Comply (And/Or) Die: Conforming With Multiple Regulations

HIPAA, PCI, SOX, GLBA, FISMA ... the acronyms alone inspire fear and loathing. Yet compliance with one--or increasingly, several--state or federal regs is a fact of life for most companies. In this report, we discuss how to work smarter, not harder, with a focus on delivering solid bang for the corporate buck.
InformationWeek Green - January 25, 2010

Once upon a time, CIOs considering a new project or purchase weighed whether it helped IT support the core mission of the business. Now, for most of us, the decision process is laced with the additional complexity of asking, "Will this also help us with compliance?" Moreover, the days when we had to worry about only one regulation are mostly gone--when we asked the 379 respondents to our InformationWeek Analytics survey on regulatory compliance how many requirement sets their organizations are addressing, the No. 1 answer was four or more, at 35%. Add to that ongoing budgetary pressure and a political climate that seems to favor more, not less, regulation, and who can blame IT groups for feeling stretched to the limit?

Fortunately, there are ways to work smarter and cover multiple compliance mandates with careful planning. In our full report, we help IT come to grips with the daunting task of addressing the myriad controls involved when you must comply with two or more regulations. By focusing on similarities and overarching concepts and requirements, IT can target high-value areas and add efficiency. The key is to focus resources and structure the strategic process to ensure applicability across multiple regulatory standards.

Sounds like good advice for everyone, right? In fact, we take the fairly uncommon standpoint that our increased focus on regulatory compliance has had many positive effects for IT, in particular around information integrity and protection. But it has raised troublesome issues as well. Regulatory compliance tends to encompass some of the most disliked facets of technology and process--particularly, a prescriptive set of requirements backed by the threat of dire consequences if rules aren't adequately met. Yet, IT controls in many regulations are qualified with squishy terms, such as "appropriate security" or "reasonable protection."

There Is A Path

With the "audit-proof security program on a shoestring budget" ideal in mind, let's explore the scope of the problem. A minority of the 379 respondents to our survey are wrestling with just one standard, compared with the almost 80% who are dealing with at least two regulatory requirement sets simultaneously. And single-compliance organizations shouldn't get too comfortable. Generally speaking, the past decade brought a marked increase in regulatory oversight of sensitive information, and that trend continues at both the state and federal levels.

"Infosec pros have long complained that FISMA is not a threat reduction or risk mitigation framework--it's a giant exercise in covering one's posterior," says Michael A. Davis, CEO of security consultancy Savid Technologies and an InformationWeek contributor. Davis recently spoke with Dr. Ron Ross, a senior computer scientist with NIST and lead on the agency’s FISMA implementation project, about plans to make the regulation more effective. Ross says that, instead of providing more control guidelines, NIST is going to become more prescriptive, similar to PCI. It plans to provide more methods and processes that can be quickly implemented and that generate measurable outputs. Furthermore, Ross says, the agency wants these prescriptive controls to be more targeted to the threats that organizations are seeing in the real world.


Multi-Compliance Report
We outline a comprehensive strategy for aligning security efforts with regs to save time and money. Download this report for 41 pages of action-oriented analysis, packed with 26 charts.

What you'll find:
  • Seven key areas of overlap for HIPAA and PCI DSS
  • A rundown of the Top 5 standard security frameworks
  • The three must-have security policies and the top four technical control areas that auditors will look for
