Sep 09, 2009
Comply (and/or) Die: Affordable Conformance With Multiple Regulations
When we asked the 379 respondents to our InformationWeek Analytics Regulatory Compliance survey how many requirement sets their organizations are addressing, the No. 1 answer was four or more, at 35%. Add to the mix a political climate that seems to favor more regulation, not less, along with ongoing budgetary pressure, and who can blame CIOs for feeling stretched thin? After all, IT earns its keep by seamlessly supporting mission-critical systems. That’s hard to do when responsibilities are piling up.
Fortunately, there are ways to work smarter and, as the adage goes, kill a few birds with one stone. In this report we’ll help IT come to grips with the daunting task of addressing the myriad controls involved in complying with two or more regulations. By focusing on similarities and distilling the overarching concepts and requirements, those embarking on compliance projects can target high-value control areas and gain efficiency. The key is to focus resources and structure your strategic process so that controls remain usable across multiple regulatory standards. For groups that have been wrestling with compliance for some time, we’ll help evaluate the effectiveness of existing strategies and suggest ways to balance regulatory requirements, the user experience and security.
We’ll also discuss some broad security program frameworks to illustrate the universe of useful policies, suggest an approach to forming a plan, and recommend a few discrete areas where implementing security controls can not only help the IT organization be more effective, but also address a range of specific requirements. To help bound the scope of our discussion, we’ll primarily focus on the ISO 27001/2 information security standard, PCI-DSS and HIPAA.
For organizations looking to tackle a single compliance area, this report is still worth reading. Strictly speaking, since you don’t need to worry about the intersection of regulations, addressing one set of requirements allows for many more choices as to where to begin. We’ll help narrow that set of proposed starting points with an eye toward future regulatory needs. Ultimately, with any strategic plan or tactical control, the key is to identify areas that maximize value and enhance operational effectiveness. To succeed, CIOs need both a long-term plan and some quick wins to show verifiable progress. So get out those Venn diagrams, exchange the propeller cap for the strategic program hat and get ready to comply.