Comply (and/or) Die: Affordable Conformance With Multiple Regulations
When we asked the 379 respondents to our InformationWeek Analytics Regulatory Compliance survey how many requirement sets their organizations are addressing, the No. 1 answer was four or more, at 35%. Add to the mix a political climate that seems to favor more, not less, regulation and ongoing budgetary pressure, and who can blame CIOs for feeling stretched thin? After all, IT earns its keep by seamlessly supporting mission-critical systems. That’s hard to do when responsibilities are piling up.
Fortunately, there are ways to work smarter and, as the adage goes, kill a few birds with one stone. In this report we’ll help IT come to grips with the daunting task of addressing the myriad controls involved with complying with two or more regulations. By focusing on similarities and distilling the overarching concepts and requirements, those embarking on compliance projects can target high-value control areas and add efficiency. The key is to focus resources and structure your strategic process to ensure the usability of controls across multiple regulatory standards. For groups that have been wrestling with compliance for some time, we’ll help evaluate the effectiveness of existing strategies and suggest ways to balance regulatory requirements, the user experience and security.
We’ll also discuss some broad security program frameworks to illustrate the universe of useful policies, suggest an approach to forming a plan, and recommend a few discrete areas where implementing security controls can not only help the IT organization be more effective, but also address a range of specific requirements. To help bound the scope of our discussion, we’ll primarily focus on the ISO 27001/2 information security standard, PCI-DSS and HIPAA.
For organizations looking to tackle a single compliance area, this report is still worth reading. Strictly speaking, since you don’t need to worry about the intersection of regulations, addressing one set of requirements allows for many more choices as to where to begin. We’ll help narrow that set of proposed starting points with an eye toward future regulatory needs. Ultimately, with any strategic plan or tactical control, the key is to identify areas that maximize value and enhance operational effectiveness. To succeed, CIOs need both a long-term plan and some quick wins to show verifiable progress. So get out those Venn diagrams, exchange the propeller cap for the strategic program hat and get ready to comply.
Table of Contents
- Author's Bio
- Executive Summary
- Research Synopsis
- Embrace the Regs
- Don't Run Scared
- Comparisons: HIPAA, PCI
- Different, but Alike Where It Counts
- Need for Speed?
- So Many Standards, So Little Time. The Approach.
- Small Price to Pay
- Defining the Standards
- Put It in Writing
- Security Policy
- Acceptable Use Policy
- Change Management Policy
- Build or Buy?
- Stay in Control
- Other Useful Policies
- Technical Control Considerations
- Ready? Go Forth and Comply
- Appendix