Wednesday, June 27, 2012

The Compliance Consensus

Per my previous blogs about the Summer of Compliance, we completed our multi-week joint IS/Compliance planning effort today.

To recap, first we listed regulatory and compliance risks and the policies/technologies needed to mitigate them. We then assigned these projects to three work teams to prioritize, estimate level of effort, and assign risk scores.

We then examined the total costs necessary to complete the prioritized projects.

The end result was that we identified 55 projects with $7.8 million in capital costs. Our FY13 capital budget for security/compliance related projects is $4.2 million, so we had to reduce the list of projects by $3.6 million.

Malware controls emerged as the highest priority, followed by mobile device encryption. All projects related to these general categories will be done first.

Other key items are data loss prevention for emails sent to commercial email providers, blocking of cloud storage services, restriction on outbound internet traffic (machines sending data to unauthorized organizations), and adaptive authentication.

Items to consider deferring due to capital expense include additional e-discovery infrastructure, network access control technologies, and enterprise mobile device management applications. These are desirable and will likely be done next year.

The end result of this exercise: a jointly agreed-upon list of priorities, budgets, and timelines for compliance work over the next year.

With a mutual understanding of the time, scope, and resources, we can triage any new requests from the perspective of the work we've already agreed to do. Given that time and resources are fixed, adding scope means taking something off the list.

I look forward to the year ahead and the policy/technology work needed to ensure we not only follow standard practices, but best practices.


chale99 said...

Hi John,

How did you come up with the compliance budget for 2013? It seems you came up with the budgetary number before you had a full understanding of everything you wanted to perform in compliance. Did you arbitrarily choose 33% of your capital budget and dedicate this to compliance? Or had you performed a risk analysis that showed you required XYZ amount of work to mitigate security concerns?

I'm trying to educate my clinic with reasonable levels of compliance budgets not only to keep up with compliance standards but also to catch up to present compliance levels. I want to base these standards and budgets on industry standards (and try to lean towards basing our standards on organizations with a "culture of compliance").

Thanks for any help on developing a methodology.


John Halamka said...

We ran a series of multidisciplinary retreats to rank 55 proposed projects by risk, cost, level of effort, and user impact. The capital budget was based on this analysis and a consensus of what we could actually get done in a year.