Taking a holistic approach to compliance

By Edward Hurley, News Writer
17 Dec 2003 | Security Wire Perspectives


Few issues this year have been more bewildering and frustrating for company officials than government rules regarding the security and retention of electronic data. More than one CIO has probably wished there was a way to comply with all the regulations in one fell swoop.

Unfortunately, there is no uber-checklist for complying with all the rules from the Sarbanes-Oxley Act to the Health Insurance Portability and Accountability Act (HIPAA) to California's SB 1386. But there are some basic strategies companies can use that will help.

Simply being security- and privacy-conscious goes a long way toward compliance. For example, a company that implements sound user-authentication practices is going to do better at protecting personal health information, a major requirement of HIPAA. Strong user-authentication processes, along with other security policies, may also constitute the "internal controls" that companies are required to have under Sarbanes-Oxley. And a sound security plan reduces the chance of the kind of breach that triggers SB 1386, which requires companies to notify affected California residents if personal information has been exposed in a security breach.

"None of these regulations are requiring anything new," said Kevin Beaver, principal consultant with Principle Logic. "It's just general security practices that every organization should ideally have in place anyway."

Planning for the regulations is often an enlightening process. Preparation forces companies to concentrate on security and privacy in ways they may not be used to, and it draws the attention of upper management, which may previously have taken only a peripheral interest.

A thorough risk assessment, required by many federal regulations, may reveal gaps the company didn't know existed and may also identify programs that can be cut.

The risk assessment is one area in which thinking holistically about compliance pays off. A good strategy is to perform a single risk assessment that covers all of the regulations. If that's not possible, use the same firm for each of the assessments so that the findings are consistent.

To reap the benefits of both planning and implementation, an organization needs to assemble a group that oversees compliance, rather than having affected departments handle particular regulations on their own.

"If you tackle compliance a piece at a time, then you will fail," said Michael Rasmussen, director of information security research at Forrester Research's Giga Information Group. "You need someone spearheading the project to identify the common elements and find the economies of scale."

For large enterprises, Rasmussen recommends appointing a chief risk officer (CRO). Ideally, the chief information security officer (CISO) and the chief security officer (CSO) would both report to the CRO. Such an officer would have a good vantage point for addressing compliance issues that cut across physical and information security. For example, physical security requirements such as access control are an important element of both the Gramm-Leach-Bliley Act and HIPAA, Rasmussen said.

But compliance can reach beyond company boundaries. A company that falls under SB 1386, for example, needs to add language to its contracts so that partners and outsourcers that handle its data are obligated to report a breach back to the company, which remains responsible for the notification.

"You may have an offshore outsourcer that gets compromised, so you ... have to report it under SB 1386, but you have nothing in your contract spelling that out," Rasmussen said.

Copyright 2003 - 2009, TechTarget. All rights reserved.