Comply (And/Or) Die: Conforming With Multiple Regulations
HIPAA, PCI, SOX, GLBA, FISMA ... the acronyms alone inspire fear and loathing. Yet compliance with one--or increasingly, several--state or federal regs is a fact of life for most companies. In this report, we discuss how to work smarter, not harder, with a focus on delivering solid bang for the corporate buck.
Once upon a time, CIOs considering a new project or purchase weighed whether it helped IT support the core mission of the business. Now, for most of us, the decision process is laced with the additional complexity of asking, "Will this also help us with compliance?" Moreover, the days when we had to worry about only one regulation are mostly gone--when we asked the 379 respondents to our InformationWeek Analytics survey on regulatory compliance how many requirement sets their organizations are addressing, the No. 1 answer was four or more, at 35%. Add to that ongoing budgetary pressure and a political climate that seems to favor more, not less, regulation, and who can blame IT groups for feeling stretched to the limit?
Fortunately, there are ways to work smarter and cover multiple compliance mandates with careful planning. In our full report, we help IT come to grips with the daunting task of addressing the myriad controls involved when you must comply with two or more regulations. By focusing on similarities and overarching concepts and requirements, IT can target high-value areas and add efficiency. The key is to focus resources and structure the strategic process to ensure applicability across multiple regulatory standards.
Sounds like good advice for everyone, right? In fact, we take the fairly uncommon standpoint that our increased focus on regulatory compliance has had many positive effects for IT, in particular around information integrity and protection. But it has raised troublesome issues as well. Regulatory compliance tends to encompass some of the most disliked facets of technology and process--particularly, a prescriptive set of requirements backed by the threat of dire consequences if rules aren't adequately met. Yet, IT controls in many regulations are qualified with squishy terms, such as "appropriate security" or "reasonable protection."
There Is A Path
With the "audit-proof security program on a shoestring budget" ideal in mind, let's explore the scope of the problem. A minority of the 379 respondents to our survey are wrestling with just one standard, compared with the almost 80% who are dealing with at least two regulatory requirement sets simultaneously. And single-compliance organizations shouldn't get too comfortable. Generally speaking, the past decade brought a marked increase in regulatory oversight of sensitive information, and that trend continues at both the state and federal levels.
"Infosec pros have long complained that FISMA is not a threat reduction or risk mitigation framework--it's a giant exercise in covering one's posterior," says Michael A. Davis, CEO of security consultancy Savid Technologies and an InformationWeek contributor. Davis recently spoke with Dr. Ron Ross, a senior computer scientist with NIST and lead on the agency’s FISMA implementation project, about plans to make the regulation more effective. Ross says that, instead of providing more control guidelines, NIST is going to become more prescriptive, similar to PCI. It plans to provide more methods and processes that can be quickly implemented and that generate measurable outputs. Furthermore, Ross says, the agency wants these prescriptive controls to be more targeted to the threats that organizations are seeing in the real world.