Making sense of the maze

With Adrian Bowles, Ph.D., Program Director, Regulatory Compliance, Object Management Group. The OMG Regulatory Compliance Alliance (ORCA) recently began a project known as Compliance GRID or Global Regulatory Information Database.

Question: What motivated the project?

Bowles: Over the past several years, clients from global firms kept asking similar questions. They were all variations on the theme "If my firm operates different types of businesses in multiple countries, how do I keep up with which rules apply to me, and how do I know what other people are doing to comply?" My thought was that the combination of a global repository for rules, combined with standards for modeling the rules to facilitate analysis of their IT impact, would enable automated answers to these questions. As a result, the OMG launched a regulatory compliance SIG last April to develop the modeling standards, and I began work on the basic model for an open repository while talking to prospective sponsors who would benefit from having access to this type of resource. IBM Global Services signed on as our first sponsor in December, and now we have a team working on development of the C-GRID. Of course, we're open to additional sponsors and actively seeking volunteers to contribute information, which we'll vet internally before posting.

More information on regulatory compliance Get tips for complying with multiple regulations and contending with conflicts Learn how to comply with Sarbanes-Oxley's evolving demands in SOX Security School

Question: Media coverage has mentioned the database will help customers resolve conflicts between regulations in different geographic markets. How will that be accomplished?

Bowles: When the C-GRID is released, users will be able to identify which rules apply to them and manually review the descriptions of IT requirements to detect conflicts. Ultimately, we expect this process to become automated by tool vendors who use the C-GRID and emerging OMG standards for regulatory modeling. This will enable a generation of compliance tools far more powerful than anything on the market today.

Question: Do you have a timeline for release? Are there mechanisms in place to update or modify the data when the need arises?

Bowles: We plan a first release, focused on financial services rules in 23 countries, in Q3. After that we'll tackle other vertical markets such as pharma and energy. We will continue to use a combination of volunteer resources, partners and internal staff to monitor changes that necessitate updates to the C-GRID.

This 3 Questions originally appeared in a weekly report from IT Business Edge.

BROWSE BY TAG Security Audit, Compliance and Standards,   Sarbanes-Oxley Act,   FISMA,   Gramm-Leach-Bliley Act (GLBA),   HIPAA,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Sarbanes-Oxley Act SOX compliance burdens midmarket security teams Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management Information security book excerpts and reviews Internal audits for Sarbanes Oxley and internal IT support Internal auditors and CISOs mitigate similar risks Implement security and compliance in a risk management context Does password sharing in international branches violate SOX? Consensus Controls project aims to set benchmarks for compliance Security visualization helps make log files work The Little Black Book of Computer Security, 2nd Edition Sarbanes-Oxley Act Research FISMA GAO report cites government weaknesses, data leakage DHS fills National Cybersecurity Center post Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance White House cybersecurity czar faces major hurdles Feds should get private sector advice on cybersecurity ICE Act would create White House cybersecurity post Experts alarmed over U.S. electrical grid penetration Group identifies top 20 security controls to thwart cyberattacks FISMA compliance made easier with OpenFISMA FISMA Research Gramm-Leach-Bliley Act (GLBA) Implement security and compliance in a risk management context The road to compliance IBM to boost security spending, push PCI DSS program ISO 27001 could bridge the regulatory divide, expert says Policies and regulatory compliance Where hard drives go to die, or do they? Compliance guide for managers: Lessons learned and best decisions Become compliant -- without breaking the bank Compliance Guide for Managers CSOs seek regulatory sanity in 2006 Gramm-Leach-Bliley Act (GLBA) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Federal Information Security Management Act  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary