Compliance: Ahead of the game
- SC Magazine, June 2007
Don't sit around waiting for the next piece of legislation. It's better to be adaptable and make general compliance your aim. Rob Buckley reports.
WHAT DO YOU KNOW? A TALE OF TWO EXTREMES
“Blissful ignorance” to “very clued-up” seem to be the two extremes of compliance knowledge encountered by consultants. The pinnacle is dealing with financial services firms.
“Financial services is streaks ahead,” says Dave Martin, lead security consultant at LogicaCMG. “If they don't get it right, they lose their licence to operate.” With the risk of no longer being able to conduct business acting as a suitable stick, many now have compliance officers and entire compliance or risk-management departments constantly monitoring both the state of compliance legislation and the company's efforts to comply with it.
Outside of financial services and other heavily regulated markets, such as government and healthcare, knowledge is far less pervasive, with retail particularly untouched by its effects, according to Iain McLeod, MD of compliance training firm SAI/Easyi. Sometimes particular functions, such as human resources, will know more than others, however, and the degree of knowledge present in start-ups will often vary according to the background of the founders.
Information security professionals have become increasingly aware of the requirements of compliance over the past few years, according to McLeod, and are one of the greatest sources of demand for his company's courses. “The great unwashed are now the senior managers and the frontline employees,” he suggests.
But the days of “blissful ignorance” are fast disappearing, according to Robin Saunders, MD of Netconsent. “Companies are being bombarded by legislation and they're all having to learn what it means in practice.”
CASE STUDY: NORTON ROSE
International business law firm Norton Rose has offices in 19 jurisdictions around the world, so is no stranger to compliance. Although not subject to the same level of regulation as a financial services firm, it became aware some time ago that compliance legislation was likely to become more pervasive and that it would need a more focused approach.
In 2005, the firm hired a head of compliance, Martin Scott. Jeff Joseph, director of IT at Norton Rose, meets with him regularly to discuss how the firm is meeting compliance requirements.
“The company's systems haven't evolved with compliance in mind,” says Joseph. “But we've added elements, such as a compliance engine for the new storage system for tracking documents.” An e-learning system trains employees in requirements and tracks how well they're doing.
With few specific compliance targets to meet, compliance needs are organised project by project rather than by a massive ongoing effort. But with only so much time in the year, meeting compliance needs can still involve giving up another project in favour of a compliance scheme.
Nevertheless, says Joseph, it can be easier to achieve backing for an IT project with the support of the compliance manager. At the suggestion of security consultants from BT and with the compliance manager's backing, the firm is now working towards ISO 27001 certification, something it is well on the way to achieving thanks to the addition of a system that tracks security events and some tweaks to processes.
