NEMEA Compliance Center - the most powerful survey creation, management, and reporting solution available. It intuitively collects responses, writes, and produces standardized regulatory compliance reports. In fact, it even supports the use of many different standards at once. Our compliance software has a fully featured user-interface that lets you rapidly compare the laws and regulations that govern your industry and business.

1. Governance and the Case
for Automating the
Compliance Cycle
Gary Swindon
3/20/2009
This NEMEA whitepaper discusses the relationship between two elements of the governance cycle,
compliance and remediation, and the need to automate the cycle in order to achieve continuous
compliance by enterprises at all levels. ©Copyright 2009 by NEMEA Security Services LLC all rights
reserved.

2. NEMEA Security Services, LLC
White Paper
Governance and the Case for Automating the Compliance Cycle
Any organization, enterprise or collection of likeminded individuals understands survival at some very
basic level; indeed, most conduct their affairs with this notion somewhere in their thinking. Those who
aspire to greater achievements as companies or governmental agencies and activities have looked for
years for a ‘silver bullet’ to protect and manage their processes, intellectual capital and other assets.
Sadly, like so many who refuse to tackle the difficult challenges presented by life; they failed in the quest
and will continue to fail because there is no single all encompassing solution to help an organization
stand out against their competition. Those who pay even the slightest attention to the changing
regulatory landscape should recognize that requirements are increasing and new regulations and
standards bring with them new enforcement penalties and other unpleasantness. Even organizations
that have been held up to the rest of the world as models of good process management sometimes fail
to understand the overarching importance of good governance built on solid compliance, remediation
and risk assessment. Nevertheless, what many have overlooked is that even the tone and tenor of the
regulations have changed. No longer written as proscriptive lists of do’s and don’ts they seek instead to
place the burden for compliance and the related decisions squarely on the shoulders of those who must
comply. Over the last twelve years or more, the Federal Government has mandated desired results
while moving toward allowing businesses to choose, enforce and document the processes that they
adopt. Interestingly enough, the Federal Government in the Executive Branch agencies has chosen to
voluntarily adhere to some of these regulations (HIPAA is a good example of voluntary compliance).
While Congress changed the method of constructing business regulatory legislation to a focus on
outcomes based actions that require a proactive stance on the part of the regulated, they also explicitly
recognized the need for regular compliance and risk assessments as the underpinnings of any actions
taken to reach compliance. That focus on outcomes represents an excellent first step in the process of
achieving the control that is the hallmark of a well governed enterprise.
At NEMEA we believe that governance has four core ideas or components, in order of priority they are:
compliance, remediation, risk and audit. Each of these components is essential to crafting a complete
governance effort (or strategy) on the part of an enterprise and its senior leadership. Although there
are some who argue that governance is already practiced by many organizations it is at best a process
beset by a lack of relevant current information upon which to base decision making. In every case
compliance must come first simply because of the far reaching consequences facing organizations that
would like to forget compliance or perform it only on an ‘as needed’ basis. More to the point, failing to
understand the compliance posture of the organization and dealing with it proactively is, at worst, a
recipe for failed intentions and at best, pure guesswork. Each step in the cycle builds on the previous
one; compliance assessments highlight remediation needs, the remediated weaknesses contribute to
the overall risk posture of the enterprise and the audit step is used to verify the adequacy and effect of
remediation efforts and the compliance program overall. Collectively these steps represent the
2

3. foundation for making informed business decisions regarding the expenditure of resources and the
commitment of the organization to long term, achievable goals. The true power of this governance
cycle is outlined in figure 1, below.
Figure 1
Governance Cycle
NEMEA believes that good governance confers a distinct advantage to those who practice it; their
organizations are proactive, compliance activities are ingrained in the day to day processes and
unpleasant surprises either in the form of audit results or weaknesses exploited by outside agencies are
kept to an absolute minimum. The organization’s senior leadership has the information that they need
to make informed decisions concerning the allocation of assets and being able to undertake new
initiatives to strengthen the position of the enterprise. Carried to the next logical step, truly well
governed organizations with good compliance programs ensure that middle managers and directors also
share in the information so that the quality of operating budget decisions can be enhanced in the day to
day efforts by the workforce. This idea is as relevant for governmental organizations as it is for business
at large because governmental agencies and offices must find better ways to provide services to the
3

4. constituents that they serve every day. Both need to become more resource efficient; governance can
help insure that that goal is achieved.
The Current Compliance Landscape
All of government and industry is more sensitive to security and compliance concerns, aware of the
topic, and to some extent more aware of their posture since the events of September 11, 2001. This is
especially true of those organizations that already had an appreciation of the need for sound compliance
management as a part of their existing business operations. There are several other factors that
contribute to a sharper focus on the need for better information on which to base investment decisions,
among them are: regulatory changes, especially those dealing with privacy, the cost of settlements
based on violations of regulations and policy, the impact of adverse publicity and press on the basic
trust relationship that exists between organizations, their existing customers, and the public in general,
and the need for competitive advantage in a given industry or endeavor. Without a solid understanding
of the need for compliance and how to manage and fix problems companies are reduced to making
potentially costly decisions on little relevant information.
Regulatory Changes: in the last 18 months the Federal Government has passed or updated landmark
laws dealing with several industries that were already burdened with the need for demonstrating good
compliance; the best known and publicized of these are: the major update to the FFIEC (Federal
Financial Institutions Examination Council) Examiners Handbook for banks and the Comptroller of the
Currency’s update of the Bank Secrecy/Anti Money Laundering rules. A new characteristic of these and
probably more laws to come is that the Congress has opened some of the laws to the states to set
enforcement standards, (there could be 50 different rules for compliance with GLBA). In addition, there
are unexpected requirements such as the mandate levied on industry to create new organizations and
force the hiring of new people such as Privacy and Compliance Officers. Congress has unexpectedly
extended laws that appeared at first glance to apply to only a part of an industry to that industry’s
business partners regardless of the line of business--as found in HIPAA (Health Insurance Portability and
Accountability Act). This is not a problem that is unique to industry, however, government agencies at
all levels must comply with the likes of FISMA (Federal Information Security Management Act), OMBs
POAM (Program Objectives and Milestones) requirements and NIST 800-53 Revision 2.
Settlement Costs: the press is replete with stories of companies and government agencies that ignored
rules because of the cost or convenience of implementation and then paid many times the cost to settle
lawsuits in order to get on with everyday business. Excellent examples come from the Healthcare
Industry; Kaiser-Permanente paid several million dollars to settle suits brought for releasing personal
health information on patients to a small group of email addresses. The cost of doing it right the first
time was less than $30K. Several of the larger care organizations have paid upwards of $10 million to as
much as several hundred million dollars to the Federal Government because of sloppy unaudited
business practices that would have cost the companies in question almost nothing in comparison to the
cost of settlement. The McDonalds Corporation lost a landmark suit to an elderly customer over
4

5. whether or not it is reasonable to expect coffee to be hot! (The initial award from the jury settlement
was more than two million dollars.) On the Federal side, the Veterans Administration permitted a
laptop containing the records of millions of Veterans to be stolen; they wound up paying for credit
monitoring services for people whose data was suspected of being compromised. The Department of
Energy experienced an incident where several disk drives containing nuclear program materials were
lost, or misplaced. There are many more examples in all industries; insurance carriers are very aware of
the situation and what they pay out every year for their client companies. Client companies are
becoming painfully aware of the cost of property and casualty insurance coverage. Costs are so high
that virtually every medium to large company is self-insuring for at least some of the risk that they carry
in doing business. As mentioned before the concomitant issue is that enterprises including government
agencies are making major policy decisions without critical information.
Impact of Adverse Publicity and Press: any business or government organization that depends on trust
between the customer and the organization to survive is aware of the tremendous potential impact of
adverse press on business growth and agency operations. Imagine the consumer experience involved in
going to a doctor for whom there was no trust, or a bank, brokerage house, or insurance company under
the same conditions. Even organizations that don’t typically consider public trust as having any part in
their business due to the nature of what they do are sometimes unpleasantly surprised at the impact.
Double-Click almost went out of business because of publicity surrounding the collection and use of
consumer healthcare information on the Internet without either the permission from potential targeted
individuals, or even the awareness on the part of the public that the information was being gathered. It
required a public explanation of business practices, an apology and a posted notice of practices on
gathering information and the use of the collected information before Double-Click’s customers or other
businesses would continue to buy their products. Medical practices have been driven out of business
over adverse publicity, government officials have been replaced, and the collateral effects on businesses
like Double-Click’s who didn’t even think about the fact that the public would pressure Double-Click’s
customers not to buy are well documented.
Competitive Advantage: every business and government agency is aware of their competitive
landscape to some extent. Those organizations that are aggressive about their business and products
are forced to pay attention to new changes on the part of the competition or competitive forces or face
the steady and sometimes rapid eroding of their market share or public trust. Competitive advantage
can come from anywhere; IT infrastructure, new product features that make it a de facto standard in its
industry, lower cost of operations including selling, the ability to deliver better service, and the ability of
the organization to give customers, business partners, and the public a sense of security and the
resulting trust that evolves from it are among the most effective. The need to engender trust, especially
in their target market segments, is of paramount importance. The ability to have better and timelier
information on which to make decisions is critical to the success of any enterprise. The ability to look at
Compliance from the standpoint of economic and policy trade-offs with objective information is a
competitive advantage of no mean stature.
5

6. Obstacles to Good Compliance Programs
Regardless of the size of the enterprise there are one or more obstacles to achieving a solid, useful
compliance program with repeatable processes and metrics. These obstacles come in the form of
‘institutional’ barriers such as the organizational attitude and structure, process barriers such as lack of
good program design with proper scope and metrics, to problems with the scope and frequency of
outside enforcement. Finally, the dearth of good automated toolsets with which to build sustainable
compliance programs limits the efforts and consequent success of organizations for whom a good
compliance program is recognized as valuable.
Organizational Attitude: a disproportionately large number of organizations whether they are
businesses or government agencies pay, at best, lip service to compliance. There is no belief among
senior mangers that compliance with any specific set of requirements is worthwhile beyond passing an
audit or staying out of the press. A major part of the problem exists in the message and manner in
which compliance and security professionals try to gain mindshare with senior management—using the
principal message of FUD (Fear, Uncertainty, and Doubt) often delivered in obscure terms. The manner
in which they attempt to present the message is immediately called into question because compliance
and security professionals can seldom converse with the affected managers using the language of the
business or enterprise instead of using the ‘techno-speak’ that is the common lingua franca of the
compliance and security organizations. This lack of a common understanding and language between the
senior managers and their compliance and security staffs continues to have an immediate and long
lasting impact on compliance efforts, namely that most compliance programs were consigned to failure
from the outset. Unfortunately, once credibility is lost by the compliance and security staff, it is almost
never regained. This lack of a common framework and approach to the importance of having a good
compliance program is the quintessential ‘last nail in the coffin’ of meaningful compliance efforts. It
should also be noted that if senior management doesn’t believe in the necessity for compliance, then it
is highly unlikely that the rest of the organization will pay more that minimal attention to it.
Audit Process versus Operational Process (built in compliance): a subset of the organizational attitude
is embodied in the pervasive dichotomy between what is provided by the audit function as opposed to
having a well established set of compliance aware operational processes. The internal audit function is
expected to be able to find and identify problem areas and to issue reports that can then be used to
address those findings. This simple idea however, more often than not, is overcome by a variety of
impediments such as a lack of available resources, a lack of appropriate tracking mechanisms, and the
grandfather of them all-the notion that no sense of urgency is necessary since the auditors won’t be
around for at least another year except to do minor spot checking on the progress of remediation.
Finally, it is a well documented fact that auditors, whether they are internal or external can only assess a
relatively small subset of all of the requirements that a business or government agency must address in
order to be considered ‘compliant’.
6

7. Organizational Structure: the structure and flow of information in an organization or agency frequently
contributes to frustrating compliance efforts. If the compliance function itself does not report high
enough in the ‘food chain’ few will view it as more than a potential interruption to their daily lives. In
addition, if compliance is perceived as a support organization instead of a ‘line’ function, it seldom has
the impact that is needed to put lasting programs in place and will compete (usually unsuccessfully) with
the likes of the auditors for a place on senior management calendars. Until compliance can be shown to
be a business enhancer or multiplier it will be relegated to a position no higher than a ‘necessary evil’.
Sadly, compliance functions lack the institutional history that internal auditors or Inspectors General
have, they have ‘come to the party late’ and that coupled with a lack of enforcement capability, the
compliance organization is solidly behind the organizational power curve.
Lack of Good Metrics: ask any management analyst, consultant, or expert what good metrics means to
an organization and you will find general agreement that they are critical to the sustainable success of
the business or program. They will also agree that it is a rare enterprise indeed that actually has good
metrics beyond some well defined financial and perhaps personnel related ones that most everyone
agrees on. These existing metrics are the result of years of financial and management practice and have
stood the proverbial test of time, meaning that they usually are good indicators of performance. When
it comes to compliance efforts no such agreement between experts exists, probably because compliance
has almost universally been treated as a potentially expensive afterthought. Vanishingly few enterprises
have an established and recognized baseline from which to measure their progress or lack thereof in
their compliance efforts. Second, the ability to compare one large data set against another as is
represented by compliance surveys etc. is a very difficult and time consuming process even given the
potentially great value in such a capability. The organizations that choose to use outside consultants to
measure their compliance and risk efforts discover very quickly that the process is very expensive, time
consuming, and that the data gets progressively more ‘stale’ as time goes on. It also fosters the notion
that compliance should only be measured once a year because it is so expensive and difficult and this
perception leads to a corollary outcome; most enterprises lack the ability or willingness to really track
the remediation efforts that they undertake in any kind of systematic fashion. The net result is that
board members and senior managers continue to be asked to fund major programs and initiatives
(including remediation efforts) without the information that they need to make an informed decision.
Scope of Enforcement: ironically, regulators sometimes unwittingly contribute to the lack of good
compliance efforts because they lack enough resources to do a thorough investigation or they are
hampered by their own decisions regarding the scope of the regulatory effort, the timing of the effort or
the lack of public exposure to the results of their investigations. It is also true that sometimes the law,
rule, or regulation lacks sufficient or appropriate penalties for the lapses uncovered in an investigation.
An excellent example of all of the above behaviors is found in HIPAA, (the Health Insurance Portability
and Accountability Act of 1996 as amended). Few healthcare organizations truly believe that regulatory
efforts on the part of the Federal Government, the States or the penalties associated with the Act are
sufficient cause for worry, let alone compliance action or effort. This last is not idle speculation, a study
7

8. done three years after the implementation dates of the Privacy, Security and Transactions and Codes
Sets provisions revealed that one third of all hospitals had undertaken no effort to comply with HIPAA.
Lack of Good Toolsets for Compliance Programs: with all of the companies that profess to be in the GRC
(Governance, Risk, and Compliance) space one might be tempted to assume that there would be at least
a couple of approaches to the problem that would yield good toolsets. To date no one company or two
companies has emerged with a solution that appears to be mostly or even widely usable or applicable
across many types of organizations such as government and business whether private or public. There
are other issues with the toolsets available; some interpret regulations for their customers instead of
rendering requirements faithfully, many price each part of the solution in such a way as to make user
flexibility nearly impossible, and finally, some are extremely difficult and time consuming to use.
Audit versus Compliance Mentality: in order to be successful in building compliance programs that have
lasting value to the enterprise the organization must come to grips with the embedded ideas and
attitudes surrounding both audit and compliance. The audit program depends upon the attitudes,
experience and opinions of the auditor to examine processes, people (employee behavior) and
determine and verify conditions and procedures that they are sent to evaluate. A compliance program,
on the other hand, relies upon the experience, training, opinions and attitudes of the employees who
must perform the everyday work and rely on established business procedures and process in order to
achieve the objectives and aims of the enterprise. To put it another way, in an audit situation, the
auditor’s opinion matters, not the employees who must stand the audit, whereas compliance
measurement relies on the employee or end user experience to measure effectiveness and success not
the auditors. While at first glance the foregoing may seem like heresy, both the auditor and the end
user have a well defined place in compliance efforts; it is only when the distinction becomes blurred that
the organization is headed for trouble. Compliance is best measured by those responsible for the day to
day activity of the enterprise.
Compliance, Remediation and the Need for Automation
If organizations are going to be successfully governed they must have the tools to do the job efficiently
and provide assessment information in an on demand environment over time to senior managers. The
wide ranging needs are many and in most cases can only be addressed in a highly automated
environment. The nine needs areas that follow are illustrative of the environmental requirements that
any good compliance and remediation toolset should not just allow but actively facilitate in order to
provide long lasting value to the enterprise.
1. The need to dramatically shorten cycle times for compliance assessments: based on experience,
the typical manual compliance assessment for one functional area such as IT (Information Technology)
in a medium sized organization (10,000 or so employees), often takes between 12 and 16 weeks to
complete. Even then, the usual tools are likely to be a combination of spreadsheets, both manual and
PC based, and word processing documents. Given this type of cycle time it is small wonder that the
8

9. pervasive attitude on the part of senior managers everywhere is that this should only be undertaken
once a year. As a reference point, in a large organization it can take most of a year to do the same thing.
2. The need to reach affected participants at all levels of the organization: in the case of a small
assessment a survey manager might actually know all of the right people to act as participants in a
survey; in a large organization it is extremely unlikely that a survey manager knows who the correct
participants are across all departments, divisions or offices. Unfortunately, whether the survey manager
knows them or not they must still find them in order for the survey to achieve its full value to the
organization. The only way that suggests itself is through automation.
3. The need to track changes in the compliance posture over time: in order to determine whether or
not remediation efforts, training efforts or other resource intensive activities are being successfully
implemented requires the ability to track changes over time. To illustrate the idea in a different way,
when a senior manager asks a subordinate ‘what did you do with the money I gave you to fix the
problem?’ it would be nice for everyone concerned if the subordinate had a good answer and could
prove their point with facts. In order to do this kind of tracking implies another capability—the ability of
the organization to assign responsibility for remediation, know what resources are required and where,
and when to expect that the desired results will be achieved.
4. The need to establish repeatable results and comparisons: as noted earlier, using outside agencies
such as consultants works against an organization trying to determine their long term compliance
posture. The expense, the departure of the institutional knowledge when the consultant team leaves,
and the fact that the consulting report was rendered as of a point in time with little or no hope of
updating it to reflect current changes in the organization, all work against the enterprise. An
organization that wants to build long term productive, value added compliance programs must have a
stable baseline against which to measure their efforts—and the survey methods, requirements, and
reporting should ideally be the same no matter how often or how long the results are rendered or
tracked.
5. The need to track responsibility and expenditures of assets to remediate issues: keeping track of
who is responsible for fixing identified problems, what they are spending in money and effort, what
success they might be achieving, what milestones can be tracked, and when to expect that the effort will
be successfully concluded is at the heart of this need. Considering the sheer volume of compliance
related information generated by even a modest sized survey, this portion of the toolset must be
automated in such a way that information in the form of ‘on demand’ reports can be rendered when
and where they are most needed.
6. The need to mimic the actual workflow as closely as possible: any toolset that provides the
information an organization needs may have some utility and value to the enterprise. The most useful
approach would be one that did not require the user to have to learn a different way of doing business
just to make the tool work. As much as possible the survey creation, distribution, analysis and reporting
9

10. should work in the same stepwise fashion that most individuals use every day when solving problems. If
the user can see how things fit together they are much more prone to use the tools to achieve their
aims.
7. The need to access and assess requirements or controls quickly: it is no secret that different groups
within organizations approach compliance information in different ways. At polar ends of this
dichotomy we have auditors who typically deal in controls and assess their robustness, and practitioners
who typically deal in requirements and how to implement them. Any toolset must be useable by both
groups in order to provide the maximum utility to the organization: this capability helps to insure that
there is a common framework or approach for the compliance process and that this process is grounded
in common methods of analysis, common reporting, and common sources and structure in Authority
Documents. Toolsets that allow the seamless crosswalk from requirements to controls while preserving
all of the related data such as which vulnerabilities are being addressed is vital to the success of the
compliance process
8. The need to add local authority documents of importance to the organization: simply put, any
toolset that supports the compliance cycle must be flexible enough to incorporate locally important
sources of standards such as policy and procedure or other requirements important to the successful
functioning of the enterprise. Ideally, authoring tools should be available to allow the organization to do
their own input or allow an outside party to do the input under the direction of the owning organization.
9. The need to aggregate and analyze large amounts of compliance data: data aggregation and
analysis for any medium to large organization is a problem because of the sheer size and volume of
information generated. Enterprises need the capability to analyze and report on current information
and analyze and compare it to preceding period data in order to assess progress. At a minimum, users
should be able to compare surveys created over time whether or not they were identical in their scope.
To say it differently, comparisons between data sets should be possible when using an automated
toolset and the toolset should know and be able to highlight the differences as well as compare the
same types of data.
Compliance Process and Automation
In order to apply the benefits of automation to address the needs of an organization, the compliance
data gathering process must be well documented and clearly understood. What level of process
decomposition is required is important because the ideal solution would be to wind up with tools that
follow the way people work to the greatest extent possible. One approach would be to list the major
components with the absolute minimum of detail necessary in order to obtain a working model that
covers the known and anticipated needs of the organization. In the section that follows, the compliance
assessment and remediation processes are outlined at a high level and the links to user workflow
requirements are explored in the context of automating the essential processes to optimize the value of
an automated toolset.
10

11. The first process is the survey creation and management portion that consists of 5 steps: creating the
survey structure or template; choosing the content; distributing the survey; collecting and analyzing the
results; and reporting on the results. The survey data collection process depends upon the input of
many users who are directly involved in managing these issues on a daily basis. This process is
highlighted in figure 2 below.
Compliance Steps
Creating the Survey Structure: the survey structure determines many things: the type of statistics
available for analysis and reporting; the degree of compliance achieved by the organization based on the
target survey audience; the graphics used for dashboard reporting; the time for gathering responses;
and ideally, the use of workflow items such as automated reminders for the participants.
Choosing the Survey Content: the content for the survey should be variable and customizable
depending on the needs of the organization; the survey manager should be able to choose a single or
multiple authority documents; sections from one or more documents; and single requirements or
questions from any document that may be needed. The system should allow the survey manager to
choose content from existing authority documents already provided for use or allow the survey manager
to create their own specific content to be used in a survey or surveys.
Distributing the Survey: there are two basic scenarios to consider when it comes to distributing the
survey: in the first scenario, the survey manager would know all of the recipients to whom the survey
11

12. should be sent; in the second scenario, the survey manager cannot possibly know all of the proper
recipients due to the size of the organization, vendor partners who may need to participate etc. In
either case, the distribution should be as automated and direct as possible.
Collecting and Analyzing the Results: the basic data analysis of the output provided by the survey
respondents should be automated and automatic and provide both summary and detail information as a
result of the survey. Further, the data itself should not be editable by the survey manager or the
respondents and any and all attached documentation submitted by the respondents should also be
carried forward as a part the output of this process.
Reporting on the Results: the survey output reports should faithfully reflect the data analysis and be
customizable and editable by the survey manager based on the needs of their particular organization.
This should include the ability to attach documents and comments provided by the survey respondents
in answer to the questions concerning the requirements covered.
Remediation Process and Automation
The base process that governs remediation activities consists of 4 steps: identifying the weaknesses to
be addressed as reported in the survey; assigning responsibility for remediation; determining the
resources and milestones; and reporting on progress. Unlike the survey process, the remediation
process depends on the management of an organization to determine what will be undertaken. This
process is outlined in the figure below (figure 3).
12

13. Remediation Steps
Identifying the Weaknesses to be Remediated: weaknesses identified for remediation should consist
of vulnerabilities, controls or both depending on the size and the needs of the organization. For
example; a small organization may wish only to address a global vulnerability such as ‘Policy &
Procedure’, while a larger organization may have a need to address the underlying controls as part of
the remediation process. For example, the vulnerability ‘access controls’ may have several uniquely
identified controls as part of the vulnerability such as ‘password length’, ‘strong passwords’, ‘password
expiration’, etc. The second aspect of this process is that of determining which weaknesses to
remediate based on organizational needs such as resource constraints.
Assigning Responsibility for Remediation: a system should allow assigning responsibility based on
individuals or members of a team that each has a particular control or controls to remediate as part of
addressing a larger vulnerability. This assignment should be editable so that as old points of contact
move on to other duties or responsibilities a new person or persons can be assigned to see the project
through to a successful conclusion.
Determining the Resources and Milestones: for any assigned responsibility, whether or not it is a single
or multiple vulnerabilities, or the underlying control or related controls, the assigned point of contact
should be able to determine and record the major resource and milestone requirements and allow other
team members to add their input as it becomes appropriate.
13

14. Reporting on Progress: the remediation point of contact should be able to report on a continuing basis
what progress is being made, what additional resources or time might be needed and allow those with
subordinate responsibilities to add their input as well. The survey manager should be able to obtain on
demand reports on any or all of the remediation efforts and be able to perform comparisons from a
baseline survey to the next survey in any or all of the areas to highlight progress or the lack of it.
Second, the survey manager should be able to compare multiple surveys to each other even when the
content may not be identical; in other words, surveys with any overlap at all in their design or focus
should be able to be compared on the items common to other surveys of interest.
The Compliance Cycle and Automation
In order to derive the most usability and value for adopting a continuous compliance cycle, the software
platform should be designed to follow normal workflow or problem solving steps while providing as
much flexibility as possible in the selection, management, and use of the tools features and functions.
The software architecture should embody current technology, simplicity of maintenance and
enhancement, scalability on demand and a robust data export capability in order to protect the client or
user, as well as, the developer’s investment. Other hallmarks of the architecture should include
maximizing data handling to include the seamless addition of external related documentation and
information, extensive on demand reporting, both ad hoc and templated, and a robust security model
that exists at all of the necessary levels in the hosted environment. The security model should
incorporate features to protect the user, the environment and the data in such a way that the user
doesn’t have to think about how to ensure security, but rather how to use the software tools to achieve
their compliance assessment and remediation goals. In short, the security features taken together
should be as transparent as possible consistent with a highly secure environment and not get in the way
of doing the work that needs to be done. Finally, the software should require the least amount of
physical and logical assets in order to be used: with this in mind, NEMEA chose to implement the
toolsets as a Software as a Service (SaaS) offering. The survey manager needs only to have a browser
and email capability in order to access and use the NEMEA solutions; respondents need the same
internet and email connection capability.
The NEMEA solution to automating the compliance cycle consists of two related toolsets, Compliance
Center and Remediation Center, that follow the architectural principles outlined above. Compliance
Center automates the compliance survey management process and follows the cycle in figure 2 while
allowing the maximum control by the survey manager over creation, content, distribution, analysis and
reporting of survey information. The survey manager can create a survey template rapidly and populate
the survey with known requirements that define what is being assessed and with a high degree of
probability, distribute the survey to the appropriate respondents even when the survey manager does
not know who they are. Remediation Center automates the remediation assignment and tracking
process outlined in figure 3. In addition, Remediation Center can use any survey, current or not, to
automatically pre-populate vulnerability or control weaknesses identified in the subject survey and
allows for assigning both the vulnerability and the related controls dynamically if an organization so
14

15. chooses. It also allows the survey manager to assign a point of contact for remediating selected
weaknesses, identify resources needed to correct the problem, allow selected individuals to establish
and modify milestones and identify and link any other external or internal assessment such as an audit
to the tracking system. The toolset also allows the survey manager to compare surveys to an existing
baseline survey even if the controls and vulnerabilities in the surveys being compared do not exactly
duplicate one another. In cases where two or more surveys are compared to a baseline survey, the
system automatically compares the areas that can yield relevant information and ignores the balance.
These two toolsets are the first of a series of complimentary products that NEMEA intends to offer to
potential clients.
From an architectural perspective, NEMEA chose to develop the toolsets using web standards including
AJAX. This is implemented using .NET and SQL running under a Microsoft operating system (OS) in a
clustered configuration. NEMEA code follows web standards for development and does not allow the
use of potentially insecure technologies such as Active-X or Java. The NEMEA infrastructure is
redundant at all levels; data center, server, communications and networking, and data storage. In
addition, the appropriate use of load balancing, IDS/IPS and other monitoring tools help to insure the
security of information at all times. NEMEA does not allow unencrypted access to the network or
toolsets and ensures logical segregation and separation between clients using the NEMEA SaaS tools.
The NEMEA solution to automating the compliance and remediation cycle is robust, cost effective and
secure while meeting the needs of organizations that are serious about compliance. NEMEAs products
directly address the most pressing issues that organizations face in trying to build effective and enduring
compliance, remediation and governance programs while giving users complete control over their
information. Using the NEMEA solution reduces the compliance cycle time by a minimum of 70% while
reducing the overall costs associated with assessment and remediation by more than 50%. Clearly, the
NEMEA product set can help virtually any organization, business or government agency establish and
maintain control over their governance processes through the provision of timely information for sound
decision making.
15

16. About NEMEA
NEMEA Security Services provides on-demand software solutions for enterprise-wide governance, risk
management, and compliance (GRC) that empower security-sensitive organizations to sustain a
compliance environment, limit risk without sacrificing business effectiveness, enhance shareholder
value, and improve corporate integrity by advancing GRC initiatives.
An industry thought-leader in understanding compliance standards, frameworks, and regulations,
NEMEA understands the benefits to be gained and the challenges that may be encountered in managing
enterprise-wide GRC initiatives on an on-going basis. NEMEA knows what is needed to operate
efficiently and effectively in a highly regulated business environment and firmly believes that
organizations should be free to focus on what they do best – managing their business and compliance,
risk, and audit initiatives without the encumbrances of implementing and maintaining rigid and complex
proprietary software solutions that require extensive customizations.
It’s for these reasons that NEMEA created a portfolio of innovative and intuitive web-based software
tools modeled on the way businesses actually work. NEMEA's automated toolsets allow powerful
collaboration across all departments, leading to better business decisions, lower costs, and empowered
management. Because the tools are built to suit unique business needs, organizations in regulated
industries can be confident that they can address their compliance requirements in a way that best fits
their environment and reap the benefits of effective governance, risk, and compliance management.
What Sets NEMEA Apart
Recognizing early on the advantages inherent in the “Software as a Service” (SaaS) delivery model as a
more cost-effective alternative for enterprises to achieve their business objectives, NEMEA is not so
much a software developer as it is a process integrator, freeing itself to focus on bringing solutions that
integrate GRC processes that are sustainable, reliable, efficient, and transparent to market.
NEMEA’s deep industry knowledge is gained from over 50 years of experience in designing risk
management programs, defining information security policies and processes, conducting security audits,
and defining GRC processes for diverse organizations in industries ranging from financial services,
healthcare, and manufacturing to internet services, the US military, and federal agencies.
NEMEA COMPLIANCE Center® is a compliance solution featuring a full suite of tools to create and
manage compliance surveys, collect and analyze results, create standard or custom reports, and tackle
essential remediation efforts. Its fully-featured user interface lets management rapidly compare the
laws and regulations pertinent to their industry and business and supports the use of numerous
standards simultaneously.
NEMEA REMEDIATION Center® is based on a simple and elegant concept – identify the issues to be
resolved; determine the milestones, resources, and participants who will perform the work; and track
the progress in a live reporting environment. REMEDIATION CENTER provides the ability to remediate
issues discovered during the use of COMPLIANCE CENTER that are considered to be immediately
unacceptable to the organization – and to make these remediation decisions on the basis of actual and
projected losses.
16

17. Committed to Your Success
NEMEA's product offerings are constantly being upgraded and expanded to meet the needs of the most
demanding governance program. To that end, NEMEA is developing two new products: NEMEA RISK
Center® and NEMEA AUDIT Center®.
NEMEA RISK Center® is designed to help organizations understand and manage risk. Making informed
decisions about risk and its potential impact on business and performance is critical. RISK
Center features tools to construct a risk profile that supports business efforts; align risk perspectives
across all departments; organize risk mitigation strategies; assess current requirements, capabilities, and
vulnerabilities; monitor the risk management processes; and establish links between compliance and
risk.
NEMEA AUDIT Center® is an automated, on-demand software tool designed to streamline the auditing
process. AUDIT Center provides the ability to shorten audit cycle time, gain control of compliance
efforts, reduce costs and time to implement changes, shorten the compliance survey cycle time, and
enhance reporting to the board.
Highest Levels of Availability, Reliability and Security
NEMEA is committed to providing the highest levels of availability, reliability, and security. To this end,
NEMEA partnered with Equinix to establish two data centers, both managed and operated through a
contractual arrangement with Equinix data centers and mindSHIFT data center services. These Equinix
facilities, located in the mid-Atlantic and mid-West, provide a secure platform for the reliable
deployment of NEMEA’s GRC applications as well as the highest level of physical security, power
availability, and infrastructure flexibility. Because NEMEA understands that security requires constant
vigilance, it engaged mindSHIFT to provide technology peace of mind by delivering premier IT
infrastructure
17