S 2.439 Design and organisation of compliance management
Initiation responsibility: Top Management
Implementation responsibility: Compliance Manager, Top Management
Typically, the overviews of requirements that exist in an organisation are kept by its individual units, each covering only what is relevant to that unit and its business processes. These are not always formalised overviews; often they consist of individual pieces of information in different structures and of the knowledge of experts. Owing to the complexity of many business processes and organisational structures, and to the growing diversity of specifications arising from international collaboration, this can quickly result in a large number of different requirements.
It therefore makes sense to compile the existing knowledge about the various statutory, contractual, and other provisions and to complement it where required. For this, responsible persons must be appointed and their tasks in the field of compliance management must be specified. The corresponding role is often referred to as "Compliance Manager". Depending on the type and size of the organisation, it may be necessary to appoint one or more Compliance Managers.
In some companies, the term "Compliance Manager" denotes a single central role for the entire organisation. Unless other regulations require it, a new position does not have to be created for this: the task may, for example, be assumed by security management, internal auditing, controlling, or the legal advisors.
Appointing a central Compliance Manager has the advantage that he/she has an overview of the entire organisation, so that duplicated work and conflicting requirements can be identified and avoided at an early stage. On the other hand, several Compliance Managers in different organisational units are usually better able to satisfy the needs of the target groups they are responsible for. In the following, the Compliance Manager role is referred to in the singular for better readability.
The tasks of a Compliance Manager (for the units he/she is responsible for) include:
- identifying and documenting all statutory, contractual, and other provisions to be taken into consideration for the essential business processes and information, as well as for the operation of IT systems and the related physical infrastructure (see S 2.340 Consideration of legal framework conditions);
- documenting the requirements in a structured manner, and merging and consolidating the requirements collected from the different units;
- appointing persons in charge of meeting each identified requirement and of implementing appropriate safeguards; the Compliance Manager should check at regular intervals whether the safeguards implemented are suitable for meeting the requirements;
- interpreting the requirements and translating them to the circumstances of the respective organisation where necessary; this is frequently required, because most laws and provisions formulate objectives and expectations rather than the specific design of their implementation;
- documenting, for every requirement, the target group that requests or checks compliance with it. Each kind of requirement mentioned above is associated with such a target group, and recording it when the requirement is identified makes it possible to satisfy its needs and saves extensive adaptation work later. For statutory requirements, for example, it makes sense to document which authority (e.g. which regulatory authority) checks compliance and in which form the information must be prepared for it.
The following table contains some examples:
Requirements | Target group | Responsible Compliance Manager
---|---|---
Data protection laws | Data protection supervisory authority | Data Protection Officer of the government agency or company
Employment law | Personnel representative | Human Resources
Criminal law | Criminal prosecution authorities | Legal advisors / in-house lawyer
Agreements | Service providers / customers | Purchasing / Sales
Other requirements | Cooperation partners | Specialised department
Table: Assignment of requirements to target groups and Compliance Managers
Working with security management
Information security must be taken into consideration, directly or indirectly, in nearly all fields of requirements, yet the IT Security Officer acts as Compliance Manager only in a few cases. Therefore, the Compliance Manager and the IT Security Officer must cooperate regularly: on the one hand to integrate the security requirements of the different units into compliance management, and on the other hand to translate the requirements identified as security-relevant into security safeguards and to check their implementation.
Security requirements result primarily from the interpretation of general legal provisions, sometimes from special laws, and from activity- or industry-specific specifications governing the security of certain systems, services, or activities. In addition, there are obligations under civil law whose (non-accidental) violation may result in liability for the person in charge. Examples include the following:
- data protection laws
- Corporate Sector Supervision and Transparency Act (CSA, KonTraG)
- copyright law
- contracts, general terms and conditions of business, etc.
- license management
The requirements identified as security-relevant are typically incorporated when business processes, applications, and IT systems are planned and designed, or when new components are procured. Typical examples in the IT-Grundschutz Catalogues include safeguards such as S 2.419 Selection of suitable VPN products.
Review questions:
- Is there an overview of the statutory, contractual, or other provisions to be taken into consideration within the organisation?
- Is it ensured that the safeguards for meeting the specific requirements are implemented and appropriate?