Author: Mayurakshi Ray | Chief Information Security Officer at Aditya Birla Minacs
Ensuring effective governance of regulatory and compliance standards is a key objective for most outsourcing organizations today, both large and small. Businesses need to follow multiple regulatory and statutory standards around information security, data storage and operations risk management. However, the regulations that outsourcing service providers need to comply with vary depending on the nature and country of operation, the source of data and a multitude of other factors.
With the proliferation of a globalized workforce and business models such as offshoring, outsourcing and shared services, compliance standards have become more stringent and rigorous. Many regulatory standards that were country- or region-specific, such as SOX, HIPAA, the Data Privacy Act, GLBA, OFCOM, FTC and PCI DSS, are now mandatory for business processes involving the data or systems they cover, irrespective of the country, region or location where the processes are performed.
GAINING CONTROL OF YOUR ECOSYSTEM WITH EFFECTIVE COMPLIANCE STRATEGIES
The information security framework of leading outsourcing service organizations has matured over the years and the certifications are now taken at an enterprise level. An example is the ISO 27001 standard that helps you design an integrated and comprehensive information security management system that can be implemented across all processes within an organization.
While the most common standards in the information security space are ISO 27001:2005 and frameworks such as COBIT, ITIL and BS 25999, there are many other benchmarks against which compliance is measured and maintained, such as ISO 9001 certification, COPC, CMMi, PCMMi (for select projects) and process/security standards such as URAC and PCI DSS.
To stay ahead of the competition and maintain the highest level of efficiency in all business areas, including performance, security and customer support, outsourcing companies must implement the right security and risk management strategies. Maintaining optimum security and ensuring compliance with industry standards should be an ongoing process, with best practices implemented at every stage of the business.
DEFINING AND IMPLEMENTING AN INTEGRATED COMPLIANCE FRAMEWORK
Even when a security culture has been fully disseminated, managing various certifications across multiple sites with a diverse workforce is a daunting task. It would be difficult for an organization to manage separate certification programs, because each of them would entail a "new" project. Another challenge is the continuous implementation of new standards and programs to meet clients' needs and internal business requirements.
Outsourcing service providers must therefore focus on designing an integrated security and compliance framework—a single repository of all information security policies, procedures and guidelines that have been mapped against different industry regulations and standards. This would not only make it easier for organizations to govern and manage their regulatory structures, but also ensure that the security and privacy standards for all their processes across multiple geographies are in line with the central compliance framework.
Monitoring and reporting parameters will also need to be designed based on the integrated compliance requirements established within the organization. This eliminates confusion and inconsistency, since the same framework and management standards are followed, demonstrated, monitored and reported for every process, irrespective of the certification or external audits being conducted.
For example, at Aditya Birla Minacs we designed an integrated compliance strategy based on our clients' contractual requirements, country-specific regulations, industry best-practice certifications and zero tolerance for information breaches. After this implementation, a process was put in place for the ongoing monitoring of new compliance requirements. As soon as a new clause is identified, it is incorporated into the central compliance framework, so the framework is always updated and enriched with newer solutions in the market.
Implementing such a framework at an enterprise level can improve manageability, deliver significant cost benefits, improve ROI towards managing compliance, and ensure that the best practice standards are always in place!
How do you rate your organization's security management and compliance framework? Do you think an integrated framework will enable better compliance and risk management? Do share your thoughts with us in our comments section.