Leveraging a Maturity Model to Achieve “Proactive Compliance”
Proactive compliance calls for deploying the right mix of tools and resources needed to deliver secure, high-quality IT services. From a compliance and audit perspective, a more secure environment lets an organization anticipate and plan for compliance and audit needs well in advance, resulting in minimal or no audit deficiencies. From a business perspective, the net result is better availability of the systems and data needed to run the business.
Shifting an organization's compliance mindset from reactive to proactive is no small challenge. This paper examines how organizations can use a Capability Maturity Model to help drive that change. It explores how an organization can move from the lower levels of the model, where the focus is typically on process alignment and on mechanisms for assessing risk, to the higher levels, where the needs of Compliance Managers and CISOs converge in a joint focus on data and system availability. Guidelines are provided for the kinds of solutions that can be put in place at each stage of the maturity model in order to meet compliance requirements while achieving operational excellence. The paper draws on recent research from the IT Policy Compliance Group to examine the benefits of such operational excellence. Finally, it highlights how one Fortune 500 company realized significant cost savings in audit scoping, preparation and testing as it moved toward a truly proactive approach to compliance.