"Why should we include 'IT Compliance' verification in our Corporate Governance Plan?"
Government Encouragement -
"How can an IT regulatory audit help bring our infrastructure and business systems into compliance?"
Unbounded Audits
- It can't, and unfortunately, the typical "IT Compliance Audit" stands a good chance of pushing you a little further into non-compliance. This is for two reasons. First, the audit will most likely be "unbounded," in that there will be no formal set of standards or performance criteria against which you will be audited. The audit may be positioned as a review of compliance with a specific regulation, but all of the regulations are far too unspecific to permit a rigorous audit. Your systems will be reviewed in light of the auditor's "interpretation" of the regulation, a speculative process at best, and frequently a segue into follow-on consulting revenues.
Secondly, even a well-designed and well-executed audit will only evaluate compliance performance with respect to one regulation. You will gain little or no information about your IT compliance with the large cohort of other regulations, but you will have documented and auditable evidence of a subset of your IT compliance. This may (and often does) serve as a trigger for other regulatory bodies, when they inspect you, to require additional compliance effort by your IT staff.
"Does this mean that we require multiple audits for compliance with multiple sets of IT regulatory requirements?"
Methodology Focus
- We have good news and better news about this. No, you don't need multiple "IT regulatory compliance audits," and you probably don't need even one, if we can change your organization's focus on the "compliance" problem. Here goes:
The various regulations and laws that govern IT compliance have a lot of commonality in their specific requirements. Basically, they require the confidentiality, integrity, and availability of the information systems and the records included in them. These requirements include effective and demonstrable (translation: "documented") physical and logical access controls. The regulations also frequently require reliable attribution of certain records and / or actions to specific people. Lastly, if a system is to be used for "critical" applications (life sciences, real-time process control, financial transactions, safety & security, etc.), the regulators insist on a rigorous, documented life-cycle development and software / systems testing and quality assurance program.
This commonality of regulatory requirements allows us to change our compliance target from any specific regulation to a Systems and Software Engineering (S&SE) methodology and standards set that fulfills all of the regulatory requirements. Instead of trying to prove compliance on a regulation-by-regulation basis, we can adhere to a "best practices" S&SE methodology, and compliance with ANY regulatory requirement will be a consequential result at no added cost.
"So, you suggest that adopting a 'best practices' methodology that fulfills all of the regulatory requirements and complying with it..."
"Does such a methodology exist?"
"Does it really comply with all of the regulations?"
C3Q™ - Bingo, yes, and yes! In late 1997, The Hollis Group was approached by the VP of R&D Information Systems of a large pharmaceutical manufacturer and asked to develop a solution to this compliance challenge. Working with four life-science companies over the next 30 months, Hollis developed C3Q™ - The Concurrent Computer Configuration Qualification Methodology. C3Q™ is based in large part on IEEE™ standards for software and system development and document management, and C3Q™ includes new art for network infrastructure qualification.
IT operations based on implementations of C3Q™ have been inspected scores of times by a long list of regulatory agencies and dozens of client / sponsor audit teams. In more than 7 years of deployment, C3Q™ has never had a significant finding or observation against the methodology itself. Naturally, since humans are fallible, there have been observations of "You forgot to sign here," or "This document seems to be lost," but even these incidents are infrequent when compared to the typical error and omission rates of other methods. In fact, installations that are qualified to Hollis / C3Q™ audit standards receive a high percentage (20%+) of unsolicited commendations for IT compliance from the auditors and inspectors themselves.
If you'd like to know more about C3Q™, read on or contact us to arrange a presentation of the C3Q™ methodology and its fully developed SOP set, SPRIITS™.