Most companies, depending upon their industry, have to comply with anywhere from one to six or more regulatory requirements imposed by a government or industry entity to protect consumers, patients, investors and others. And the number of requirements in scope for a given company seems to increase on a daily basis as a result of a variety of recent events which include:
- Sub-prime mortgage lending practices that have left individuals homeless and investors with a fraction of their previous net worth;
- Ponzi schemes that have wiped out individuals’ entire life savings; and
- Security breaches that have exposed thousands or credit card holders to- potential identity theft and economic peril … to name just a few.
While these regulations are intended to protect us from unscrupulous activities or ill-advised management decisions by providing safeguards and promoting transparency, many of these regulations have direct implications to the management of information and therefore the complexity and cost of IT. For example, a pharmaceutical company will have to comply with 21 CFR Part 11 to meet FDA requirements, HIPAA if they store patient information and Sarbanes Oxley if they are a public company, in addition to state regulatory requirements like the recent 201 CMR 17.00 that the Commonwealth of Massachusetts will impose on companies that store personal information about Massachusetts residents if they are a Massachusetts employer.
So how do you navigate the myriad of requirements that apply to your industry and situation? Each of these requirements breaks down into a number of controls that need to be put in place based upon the risks that are relevant to your situation. In many cases, these controls are similar across regulatory requirements, but in order to make that determination you have to sort through each corresponding authority document to determine the appropriate controls and harmonize them.
Fortunately there is help available in this effort by leveraging work done by Network Frontiers, an organization that has analyzed over 600 authority documents from both an IT and legal perspective (visit for the list of authority documents currently tracked). They have harmonized the controls for well over 350 into the Unified Compliance Framework (UCF). With over 2400 controls documented, the UCF is the underpinning for a number of governance, risk, and compliance (GRC) vendors such as CA, NetIQ, Compliance Spectrum, and McAfee amongst others.
While using compliance framework such as UCF provides an opportunity to streamline and demystify IT compliance management, employing good practice standards and frameworks such as IT service management (ITSM) and ISO 27000 allows you to more easily implement these controls, measure your maturity and complete more audits successfully. Consistent, routine use of documented processes and the appropriate governance structure allow you to maintain the appropriate risk mitigation strategies and evidence that can be easily reported and verified so that your organization is not scrambling two months before the auditors come in to pull everything together.
In Practice
Good practice is foundational. Having sound change, security, incident, asset and configuration process in place lays the groundwork for assuring that risk is assessed and handled appropriately, decisions are made based on reliable information, approvals are handled effectively and by the right individuals and roles and responsibilities are well known and appropriate.
Good practice stabilizes the environment and provides a mechanism for continual improvement facilitating an effective and efficient organization. Good practices allow a mechanism for the IT organization to operate in concert enabling the management of “services” of the assurance of value to the business. Having good practice processes in place provides a platform upon which controls can be built so that as each new compliance mandate becomes relevant for your organization, it does not necessitate creating a new model specific to this purpose.
Your foundational good practice processes need only be reviewed to assure that they include the necessary measurable controls applicable to any new regulatory requirement and that the commensurate adjustments are made. As a result, the effort to incorporate new requirements should be minimized while the ongoing good practices in place contribute to business value and operational excellence.
Although the incorporation of compliance to regulatory mandates can seem daunting, there are frameworks to help you navigate the maze. Using a combination of compliance frameworks such as UCF and IT Service Management good practices such as those associated with ITIL, ISO 27000 and others can help to organize and simplify the effort and put you on the shortest path to compliance success.
Valerie Arraj is principal and managing partner for Compliance Process Partners, an IT compliance focused consulting and training company that uses service management and control objectives to help organizations lay the groundwork for compliance to regulatory and governance guidelines.