
Automated Regulatory Compliance Mapping Solution

 
For organizations subject to more than one regulation or standard, mapping of compliance requirements to controls and assessment questions is a significant challenge. The problem is compounded by the fact that regulations and standards change over time, as do the controls that organizations use. Good governance requires that organizations maintain a current understanding of risks and compliance gaps. In order to do this, senior executives require current and actionable information on risk and compliance.

Developing and maintaining associations between specific regulatory requirements, standards, controls, and assessment questions requires significant effort, and is a costly part of the compliance challenge. For organizations that undertake compliance mapping using manual tools such as spreadsheets, with static, brittle two-dimensional matrices, changes to a single regulation mean having to change the mappings to all other regulations.


First-generation compliance software tools also suffer from this problem, and they can be expensive to implement and maintain as regulations, standards, controls, and assessment questions change. The compliance regulations, standards and frameworks that organizations measure themselves against are updated at different intervals. This can make the job of maintaining mappings seem never-ending. The mapping challenge is compounded by the fact that it doesn’t end with just mapping the regulations, standards, frameworks and requirements to controls. The only practical means of determining compliance is to develop assessment questionnaires that test the existence and maturity of the controls, so the mapping of these assessment questions must be maintained as well.



In addition, many organizations treat compliance as individual projects within organizational silos. This approach is inefficient, and results in a duplication of effort and unnecessary expense. A recent survey of CEOs of NYSE companies found that excessive compliance costs were the number one internal factor impacting profitability of their corporations.

Avior’s patent-pending ClearView solution provides a new automated approach to developing and maintaining dynamic compliance mappings. Provided as a Software as a Service (SaaS) application, ClearView delivers sophisticated analytics and data management to model compliance regulations and standards. ClearView helps organizations to understand their current risk and compliance status, enabling better governance.

ClearView provides an extensive set of controls with dynamic, automated and flexible mappings to the various regulations and standards. In addition, ClearView provides an extensive library of assessment questions and questionnaires that can be used to test the compliance status of controls. Avior maintains these dynamic mappings as compliance regulations and standards change so that your regulatory framework is always current.

ClearView groups the various data elements into Discrete Compliance Objectives (DCOs, patent-pending). These are logical groupings of related compliance requirements, controls, and assessment questions. For example, all requirements from all supported regulations dealing with business continuity are associated with the Business Continuity DCO. DCOs make it easier for compliance managers to find all controls and assessment questions related to their specific compliance mandates, and to select an efficient set of controls and assessment questions.

The Avior ClearView solution can help you to bridge organizational silos, and to develop a unified compliance process. With Avior ClearView and BenchMark, organizations can finally model policies and develop a standard set of controls and assessment questions. With this functionality, they can assess various parts of their organization and their key vendors once, while documenting and demonstrating compliance simultaneously to multiple regulations.

Consider a scenario where a financial organization must comply with GLBA, FFIEC guidelines, PCI DSS, and BITS SIG. Avior ClearView allows the creation of an optimized control set and associated assessment questions that test simultaneously for compliance with all of these regulations. From this one assessment, compliance “hot spot” views can dynamically be produced by any regulation, standard, framework, business unit, vendor class, risk category, etc. This is a management resource for actionable information on governance, risk and compliance.
 

AVIOR ClearView Automated Compliance Matrix
vs. other static mapping solutions



ClearView Data Management Functionality
Avior ClearView provides advanced querying, grouping, and reporting capabilities for regulations, standards, controls, and assessment questions. Data stored in ClearView may be accessed in a variety of ways, including by regulation or standard, and by Discrete Compliance Objective (DCO). Accessing the data by Discrete Compliance Objectives will enable the compliance manager to easily determine the optimal set of assessment questions. These data management capabilities allow the organization to Assess Once, Comply Many Times™:

  • Start by selecting the frameworks, standards, or regulations that concern you. ClearView has pre-generated questionnaires to provide the assessment coverage you require.
  • Alternately, start by selecting from the list of DCOs. ClearView provides all of the questions available, allowing you to select assessment questions from the list.
  • Or use free text queries searching the subject matter or assessment question pool. Use the search result set to generate custom questionnaires for a specific purpose.
  • Build custom questionnaires and associations

Avior ClearView is also extensible to allow the organization to create its own assessment questions and associated mapping.

Key Benefits:
The Avior ClearView solution delivers clear and compelling benefits to organizations affected by compliance regulations:

  • Eliminates duplication of effort in the compliance process - reduces costs for compliance mapping, and for the entire compliance process
  • Enables an “assess once, comply many times” compliance process
  • Provides a single, authoritative reference for all compliance regulations, controls, and assessment questions for the organization
  • Helps reduce costs from external auditors by providing a well-defined set of controls and assessment questions
  • Makes business owners’ lives easier, by eliminating overlapping and redundant assessments
  • Reduces the burden on businesses to maintain mappings as regulations change—the ClearView service does this for you

Avior ClearView provides a cost-effective way to organize your regulatory compliance program. By eliminating much of the cost of developing and maintaining mappings between regulations, standards, frameworks, and specific controls and assessment questions, Avior ClearView helps you to dramatically reduce the cost and aggravation associated with this Governance Risk and Compliance (GRC) function. Avior ClearView provides dynamic and automated mapping. Avior ClearView is the perfect complement to the Avior BenchMark compliance process management solution. In addition, Avior ClearView can easily be used with other 3rd-party GRC software products to greatly enhance their utility, and to finally deliver a superior ROI for your compliance program. Avior ClearView is built as a web service to facilitate easy integration into all application environments.


Discrete Compliance Objectives
Governance and Structure
Risk Assessment and Treatment
Security Policy
Organization of Information Security
Asset Management
Human Resource Security
Physical Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development, Maintenance
Information Security Incident Management
Business Continuity
Compliance


ClearView Enhances
Compliance Visibility