Applying for and maintaining standards and complying with regulations is not
just a formality or a style statement any more. Any organization that wants to
compete in the global marketplace has to adhere to certain norms. Today,
organizations are obtaining certifications for making their internal processes
more effective, reducing paperwork, and even becoming more environmentally
friendly. That's not all: global compliance has also assumed a whole new
meaning recently. It is now aimed at reducing the clutter created in the IT
infrastructure, mainly caused by having to coordinate between multiple vendors,
managing so many software versions, contracts and their validity dates, and of
course the hardware. Companies have begun to realize that managing the IT
infrastructure is not as easy as it used to be and therefore a certain level of
standardization is imperative.
At the end of the day, organizations want to increase their business, reduce
failure rates and simplify the monitoring of different processes. All this can
be made possible through compliance. In this story, we'll focus on the latest
compliance trends, the need for complying, and much more.
Need and benefits of compliance
There are many valid reasons to go for compliance, which could be different
for different industries. For some industries like banking and finance, it's
required because government regulations demand it. Likewise, those catering to
clients abroad might have to abide by the laws of the foreign countries. Then of
course, there are reasons that would be applicable to any industry. One of them
is to ensure business continuity. If your IT infrastructure is very vast with
lots of equipment, and is growing complex by the day, then you need to ensure
that this complexity is managed properly so that you know what's located where.
Otherwise you're just sitting on a time bomb waiting to explode. The only way to
deactivate this bomb is by making your IT infrastructure become more compliant.
The question therefore arises: what should be done to become more
compliant? For one, there are some internationally accepted standards for IT
infrastructure, which can be followed. Two, look for non-IT standards specific
to your industry. Three, have an objective that you want to achieve with both.
So for IT infrastructure, one objective could be business continuity, and
another could be data security. For non-IT standards, the objective could
be to increase performance and profit, or to gain the ability to fine-tune
your products so that they suit specific customer needs.
Who's responsible for compliance?
As with an ISO certification, should the administrative department be
responsible for maintaining standardization, and will the compliance bodies
'visit' your facility every quarter to boss you around? No. IT compliance should
ideally be handled by a manager (anybody in a managerial position), since it
will involve understanding of relatively complex processes, both organizational
processes and processes exclusive to the certification agency. Alternatively, a
key IT user (which refers to the head of the information department) or a senior
auditor should plan, execute and monitor the compliance.
Global compliance standards
Currently, there are two big standards that the world is following, along
with a few smaller, industry-specific ones. These are COBIT and ITIL. Let's
understand what they're about briefly.
COBIT
The Information Systems Audit and Control Association (ISACA) formulated COBIT
in 1996 with an aim to “research, develop, publicize and promote an
authoritative, up-to-date, international set of generally accepted information
technology control objectives for day-to-day use by business managers and
auditors.” In simpler words, this only meant reiterating the concept of
organizational structure and behavior, to strike the right balance between the
nature of business, the goals of the organization, and the various technical and
non-technical processes involved. COBIT edition 4.1 was released in May 2007.
Among the major add-ons with the new offering are a company's Maturity model
support, simplified goal descriptions, and cascading the relationship between
business, goals and processes.
At a basic level, COBIT features processes across 34 levels, in turn covering
210 control objectives that are part of one of the four domains: Planning and
Organization; Acquisition and Implementation; Delivery and Support; and
Monitoring. And who are these processes targeting? Managers, IT users and
auditors. COBIT aims to provide managers with a foundation upon which IT related
decisions and investments can be based. This in turn is aimed at more effective
and precise decision making, leading ultimately to a strategic IT plan, or in
other words, a roadmap defining the information architecture, acquiring the
necessary IT hardware and software to execute an IT strategy, ensuring
continuous service, and monitoring the performance of the IT system. IT users,
on the other hand, use COBIT's 'defined controls', security, and process
governance, or monitoring. Finally, it helps auditors identify IT control issues
within a company's technology infrastructure (www.isaca.org/COBIT.htm).
ITIL: going local
Along similar lines is the Information Technology Infrastructure Library (ITIL),
which positions itself as a 'customizable framework of best practices designed
to promote quality computing services in the Information Technology sector.'
Interestingly, ITIL has long been the de facto international standard
for IT Service Management.
Currently in its version 3, ITIL has recently adopted an integrated service
lifecycle approach to IT Service Management. Another interesting fact is that
like its predecessors, ITIL v3 is formulated as chapters of a book, with
specific volumes on service strategy, design, transition and operation. In
addition, the entire content is available also in Hindi and Urdu, besides
Arabic, Dutch and other languages. The availability in Hindi is being slated by
experts to be a major propellant for companies working in domestic, local
language markets, and SMBs to be encouraged to adopt international standards.
ITIL has an interesting system of qualification and appraisal. There are four
levels: the Foundation level, the Intermediate level, the ITIL Diploma and finally
the Advanced Service Management Professional Diploma. Each of these stages comes
with a 'syllabus' where the 'candidate' has to apply, earn credits and graduate
from one stage to the next. More information can be found at
www.itil-officialsite.com/home/
Rest of the gang
Besides these, there are specific international standards
catering to specific components of business. An ideal example is BS 7799, an
international security standard, which allows an organization to understand and
measure threats, understand the nature of potential threats and vulnerabilities,
and how they would impact the business it performs. Its aim is also to safeguard
information security assets and to ensure that 'controls' are in place to manage
any subsequent risk. Third party certification bodies such as BSI, DNV, BVQI,
STQC and KPMG offer this certification on demand. In its latest edition, BS
7799 follows a PDCA model, which stands for Plan, Do, Check, Act. Plan refers to
creating the basic blueprint, Do corresponds to implementing the standard,
Check means monitoring and reviewing the Plan, and Act refers to maintaining and,
more importantly, improving the structure of the standard according to the
unique needs of the business that is getting 'standardized'.
Looking ahead
Compliance experts believe that for the next few months, standardization and
ensuring compliance will happen voluntarily from companies, and will not really
be forced down by the government. Nilesh Kumar, a compliance analyst says, “More
than anything, COBIT, BS 7799 and the rest are aimed at structuring the business
for an enterprise, irrespective of size and nature of operation. It is like the
CFC-free refrigerators. Half of us have already switched over to the
new-generation refrigerators before the government has banned the old ones.
Compliances at the IT offices can be expected to fall into place more as a
voluntary effort to streamline processes. True, governments sooner or later will
pass the buck of maintaining security and safeguarding IP etc on to the
companies, but the current trend does not indicate that too many companies, at
least not the big ones, will wait for a rule to be thumped down on them.”
Currently, the US and the UK have various laws and regulations in place
pertaining to intellectual property, privacy and copyright, such as the Health
Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA),
and many more. Companies based there have to comply with these laws, depending
upon the industry they serve. Some countries have extended these standards even
to offshore vendors, who compulsorily have to meet the standards of the
companies they are representing. Non-compliance with these laws attracts both
civil and criminal penalties.
Scene in India
Specifically in the Indian scenario, compliance standards are expected to remain
generalized for a while to come. This means that there will be a broad need and
conscious effort to conform to a particular set of rules, and these rules will be
independent of particular segments of business. Nilesh explains, “Unlike other
aspects of business that start small and expand over a period of time,
compliance is something that starts at a very broad level, and fine-tunes itself
as per the requirements of a particular industry. Furthermore, if it is an
industry like retail or banking, where big money is involved, the governments
and financial bodies like the Reserve Bank of India will look to have a grip on
the cash flow, unless a compliance level is met. In other words, a day will soon
come when the RBI in all probability will refuse me a loan if I have not met an
international standard within my business model.”
And what does the government gain in return? A high level of simplicity and
easy monitoring of the businesses, ease in trade with other countries since
'them' and 'us' will be following the same process model, an unavoidable
transparency in finance operations, besides a huge reduction in data management
risks. The world has started conforming to these laws, and there is nothing
really that is preventing your company from doing the same. Visit any of the
sites mentioned in this article and join the game in a global business
playground.