Few issues this year have been more bewildering and frustrating for company officials than government rules regarding the security and retention of electronic data. More than one CIO has probably wished there
Unfortunately, there is no uber-checklist for complying with all the rules from the Sarbanes-Oxley Act to the Health Insurance Portability and Accountability Act (HIPAA) to California's SB 1386. But there are some basic strategies companies can use that will help.
Simply being security- and privacy-conscious goes a long way toward compliance. For example, a company that implements sound user authentication practices is going to do better at protecting personal health information -- a major requirement of HIPAA. Strong user-authentication processes, along with other security policies, may also constitute "internal controls," which companies are required to have under Sarbanes-Oxley. And implementing a sound security plan would defend against the consequences of SB 1386. That law requires companies to notify affected California residents if there's been a security breach of personal information.
"None of these regulations are requiring anything new," said Kevin Beaver, principal consultant with Principle Logic. "It's just general security practices that every organization should ideally have in place anyway."
Planning for the regulations is often an enlightening process. Preparation makes companies concentrate on security and privacy in ways they may not be used to and garner the attention of upper management, which previously may have only taken a peripheral interest.
A thorough risk assessment, required by many federal regulations, may show holes that the company didn't know existed and may also help identify programs to cut.
The risk assessment stage is one area in which thinking holistically about compliance can be fruitful. A good strategy is to have one risk assessment for all the regulations. Or, if that's not possible, use the same firm for the assessments.
To reap the benefits of both planning and implementation, an organization needs to assemble a group that oversees compliance, rather than having affected departments handle particular regulations on their own.
"If you tackle compliance a piece at a time, then you will fail," said Michael Rasmussen, director of information security research at Forrester Research's Giga Information Group. "You need someone spearheading the project to identify the common elements and find the economies of scale."
For large enterprises, Rasmussen recommends appointing a chief risk officer (CRO). Ideally, the CISO and the CSO would report to the CRO. Such an officer would have a good perspective for addressing compliance issues. For example, regulation of physical security, such as access control, is an important element of both the Gramm-Leach-Bliley Act and HIPAA, Rasmussen said.
But compliance can reach beyond company boundaries. A company that falls under SB 1386, for example, needs to add language to its contracts so that partners know about issues that may be problematic.
"You may have an offshore outsourcer that gets compromised, so you ... have to report it under SB 1386, but you have nothing in your contract spelling that out," Rasmussen said.