How are you handling the jumble that is regulatory compliance management? Are you keeping everything in check, or are you drowning in the regulatory compliance waters? If you're like many, you're somewhere between "exhausted but still treading" and "forget about it, let the sharks get me."
From GLBA to PCI DSS to HIPAA/HITECH and beyond, I don't envy anyone responsible for pulling the mishmash of documentation together to make it all happen -- much less maintaining it in any reasonable state for it to be useful. The disaster recovery/incident response plans, the policies, the detailed procedures, the logs, the client/business partner requests, the auditor demands and so on -- I honestly don't know how the average person in charge of regulatory compliance management does it. It's more than enough to fill full-time job duties -- especially if it's not done effectively.
Ineffective management of your documentation is one of the greatest barriers to taming the compliance beast. Here's what you can do, starting today, to get things under control and stop being a passenger on this wild ride:
- Understand what electronic information you have, how it's governed, and where it's at risk. It sounds trite, but I see so many people trying to put together compliance documentation without truly understanding the what, how and where of sensitive information. You can't fall into compliance backwards.
- Know that compliance regulation is nothing more than security "best practices" in disguise. They're all just worded differently enough to make them seem unique. They're not. All that's unique are the context and sanctions. Everything else is good old-fashioned information security common sense.
- Don't fall for the vendor hype with their point solutions. There are lots of products being marketed to help you with the Payment Card Industry Data Security Standard, others with the Health Insurance Portability and Accountability Act and so on. You don't need unique products for individual regulations. Also, don't fall for the "compliance in a box" approach. It doesn't work.
- Manage compliance from the highest level possible. Use one framework such as ISO/IEC 27002:2005 once and for all rather than addressing each and every piece of every regulation as a standalone requirement. Worried about this approach not flying with your auditors, lawyers, business partners or clients? I have several clients whom I've helped create an information risk management infrastructure in this very fashion. After many years -- and many inquiries -- the pushback is nonexistent. It's just too logical of an approach to argue against.
- Use the same policy template for all policies across the board. Cluttered, overlapping policies are one of the biggest compliance hindrances I see. A guided approach to policy development and management using a consistent security policy template is the only reasonable way to go. You'll save a few trees, to boot.
Regulatory compliance management is as much about goal setting and time management as it is about information security. If you don't manage compliance from the highest level possible, you'll drive yourself nuts and drown in documentation. The outcome will be increased complexity in your information systems, which has been proven to serve one purpose: create more risk. Perhaps the time has come to get this thing we call compliance under control once and for all?
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. He has authored/co-authored seven books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. He can be reached at www.principlelogic.com.