NOTE: Please excuse the format of this; it is from my speaking notes for the Public Technology Institute Fall 2019 CIO Leadership Forum. I was asked to speak, briefly, on IT compliance. I figured what the heck, make a blog post out of it.
Managing IT Compliance Policy and Privacy
IT Compliance can be an enabler and help you deliver better service to your customers. See if you still agree with me by the end of this chat.
QUESTION: When you hear the word "compliance" what is the first thing that pops into your brain?
Penalty. Internal Audit. Standards?
Government is the most highly regulated industry of all. Because we have the most lines of business, it stands to reason we will have the most compliance to worry about. And, because our funding is not our own, we have compliance efforts because we are just the stewards of the resources. Those are two of many reasons why compliance is important to us.
Consider as we go through these challenges whether a particular compliance activity is elective, or mandatory.
So I have three primary challenges for us to consider and some thoughts on how to handle them.
Support for IT Compliance Efforts
Part of the problem here is that the workforce and the government leaders you deal with don't understand the WHY of what you are trying to do with compliance. They get the WHAT and they get the HOW. Always start with why! And don't pull a mom on them and say things like "Because we have to…".
Most bureaucrats understand compliance in their own area. Talk to an accounting director about GFOA, GAAP standards and GASB. Tell them you can't meet a certain GASB standard and watch them pucker up.
The good news is that everyone in leadership is in charge of compliance with something. Leverage that! It can help move initiatives.
Example: the AUP (acceptable use policy) that everyone in my locality has to click through before they log on to the county network, mandated by Virginia elections infosec standards. It was important for county leaders to know it was a reaction to a compliance need, for elections. Put it in terms they can relate to, get out of your office and communicate it, use your personality, and they will support you whether it is an elective or mandatory compliance effort.
Compliance in a fast changing technology world
Compliance used to be simple before smartphones, clouds and distributed networks. As we have adopted technologies that have pushed the "edge" of computing out to the end user over lots of networks, compliance has become tougher. Distributed technologies were not created to enhance our ability to be compliant, just the opposite.
Compliance is one of those functions that you have to work into the culture of technology change. We all have a distinct culture for technology change. You might be averse to it and slow to adopt, or you might find value in being an early adopter. Either way, we consider a great number of aspects of the technologies when we look at them for adoption. Impact on data. Cost implications. Customer expectations. Education needs. Alignment with strategic plans.
QUESTION: Who takes care of IT compliance in your department?
If you don't have a name to answer that, or at least a group, you have a problem.
When we adopted Office 365 we reviewed the list of compliance standards; there were like 50 of them. I remember asking the question "How do we know that's all we need? What's missing?" It was crickets, no answer.
Make sure someone is in charge of understanding both the compliance side of the house and the technology changes, and have them advise you. In small shops that might just be you. Remember, this may be a good thing for you and drive adoption of new products. AirWatch was purchased by my locality primarily because we had a compliance need; now it drives a lot of efficiencies for us.
Tension: Compliance/Privacy and Openness/Transparency
I've always been fascinated by the yin and yang of privacy and transparency in government. Government is supposed to be very transparent with the way we conduct business and spend the money that is entrusted to us. At the same time we are supposed to protect the privacy of the uses of much of that money and exactly who it helps. How are we supposed to balance this? Think about it like this: for an individual piece of information (report, request, business transaction), what is the default level of openness? Two types of organizations:
Information closed/restricted by default - Open by exception (or need).
Information open/available by default - Closed by exception (or need).
QUESTION: Which are you? Do you start with yes and look for a reason to say no? Or do you start with no and ask to be convinced of a need?
My position in my IT department: calendars, SharePoint Online sites and meetings are all open by default. Make them private when you need to. I think we can all agree that government should be open and transparent while protecting the privacy of citizens. It is a lot easier to adopt "open by default" when you understand your compliance responsibilities and have addressed the first two concerns from above.
Compliance can be an enabler of IT initiatives and help you deliver better service.