Making sense of the maze

With Adrian Bowles, Ph.D., Program Director, Regulatory Compliance, Object Management Group. The OMG Regulatory Compliance Alliance (ORCA) recently began a project known as Compliance GRID or Global Regulatory Information Database.

Question: What motivated the project?

Bowles: Over the past several years, clients from global firms kept asking similar questions. They were all variations on the theme "If my firm operates different types of businesses in multiple countries, how do I keep up with which rules apply to me, and how do I know what other people are doing to comply?" My thought was that the combination of a global repository for rules, combined with standards for modeling the rules to facilitate analysis of their IT impact, would enable automated answers to these questions. As a result, the OMG launched a regulatory compliance SIG last April to develop the modeling standards, and I began work on the basic model for an open repository while talking to prospective sponsors who would benefit from having access to this type of resource. IBM Global Services signed on as our first sponsor in December, and now we have a team working on development of the C-GRID. Of course, we're open to additional sponsors and actively seeking volunteers to contribute information, which we'll vet internally before posting.

More information on regulatory compliance Get tips for complying with multiple regulations and contending with conflicts Learn how to comply with Sarbanes-Oxley's evolving demands in SOX Security School

Question: Media coverage has mentioned the database will help customers resolve conflicts between regulations in different geographic markets. How will that be accomplished?

Bowles: When the C-GRID is released, users will be able to identify which rules apply to them and manually review the descriptions of IT requirements to detect conflicts. Ultimately, we expect this process to become automated by tool vendors who use the C-GRID and emerging OMG standards for regulatory modeling. This will enable a generation of compliance tools far more powerful than anything on the market today.

Question: Do you have a timeline for release? Are there mechanisms in place to update or modify the data when the need arises?

Bowles: We plan a first release, focused on financial services rules in 23 countries, in Q3. After that we'll tackle other vertical markets such as pharma and energy. We will continue to use a combination of volunteer resources, partners and internal staff to monitor changes that necessitate updates to the C-GRID.

This 3 Questions originally appeared in a weekly report from IT Business Edge.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Sarbanes-Oxley Act Information security book excerpts and reviews RSA attendees see data classification, rights management projects stumble Hannaford breach illustrates dangerous compliance mentality PCI compliance drives identity management spending, says IBM's GRC chief How to conduct an efficient and thorough employee access review. IBM to boost security spending, push PCI DSS program What types of software can help a company perform a security risk assessment? Industry group uses awareness month to lobby for data breach laws Code Green pitches data protection for SMBs Report: Companies still stumped by PCI DSS Sarbanes-Oxley Act Research FISMA Learn from NIST: Best practices in security program management At RSA, feds seek help to close widening cybersecurity gaps House legislators rip Bush's Cyber Initiative plan Industry group uses awareness month to lobby for data breach laws TJX should have had stronger Wi-Fi encryption, say Canadian officials Data breaches, compliance drive intellectual property protection HP targets energy compliance with appliance Private sector should learn from government insecurity Feds get average FISMA grade View Point FISMA Research Gramm-Leach-Bliley Act (GLBA) The road to compliance IBM to boost security spending, push PCI DSS program ISO 27001 could bridge the regulatory divide, expert says Policies and regulatory compliance Where hard drives go to die, or do they? Compliance guide for managers: Lessons learned and best decisions Become compliant -- without breaking the bank Compliance Guide for Managers CSOs seek regulatory sanity in 2006 Separating fact from fiction: Security technologies for regulatory compliance Gramm-Leach-Bliley Act (GLBA) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Federal Information Security Management Act  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary