Building an IT Compliance Program in 5 Steps

Let’s face it — compliance [2] is boring. It’s tough to face the sea of acronyms: PCI DSS, SOX, HIPAA, GLBA, FERPA, DMCA, never mind the thick books of rules and regulations that come with each acronym.

Fortunately, compliance doesn’t need to be overly burdensome. This five-step process can help an organization build a solid compliance program that minimizes reworking:

Step 1: Identify Your Compliance Requirements

First, identify the specific compliance requirements that apply to your organization. These will vary greatly and depend upon three main factors:

• Jurisdictions. Some jurisdictions are obvious: If your offices are located in New York, you’re subject to U.S. federal law and New York state law. Other juridisctions may require more thought and analysis. What operations do you have in other countries or states? Do those operations bring your entire organization into the scope of compliance, or only the operations in those areas?
• Industries. The regulations that apply to an organization will vary, based upon that organization’s field of business. For example, financial-services firms will need to comply with the Gramm-Leach-Bliley Act (GLBA), while healthcare providers must focus on the Health Insurance Portability and Accountability Act (HIPAA). It might be wise to consult industry trade organizations to help identify the specific requirements in a field.
• Activities. While some regulations apply to industries, others apply to specific business activities. For example, across all industries, businesses that accept credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). Similarly, organizations handling Social Security numbers will need to comply with state data-breach notification acts in the event of a data compromise.

Sorting out the tangled mess of laws and regulations can be quite complicated. It’s definitely a good idea to consult an attorney while trying to interpret the regulations that apply to a unique set of jurisdiction, industry and business activities.

Step 2: Narrow Your Scope

Once the specific requirements that apply to your business are identified, the most important step is to narrow the scope of the compliance efforts as much as possible. Minimize the number of locations that store, process or transmit sensitive data in unencrypted form. Taking the time to perform this scope reduction in a rigorous way will pay tremendous dividends in the next stages of the compliance program, when those systems are brought into compliance. The fewer systems and applications that work with sensitive data, the fewer remediation activities a company will need to undertake to ensure its current and future compliance.

As an example, if you isolate the systems in your environment that process credit cards and put those systems on a segregated card-processing network, only that network falls within the scope of PCI DSS. When it comes time to fill out the 40-page self-assessment questionnaire, you’ll have to do so with only that limited-scope network in mind. Otherwise, you’ll need to ensure that every computer in your organization complies with PCI’s stringent requirements.

Step 3: Assess Your Status

After reducing the number of locations that store, process and transmit regulated data, it’s time to assess the current compliance status. The exact process to follow will depend on the specific regulations that apply to a business, but here’s a general outline of the approach:

1. Choose an assessment tool. In some cases, such as PCI DSS, the regulation comes bundled with a tool that must be used to assess compliance. In other cases, you’ll have to either purchase or develop your own tool.

2. Apply it consistently across your environment. Use the tool to assess the current status of every system and application within the scope of your compliance efforts. To ensure objectivity, it might be a good idea to have a third party, or at least someone not responsible for system maintenance, perform the assessment.

3. Collate the results. Early on, get a picture of what problems consistently surface across your organization and where one-off problems exist.

Take time performing the assessment; it’s an extremely critical step that will determine the eventual success of your efforts.

Step 4: Remediate the Gaps

At this point, there will probably be a long “punch list” of issues that need to be addressed throughout the organization. The next task is straightforward, but time consuming: Fix the problems. Start by prioritizing the work. There are several schools of thought on the best way to do this. You should select the approach most appropriate for your organization’s culture and risk tolerance:

• Easy things first. Do as much as you can as quickly as possible. Start with the low-hanging fruit, and remediate the simple problems before turning to more complex tasks.
• Risk-based prioritization. Rank the remediation issues based on risk posed to the organization, and address the riskiest situations.
• Investigate systemic issues. Find the issues that affect the largest number of systems and start to problem solving.

You’ll probably combine several of these strategies and develop a hybrid approach that is suitable for the compliance needs of your organization.

Step 5: Monitor Ongoing Compliance

Even once all of the gaps are remediated, you’re not quite finished. Remember that IT compliance is not a one-time project; it’s an ongoing process that should be under way throughout the year. If you don’t build metrics and processes that support your compliance program, it’s bound to fall out of compliance, and the organization will find itself in a situation where it’s starting from square one.

Designing a robust compliance program by following these five steps is a significant investment for most organizations. It will consume time and money, but it will also protect your business from the strategic, financial, operational and reputational risks inherent in failure to comply with laws and regulations.