Using a Framework to Navigate Regulatory Compliance
The regulatory environment overseeing the protection of sensitive information is incredibly crowded. Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), the Health Insurance Portability and Accountability Act (HIPAA), HITECH, Red Flags, the Payment Card Industry Data Security Standard (PCI-DSS), and a host of state laws and audit guidelines would seem to provide the Fort Knox of IT risk management, if only organizations complied. The reality is that the complexity and cost of compliance may be a contributing factor in the overall risk management failings that appear above the fold in your local newspaper.
While large companies are better equipped to absorb the additional costs of infrastructure, tools, staff, auditors, and third-party vulnerability scanners, small and medium-sized businesses can quickly become stretched to the point of ineffective security. There may be some paralysis when deciphering multiple regulatory obligations that often overlap or even conflict. There are also opportunity costs when small business executives spend more time dealing with compliance issues than with business strategy.
The solution is not to avoid regulatory obligations. The solution is to better manage information security and deploy best practices as simply part of the organizational culture. The way to get there isn’t to go through check boxes for every compliance item that comes your way. That will drive any person insane and lead to a tangled mess of interwoven security policies, procedures, technologies, and so on. What I believe is a more effective approach to compliance is the implementation of an information security management system following a framework such as ISO 27001/27002. Many of the controls within 27002 align with the requirements of many of the compliance items, so building a consolidated program based on a series of best practices will help meet compliance obligations.
ISO 27001/27002 is simply a framework that defines a security code of practice and best practices across twelve areas: risk assessment, security policy, governance, asset management, human resources, physical and environmental security, communications and operations, access control, acquisition, development and maintenance, incident management, business continuity, and compliance. Pay particular attention to the last one and note that compliance is just one piece of the framework of best practices. This leads back to a previous post: risk management and information security must go beyond the simple yes-or-no check boxes of regulatory compliance in order to be effective.
The ability to protect sensitive information is a process that requires ongoing care and feeding in order to guard against the expensive financial and reputational damage of a breach. Using a framework such as ISO 27001/27002 provides a consistent baseline against which to measure and certify. This minimizes confusion and complexity and goes a long way toward achieving compliance across a wide array of regulatory requirements, while using both technical and human resources effectively to maximize benefit and reduce unnecessary cost.