Few issues this year have been more bewildering and frustrating for company officials than government rules regarding the security and retention of electronic data.
More than one CIO has probably wished there were a way to comply, in one fell swoop, with all the regulations, from the Sarbanes-Oxley Act to the Health Insurance Portability and Accessibility Act (HIPAA) to California's SB 1386.
Unfortunately, there is no uber-checklist for complying with all the rules. But there are some basic strategies companies can use that will help.
Simply being security- and privacy-conscious goes a long way toward compliance. For example, a company that implements sound user-authentication practices is going to do better at protecting personal health information -- a major requirement of HIPAA. Strong user-authentication processes, along with other security policies, may also constitute "internal controls," which companies are required to have under Sarbanes-Oxley.
And implementing a sound security plan would defend against the consequences of SB 1386. That law, which affects all companies that do business in California, requires them to notify a customer when there's been a security breach regarding that customer's personal information.
"None of these regulations are requiring anything new or out of the ordinary," said Kevin Beaver, principal consultant with Principle Logic LLC. "It's just general security practices that every organization should ideally have in place anyway."
It's all in the planning
Planning for the regulations is often an enlightening process. Preparation makes companies concentrate on areas, such as security and privacy, in ways they may not be used to. Additionally, the regulations bring security and privacy to the attention of upper management, which previously may have only taken a peripheral interest in them.
For example, many federal regulations require a risk assessment. A thorough risk assessment may show holes that the company didn't know existed. A risk assessment may also help identify programs to cut.
The risk assessment stage is one area in which thinking holistically about compliance can be fruitful. A good strategy is to have one risk assessment for all the regulations. Or, if that's not possible, use the same firm for the assessments.
Mark Doll, Ernst & Young's director of security and technology solutions for the Americas, was once asked by a client to reconcile a HIPAA risk assessment with one for the ISO 17799 standard. "It would have been cheaper for us to have done a new assessment," he said.
Setting sights too low
Companies sometimes take a myopic approach to compliance. They think of compliance as an issue for specific departments, rather than the entire enterprise. For example, HIPAA requires that patient data be handled properly. So a company may implement procedures for protecting the servers housing that data.
"The problem with this approach is: Normal users [outside that department] won't be sure which data is or is not private," Doll said.
To reap the benefits of both planning and implementation, an organization needs to assemble a group that oversees compliance, rather than having affected departments handle particular regulations on their own.
"If you tackle compliance a piece at a time, then you will fail," said Michael Rasmussen, director of information security research at Forrester Research's Giga Information Group. "You need someone spearheading the project to identify the common elements and find the economies of scale."
For large enterprises, Rasmussen recommends appointing a chief risk officer (CRO). Ideally, the chief information security officer and the chief security officer, who handles physical security, would report to the CRO. Such an officer would have a good perspective for addressing compliance issues. For example, regulation of physical security, such as access control, is an important element of both the Gramm-Leach-Bliley Act and HIPAA, Rasmussen said.
But bear in mind, too, that compliance can reach beyond company boundaries. A company that falls under SB 1386, for example, needs to add language to its contracts so that partners know about issues that may be problematic.
"You may have an offshore outsourcer that gets compromised, so you ... have to report it under SB 1386, but you have nothing in your contract spelling that out," Rasmussen said.