3.4.2 The Program Office

The Program Office may be focused solely on accountability across the organisation, but will more typically be in charge both of the domain (or one of the principal domains) for which the organisation is accountable (e.g. the Privacy Program Office or the Security Program Office) and of accountability itself. The Program Office can be either an organisational or a logical structure.

In its role of supporting the governance bodies in fulfilling their responsibilities, the mission of the Program Office can be divided into eight main areas:

  • Inventory Obligations, Risk Assessment and Risk Treatment
      • Maintain a registry of all obligations and associated operational standards.
      • Perform risk assessments and identify risks and exposure. This is focused on the business and related (accounting) practices.
      • Identify how to treat the risk. The analysis must include cost, timing and alternatives, and comply with the risk appetite identified by the Board.
      • Create a rollout plan.
      • Create a set of metrics to report on the state of the accountability program.
      • Investigate best practices and compliance frameworks; consider adoption, attestation or certification based on benefits, costs and risk.

This sets the stage for performing due diligence, which often defines the boundary where the responsibility of the officers of the organisation is engaged. Performing due diligence is, however, not enough: it can only be used as a defence if it can be demonstrated. The Program Office must be sure that this can be done.

  • Company Culture, Practices and Standards
      • Review relevant company codes, operating guidelines and standards with regard to obligations. This must take a holistic view and deal with all appropriate business functions: sales, marketing, business operations, IT, facility management, workplace solutions, finance, accounting...
      • Draft appropriate changes to these codes.
      • Roll out these changes and ensure the documentation is effectively updated throughout the organisation.
      • Notify staff of changes through adequate communication programs (awareness).
      • Where none exist, foster the creation of organisation-level codes and standards, by or in collaboration with the businesses and functions, when required to align internal business processes. Ensure compliance through checklists and metrics used for reviews at different levels.
      • Build templates for analysis (e.g. impact assessment, risk assessment) with regard to accountability and (domain-specific) obligations, for use in the Analyse and Design phase of the lifecycle.
      • Define a sign-off process with responsible parties to validate the major milestones in the Organisational Lifecycle for Accountability.

It is important to adopt the principle that all actions performed must be traceable to the person or people performing and authorising them (attributability). This is to be used primarily for root-cause analysis, continuous improvement and individual accountability.

  • Incident Recovery and Response

This is a critical success factor. It is the responsibility of the Program Office to ensure that an adequate structure and set of processes is effectively implemented in the organisation. Considering the scope, this is often best implemented as a pan-organisation structure rather than as smaller teams dedicated to individual product offerings; at a minimum, such a structure should exist to support dedicated product teams in case of an exceptional event. Details of this program are provided in section 3.4.5.

  • 3rd Party Engagement
      • Ensure, with the active involvement of procurement and contract negotiators, that all service and other provisioning contracts are compliant with relevant obligations.
      • Where appropriate, define standards and practices for engagement with third parties.
      • Ensure that procurement or other relevant organisations maintain and update a registry of third-party engagements and their relationship with obligations.
      • Enforce strict compliance with the standards and practices, as well as reporting.
      • Monitor that procurement or other relevant organisations ensure that contract renewals and changes in terms are properly tracked.
      • Ensure 3rd party providers are regularly reviewed by procurement or other relevant organisations.
      • Ensure that procurement or other relevant organisations have processes in place to deal with non-compliance of 3rd parties.

The collection and archiving of contracts is required but not sufficient in most instances. It must be possible to get a quick understanding of the relationship between external engagements and obligations across all engagements (hence the need to maintain a registry). Also refer to the discussion on 3rd parties in section 3.4.3.

  • Employee Skills and Awareness
      • Ensure the organisation maintains a registry of job (function) profiles in relation to the obligations and identifies sensitive positions.
      • Ensure the organisation defines recruiting criteria for sensitive positions regarding obligations.
      • Ensure the organisation has specific training programs for sensitive positions regarding obligations.
      • Ensure compliance with legally required training and certification.
      • Inject topics into the on-boarding and recurrent employee code of ethics and business training programs.
      • Ensure the organisation includes questions measuring accountability awareness and attitude in employee surveys.
      • Ensure the organisation organises and rolls out specific accountability awareness campaigns, such as posters displayed on billboards and internal bulletins.
      • Ensure that management state-of-business (coffee talk) presentations regularly address accountability.
      • In more general terms, ensure the organisation addresses accountability in appropriate employee information vehicles with adequate messages for rollout through the organisation.
      • Ensure the organisation keeps the skills of specialised staff current: support staff in joining industry associations, professional networks and specialised conferences, and in getting training as required.

Accountability for one's own actions, regardless of the domain to which it is applied, must become part of the culture of the organisation and must be embraced by all employees and contractors. Circumventing this must be treated as a serious performance issue. It must be noted that human interaction is one of the weakest points in the security of a system.

  • Compliance Readiness
      • Appoint a liaison to external domestic and regional compliance and regulatory agencies (as appropriate).
      • Appoint a liaison to relevant foreign compliance and regulatory agencies (as appropriate).
      • Ensure the organisation tracks external criteria using a mixture of specialised information services, industry associations, professional networks, specialised conferences and consultants.
      • Ensure the organisation understands reporting requirements and ensures compliance.
      • Maintain the legally required documentation (or ensure it is maintained by the relevant departments).

  • Deploy Individual Accountability Tools
      • Investigate and (if adequate) ensure deployment of techniques and tools supporting authorisation based on duty segregation.
      • Investigate and ensure deployment of tools guaranteeing that all actions are logged and allow the identification of the agent and of the authoriser (as appropriate). This must be done in compliance with legal constraints on the handling of individually identifiable information. Ensure that these logs bear a proper timestamp and are secured against tampering or destruction.

There are some commercially-available tools which act as portals and allow the deployment of these types of controls even if the native applications do not support the functionality. In addition, using a uniform mechanism across the organisation allows for a streamlined management of the authorisation structure and of the audit logs. One must note that provisioning a trusted log with attribution is more important, less expensive, and less problematic than deploying an authorisation framework due to the complexity of modelling and allocating the correct structure for the roles, although the latter may reduce risks upfront.
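As an added example (not part of the original document, nor any particular product's code) of the kind of attributable, timestamped, tamper-evident action log described above, with the duty-segregation check from the preceding bullet folded in; the class name, field names and the demo key are assumptions:

```python
import hashlib, hmac, json
from datetime import datetime, timezone


class ActionLog:
    """Append-only action log with attribution and a keyed hash chain.
    Each entry names the agent and the authoriser, carries a UTC timestamp
    and is HMAC-chained to its predecessor, so editing, inserting or
    reordering an entry breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key          # held by the log service, not by the applications
        self.entries = []

    def _tag(self, prev_tag: str, record: dict) -> str:
        payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, agent, action, authoriser, needs_approval=False) -> dict:
        # Duty segregation: an action flagged as privileged cannot be self-authorised.
        if needs_approval and agent == authoriser:
            raise PermissionError(f"{action!r} by {agent} needs a separate authoriser")
        record = {"seq": len(self.entries),
                  "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                  "agent": agent, "authoriser": authoriser, "action": action}
        prev_tag = self.entries[-1]["tag"] if self.entries else "0" * 64
        record["tag"] = self._tag(prev_tag, record)
        self.entries.append(record)
        return record

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry.
        Tail truncation is only detectable if the latest tag is anchored elsewhere."""
        prev_tag = "0" * 64
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if rec.get("seq") != i or not hmac.compare_digest(rec["tag"], self._tag(prev_tag, body)):
                return i
            prev_tag = rec["tag"]
        return -1


def demo() -> tuple:
    log = ActionLog(b"constructed-demo-key")  # constructed key; use a KMS-held key in practice
    log.append("alice", "export customer records", authoriser="bob", needs_approval=True)
    log.append("carol", "read own timesheet", authoriser="carol")
    intact = log.verify()                     # -1: chain intact
    log.entries[0]["agent"] = "mallory"       # simulated after-the-fact tampering
    return intact, log.verify()               # (-1, 0): entry 0 no longer matches its tag
```

Periodically copying the latest tag to a separate system (or an external auditor) is what turns this from tamper-evident for edits into tamper-evident for deletions as well.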

  • Ensure Continuity of the Accountability Program
      • Ensure that all the above documentation stays current.
      • Periodically review the various analyses performed.
      • Define and maintain a dashboard providing a synthetic view of the accountability program.
      • Define and track a set of metrics to measure effectiveness and progress. A significant part of these metrics must correspond to objective (as opposed to subjective) criteria.
      • Have the accountability program and the Program Office audited regularly (in the order of once a year) by external auditors.