Policy Migration

Schedule a 15 minute discovery call today with Technically Creative Experts

Webinar Replay

Watch Technically Creative discuss the importance of properly migrating your policies. Policy migration is proving to be one of the most complex, time consuming, and critical pieces of the CA Data Protection migration process you may select the best system on the market but without well-defined and developed policies in place, you leave yourself exposed to a tremendous amount of risk. When it comes to policy migration, Success is in the details!  Webinar Replay is available here.

IDENTIFY POLICY STAKEHOLDERS

Each firm has different stakeholders when it comes to policy, but two main categories that are common are those responsible for policy definitions and those responsible for sign off on acceptance criteria.

Not all firms have just these two categories. In some firms, IT, compliance, control room, legal and other groups have a stake in policy. Ensure you accurately define the signoffs and process for testing and releasing policies.

If you currently have a process in place and have your policies properly defined, the migration process is simplified. In some cases, the destination vendor may be able to pick up that documentation and greatly improve the migration success.

THE NEED, PURPOSE & THE CORRELATION TO ANY REGULATION

Who is being excluded from the policy (if anyone)? The people, the person, the organization group – identifying these people is critical, as missing the person and not applying the proper policy can be a huge gap.

What is the overall objective of this policy? Always think about the content you need to cover. Are you looking for insider trading? People discussing a reward on the side for work, or even the new rules around incentives, be sure to write out what you are targeting.

Email subject, body, or attachment, in web activity, in a file on a share, sent to a printer, instant messaging, different channels – options vary among vendors.

When sent externally, one individual sends to another individual in a different department, when only internal, when containing a person in the research group? Is there an attachment is present? When the mail is sent out of normal business hours. Each vendor has different options to handle this and, in some cases, they don’t have an option, so be sure to review your supervision requirements with the next vendors options.

Is there an internal risk?  Is there a regulatory concern this policy is associated with?  Did something happen at the firm? All of these questions and the documentation of your policy are essential for making sure your policy is well covered going forward.

FILL THE GAPS

Do you have adequate policy coverage to cover your supervision requirements?

When examining a new solution, this is the perfect opportunity to review your current coverage and examine any gaps.

Policy development process:

The policy lifecycle is probably the most critical piece to the health of your supervision system. Having an effective policy lifecycle where you evidence changes and validate no loss of your true positives is critical to staying out of sight of the regulators.

  • Do you have one ?
  • Do you think you have one ?
  • Do you need help creating one ?

Analysis 01

More than just looking at what you have but also looking at what you are supposed to have. During the analysis phase, the stake holder must be involved; this includes anyone that holds a weight into what policy needs to cover or what the firm’s concerns are in communications. Remember that these do not need to be regulatory items but can also be risks related items.

For example, having a policy that covers customer complaints but doesn’t include terms like “you messed up” or like monitoring for gifts and entertainment without the word gift in the policy. This was actually something several firms were cited for in recent years. We know the word hits a lot, but with any good supervision solution, you should be able to reduce the hits based on when the use of the word is not an issue.

Design 02

When it comes down to the actual design of a policy, each vendor has different capabilities and thus a different design process. The key points in every system related to design are still the same – what do you need to find? – and document it well enough to build it. Keep in mind design can be based off your original policies or starting from scratch with constructing new ones that came out of the analysis phase.

Construction 03

Regardless of the system, the difficult part is actually building what we just documented.

Once we dive into construction, this is where the resources are really being utilized – from setting up the system, establishing data sets, actually constructing the policy and running data through the system – to test and validate the results before even stepping into the refinement cycle.

Refinement 04

Technically Creative will work with the client to review the results of the constructed policy potentially running through multiple cycles of ingestion and review of the captures content.

Release 05

Probably the highest stress point of this entire cycle is actually putting all those changes into production. It is always strongly advised that you have test users and test events for the policy – potentially also incorporating your changes to run through the system, to confirm proper capture.

Validation & Reporting 06

It is always smart to be proactive and run an analysis and trend across all of your changes – from things like your capture rates to frequent violators and frequent language results in hits. Technically Creative frequently sees cases where after a week, policy violations have sky rocketed due to a simple phrase in common documents which causes violations. The faster you jump back to the refinement phase to fix something like that, the more your reviewers will appreciate you.

Technically Creative can do a quick evaluation to ensure your policy’s coverage is as complete as it should be and you have all the necessary documentation. Technically Creative offers a free assessment on the core components related to supervision.

Technically Creative has been providing integral policy services spanning each version of the CA Data Protection communication surveillance product. Our extensive experience combined with a unique approach to building contextual-based linguistic rules ensures that each policy we build captures the most relevant content effectively and efficiently, while reducing any extraneous noise. We have gained a reputation as an industry leader, backed by the quality of our work and the thanks of our clients.

Policy Development Strategies

Convert

Some firms have gone the route of extracting the lexicons and phrases from the policy and try to have the destination system interpret it. Technically Creative has seen various levels of success in going this route, but overall it resulted in extensive testing and validation.

Migrate

Usually through a migration, you end up with something better in the end due to the volume of testing you have to do on the policies. In the process you can also target issues in your current policies to make them better in the destination system. It’s even possible the new system has a function/feature.

Build New

Some vendors have what they call “out of the box” policies. Even Technically Creative with our Policy Catalog containing 200+ policies, still feel they are only a great start, but you still need to add or modify them to make them effective for your firm.

Validate and Test

It’s critical to confirm your new systems policy effectiveness. Specifically testing the results of policy “conversions” from Orchestria into new vendors. Technically Creative highly recommends that you have your policies – at least the initial policies – professionally developed. There is a sharp learning curve to becoming proficient in the new policy languages and if you don’t fully understand the differences in functionality, it can lead to some critical oversights.
Plan for maintenance and refinement, it’s critical to maintain policy, the regulators are not accepting the out of the box answers or policy anymore.

The key points you must have are:

Signoff and acceptance Signoff and acceptance process, ensuring any change has names tied to it for approval. Using a ticketing system, which also must be archived to maintain that record is important
Policy Refinement report Showing a refinement report, this is a report detailing out what line waschanged/added/removed and why
Policy Compare document Compare document, which is a literal release document showing the "before and after" policy, which must align with the refinement report
Evidence
archive
Evidencing the policy change. This involves maintaining an output of items that triggered the policy before vs after

To Learn more about Policy Migration, schedule a 15 minute discovery call today with Technically Creative Experts.

Back-To-Top