Let’s face it — compliance is boring. It’s tough to face the sea of acronyms: PCI DSS, SOX, HIPAA, GLBA, FERPA, DMCA, never mind the thick books of rules and regulations that come with each acronym.
Fortunately, compliance doesn’t need to be overly burdensome. This five-step process can help an organization build a solid compliance program that minimizes reworking:
First, identify the specific compliance requirements that apply to your organization. These will vary greatly and depend upon three main factors:
Sorting out the tangled mess of laws and regulations can be quite complicated. It’s definitely a good idea to consult an attorney while trying to interpret the regulations that apply to a unique set of jurisdiction, industry and business activities.
Once the specific requirements that apply to your business are identified, the most important step is to narrow the scope of the compliance efforts as much as possible. Minimize the number of locations that store, process or transmit sensitive data in unencrypted form. Taking the time to perform this scope reduction in a rigorous way will pay tremendous dividends in the next stages of the compliance program, when those systems are brought into compliance. The fewer systems and applications that work with sensitive data, the fewer remediation activities a company will need to undertake to ensure its current and future compliance.
As an example, if you isolate the systems in your environment that process credit cards and put those systems on a segregated card-processing network, only that network falls within the scope of PCI DSS. When it comes time to fill out the 40-page self-assessment questionnaire, you’ll have to do so with only that limited-scope network in mind. Otherwise, you’ll need to ensure that every computer in your organization complies with PCI’s stringent requirements.
After reducing the number of locations that store, process and transmit regulated data, it’s time to assess the current compliance status. The exact process to follow will depend on the specific regulations that apply to a business, but here’s a general outline of the approach:
1. Choose an assessment tool. In some cases, such as PCI DSS, the regulation comes bundled with a tool that must be used to assess compliance. In other cases, you’ll have to either purchase or develop your own tool.
2. Apply it consistently across your environment. Use the tool to assess the current status of every system and application within the scope of your compliance efforts. To ensure objectivity, it might be a good idea to have a third party, or at least someone not responsible for system maintenance, perform the assessment.
3. Collate the results. Early on, get a picture of what problems consistently surface across your organization and where one-off problems exist.
Take time performing the assessment; it’s an extremely critical step that will determine the eventual success of your efforts.
At this point, there will probably be a long “punch list” of issues that need to be addressed throughout the organization. The next task is straightforward, but time consuming: Fix the problems. Start by prioritizing the work. There are several schools of thought on the best way to do this. You should select the approach most appropriate for your organization’s culture and risk tolerance:
You’ll probably combine several of these strategies and develop a hybrid approach that is suitable for the compliance needs of your organization.
Even once all of the gaps are remediated, you’re not quite finished. Remember that IT compliance is not a one-time project; it’s an ongoing process that should be under way throughout the year. If you don’t build metrics and processes that support your compliance program, it’s bound to fall out of compliance, and the organization will find itself in a situation where it’s starting from square one.
Designing a robust compliance program by following these five steps is a significant investment for most organizations. It will consume time and money, but it will also protect your business from the strategic, financial, operational and reputational risks inherent in failure to comply with laws and regulations.