Achieving cyber compliance for export controls requires organizations to develop the capability to identify which data is subject to which regulations and to implement controls governing the location, access and transfer of regulated data.
Export Compliance professionals struggle to understand IT and IT professionals struggle to understand export compliance. As a result, many companies are unable to effectively understand and address the export compliance risks inherent in IT environments. Export Compliance risks exist in IT networks and systems like never before.
- Office 365 Environment
- Email Servers
- Third-party Network Access
- Foreign National Employee Controls
- Global Collaborative Environments
TC Engine’s assessment evaluates two separate aspects of the company’s compliance program:
- Trade Compliance Automation – the implementation of electronic forms, workflows, databases and reports to execute, manage and monitor Trade Compliance processes, and
- Trade Compliance in IT Environments (commonly referred to as “Cyber Compliance”) – the implementation of Trade Compliance requirements into IT practices and systems to ensure the administration, creation, storage, access and transfer of electronic data complies with regulations (e.g. ITAR, EAR, etc.) and regulator expectations (e.g. Consent Agreements).
The key elements below give a high-level description of the primary areas of interest addressed in the Export Compliance Assessment. They are consistent with regulatory requirements and industry practices, and together are considered to be TC Engine’s proprietary Temple of Compliance™ framework:
- Policy / Standard Work Management: Standard Work Management includes policies, processes, procedures and tools (e.g. forms, checklists and automated solutions) that provide clear guidance and mechanisms satisfying Trade Compliance requirements and controls.
- Business Landscape Management (BLM): BLM addresses a company’s ability to readily identify legal entities, management structure and organizational structure.
- Identity Management (IDM): IDM includes ensuring proper capture, validation, maintenance, and use of employee, contractor, and business partner representative identity attributes.
- Business Partner Management (BPM): BPM includes a standard process ensuring proper capture, validation, maintenance, and use of business partner attributes in the day-to-day business transactions.
- Restricted Parties List (RPL) Management: RPL includes a standard process to ensure a company does not conduct business with restricted parties, record-keeping related to the execution of the screening, justification of the vetting results for hits returned, recurring screening on a periodic basis, and the use of the result of the vetting process to impact business transactions.
- Jurisdiction, Classification, and Marking Management (JCM): JCM includes a standard process to ensure defense articles, including technical data (i.e. information, software, etc.) and defense services, are properly assigned a jurisdiction, classification, adequate jurisdictional marking to prevent unauthorized exports, and detailed records on the logic utilized in this process.
- Export Authorization Management (EAM): EAM addresses a company’s awareness of how and when an export authority is required to support a transaction. This includes having a defined process for submitting such a request to the compliance team for further processing and action.
- Transaction Verification Process (TVP) Management: TVP defines the control points at which a company should design and implement systematic controls and review cycles in business functional transactions (e.g. shipments, technical data transfers, etc.) to verify compliance with export control requirements and prevent unauthorized exports of defense articles, including technical data and defense services, while maintaining evidence of compliance in business functional transactions.
- Incident, Investigation, Escape, and Disclosure (IIED) Management: IIED includes a standard process to ensure potential Trade Compliance escapes are properly reported, documented, investigated, and disclosed.
- Assessment, Audit, and Oversight Management (AAM): AAM includes a standard process to ensure potential and actual Trade Compliance risks are regularly assessed and audited in business functions, processes and transactions.
- Corrective Action Management (CAM): CAM includes a standard process to ensure effective corrective actions are designed, reviewed to ensure effectiveness, implemented and monitored to address potential and actual Trade Compliance risks identified in the IIED and AAM categories.
- Training Program Management (TPM): TPM includes a standard process to ensure employees who participate in export controlled transactions are properly trained on an annual basis on how day-to-day transactions are impacted by these regulations.
Upon completion of the Assessment, TC Engine will provide a detailed analysis of the company’s ability to centrally facilitate the identification, control and tracking of technical data across the enterprise, with specific recommendations for achieving IT export compliance through process, tools and training.
Contact TC Engine to find out more.