Technology for regulatory compliance processes

Microsoft has published a Regulatory Compliance Planning Guide which maps processes to the key regulatory obligations of a business and then suggests Microsoft technology (of course) for performing those processes.

It identifies the key processes as follows:
• Document Management
• Business Process Management
• Project Management
• Risk Assessment
• Change Management
• Network Security
• Host Control
• Malicious Software Prevention
• Application Security
• Messaging and Collaboration
• Data Classification and Protection
• Identity Management
• Authentication, Authorization, and Access Control
• Training
• Physical Security
• Vulnerability Identification
• Monitoring and Reporting
• Disaster Recovery and Failover
• Incident Management and Trouble-Tracking

Even though it refers to US laws and uses only Microsoft resources and products, this is a useful framework for IT managers and compliance officers.

June 27, 2006 in Compliance toolkit, Web/Tech

The Australian Guidelines for Electronic Commerce

The Australian Guidelines for Electronic Commerce were released by the Parliamentary Secretary to the Treasurer on 17 March 2006.

March 23, 2006 in Compliance toolkit, Web/Tech

Impact of software changes on compliance: internal controls

Many compliance functions, especially those related to finances, are embedded in and automated by software.

So how do you ensure that a minor software change doesn't have unintended consequences? Internal controls.

In "Use Best Practices for Keeping Your SOX in Compliance", Niel Robertson discusses the issue in the context of the US Sarbanes-Oxley (SOX) Act, but the principles are general:
1. Each development process related to making a change in a software system needs to be well documented.
2. Require approvals: The three most common approval control points that have emerged in the development process are: feature selection (or prioritization of service requests such as patches), testing signoff, and rollout to production.
3. Auditing: ensure all types of changes are monitored and audited.
4. Testing: The value of testing as an internal control is simple: A test can validate that key financial-related business processes still work as planned.
5. Separation of duties: Separation of duties is the simple concept of sandboxing different users from different parts of a software system. For example, a developer would not be able to sign off on testing for his product.
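As an added illustration of items 2, 3 and 5 above (example code written here, not from Robertson's piece or this post), a small Python change-record checker that enforces the three approval control points in order, refuses a sign-off from the developer of the change, and keeps an audit trail of every decision. The gate names, the sample change and the approver names are constructed for the example.

```python
from dataclasses import dataclass, field

# The three approval control points named in the post, which a change must
# pass in this order before it reaches production (names are assumed here).
GATES = ("feature_selection", "testing_signoff", "rollout")


@dataclass
class Change:
    change_id: str
    developer: str                      # who made the software change
    description: str                    # the documentation the post requires
    approvals: dict = field(default_factory=dict)  # gate -> approver
    audit_log: list = field(default_factory=list)  # every decision, kept or refused


def approve(change: Change, gate: str, approver: str) -> bool:
    """Record an approval at one gate, or refuse it and log why.

    Refusals enforce the post's controls: gates are passed in order, and the
    developer of a change may not sign off on any gate for that change
    (separation of duties).
    """
    if gate not in GATES:
        raise ValueError(f"unknown control point: {gate}")
    done = len(change.approvals)
    expected = GATES[done] if done < len(GATES) else None
    if gate != expected:
        change.audit_log.append(f"REFUSE {gate} by {approver}: next gate is {expected}")
        return False
    if approver == change.developer:
        change.audit_log.append(f"REFUSE {gate} by {approver}: developer of own change")
        return False
    change.approvals[gate] = approver
    change.audit_log.append(f"APPROVE {gate} by {approver}")
    return True


def ready_for_production(change: Change) -> bool:
    """True only when the change is documented and every gate has a recorded approval."""
    return bool(change.description.strip()) and all(g in change.approvals for g in GATES)


if __name__ == "__main__":
    # Constructed sample: a fix to a finance-related calculation.
    chg = Change("CHG-0001", "alice", "Correct rounding in invoice tax totals")
    approve(chg, "feature_selection", "bob")
    approve(chg, "testing_signoff", "alice")   # refused: alice wrote the change
    approve(chg, "rollout", "carol")           # refused: testing not yet signed off
    approve(chg, "testing_signoff", "carol")
    approve(chg, "rollout", "dave")
    print("\n".join(chg.audit_log), "\nready:", ready_for_production(chg))
```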

November 28, 2005 in Compliance toolkit, Web/Tech