|
While some tools can be tuned, others may need intense customization, or could even justify a new purchase.
Case in point: portals. These tools display centralized views, or network system health or compliance status. Some vendors provide overlay reports that purport to show the company's current compliance level to a variety of the regulations, such as HIPAA, SOX and GLBA. Compliance dashboards are certainly appealing in theory, but in practice they can fall far short of the business mark. Approach dashboards with caution.
If you are planning to use a vendor-supplied template, ask the vendor how the compliance policies were created and how easy it is to customize them. Because the regulations aren't prescriptive, most vendors use one of the control frameworks as a baseline for the compliance templates. They may even augment the template with information from lawyers, auditors and customers. These templates can be a great guide, but don't rely on them out of the box. They will need additional tuning from your IT and security staff.
If the tuning work isn't done upfront, dashboards can quickly become "garbage in/garbage out." Consider a database that stores personal health information and has the admin account password set to the default. If the admin account password setting isn't being monitored by the compliance dashboard, the slick-looking graphic may indicate an all-clear for HIPAA compliance but an auditor won't.
A final thought on compliance dashboards: Make sure resources have been assigned to monitor and maintain the dashboard long-term. There's no sense in spending valuable time to customize a portal only to have the critical log and alert data be ignored.
If your existing infrastructure cannot be tuned to help with compliance, your alternative is to buy a solution. Using products to automate portions of the compliance life cycle, such as system configuration, verification and reporting, helps IT get the job done efficiently. Tools are an essential part of the compliance process, but they must be configured and managed according to sound corporate risk management decisions; without them, the process would be far more costly and labor intensive. While these products won't solve all your compliance problems, they can help make the ongoing process more sustainable and effective.
Unfortunately, there is no quick fix when it comes to compliance. But if you approach it carefully by creating and laying out the policies, and determining what you have and what you can re-use, you'll meet an audit with success without breaking the bank.
--Diana Kelley
|
