With Network Frontiers’ Unified Compliance Framework, Honeywell maintains a manageable and consistent approach to governance, risk management, and compliance while measurably reducing the cost and complexity of adhering to regulatory demands.
A global enterprise has to juggle hundreds of demands to maintain regulatory compliance, including government regulations, industry standards, internal security policies, and best practices. Sometimes it feels like a futile effort, a race against an ever-rising tide as new rules are imposed by emerging economies while the old standards are continually under revision.
In many corporations, managing compliance has become a black hole that consumes vast amounts of money, time, and brainpower, the result of a well-intentioned effort to do the right thing as comprehensively as possible. The end result: isolated compliance projects scattered across the organization, an apparent inability to leverage compliance efforts across the board, and a continual round of audits from internal teams and outside experts to confirm that everything is being done correctly.
The team at Honeywell knew that there had to be a better way.
In 2007, Honeywell became the first company to deploy the Unified Compliance Framework (UCF), developed by Dorian Cougias, founder and lead analyst of Network Frontiers, with his research partner Marcelo Halpern of the international law firm Latham and Watkins. The UCF consists of Information Technology (IT) control data extracted from more than 500 international regulatory requirements, standards, and guidelines, harmonized into a single hierarchical framework. This structure lets organizations identify the controls that multiple regulatory bodies have in common, so that a business can fully leverage the compliance policies, processes, and tools that are already in place.
“Our first encounter with Network Frontiers was in 2006 at a conference where Dorian Cougias presented,” said John McClurg, Vice President of Global Security at Honeywell. “His topic, ‘Building a Harmonized Set of Minimum Security Standards’, was a total departure from the then-current way of creating security policy.”
At that time, security was driven by a more-is-better approach that involved creating policies to cover every possible scenario, from human resources to operational and physical security to compliance and risk management. Many businesses, including Honeywell, built policies around ISO 17799, a code of practice for information security management that lists a wide-ranging set of security controls that the IT department was expected to apply in accordance with business needs.
“Honeywell’s policy was comprehensive in covering the functional areas of security per ISO 17799. All policy statements were contained in a single, hard-to-manage document,” said McClurg. “The UCF helped Honeywell move from that ‘big book’ approach to a more sensible, modular system with individual policies and standards for each business department. Now, when regulations change only the affected module(s) need to be adjusted instead of the entire system.”
Information in the UCF includes links to the full text of regulations and standards, and best practices, as well as audit guidelines, all filterable at many levels. Individualized control lists, compiled from reviewing all overlapping controls in the regulations that an enterprise must comply with, can easily be created.
“Being able to clearly see the many commonalities that exist when this information is unified is a real eye-opener. It’s unfortunate that companies continue to waste time and money reinventing the compliance wheel each time a new rule is introduced or an old guideline is updated,” says Cougias. The UCF is integrated into Honeywell’s security policies worldwide and has also been adopted by the company’s global operations, audit, and physical security divisions.
Shortly after deploying the UCF, Honeywell shifted focus away from creating and adjusting policies from scratch to concentrating on compliance activities that add business value through improving operational decision making and strategic planning.
Enforcing compliance and getting buy-in from senior executives also became easier because the policies were grounded in laws and regulations rather than in best practices alone, and controls were linked directly to roles, assets, and other tangibles. The UCF also gave Honeywell the ability to create a master set of policies and standards that the various business groups could customize.
“Compliance, like data security, can be a very nebulous thing,” says Craig Isaacs, CEO of Network Frontiers. “With the UCF, compliance was transformed from being an IT decision to a legal obligation.”
Some adjustments were needed before the UCF could be deployed. Information was gathered from subject matter experts across Honeywell to create a single, streamlined system that standardizes compliance controls and governance across the organization and can be managed by the businesses.
“A unified approach allows you to connect to everyone, which is critical as companies will naturally create costly silos of information without centralized systems,” said Cougias. “But it is important to allow tailoring of controls and the controls documents at the local business level, so that divisions can adopt and adapt according to their needs. This works fine as long as any changes are clearly communicated.”
The UCF also gives internal and external auditors a well-defined scope for deciding which areas, cycles, functions, activities, systems, or other entities to audit. The UCF eases the audits themselves because users can trace each control back to the regulations it satisfies and show that they are adhering to them.
The Audits and Risk Management section has all of the controls necessary for establishing your internal audit and risk teams, conducting internal audits, and audit reporting. Governance methodologies are delivered through research guides, glossaries, policies, procedures, configuration standards, audit questionnaires, and other such tools.
The UCF also helps ensure that appropriate policies are established to safeguard activities tied to legal, regulatory, and contractual obligations. This approach allows integration with systems configuration management and change management plans, so that when key systems change, the associated policies and standards change with them.
Honeywell is currently tracking over 200 authority documents that affect the organization. As new laws and regulations are identified throughout the company, requests are submitted to be incorporated into the UCF. Typically a request from UCF enterprise customers will be integrated into the next quarterly release of the UCF.
“The UCF is wide open. It isn’t just a framework; it’s a network of people working together, adding, improving, testing, reviewing, cross-checking under the same managed process utilized by other mission critical open software and systems. This meeting of the best minds ultimately makes for the best possible product,” said Isaacs. “The UCF is constantly changing for the better, a continuing evolution that is great for Honeywell and for everyone else who is working with the UCF.”
Global Security, Honeywell
Honeywell is a Fortune 100 technology and manufacturing leader, focused on inventing and manufacturing breakthrough technologies in aerospace, homeland security, business and personal safety, and energy efficiency. Based in Morris Township, N.J., Honeywell employs approximately 122,000 employees worldwide and conducts business in more than 100 countries around the globe.