Compliance Challenges for organizations contracting with the Federal Government
Robert Klotz, VP of Technology at Akibia

Upload: sharlene-long

Post on 18-Jan-2018

DESCRIPTION

What is the Goal of Compliance?
• To protect the rights of the individual
• To protect and secure PII (Personally Identifiable Information)
• To instill confidence in the consumer
• To educate the market on the need for controls

TRANSCRIPT

Statistics

Today
• 200 Mandates and Regulatory laws
  • 80 in the states and territories alone
  • 119 federal
  • 1 corporate
• 2500+ controls
• 85% overlap
• Most have monetary fines
• ALL have disclosure requirements

Tomorrow
• Growing at a rate of 10% per year
• Mandates and regulations often change

Most applicable to this group

The state and territorial mandates where we are doing business (49)

Alaska, Arizona, Alabama, Arkansas, California, Colorado, Connecticut, Delaware, Virgin Islands, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Washington, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, West Virginia, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oklahoma, Oregon, Wisconsin, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Wyoming

Why is it not Working?

Companies focus on the check box rather than the foundation

Companies manage compliance as a project rather than a process

Companies are knee-jerk in how they approach compliance

Compliance is often driven at the wrong levels within the organization

Compliance has become a hindrance to doing business

How do we do that?

Next Steps
• Identify the risk of NOT doing things to satisfy compliance
• Create a GAP of where you are and where you need to be to satisfy cross compliance
• Monitor and document where you are throughout the year
• At a bare minimum assign an individual within the company to stay on top of this process
• Educate
• Enforce
• Utilize a 3rd party where possible

How do we do that?

Ongoing
• Identify change
  • Regulatory
  • Business
• Assess the GAPS
• Simplify process
• Identify overlap
• Deliver ongoing training
• Repeat

A Model of success

[Figure: Governance, Risk, and Compliance Methodology. Axes: RISK, TIME. Stages: Discover, Monitor, Educate, Enforce. Labels: Sensitive Data, User Activity, End Users, Policy and Security; Understand Risk; Reduce Risk.]

In Summary

• Start with what you are doing today
• Compliance seems daunting but it's not if you incorporate it as a process
• Compliance mandates continue to grow and change
• Compliance was designed to make sure companies are taking care of PII
• Compliance boils down to risk for the business
• Create a sustainable, repeatable process across compliance mandates which becomes a part of doing business
• Follow: DISCOVER, MONITOR, EDUCATE, ENFORCE