When I hear the phrase "compliance workflow," I always think back to my days as a product-quality consultant. In many ways, the objectives of each are identical in both scope and objective.
However, these terms also make most people cringe, as they evoke images of pain and ardour for the staff. This is usually based on experience with poorly managed quality- or compliance-process implementations. There are, in fact, thousands of examples of where quality done right has saved entire industries. By most accounts, American automakers are undergoing a resurgence due in large part to their quality-improvement programs. So why not view compliance workflow in the same manner?
I view compliance mandates simply as leverage to ensure that enterprises implement the security controls that should be in place anyway. For example, the Federal Financial Institutions Examination Council FFIEC standard requires two-factor authentication for financial institutions. This mandate protects customers and minimises risk to organisations. Despite the effort that many enterprises had to undergo in order to become compliance, the end result benefited everyone.
So compliance workflow then simply ensures that all customers, new and old, receive a baseline level of protection against identity theft, data exposure, etc. Let us begin our review of this workflow process with two classic examples: COBIT and the Deming PDCA Cycle.
The workflow
The COBIT model began in 1996 as the brainchild of the ISACA organisation. Its stated purpose is to provide a framework for IT governance. This framework is comprised of four control objectives, which draw comparisons with the product-quality world. The objectives are:
- Plan and organise -- Determine the strategy of how the security organisation will meet business and compliance objectives;
- Acquire and implement s- Identify and implement compliance (and security) technologies, processes and procedures based upon your strategy;
- Deliver and support -- Enable the organisation to actively use the compliance controls implemented;
- Monitor and evaluate -- Make use of the feedback mechanism driven by the auditing process.
Now notice how similar these objectives are to the classic quality model pioneered by Deming:
- Plan -- Plan for quality;
- Do -- Implement the controls;
- Check -- Audit the process;
- Act -- Act on the audit results found and repeat the process.
Both models offer feedback mechanisms to ensure compliance with existing controls and continuous improvement in design and operation. Thus both provide models for compliance workflow.
The compliance auditors
Now that we have established the similarities, we need to know how a compliance workflow process functions in an everyday operational environment. This is where auditors become valuable assets. If we know what auditors are looking for, we can improve our controls accordingly.
Compliance auditors like to see well-documented processes and procedures being used within an organisation. (The rule of thumb for processes usually is if it's not documented, it doesn't exist.) They look for good management practices such as planning, monitoring and reporting. They look for continuous operational monitoring and supervisory review of key reports and audit results. A consistent adherence to policies by all levels of the organisation -- and senior management action when policies are not being followed -- is a key component of an auditor's review. Lastly auditors look for a balanced focus on both long- and short-term objectives and results.
While the details vary between audit types, compliance workflow programs generally include three broad areas within the organisation:
- Management (or organisational) controls
- Operational controls
- Technical controls
Within each of these sections, various subsections are reviewed based upon the controls above. For example, we might consider the "change and configuration management" subsection of the program. Management controls looks at whether an organisation has well-documented policies and procedures for these areas, and if they are being updated regularly. Operational controls review the change control process for the policies and procedures. The actual monitoring process for change and configuration management is reviewed to ensure an accurate accounting of changes made. Lastly, technical controls being audited include items such as any automation made to ensure consistency in how changes are made to systems. This, in particular, is a fast-growing segment of the security industry. These tools assist organisations in doing things in a consistent fashion.
Other areas under an auditor's review include access controls, logging/reporting, documentation, system maintenance and incident response. All are reviewed according to management, operational and technical controls.
These areas then make up the compliance workflow framework. These are the areas to review and revise continuously. It is, in fact, a product-quality cycle with a regulatory viewpoint. But this workflow also provides real benefit to the organisation by ensuring a continuous improvement system is applied across the landscape.
Conclusions
Compliance workflow is little different from the product-quality process. It serves as the feedback cycle for an enterprise's normal compliance operations. While compliance is generally viewed strictly as a cost to the enterprise, it should not be so. It is the process by which companies ensure that they are actually providing the security services they should have been doing all along. When used correctly, the compliance workflow process provides a highly valuable service to the organisation. One has only to look to the quality world to view the positive impact the "continuous improvement" movement has on the quality of goods and services today. Compliance workflow programs should be no different.