New technical case study: Creating a Systemized Approach to Regulatory Compliance at Microsoft

One of my favorite Microsoft sites to browse through is the IT Showcase by our own IT department (MS IT). On Friday, MS IT published a new download you might find useful, Creating a Systemized Approach to Regulatory Compliance at Microsoft, which contains two whitepapers on how Microsoft is streamlining regulatory compliance.

All companies face legal and regulatory challenges in information security, privacy, reliability, and business integrity. These often require major changes to systems and processes that can be expensive and time-consuming. To deal with the complexity of such compliance programs as SOX, HIPAA, and PCI, Microsoft needed to develop an overall regulatory compliance framework that could address current regulations as well as support future regulations. The goal was to create a long-term, holistic strategy for compliance rather than creating ad-hoc processes and tools to address specific requirements.

Microsoft ended up merging some regulatory controls across multiple compliance programs to avoid duplication of efforts, and created processes for ensuring accountability. These are some of the best practices identified in the two whitepapers:

  • Consider defining a dedicated program management role (and team, if required) that is solely focused on managing the regulatory compliance process across IT.
  • Define a hierarchy that is appropriate for your business; consider designing a model along existing business groups or units.
  • Carefully define documentation, remediation, and testing responsibilities at each level.
  • Confirm that your accountability model allows both granular responsibilities and roll-up reporting.
  • Ensure performance review commitments are in place for all regulatory roles. This gives individuals an incentive to take ownership of their regulatory responsibilities. Escalation is usually not needed when individuals are committed to upholding program milestones and deliverables. Make sure key executives—the IT Controller and CIO/VPs—communicate their personal commitment to overall regulatory governance.
  • Maximize the value of your external audit by having your regulatory compliance project management team and compliance governance group maintain an open and honest relationship with your auditor.

Be sure to read both whitepapers in this download for more best practices!

- Andrea Weiss