Wednesday, November 30, 2011

CORPORATE COMPLIANCE ACTION PLAN

By John Kyriazoglou* (author’s credentials at the end of this document)

A compliance program refers to an organization's management plan for conducting all of its activities within the frameworks of law, rules and regulations.

It usually concerns:

(a) Identifying the laws, rules and regulations that apply to the activities of the organization,

(b) Identifying business areas where the activities of the organization are at risk of breaching these laws, rules and regulations,

(c) Establishing and executing systems, policies and procedures to try to avoid, prevent and protect against such breaches,

(d) Assigning specific compliance-related responsibilities to managers and professional staff and incorporating all compliance activities within the regular business operations of the organization,

(e) Changing behavior of all participants (board, managers, staff, external parties, etc.) through communication, education, training and coaching where this is necessary,

(f) Monitoring and reporting all compliance-related issues, and

(g) Reviewing, auditing and improving the whole compliance program and effort.

This compliance program could be implemented by a compliance action plan as follows:

The conceptual model that may be used for crafting the compliance action plan and ensuring its completeness, to the best and practical way possible, is the ADDIE Model, which is the acronym for analysis, design, development, implementation and evaluation, and its corresponding phases. This model (see, for more details: http://en.wikipedia.org/wiki/ADDIE_Model) gives us, from a practical perspective, an added level of confidence that we have not forgotten any phases in developing and implementing a compliance program.
Phase 1: Analysis of Compliance Requirements and Needs

The objective of this phase is to analyze the compliance requirements and needs impacting the organization and prepare it to manage its activities and operations in a compliance-effective environment. The actions required to be executed to complete this phase are:

Action 1: Carry out the analysis of the compliance landscape of the organization and the statutes, laws and regulations affecting all functions of the business the organization is involved in and the countries or states (provinces) it operates in.

Action 2: Define the constituent elements required by the specific organization in terms of funds, people, management structure, policies, systems, procedures, documentation, facilities, techniques, methods and tools to be effectively employed to carry out and implement the whole compliance process.   

Action 3: Collect all compliance rules, regulations and standards affecting the organization.

Action 4: Carry out the analysis of the communication and training aspects and the readiness of the organization regarding compliance.

Action 5: Submit a report to the board of the analysis that includes a budget for the compliance process, and obtain approval and funds from the board for designing, development and operating a compliance program for the organization.
Phase 2: Design of the Compliance Function of the Organization

The objective of this phase is to design and set up an effective compliance program and a compliance officer and often a compliance committee who are responsible for collecting all relevant rules, regulations and standards applicable to the organization, organizing, developing, operating and monitoring the compliance program. The compliance officer and compliance committee must report directly to the organization’s governing body, and CEO, periodically and on an as-needed basis. The compliance officer must oversee the program, including making revisions as the company’s needs change, coordinating and participating in training and education for employees, independently investigating compliance matters and ensuring that any necessary corrective action is taken. The actions required to be executed to complete this phase are:

Action 1: Design the duties, roles and responsibilities of a Compliance Officer.

Action 2: Design the responsibilities of a Compliance Committee.

Action 3: Appoint the Compliance Officer.

Action 4: Establish the Compliance Committee.

Action 5: Design and issue a first draft of the Compliance Strategy and Program.

Action 6: Design, if required, the specifications of a computerized system to support the compliance process of the organization.

Action 7: Submit a report to the board of the design phase, making any required changes to the initial budget, and obtain approval and funds from the board for the execution of the next phase.
Phase 3: Development of Compliance Policies and Procedures

The objective of this phase is to carry out the development and distribution, by the compliance officer, of written compliance standards, systems, policies, procedures and practices to guide the organization and its employees on a day-to-day basis. These should include a code of conduct detailing the fundamental principles, values and framework for action within the organization, general corporate policies and procedures, a summary of critical laws, regulations and standards, and specific provisions for various administrative, production, customer service, sales, marketing, financial, information technology and other business functions within the organization, including any regulations that may apply to business units in other national jurisdictions. These should be easily understood by, and posted and communicated to, all affected employees, as well as participants in the activities of the organization. The actions required to be executed to complete this phase are:

Action 1: Develop and finalize the Compliance Program.

Action 2: Develop the corporate compliance policies, procedures, codes of conduct and the compliance records maintenance and retention system of the organization.

Action 3: Develop or obtain a ready-made software system, if required, to support the compliance process of the organization.

Action 4: Obtain board approval of all corporate compliance policies, procedures and codes of conduct.

Action 5: Distribute all compliance policies, procedures and codes of conduct to all staff and managers.

Action 6: Develop the compliance communication procedures.

Action 7: Develop the education and training plan and procedures for all compliance issues.

Phase 4: Implementation of the Compliance Program

The objective of this phase is to fully implement the compliance program. It may not be enough to appoint a compliance officer and committee, even if they are excellent in carrying out their duties and roles. The compliance officer must create and maintain effective lines of communication with all employees. This should include a process, such as a hotline or other reporting system, to encourage questions and complaints, and procedures to protect the confidentiality of reports and the anonymity of complainants and to protect employees against retaliation. The actions required to be executed to complete this phase are:

Action 1: Implement all Corporate Compliance Policies, Procedures, Compliance Codes of Conduct, as well as the compliance records maintenance and retention system.

Action 2: Implement, if required, the computerized system to support the compliance process of the organization.

Action 3: Run all awareness sessions with all business functions as regards the compliance policies and procedures of the organization.

Action 4: Implement the compliance reporting system, including a Hot Line for compliance issues.

Action 5: Execute the education and training plan for all compliance issues.

Action 6: Link compliance to management and employee performance.

Action 7: Enforce compliance standards through well-publicized disciplinary guidelines.

Phase 5: Evaluation and Improvement of the Compliance Program

The objective of this phase is to assess the effectiveness of the Compliance Program of the organization. The compliance program must be evaluated periodically to assess its effectiveness as a whole, including how it performs in practice to monitor the operations of the organization on a day-to-day basis. If the same problems recur time and time again, specific actions must be undertaken and compliance requirements and needs must be addressed. Compliance policies, standards and practices are only effective if they have the commitment of the management of the organization, are clearly written and communicated to staff, and are interpreted by a compliance officer with the proper skills, dexterities and experience. In the event of a regulatory investigation or potential breach, complete documentation of all aspects of the company’s compliance program is necessary to demonstrate the good faith of the company and the specific program’s effectiveness. The actions required to be executed to complete this phase are:

Action 1: Monitor the execution of all Corporate Compliance Policies and Procedures by the designated officer and committee of the organization.

Action 2: Request auditing of Corporate Compliance Policies and Procedures by internal audit.

Action 3: Review all Corporate Compliance Policies and Procedures by external auditors, including subject experts.

Action 4: Develop corrective actions and execute responses to detected offences.

Action 5: Evaluate the effectiveness of Corporate Compliance Policies and Procedures.

Action 6: Evaluate the effectiveness of the Compliance Program.

Action 7: Improve all Corporate Compliance Policies and Procedures and Compliance Program.
*Author’s Credentials

John Kyriazoglou, CICA, M.S., B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.

Blogs

Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/

Thursday, November 17, 2011

Free IT Audit Material (Worth £29.95)

Hi,

Please check out the following offer.

Buy Book (1) before the end of November 2011 and receive a comprehensive set of customisable IT audit programmes and checklists (the addendum to this book, Book 2) absolutely FREE - worth £29.95!

Book (1): 'IT Strategic & Operational Controls’

Author: John Kyriazoglou, Publisher: IT Governance Publishing

ISBN: 978-1-84928-061-7, Pages: 686, Format: Softcover, Date: 2 September 2010

Available at: www.itgovernance.co.uk/products/3066

For a full list of contents and a sample of what is contained in this book, please see: http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919

And follow to ‘Published Books/IT_CONTROLS_BOOK_Contents_Sample.PDF’.

Book (2): ‘Addendum to IT Strategic & Operational Controls’

ISBN 978-1-84928-075-4. www.itgovernance.co.uk/products/3143

This separate volume contains Customisable IT audit programmes and checklists in word format.

For a full list of contents and a sample of what is contained in this book,
And follow to ‘Published Books/IT_CONTROLS_BOOK_Contents_Sample.PDF’.

Please disregard this message if you have received it twice.
Thank you for your kind support.
Sincerely,
John Kyriazoglou
Sunday, November 13, 2011

INFORMATION SENSITIVITY POLICY

By John Kyriazoglou* (author’s credentials at the end of this document)

The primary objective of the Information Sensitivity Policy is to provide guidelines for the data classification issues of information collected and processed by information systems activities of an organization. This example may be used for educational purposes only and it should be amended to suit the particular organization’s legal and regulatory requirements and operating conditions, before it is put to effective use and is implemented in a real environment. The author assumes no responsibility whatsoever for the contents, suitability and accuracy of this policy.

An example of such a policy is described next.

Company ‘XYZ-Fictitious Enterprise Corporation’ Information Sensitivity Policy

1. Purpose

The Information Sensitivity Policy of ‘XYZ-Fictitious Enterprise Corporation’ (referred to as Company, from now on), is intended to help management and staff of a corporate entity determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of <Company Name> without proper authorization.

2. Coverage

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

3. Classification Definitions

All <Company> information is categorized into three main classifications: <Company> Public, <Company> Confidential and <Company> Restricted.

<Company> Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to <Company>.

<Company> Confidential contains all other information that is not public or restricted, such as information stored in computer files and network servers, telephone directories, general corporate information, personnel information, etc., which is, however, critical to the everyday activities of the company.

<Company> Restricted contains information that is more sensitive than other information, and should be protected in a more secure manner. This information includes: trade secrets, development programs, patents, copyrighted material, potential acquisition targets, and other information integral to the success of the company.

This classification, for all digital and non-digital information of the organization, should be carried out initially and reviewed and improved periodically by a management mechanism that includes: (a) Information Owners, (b) Information Systems Managers, and (c) Security Manager, with the support and advice of other corporate officers, such as data privacy officer, compliance officer, etc.

4. Encryption of Information

All <Company> Confidential and <Company> Restricted information should be encrypted in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex. Corporate guidelines on export controls on cryptography should be followed. For more details consult your manager and/or corporate legal services for further guidance.

5. Sensitivity Guidelines

The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels.

5.1. <Company> Public: This relates to general corporate information, some personnel and technical information of a generalized nature.

Access: This information should be allowed to <Company> employees, contractors, and people with a business need to know. All accesses to this type of information should be authorized and recorded.

Distribution: Internal distribution of this information within <Company> should be carried out by standard inter-office mail, approved electronic mail and electronic file transmission methods. Distribution of this information outside of <Company’s> internal mail should be carried out by national mail and other public or private carriers, approved electronic mail and electronic file transmission methods. If this information is distributed in an electronic way, it should be sent to only approved recipients.

Storage: This information should be protected from loss. All electronic transmissions should have individual access controls where possible and appropriate.

Disposal/Destruction: Special disposal bins should be used for outdated paper information. Electronic data should be expunged, cleared and erased with specialized devices. Media should be physically destroyed.
5.2. <Company> Confidential: Business, financial, technical, and most personnel information.

Access: This information should be allowed to <Company> employees, contractors, and people with signed non-disclosure agreements who have a business need to know. All accesses to this type of information should be authorized and recorded.

Distribution: Internal distribution of this information within <Company> should be carried out by standard inter-office mail, approved electronic mail and electronic file transmission methods. Distribution of this information outside of <Company’s> internal mail should be carried out by national mail and other public or private carriers, approved electronic mail and electronic file transmission methods. If this information is distributed in an electronic way, it should be sent to only approved recipients.

Storage: This information should be protected from loss. All electronic transmissions should have individual access controls.

Disposal/Destruction: Special disposal bins should be used for outdated paper information. Electronic data should be expunged, cleared and erased with specialized devices. Media should be physically destroyed. All these actions should be authorized, recorded and reported.
5.3. <Company> Restricted: Trade secrets & marketing, operational, personnel, financial, source program code, & technical information integral to the success of <Company Name>.

Access: This information should be allowed to <Company> staff with signed non-disclosure agreements who have a specific board authorization. All accesses to this type of information should be recorded and reported.

Distribution within <Company>: This information should be delivered directly to the approved recipient upon their signatures. All envelopes should be stamped confidential. Electronic file transmissions should not be allowed.

Distribution outside of <Company> internal mail: This information should be delivered directly, by approved private carriers, to the approved recipient upon their signatures. All envelopes should be stamped confidential. Electronic file transmissions should not be allowed.

Storage: Individual access controls to this information should be enforced for electronic information. Appropriate physical security measures should be used, and information should be encrypted and stored in a physically secured computer.

Disposal/Destruction: This information should be physically destroyed by paper shredders, and other specialized digital crunching devices. Digital media should be cleared and erased before disposal. All these actions should be authorized, recorded and reported.
6. Business Connections

Access to <Company> computers and information systems by business partners, competitors and unauthorized external personnel must be restricted so that, in the event of an attempt to access <Company> corporate information, the amount of information at risk is minimized. Connections may be set up to allow others (business partners, etc.) to see only what they need to see only when specifically authorized by the board. Unauthorized personnel should only have access to information classified as <Company> Public, upon recording their details and their needs for accessing this information. This involves setting up both applications and network configurations to allow access to only what is necessary. All these actions should be recorded and reported.
7. Penalties

The penalty for deliberate or inadvertent disclosure of any information by any staff member (management, board, professional staff, line employee, etc.) found to have violated this policy may include disciplinary action, up to and including termination of employment, possible civil and/or criminal prosecution to the full extent of the law.

8. Responsibility of Management

All <Company> personnel should use these guidelines in securing <Company> Restricted and <Company> Confidential information to the proper extent possible. All department heads are responsible for supervising the classification of all the information managed by their function. A register of such files should be maintained and reported to the senior management of the company. If a manager is not certain of the classification to be applied, he or she should contact a higher level of authority (such as the CEO, Ethics Committee, Compliance Committee, Compliance Officer, Legal Department, etc.), as specified by the internal controls policy and practices of the company.

9. Responsibility of Staff

If an employee is uncertain of the sensitivity of a particular piece of information, he or she should contact their manager. If an employee feels that their manager is not following these guidelines, he or she should contact a higher level of authority (such as the CEO, Compliance Committee, Ethics Office, Compliance Officer, Legal Department, etc.), as specified by the internal controls policy and practices of the company.

10. Responsibility of Compliance Officer

It is the responsibility of the compliance officer to provide guidance to all personnel on the use of these guidelines, and ensure that these guidelines are complied with. The compliance officer should also report to both the compliance committee and the board, on the basis of the company’s reporting standards, all compliance related activities.

*Author’s Credentials

John Kyriazoglou, CICA, M.S., B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.

Blogs

Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/

Saturday, November 12, 2011

PRIVACY OF INFORMATION POLICY
By John Kyriazoglou* (author’s credentials at the end of this document)

The primary objective of this Privacy of Information Policy is to provide general guidelines for the privacy issues of information activities (collection, use, disclosure, monitoring, etc.) of an organization. This example may be used for educational purposes only and it should be amended to suit the particular organization’s legal and regulatory requirements and operating conditions, before it is put to effective use and is implemented in a real environment. The author assumes no responsibility whatsoever for the contents, suitability and accuracy of this policy.
An example of such a policy is described next.

Company ‘XYZ-Fictitious Enterprise Corporation’ Privacy of Information Policy

1. Purpose of this policy
This policy explains how ‘XYZ-Fictitious Enterprise Corporation’ (hereby termed the company) may collect information about customers and use it in order to satisfy particular customer and regulatory requirements. It also outlines some of the security measures that the company is taking in order to protect data privacy and provide certain assurances on things that the company will not do.

2. Commitment
The Company considers the protection of the privacy of customer data to be of utmost importance and is committed to providing all customers with a personalized service that meets the requirements of the specific customers in a way that safeguards their privacy.

3. Opportunity to decline
When the company obtains personal information from you, or when you take a new service from the company, we will give you the opportunity to indicate if you do or do not (as applicable) wish to receive information from the company about other services or products.
Normally this will be done by way of a tick box on an application form or contract. You may revise the choice that you have made at any time by writing to the company informing us of the change.

4. Personal information collection
Some of the personal information the company holds about you may be sensitive personal data within the meaning of the Data Protection Act and other relevant laws. The company may collect personal information about you from a number of sources, including: (a) from you when you agree to take a service from us in which case this may include your personal and/or business contact details, (b) from you when you contact the company with an enquiry or in response to a communication from the company, in which case this may tell us something about your preferences, and (c) from publicly available sources.

5. Use of information
Information you provide to the company or the company holds about you may be used by the company to: (a) identify you when you make enquiries, (b) help administer, and contact you about improved administration of, any accounts, services and products provided by the company previously, now or in the future, (c) carry out marketing analysis and customer profiling and create statistical and testing information, (d) help the company to prevent and detect fraud or loss, and (e) contact you by any means (including mail, email, telephone, etc.) about other services and products offered by the company, and authorized selected partners.

6. Credit reference checks
The company, in some circumstances, may do certain credit checks with licensed credit reference agencies when you apply to take a service or product. If this is applicable, then it will be stated in the terms and conditions of doing business between you and the company.

7. Disclosure of information
The company may disclose information only where legitimately requested for legal or regulatory purposes, as part of legal proceedings or prospective legal proceedings.

8. Protection of information
The company maintains strict security measures and controls in order to protect personal information. This includes following certain administrative and security policies, procedures, and practices to check your identity when you telephone us, encrypting data on our websites, backing up data to offsite locations, etc., in order to ensure compliance with all applicable legal requirements.

9. Internet access
If you communicate with the company via the internet then we may occasionally use e-mail to contact you about our services and products. Please be aware that communications over the Internet, such as emails, are not secure unless they have been encrypted. The company cannot accept responsibility for any unauthorized access or loss of personal information that is beyond the company’s control. We may use "cookies" to monitor website user traffic patterns and site usage. You can normally alter the settings of your browser to prevent acceptance of cookies. However, rejecting cookies may affect your ability to use some of the products and/or services at the company’s web site.

10. Monitoring of communications
All Company communications with you (including phone conversations, emails, etc.) may be monitored and recorded by the company for security, quality assurance, legal, regulatory and training purposes.

*Author’s Credentials
John Kyriazoglou, CICA, M.S., B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.

Profiles
http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919
http://www.authorsden.com/jkyriazoglou
http://www.icttf.org/profile/johnkyriazoglou
http://www.blogger.com/profile/15482029934015594259

Blogs
Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/
Publications: http://johnkyriazoglou-works.blogspot.com/
Friday, November 4, 2011

IT CONTROLS BOOK-FREE MATERIAL

PLEASE SEE MY TWO IT CONTROLS BOOKS

BOOK (1): 'IT STRATEGIC AND OPERATIONAL CONTROLS’

Author: John Kyriazoglou, Publisher: IT Governance Publishing

ISBN: 978-1-84928-061-7, Pages: 686, Format: Softcover, Date: 2 September 2010

Available at:

PRINTED VERSION: www.itgovernance.co.uk/products/3066

E-BOOK FORMAT VERSION: www.itgovernance.co.uk/products/3067

These can also be purchased from other major world distributors (e.g. AMAZON, etc.) and bookstores in several countries (England, India, Switzerland, Canada, Australia, Japan, etc.).

For a FULL LIST of CONTENTS and a SAMPLE of what is contained in this book, please see: http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919

And follow to ‘Published Books/IT_CONTROLS_BOOK_Contents_Sample.PDF’.

Book Testimonial

'John Kyriazoglou has produced a book that is very thorough, useful and a good source of information on a complex subject area ... John Kyriazoglou has a wealth of experience in this area and he has shared this well with the wider community. His book is a welcome addition to the field.'

Rob Ratcliff, UKSMA Chair (2011)

BOOK (2): ‘ADDENDUM to IT STRATEGIC AND OPERATIONAL CONTROLS’

ISBN 978-1-84928-075-4. www.itgovernance.co.uk/products/3143

This separate volume contains Customisable IT audit programmes and checklists in word format.

For a FULL LIST of CONTENTS and a SAMPLE of what is contained in this book, please see: http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919

And follow to ‘Published Books/IT_CONTROLS_BOOK_Contents_Sample.PDF’.

PDF: ‘IT_CONTROLS_EXAM_MCQs’

This document contains 100 Multiple Choice Questions (and Answers) which are based on the book by John Kyriazoglou (‘IT STRATEGIC AND OPERATIONAL CONTROLS’, as described above) and is available, free of charge, as described next.


And follow to ‘Published Books/IT_CONTROLS_EXAM_MCQs.PDF’.