required risk assessment for compliance.
2. Make regulatory alerts and updates actionable
3. Business Impact: Connect regulations with policies, impacted business processes and related resources. 

Compliance management ensure the following ("Maintain, Protect, and Diminish Risk with a Comprehensive IT Compliance Strategy", 2018):

• It recognizes the vulnerabilities.
• Provides systems controls and function of application security.
• Ensures quick recovery in case of failure.
• Identifies threats and performs risk assessment.
• Delivers document.
• Facilitates with project management.
• Maintains the ongoing operations.
• Enforces the protection of firewalls, detection of malware and network security.
• Performs auditing logs and does authentication.
• Preforms the root cause analytics to find the root cause.
• Tacks the issues.
• Flexible for change management.
• Provides recovery from disaster.
• Ensure archiving the Email for security.

It is understood that the IT compliance based solution can help the organization in providing the following benefits ("Maintain, Protect, and Diminish Risk with a Comprehensive IT Compliance Strategy", 2018):

1. A standard process, based on IT regulations.
2. It improves the effectiveness of the automated processes' workflow.
3. It increases the investment for the services of IT compliance.
4. Helps to manage IT resources and guarantees accountability.
5. Compliance of best practices is incorporated in the workflow of the processes.
6. It facilitates perfect and accurate reports. 

For managing the IT compliance, it is also important to have effective design coordination, Service level management, risk management, information security has significant role, IT service management is required and continuous service improvement is necessary. Most importantly, the compliance must be reviewed, measured and corrected. It is the duty of the compliance manage to make sure that the standards are followed with the provided guidelines properly. The external legal requirements must also be fulfilled. 

Therefore, the above figure depicts the lifecycle concept for developing and deploying IT compliance process in an organization. 

The vision of the project plan is to design an IT compliance program, with HIPPA regulations. Then, to provide necessary steps for effective communication to follow the key regulations, in the IT division. To define compliance maintenance.

The initial phase includes analyzing, where the risks are analyzed. The compliance for risk assessment is carried out. The indicators of failure in the risk area will be located by analyzing the risks.

The second phase includes initiation. This phase conducts a kick-off meeting for discussing the present issues related to IT compliance and regulations, in the organization. This highlight the important step for the resolution. Various high-level project details are gathered and finalized in this phase. The feasibility study depending on the operational, economic, technical, environmental, and legal aspects are processed.

The results of the feasibility analysis and the project brief prepared in the initiation phase shall be used to plan the project.

The Development plan works on the actions like, for controlling, training, designing policies, monitoring, testing and including surveillance for management of information.

The following are provided by HIPAA regulation ("HIPAA IT Compliance", 2018):

• Workforce compliance is ensured along with guidelines.
• Confidentiality, ePHI availability and integrity is ensured.
• ePHI is protected from unauthorized use and disclosure.
• From hazards and threats the ePHI are protected.
• Provides access control and transmission security (Wang, 2013).
• Ensures audit control and integrity (Wang, 2013).  
• It helps in customization, depending on the organization's needs ("HIPAA IT Compliance - Leading Log Monitoring Software", 2018). 

The implementation phase approaches the top level resources, middle level managers and resources, and operational staff members. The purpose of approaching the mentioned staff is to provide the training to follow the rules and regulation of the newly developed and implemented process. The training session’s information is provided to the senior managers and leaders who are part of IT Compliance program. This program will ensure to educate about maintaining the compliance, then the rewards and benefits for maintaining the compliance levels, next mentions about the risks which can occur because of non-compliance, and finally violation punishments will be briefed out.

Lifecycle Concept for IT Compliance Process Development and Deployment

The program shall be made available on the organization portal and the managers shall be asked to communicate these details to their respective team members.

The compliance program will monitored and tracked according to monthly basis for understanding the success of the implemented program.   

The phase facilitates the organization with accurate documentation of reports. 

Conclusion

Without financial and non-IT compliance, it is impossible to achieve IT compliance. It is observed that the project has successfully completed its compliance with the regulations of HIPPA, Gramm-Leach-Bliley, PCI regulations, Ethical and professional codes of conduct and Sarbanes-Oxley Act. The whole process’s investigation proves that it is important to have effective IT compliance which had aggregate vision and architecture, for achieving the compliance that goes beyond becoming infatuated with a given control framework.   

This project’s investigation encountered that there are 4 types of regulations in compliance for the IT division, they are- Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and PCI. On the other hand, even the ethical and professional codes of conduct are necessary.  However, the final draft is designed in compliance with the HIPAA regulations.

All the necessary steps which should be defined in the project plan for ensuring improved compliance levels based on the standards, key regulations, primary issues, and roles and responsibilities are discussed in the IT Compliance Program. These steps further ensures managing the operational risks and efforts of compliance, by constantly measuring the compliance. 

A simple suggestion is that, IT disaster Recovery strategy and risk assessment process must be incorporated in the project plan.

Moreover, spending more on IT compliance can ensure the business to have security from greater risks in the future. Therefore the project plan is designed and risk assessment for compliance is determined. 

References 

Calder, A., & Moir, S. (2009). IT governance. Ely, UK: IT Governance.

Chorafas, D. (2009). IT auditing and Sarbanes-Oxley compliance. Boca Raton: CRC Press.

Tabuena, J. (2015). Conducting a Practical Compliance Risk Assessment. Complianceweek.com. Retrieved 27 April 2018, from https://www.complianceweek.com/blogs/jose-tabuena/conducting-a-practical-compliance-risk-assessment#.WuMxFdSFNdg

Wang, J. (2013). How do I become HIPAA compliant? (a checklist). Truevault.com. Retrieved 27 April 2018, from https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html

Weinberg, S. (2011). Cost-contained regulatory compliance. Hoboken, N.J.: John Wiley & Sons.

4 Challenges of Maintaining Regulatory Compliance & How To Overcome Them. (2017). OnRule. Retrieved 27 April 2018, from https://onrule.com/blog/4-challenges-maintaining-regulatory-compliance-overcome/

Graham, A. (2018). How to achieve an effective risk assessment. IT Governance Blog. Retrieved 27 April 2018, from https://www.itgovernance.co.uk/blog/how-to-achieve-an-effective-risk-assessment/

Guzman, J. (2017). Five Compliance Challenges Facing Your Organization in 2017. OpenText Blogs. Retrieved 27 April 2018, from https://blogs.opentext.com/five-compliance-challenges-facing-organization-2017/2/

Happy Grenert, R. (2002). HIPAA-compliant configuration guidelines for Information Security in a Medical Center environment. SANS Gateway Arch.

HIPAA IT Compliance. (2018). AllCode. Retrieved 27 April 2018, from https://www.allcode.com/hipaa-it-compliance/

HIPAA IT Compliance - Leading Log Monitoring Software. (2018). Solarwinds.com. Retrieved 27 April 2018, from https://www.solarwinds.com/topics/it-hipaa-compliance

HIPAA Regulations 2018. (2018). Hipaasurvivalguide.com. Retrieved 27 April 2018, from https://www.hipaasurvivalguide.com/hipaa-regulations/hipaa-regulations.php

HOPEX IT Risk Management. (2018). Enterprise Architecture Software for Digital Transformation. Retrieved 27 April 2018, from https://www.mega.com/en/product/hopex-it-risk-management

Lobato, C. (2017). Implementing IT Governance to Ensure Regulatory Compliance. er.educause.edu. Retrieved 27 April 2018, from https://er.educause.edu/articles/2017/4/implementing-it-governance-to-ensure-regulatory-compliance

Ludwick, K. (2006). Tackling risk?based compliance. Journal Of Investment Compliance, 7(4), 61-64. https://dx.doi.org/10.1108/15285810610719961

Maintain, Protect, and Diminish Risk with a Comprehensive IT Compliance Strategy. (2018). Smartsheet. Retrieved 27 April 2018, from https://www.smartsheet.com/understanding-it-compliance

Minsky, S. (2013). 3 Steps to a Compliance Risk Management Approach - Manage Tomorrow's Surprises Today. Ebizq.net. Retrieved 27 April 2018, from https://www.ebizq.net/blogs/chief_risk_officer/2013/04/3_steps_compliance_risk_management.php

Rasmussen, M. (2006). 7 Steps to a Highly Effective IT Compliance Program. Iaonline.theiia.org. Retrieved 27 April 2018, from https://iaonline.theiia.org/7-steps-to-a-highly-effective-it-compliance-program

Risk Assessment Maps and Prioritizing Business Processes. (2017). Info.knowledgeleader.com. Retrieved 27 April 2018, from https://info.knowledgeleader.com/risk-assessment-maps-and-prioritizing-business-processes

Rooke, T., & Evans, I. (2015). Compliance Risk Assessment. Retrieved from https://static1.squarespace.com/static/559fb5d6e4b0b8eb00f70a64/t/55b231d2e4b0f48e249a5fea/1437741522647/W03.pdf