Compliance as a Service (CaaS) – Is it Possible?
Peter Coffee from Salesforce.com was recently quoted in the Australian edition of Computer Weekly talking about the prospect of Compliance as a Service (CaaS):
“There are composite solutions [to compliance issues]: build the application in the cloud using nothing but anonymous tokens to identify customers… but that is not trivially easy to do,” he said.
“Instead, compliance as a service may be offered where [the service provider] acts as an intermediate layer of your application that takes care of a variety of things. They could indemnify the customer against any issues around personally identifiable information crossing boundaries.”
Under such a compliance service, a service provider would accept the burden of knowing the rules, court precedents and regulations which are industry-specific, Coffee said.
CaaS would be a value-added service that would attract plenty of customers. But how real is the likelihood of this service being offered? There are a number of issues associated with the CaaS concept:
- You can’t outsource your responsibility: if you outsource any functions, it is still your responsibility to ensure your regulatory obligations are covered by the service provider.
- The AaaS (Anything as a Service) provider will most likely only cover a portion of the customer’s regulatory requirements and will have to be VERY specific about what is and is not covered.
- Most service providers currently put the “regulatory compliance” responsibility on the customer. One example of this is a hosting provider providing a copy of their SAS70 to their customers with the expectation that the customer will determine applicability and compliance.
- The current idea of AaaS focuses on lowering the cost to the end customer. Having the provider assume the liability for the customer’s regulatory requirements would add significantly to the cost structure.
- Although PCI, GLBA, SOX, and HIPAA have similar security requirements, not many companies have detailed knowledge of all these regulations. Other regulations and customer concerns cover more than just security risks.
- There are a number of regulations that change periodically, and most service providers do not have the time or staff to stay current.
- There is not a single auditor available who has the knowledge or authority to certify multiple compliance requirements.
- Unless vendors are responsible for executing or monitoring all transactions, it will be difficult for vendors to assume the responsibilities for someone else’s regulatory requirements.
The financial services industry (banks, credit unions, etc.) has been looking to outsource its regulatory requirements for some time. Being able to focus on your core business and pay a fee for others to focus on their own core competency makes good business sense. Except when it comes to regulatory compliance, your regulator will hold YOU responsible, no matter what kind of service level agreements you may have from your auditor. The current financial services companies that “outsourced” their compliance efforts have largely contracted with a firm to periodically perform a “pre-audit” to ensure they can pass the audit BEFORE the real auditor shows up. With the changing regulations on the horizon, the concept of “Compliance as a Service” is becoming more intriguing in the Financial Services sector.
Other industries are now facing these same challenges, especially the IaaS and SaaS providers. These providers can potentially have customers that have to abide by virtually any and all regulations. They do not have the resources or the culture of dealing with regulatory requirements and regulators. These vendors can start addressing these challenges by:
1. Taking an assessment of the controls currently operational in their organization.
2. Mapping these controls to the regulations their customers most frequently ask for (SOX, HIPAA, PCI, etc.).
3. Identifying missing controls required to satisfy the regulation.
4. Implementing the missing controls.
5. Having an auditor (ISO, PCI, CPA) issue a statement on the effectiveness of the controls.
6. Constructing a report illustrating controls by regulation to clearly show existing and potential clients that the AaaS provider meets their regulatory requirements.
After the AaaS vendor has confirmed that they know both their controls and the regulations their customers ask about most, they can then determine whether they can indeed offer CaaS to their customers.
Visage offers its own variation of CaaS. Although Visage works on behalf of its customers and is not responsible for the operation of their controls, Visage does offer a service that includes:
- Mapping current controls to regulations deemed appropriate by the customer
- Making recommendations to remediate problems and improve regulatory compliance
- Assisting in remediation or documentation activities
- Providing independent testing to ensure controls are working effectively
- Monitoring regulations for changes that may affect your control structure
Is CaaS impossible? Only if you expect to outsource your responsibility to a third party. Your regulator will ALWAYS hold your organization responsible.
About Visage Solutions – www.VisageSolutions.com
Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.