Canadian IT Manager's Blog

Broadly connecting Canadian Infrastructure and Development Managers through career, industry and technology insight.


How do you architect for regulatory compliance?

I know this is a hot topic for IT managers. In a recent poll of CIOs, it ranks number one, even ahead of security. So now the question: are there models you can study to gain greater insight and provide you with some really usable guidelines?

Here is a great white paper that does just that. I found it really useful since it provides the processes and tools that the Microsoft Information Technology Group uses to “systemize the approach of supporting regulatory compliance.” And, “this approach uses a framework of common security controls, unique tools for monitoring, and IT tools for tracking and reporting compliance.”

It is worth the read to gain deeper insights.

Thank you,
Stephen Ibaraki
  • This paper has some excellent ideas for managing the multiple sets of regulations that apply to any large/public company. I will be forwarding it to our manager of corporate security and IT compliance.

    I wonder, does Microsoft have any thoughts of making publicly available the suite of tools they use internally? Would others find value in this?

  • Hi Adam,

    It's good to see you here. Do you have added insights to share from your experiences?

    Thank you,
    Stephen Ibaraki

  • Hello All, Hello Stephen,

    In October past our local CIPS chapter (Toronto) held a CIO roundtable on IT Governance. I believe many readers may find the discussion that took place enlightening, hopefully even helpful. There were a few key take home messages for me. I feel the following points are just as relevant to compliance as they are to good governance:

    • “Governance means fundamentally different things to different people.” This is equally true for compliance. I find I am frequently trying to balance architecting for the “stringent” auditor versus architecting to meet the “spirit” of the regulatory guidance.

    • “IT and corporate governance should not be treated as separate entities.” Certainly the same can be said for compliance. There is simply too much waste if IT compliance is not framed and managed within the confines of corporate compliance.

    • “The policing role of IT is a given. CIOs need to accept it, and move beyond it.” …And here I was thinking policing was the fun part of my job.

    • “In actual fact, most such regulations aren’t even focused on IT, but on transparency and accountability in financial reporting. Still, CIOs are bearing the brunt of regulatory compliance requirements as companies look to IT to provide solutions.”

    You can find the event proceedings (i.e. summarized minutes) here:

    I think many readers will also find helpful the many tangents that address what the group felt would be critical skills for future CIOs.

    And finally, before I sign off, let me take the opportunity in this public forum to congratulate you, Stephen, on your recent hat-trick of awards. Way to go!


  • Adam asked the question about whether Microsoft has a suite of tools that we use internally.

    I'm investigating this with some of our teams at HQ and will let you know what I find out.


  • It's looming and you can't ignore it. What am I blogging about? Regulatory Compliance. So take the time...
