Society Of Corporate Compliance And Ethics


Society of Corporate Compliance and Ethics
Utilities Compliance Conference, March 2010
From Compliant to Compliance Management
Richard Dahl, CTO, SCIF Software, Inc.
Copyright 2010 SCIF Software, Inc. Released under the Creative Commons Attribution 3.0 License

Agenda
- Introduction to Compliance
- Background on Evaluating Security
- Move From Evaluating to Managing Security
- Compliance Implementation → Compliance Management

Agenda (continued)
- 'Institutionalizing' Compliance Management
- Common Institutionalization Structures
- Proper Institutionalization Structure
- Interpreting the Standards
- Compliance Artifacts
- Compliance Assessments

Background
Richard Dahl, Founder & CTO
- Leading NERC CIP compliance and information security expert.
- Expertise designing and implementing compliant, risk-based information security solutions based on NERC CIP, PCI, FFIEC & NIST standards.
- Counterintelligence Special Agent, US Army Information Warfare Branch

Introduction to Compliance
Compliance: Do stuff to things.
Security Compliance: Apply Security Controls (stuff) to Assets in-Scope (things).
- Examples today are from CIP-002 through CIP-009.
- Principles discussed today are regulation agnostic.

Evaluating Security
- Compliance Assessment: Are prescribed controls in place?
- Vulnerability Assessment: Are prescribed controls working properly?
- Risk Assessment: Are prescribed controls appropriate?

Moral
We must provide our own vision of how we achieve and maintain compliance.

CIP Implementation Challenges
1. Confusing asset categories
2. Inconsistent requirement granularity
3. Inconsistent implementation within organization

CIP Challenge #1: Confusing asset categories
CIP is a "Cyber Security" Standard, but...

CIP Requirements By Asset Type
(chart of requirements by asset type; not recoverable from the transcription)
Organizations, Locations, Networks, Personnel and Information all require compliance implementation as well.
CIP is a business issue, not an IT issue!

CIP Challenge #2: Inconsistent requirement granularity
- Too Prescriptive (Hot)
- Too Ambiguous (Cold)
- Reasonable (Just Right)

Too Prescriptive
CIP 007-1 R5.3.2: At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible: Each password shall consist of a combination of alpha, numeric, and special characters.

Too Ambiguous
CIP 005-1 R2.4: Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

Reasonable
CIP 007-1 R2.1: The Responsible Entity shall enable only those ports and services required for normal and emergency operations.

CIP Challenge #3: Inconsistent implementation within organization
What does CIP-007 R6 mean to you?
"The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security."
Does it mean the same to the person...
- Down the hall?
- At the alternate data center?
- At another division?

Institutionalization
Defined: Compliance is achieved and maintained simply by the execution of normal business activities. Personnel meet the CIP Requirements simply by doing their jobs.
Characteristics:
- Horizontal integration of compliance activities
- Clearly defined responsibilities for compliance activities

Institutionalization
Benefits:
- Reduced overhead of compliance management
- Greater efficiency
- Greater effectiveness
Primary requirement:
- Communicate and track compliance activities

Institutionalization Structure
Three commonly espoused structures:
- CIP Standards
- Inherent Processes or Functions within CIP
- Artifacts Required by CIP

Structural Issues
The primary problem with these three structures is that they assume that compliance management (as opposed to compliance reporting) is disconnected from managing the security posture in place.
NERC UAS 1200 Impact
- Temporary cyber security measure
- Required documentation and attestation of the security posture in place

Structural Issues: CIP Standards
Individual Requirements can apply to multiple asset types.
CIP-006 R1.1: The Responsible Entity shall create and maintain a physical security plan, approved by a senior manager or delegates that shall address, at a minimum, the following: Processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within an identified Physical Security Perimeter. Where a completely enclosed six-wall border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.

Structural Issues: CIP Standards (continued)
Explicit cross reference of Requirements
CIP 005 R1.5: Cyber Assets used in the access control and monitoring of the Electronic Security Perimeters shall be afforded the protective measures as specified in Standard CIP-003, Standard CIP-004 Requirement R3, Standard CIP-005 Requirements R2 and R3, Standard CIP-006 Requirements R2 and R3, Standard CIP-007 Requirements R1 and R3 through R9, Standard CIP-008, and Standard CIP-009.
An organization cannot be compliant with CIP 005 R1.5 without being compliant with the other referenced Requirements for the identified devices or applications.

Structural Issues: CIP Standards (continued)
Implicit cross reference of Requirements
CIP 002-1 R3: Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets ...
CIP 005-1 R1.5: Cyber Assets used in the access control and monitoring of the Electronic Security Perimeters shall be afforded the protective measures specified ...
CIP 005 R1.4: Any non-critical Cyber Asset within a defined Electronic Security Perimeter shall be identified and protected ...

Structural Issues: Inherent Processes or Functions within CIP
Organizations are not typically organized according to these functions.
CIP-006 R1.1: The Responsible Entity shall create and maintain a physical security plan, approved by a senior manager or delegates that shall address, at a minimum, the following: Processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within an identified Physical Security Perimeter. Where a completely enclosed six-wall border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.

Structural Issues: Inherent Processes or Functions within CIP
Audit and Accountability (Reference, Asset(s): Text)
- CIP 005-1 R3 (Devices: Network Access Points): The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeters twenty-four hours a day, seven days a week.
- CIP 007-1 R5.1.2 (Devices, Applications): The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
- CIP 007-1 R6 (Devices, Applications): The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
- CIP 003-1 R4 (Information): The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.

Institutionalization Structure: Artifacts Required by CIP
- "Access control program"
- "Security plan"
- "Operational procedures"

Institutionalization Structure: Artifacts Required by CIP
- Difficult to properly associate the completion of these artifacts with the responsible parties.
- Few organizations have as formal a security program as a literal and dogmatic interpretation of the CIP Standards requires.

Institutionalization Structure
What is the sense in creating one "Access Control Program" simply because CIP 003-1 R5 requires "...a program for managing access to protected Critical Cyber Asset information"? There is no requirement within CIP that mandates a particular structure for documentation.
We must remember the rules of English grammar: a 'program' is not the same thing as a 'Program'. Here 'program', just like all references to 'plans', 'processes', 'logs', 'documentation', 'policies', 'procedures', etc., is a common noun, and should therefore not be taken to imply a formality that is not required.

Institutionalization Structure
Taking the artifact-based approach to the extreme can hinder an appropriate security posture.
CIP 003-1 R6: The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.

Institutionalization Structure
One unified process would have to incorporate changes to:
- Applications
- Devices
- Network access points
The document could easily end up a convoluted mess that no one would require throughout their normal duties.
System administrators, network administrators, and application administrators would only need to understand information relevant to the assets under their control.

Proper Structure
Analysis of the CIP Standards provides:
Compliance actions must be performed on, or on behalf of:
- ...
- Information
- Facilities

Asset Type Correlation
CIP 005 R1 - Electronic Security Perimeter: The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeters and all access points to the perimeters.
Applies to:
- Devices and Applications: must reside within an ESP
- Organizations or Networks: must document ESPs
- Networks or Organizations: must identify all access points
Applicability is determined by responsibilities!

Asset Based Structure Limitation
CIP 007 R5.3 Account Management: At a minimum, the Responsible Entity shall require and use passwords ...
Applies to:
- Devices and Applications: must reside within an ESP
May be implemented differently according to risk:
- Telemetry server: passwords
- Firewall at ESP border: tokens

Compliance Scope
Definition: A distinct category of asset type(s) that meet conditions set within the CIP Standards mandating application of Requirement(s).
e.g. Critical Asset - Facilities that are essential to the reliable operation of the Bulk Electric System (CIP-002 R1)
Conditions: CIP-002 R2 provides the criteria for inclusion.
Requirements that apply:
- CIP-002 R2 Critical Asset Identification
- CIP-002 R3 Critical Cyber Asset Identification
- CIP-002 R4 Annual Approval

Compliance Scope
(diagram; not recoverable from the transcription)

CIP Compliance Scopes
(diagram; not recoverable from the transcription)

Scope Assessment Logic
(diagram; not recoverable from the transcription)

AMA-E Decision Tree
(diagram; not recoverable from the transcription)

Standard Map For CCA (Reference: Text)
- CIP 002 R3: Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary.
- CIP 002 R4: A senior manager or delegates shall approve annually the list of Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1, R2, and R3 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets.
- CIP 005 R1: The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeters and all access points to the perimeters.
- CIP 006 R1.1: The Responsible Entity shall create and maintain a physical security plan, approved by a senior manager or delegates that shall address, at a minimum, the following: Processes to ensure and document that all Cyber Assets within an Electronic Security Perimeter also reside within an identified Physical Security Perimeter. Where a completely enclosed six-wall border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.
- CIP 007 R1: The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware.
- CIP 007 R1.2: The Responsible Entity shall document that testing is performed in a manner that reflects the production environment.
- CIP 007 R2.1: The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
- CIP 007 R2.2: The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeters.
- CIP 007 R2.3: In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measures applied to mitigate risk exposure or an acceptance of risk.
- CIP 007 R3.1: The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades.

CIP Interpretation
- Project team members rely largely on their own individual understanding of the CIP Requirements and information security to determine the gaps and appropriate resolution mechanisms.
  - They may not be accountable for compliance.
- Organizations find themselves lacking confidence that they are indeed compliant.
  - Little centralized documentation that can provide any kind of traceability of what fulfills the CIP Requirements.
  - Trusting the assertions of their project team: "Thus sayeth the consultant."
- Understanding what controls have been determined to meet the requirements is essential to ensuring ongoing compliance.

Control Framework
Control Purpose: Provide consistent and granular interpretation of security requirements.
Control Sources:
- NIST SP 800-53
- BITS
- ISO 2700X
Control Mapping: Controls to CIP Requirements by Compliance Scope.

CIP-007-1 R6
(control mapping; not recoverable from the transcription)

CIP-007-1 R6
(control mapping, continued; not recoverable from the transcription)

CIP-007-1 R2.1-2.3
(control mapping; not recoverable from the transcription)

CIP Complexity
- Organizations must be very careful to granularly define the interpretation of this Requirement.
- Granular interpretation reduces any confusion:
  - Password composition rules are enforced through user training.
  - Password composition rules are technically enforced.
  - These are not mutually exclusive.
- Personnel training requirements should include guidance on password composition even if it is technically possible to enforce the specific character types required.
- If the three specific character types cannot be technically enforced, an organization could reach the conclusion that enforcement through user awareness training, combined with controls that ensure there are three distinct character types (by counting upper case and lower case alpha distinctly), is appropriate to meet the requirement.
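The two readings of CIP-007-1 R5.3.2 discussed above, as an added Python example (not from the deck or SCIF Software): the literal alpha/numeric/special rule beside the three-distinct-classes reading that counts upper- and lower-case separately, so the interpretation documented for a given asset can be tested rather than argued. The sample passwords are constructed.

```python
"""Two documented interpretations of CIP-007-1 R5.3.2 password composition.

Added example, not from the deck.  The literal reading requires alpha, numeric
and special characters to all be present.  The deck's alternative, for systems
that cannot enforce the literal rule, requires three distinct character classes
with upper- and lower-case alpha counted separately.  Sample passwords below
are constructed.
"""


def character_classes(password, split_alpha_case=False):
    """Set of character classes present in the password.

    Anything that is neither a letter nor a digit (punctuation, space) counts
    as 'special'.  With split_alpha_case=True, letters are reported as 'upper'
    or 'lower' instead of 'alpha', which is the deck's alternative counting rule.
    """
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("numeric")
        elif ch.isalpha():
            if split_alpha_case:
                classes.add("upper" if ch.isupper() else "lower")
            else:
                classes.add("alpha")
        else:
            classes.add("special")
    return classes


def meets_literal_rule(password):
    """Literal R5.3.2: a combination of alpha, numeric and special characters."""
    return {"alpha", "numeric", "special"} <= character_classes(password)


def meets_three_class_rule(password):
    """Documented alternative: at least three distinct classes, case split."""
    return len(character_classes(password, split_alpha_case=True)) >= 3


def assess(password):
    """Which interpretation(s) a password satisfies.  Useful when an asset's
    documented interpretation is the alternative one and an auditor asks why."""
    return {
        "literal": meets_literal_rule(password),
        "three_distinct_classes": meets_three_class_rule(password),
    }


if __name__ == "__main__":
    # Constructed samples: the first passes only the alternative reading,
    # the second passes both, the third passes neither.
    for pw in ("Abc12345", "abc123!x", "ABC123"):
        print(pw, assess(pw))
```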

Interpretation
- The interpretation of the Requirements is what always happens; it is just not usually documented.
- Everyone who looks at the CIP Requirements interprets their meaning based on their own understanding of security and their level of technical competence.
- The real issue is whether the individual interpretations are consistent with one another throughout the enterprise.

Compliance Artifacts
Auditable evidence of compliance.
Types of Artifacts:
- Documentation
- Policies or policy statements
- Lists
- System Configuration Settings
- Logging
- Authentication Mechanisms
- Third-Party Applications
- Correlation Engine Reports
- Exceptions

Compliance Questionnaires
- One questionnaire for each Compliance Scope
- Contains controls deemed relevant for each asset-type/compliance-scope combination
- Granularly focuses questions for a specific asset or group of assets within scope
- Increases efficiency and effectiveness of the audit program

Questionnaire Format
Columns: Control Family | Reference | Question Text | Answer (Yes/No/NA/TI)
Control Family for every row below: Authentication Management

2      The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
2.1    Authentication of user identities is accomplished through approved mechanisms.
2.1.1  Authentication of user identities is accomplished through the use of usernames and passwords.
2.1.2  Authentication of user identities is accomplished through the use of usernames and biometric devices.
2.1.3  Authentication of user identities is accomplished through the use of usernames and tokens.
2.1.4  Authentication of user identities is accomplished through the use of digital certificates.
2.1.5  Authentication of user identities is accomplished through the use of multi-factor authentication.
2.2    FIPS 201 and Special Publications 800-73 and 800-76 guidance regarding personal identity verification (PIV) card token for use in the unique identification and authentication of federal employees and contractors is followed.
2.3    NIST Special Publication 800-63 guidance on remote electronic authentication is followed.
2.4    User identification and authentication within a specified security perimeter follows NIST SP 800-63 guidance.
3      The information system identifies and authenticates specific devices before establishing a connection.
3.1    The information system uses pre-defined mechanisms to identify and authenticate devices on local and/or wide area networks.
3.1.1  The information system uses shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) to identify and authenticate devices on local and/or wide area networks.
3.1.2  The information system uses an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks.
4      The organization manages user identifiers.
4.1    The organization manages user identifiers by uniquely identifying each user.
4.2    The organization manages user identifiers by verifying the identity of each user.
4.3    The organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official.
4.5    The organization manages user identifiers by disabling user identifiers after a pre-defined time period of inactivity.
4.5.1  The organization manages user identifiers by disabling user identifiers after 6 months of inactivity.
4.5.2  The organization manages user identifiers by disabling user identifiers after 3 months of inactivity.
4.6    The organization manages user identifiers by archiving user identifiers.
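The scope-based structure the deck argues for (requirement applicability decided by asset type and responsibility, then one questionnaire per Compliance Scope answered Yes/No/NA/TI), as an added Python example that is not from the deck or SCIF Software. The requirement-to-asset-type obligations come from the Asset Type Correlation slide and the Audit and Accountability table; the asset inventory, scope labels, answers, and the reading of TI as "technically infeasible" are assumptions made for the example.

```python
"""Scope-driven CIP questionnaire model (added example; not the deck's own tooling).

Each requirement carries an obligation keyed by asset type, each asset sits in a
compliance scope, and the scope's questionnaire is answered per asset with
Yes/No/NA/TI.  Asset names, scope labels and answers are constructed.
"""
from dataclasses import dataclass

# Obligations per asset type, from the "Asset Type Correlation" slide (CIP-005 R1)
# and the Audit and Accountability table (CIP-005 R3, CIP-007 R5.1.2, CIP-003 R4).
REQUIREMENTS = {
    "CIP-005 R1": {
        "Device": "must reside within an Electronic Security Perimeter",
        "Application": "must reside within an Electronic Security Perimeter",
        "Network": "must document ESPs and identify all access points",
        "Organization": "must document ESPs and identify all access points",
    },
    "CIP-005 R3": {
        "Network Access Point": "monitor and log access to the ESP 24 hours a day",
    },
    "CIP-007 R5.1.2": {
        "Device": "generate 90 days of user account access logs",
        "Application": "generate 90 days of user account access logs",
    },
    "CIP-003 R4": {"Information": "identify, classify and protect CCA information"},
}

# TI is read here as "technically infeasible" (an assumption; the slide lists the
# answer set as Yes/No/NA/TI without expanding it).  CIP-007 R2.3 is the model for
# what a TI answer needs: a documented compensating measure or risk acceptance.
VALID_ANSWERS = {"Yes", "No", "NA", "TI"}


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str
    scope: str  # compliance scope label, e.g. "CCA" (constructed)


def obligations_for(asset):
    """Return {requirement: obligation} that applies to this asset's type."""
    return {req: by_type[asset.asset_type]
            for req, by_type in REQUIREMENTS.items() if asset.asset_type in by_type}


def questionnaire_for_scope(inventory, scope):
    """One questionnaire per scope: the union of requirements over its asset types."""
    reqs = set()
    for asset in inventory:
        if asset.scope == scope:
            reqs.update(obligations_for(asset))
    return sorted(reqs)


def gaps(asset, answers, compensating=frozenset()):
    """Findings for one asset's answers.

    'No' is an open gap; 'TI' without a documented compensating measure is a gap
    (CIP-007 R2.3 pattern); 'NA' contradicts the scope model, which already
    decided the requirement applies to this asset type; unanswered is a gap.
    """
    findings = []
    for req, obligation in obligations_for(asset).items():
        answer = answers.get(req)
        if answer is None:
            findings.append(f"{req}: unanswered ({obligation})")
        elif answer not in VALID_ANSWERS:
            raise ValueError(f"{req}: invalid answer {answer!r}")
        elif answer == "No":
            findings.append(f"{req}: control not in place ({obligation})")
        elif answer == "TI" and req not in compensating:
            findings.append(f"{req}: technically infeasible but no compensating "
                            "measure or risk acceptance documented")
        elif answer == "NA":
            findings.append(f"{req}: answered NA but applies to {asset.asset_type}")
    return findings


# Constructed inventory: the telemetry server and the ESP border firewall that the
# "Asset Based Structure Limitation" slide contrasts, plus an application.
INVENTORY = [
    Asset("telemetry-server-01", "Device", "CCA"),
    Asset("esp-firewall-01", "Network Access Point", "ESP access control"),
    Asset("scada-hmi", "Application", "CCA"),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(asset.name, gaps(asset, {"CIP-005 R1": "Yes", "CIP-007 R5.1.2": "TI"}))
```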

Compliance Review Process
(diagram; not recoverable from the transcription)

Governance Actions
- Document ongoing activities required by the standard, e.g.
  - Review logs
  - Review users
  - Update and approve policies
  - Review compliance artifacts
- Correlate those activities to assets in-scope
- Create checklists to ensure activities are completed

Summary
The difficulties inherent in the CIP Standards:
- Inconsistent granularity of requirements
- Inconsistent implementation within an organization
- Confusing asset categories
are best mitigated through a documented interpretation of the Requirements based on the assets within scope.
This provides a high level of effective communication and supports an efficient compliance management program.

Thank You
Questions? Comments. Concerns!

