Information Security Magazine
Compliance Guide for Managers
by Diana Kelley
Issue: Mar 2006

Become Compliant
(without breaking the bank)

It's a floor wax! It's a dessert topping! It's a compliance tool!

Vendors have tried to cash in on the compliance crush by promising a cure-all for regulatory woes. But by now, savvy IT professionals know there's no magic compliance tool--no "SOX-in-a-box" or "HIPAA-in-a-handbasket" that solves all of your enterprise compliance needs.

Rather, the trick is to understand what these tools can and cannot do. From there, you can determine whether to fine-tune your existing infrastructure or invest in new technologies to meet the ever-changing regulatory requirements.

Setting Up Frameworks
Before you decide on an approach, you need to fully understand the regulations and what they require you to do.

Much of the regulatory legislation pertains to appropriate risk management and business controls, not to prescriptive security settings or systems. The lack of precise prescription is often by design. The HIPAA Security Final Rule, for instance, was published together with a complete listing of the proposed requirements, the public comments received and the regulators' responses to them, which provides transparency into the rule-making process. But the final rule itself is very general and gives no specific recommendations for implementation.

The lack of prescription means that companies must perform their own risk analyses and turn the results into actionable guidance. Reading through the actual requirements is the place to start. Then you can review and adopt one or more of the commonly accepted control frameworks, such as COSO, COBIT, ISO 17799 and ITIL. The frameworks are complementary: ITIL itself suggests using COBIT and ISO 17799 to define "what" should be done and ITIL to define "how." The frameworks and the legislation can also help determine accountability paths, such as who will sign off on risk acceptance decisions. Use them as a starting point from which the key stakeholders--executives, auditors, IT administrative staff and any other employees involved in the compliance process--can obtain guidance and insight.

A word of caution: These frameworks are not fully prescriptive either, and they are no replacement for the organization's own decision making and its own definition of what "compliant" means for its business. Creating policies and compliance rules for a business or entity is a collaborative process in which all stakeholders should participate.

All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy