5 Compliance Musts

If you are in charge of IT and/or Security and you do not have that compliance and/or auditor twinkle in your eye, you might twinge each time someone says PCI, HIPAA, ISO, GLBA, SOX, or any other regulation or evil acronym that might be thrown your way.

Depending on your environment and your experience with compliance, the hardest part is knowing what applies within your organization. If faced with an auditor, you will have to show due diligence and due care. As they used to say, “Knowing is half the battle!” Due diligence is just that: knowing, researching, and understanding what regulations apply within your organization and how your organization complies with them. Due care is the act of implementing controls, remediating issues found, and showing that the proper controls are in place and are effective.

Please note that this is a high-level methodology for compliance. Additional assessment and expertise may be required depending on the size of the organization and which regulations are found to apply to it.

1. Know Who Is in Charge in Your Organization

Who within the organization is normally in charge of compliance? Within more mature organizations, someone within the legal department generally holds the title Chief Compliance Officer. This person is in charge of researching and identifying which compliance frameworks and regulations are required.

Internal auditors are responsible for ensuring that the controls identified within the organization are in place and effective. Even if you are a seasoned Compliance Officer, it is rarely advisable to do it alone. Others within the organization, third parties, and management approval may need to be called upon to ensure you are headed down the right path.

2. Know Your Organization and Industry

The second step to compliance is understanding what your organization does and which industry or industries your organization fits into. Knowing this can help in the first stage of gathering the different regulations or frameworks. When working through the other steps, additional regulations and control frameworks may be uncovered, so don’t panic if you do not find everything in the first stage.

Many online industry websites have a list of known regulations and possibly can provide some guidance on how they would apply within each organization. Some additional factors that may play into this include where your organization does business. There are many local, national, regional, and possibly internal regulations that an organization would have to follow.

Another factor is how your organization receives revenue. Does the organization work on cash only, take credit cards, or have an ecommerce site? Maybe your organization is a publicly traded company or a not-for-profit organization. What type of contracts does your organization currently have with its customers, service providers, and other third parties? At this stage, it is essential to interview upper management to gather as much information and detail about the organization as possible.

3. Know Your Business Processes

The third step and the first step may seem redundant; however, it is in the third step where we dig even deeper and perform business process mapping to understand each process within each department. This sheds light on what systems and information are being used every day within the organization. This can be of the utmost importance in that it can bring out even more regulations and compliance frameworks that might not have been determined within the second step.

The business process mapping itself entails interviewing each line of business or department. The objective is to understand what type of information is collected, stored, transmitted, and processed within the environments. This is accomplished by following the flow of information from creation to destruction. Not only must there be tracking of electronic information, but also of paper and other forms of media.

4. Perform a Gap Assessment

After all of the previous steps have been completed, it is then time to analyze and determine what compliance and regulation requirements truly apply within the organization. This is where additional expertise and research would be needed to understand what specific data applies or needs to be protected by each regulation or compliance framework.

Which processes and systems would need additional requirements and controls in place to become compliant? This is where a detailed gap assessment for each regulation and control framework takes place. Its purpose is to confirm that each regulation applies within the organization and to identify what additional controls need to be put in place.

5. Create a Remediation Plan, Remediate, Assess, and Repeat

After performing the gap assessment and understanding what controls apply and are missing, the due diligence portion of compliance has been completed. There is now a clear understanding of what is expected of the organization. The organization must create and implement a plan of remediation to start becoming fully compliant. This is the start of the due care portion of the process, and it should be ongoing. The plan may include implementing technical controls such as encryption technologies, or policies and procedures to ensure controls are defined, followed, and enforced.

More assessments may need to be done as well, such as a vulnerability assessment, penetration testing, and policy reviews. Additionally, a risk management program may need to be developed to ensure that different risks are identified, addressed, and remediated on a continual basis.

Compliance is not a one-time assessment. It is a continual cycle that requires maintenance on a regular basis. Just as regulations and compliance frameworks can change, so can the organization.

Acquisitions, mergers, and new services or products may introduce new regulations within the organization. As with any regulation or compliance framework, if it is not maintained, the organization can fluctuate from compliance to non-compliance even within a given day.


3 responses to “5 Compliance Musts”

  1. January 19, 2011

  So often our readers comment about the difficulty of getting management to address information security as more than a critical component of the Information Technology department's business continuity planning process. And in doing so failing to realize that ownership of information security belongs to everyone and every department in the organization, especially to the point that failure to enact information security controls in any single part of the quality management system and control process can well cause economic penalties beyond the organization's ability to survive those penalties.

  Cybersecurity issues and all of those dynamics of moving to cloud computing play an important part of the total process of controlling information security in any organization. Has your organization decided to move some or its entire core IT operations to the cloud? If so, does your company realize the risks surrounding what they may be considering to be simply a major cost reduction effort? Have they performed a what-if business impact analysis for best case, worst case scenarios where disruptive events may affect both the informational security breach potentials as well as the levels of operational resilience of your company?

  Moving more and more IT operations to a cloud environment seems to be more and more of a suggested strategy for protecting against these potential areas of threat and risk, especially for small and mid-sized companies. And if we assume that to be the case, then certainly a strong area of consideration for moving to the cloud involves an evaluation of maintaining at least current levels of compliance requirements for your organization, let alone those areas of constant change in requirements that come with every organization's attempts to always be compliant with the requirements in their target market as well as those federal regulated requirements coming from the countries in which their organization does business.

  It is with this point in mind that our staff recommends reading an article written by Joseph Granneman, CISSP, recently posted in the electronic version of the and entitled “Staying Compliant in the Cloud.” In this article Mister Granneman states the cloud computing revolution is upon us. It is impossible to ignore the talk everywhere about potential uses and cost savings for this new style of computing. This is a new frontier for computing that comes with a new set of risks, and organizations need to be prepared.

  We believe this is one of the better written articles on this topic and that this information should be added as required reading for all information security, network security, compliance, data security, and compliance risk management team members in your organization. The better protection over all information security related issues to your organization and within your total business continuity planning process, the better prepared your organization will be to face those inevitable cloud computing challenges in the future.
