
Considering the future of compliance at Compliance Decisions

The Compliance Decisions Summit taking place in Newton, Mass., got off to a great start this morning. Eric Holmquist and Richard Mackey both provided deep, engaging presentations on “future-proofing” an organization against compliance challenges and managing third-party risk.

Over the course of the morning, we posted to Twitter on our ITCompliance account more than 40 times, in lieu of a single blog post. As we noted to @cmneedles, #CSD09 is the hashtag we’ve chosen to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s weekly digest of compliance headlines from Twitter.


Breakfast & registration in Newton, MA at Compliance Decisions. We’ll be live-tweeting the talks, starting at 9AM.

Kelley Damore, Ed. Dir for the #TTGT Security Media Group, kicks off #CSD09 by noting recent data breaches at Hannaford, TJX & Heartland.

Damore notes the breadth of compliance challenges: health, financial & proprietary data must all be secured with auditable processes.

Future-Proof Your Compliance Session

Eric Holmquist is up, explaining how to future-proof a compliance program vs. new regulations, including mitigating risk & GRC best practices.

“Compliance management is one aspect of risk management. It’s about risk alignment. It’s never about checklists.” -Eric Holmquist | #CSD09

“Every version of regulatory guidance around risk management boils down to three things: awareness, accountability & actionability.” #CSD09

Risk management boiled down to a continuum: Inherent Risk -> Controls -> Residual Risks | Compliance doesn’t just rest in controls. | #CSD09

“The 4 most important words for improving a compliance program: What could go wrong?” -Eric Holmquist | #CSD09

RT @scotpe 99% of compliance failures are because “somebody did something stupid” | #CSD09 [Key to plan for people being people]

Key elements of an effective compliance program: subject matter expert, compliance committee (real or virtual), control library | #CSD09

More key elements of an effective compliance program: documentation, risk-aware culture, incident response team, wrap-around analysis #CSD09

Eric Holmquist is reflecting on the details of how Advanta implemented an effective compliance program. Gap analysis & visibility key #CSD09

“No regulation is only relevant to IT. There is a business component to every single one.” -Eric Holmquist | #CSD09

“We set the bar at a risk management & governance level. Regulatory guidance, frameworks & standards are a test.” -Eric Holmquist | #CSD09

#GRC best practices: leverage existing processes & map them, focus on risk, secure executive sponsorship, use control libraries | #CSD09

“The costs of #ediscovery are staggering. Get a data retention program for email done. Now.” -Holmquist | #CSD09

PrivacyProf: A related issue is retention of full email threads; possibility of changes in early thread msgs likely creates ediscovery issues (Reply from contributing expert Rebecca Herold)

What does Holmquist see in the future for compliance? More infosec & BCP challenges, updates to PCI & state data protection laws. | #CSD09

Good question from the audience on email retention: What’s too much, too little? Establishing which emails = official documents is key. #CSD09

Sponsored Session from Symantec

Ethan Kelleher up from #Symantec to speak to their approach & notes support for an online resource: | #CSD09

We’re listening to a live “message from our sponsor” ( #Symantec) regarding version 9.0 of their Control Compliance Suite (CCS). | #CSD09

Managing Third-Party Risk

Richard Mackey now up at #CSD09 on managing third party risk. #Video on building a framework-based #compliance program:

An IT guy here at #CSD09 is especially interested in the MA data protection law. Our podcast w/state: (free reg. req.)

Mackey talking about impact of regulatory project requirements on service providers. If they handle regulated info, compliance is key #CSD09

Mackey notes that “standards like ISO 27002 & #COBIT describe lifecycles that can be applied to service providers” | #CSD09

“The first step in understanding risk is understanding the information shared.” -Richard Mackey | Data mapping & tools help. | #CSD09

“FFIEC, PCI & GLB all require due diligence in assessing provider controls. Depth should correspond to risk.” -Richard Mackey | #CSD09

“When evaluating service providers for compliance, establish rules for evaluations. View them as a partnership.” -Richard Mackey | #CSD09

“Most regulations require YOU to be the regulator of service providers.” PCI, HIPAA & GLB all require co.’s to ensure compliance. #CSD09

“Standards-based assessments, like ISO 27002, are useful tools. Consumers of the reports, however, must understand what results mean” #CSD09

Key questions when a #CIO receives a compliance report (SAS 70, ISO, etc): Scope of assessment? Metrics used? Control objectives? | #CSD09

When conducting #compliance assessments, concentrate on risk, avoid generic assessments & focus on consistency/operational #security. #CSD09

Mackey continues to focus on associate, partner & service provider #compliance; frequently mandatory but potentially overlooked. #CSD09

IT is critical to service provider #compliance: firewalls, VPNs, intrusion detection, encryption, scanners & data loss prevention | #CSD09

Excellent seminar on third-party risk management for meeting compliance by Richard Mackey. Video will be available later this month. #CSD09

We’ll be posting more to Twitter this afternoon when Holmquist presents again, this time on a “Risk-Based Approach to Information Security Governance,” and Laurence Anker talks about “Managing the Cost and Complexity of Compliance through Governance.”
