Comply (And/Or) Die: Conforming With Multiple Regulations (InformationWeek)

HIPAA, PCI, SOX, GLBA, FISMA ... the acronyms alone inspire fear and loathing. Yet compliance with one--or increasingly, several--state or federal regs is a fact of life for most companies. In this report, we discuss how to work smarter, not harder, with a focus on delivering solid bang for the corporate buck.

InformationWeek Green, January 25, 2010 issue.

Once upon a time, CIOs considering a new project or purchase weighed whether it helped IT support the core mission of the business. Now, for most of us, the decision process is laced with the additional complexity of asking, "Will this also help us with compliance?" Moreover, the days when we had to worry about only one regulation are mostly gone--when we asked the 379 respondents to our InformationWeek Analytics survey on regulatory compliance how many requirement sets their organizations are addressing, the No. 1 answer was four or more, at 35%. Add to that ongoing budgetary pressure and a political climate that seems to favor more, not less, regulation, and who can blame IT groups for feeling stretched to the limit?

Fortunately, with careful planning there are ways to work smarter and cover multiple compliance mandates at once. In our full report, we help IT come to grips with the daunting task of addressing the myriad controls involved when you must comply with two or more regulations. By focusing on similarities and overarching concepts and requirements, IT can target high-value areas and add efficiency. The key is to focus resources on controls that satisfy several mandates at once and to structure the program so that each control, once implemented and documented, can be shown to an auditor for every regulation that requires it, rather than building a separate effort per regulation.

Sounds like good advice for everyone, right? In fact, we take the fairly uncommon standpoint that our increased focus on regulatory compliance has had many positive effects for IT, in particular around information integrity and protection. But it has raised troublesome issues as well. Regulatory compliance tends to encompass some of the most disliked facets of technology and process--particularly, a prescriptive set of requirements backed by the threat of dire consequences if rules aren't adequately met. Yet, IT controls in many regulations are qualified with squishy terms, such as "appropriate security" or "reasonable protection."

There Is A Path

With the "audit-proof security program on a shoestring budget" ideal in mind, let's explore the scope of the problem. Only a minority of the 379 respondents to our survey are wrestling with just one standard; almost 80% are dealing with at least two regulatory requirement sets simultaneously. And single-compliance organizations shouldn't get too comfortable. Generally speaking, the past decade brought a marked increase in regulatory oversight of sensitive information, and that trend continues at both the state and federal levels.

"Infosec pros have long complained that FISMA is not a threat reduction or risk mitigation framework--it's a giant exercise in covering one's posterior," says Michael A. Davis, CEO of security consultancy Savid Technologies and an InformationWeek contributor. Davis recently spoke with Dr. Ron Ross, a senior computer scientist with NIST and lead on the agency’s FISMA implementation project, about plans to make the regulation more effective. Ross says that, instead of providing more control guidelines, NIST is going to become more prescriptive, similar to PCI. It plans to provide more methods and processes that can be quickly implemented and that generate measurable outputs. Furthermore, Ross says, the agency wants these prescriptive controls to be more targeted to the threats that organizations are seeing in the real world.

The full article appears in the January 25, 2010 issue of InformationWeek.

Multi-Compliance Report
We outline a comprehensive strategy for aligning security efforts with regs to save time and money. Download this report for 41 pages of action-oriented analysis, packed with 26 charts.

What you'll find:
  • Seven key areas of overlap for HIPAA and PCI DSS
  • A rundown of the Top 5 standard security frameworks
  • The three must-have security policies and the top four technical control areas that auditors will look for
