Regulatory Compliance Planning Guide

Section 3: Applied Example

Published: June 14, 2006

This topic provides a high-level overview of an applied example in which a company uses the Regulatory Compliance Planning Guide to better understand the processes involved in addressing regulatory compliance. The company also recognizes the benefits of using the sample control framework in the guide as an abstraction layer to define the different regulations and standards, and then to determine and prioritize which technology solutions will help the company meet its regulatory compliance obligations.

Woodgrove National Bank is a financial organization with 5,000 employees that maintains its headquarters in New York. The bank is publicly traded and listed on the NYSE, and like many other financial organizations in the U.S., the bank must comply with regulations specific to the Sarbanes-Oxley Act.

Furthermore, management at the bank must also adhere to HIPAA regulations for medical and dental benefits that the bank offers its employees, and to GLBA directives because the bank is in the financial services industry.

To meet these regulatory compliance objectives, management has asked Haven Ford, the lead IT Manager for the bank, to ensure that the company's IT department passes audits that are scheduled over the next calendar year.

Haven assumes these new responsibilities with two important goals in mind:

Achieve full compliance using IT controls whenever possible to address all of the regulations and standards that the bank currently faces.

Minimize the time and effect that the audits have on the bank's IT department, and achieve efficiencies wherever possible toward this end based on reliable IT controls.

To achieve these goals for the bank, Haven:

1. Meets with the bank's lawyers and auditors to discuss his goals and determine the best way forward.

2. Researches the Regulatory Compliance Planning Guide to determine which guidance can most readily assist him in meeting the regulatory compliance objectives for the bank.

3. Determines that a framework-based approach is good for his organization.

4. Consults Table 1.0, "Major Regulations and Standards Map to Control Categories," in this section to better understand the control categories that apply to the bank, specifically the columns in the table that contain references to SOX, HIPAA, and GLBA. In this example, Haven notes from the table that all three regulations that apply to Woodgrove National Bank require the Security Management and Administration control category.

5. Consults Table 1.1, "Control Categories Mapped to Technology Solutions," in this section to determine any new technologies that the bank needs to focus on. Referring to this table, Haven sees that Identity Management is a technology solution category that can help with the Security Management and Administration control category.

6. Researches specific technologies in Technology Solutions for Regulatory Compliance to understand which technologies can help his team address the remaining control objectives for the bank. Haven refers to the Identity Management Solutions section for technologies that can help him improve controls for identity management and user creation for the bank. He is particularly interested in the Identity and Access Management Series of papers that the Identity Management Solutions section references. After some research, Haven decides that the guidance provided in this series would be an excellent solution for the bank's IT environment.

7. Discusses his ideas with the bank's lawyers and auditors, who help tailor his proposed plan to the bank's unique compliance needs and obligations.

8. Finalizes a plan for his team that incorporates the technology solutions on which it will focus this year to address the remaining control categories, and develops a strategy to implement them. After the plan has been reviewed and approved by the bank's lawyers and auditors, Haven allocates some of his budget to implement identity management infrastructure software at the bank.

9. Executes the finalized plan with his team.

The last topic in this section provides a Summary that reiterates the main points of this portion of the guide.
