Avoid duplicated efforts to cut the cost of regulatory compliance

Is the cost of regulatory compliance busting your budget? If so, you’re not alone. Many businesses are overhauling their information systems and management processes to fall in line with regulatory requirements being forced upon them. But the cost of regulatory compliance does not have to break the bank, if you have the right mind-set and take a smart approach. Specifically, you need to figure out where you’re duplicating your efforts and doing things you don’t really need to do.

First, it’s important to remember that a compliance strategy should be a side effect of a larger information risk management program. This one aspect alone can save you more money and time than anything else, because it allows you to keep everything in perspective. I see so many organizations struggle to become “compliant” with, say, HIPAA. Then once they reach compliance in that area, they move on and struggle to become compliant with PCI DSS, and so on. It’s a continual cycle of starting anew with each compliance regulation until things are in check. All along, new processes and new systems are added that create complexities hardly anyone can afford to take on.

Figure 1 shows some common duplicated efforts in the name of a compliance strategy:

Figure 1 – Compliance duplication can have a hefty price tag and hinder business progress.

In my work, I often see numerous areas of overlap and redundancy. Look at the gist of the information security and privacy regulations you’re up against, and you’ll see that you can address most issues across the board by simply approaching things from an information risk perspective. In fact, many of the regulations require a formal risk assessment up front, but this is often skipped. Or people assume they know what needs to be done and just put policies and technical controls in place without looking at the big picture.

Depending on where you currently are with your compliance strategy (the more advanced, the better), a great thing to do is an exercise in zero-based thinking. This is where you step back and ask yourself: If our compliance strategy were perfect in every single way, how would it be different from the way things exist right now? What would we need more of? Less of? What would we do, or not do, knowing what we now know?

Regardless of what others are telling you, don’t purchase or implement a single thing in the name of compliance until you figure out where your company currently stands, what controls you already have in place and what it’s going to take to fill the gaps moving forward. The reality is the cost of regulatory compliance does not have to be expensive, but it’s often made that way because people are rushing to put things in place to meet deadlines and please their auditors.

Take a hard look at how you’re currently addressing your compliance strategy. Placing a critical eye on your processes, policies and technologies will undoubtedly uncover numerous ways you can simplify things. As with other things in IT, simplicity is key -- if you don’t want compliance to make you crazy.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.

This was first published in May 2011
