Priorities for your sound regulatory compliance management policy


Kevin Beaver, Contributor
10.19.2009




How are you handling the jumble that is regulatory compliance management? Are you keeping everything in check, or are you drowning in the regulatory compliance waters? If you're like many, you're somewhere between "exhausted but still treading" and "forget about it, let the sharks get me."

From GLBA to PCI DSS to HIPAA/HITECH and beyond, I don't envy anyone responsible for pulling the mishmash of documentation together to make it all happen -- much less maintaining it in any reasonable state for it to be useful. The disaster recovery/incident response plans, the policies, the detailed procedures, the logs, the client/business partner requests, the auditor demands and so on -- I honestly don't know how the average person in charge of regulatory compliance management does it. It's more than enough to fill full-time job duties -- especially if it's not done effectively.

Ineffective management of your documentation is one of the greatest barriers to taming the compliance beast. Here's what you can do, starting today, to get things under control and stop being a passenger on this wild ride:

  • Understand what electronic information you have, how it's governed, and where it's at risk. It sounds trite, but I see so many people trying to put together compliance documentation without truly understanding the what, how and where of sensitive information. You can't fall into compliance backwards.
  • Know that compliance regulations are nothing more than security "best practices" in disguise. They're all just worded differently enough to seem unique. They're not. All that's unique is the context and the sanctions. Everything else is good old-fashioned information security common sense.
  • Don't fall for the vendor hype with their point solutions. There are lots of products being marketed to help you with the Payment Card Industry Data Security Standard, others with the Health Insurance Portability and Accountability Act and so on. You don't need unique products for individual regulations. Also, don't fall for the "compliance in a box" approach. It doesn't work.
  • Manage compliance from the highest level possible. Use one framework such as ISO/IEC 27002:2005 once and for all rather than addressing each and every piece of every regulation as a standalone requirement. Worried that this approach won't fly with your auditors, lawyers, business partners or clients? I have several clients whom I've helped create an information risk management infrastructure in this very fashion. After many years -- and many inquiries -- the pushback is nonexistent. It's too logical an approach to argue against.
  • Use the same policy template for all policies across the board. Cluttered, overlapping policies are one of the biggest compliance hindrances I see. A guided approach to policy development and management using a consistent security policy template is the only reasonable way to go. You'll save a few trees, to boot.

Regulatory compliance management is as much about goal setting and time management as it is about information security. If you don't manage compliance from the highest level possible, you'll drive yourself nuts and drown in documentation. The outcome will be increased complexity in your information systems, and added complexity serves only one purpose: creating more risk. Perhaps the time has come to get this thing we call compliance under control once and for all?

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. He has authored/co-authored seven books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. He can be reached at www.principlelogic.com.


All Rights Reserved, Copyright 2009, TechTarget | Read our Privacy Policy