Since 1999, there has been a dramatic rise in information security regulations. Gramm-Leach-Bliley (GLB) and the Health Insurance Portability and Accountability Act (HIPAA) came out in 1999, with the Sarbanes-Oxley Act (SOX) following in 2002.
Moreover, privacy and accountability concerns have given rise to an increasing number of voluntary standards—such as ISO 17799 and CobIT—with which businesses must comply to remain competitive and ensure business partner and consumer confidence.
Unlike traditional regulations, which govern uniform business practices for a single industry, information security regulations can span multiple industries, as well as weave into the data flow or outsourced relationships through secondary and tertiary applications to business partners.
As a result, many heavily regulated companies are forced to comply with multiple federal, state and international mandates, which takes a significant toll on corporate resources. In an attempt to balance the numerous industry and federal regulations facing them, many companies installed unique IT controls for each individual mandate and quickly became mired in compliance silos.
But there are businesses that have found a way to successfully jump the multi-regulation compliance hurdle. Essentially, they have found a way to collapse the silos.
The staggered maturity of the different regulations caused many businesses to treat each regulation as an independent project. As each new regulation came into play, it is rarely integrated into existing compliance activities and assigned its own resources.
Many businesses have committees and/or business units driving individual initiatives, which over time can lead to redundant control measures. Without developing a controls matrix to trace the existing applications across the enterprise, businesses may not even be aware of redundant controls and overlapping resources.
Although the goals of the multiple information security regulations may be different, there are six basic commonalities between the prevalent regulations, such as SOX, HIPAA, Payment Card Industry Data Security Standard (PCI), and ISO27001.
At first glance SOX and HIPAA do not seem to have much in common. HIPAA protects patient information, while SOX aims to reform corporate accounting practices and safeguard investors.
All of these mandates, however, require an incident response plan; a business continuity and disaster recovery plan; physical and logical controls over access to data; hiring, retention, and termination policies; and data backup and recovery procedures.
Once the decision has been made to streamline compliance initiatives, there are several steps an organization must follow, starting with the appointment of a “compliance Czar” to lead the project. Next, the organization should identify all the global mandates they are required to meet, and do a map-and-gap analysis against controls in place in the corporate computing environment.
Once the mapping is complete, a matrix should be created to pinpoint where the crossover of controls occurs and where they can be collapsed to satisfy requirements. From here, the compliance officer can identify reports for each control that satisfy multiple regulatory requirements.
It is critical that the business encourage disparate departments to work together and share resources effectively. The compliance officer should have the authority to appoint a cross-functional team to execute this project work.
But what about prioritizing controls? This should occur during the cross-teaming and matrix exercises, and should be driven by business requirements, rather than compliance concerns.
For example, there is no reason for any business to have multiple incident response plans for each regulation. A single corporate-wide incident response plan should be written to accommodate both SOX and HIPAA.
Similarly, there is no need to deploy different physical access controls to satisfy multiple regulations—a single key card or biometric deployment can satisfy many regulations. The mapping and priority exercises may also reveal older controls that have been overlooked or neglected, or controls that can be discarded.
Compliance is essentially the first day of the rest of your life. It is not a one-time check box. Compliance must be managed on a continuous basis as all of the prevalent regulations and standards require businesses to manage controls in place in the live production environment over time.
Since auditors and examiners look for proof of continuous management, organizations must provide demonstrable evidence of a good faith effort and maintain a defensible compliance position. Doing so facilitates a maintenance cycle that is able to resist implementing additional controls in a knee-jerk fashion every time a new mandate is announced.
As Director of Regulatory Affairs for security consulting and managed services provider Cybertrust, Marne Gordan maintains intelligence on security and privacy for financial services, health care, federal government and international markets. Ms. Gordan is a provisional BS7799 auditor.