Simplest solution of achieving regulatory compliance

Team-

I happened to appear for an interview with one of the Big 4 firms today. I was asked, “If a Financial Client asks for the simplest solution of achieving regulatory compliance against likes of FFIC, PCI etc., what would be my approach?”

My answer- My approach then would be to request the client to procure a GRC solution maybe- probably an RSA archer or an Agiliance Risk Vision. Depending upon the inputs the tool would require (Type of industry, regulatory authorities that I want compliance against, etc.), the tool would populate a list of security controls (obviously eliminating the redundant controls common across these standards). The organization would then have to assign a Security Risk Assessor to do a gap analysis of all those controls by liaising with different departments across the organization, gather answers and then perform a risk assessment. Following that, the organization would need to develop a risk mitigating strategy for any risk that emanates out the RA, and for which the organization tolerance level is zero. Following that, the monitoring and continual improvement plans happen.

What do you think about this answer folks? Can you please suggest me a better answer?

Find more posts tagged with

Comments

powmia

Host, or use an app that is hosted, in a cloud environment that meets said regulatory compliance. The easiest way to get compliance is to have someone else do it for you. I'm willing to bet that's the answer they were looking for, it's what I would have wanted to hear.

soccarplayer29

Simplest way to regulatory compliance? Get rid of the regulations and shift to another industry/country/environment with no regulations.

But more seriously, probably outsource the regulatory responsibilities/risk by transferring operations to a third party for portions and having contractual requirements that align with required regulations. Your organization is still ultimately responsible of course and will still have large actions to take in ensuring compliance but that would probably be my response. In coordination with the organization doing their own due diligence and continuous monitoring, training, etc.

beads

If your a US based company your responsible for HIPAA, right? HIPAA is 80 percent of all your other regulatory burden - start there. All other regulations are based on the HIPAA standard of 1997, leaving the last and harder 20 percent left to comply with.

(*Shudder*) Almost 20 years now.

- b/eads

powmia

beads wrote: »

If your a US based company your responsible for HIPAA, right? HIPAA is 80 percent of all your other regulatory burden - start there. All other regulations are based on the HIPAA standard of 1997, leaving the last and harder 20 percent left to comply with.

(*Shudder*) Almost 20 years now.

- b/eads

OP was asked about financial clients. HIPAA is about medical records, which is why "Health" is in the acronym. I sure hope you don't get asked the same question in an interview.

TheFORCE

powmia wrote: »

OP was asked about financial clients. HIPAA is about medical records, which is why "Health" is in the acronym. I sure hope you don't get asked the same question in an interview.

Financial clients and financial entities need to comply with HIPAA also. you'd be surprised how many health records a financial entity has. Who do you think keep track of your insurance information in your company? Every big company now has a Health and Benefits department, you think those areas do not work with medical records?