Telecoms: Evolving Compliance Programs to Outpace New Risks

Comments

2 comments

  • Jenna Thomas

    From Yvonne: "I would encourage the person to follow up on any red flags or (temporarily) bypassed controls as soon as possible to close gaps. OFAC is the only regulator I am aware of that has said it will be somewhat flexible due to the corona crisis. Which is to say, corona does not provide a defense to breach of law.

    So, let’s say, the bypass was restricted party screening.  The US company entered into a contract signed by Igor Sechin (an SDN) without identifying this in advance.  It is better to identify it after the fact than not at all.

    Also, unless the company wants to regularize a change in internal standards, the business may also struggle to pass an internal audit if a bypass in controls is not self-corrected."


  • Jenna Thomas

    From Steve: "The nature of the services (and contractual provisions) is going to be the main driver, which necessarily involves a case-by-case analysis.


    That said, when I look at the phrase "loosening of controls (e.g. data protection and home working)" my mind immediately goes to call center work / clean room work / etc. We have historically had a number of physical controls that we have had to revisit.

    I go back to the importance of rigor in decision-making, and having a seat at the table so that operational factors are not the sole drivers. The business is going to drive change quickly to meet their various objectives; thinking through compensating controls is not always top of mind, which is why it's beneficial to have good documentation of what is being changed, who the involved parties are, etc. From there, ethics/compliance can review to determine risk.

    For example, individuals who handle government-related data who normally work in highly secured environments likely should not simply be allowed to work from home with no additional protections in place. For other, less sensitive data, prospective protections may be less viable, so I would want to understand how we are monitoring and whether we have resourced that appropriately. And I'd want business owners who have direct accountability (and know they will be held accountable) for addressing the risks.

    Reframing in more actionable terms:
    • Catalogue - in a rigorous way, understand the nature of the changes that are being made, and the role of both the company and 3rd parties
    • Partner - make informed decisions about compensating controls, expectations for who is doing what work, how decisions will be operationalized, and document this (goes to Yvonne's audit point to establish the new baseline for auditing)
    • Communicate - make sure that the company and 3rd parties are aligned on what is happening operationally, and what expectations are for controls/monitoring/remediation
    • Track and Monitor - make sure implementation (both company and 3rd party) is sufficiently monitored/reported; expand where needed based on risk priorities
    • Determine Future State - have a defined plan for various permutations of how controls will be reassessed/reinstated in the future"