Does Your Organization’s ERM Software Have All Crucial Specifications?

Achieving a secure business environment, meaning a work culture that backs proactive risk management and accurate risk decision making, is the stepping stone toward reaching an organization's risk management goals. To get there, you need an efficient enterprise risk management (ERM) software system that reflects the intricacies of your business.

There are many ERM software products on the market, but you need to pick the one solution that meets the ERM requirements of your enterprise. The ERM software you choose should turn risk intelligence into support for your decisions.

Here are the crucial features you should be looking for in your ERM software:

Absolute integration
Risk management architecture plays a major role in integration. There is plenty of data pertaining to risk identification, assessment and management, documentation, operations and execution, testing, audit management, report generation, controls and solutions, and IT support. They have to be synchronized under one platform. An application that provides a central source for risk documentation, which includes risks, processes, entities, controls, tests and results, is ideal for a well-coordinated work setting. Boards and management largely rely on these reports to make business decisions. Only an integrated ERM platform can provide accurate data to support decision-making practices.

Software that embraces plan and strategy
Adopt an ERM tool that is designed to embrace business goals and objectives, regulatory norms, workflow, specific industry functions, and the best practices of your organization. The design should be equipped with automated monitoring and compliance report generation, as you need to be prompt in identifying, analysing and responding to risks.

Event tracking and point of origination
Event tracking wins a significant brownie point for ERM applications. You can use loss event tracking to track loss incidents and near misses, record amounts, and identify root causes and ownership. It helps in validating the risk profiles of business units.

An ERM platform should be capable of taking you through the event sequences and timeframes, and should independently detect the source of risk origination. It should be programmed to expose the vulnerable areas of an organization and pinpoint risk triggers and catalysts. That enables you to carry out risk mitigation treatments with a definitive approach.

Scenario analysis
ERM software should be programmed to examine the business environment, from prominent past events to changes in the current market, and build an extensive record of scenario analyses. Impending risks indicated by real-time events should be charted for analysis and mitigated.

Loss prediction
The platform should empower you with information on expected future losses for individuals, each business unit, a group of entities, as well as the entire organization.
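Taken together, the loss event tracking and loss prediction features described above reduce to a simple calculation: how often a business unit actually suffers a loss, multiplied by how much each loss costs, compared against what the unit claimed in its own risk profile. The following Python is an added example and is not code from the article or from any ERM product; the event ledger, the self-assessed figures, the three-year observation window and the 50% tolerance are all constructed assumptions chosen to illustrate the idea.

```python
"""Loss event ledger -> expected annual loss per business unit.

Added example, not from the original article. Every event record, the
self-assessed risk profile, the observation window and the tolerance are
constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class LossEvent:
    unit: str          # business unit that owns the event
    root_cause: str    # identified root cause
    owner: str         # who owns remediation
    amount: float      # realised loss; 0.0 for a near miss
    near_miss: bool = False


# Constructed sample ledger covering a three-year observation window.
OBSERVATION_YEARS = 3
EVENTS = [
    LossEvent("payments", "phishing", "cto", 120000.0),
    LossEvent("payments", "phishing", "cto", 80000.0),
    LossEvent("payments", "misconfiguration", "ops", 0.0, near_miss=True),
    LossEvent("payments", "misconfiguration", "ops", 45000.0),
    LossEvent("hr", "lost_laptop", "hr_head", 15000.0),
    LossEvent("hr", "lost_laptop", "hr_head", 0.0, near_miss=True),
    LossEvent("hr", "lost_laptop", "hr_head", 0.0, near_miss=True),
]

# Constructed self-assessment: the expected annual loss each unit *claimed*
# in its risk and control self-assessment.
SELF_ASSESSED_EAL = {"payments": 40000.0, "hr": 20000.0}


def expected_annual_loss(events, years):
    """Frequency x severity per business unit.

    Frequency counts realised losses per year (near misses are recorded
    but carry no loss); severity is the mean realised amount.
    """
    realised = defaultdict(list)
    for ev in events:
        if not ev.near_miss:
            realised[ev.unit].append(ev.amount)
    return {
        unit: (len(amounts) / years) * mean(amounts)
        for unit, amounts in realised.items()
    }


def root_causes(events, unit):
    """Count events, near misses included, by root cause for one unit.

    Near misses are deliberately counted here: a cause that keeps almost
    producing a loss is a risk trigger even before it costs money.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev.unit == unit:
            counts[ev.root_cause] += 1
    return dict(counts)


def validate_profiles(events, self_assessed, years, tolerance=0.5):
    """Compare observed EAL with the self-assessed figure per unit.

    A unit is flagged as understated when observed loss exceeds the
    claimed figure by more than `tolerance` (default 50%, an assumption).
    """
    observed = expected_annual_loss(events, years)
    findings = {}
    for unit, claimed in self_assessed.items():
        obs = observed.get(unit, 0.0)   # a unit with only near misses has 0.0
        findings[unit] = {
            "claimed": claimed,
            "observed": obs,
            "understated": obs > claimed * (1 + tolerance),
        }
    return findings


if __name__ == "__main__":
    for unit, finding in validate_profiles(
        EVENTS, SELF_ASSESSED_EAL, OBSERVATION_YEARS
    ).items():
        print(unit, finding, root_causes(EVENTS, unit))
```

With the constructed ledger, the payments unit has three realised losses in three years averaging about 81,667, so its observed expected annual loss is roughly double the 40,000 it self-assessed and it is flagged; HR's single 15,000 loss over three years comes to 5,000 a year, well inside its claimed 20,000. The root-cause counts show why near misses are worth recording: misconfiguration in payments has as many events as phishing even though only one of them cost anything yet.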

Risk and control self-assessment
The ERM platform should enable all business units to participate in risk and control self-assessment processes. A comprehensive operational risk profile of the enterprise can be derived using this approach. Identifying and evaluating risks and assessing the controls are important for risk management. The solutions should follow up on control measures and evaluate their success or failure rate. Thus, a risk and control self-assessment feature helps you enhance the control environment.

Risk library
Having a risk library facilitates future efforts for risk identification.

Key risk indicators (KRIs)
Your ERM application should have the ability to set KRIs taking into account the risk appetite and risk threshold of the enterprise.

Flexible configuration
Risk landscapes change constantly. New risks emerge from the latest tools and technology used by enterprises, so risk profiles, risk appetite, KRIs and other disciplines will fluctuate. A flexible ERM solution is indispensable in the current business environment. Moreover, the continuing stream of regulatory reforms and policies can be incorporated only if the software solution is built with a flexible approach.

Purchasing the most expensive or the best brand’s ERM software solution may not help your risk management objectives. Look at features in detail and check how they fit with your risk management framework and assessment techniques.

Mohammed Nasser Barakat
Partner at CAREWeb and BRS Service Line Leader for the ME region

[ISACA]

Cybersecurity Jobs are in High Demand; Got what it Takes?

With security attacks dominating news headlines, it’s no secret that global cybersecurity professionals are in high demand. According to the (ISC)² 2013 Global Information Security Workforce Study, two out of three C-level respondents reported security staff shortages. The lack of skilled and qualified information security professionals is having a negative economic impact, with 56% of respondents saying the staffing shortage is causing a huge impact on their organizations.

The call to action is clear: We need a global call to arms within academia to develop enough talent to fulfill this critical industry need. I’ve certainly heard the call loud and clear at the (ISC)² Foundation. In fact, this is one of the key reasons that we developed the Information Security Scholarship program, and also why we continue to look for partner organizations to help fund additional scholarship programs. We are making a direct impact on the global staffing crisis in information security by bringing more people into the information security field.

A multitude of Information Security Scholarships are offered year-round through the (ISC)² Foundation. In fact, the application period for our Undergraduate and Graduate Scholarships just opened. Students can apply for an Undergraduate or Graduate Scholarship now through June 17, 2015. Our Women’s Scholarship and Faculty Exam Voucher application periods are open through March 31, 2015.

I’m honored to have the privilege of offering students an opportunity to afford an education through the (ISC)² Foundation. They will go on to join a global workforce that desperately needs top talent to protect our most critical information, systems and networks. Here’s what some of our previous recipients had to say about how receiving a scholarship from the Foundation positively influenced their education and ultimately, their lives:

Anna Truss, Turkmenistan (Graduate Scholarship recipient)

“I’ve been through a lot of challenges throughout my life to get to where I am now, and getting this scholarship will definitely help me achieve my goals in life. One of my many goals is to receive a Master of Science degree in cybersecurity. This scholarship, for me, is not the end, but rather the beginning of a brighter future.”

Dulce Gonzalez, Mexico (Undergraduate Scholarship recipient)

“This scholarship is a wonderful reminder to me that good things do happen to good people. This scholarship is a reminder of the endless possibilities out there for me. Being a first generation college student has been a struggle but now I am more motivated than ever to follow my dreams and conquer my goals.”

These and so many other students are provided with an opportunity to go to college because of generous donations from the public and partner organizations. If you would like to make a personal contribution to help students like Anna and Dulce, you can make a tax-deductible (for those in the U.S.) donation at: https://donatenow.networkforgood.org/isc2cares.

So the question is, do you have what it takes to become an information security professional? Or do you know someone who is trying to earn a degree in this growing field, but cannot afford it? Please help us spread the word of this enriching program to help students realize their dream of a college education. The protection of the future cyber world is counting on it.

-Julie Peeler, Director, (ISC)² Foundation

[(ISC)² Blog]

15 Top-Paying Certifications for 2015

John Hales, Global Knowledge VMware, SDN, and SoftLayer instructor, A+, Network+, CTT+, MCSE, MCDBA, MOUS, VCP, VCAP, VCI, EMCSA

Introduction

To gain refined skills and expertise and to increase pay, many IT professionals choose to pursue a certification.

Based on the findings of the 2015 IT Skills and Salary Survey conducted by Global Knowledge and Windows IT Pro in the fall of 2014, I’ve compiled a list of the 15 top-paying certifications for 2015. Certifications in IT security, networking, and systems management are at the top of the certification pay scale. What may surprise you are the business-related certifications holding their own on this year’s list.

The rankings are derived from certifications that received the minimum number of responses to be statistically relevant. Certain certifications pay more but are not represented due to their exclusive nature. Examples include Cisco Certified Internetwork Expert (CCIE) and VMware Certified Design Expert (VCDX).

With each certification, you’ll find the average (mean) salary and a brief description.

The IT Skills and Salary Survey is a nationwide survey. Variations exist based on respondents’ work location, years of experience, and company type (government, nonprofit, etc.).

1. Certified in Risk and Information Systems Control (CRISC)

$119,227

The nonprofit group ISACA offers CRISC certification, much in the way that CompTIA manages the A+ and Network+ certifications. Formerly, “ISACA” stood for Information Systems Audit and Control Association, but now they’ve gone acronym only.

The CRISC certification is designed for IT professionals, project managers, and others whose job it is to identify and manage risks through appropriate Information Systems (IS) controls, covering the entire lifecycle, from design to implementation to ongoing maintenance. It measures two primary areas: risk and IS controls. Similar to the IS control lifecycle, the risk area spans the gamut from identification and assessment of the scope and likelihood of a particular risk to monitoring for it and responding to it if/when it occurs.

Since CRISC’s introduction in 2010, more than 17,000 people worldwide have earned this credential. Because of the demand for people with these skills and the relatively small supply of those who have them, CRISC is the highest-paying certification on the list this year.

To obtain CRISC certification, you must have at least three years of experience in at least three of the five areas that the certification covers, and you must pass the exam, which is only offered twice a year. This is not a case where you can just take a class and get certified. Achieving CRISC certification requires effort and years of planning.

2. Certified Information Security Manager (CISM)

$118,348

ISACA also created CISM certification. It’s aimed at management more than the IT professional and focuses on security strategy and assessing the systems and policies in place more than it focuses on the person who actually implements those policies using a particular vendor’s platform.

More than 24,000 people have been certified since its introduction in 2002, making it a highly sought-after area with a relatively small supply of certified individuals. In addition, the exam is only offered three times a year, making taking the exam more of a challenge than with many other certification exams. It also requires at least five years of experience in IS, with at least three of those as a security manager. As with CRISC, requirements for CISM certification demand effort and years of planning.

3. Certified Information Systems Security Professional (CISSP)

$110,603

Offered by the International Information Systems Security Certification Consortium (ISC)², CISSP is designed to provide vendor-neutral security expertise, similar to the certifications ISACA offers. Launched in 1994, CISSP consists of an exam based around ten different areas in computer security, including risk analysis, cloud computing, security when developing applications, mobile, cryptography, physical security, business continuity and disaster recovery planning, and legal and compliance issues.

CISSP candidates must have at least five years of full-time experience in at least two of the ten areas tested. If you don’t have the work experience, you can earn an Associate of (ISC)² designation while working toward the full certification.

CISSP certification has a broad focus, covering many areas in a single certification. There is also a requirement to earn Continuous Professional Education (CPE) credits every year to remain certified. There are nearly 96,000 CISSPs worldwide, with approximately two-thirds of them in the United States.

4. Project Management Professional (PMP®)

$109,405

The fourth highest paying and the first that is not security related, the PMP certification was created and is administered by the Project Management Institute (PMI®). It is the most recognized project management certification available. There are more than 630,000 PMPs worldwide.

The PMP certification exam tests five areas relating to the lifecycle of a project: initiating, planning, executing, monitoring and controlling, and closing. PMP certification is for running any kind of project, and it is not specialized into sub types, such as manufacturing, construction, or IT.

To become certified, individuals must have 35 hours of PMP-related training along with 7,500 hours of project management experience (if they have less than a bachelor’s degree) or 4,500 hours of project management experience with a bachelor’s or higher. PMP certification is another that requires years of planning and effort.

5. Certified Information Systems Auditor (CISA)

$106,181

The fifth highest-paying certification is also from ISACA, and this one is for IS auditors. CISA certification is ISACA’s oldest, dating back to 1978, with more than 106,000 people certified since its inception. CISA certification requires at least five years of experience in IS auditing, control, or security in addition to passing an exam that is only offered three times per year.

The CISA certification is usually obtained by those whose job responsibilities include auditing, monitoring, controlling, and/or assessing IT and/or business systems. It is designed to test the candidate’s ability to manage vulnerabilities, ensure compliance with standards, and propose controls, processes, and updates to a company’s policies to ensure compliance with accepted IT and business standards.

6. Certified Scrum Master

$101,729

Another project management-related certification to make the list this year, Certified Scrum Master was originally focused on software application development. Today it is often applied to many areas outside development.

Scrum is a rugby term; it’s a means for restarting a game after a minor rules violation or after the ball is no longer in play (for example, when it goes out of bounds). In project management, Scrum is a process designed to act in a similar manner for projects in which a customer often changes his or her mind during the development process, common in many courseware, programming, manufacturing, and similar projects.

In traditional project management, the request to change something impacts the entire project and must be renegotiated, a time-consuming and potentially expensive way to get the changes incorporated. There is also a single project manager.

In Scrum, however, there is not a single project manager. Instead, the team works together to reach the stated goal. The team should be co-located so members may interact frequently, and it should include representatives from all necessary disciplines (for example, in software design, developers, product owners, experts in various areas required by the application, etc.).

Where PMP tries to identify everything up front and plan for a way to get the project completed, Scrum takes the approach that the requirements will change during the project lifecycle and that unexpected issues will arise. Rather than holding up the process, Scrum takes the approach that the problem the application is trying to solve will never be completely defined and understood, so team members must do the best they can with the time and budget available and by quickly adapting to change.

So where does the Scrum Master fit in? Also known as a servant-leader, the Scrum Master has two main duties: to protect the team from outside influences that would impede the project (the servant) and to chair the meetings and encourage the team to continually improve (the leader).

Certified Scrum Master certification was created and is managed by the Scrum Alliance and requires the candidate to attend a class taught by a certified Scrum trainer and to pass the associated exam. There are fewer than 3,000 Certified Scrum Masters.

7. Cisco Certified Design Associate (CCDA)

$99,701

Cisco’s certification levels are Entry, Associate, Professional, Expert, and Architect. Those who obtain this Associate-level certification are typically network design engineers, technicians, or support technicians. They are expected to design basic campus-type networks and be familiar with routing and switching, security, voice and video, wireless connectivity, and IP (both v4 and v6). They often work as part of a team with those who have higher-level Cisco certifications.

To achieve CCDA certification, you must have earned one of the following: Cisco Certified Entry Networking Technician (CCENT), the lowest-level certification and the foundation for a career in networking; Cisco Certified Network Associate (CCNA) Routing and Switching; or any Cisco Certified Internetwork Expert (CCIE), the highest level of certification at Cisco. You must also pass a single exam.

8. Citrix Certified Professional – Virtualization (CCP-V)

$97,998

CCP-V is a newer certification from Citrix, replacing Citrix Certified Enterprise Engineer (CCEE) certification that was retired in November 2014. Focused around XenDesktop 7, CCP-V requires that candidates have already earned Citrix Certified Associate – Virtualization (CCA-V) certification. CCP-V certifies that you can deploy applications and virtual desktops using a variety of Citrix technologies, including XenDesktop 7, XenServer, and NetScaler.

While other Citrix certifications, including many for older versions of the software, are among the top 25 highest-paying this year, this new certification ranking so highly suggests that being certified on the latest version of a platform yields a higher salary than being certified on older versions.

9. Cisco Certified Network Professional (CCNP) Routing and Switching

$97,038

CCNP Routing and Switching certification is a follow on to Cisco Certified Network Associate (CCNA) Routing and Switching certification and a prerequisite to Cisco Certified Internetwork Expert (CCIE) Routing and Switching. Many CCNA-level engineers move on to CCNP Routing and Switching to show greater knowledge and depth in networking and to earn higher salaries.

CCNPs in routing and switching typically have at least a couple of years of experience (though that experience is not required) and have demonstrated the ability to plan, deploy, and troubleshoot both LAN and WAN scenarios and work with experts in related fields, such as voice and wireless. CCNP Routing and Switching certification requires separate exams in switching, routing, and troubleshooting.

10. Juniper Networks Certified Internet Associate – Junos (JNCIA-Junos)

$96,734

The JNCIA-Junos certification certifies knowledge of networking fundamentals, basic routing and switching, and Junos OS. It is the only entry-level certification in the top 10, and it is valid for two years.

11. Microsoft Certified Systems Engineer (MCSE)

$96,198

This certification ranked number 11 with an average salary of $96,121 for those who didn’t list an associated Windows version and $96,726 for those who listed MCSE on Windows 2003, for the weighted average of $96,198 listed above.

The Microsoft Certified Systems Engineer is an old certification and is no longer attainable. It has been replaced by the Microsoft Certified Solutions Expert (yes, also MCSE). The Engineer certification was valid for Windows NT 3.51 through Windows Server 2003, and the new Expert certification is for Windows Server 2012. There is an upgrade path if you are currently an MCSA or MCITP on Windows Server 2008. There is no direct upgrade path from the old MCSE to the new MCSE.

12. ITIL v3 Foundation

$95,434

ITIL® was created by the UK government in the 1980s to standardize IT management. It is a set of best practices for aligning the services IT provides with the needs of the organization. It is broad based, covering everything from availability and capacity management to change and incident management, in addition to application and IT operations management.

ITIL is composed of a set of books. Over the last 30 years, it has become the most widely used framework for IT management in the world. ITIL standards are owned by AXELOS, a joint venture company created by the Cabinet Office on behalf of Her Majesty’s Government in the United Kingdom and Capita plc, but they have authorized partners who provide education, training, and certification. The governing body defined the certification tiers, but they leave it to the accredited partners to develop the training and certification around that framework.

ITIL Foundation certification is the entry-level one and provides a broad-based understanding of the IT lifecycle and the concepts and terminology surrounding it. Anyone wishing for higher-level certifications must have this level first, thus people may have higher certifications and still list this certification in the survey, which may skew the salary somewhat.

13. Certified Ethical Hacker (CEH)

$95,155

The International Council of E-Commerce Consultants (EC-Council) created and manages CEH certification. It is designed to test the candidate’s ability to probe for holes, weaknesses, and vulnerabilities in a company’s network defenses using the techniques and methods that attackers employ. The difference between a malicious hacker and a CEH is that the attacker wants to cause damage, steal information, etc., while the CEH wants to fix the deficiencies found. Given the many attacks, the great volume of personal data at risk, and the legal liabilities possible, the need for CEHs is quite high, hence the salaries offered.

14. VMware Certified Professional – Data Center Virtualization (VCP-DCV)

$94,181

The entry-level VMware Certified Professional (VCP) is the oldest certification from VMware. As the VMware product portfolio has grown in the last several years, it was decided that a single certification was not sufficient. Now several VCP tracks exist, enabling VCPs to specialize.

The only VCP track that broke the top 15 this year is the Data Center Virtualization track, the largest and oldest of the VCP tracks. VCP-DCV certifies one’s knowledge of and ability to perform basic deployment and administration of vCenter and ESXi.

A policy established in 2014 requires that every two years, VCPs must recertify on their current track, take an exam in another VCP track, or take a higher-level exam to remain certified. With this new requirement, there will probably be fewer VCPs next year. Also, the release of vSphere version 6 provides an opportunity to upgrade VCP 5 skills to VCP 6 quickly and less expensively this year.

15. Certified Novell Engineer (CNE)

$93,856

The CNE certification was very popular in the 1990s and fell out of favor as Microsoft Windows became a dominant server vendor in the 2000s. Now that there are many more platforms and fewer CNEs, as many moved on to other areas, this certification is back in demand.

CNE certification confirms your ability to design, implement, troubleshoot, and upgrade networks based on SUSE Linux Enterprise Server (SLES). Those who have the Novell NetWare 6 CNE may upgrade to the Novell Open Enterprise Server for NetWare. Open Enterprise Server is based on SLES and offers server management and file storage that NetWare was known for.

Rounding Out the Top 25

A few popular certifications just missed the Top 15 cut due to a low total number of responses or an average (mean) pay just outside the threshold. Due to their popularity, I have included them for informational purposes.

16. Citrix Certified Advanced Administrator (CCAA) for XenApp 6 $93,831
17. Citrix Certified Enterprise Engineer (CCEE) $93,662
18. Citrix Certified Associate – Virtualization (CCA-V) $93,437
19. Citrix Certified Administrator (CCA) for Citrix XenServer 6 $92,695
20. CCA for Citrix XenDesktop 6 $92,411
21. Microsoft Certified IT Professional (MCITP): Enterprise Administrator $92,252
22. CCA for Citrix XenApp 6 $91,069
23. Red Hat Certified System Administrator (RHCSA) $89,427
24. Certified Novell Administrator (CNA) $89,018
25. Microsoft Certified Systems Administrator (MCSA) $87,667

Honorable Mention

AWS Certified Solutions Architect – Associate

$114,935

The AWS Certified Solutions Architect – Associate is a relatively new certification that debuted in mid-2013. While it did not receive enough responses to qualify for our “Top 15” list, it is definitely a certification that warrants a mention based on the salaries of those who did respond.

AWS’s baseline certification, AWS Certified Solutions Architect – Associate is intended for individuals with experience designing distributed applications and systems on the AWS platform. The certification addresses a range of topics, including designing on AWS, selecting the appropriate AWS services for your situation, estimating AWS costs, and identifying cost control measures.

Since the release of the AWS Certified Solutions Architect – Associate certification, AWS has rolled out three additional certifications, including the AWS Certified Solutions Architect – Professional, and they have one more in beta (AWS Certified DevOps Engineer – Professional). In this year’s salary survey, each of the four active AWS certifications has an average salary of more than $100,000, but they did not meet the minimum number of responses to make our list. Based on the number of companies moving to the cloud and the growth of AWS, I would certainly expect to see a few AWS certifications in next year’s list.

Notable Trends

Of this year’s top-paying certifications:

  • Five are in security (1, 2, 3, 5, and 13).
  • Three are in business (4, 6, and 12).
  • Three are in networking (7, 9, and 10).

Conclusion

If you’re looking to improve your skills (and your pay!), consider adding one or more of the certifications above. Consider your current skill set and see if a related skill or a management skill may help power your career to the next level. For example: If you already know storage or networking, consider a certification in virtualization. Or, break out of your technical track into a management track by taking ITIL or PMP training and getting certified in one of those areas.

About the Author

John Hales, VCP, VCP-DT, VCAP-DCA, VCI, is a VMware instructor at Global Knowledge, teaching most of the vSphere classes that Global Knowledge offers, including the View classes. John is also the author of many books, including involved technical books from Sybex, exam preparation books, and many quick reference guides from BarCharts, in addition to custom courseware for individual customers. His latest book on vSphere is entitled Administering vSphere 5: Planning, Implementing and Troubleshooting. John has various certifications, including the VMware VCA-DCV, VCA-DT, VCA-Cloud, VCP, VCP-DT, VCAP-DCA, VCI, and VCI Level 2; the Microsoft MCSE, MCDBA, MOUS, and MCT; the EMC Storage Administrator (EMCSA); and the CompTIA A+, Network+, and CTT+. John lives with his wife and children in Sunrise, FL.

[Global Knowledge]

ISACA CEO: Insights from White House Cybersecurity Summit

After attending the White House Summit on Cybersecurity and Consumer Protection, I agree with the paradox raised by President Barack Obama—the very technology that can be used to do great good can also be used to imperil us and do great harm. The President labeled cybersecurity threats as one of the most serious economic national security challenges today.

While the resolve of CEOs and government leaders for more global collaboration and information sharing was encouraging, I found it even more reassuring to hear them recognize the need for significantly more skilled cybersecurity professionals. Cyberattacks are damaging enough when intellectual property, personal information and emails are stolen; but the potential for attacks on water and electrical systems and even your car or pacemaker would be far more catastrophic. Cybersecurity is a matter of public safety and must be treated as such.

There is no question that businesses, academic institutions, civil society and governments must, as President Obama emphasized, work together like never before. This unprecedented level of collaboration is essential to stay ahead of our cyber adversaries. The bad actors share information when launching global attacks, so we must improve real-time information sharing among industry sectors and nations. This will help proactively identify attacks and techniques, and enable cyber experts to take immediate action.

To effectively do this we need more skilled professionals on the front lines and a cyber-safety mindset throughout every organization. For far too long, companies have either avoided dealing with the threat from cyberspace or have quietly tried to address it alone. But this is no longer enough. The risk has grown exponentially and substantially greater investment in technology and training for new cybersecurity professionals is urgently needed.

ISACA first identified this gap more than 10 years ago and has teamed with leaders in business and government to develop relevant training and certifications in information security and cybersecurity. Last year’s launch of Cybersecurity Nexus (CSX) brought together guidance, career development, skills-based certification and ongoing training for cybersecurity professionals at every stage of their careers. We will continue to evolve CSX as the role itself evolves and the skills requirements and threat landscape continue to change.

It is also vital for organizations to partner and develop high-impact public awareness campaigns that create a more cyber-aware society. People of all ages and walks of life play a very important role in reducing the effects of cyberthreats.

In the wake of the White House Cybersecurity Summit, I see the following as top priorities:

  • Conversations lead to solutions. Government and industry alike must continue to gather the insights of experts and translate these ideas into action.
  • If it is connected, it is vulnerable. Manufacturers need to build security in from the inception of new connected products.
  • Beat the drum. Consumers need to be made more aware of the importance of security when they’re considering connected cars, appliances, medical devices and other items.
  • Train and educate. Increase investments in building cybersecurity skills and knowledge among all members of the workforce.

Cybersecurity is everybody’s business—it is a global issue, a critical need, and it deserves our undivided attention.

Matt Loeb
CEO, ISACA

[ISACA]

Integrated Compliance Frameworks—Avoiding Common Pitfalls to Enable Success

Organizations today are burdened with an unprecedented volume of regulatory and compliance requirements, which increases operational complexity, strains production capability and ties up key resources. Integrated compliance frameworks offer a mechanism for these organizations to implement a single enterprise-wide solution that lets them “control once, comply with many.” While the concept is simple, implementation of these frameworks fails as often as it succeeds, for reasons that could be prevented with up-front planning and coordination. Below are five basic points to consider before you begin your integrated compliance journey:

  1. Start small, think broadly. It is tempting to try and tackle all compliance requirements across the entire organization in one pass. However, integrated compliance solutions take significant up-front time and effort to succeed. While a solution should be built with an organizational scope in mind, demonstrating incremental successes through smaller pilot efforts will help build support and keep momentum throughout the framework development and roll-out.
  2. Consider the pros and cons of “off-the-shelf” frameworks versus custom built. You will find several solutions in the market that offer “off-the-shelf” integrated compliance frameworks. Careful consideration should be given to how these frameworks fit your organization, the applicability of all regulations/requirements included in the frameworks, and whether your organization truly understands the applicability of specific requirements if dependent on a package solution. On the flip side, while a custom framework can allow increased flexibility in scoping, control design and roll-out, there may also be increased overhead with maintaining a custom solution.
  3. Identify organizational stakeholders. It is critical to identify who the key stakeholders are within compliance, legal, audit, business units and IT, as the success of integrated compliance frameworks depends on the support of all functions that are impacted by the various compliance and regulatory requirements included in the framework. Oftentimes a steering committee made up of key organization representatives can help not only with the initial design of your integrated compliance framework, but also with the successful ongoing support of the program going forward.
  4. Understand the applicability of requirements. Whether attempting to comply with SOX, PCI, HIPAA or other requirements, the effort of scoping each requirement for your organization in detail remains important to the effectiveness of your framework. While the purpose of an integrated compliance framework is to allow one common set of controls to achieve all applicable requirements, that does not mean all controls apply to the entire organization. Understanding and capturing the scope of each applicable requirement is crucial to demonstrating that the appropriate level of control has been applied to the environment without over-controlling.
  5. Consider the outputs at the start. It is easy to get buried in the details when designing and implementing your integrated compliance framework. Careful thought should be given at the start of your program to define the goals, reporting and key metrics that will measure success. Integrated compliance frameworks can help achieve a reduction in controls, improved compliance reporting, a reduction in hours spent on compliance efforts, and an improved ability to strategically address compliance and regulatory remediation efforts. Identifying key outputs for your organization at the start will allow you to design your framework in a way that best realizes these benefits and lets you communicate them effectively to management.

Implementation of an integrated compliance framework is a complex undertaking that cannot be solved with a quick-fix solution. As is the case with any large project, management can improve the likelihood of a successful implementation through careful planning and consideration of the organization’s objectives and risks to those objectives. Proper consideration of the points above can help you start on your journey to a simplified and integrated compliance landscape.

Nick Blaesing, CISA
Director, Risk Assurance, PricewaterhouseCoopers LLP
