Description

Compliance denotes a (generally) mandatory conformance to specified rules framed by institutions such as businesses, governments, accredited standards bodies and industry groups. From a technology perspective, compliance is applicable to technology enabled business processes and the underlying technology itself.

The most important use of compliance is as a risk mitigation technique where non-conformance can result in serious human, environmental, societal or economic loss. Losses from non-compliance can have impact widespread impact to a business or industry, in some cases globally. Compliance has a positive implication where adherence signifies high quality of a business and its products. Compliance is generally governed through risk management, quality controls and audits and as such, perceived as a “cost of doing business”.

Overview

Architects play an important role in advising business on meeting compliance needs through technology as well as making the right investments to ensure a “business compliant” architecture. Compliance knowledge denotes an understanding and mitigation of regulatory impacts to the organization and the design/solution being deployed, including audits, certifications, licensing, and general industry regulation types. The IT architect is expected to be “compliance aware” in business and technology dimensions and have the ability to articulate the regulatory requirements that drive design elements, including regulation, governance, legal and other binding corporate agreements.

For business process compliance, architects focus on technology enablement to better meet compliance requirements such as information capture, measurement and reporting needs for internal and external stakeholders e.g. reporting to government regulatory agencies. Conversely, they also have to ensure that technology enablement does not compromise any compliance requirements e.g. protection of personal and financial information. IT architects should work with business architects and business SMEs to identify compliance needs related to architecture layers such as user interface, information access, storage and reporting. Technology compliance means that the underlying technology adheres to norms for inter-operability and quality requirements e.g. manufacturing processes and interfaces between software and hardware products. Information and infrastructure compliance are two primary facets of technology that are governed under regulatory and legal laws. Information and infrastructure architects should play a key role to ensure compliance needs are identified and implemented as a critical use case of a technology solution.

As compliance is an on-going activity and perceived as cost of doing business, architects should also try to add value by scanning technology trends that will facilitate compliance e.g. leveraging self-aware or closed loop feedback systems, or implementing compliance monitoring and reporting solutions.

A key challenge for architects is to ensure that all facets of compliance are implemented and working as planned in the technology portfolio. Another challenge is lack of awareness of the risks introduced by non-compliant technology solutions. Compliance may get compromised due to improper planning or awareness and occasionally, by implicit behaviors allowing non-compliance (as a cost of doing business). Architects should be well aware of threats and consequences of non-compliance and should advocate uses of governance frameworks such as COBIT as well as audits which allow explicit management of technology compliance in an organization.

Best Practices

  • Addressing compliance needs in the Enterprise Architecture and setting up compliance standards.
  • Compliance verification as part of architecture review process.
  • Usage of industry recognized standards and frameworks in architecture e.g. ISO.
  • Auditing for compliance internally and by third party.
  • Using enterprise governance frameworks as COBIT.
  • Persistently making compliance a business driven activity.
  • Business sponsorship and investments for compliance.

Sub-Capabilities

Compliance Review

Compliance Review is an independent assessment of the conformity of any activity, process, deliverable, product or service to the criteria of specified standards, such as ISO 27001, local standards, best practice, or other documented requirements. Compliance review is generally a periodic activity which is conducted by internal independent audit functions and third parties. Compliance review is initiated via a baseline and certification process conducted by an accredited and independent third party, with on-going audits and reviews to verify continued compliance.

Iasa Certification Level Learning Objective
CITA- Foundation
  • Learner will be able to define architecture requirements for compliance
  • Learner will be able to classify compliance categories – corporate, statutory, regulatory, legal etc.
  • Learner will be aware of compliance standards and frameworks applicable for IT e.g. ISO 27001, COBIT
  • Learner will be able to participate in compliance reviews
CITA – Associate
  • Learner will be able explain business compliance requirements for their organization or industry.
  • Learner will be able to conduct compliance reviews and certify conformance of existing solutions.
  • Learner will be able to define architecture strategies for compliance.
CITA – Specialist
  • Learner will be familiar with compliance requirements for their area of specialization (business, information, infrastructure or software).
  • Learner will be familiar with industry, regional and international standards for compliance.
  • Learner will be able to conduct compliance reviews and certify for compliance.
CITA – Professional
  • Learner will be able to conduct compliance reviews for the Enterprise Architecture.
  • Learner will be an expert in one or more compliance frameworks relevant to their specialization and industry.
  • Learner will be able to lead compliance review and certification for the enterprise.

Technology Audit

Technology audit is a structured analysis of the risks to achievement of business objectives, including the risk that the organization fails to make effective use of new technology to improve delivery and internal effectiveness.

Iasa Certification Level Learning Objective
CITA- Foundation
  • Learner will be able to classify different categories of a technology audit.
  • Learner will be able to identify audit requirements for conformance to business compliance needs.
CITA – Associate
  • Learner will be able to model compliance needs for target architecture.
  • Learner will be able to certify compliance as well as identify risks for a project or line of business within an enterprise.
CITA – Specialist
  • Learner will be able an expert in audit requirements for their area of specialization (Business, Software, Information or Infrastructure).
  • Learner will be able to lead audits, certify compliance as well as risks and mitigation plan for non-compliance.
  • Learner will be able to lead technology audit for the enterprise.
  • Learner will be able to audit for compliance to industry frameworks and standards.
  • Learner will be able to design compliance strategies and risk mitigation strategies for the enterprise.
  • Learner will be able to design audit compliance through enterprise architecture.

Information Assurance

Information assurance covers setting high-level strategy and policy to ensure stakeholder confidence that risk to the integrity of information in storage and transit is managed pragmatically, appropriately and in a cost effective manner.

Iasa Certification Level Learning Objective
CITA- Foundation
  • Learner will be able to identify common standards and regulations that govern information assurance.
  • Learner will be able to identify information assurance requirements and relevant solutions for compliance at a project level.
CITA – Associate
  • Learner will be familiar with implicit and explicit information assurance requirements of the business and industry.
  • Learner will be able to identify implicit requirements and relevant solutions for information assurance based on common standards and regulations.
CITA – Specialist
  • Learner will be an expert in information assurance requirements for their area of specialization (Business, Software, Information and Infrastructure).
  • Learner will be able to define and implement comprehensive information assurance strategy, including controls and governance for their area of specialization.
CITA – Professional
  • Learner will be an expert in information assurance requirements for the industry.
  • Learner will be able to define and implement comprehensive information assurance strategy for the enterprise, including information security and risk framework, solutions, controls, audits and governance for their area of specialization.
  • Learner will be able to define technology strategies that will enhance information assurance for the enterprise.

Related Capabilities

Resources

Capabilities Definitions can be found at IASA ITABoK Definitions and IASA – Business Technology Strategy Course Curriculum.

The following external references have additional information on the subject of Compliance

  • Information Technology Governance – isaca.org

The following external references have list common standards and directories for industry specific compliance

Books

  • Auditing IT Infrastructures For Compliance (Information Systems Security & Assurance) by Martin Weiss(Author), Michael G. Solomon ISBN-13: 978-0763791810ISBN-10: 0763791814
  • IT Compliance and Controls: Best Practices for Implementation by James J. DeLuccia IV ISBN-13: 978-0470145012 ISBN-10: 0470145013

The Governance, Risk, and Compliance Handbook: Technology, Finance, Environmental, and International Guidance and Best Practices by Anthony Tarantino ISBN-13: 978-0470095898 ISBN-10: 047009589X

Author

maya_moreMaya More
AVP – Enterprise Architecture Center of Excellence

Maya More is an IASA member and CITA-Foundation certified architect having over 19 years experience in business technology consulting, enterprise architecture and technology implementation. She has worked with global businesses in multiple countries and industries such as insurance, healthcare and oil & gas. She currently works as Architecture and Technology SME for a leading oil & gas corporation in India.