NEMEA Compliance Automation

Governance and the Case for Automating the Compliance Cycle

Gary Swindon, NEMEA Security Services, LLC

White Paper, 3/20/2009

This NEMEA whitepaper discusses the relationship between two elements of the governance cycle, compliance and remediation, and the need to automate the cycle in order to achieve continuous compliance by enterprises at all levels. ©Copyright 2009 by NEMEA Security Services LLC, all rights reserved.



Any organization, enterprise or collection of like-minded individuals understands survival at some very basic level; indeed, most conduct their affairs with this notion somewhere in their thinking. Those who aspire to greater achievements as companies or governmental agencies have looked for years for a ‘silver bullet’ to protect and manage their processes, intellectual capital and other assets. Sadly, like so many who refuse to tackle the difficult challenges presented by life, they have failed in the quest and will continue to fail, because there is no single all-encompassing solution that helps an organization stand out against its competition. Those who pay even the slightest attention to the changing regulatory landscape should recognize that requirements are increasing, and that new regulations and standards bring with them new enforcement penalties and other unpleasantness. Even organizations that have been held up to the rest of the world as models of good process management sometimes fail to understand the overarching importance of good governance built on solid compliance, remediation and risk assessment. What many have overlooked is that even the tone and tenor of the regulations have changed. No longer written as prescriptive lists of do’s and don’ts, they seek instead to place the burden for compliance, and the related decisions, squarely on the shoulders of those who must comply. Over the last twelve years or more, the Federal Government has mandated desired results while moving toward allowing businesses to choose, enforce and document the processes that they adopt. Interestingly enough, the Executive Branch agencies of the Federal Government have chosen to adhere voluntarily to some of these regulations (HIPAA is a good example of voluntary compliance). While Congress changed the method of constructing business regulatory legislation to a focus on outcome-based actions that require a proactive stance on the part of the regulated, it also explicitly recognized the need for regular compliance and risk assessments as the underpinnings of any actions taken to reach compliance. That focus on outcomes represents an excellent first step in the process of achieving the control that is the hallmark of a well-governed enterprise.

At NEMEA we believe that governance has four core ideas or components; in order of priority they are: compliance, remediation, risk and audit. Each of these components is essential to crafting a complete governance effort (or strategy) on the part of an enterprise and its senior leadership. Although some argue that governance is already practiced by many organizations, it is at best a process beset by a lack of relevant, current information upon which to base decision making. In every case compliance must come first, simply because of the far-reaching consequences facing organizations that would like to forget compliance or perform it only on an ‘as needed’ basis. More to the point, failing to understand the compliance posture of the organization and to deal with it proactively is, at worst, a recipe for failed intentions and, at best, pure guesswork. Each step in the cycle builds on the previous one: compliance assessments highlight remediation needs, the remediated weaknesses contribute to the overall risk posture of the enterprise, and the audit step is used to verify the adequacy and effect of remediation efforts and of the compliance program overall. Collectively these steps represent the foundation for making informed business decisions regarding the expenditure of resources and the commitment of the organization to long-term, achievable goals. The true power of this governance cycle is outlined in Figure 1, below.

Figure 1: Governance Cycle

NEMEA believes that good governance confers a distinct advantage on those who practice it: their organizations are proactive, compliance activities are ingrained in the day-to-day processes, and unpleasant surprises, whether in the form of audit results or of weaknesses exploited by outside agencies, are kept to an absolute minimum. The organization’s senior leadership has the information it needs to make informed decisions concerning the allocation of assets and to undertake new initiatives that strengthen the position of the enterprise. Carried to the next logical step, truly well-governed organizations with good compliance programs ensure that middle managers and directors also share in the information, so that the quality of operating budget decisions can be enhanced in the day-to-day efforts of the workforce. This idea is as relevant for governmental organizations as it is for business at large, because governmental agencies and offices must find better ways to provide services to the constituents that they serve every day. Both need to become more resource efficient; governance can help ensure that goal is achieved.

The Current Compliance Landscape

Since the events of September 11, 2001, all of government and industry has become more sensitive to security and compliance concerns and, to some extent, more aware of its own posture. This is especially true of those organizations that already appreciated the need for sound compliance management as a part of their existing business operations. Several other factors contribute to a sharper focus on the need for better information on which to base investment decisions, among them: regulatory changes, especially those dealing with privacy; the cost of settlements based on violations of regulations and policy; the impact of adverse publicity and press on the basic trust relationship that exists between organizations, their existing customers, and the public in general; and the need for competitive advantage in a given industry or endeavor. Without a solid understanding of the need for compliance and of how to manage and fix problems, companies are reduced to making potentially costly decisions on little relevant information.

Regulatory Changes: in the last 18 months the Federal Government has passed or updated landmark laws and guidance affecting several industries that were already burdened with the need to demonstrate good compliance; the best known and most publicized of these are the major update to the FFIEC (Federal Financial Institutions Examination Council) Examination Handbook for banks and the Comptroller of the Currency’s update of the Bank Secrecy Act/Anti-Money Laundering rules. A new characteristic of these, and probably of more laws to come, is that Congress has opened some of the laws to the states to set enforcement standards (there could be 50 different rules for compliance with GLBA). In addition, there are unexpected requirements such as the mandate levied on industry to create new organizations and hire new people, such as Privacy and Compliance Officers. Congress has also unexpectedly extended laws that at first glance appeared to apply to only a part of an industry to that industry’s business partners regardless of their line of business, as found in HIPAA (Health Insurance Portability and Accountability Act). This is not a problem unique to industry, however; government agencies at all levels must comply with the likes of FISMA (Federal Information Security Management Act), OMB’s POA&M (Plan of Action and Milestones) requirements and NIST SP 800-53 Revision 2.

Settlement Costs: the press is replete with stories of companies and government agencies that ignored rules because of the cost or inconvenience of implementation and then paid many times that cost to settle lawsuits in order to get on with everyday business. Excellent examples come from the healthcare industry: Kaiser Permanente paid several million dollars to settle suits brought for releasing patients’ personal health information to a small group of email addresses, when the cost of doing it right the first time was less than $30K. Several of the larger care organizations have paid upwards of $10 million, and as much as several hundred million dollars, to the Federal Government because of sloppy, unaudited business practices that would have cost the companies in question almost nothing to fix in comparison to the cost of settlement. The McDonald’s Corporation lost a landmark suit to an elderly customer over whether it is reasonable to expect coffee to be hot (the initial jury award was more than two million dollars). On the Federal side, the Veterans Administration permitted a laptop containing the records of millions of veterans to be stolen and wound up paying for credit monitoring services for people whose data was suspected of being compromised. The Department of Energy experienced an incident in which several disk drives containing nuclear program materials were lost or misplaced. There are many more examples in all industries; insurance carriers are very aware of the situation and of what they pay out every year for their client companies, and client companies are becoming painfully aware of the cost of property and casualty insurance coverage. Costs are so high that virtually every medium to large company is self-insuring for at least some of the risk that it carries in doing business. As mentioned before, the concomitant issue is that enterprises, including government agencies, are making major policy decisions without critical information.

Impact of Adverse Publicity and Press: any business or government organization whose survival depends on trust between the customer and the organization is aware of the tremendous potential impact of adverse press on business growth and agency operations. Imagine the consumer experience of going to a doctor in whom there was no trust, or to a bank, brokerage house or insurance company under the same conditions. Even organizations that, because of the nature of what they do, don’t typically consider public trust as having any part in their business are sometimes unpleasantly surprised by the impact. DoubleClick almost went out of business because of publicity surrounding the collection and use of consumer healthcare information on the Internet without either the permission of the potentially targeted individuals or even any awareness on the part of the public that the information was being gathered. It took a public explanation of business practices, an apology and a posted notice of the practices for gathering and using the collected information before DoubleClick’s customers or other businesses would continue to buy its products. Medical practices have been driven out of business over adverse publicity, government officials have been replaced, and the collateral effects on businesses like DoubleClick, which never considered that the public would pressure its customers not to buy, are well documented.

Competitive Advantage: every business and government agency is aware of its competitive landscape to some extent. Organizations that are aggressive about their business and products are forced to pay attention to changes on the part of the competition or to competitive forces, or face the steady and sometimes rapid erosion of their market share or public trust. Competitive advantage can come from anywhere: IT infrastructure, new product features that make a product the de facto standard in its industry, lower cost of operations including selling, the ability to deliver better service, and the ability of the organization to give customers, business partners and the public a sense of security and the resulting trust that evolves from it are among the most effective. The need to engender trust, especially in target market segments, is of paramount importance. Having better and timelier information on which to base decisions is critical to the success of any enterprise, and the ability to look at compliance from the standpoint of economic and policy trade-offs, with objective information, is a competitive advantage of no mean stature.


Obstacles to Good Compliance Programs

Regardless of the size of the enterprise, there are one or more obstacles to achieving a solid, useful compliance program with repeatable processes and metrics. These obstacles range from ‘institutional’ barriers, such as organizational attitude and structure, through process barriers, such as a lack of good program design with proper scope and metrics, to problems with the scope and frequency of outside enforcement. Finally, the dearth of good automated toolsets with which to build sustainable compliance programs limits the efforts, and consequently the success, of organizations that do recognize a good compliance program as valuable.

Organizational Attitude: a disproportionately large number of organizations, whether businesses or government agencies, pay at best lip service to compliance. There is no belief among senior managers that compliance with any specific set of requirements is worthwhile beyond passing an audit or staying out of the press. A major part of the problem lies in the message, and the manner, in which compliance and security professionals try to gain mindshare with senior management: the principal message is FUD (Fear, Uncertainty, and Doubt), often delivered in obscure terms. The manner of presentation is immediately called into question because compliance and security professionals can seldom converse with the affected managers in the language of the business or enterprise, instead using the ‘techno-speak’ that is the common lingua franca of the compliance and security organizations. This lack of a common understanding and language between senior managers and their compliance and security staffs has an immediate and long-lasting impact on compliance efforts, namely that most compliance programs are consigned to failure from the outset. Unfortunately, once credibility is lost by the compliance and security staff, it is almost never regained. This lack of a common framework and approach to the importance of a good compliance program is the quintessential ‘last nail in the coffin’ of meaningful compliance efforts. It should also be noted that if senior management doesn’t believe in the necessity for compliance, then it is highly unlikely that the rest of the organization will pay more than minimal attention to it.

Audit Process versus Operational Process (built-in compliance): a subset of the organizational attitude is embodied in the pervasive dichotomy between what is provided by the audit function and having a well-established set of compliance-aware operational processes. The internal audit function is expected to find and identify problem areas and to issue reports that can then be used to address those findings. This simple idea, however, is more often than not overcome by a variety of impediments, such as a lack of available resources, a lack of appropriate tracking mechanisms, and the grandfather of them all: the notion that no sense of urgency is necessary, since the auditors won’t be around for at least another year except to do minor spot checks on the progress of remediation. Finally, it is well documented that auditors, whether internal or external, can only assess a relatively small subset of all the requirements that a business or government agency must address in order to be considered ‘compliant’.


Organizational Structure: the structure and flow of information in an organization or agency frequently contributes to frustrating compliance efforts. If the compliance function itself does not report high enough in the ‘food chain’, few will view it as more than a potential interruption to their daily lives. In addition, if compliance is perceived as a support organization instead of a ‘line’ function, it seldom has the impact needed to put lasting programs in place, and it will compete (usually unsuccessfully) with the likes of the auditors for a place on senior management calendars. Until compliance can be shown to be a business enhancer or multiplier, it will be relegated to a position no higher than ‘necessary evil’. Sadly, compliance functions lack the institutional history that internal auditors or Inspectors General have; they have ‘come to the party late’, and that, coupled with a lack of enforcement capability, leaves the compliance organization solidly behind the organizational power curve.

Lack of Good Metrics: ask any management analyst, consultant or expert what good metrics mean to an organization and you will find general agreement that they are critical to the sustainable success of the business or program. They will also agree that it is a rare enterprise indeed that actually has good metrics beyond some well-defined financial, and perhaps personnel-related, ones that almost everyone agrees on. These existing metrics are the result of years of financial and management practice and have stood the proverbial test of time, meaning that they are usually good indicators of performance. When it comes to compliance efforts no such agreement between experts exists, probably because compliance has almost universally been treated as a potentially expensive afterthought. Vanishingly few enterprises have an established and recognized baseline from which to measure their progress, or lack thereof, in their compliance efforts. Further, comparing one large data set against another, as compliance surveys require, is a very difficult and time-consuming process, even given the potentially great value of such a capability. Organizations that choose to use outside consultants to measure their compliance and risk efforts discover very quickly that the process is expensive and time consuming, and that the data gets progressively more ‘stale’ as time goes on. It also fosters the notion that compliance should only be measured once a year because it is so expensive and difficult, and this perception leads to a corollary outcome: most enterprises lack the ability or willingness to track the remediation efforts that they undertake in any systematic fashion. The net result is that board members and senior managers continue to be asked to fund major programs and initiatives (including remediation efforts) without the information they need to make an informed decision.

Scope of Enforcement: ironically, regulators sometimes unwittingly contribute to the lack of good compliance efforts because they lack the resources to do a thorough investigation, or because they are hampered by their own decisions regarding the scope of the regulatory effort, its timing, or the lack of public exposure of the results of their investigations. It is also true that sometimes the law, rule or regulation lacks sufficient or appropriate penalties for the lapses uncovered in an investigation. An excellent example of all of the above is found in HIPAA (the Health Insurance Portability and Accountability Act of 1996, as amended). Few healthcare organizations truly believe that regulatory efforts on the part of the Federal Government or the States, or the penalties associated with the Act, are sufficient cause for worry, let alone for compliance action or effort. This is not idle speculation: a study done three years after the implementation dates of the Privacy, Security, and Transactions and Code Sets provisions revealed that one third of all hospitals had undertaken no effort to comply with HIPAA.

Lack of Good Toolsets for Compliance Programs: with all of the companies that profess to be in the GRC (Governance, Risk, and Compliance) space, one might be tempted to assume that there would be at least a couple of approaches to the problem that would yield good toolsets. To date, no one or two companies have emerged with a solution that appears to be mostly, or even widely, usable or applicable across many types of organizations, government and business, private or public. There are other issues with the toolsets available: some interpret regulations for their customers instead of rendering the requirements faithfully, many price each part of the solution in such a way as to make user flexibility nearly impossible, and some are extremely difficult and time consuming to use.

Audit versus Compliance Mentality: in order to build compliance programs that have lasting value to the enterprise, the organization must come to grips with the embedded ideas and attitudes surrounding both audit and compliance. The audit program depends upon the attitudes, experience and opinions of the auditor, who examines processes and people (employee behavior) and determines and verifies the conditions and procedures they were sent to evaluate. A compliance program, on the other hand, relies upon the experience, training, opinions and attitudes of the employees who must perform the everyday work and who rely on established business procedures and processes in order to achieve the objectives and aims of the enterprise. To put it another way, in an audit the auditor’s opinion matters, not that of the employees who must stand the audit, whereas compliance measurement relies on the employee or end-user experience, not the auditor’s, to measure effectiveness and success. While at first glance the foregoing may seem like heresy, both the auditor and the end user have a well-defined place in compliance efforts; it is only when the distinction becomes blurred that the organization is headed for trouble. Compliance is best measured by those responsible for the day-to-day activity of the enterprise.

Compliance, Remediation and the Need for Automation

If organizations are going to be governed successfully they must have the tools to do the job efficiently and to provide assessment information to senior managers on demand and over time. The needs are many and wide-ranging, and in most cases can only be addressed in a highly automated environment. The nine need areas that follow are illustrative of the environmental requirements that any good compliance and remediation toolset should not just allow but actively facilitate in order to provide long-lasting value to the enterprise.

1. The need to dramatically shorten cycle times for compliance assessments: based on experience, the typical manual compliance assessment for one functional area such as IT (Information Technology) in a medium-sized organization (10,000 or so employees) often takes between 12 and 16 weeks to complete. Even then, the usual tools are likely to be a combination of spreadsheets, both manual and PC based, and word processing documents. Given this type of cycle time it is small wonder that the pervasive attitude on the part of senior managers everywhere is that assessment should only be undertaken once a year. As a reference point, in a large organization it can take most of a year to do the same thing.

2. The need to reach affected participants at all levels of the organization: in the case of a small assessment a survey manager might actually know all of the right people to act as participants in a survey; in a large organization it is extremely unlikely that a survey manager knows who the correct participants are across all departments, divisions or offices. Whether the survey manager knows them or not, they must still be found in order for the survey to achieve its full value to the organization. The only way that suggests itself is through automation.

3. The need to track changes in the compliance posture over time: determining whether remediation efforts, training efforts or other resource-intensive activities are being implemented successfully requires the ability to track changes over time. To illustrate the idea in a different way, when a senior manager asks a subordinate ‘what did you do with the money I gave you to fix the problem?’, it would be nice for everyone concerned if the subordinate had a good answer and could prove the point with facts. Tracking of this kind implies another capability: the ability of the organization to assign responsibility for remediation, to know what resources are required and where, and to know when to expect that the desired results will be achieved.

4. The need to establish repeatable results and comparisons: as noted earlier, using outside agencies such as consultants works against an organization trying to determine its long-term compliance posture. The expense, the departure of institutional knowledge when the consultant team leaves, and the fact that the consulting report was rendered as of a point in time, with little or no hope of updating it to reflect subsequent changes in the organization, all work against the enterprise. An organization that wants to build long-term, productive, value-added compliance programs must have a stable baseline against which to measure its efforts, and the survey methods, requirements and reporting should ideally be the same no matter how often or for how long the results are rendered or tracked.

5. The need to track responsibility and expenditure of assets to remediate issues: keeping track of who is responsible for fixing identified problems, what they are spending in money and effort, what success they are achieving, what milestones can be tracked, and when to expect that the effort will be successfully concluded is at the heart of this need. Considering the sheer volume of compliance-related information generated by even a modest-sized survey, this portion of the toolset must be automated in such a way that ‘on demand’ reports can be rendered when and where they are most needed.

6. The need to mimic the actual workflow as closely as possible: any toolset that provides the information an organization needs may have some utility and value to the enterprise. The most useful approach is one that does not require the user to learn a different way of doing business just to make the tool work. As much as possible, survey creation, distribution, analysis and reporting should work in the same stepwise fashion that most individuals use every day when solving problems. If users can see how things fit together they are much more likely to use the tools to achieve their aims.

7. The need to access and assess requirements or controls quickly: it is no secret that different groups within organizations approach compliance information in different ways. At the polar ends of this dichotomy we have auditors, who typically deal in controls and assess their robustness, and practitioners, who typically deal in requirements and how to implement them. Any toolset must be usable by both groups in order to provide the maximum utility to the organization; this capability helps to ensure that there is a common framework or approach for the compliance process and that the process is grounded in common methods of analysis, common reporting, and common sources and structure of authority documents. Toolsets that allow a seamless crosswalk from requirements to controls, while preserving all of the related data such as which vulnerabilities are being addressed, are vital to the success of the compliance process.

8. The need to add local authority documents of importance to the organization: simply put, any toolset that supports the compliance cycle must be flexible enough to incorporate locally important sources of standards, such as policy and procedure or other requirements important to the successful functioning of the enterprise. Ideally, authoring tools should be available to allow the organization to do its own input, or to allow an outside party to do the input under the direction of the owning organization.

9. The need to aggregate and analyze large amounts of compliance data: data aggregation and analysis for any medium to large organization is a problem because of the sheer volume of information generated. Enterprises need the capability to analyze and report on current information and to compare it with preceding-period data in order to assess progress. At a minimum, users should be able to compare surveys created over time whether or not they were identical in scope. To say it differently, comparisons between data sets should be possible when using an automated toolset, and the toolset should know and be able to highlight the differences in scope as well as compare the same types of data.
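Needs 3 and 9 above amount to one capability: roll each survey up into a posture per authority document, then diff two surveys taken at different times even when the scope changed between them. The following Python is an added example written for this page; it is not NEMEA's code or any part of the Compliance Center product. The authority documents, requirement identifiers and responses are constructed sample data, and the three-valued response vocabulary (met, not met, not applicable) is an assumption.

```python
"""Roll up and compare compliance survey results across periods.

Added example, not NEMEA's code.  Authority documents, requirement ids and
responses are constructed sample data; the response vocabulary is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MET, NOT_MET, NA = "met", "not_met", "n/a"   # assumed response vocabulary
Key = Tuple[str, str]                         # (authority document, requirement id)
Survey = Dict[Key, str]


@dataclass(frozen=True)
class Posture:
    met: int        # requirements answered "met"
    assessed: int   # requirements answered anything other than "n/a"

    @property
    def percent(self) -> float:
        return 0.0 if self.assessed == 0 else round(100.0 * self.met / self.assessed, 1)


def posture_by_document(survey: Survey) -> Dict[str, Posture]:
    """Compliance posture per authority document; n/a answers leave the denominator."""
    counts = defaultdict(lambda: [0, 0])
    for (doc, _req), resp in survey.items():
        if resp == NA:
            continue
        counts[doc][1] += 1
        if resp == MET:
            counts[doc][0] += 1
    return {doc: Posture(met, assessed) for doc, (met, assessed) in counts.items()}


@dataclass(frozen=True)
class Delta:
    improved: List[Key]    # not met -> met
    regressed: List[Key]   # met -> not met
    added: List[Key]       # only in the later survey (scope grew)
    dropped: List[Key]     # only in the earlier survey (scope shrank)


def diff_surveys(earlier: Survey, later: Survey) -> Delta:
    """Requirement-level changes, with scope differences kept apart from posture changes."""
    common = earlier.keys() & later.keys()
    return Delta(
        improved=sorted(k for k in common if earlier[k] == NOT_MET and later[k] == MET),
        regressed=sorted(k for k in common if earlier[k] == MET and later[k] == NOT_MET),
        added=sorted(later.keys() - earlier.keys()),
        dropped=sorted(earlier.keys() - later.keys()),
    )


def report(earlier: Survey, later: Survey) -> List[str]:
    """Human-readable lines for a dashboard or status memo."""
    before, after = posture_by_document(earlier), posture_by_document(later)
    lines = []
    for doc in sorted(before.keys() | after.keys()):
        b, a = before.get(doc), after.get(doc)
        lines.append(f"{doc}: {b.percent if b else 'n/a'}% -> {a.percent if a else 'n/a'}%")
    d = diff_surveys(earlier, later)
    lines.append(f"improved={len(d.improved)} regressed={len(d.regressed)} "
                 f"added={len(d.added)} dropped={len(d.dropped)}")
    return lines


# Constructed sample data: Q1 covered two authority documents; by Q3 a locally
# authored policy was added and one requirement was taken out of scope.
Q1: Survey = {
    ("HIPAA Security Rule", "164.308(a)(1)"): MET,
    ("HIPAA Security Rule", "164.312(a)(1)"): NOT_MET,
    ("HIPAA Security Rule", "164.312(e)(1)"): NOT_MET,
    ("NIST SP 800-53 Rev 2", "AC-2"): MET,
    ("NIST SP 800-53 Rev 2", "AU-6"): NOT_MET,
    ("NIST SP 800-53 Rev 2", "PE-3"): NA,
}
Q3: Survey = {
    ("HIPAA Security Rule", "164.308(a)(1)"): MET,
    ("HIPAA Security Rule", "164.312(a)(1)"): MET,
    ("HIPAA Security Rule", "164.312(e)(1)"): NOT_MET,
    ("NIST SP 800-53 Rev 2", "AC-2"): NOT_MET,
    ("NIST SP 800-53 Rev 2", "AU-6"): MET,
    ("Local Policy LP-1 (laptop encryption)", "LP-1.1"): MET,
}

if __name__ == "__main__":
    print("\n".join(report(Q1, Q3)))
```

Requirements that were in scope in one period but not the other are reported separately rather than silently counted as passes or failures, which is what keeps a grown or shrunk scope from masquerading as a change in posture. Responses of n/a drop out of the denominator, so a document in which everything was marked not applicable simply does not appear in the roll-up instead of showing as 100% compliant.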

Compliance Process and Automation

In order to apply the benefits of automation to the needs of an organization, the compliance data-gathering process must be well documented and clearly understood. The level of process decomposition matters, because the ideal solution is to end up with tools that follow the way people work to the greatest extent possible. One approach is to list the major components with the absolute minimum of detail necessary to obtain a working model that covers the known and anticipated needs of the organization. In the section that follows, the compliance assessment and remediation processes are outlined at a high level, and the links to user workflow requirements are explored in the context of automating the essential processes to optimize the value of an automated toolset.


The first process is the survey creation and management portion that consists of 5 steps: creating the

survey structure or template; choosing the content; distributing the survey; collecting and analyzing the

results; and reporting on the results. The survey data collection process depends upon the input of

many users who are directly involved in managing these issues on a daily basis. This process is

highlighted in figure 2 below.

[Figure 2: Compliance Steps]

Creating the Survey Structure: the survey structure determines many things: the type of statistics available for analysis and reporting; the degree of compliance achieved by the organization based on the target survey audience; the graphics used for dashboard reporting; the time for gathering responses; and, ideally, the use of workflow items such as automated reminders for the participants.

Choosing the Survey Content: the content for the survey should be variable and customizable depending on the needs of the organization; the survey manager should be able to choose single or multiple authority documents, sections from one or more documents, and single requirements or questions from any document that may be needed. The system should allow the survey manager to choose content from existing authority documents already provided for use, or allow the survey manager to create their own specific content to be used in one or more surveys.

Distributing the Survey: there are two basic scenarios to consider when it comes to distributing the survey. In the first scenario, the survey manager knows all of the recipients to whom the survey should be sent; in the second scenario, the survey manager cannot possibly know all of the proper recipients due to the size of the organization, vendor partners who may need to participate, etc. In either case, the distribution should be as automated and direct as possible.

Collecting and Analyzing the Results: the basic data analysis of the output provided by the survey respondents should be automated and automatic and provide both summary and detail information as a result of the survey. Further, the data itself should not be editable by the survey manager or the respondents, and any and all attached documentation submitted by the respondents should also be carried forward as a part of the output of this process.

Reporting on the Results: the survey output reports should faithfully reflect the data analysis and be customizable and editable by the survey manager based on the needs of their particular organization. This should include the ability to attach documents and comments provided by the survey respondents in answer to the questions concerning the requirements covered.

Remediation Process and Automation

The base process that governs remediation activities consists of 4 steps: identifying the weaknesses to be addressed as reported in the survey; assigning responsibility for remediation; determining the resources and milestones; and reporting on progress. Unlike the survey process, the remediation process depends on the management of an organization to determine what will be undertaken. This process is outlined in the figure below (figure 3).

[Figure 3: Remediation Steps]

Identifying the Weaknesses to be Remediated: weaknesses identified for remediation should consist of vulnerabilities, controls or both, depending on the size and the needs of the organization. For example, a small organization may wish only to address a global vulnerability such as ‘Policy & Procedure’, while a larger organization may need to address the underlying controls as part of the remediation process: the vulnerability ‘access controls’ may have several uniquely identified controls as part of the vulnerability, such as ‘password length’, ‘strong passwords’, ‘password expiration’, etc. The second aspect of this process is determining which weaknesses to remediate based on organizational needs such as resource constraints.

Assigning Responsibility for Remediation: a system should allow assigning responsibility to individuals or members of a team, each of whom has a particular control or controls to remediate as part of addressing a larger vulnerability. This assignment should be editable so that as old points of contact move on to other duties or responsibilities, a new person or persons can be assigned to see the project through to a successful conclusion.

Determining the Resources and Milestones: for any assigned responsibility, whether it is a single vulnerability or multiple vulnerabilities, or the underlying control or related controls, the assigned point of contact should be able to determine and record the major resource and milestone requirements and allow other team members to add their input as it becomes appropriate.

Reporting on Progress: the remediation point of contact should be able to report on a continuing basis what progress is being made and what additional resources or time might be needed, and allow those with subordinate responsibilities to add their input as well. The survey manager should be able to obtain on-demand reports on any or all of the remediation efforts and be able to perform comparisons from a baseline survey to the next survey in any or all of the areas to highlight progress or the lack of it. Second, the survey manager should be able to compare multiple surveys to each other even when the content may not be identical; in other words, surveys with any overlap at all in their design or focus should be able to be compared on the items common to the other surveys of interest.

The Compliance Cycle and Automation

In order to derive the most usability and value from adopting a continuous compliance cycle, the software platform should be designed to follow normal workflow or problem-solving steps while providing as much flexibility as possible in the selection, management, and use of the tool's features and functions. The software architecture should embody current technology, simplicity of maintenance and enhancement, scalability on demand and a robust data export capability in order to protect the client's or user's investment as well as the developer's. Other hallmarks of the architecture should include maximizing data handling to include the seamless addition of external related documentation and information, extensive on-demand reporting, both ad hoc and templated, and a robust security model that exists at all of the necessary levels in the hosted environment. The security model should incorporate features to protect the user, the environment and the data in such a way that the user doesn't have to think about how to ensure security, but rather about how to use the software tools to achieve their compliance assessment and remediation goals. In short, the security features taken together should be as transparent as possible, consistent with a highly secure environment, and not get in the way of doing the work that needs to be done. Finally, the software should require the least amount of physical and logical assets in order to be used: with this in mind, NEMEA chose to implement the toolsets as a Software as a Service (SaaS) offering. The survey manager needs only a browser and email capability in order to access and use the NEMEA solutions; respondents need the same internet and email connection capability.

The NEMEA solution to automating the compliance cycle consists of two related toolsets, Compliance Center and Remediation Center, that follow the architectural principles outlined above. Compliance Center automates the compliance survey management process and follows the cycle in figure 2 while allowing the maximum control by the survey manager over creation, content, distribution, analysis and reporting of survey information. The survey manager can create a survey template rapidly, populate the survey with known requirements that define what is being assessed, and, with a high degree of probability, distribute the survey to the appropriate respondents even when the survey manager does not know who they are. Remediation Center automates the remediation assignment and tracking process outlined in figure 3. In addition, Remediation Center can use any survey, current or not, to automatically pre-populate vulnerability or control weaknesses identified in the subject survey, and allows for assigning both the vulnerability and the related controls dynamically if an organization so chooses. It also allows the survey manager to assign a point of contact for remediating selected weaknesses, identify resources needed to correct the problem, allow selected individuals to establish and modify milestones, and identify and link any other external or internal assessment such as an audit to the tracking system. The toolset also allows the survey manager to compare surveys to an existing baseline survey even if the controls and vulnerabilities in the surveys being compared do not exactly duplicate one another. In cases where two or more surveys are compared to a baseline survey, the system automatically compares the areas that can yield relevant information and ignores the balance. These two toolsets are the first of a series of complementary products that NEMEA intends to offer to potential clients.
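As an added illustration (not NEMEA's code), the following Python sketch shows the two capabilities described in the remediation reporting section and again just above: two surveys are compared only on the controls they share, with the non-overlapping balance reported separately, and a survey's non-compliant controls are grouped by vulnerability to pre-populate a remediation list. The survey names, control identifiers, vulnerability areas and three-level status scale are constructed assumptions, and responses are frozen so that collected data cannot be edited after collection.

```python
"""Added example (not NEMEA's code): compare two surveys on the controls they
share and pre-populate a remediation list. All sample data is constructed."""
from dataclasses import dataclass
from types import MappingProxyType
from typing import Mapping

# Constructed three-level status scale; a higher rank is better.
STATUS_RANK = {"non-compliant": 0, "partial": 1, "compliant": 2}

@dataclass(frozen=True)
class Survey:
    """Frozen: once collected, responses are read-only for everyone."""
    name: str
    responses: Mapping[str, tuple[str, str]]  # control id -> (area, status)

def make_survey(name: str, responses: dict) -> Survey:
    # MappingProxyType is a read-only view, so later edits raise TypeError.
    return Survey(name, MappingProxyType(dict(responses)))

def compare(baseline: Survey, current: Survey) -> dict[str, list[str]]:
    """Compare only the common controls; report the balance separately."""
    common = baseline.responses.keys() & current.responses.keys()
    result: dict[str, list[str]] = {
        "improved": [], "regressed": [], "unchanged": [],
        "only_in_baseline": sorted(baseline.responses.keys() - common),
        "only_in_current": sorted(current.responses.keys() - common),
    }
    for cid in sorted(common):
        before = STATUS_RANK[baseline.responses[cid][1]]
        after = STATUS_RANK[current.responses[cid][1]]
        key = "improved" if after > before else "regressed" if after < before else "unchanged"
        result[key].append(cid)
    return result

def weaknesses(survey: Survey) -> dict[str, list[str]]:
    """Group every control that is not fully compliant by vulnerability area."""
    out: dict[str, list[str]] = {}
    for cid, (area, status) in sorted(survey.responses.items()):
        if status != "compliant":
            out.setdefault(area, []).append(cid)
    return out

# Constructed sample surveys that overlap only partially.
BASELINE = make_survey("Q1 baseline", {
    "AC-1 password length": ("access controls", "non-compliant"),
    "AC-2 strong passwords": ("access controls", "partial"),
    "AC-3 password expiration": ("access controls", "compliant"),
    "PP-1 policy & procedure": ("policy & procedure", "non-compliant"),
})
CURRENT = make_survey("Q2 follow-up", {
    "AC-1 password length": ("access controls", "compliant"),
    "AC-2 strong passwords": ("access controls", "non-compliant"),
    "AC-3 password expiration": ("access controls", "compliant"),
    "BC-1 backup testing": ("business continuity", "partial"),
})
```

Calling compare(BASELINE, CURRENT) reports AC-1 as improved, AC-2 as regressed and lists PP-1 and BC-1 as the ignored balance; weaknesses(CURRENT) yields the controls a remediation tracker would be pre-populated with.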

From an architectural perspective, NEMEA chose to develop the toolsets using web standards including AJAX. This is implemented using .NET and SQL running under a Microsoft operating system (OS) in a clustered configuration. NEMEA code follows web standards for development and does not allow the use of potentially insecure technologies such as ActiveX or Java. The NEMEA infrastructure is redundant at all levels: data center, server, communications and networking, and data storage. In addition, the appropriate use of load balancing, IDS/IPS and other monitoring tools helps to ensure the security of information at all times. NEMEA does not allow unencrypted access to the network or toolsets and ensures logical segregation and separation between clients using the NEMEA SaaS tools.

The NEMEA solution to automating the compliance and remediation cycle is robust, cost effective and secure while meeting the needs of organizations that are serious about compliance. NEMEA's products directly address the most pressing issues that organizations face in trying to build effective and enduring compliance, remediation and governance programs while giving users complete control over their information. Using the NEMEA solution reduces the compliance cycle time by a minimum of 70% while reducing the overall costs associated with assessment and remediation by more than 50%. Clearly, the NEMEA product set can help virtually any organization, business or government agency establish and maintain control over their governance processes through the provision of timely information for sound decision making.


About NEMEA

NEMEA Security Services provides on-demand software solutions for enterprise-wide governance, risk management, and compliance (GRC) that empower security-sensitive organizations to sustain a compliance environment, limit risk without sacrificing business effectiveness, enhance shareholder value, and improve corporate integrity by advancing GRC initiatives. An industry thought-leader in understanding compliance standards, frameworks, and regulations, NEMEA understands the benefits to be gained and the challenges that may be encountered in managing enterprise-wide GRC initiatives on an on-going basis. NEMEA knows what is needed to operate efficiently and effectively in a highly regulated business environment and firmly believes that organizations should be free to focus on what they do best – managing their business and compliance, risk, and audit initiatives without the encumbrances of implementing and maintaining rigid and complex proprietary software solutions that require extensive customizations. It’s for these reasons that NEMEA created a portfolio of innovative and intuitive web-based software tools modeled on the way businesses actually work. NEMEA's automated toolsets allow powerful collaboration across all departments, leading to better business decisions, lower costs, and empowered management. Because the tools are built to suit unique business needs, organizations in regulated industries can be confident that they can address their compliance requirements in a way that best fits their environment and reap the benefits of effective governance, risk, and compliance management. 
What Sets NEMEA Apart

Recognizing early on the advantages inherent in the “Software as a Service” (SaaS) delivery model as a more cost-effective alternative for enterprises to achieve their business objectives, NEMEA is not so much a software developer as it is a process integrator, freeing itself to focus on bringing to market solutions that integrate GRC processes that are sustainable, reliable, efficient, and transparent. NEMEA’s deep industry knowledge is gained from over 50 years of experience in designing risk management programs, defining information security policies and processes, conducting security audits, and defining GRC processes for diverse organizations in industries ranging from financial services, healthcare, and manufacturing to internet services, the US military, and federal agencies. NEMEA COMPLIANCE Center® is a compliance solution featuring a full suite of tools to create and manage compliance surveys, collect and analyze results, create standard or custom reports, and tackle essential remediation efforts. Its fully-featured user interface lets management rapidly compare the laws and regulations pertinent to their industry and business and supports the use of numerous standards simultaneously. NEMEA REMEDIATION Center® is based on a simple and elegant concept – identify the issues to be resolved; determine the milestones, resources, and participants who will perform the work; and track the progress in a live reporting environment. REMEDIATION CENTER provides the ability to remediate issues discovered during the use of COMPLIANCE CENTER that are considered to be immediately unacceptable to the organization – and to make these remediation decisions on the basis of actual and projected losses.


Committed to Your Success

NEMEA's product offerings are constantly being upgraded and expanded to meet the needs of the most demanding governance program. To that end, NEMEA is developing two new products: NEMEA RISK Center® and NEMEA AUDIT Center®. NEMEA RISK Center® is designed to help organizations understand and manage risk. Making informed decisions about risk and its potential impact on business and performance is critical. RISK Center features tools to construct a risk profile that supports business efforts; align risk perspectives across all departments; organize risk mitigation strategies; assess current requirements, capabilities, and vulnerabilities; monitor the risk management processes; and establish links between compliance and risk. NEMEA AUDIT Center® is an automated, on-demand software tool designed to streamline the auditing process. AUDIT Center provides the ability to shorten audit cycle time, gain control of compliance efforts, reduce costs and time to implement changes, shorten the compliance survey cycle time, and enhance reporting to the board.

Highest Levels of Availability, Reliability and Security

NEMEA is committed to providing the highest levels of availability, reliability, and security. To this end, NEMEA partnered with Equinix to establish two data centers, both managed and operated through a contractual arrangement with Equinix data centers and mindSHIFT data center services. These Equinix facilities, located in the mid-Atlantic and mid-West, provide a secure platform for the reliable deployment of NEMEA’s GRC applications as well as the highest level of physical security, power availability, and infrastructure flexibility. Because NEMEA understands that security requires constant vigilance, it engaged mindSHIFT to provide technology peace of mind by delivering premier IT infrastructure