Put the 'i' in IT compliance: a holistic, program-based approach can address security and privacy requirements

Communications News, Dec, 2008 by John Linkous

Today's information security and privacy compliance programs address a wide range of requirements, both internal and external, driven by business partnerships, established service-level agreements (SLAs), regulation, known and emerging threats, and other business and technology factors. The most effective way to manage compliance in this environment is a disciplined, holistic approach that treats compliance not as a reactive, point-in-time event but as an ongoing, proactive program.


Historically, IT has focused on factors such as operational efficiency and performance, and the security of information rarely came to the forefront. Some early regulations, such as the Family Educational Rights and Privacy Act (FERPA), did establish a baseline of explicit data privacy and implied security requirements. Security and privacy regulations tended to emerge first in industries that were already highly regulated, such as financial services and utilities, and were limited in scope. Many of these regulations carried no sanctions, so organizations could fail to comply without suffering any penalty.


In 1996, the Health Insurance Portability and Accountability Act (HIPAA) changed the landscape of information security and privacy compliance; it was one of the first broad regulations to contain significant information security and privacy requirements. Because HIPAA integrated provisions spanning many different business areas (IT operations, information security, HR and audit), it forced organizations, many for the first time, to establish a program approach to compliance, bringing diverse groups within the organization together to achieve specific cross-functional compliance goals. HIPAA, along with emerging frameworks for managing information assurance such as ISACA's COBIT and ISO/IEC 17799, helped organizations establish a more comprehensive approach to information security and privacy compliance management.

For regulatory compliance in information security, the Sarbanes-Oxley Act of 2002 (SOX) became the defining requirement for every publicly traded company in the United States. It mandated not only civil but also criminal sanctions for certain conditions of non-compliance, and those penalties applied personally to C-level executives.

Once SOX was in effect, corporate boards of directors throughout the country began to take an interest in security compliance. By placing compliance accountability on senior executives, SOX pushed organizations toward a holistic, program-based approach to security and privacy compliance, in which compliance reporting and metrics across all applicable compliance drivers became critical to the operational success of the company.

With SOX as an indicator of the future direction of compliance-driven information assurance, a holistic, program-based approach can provide the capability needed to address security and privacy compliance across most enterprises. Building such a program is not a simple process, however, and requires buy-in from across the organization. The following list describes some of the more common problems organizations encounter:

Making compliance regulation-specific. When a regulation has far-reaching implications and significant sanctions, it is easy to take a myopic view of information assurance and concentrate the majority of security and privacy effort on that single regulation. The danger of this regulation-specific mentality is that the organization falls back into a "checklist" mentality, which promotes passing the audit over reducing risk and improving security.

Viewing compliance as a point-in-time event. Internal and external audits can provide organizations with useful feedback and recommendations. When the organization focuses on the audit itself, however, rather than on risk-based decisions designed to protect the organization continuously, its exposure to those risks between audits can be significantly higher.

Addressing technology without addressing the business. The ultimate purpose of an IT governance, risk and compliance (GRC) program is to protect business processes. When an organization takes a "throw technology at the wall and see what sticks" approach to compliance, the real underlying value of information security and privacy is lost.

Failure to achieve organizational buy-in first. IT GRC is a broad-reaching program that requires buy-in from a wide range of constituents, including IT, human resources and finance. In many organizations, however, a "stovepipe" mentality persists across these groups, and the cross-functional coordination the program depends on never materializes.

Inconsistent metrics and reporting. An organization can only manage what it can control, and it can only control what it can define and measure. Inconsistent metrics and reporting lead to a loss of control, which can translate into business and fiduciary impacts.

Sidestepping these mistakes while addressing myriad, complex security and privacy drivers can be a daunting task, even for the most knowledgeable organizations. An enterprise-wide IT GRC program is the starting point, but it must be built in a way that avoids the common mistakes outlined above.
