News | 4/24/2012 12:43 PM
Compliance Policy Development: Do's And Don'ts

Consider this advice to make sure your governance and compliance policies are written wisely.

Compliance fatigue can afflict just about any enterprise facing the growing list of regulatory requirements putting pressure on its security practices. Sometimes it might seem that there is just not enough money or time to keep up. But governance, risk, and compliance (GRC) experts believe that the key to bringing things into equilibrium is a solid foundation set by unified policies that guide security standards and procedures to both minimize risk and comply with regulations now and in the future.

Unfortunately, many organizations today fail to do a good job establishing effective policies. Dark Reading recently talked to some experts in the industry, who offered some helpful tips on what organizations should and shouldn't be doing when developing their security and compliance policies.

-- Don't get bogged down in individual regulations. "Organizations today have numerous government and industry-specific regulations that they need to be mindful of," said Andres Kohn, VP of technology at Proofpoint. "The evolving regulatory environment becomes even more complicated due to multi-regulation and cross-border regulations."

Not to mention that Gartner predicts that by 2014, 70% of IT risk and security officers in Global 2000 organizations will be required to report annually to the board of directors on the state of security, Kohn said. He believes that with so many individual requirements, it can be easy to get mired in the details.

"Don't be bogged down by specific regulations," he said, warning that creating policies off-the-cuff to fit specific regulatory mandates can lead to trouble. It makes more sense to develop a policy framework that can be managed and adjusted as required by all risk considerations, including new mandates.

-- Do let risk lead policy decisions. No matter what industry you're in, Rick Doten, vice president of cyber security for DMI, says it is important to always remember security's number one motivator: cyber security is all about managing risk. So let risk considerations lead policy decisions and then map compliance reporting to that, not vice versa.

"For instance, regulatory compliance is considered one of the primary business risks for industries such as the energy utilities. The National Energy Regulatory Commission (NERC) can fine a company up to $1 million a day for non-compliance," Doten says. "Others, such as the large financial institutions, have dozens of regulations they need to follow. They focus on building a security program where controls are appropriate to protect the business, and consider regulatory compliance as merely a reporting exercise to show how their controls map to meet the regulatory criteria."

Read the rest of this article on Dark Reading.
