Video: Constructing a 'normalized' corporate compliance program

Modern IT organizations face a seemingly endless number of compliance regulations driven by industry, customers and general business rules -- and the number of rules seems to grow every day.

The trend is not going to change any time soon, either, said Mike Chapple, IT security manager at the University of Notre Dame in Notre Dame, Ind. The myriad regulations facing today's IT organizations create what he calls a "jungle" of compliance rules, complicated by varying jurisdictions and differences between federal, state and local laws.

"Whether you are in banking, health care, e-commerce or even education, there are likely a number of laws, regulations and contractual obligations that govern your IT operations," Chapple said during a webcast on building a normalized compliance program. "The compliance jungle exists because there are so many overlapping legal and regulatory requirements."

As a result, it's up to information security and compliance professionals to sort out what compliance rules apply to their organizations and figure out how to meet those requirements while still getting business done, Chapple said.


But building -- and maintaining -- a corporate compliance program is not an easy task for any organization. Regulations are constantly in flux and not very well coordinated, Chapple said, creating an environment in which governance, risk and compliance (GRC) officers are expected to not only determine how to comply with current rules, but also how to be prepared for what is coming down the road.

To offset these issues, Chapple suggests developing a "normalized" corporate compliance program -- one that combines all of a company's compliance regulations and processes into one document. This can eliminate process overlap and prevent GRC redundancies, he said.

"We need to go through and look at all of the different requirements that apply to us and try to normalize it," Chapple said. "If we follow the controls we have in place, we'll be in compliance with all of the different requirements that we're subject to. Then we can map it to the different regulations and know that, as long as we're following our own statement, we've met the requirements."

In this video webcast, learn more about building a normalized corporate compliance program as Chapple offers tips on identifying what requirements apply to your organization, tools to help map security controls to those requirements, and advice for maintaining GRC programs in the face of constantly changing regulations.

Let us know what you think about the story; email Ben Cole, associate editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
